Play interactive tour

Edit tour

Windows Analysis Report 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe

Overview

General Information

Sample Name:	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe
Analysis ID:	499229
MD5:	909d88235d78c58b802b626d3848a723
SHA1:	1784716422e801892997dfea3f1838c3e3b47034
SHA256:	01cee78809685f39cb8f139a99f4b3936c60f4d86cac5f714595c311b079e19c
Tags:	exeRedLineStealer
Infos:
Most interesting Screenshot:

Detection

RedLine

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Multi AV Scanner detection for submitted file

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Found many strings related to Crypto-Wallets (likely being stolen)

Potential time zone aware malware

Uses known network protocols on non-standard ports

Machine Learning detection for sample

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

PE file contains strange resources

Tries to load missing DLLs

Uses code obfuscation techniques (call, push, ret)

Detected TCP or UDP traffic on non-standard ports

Binary contains a suspicious time stamp

Detected potential crypto function

HTTP GET or POST without a user agent

Program does not show much activity (idle)

Enables debug privileges

Classification

Process Tree

System is w10x64

01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe (PID: 7136 cmdline: 'C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe' MD5: 909D88235D78C58B802B626D3848A723)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.549318800.0000000003F81000.00000004.00000001.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.545936967.0000000000A32000.00000002.00020000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000000.280631652.0000000000A32000.00000002.00020000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe PID: 7136	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.2.01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe.3f85530.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe.3f85530.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe.a30000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.0.01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe.a30000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Virustotal: Detection: 38%	Perma Link
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Metadefender: Detection: 14%	Perma Link
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	ReversingLabs: Detection: 67%

Machine Learning detection for sample

Show sources

Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe

Joe Sandbox ML: detected

Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 36882
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 36882
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 36882
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 36882
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 36882
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 36882
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 36882
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 36882

Source: global traffic

TCP traffic: 192.168.2.3:49753 -> 193.164.16.58:36882

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: 193.164.16.58:36882Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: 193.164.16.58:36882Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-AliveData Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 6e 74 73 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: 193.164.16.58:36882Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-AliveData Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 6e 74 73 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: 193.164.16.58:36882Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-AliveData Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 6e 74 73 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: 193.164.16.58:36882Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-AliveData Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 6e 74 73 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: 193.164.16.58:36882Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-AliveData Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 6e 74 73 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: 193.164.16.58:36882Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-AliveData Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 6e 74 73 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: 193.164.16.58:36882Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-AliveData Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 6e 74 73 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Source: unknown	TCP traffic detected without corresponding DNS query: 193.164.16.58
Source: unknown	TCP traffic detected without corresponding DNS query: 193.164.16.58
Source: unknown	TCP traffic detected without corresponding DNS query: 193.164.16.58
Source: unknown	TCP traffic detected without corresponding DNS query: 193.164.16.58
Source: unknown	TCP traffic detected without corresponding DNS query: 193.164.16.58
Source: unknown	TCP traffic detected without corresponding DNS query: 193.164.16.58
Source: unknown	TCP traffic detected without corresponding DNS query: 193.164.16.58
Source: unknown	TCP traffic detected without corresponding DNS query: 193.164.16.58
Source: unknown	TCP traffic detected without corresponding DNS query: 193.164.16.58
Source: unknown	TCP traffic detected without corresponding DNS query: 193.164.16.58
Source: unknown	TCP traffic detected without corresponding DNS query: 193.164.16.58
Source: unknown	TCP traffic detected without corresponding DNS query: 193.164.16.58

Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: .www.linkedin.comTRUE/11614436726bscookie"v=1&2019022803011495c185b7-0b96-4d19-891e-d2ece41a3e44AQFpZpsfkE7YkjmnTKzkZJVD4k2hykue" equals www.linkedin.com (Linkedin)
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: .www.linkedin.comTRUE/11628096480bscookie"v=1&201908050523465f3f043c-c590-4ca5-837d-70448d17168eAQHQzhmqtHuIvZXVSsvl987FnChs4ZEy" equals www.linkedin.com (Linkedin)
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: iam-3arby.blogspot.comTRUE/01593590725c_ref_3812176https%3A%2F%2Fwww.youtube.com%2F equals www.youtube.com (Youtube)
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: www.downloadprogramgames.comTRUE/01612974153c_ref_2926597https%3A%2F%2Fsearch.yahoo.com%2F equals www.yahoo.com (Yahoo)
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: www.nataeeg.comTRUE/01612514350c_ref_2390093https%3A%2F%2Fsearch.yahoo.com%2F equals www.yahoo.com (Yahoo)

Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	String found in binary or memory: http://193.164.16.58:36882
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	String found in binary or memory: http://193.164.16.58:36882/
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	String found in binary or memory: http://193.164.16.58:368824
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: http://download.televisionfanatic.com/chromeInstruct.jhtml?tabView=bubble
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: http://download.televisionfanatic.com/chromeInstruct.jhtml?tabView=instruct
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: http://download.televisionfanatic.com/chromeInstruct.jhtml?tabView=success
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: http://download.televisionfanatic.com/install_pixels.jhtml?partner=
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: http://ext.ask.com/index.jhtml?productName=TelevisionFanatic&installDate=2019032905&partnerId=
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: http://hp.myway.com/televisionfanatic/ttab02/index.html?p2=$
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp, 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549305256.00000000030E1000.00000004.00000001.sdmp, 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549284317.00000000030D8000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp, 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549305256.00000000030E1000.00000004.00000001.sdmp, 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549284317.00000000030D8000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549284317.00000000030D8000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/0D
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp, 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549305256.00000000030E1000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetArguments
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetArgumentsResponse
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyScanRequest
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyScanRequestResponse
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: http://www.legacy.com/obituaries/augustachronicle/
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	String found in binary or memory: https://api.ipify.org
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: https://cache.legacy.com/globalcontent/affiliatelogossmall/augustachronicle.gif
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	String found in binary or memory: https://icanhazip.com4https://wtfismyip.com/textBhttp://bot.whatismyipaddress.com/2http://checkip.dy
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: https://iqoption.com/lp/get-started/pt/%22
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: https://narr.typeform.com/to/HHCiHD%22%2C%22lang%22:%22ar%22%2C%22invText%22:%22%D9%86%D9%82%D9%88%D
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: https://search.yahoo.com/
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: https://www.google.com.br/
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: https://www.nchsoftware.com/videopad/index.html?kw=lightworks%20download&gclid=CjwKCAjw96fkBRA2EiwAK
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: https://www.research.net/r/V6GHNWV?CBID=XP
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: https://www.solvusoft.com/ar/update/%D8%A8%D8%B1%D8%A7%D9%85%D8%AC/categories/soundmax/
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: https://www.vulture.com/2019/04/crazy-ex-girlfriend-finale-behind-the-scenes.html%22%2C%22sref%22:%2

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetArguments"Host: 193.164.16.58:36882Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.546077738.0000000000AAE000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename5ElEtm6anDN.exeJ vs 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.548750194.0000000002FC8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameclrjit.dllT vs 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.548750194.0000000002FC8000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.548750194.0000000002FC8000.00000004.00000001.sdmp	Binary or memory string: i,\\StringFileInfo\\040904B0\\OriginalFilename vs 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Binary or memory string: OriginalFilename5ElEtm6anDN.exeJ vs 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe

Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe

Section loaded: mscorjit.dll

Jump to behavior

Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Code function: 0_2_00A32830	0_2_00A32830
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Code function: 0_2_00A3401F	0_2_00A3401F
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Code function: 0_2_00A38D7D	0_2_00A38D7D
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Code function: 0_2_00A336C4	0_2_00A336C4

Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Virustotal: Detection: 38%
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Metadefender: Detection: 14%
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	ReversingLabs: Detection: 67%

Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe

File read: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe

Jump to behavior

Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe

Binary or memory string: mdemulher.abril.com.brTRUE/01585779980_chartbeat2.1551322842878.1551651980320.1001.VBP56B6GF6rCE8qTBD-Czz8C2vz20.1

Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: .televisionfanatic.dl.myway.comTRUE/01556483155pixelUrl"http://download.televisionfanatic.com/install_pixels.jhtml?partner=^XP^xpw137^S32193^br&sub_id=98652&s2=6P72fEBGpQc&coId=ab6432a7e60e4b0fb762115c4cf8dbca&tbGuid=7365FA2D-A027-43B0-BC08-80E692479561"
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: .iqoption.comTRUE/01559108265landing/lp/get-started/pt
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: .iqoption.comTRUE/01559108265aff_params{%22landing_url%22:%22https://iqoption.com/lp/get-started/pt/%22}
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: www.rawstory.comTRUE/FALSE1731569164cp-impression-added-forcp_id_4578btrue
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: .zdnet.comTRUE/article/new-windows-10-start-menu-microsoft-shows-this-new-design-that-sidelines-live-tilesFALSE1658201692CBS_INTERNAL0
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: .zdnet.comTRUE/FALSE1666884868OptanonConsentisIABGlobal=false&datestamp=Wed+Mar+04+2020+12%3A41%3A13+GMT-0500+(Eastern+Standard+Time)&version=5.12.0&landingPath=https%3A%2F%2Fwww.zdnet.com%2Farticle%2Fnew-windows-10-start-menu-microsoft-shows-this-new-design-that-sidelines-live-tiles%2F&groups=1%3A1%2C2%3A1%2C3%3A1%2C4%3A1%2C5%3A1&hosts=H123%3A1%2CH296%3A1%2Ckad%3A1%2Cykx%3A1%2CH74%3A1%2Cnhp%3A1%2CH314%3A1%2CH378%3A1%2Cycm%3A1%2CH551%3A1%2Cqgc%3A1%2CH33%3A1%2Cevp%3A1%2Cmsc%3A1%2CH38%3A1%2Csbj%3A1%2CH82%3A1%2CH93%3A1%2CH98%3A1%2Cshp%3A1%2Cocn%3A1%2Cxol%3A1%2Cldx%3A1%2CH134%3A1%2Cgbj%3A1%2Cxuc%3A1%2CH148%3A1%2Cket%3A1%2Cyhw%3A1%2Cowg%3A1%2Caau%3A1%2CH194%3A1%2Cxzz%3A1%2Cgos%3A1%2Ckij%3A1%2Cqqh%3A1%2CH215%3A1%2CH229%3A1%2Cbjv%3A1%2Cgny%3A1%2Cfgh%3A1%2Ckbc%3A1%2Cezx%3A1%2Clbl%3A1%2Cjyk%3A1%2CH250%3A1%2Cpmv%3A1%2CH270%3A1%2Clzu%3A1%2Cpve%3A1%2CH276%3A1%2Ctch%3A1%2Cxmd%3A1%2Ciax%3A1%2Cqnc%3A1%2CH315%3A1%2Cuxy%3A1%2Cumx%3A1%2CH333%3A1%2CH335%3A1%2CH338%3A1%2Ccnd%3A1%2Cobo%3A1%2CH355%3A1%2Ctas%3A1%2Cqtj%3A1%2Ceod%3A1%2Cxxp%3A1%2Czmt%3A1%2Cmym%3A1%2CH387%3A1%2Cmdi%3A1%2Ciex%3A1%2Chqo%3A1%2CH407%3A1%2CH411%3A1%2Crjz%3A1%2CH412%3A1%2CH420%3A1%2CH430%3A1%2Cwit%3A1%2Clvb%3A1%2CH456%3A1%2CH458%3A1%2CH463%3A1%2CH464%3A1%2Cdmn%3A1%2CH475%3A1%2CH477%3A1%2Cfst%3A1%2Cyxb%3A1%2Ceri%3A1%2CH518%3A1%2Cpcn%3A1%2Cjva%3A1%2Czmy%3A1%2CH545%3A1%2CH554%3A1%2CH566%3A1%2Czou%3A1%2Cdzf%3A1%2Cyon%3A1%2Cdmn%3A1%2Ckuw%3A1%2Cndb%3A1&consentId=bd81c7df-cf61-40ab-bd36-5e765cee00db&interactionCount=0

Source: classification engine

Classification label: mal80.troj.spyw.evad.winEXE@1/0@0/1

Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe.a30000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe.a30000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe.a30000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe.a30000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe.a30000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe.a30000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe.a30000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe.a30000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe

Static file information: File size 1371648 > 1048576

Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x11e000

Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)

Show sources

Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.2.01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe.a30000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)
Source: 0.0.01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe.a30000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	.Net Code: stackVariable6.GetMethod("GetDelegateForFunctionPointer", V_0)

Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe

Code function: 0_2_014BD5E8 pushad ; iretd

0_2_014BD5E9

Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe

Static PE information: 0xDC1D7569 [Thu Jan 9 02:35:21 2087 UTC]

Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'H6Msm13TJj4kF', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.2.01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe.a30000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'H6Msm13TJj4kF', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
Source: 0.0.01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe.a30000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	High entropy of concatenated method names: '.cctor', 'H6Msm13TJj4kF', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 36882
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 36882
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 36882
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 36882
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 36882
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 36882
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 36882
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 36882

Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Potential time zone aware malware

Show sources

Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.547636527.000000000125F000.00000004.00000020.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

.NET source code references suspicious native API functions

Show sources

Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Reference to suspicious API methods: ('Kxm8CyXvJ', 'OpenProcess@kernel32.dll'), ('T7LBbJ4ta', 'WriteProcessMemory@kernel32.dll'), ('yMayDYsjD', 'VirtualProtect@kernel32.dll'), ('LXFsnj021', 'FindResource@kernel32.dll'), ('SR2f8Si0X', 'VirtualProtect@kernel32.dll'), ('jMyYFyWuy', 'VirtualAlloc@kernel32.dll'), ('puGi6bKKk', 'LoadLibrary@kernel32'), ('ROhFJh1RB', 'GetProcAddress@kernel32'), ('fMdPu7i25', 'ReadProcessMemory@kernel32.dll')
Source: 0.2.01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe.a30000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Reference to suspicious API methods: ('Kxm8CyXvJ', 'OpenProcess@kernel32.dll'), ('T7LBbJ4ta', 'WriteProcessMemory@kernel32.dll'), ('yMayDYsjD', 'VirtualProtect@kernel32.dll'), ('LXFsnj021', 'FindResource@kernel32.dll'), ('SR2f8Si0X', 'VirtualProtect@kernel32.dll'), ('jMyYFyWuy', 'VirtualAlloc@kernel32.dll'), ('puGi6bKKk', 'LoadLibrary@kernel32'), ('ROhFJh1RB', 'GetProcAddress@kernel32'), ('fMdPu7i25', 'ReadProcessMemory@kernel32.dll')
Source: 0.0.01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe.a30000.0.unpack, vJiGl01UUJfXfNWas3/DyyVDbaRvM1YfIq9il.cs	Reference to suspicious API methods: ('Kxm8CyXvJ', 'OpenProcess@kernel32.dll'), ('T7LBbJ4ta', 'WriteProcessMemory@kernel32.dll'), ('yMayDYsjD', 'VirtualProtect@kernel32.dll'), ('LXFsnj021', 'FindResource@kernel32.dll'), ('SR2f8Si0X', 'VirtualProtect@kernel32.dll'), ('jMyYFyWuy', 'VirtualAlloc@kernel32.dll'), ('puGi6bKKk', 'LoadLibrary@kernel32'), ('ROhFJh1RB', 'GetProcAddress@kernel32'), ('fMdPu7i25', 'ReadProcessMemory@kernel32.dll')

Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.548119737.0000000001970000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.548119737.0000000001970000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.548119737.0000000001970000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.548119737.0000000001970000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Queries volume information: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected RedLine Stealer

Show sources

Source: Yara match	File source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, type: SAMPLE
Source: Yara match	File source: 0.2.01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe.3f85530.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe.3f85530.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe.a30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe.a30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.549318800.0000000003F81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.545936967.0000000000A32000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.280631652.0000000000A32000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe PID: 7136, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Show sources

Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: ElectrumRule
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: JaxxRule
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	String found in binary or memory: Exodus*\Exodus\exodus.wallet
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: ExodusRule
Source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	String found in binary or memory: set_UseMachineKeyStore

Remote Access Functionality:

Yara detected RedLine Stealer

Show sources

Source: Yara match	File source: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, type: SAMPLE
Source: Yara match	File source: 0.2.01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe.3f85530.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe.3f85530.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe.a30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe.a30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.549318800.0000000003F81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.545936967.0000000000A32000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.280631652.0000000000A32000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe PID: 7136, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	DLL Side-Loading1	Process Injection1	Disable or Modify Tools1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Native API1	Boot or Logon Initialization Scripts	DLL Side-Loading1	Process Injection1	LSASS Memory	Security Software Discovery1	Remote Desktop Protocol	Data from Local System1	Exfiltration Over Bluetooth	Non-Standard Port11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	System Information Discovery13	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Timestomp1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	38%	Virustotal		Browse
01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	14%	Metadefender		Browse
01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	68%	ReversingLabs	ByteCode-MSIL.Infostealer.Reline
01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://193.164.16.58:368824	1%	Virustotal		Browse
http://193.164.16.58:368824	0%	Avira URL Cloud	safe
http://193.164.16.58:36882	0%	Virustotal		Browse
http://193.164.16.58:36882	0%	Avira URL Cloud	safe
http://193.164.16.58:36882/	0%	Virustotal		Browse
http://193.164.16.58:36882/	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/GetArguments	0%	Virustotal		Browse
http://tempuri.org/Endpoint/GetArguments	0%	Avira URL Cloud	safe
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	0%	URL Reputation	safe
http://tempuri.org/	0%	URL Reputation	safe
http://tempuri.org/0D	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/VerifyUpdateResponse	0%	URL Reputation	safe
http://tempuri.org/Endpoint/GetArgumentsResponse	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/GetUpdates	0%	URL Reputation	safe
https://www.google.com.br/	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/VerifyScanRequest	0%	Avira URL Cloud	safe
https://icanhazip.com4https://wtfismyip.com/textBhttp://bot.whatismyipaddress.com/2http://checkip.dy	0%	Avira URL Cloud	safe
http://tempuri.org/Endpoint/GetUpdatesResponse	0%	URL Reputation	safe
http://tempuri.org/Endpoint/	0%	URL Reputation	safe
http://tempuri.org/Endpoint/VerifyUpdate	0%	URL Reputation	safe
http://tempuri.org/Endpoint/VerifyScanRequestResponse	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://193.164.16.58:36882/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/ip%appdata%	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	false		high
http://193.164.16.58:368824	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://193.164.16.58:36882	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/GetArguments	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp, 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549305256.00000000030E1000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.legacy.com/obituaries/augustachronicle/	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	false		high
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/soap/envelope/	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp, 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549305256.00000000030E1000.00000004.00000001.sdmp, 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549284317.00000000030D8000.00000004.00000001.sdmp	false		high
http://tempuri.org/	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp, 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549305256.00000000030E1000.00000004.00000001.sdmp, 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549284317.00000000030D8000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/0D	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549284317.00000000030D8000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://search.yahoo.com/	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	false		high
http://download.televisionfanatic.com/install_pixels.jhtml?partner=	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	false		high
http://tempuri.org/Endpoint/VerifyUpdateResponse	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://cache.legacy.com/globalcontent/affiliatelogossmall/augustachronicle.gif	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	false		high
https://iqoption.com/lp/get-started/pt/%22	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	false		high
http://tempuri.org/Endpoint/GetArgumentsResponse	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://download.televisionfanatic.com/chromeInstruct.jhtml?tabView=bubble	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	false		high
http://tempuri.org/Endpoint/GetUpdates	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://api.ipify.org	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	false		high
https://www.google.com.br/	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	false	Avira URL Cloud: safe	unknown
https://narr.typeform.com/to/HHCiHD%22%2C%22lang%22:%22ar%22%2C%22invText%22:%22%D9%86%D9%82%D9%88%D	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	false		high
http://hp.myway.com/televisionfanatic/ttab02/index.html?p2=$	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	false		high
http://ext.ask.com/index.jhtml?productName=TelevisionFanatic&installDate=2019032905&partnerId=	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	false		high
http://tempuri.org/Endpoint/VerifyScanRequest	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://icanhazip.com4https://wtfismyip.com/textBhttp://bot.whatismyipaddress.com/2http://checkip.dy	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/GetUpdatesResponse	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.nchsoftware.com/videopad/index.html?kw=lightworks%20download&gclid=CjwKCAjw96fkBRA2EiwAK	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	false		high
http://tempuri.org/Endpoint/	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Endpoint/VerifyUpdate	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.vulture.com/2019/04/crazy-ex-girlfriend-finale-behind-the-scenes.html%22%2C%22sref%22:%2	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	false		high
http://download.televisionfanatic.com/chromeInstruct.jhtml?tabView=instruct	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	false		high
http://download.televisionfanatic.com/chromeInstruct.jhtml?tabView=success	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	false		high
http://tempuri.org/Endpoint/VerifyScanRequestResponse	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/soap/actor/next	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe, 00000000.00000002.549122448.0000000003037000.00000004.00000001.sdmp	false		high
https://www.solvusoft.com/ar/update/%D8%A8%D8%B1%D8%A7%D9%85%D8%AC/categories/soundmax/	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.164.16.58	unknown	Russian Federation		47995	AT-ASRU	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	499229
Start date:	08.10.2021
Start time:	05:52:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.spyw.evad.winEXE@1/0@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.2% (good quality ratio 0.1%) Quality average: 59.2% Quality standard deviation: 34.7%
HCA Information:	Successful, ratio: 92% Number of executed functions: 59 Number of non-executed functions: 4
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 20.82.210.154, 2.20.178.24, 2.20.178.33, 20.54.110.249, 40.112.88.60, 2.20.178.10, 2.20.178.56, 8.247.248.223, 8.247.248.249, 8.247.244.221, 20.199.120.151 Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, client.wns.windows.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, wu-shim.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AT-ASRU	mirai.x86	Get hash	malicious	Browse	5.165.233.37
	VunjeCGYgU.exe	Get hash	malicious	Browse	193.164.17.17
	X2PrdXhH1y.exe	Get hash	malicious	Browse	193.164.17.17
	Clh974QBqG	Get hash	malicious	Browse	5.166.34.38
	WiqtUEK1DH.exe	Get hash	malicious	Browse	193.164.17.17
	onekb0XOFQ.exe	Get hash	malicious	Browse	193.164.16.126
	OhrS5bSU6r.dll	Get hash	malicious	Browse	193.164.16.126
	7spunOMzSK	Get hash	malicious	Browse	46.254.26.76
	D16YRFIELV.exe	Get hash	malicious	Browse	193.164.16.141
	dt7RkA0T6X.exe	Get hash	malicious	Browse	193.164.16.141
	5903CA7C770EB447D3D83E9DBC28469B172D74A4E9FB5.exe	Get hash	malicious	Browse	77.223.124.210
	MTImzMa0Gy.exe	Get hash	malicious	Browse	193.164.16.141
	wEcncyxrEe	Get hash	malicious	Browse	217.119.82.33
	yVn2ywuhEC.exe	Get hash	malicious	Browse	80.251.153.186
	SecuriteInfo.com.Trojan.InjectNET.14.10717.exe	Get hash	malicious	Browse	45.150.206.10
	SecuriteInfo.com.Trojan.InjectNET.14.28056.exe	Get hash	malicious	Browse	45.150.206.10
	SJa7s8Fd2g.exe	Get hash	malicious	Browse	45.150.206.10
	lyrvDJCi1i.exe	Get hash	malicious	Browse	45.150.206.10
	https://bit.ly/3r7zqa6	Get hash	malicious	Browse	45.150.207.107
	http://www.venturamedstaff.com	Get hash	malicious	Browse	45.150.206.251

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.990840248270224
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.69% Win32 Executable (generic) a (10002005/4) 49.64% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% InstallShield setup (43055/19) 0.21% Windows Screen Saver (13104/52) 0.07%
File name:	01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe
File size:	1371648
MD5:	909d88235d78c58b802b626d3848a723
SHA1:	1784716422e801892997dfea3f1838c3e3b47034
SHA256:	01cee78809685f39cb8f139a99f4b3936c60f4d86cac5f714595c311b079e19c
SHA512:	fd6e39ce48e488923987fcb4127de781fb080ab5875e5fdf600c1fb014d5c3dd2e849bfd1aab795c3e8eb4ba723e23f6fda56756221d013060a064b0ce54af64
SSDEEP:	24576:AjL4A6IUWe1MTc9nqkuGElJ+DqOP+pOJ:6UANUWe1Mb+j+w
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...iu................................... ... ....@.. .......................@............@................................

File Icon


Icon Hash:	04ced2c280a2a200

Static PE Info

General
Entrypoint:	0x431bce
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0xDC1D7569 [Thu Jan 9 02:35:21 2087 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x31b80	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x34000	0x11de9c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x152000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x2fbd4	0x2fc00	False	0.601823257526	data	6.73382751713	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.sdata	0x32000	0xbb4	0xc00	False	0.481770833333	data	4.44223374401	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x34000	0x11de9c	0x11e000	False	0.502320189576	data	6.9701537176	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x152000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
AVI	0x34cc0	0x2e1a	RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp
PNG	0x37adc	0x34a7a	PNG image data, 500 x 500, 8-bit/color RGBA, non-interlaced
RT_ICON	0x6c558	0x1a76	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x6dfd0	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 134217728, next used block 117440512	English	United States
RT_ICON	0x7e7f8	0x94a8	data	English	United States
RT_ICON	0x87ca0	0x5488	data	English	United States
RT_ICON	0x8d128	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295	English	United States
RT_ICON	0x91350	0x25a8	data	English	United States
RT_ICON	0x938f8	0x10a8	data	English	United States
RT_ICON	0x949a0	0x988	data	English	United States
RT_ICON	0x95328	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x95790	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 1460640, next used block 13768	English	United States
RT_ICON	0x96038	0xb37b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0xa13b4	0x10828	dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0xb1bdc	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 16318463, next used block 16719616	English	United States
RT_ICON	0xb5e04	0x25a8	data	English	United States
RT_ICON	0xb83ac	0x10a8	data	English	United States
RT_ICON	0xb9454	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xb98bc	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 80066, next used block 11723	English	United States
RT_ICON	0xba164	0x1500	data	English	United States
RT_ICON	0xbb664	0x8a8	data	English	United States
RT_ICON	0xbbf0c	0x10a8	data	English	United States
RT_ICON	0xbcfb4	0x8a8	data	English	United States
RT_ICON	0xbd85c	0x668	data	English	United States
RT_ICON	0xbdec4	0x2e8	dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 1199999112, next used block 943932598	English	United States
RT_ICON	0xbe1ac	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0xbe2d4	0xea8	data	English	United States
RT_ICON	0xbf17c	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 14476024, next used block 15788765	English	United States
RT_ICON	0xbfa24	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0xbff8c	0x2f2	data
RT_DIALOG	0xc0280	0x35c	data	Russian	Russia
RT_DIALOG	0xc05dc	0x1b0	data
RT_DIALOG	0xc078c	0x1b4	data	Russian	Russia
RT_DIALOG	0xc0940	0x166	data
RT_DIALOG	0xc0aa8	0x168	data	Russian	Russia
RT_DIALOG	0xc0c10	0x1c0	data
RT_DIALOG	0xc0dd0	0x1e0	data	Russian	Russia
RT_DIALOG	0xc0fb0	0x130	data
RT_DIALOG	0xc10e0	0x150	data	Russian	Russia
RT_DIALOG	0xc1230	0x120	data
RT_DIALOG	0xc1350	0x122	data	Russian	Russia
RT_STRING	0xc1474	0x8c	data
RT_STRING	0xc1500	0x86	data	Russian	Russia
RT_STRING	0xc1588	0x520	data
RT_STRING	0xc1aa8	0x52e	data	Russian	Russia
RT_STRING	0xc1fd8	0x5cc	data
RT_STRING	0xc25a4	0x592	data	Russian	Russia
RT_STRING	0xc2b38	0x4b0	data
RT_STRING	0xc2fe8	0x4b2	data	Russian	Russia
RT_STRING	0xc349c	0x44a	data
RT_STRING	0xc38e8	0x43e	data	Russian	Russia
RT_STRING	0xc3d28	0x3ce	data
RT_STRING	0xc40f8	0x2fc	data	Russian	Russia
RT_RCDATA	0xc43f4	0x54140	ASCII text, with very long lines, with CRLF line terminators
RT_RCDATA	0x118534	0x19fd	ASCII text, with very long lines, with no line terminators
RT_RCDATA	0x119f34	0x1a8c7	ASCII text, with very long lines, with CRLF line terminators
RT_RCDATA	0x1347fc	0x1c69e	ASCII text, with very long lines, with CRLF line terminators
RT_GROUP_ICON	0x150e9c	0x84	data	English	United States
RT_GROUP_ICON	0x150f20	0x14	data	English	United States
RT_GROUP_ICON	0x150f34	0x5a	data	English	United States
RT_GROUP_ICON	0x150f90	0x14	data	English	United States
RT_GROUP_ICON	0x150fa4	0x14	data	English	United States
RT_GROUP_ICON	0x150fb8	0x22	data	English	United States
RT_GROUP_ICON	0x150fdc	0x14	data	English	United States
RT_GROUP_ICON	0x150ff0	0x5a	data	English	United States
RT_VERSION	0x15104c	0x3a6	data
RT_MANIFEST	0x1513f4	0xaa8	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Bitcoin LLC 2021 (c)
Assembly Version	43.2.8.3
InternalName	5ElEtm6anDN.exe
FileVersion	43.2.8.3
CompanyName	Bitcoin
LegalTrademarks	Full Version
Comments	USA Trader's
ProductName	License Full Version
ProductVersion	43.2.8.3
FileDescription	Software functions LLC
OriginalFilename	5ElEtm6anDN.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Russian	Russia

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 8, 2021 05:53:27.173229933 CEST	49753	36882	192.168.2.3	193.164.16.58
Oct 8, 2021 05:53:30.183710098 CEST	49753	36882	192.168.2.3	193.164.16.58
Oct 8, 2021 05:53:30.252664089 CEST	36882	49753	193.164.16.58	192.168.2.3
Oct 8, 2021 05:53:30.252856970 CEST	49753	36882	192.168.2.3	193.164.16.58
Oct 8, 2021 05:53:30.502289057 CEST	49753	36882	192.168.2.3	193.164.16.58
Oct 8, 2021 05:53:30.855979919 CEST	49753	36882	192.168.2.3	193.164.16.58
Oct 8, 2021 05:53:33.512123108 CEST	49753	36882	192.168.2.3	193.164.16.58
Oct 8, 2021 05:53:36.559259892 CEST	49753	36882	192.168.2.3	193.164.16.58
Oct 8, 2021 05:53:42.576008081 CEST	49753	36882	192.168.2.3	193.164.16.58
Oct 8, 2021 05:53:54.577675104 CEST	49753	36882	192.168.2.3	193.164.16.58
Oct 8, 2021 05:54:06.578255892 CEST	49753	36882	192.168.2.3	193.164.16.58
Oct 8, 2021 05:54:18.578528881 CEST	49753	36882	192.168.2.3	193.164.16.58
Oct 8, 2021 05:54:42.580468893 CEST	49753	36882	192.168.2.3	193.164.16.58

HTTP Request Dependency Graph

193.164.16.58:36882

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49753	193.164.16.58	36882	C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe

Timestamp	kBytes transferred	Direction	Data
Oct 8, 2021 05:53:30.502289057 CEST	1004	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: 193.164.16.58:36882 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Oct 8, 2021 05:53:33.512123108 CEST	1030	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: 193.164.16.58:36882 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 6e 74 73 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Oct 8, 2021 05:53:36.559259892 CEST	4007	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: 193.164.16.58:36882 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 6e 74 73 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Oct 8, 2021 05:53:42.576008081 CEST	4221	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: 193.164.16.58:36882 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 6e 74 73 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Oct 8, 2021 05:53:54.577675104 CEST	5059	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: 193.164.16.58:36882 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 6e 74 73 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Oct 8, 2021 05:54:06.578255892 CEST	5217	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: 193.164.16.58:36882 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 6e 74 73 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Oct 8, 2021 05:54:18.578528881 CEST	5233	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: 193.164.16.58:36882 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 6e 74 73 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>
Oct 8, 2021 05:54:42.580468893 CEST	5247	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetArguments" Host: 193.164.16.58:36882 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 41 72 67 75 6d 65 6e 74 73 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetArguments xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe PID: 7136 Parent PID: 1296

General

Start time:	05:53:06
Start date:	08/10/2021
Path:	C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe'
Imagebase:	0xa30000
File size:	1371648 bytes
MD5 hash:	909D88235D78C58B802B626D3848A723
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.549318800.0000000003F81000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.545936967.0000000000A32000.00000002.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000000.280631652.0000000000A32000.00000002.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe PID: 7136 Parent PID: 1296 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exeCOMMON

Executed Functions

Function 014BA2C0, Relevance: 2.0, Instructions: 1973COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df75a2bc22b7b3da8d6a16f70c91cd7b6fe1dc39f0c3381d8f9a9e850f068d85
Instruction ID: acfd9068c71e04c579f4fa91a1e403dc51867e1b588cdedd3492497f3a411c2a
Opcode Fuzzy Hash: df75a2bc22b7b3da8d6a16f70c91cd7b6fe1dc39f0c3381d8f9a9e850f068d85
Instruction Fuzzy Hash: 0A13ED34946204EFCF1A6F60D850D99B732FF9930AB1084BAEE1136B54CB3FA946DE51

Uniqueness

Uniqueness Score: -1.00%

Function 014BA2D0, Relevance: 2.0, Instructions: 1973COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 700c335144b9a3500f480ad8c43acc9f0120f872de24e8fba049ccdf2f87c265
Instruction ID: c1425d6868d329a54ea9154738f5f081ca2cbdf3157f4428cf19ba09a03d011e
Opcode Fuzzy Hash: 700c335144b9a3500f480ad8c43acc9f0120f872de24e8fba049ccdf2f87c265
Instruction Fuzzy Hash: 5013ED34946204EFCF1AAF60D850D99B732FF5930AB1084BAEE1136B54CB3FA946DE51

Uniqueness

Uniqueness Score: -1.00%

Function 014B7748, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

pFxl, xrefs: 014B7778

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID: pFxl
API String ID: 0-2643349631
Opcode ID: 02b42119302d98fa1cf5bac235d4931557b669123137eddfabd1d145c7e19fff
Instruction ID: e65a2ce75ed484f9e53b7e104cc0e7c465162bbf379c77f5d46d0b03f218c8d0
Opcode Fuzzy Hash: 02b42119302d98fa1cf5bac235d4931557b669123137eddfabd1d145c7e19fff
Instruction Fuzzy Hash: 1B416938A002069FCB10DB69D5C5AAEFBF2EF84315F15C46AD9199B3A1D734EC45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 014B0006, Relevance: .4, Instructions: 445COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b242b3092ab18ab96b9fbaa845beef883d205c34406cb394e1d06156fcef4932
Instruction ID: f5dab0172a625ba3e28d5a73fecd56b0077561fb95964a548a9116ac431c111a
Opcode Fuzzy Hash: b242b3092ab18ab96b9fbaa845beef883d205c34406cb394e1d06156fcef4932
Instruction Fuzzy Hash: 1A028D36600215DFCF1A9FA0C944E9A7FB2FF4C710B0644A9E6069B276DB32C991EF50

Uniqueness

Uniqueness Score: -1.00%

Function 014B0040, Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a197e27fdc1cb667ba5dd4dfe73165441515bd63dbddcaa3a8bc39181613ff28
Instruction ID: fe5da7840abdc4668c5d2431b533d911bc6b1dc17deb5e9cafbf16fe183ac0e5
Opcode Fuzzy Hash: a197e27fdc1cb667ba5dd4dfe73165441515bd63dbddcaa3a8bc39181613ff28
Instruction Fuzzy Hash: 39F18036600215DFCF1A9FA0C944E9A7FB2FF4C710B0645A5E6069B276DB32C951EF50

Uniqueness

Uniqueness Score: -1.00%

Function 014B2377, Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2399ba3547a651a344625a06fc493399c8d045524b1e5a2a35a1cde931d7d28a
Instruction ID: c15bdc6877e41f0ad8a0f1b1d1eef46ba589eb3591f23671ee5c678dcb7519dd
Opcode Fuzzy Hash: 2399ba3547a651a344625a06fc493399c8d045524b1e5a2a35a1cde931d7d28a
Instruction Fuzzy Hash: 94A11134946208DFCF15AF60D8909A9B772FF4534AB1084BAEE1136B21CB3F9946EB50

Uniqueness

Uniqueness Score: -1.00%

Function 014B59A2, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f9a22e96c1c33314ff08038c92373c9217a8027538eb22a4040d6306de13b42
Instruction ID: b12ec8a9b2d8085472ab911414c8741ec9a5b531086d39b6320d379cf1e6398c
Opcode Fuzzy Hash: 0f9a22e96c1c33314ff08038c92373c9217a8027538eb22a4040d6306de13b42
Instruction Fuzzy Hash: 87519B30610A048FC714EB78D49856EBBF6FF89321F554A5DE4929B3A8DF30A845CB51

Uniqueness

Uniqueness Score: -1.00%

Function 014B59B0, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07e105a432f1504299ea3324ce3bff92b1f7db8bf01f9a0936734f953201b55d
Instruction ID: 364d58312f784274fc409ffe95a1402f484d3034829c50f8d05c2a151d15bc41
Opcode Fuzzy Hash: 07e105a432f1504299ea3324ce3bff92b1f7db8bf01f9a0936734f953201b55d
Instruction Fuzzy Hash: 1E51BC30610A048FC714EB78D49856DBBF6FF89321F554A5DE4929B3A8DF30B845CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014B9850, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96ebc2b383198a8caa7b474eac8bd7074c5174de735a645f00b93c74b436d839
Instruction ID: f52e4f7c2970c4b323a2e9ddc139e8b407a7070651adc66b5c2fee0d403d1528
Opcode Fuzzy Hash: 96ebc2b383198a8caa7b474eac8bd7074c5174de735a645f00b93c74b436d839
Instruction Fuzzy Hash: A84117702083459FCB21DF68C84479B7FA9EF85218F148E6EE5458B3A5DB30F806CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014BF520, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3abc6df863e9d161e549f63a9efea62ab8c75f5ae8ee35b63519319f3d32203c
Instruction ID: 47acf6aa9f64aacb127033b97b928b2d939276210773e30d91f96e1bd37d6ba0
Opcode Fuzzy Hash: 3abc6df863e9d161e549f63a9efea62ab8c75f5ae8ee35b63519319f3d32203c
Instruction Fuzzy Hash: DC41A335B002048FDB18DB68D8947AFFBB6EF89314F14846AD509DB3A1DB359C46C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 014B9B20, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e001a80d5deaad0cf9786aa72e9e6dd0dc6e00145b73dd5b23e243a884ef5f
Instruction ID: 299811293d066215f76020b5f64615b866f993530d4c10bf7257a1d2bd56f211
Opcode Fuzzy Hash: b6e001a80d5deaad0cf9786aa72e9e6dd0dc6e00145b73dd5b23e243a884ef5f
Instruction Fuzzy Hash: 1C414E747002048FDB08EF68C499AAA7BF6EF89314F14446DE6069B364DF75AC41DB61

Uniqueness

Uniqueness Score: -1.00%

Function 014BC330, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b04c58492c9d0ac717055cf77e416c0a5de34c75d7cc0d0ac66b0650f7e70ce
Instruction ID: 9111f68bd000c5bd47cdea80ac269b33517affdb9a02afc1ef3ebde151c20947
Opcode Fuzzy Hash: 9b04c58492c9d0ac717055cf77e416c0a5de34c75d7cc0d0ac66b0650f7e70ce
Instruction Fuzzy Hash: 5D31D234B002189FEB14EBB4D8947AE7BB6AF85304F108479D505EB3A5DB789D098BA1

Uniqueness

Uniqueness Score: -1.00%

Function 014BCAA8, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7836b10a2b631c7ea68570526dac51015fbf301c79bde1ec098ab5e3edcb08fa
Instruction ID: 1b222f5699fb2cf4da7e5ac89586ce96f16202399aa8db820b4047d04cb73693
Opcode Fuzzy Hash: 7836b10a2b631c7ea68570526dac51015fbf301c79bde1ec098ab5e3edcb08fa
Instruction Fuzzy Hash: C131CE31D10B4A9ACB11EF68CC402C9B771FF99314F249726E8567B200EB74B5D4CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014BCAB8, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56d31d7cb073ff38e0079fdbf93e8108994dcb2575f79d22d0628408a22affbd
Instruction ID: 811981cb12160227cc21c5437df33f788d84eb240d87630569a0a603f7d6843a
Opcode Fuzzy Hash: 56d31d7cb073ff38e0079fdbf93e8108994dcb2575f79d22d0628408a22affbd
Instruction Fuzzy Hash: AF318F31D1070ADACB10EFA9C8402D9B771FF99324F249B25E9567B200EB74B5D4CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014B9C90, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98691ed619e4651c807994bf8534fa04a88cc54c5b5d9244e2fa111bf1a1b054
Instruction ID: 5ed888fb9d6fa635fbfb81b13adcb2515076856b7b124e4bb82245bea93bdd3e
Opcode Fuzzy Hash: 98691ed619e4651c807994bf8534fa04a88cc54c5b5d9244e2fa111bf1a1b054
Instruction Fuzzy Hash: D821F3357103154FCB19AB7495592AE7FEA9FC9209B148C3EE406CF7A4EF70A8068792

Uniqueness

Uniqueness Score: -1.00%

Function 014BCE50, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b887b75ad058d238741e239fcf25b2fe835a808041adb8f1a964dc1b3da4f6d3
Instruction ID: f0c68f8076be320e14c56cc52044d922cf02ba56138ddad9a93cec2f27235e61
Opcode Fuzzy Hash: b887b75ad058d238741e239fcf25b2fe835a808041adb8f1a964dc1b3da4f6d3
Instruction Fuzzy Hash: CA219E30724244CBD71A9B75A4EB3BA3FAD9B41315F4440AEF08ACE692CF35A802D761

Uniqueness

Uniqueness Score: -1.00%

Function 014BA1B0, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1dae91fef8839709ce558397a22a828bb318cc3dbfedffc8b1547bb6f78ba42
Instruction ID: 903cb475f7d9ba5bebdae0501c9ef56d57945d4db3dfe9de8f3dd0158d75c1d6
Opcode Fuzzy Hash: d1dae91fef8839709ce558397a22a828bb318cc3dbfedffc8b1547bb6f78ba42
Instruction Fuzzy Hash: 8031C531E1060ACBCB15AFB8C4651EEFBB5FF84304B10862AD55AB7350EF35A981CB90

Uniqueness

Uniqueness Score: -1.00%

Function 014B6797, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ee862ef77accf619881fe5dd62a197465ae7e926674637bd1e1f13fa14380ca
Instruction ID: 55157de7e3ea88c72557a87db9718ca65ffe32cb87ee177844ed340d6e858c9d
Opcode Fuzzy Hash: 7ee862ef77accf619881fe5dd62a197465ae7e926674637bd1e1f13fa14380ca
Instruction Fuzzy Hash: 82313E36900209FFDF09AFA0ED69AA9BFB6FB48304F004864F6145A268CB327955DF40

Uniqueness

Uniqueness Score: -1.00%

Function 014B5BDE, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cae1704a311bc59aad8e75d6e79a3da2d4ec08aa82c7de7f0b11bafae871629
Instruction ID: eca93218e74d23a9ac06126956051a0083f0d142de9c449b6d42e095db632c96
Opcode Fuzzy Hash: 4cae1704a311bc59aad8e75d6e79a3da2d4ec08aa82c7de7f0b11bafae871629
Instruction Fuzzy Hash: AF218B342053808FC7169B38D5985597FB6FFCA21574509AEE086CB7A2CF38BC06CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 014B67A8, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea1535af6b345c49f61bb95bfb9df9940d87df156695069ba13e46376336ed38
Instruction ID: 1c6e31b700454e7add99a5fc5a8cd1d928cae99972ee1a3b8e2f7ccf79792947
Opcode Fuzzy Hash: ea1535af6b345c49f61bb95bfb9df9940d87df156695069ba13e46376336ed38
Instruction Fuzzy Hash: BB31EC35910209FFDF09AFA0ED69AA9BFB6FB48304F004868F6155A268CB327955DF41

Uniqueness

Uniqueness Score: -1.00%

Function 014B4310, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80f4a634dd1cfa4644640c5d28a8b4b65d2518691dd6988daa47773a1140f8f1
Instruction ID: 2d867d418cc97d070e894c6b091054f0deda42eb6bbad128d46395561bb6a2f8
Opcode Fuzzy Hash: 80f4a634dd1cfa4644640c5d28a8b4b65d2518691dd6988daa47773a1140f8f1
Instruction Fuzzy Hash: 7A110B30B002148FD7248BACC454BEEBAF69F89724F195169E401EB3E1CBB18C41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 014B4320, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15bf420e7c35ae08506a697d0b7218e553249e469b5fe04d06c37d98c242cd01
Instruction ID: 9e80293567b66a547f670fdfeed46d7a557dc68f26b1248a821bf2bc664c5bdf
Opcode Fuzzy Hash: 15bf420e7c35ae08506a697d0b7218e553249e469b5fe04d06c37d98c242cd01
Instruction Fuzzy Hash: 2711CA31B002149FD7249BACC454BDEBAF69F98710F1D416AE502FB3A1CBB18D4187A1

Uniqueness

Uniqueness Score: -1.00%

Function 014B5389, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3187cc3278657fed7f8073e32a56d6ef7ef1c9a1ce05bca8906f734e733e9915
Instruction ID: 4f45ac72cb0c1eeab71b33f171b1d1ca4b73fc693f8d1abe91596b825b0f0210
Opcode Fuzzy Hash: 3187cc3278657fed7f8073e32a56d6ef7ef1c9a1ce05bca8906f734e733e9915
Instruction Fuzzy Hash: 8D11A575E102158FCF48EBA8D8951EEBFF9EBC8316B04406AD409EB344DF705D4187A5

Uniqueness

Uniqueness Score: -1.00%

Function 014BFD68, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83ca948e1f800e4e32703580b390dd53474ee7ae9c6621565c36a1949ea5ce13
Instruction ID: a41c6db9b25c1a4e32a0e9fe65d5179078cebafac5d41caae76e4f975b5d94fe
Opcode Fuzzy Hash: 83ca948e1f800e4e32703580b390dd53474ee7ae9c6621565c36a1949ea5ce13
Instruction Fuzzy Hash: BF11E871200204DFD725DF69D884AA6BBB9FF86351F00846AF95A8F760DB32D842CB60

Uniqueness

Uniqueness Score: -1.00%

Function 014BEB10, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fc6be77be6c963436f7b9ca737d04631545a9fc4edda341353b08e1b308b5ed
Instruction ID: 403ba2af5be35c1e395c3d9a1df4288455fd20fe0b2a52c210b13c451deeff7a
Opcode Fuzzy Hash: 6fc6be77be6c963436f7b9ca737d04631545a9fc4edda341353b08e1b308b5ed
Instruction Fuzzy Hash: 3E018E353203008FCB259A74949876ABFAAFBC431AF54482DE5078B340CFB1AC058750

Uniqueness

Uniqueness Score: -1.00%

Function 014B5398, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e328e2bb109dab6308a2fb4c542ef022ed70acd511d576aa07fa8120585125d
Instruction ID: b9b5cb514ecc29accc75b853a34775674606ce2558f82e3eba209f61201b16cd
Opcode Fuzzy Hash: 6e328e2bb109dab6308a2fb4c542ef022ed70acd511d576aa07fa8120585125d
Instruction Fuzzy Hash: 6D016175E102198F8F44EBA8D8541EEBFF9EBC8216B04446AD50AE7344EF715D0187A5

Uniqueness

Uniqueness Score: -1.00%

Function 014BE290, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 585a05cb214aa6c991f7f49342da885e66993fc1dd09258416ef605c29a7bc41
Instruction ID: 1e8010bf7bf49f7da304ba8c2fe85f1477e8f92fd341aafe0718af5ab6825799
Opcode Fuzzy Hash: 585a05cb214aa6c991f7f49342da885e66993fc1dd09258416ef605c29a7bc41
Instruction Fuzzy Hash: 230146342006098FCB64DF69D588DDABBEAFF88219711C86AE5058B771DBB0F9018B90

Uniqueness

Uniqueness Score: -1.00%

Function 014BFD00, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6063dd53b2aa7d7b8f2a3933002799ad6dd9c3c9a5cfb9d3f1e9b4e7322b4158
Instruction ID: addc0fccead325cda24bcbaa0b2c04bb97beca9008ca46c1245a603b4e70b65e
Opcode Fuzzy Hash: 6063dd53b2aa7d7b8f2a3933002799ad6dd9c3c9a5cfb9d3f1e9b4e7322b4158
Instruction Fuzzy Hash: B0F0F972E10118ABCB05DB999C05AEEBBBAEBC8711F048066E619E6240DB7056159BA0

Uniqueness

Uniqueness Score: -1.00%

Function 014BD5EA, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c528074eb6f001e16eae11071e243c14a027ca549e540987eb87af360b45e59
Instruction ID: 6c13118479fba4b1dfa358a51f5a30be01ac56ea2671f714e5d1b7289cb5e2ec
Opcode Fuzzy Hash: 2c528074eb6f001e16eae11071e243c14a027ca549e540987eb87af360b45e59
Instruction Fuzzy Hash: 08F03C71A006189FCF50EFA9D4065DEBFF4FF88714F40452AE449E7310DB70A9058B91

Uniqueness

Uniqueness Score: -1.00%

Function 014BD188, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c358cf44f0d744cc4bdab3e76caa211622f6f185f5a5199231f4ac71658bbe
Instruction ID: d4747516bb7b495ffbdeaae564ad035f210da4fd67208373e9593cfec9fa193f
Opcode Fuzzy Hash: 93c358cf44f0d744cc4bdab3e76caa211622f6f185f5a5199231f4ac71658bbe
Instruction Fuzzy Hash: 36E02B3A3001406BC6046A66F899A5FBF6DDBC5655F80043DF90987300EE7A4C0443A0

Uniqueness

Uniqueness Score: -1.00%

Function 014B9C79, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 669f32874fb44ed8889c4801db81b34b65792258534393ca00eec49ed0454584
Instruction ID: dbf4b15bf10306c2be7ea02817660563d1d767c1e67f8b95684da9df3b8f751a
Opcode Fuzzy Hash: 669f32874fb44ed8889c4801db81b34b65792258534393ca00eec49ed0454584
Instruction Fuzzy Hash: 63F0E5763053905BDB079639D9943AA3FA98F82119B0888B7C905CB7B2EF34D8058391

Uniqueness

Uniqueness Score: -1.00%

Function 014B3EC1, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b82bf40c62f257ca0ecee476430e8c6ef3695ccd60ea94ca5a4cbc89f7a8506
Instruction ID: 690b43a82f9fe732be33f37e275428a0e05f012d92552243fcda94af02072b16
Opcode Fuzzy Hash: 8b82bf40c62f257ca0ecee476430e8c6ef3695ccd60ea94ca5a4cbc89f7a8506
Instruction Fuzzy Hash: 2EF0A0B2E103159B8F80AFBE98402DEBBF4BE44914B08056AD559D7240FB3196018BE2

Uniqueness

Uniqueness Score: -1.00%

Function 014B3ED0, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cad000e56008001165031c41827fdc903c2503cf985bb7c5b7e59d5186dc652
Instruction ID: 65efdfc76f2b825f21267cdec6e8968c2a8a525492b1ef7ec0087837823547eb
Opcode Fuzzy Hash: 8cad000e56008001165031c41827fdc903c2503cf985bb7c5b7e59d5186dc652
Instruction Fuzzy Hash: 32F06570E002159F4F44FFBE54502EEBAF4BE85514701057AD95EEB244EF348A058BEB

Uniqueness

Uniqueness Score: -1.00%

Function 014BD198, Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3df620e6f56fed35df7db23a5fb737e99bc134c531457ebd52aecf1fd92cee8c
Instruction ID: 11b4a54618522773e24c87c61a5ae0698ef3753d0572e478934bf627a9af3e4d
Opcode Fuzzy Hash: 3df620e6f56fed35df7db23a5fb737e99bc134c531457ebd52aecf1fd92cee8c
Instruction Fuzzy Hash: BEE020353101445BC6187A6AF85985FBF5DE7C5265B40443DF90987304DEB95C0443B0

Uniqueness

Uniqueness Score: -1.00%

Function 014BC511, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8e1b6f444bb7e520a67245fa3592ef5bf24b4fc820b7cc1b32432306c3640cd
Instruction ID: cd7fae4e77e4972369f12c35f28b7a17bdf4fca4bdb388fc2340bb3ea115be70
Opcode Fuzzy Hash: f8e1b6f444bb7e520a67245fa3592ef5bf24b4fc820b7cc1b32432306c3640cd
Instruction Fuzzy Hash: 5BE0CD3350421C27D714DDE59C957DE7F5DC791164F1109AE961CEB310ED315D4003D4

Uniqueness

Uniqueness Score: -1.00%

Function 014B42F1, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a16892b0bd55836e95e69e2ec0d73b506ec746a7a9f825dc31a1bde332234a4
Instruction ID: dfa3c1099ce7d78fe55a4fe76e4734e4b1fac93f3eaed29f96734bd09cf1a80e
Opcode Fuzzy Hash: 4a16892b0bd55836e95e69e2ec0d73b506ec746a7a9f825dc31a1bde332234a4
Instruction Fuzzy Hash: 74E01A39704514CFCB48DB68D4548A837B1EF4971571400A6EA1ACB7B1D7319D12DB41

Uniqueness

Uniqueness Score: -1.00%

Function 014BD140, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01016475f358e453963dc1da5363bd7a545bbf8c49a5db929a79ccbaddcae22f
Instruction ID: adbca950ec7a3500168704c1ac43555c679146df35245c3802f5a34000706af7
Opcode Fuzzy Hash: 01016475f358e453963dc1da5363bd7a545bbf8c49a5db929a79ccbaddcae22f
Instruction Fuzzy Hash: AAE08C7AA122448FDB09EF25E58930A3BE3EB84344F418078A445A724ADE3D8C058B40

Uniqueness

Uniqueness Score: -1.00%

Function 014B6578, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fb22bbc6e9c64d75ba60889d43f449f0c4ddeeda465d429b3cb7acba212306b
Instruction ID: 195316ea74ffd23de6aab768a5f24b3445a064b78f7270ba7440fe22980cf98e
Opcode Fuzzy Hash: 3fb22bbc6e9c64d75ba60889d43f449f0c4ddeeda465d429b3cb7acba212306b
Instruction Fuzzy Hash: 5DE0C23A60401483E60C6A48E86574B2B15E7D8324F154068A50A8B34AEB7DCC0623D0

Uniqueness

Uniqueness Score: -1.00%

Function 014BF658, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fdd2a7441d8c32a20fb5d4ca5fee39ffb04758613ef73995c44527a5fbd3cf6
Instruction ID: 86611eedb3e3def5f87b719b50289ab4de054ad270e8706938a77583a8f9cff5
Opcode Fuzzy Hash: 7fdd2a7441d8c32a20fb5d4ca5fee39ffb04758613ef73995c44527a5fbd3cf6
Instruction Fuzzy Hash: 73E09AB0D0420D9F8B94DFA9D4415BEBFF4AB48200F10816AE918E2240E6345651CFD5

Uniqueness

Uniqueness Score: -1.00%

Function 014B7880, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8d00f501077d89d6bf4ce5c8b161af4552afe5c7694c6c896cb6dcdef25a7d5
Instruction ID: 66a5b8352c05dbc70933d129506617cc4f704a872722f5e0bb25ebdd452961a5
Opcode Fuzzy Hash: e8d00f501077d89d6bf4ce5c8b161af4552afe5c7694c6c896cb6dcdef25a7d5
Instruction Fuzzy Hash: F7E0EC365011159FCA44AA94F5C678977A5E78431DF06846DD8066B344DB3CAC8DCF94

Uniqueness

Uniqueness Score: -1.00%

Function 014B6F48, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cb2ee88904fec42441e07644dfb47b59fd95d99eeeac0319387b771848d10ee
Instruction ID: f40ba834eecd1a409007023fd65d23e618e877321c314ade0fd654e35606f284
Opcode Fuzzy Hash: 3cb2ee88904fec42441e07644dfb47b59fd95d99eeeac0319387b771848d10ee
Instruction Fuzzy Hash: 44E04639201015CBCEA1AA54F4957D937A6EBC4319F4248A9E8246B2C0CB3C2CCACBD0

Uniqueness

Uniqueness Score: -1.00%

Function 014B101D, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0350525c2029dee68f9ccbf0638f5ae0ee6e7bb52c868b40be02d2366640d06e
Instruction ID: c942645978cda6685cfeebcb56d76f16f27ffabb5e134e64d8750642f1ce5f58
Opcode Fuzzy Hash: 0350525c2029dee68f9ccbf0638f5ae0ee6e7bb52c868b40be02d2366640d06e
Instruction Fuzzy Hash: 64E0C274808010CBE7210F29A0E92EA3B60F305F10F0C0473D407C6369DA3419034772

Uniqueness

Uniqueness Score: -1.00%

Function 014B3F60, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b76ad618df6ba2ad2f85686485287625730fa5f34c02e430452a1ad393cb839f
Instruction ID: 1125fb18bd268558a6eb3c0d88cbd455537dab7bd52879dc896bcdd03f72ffcd
Opcode Fuzzy Hash: b76ad618df6ba2ad2f85686485287625730fa5f34c02e430452a1ad393cb839f
Instruction Fuzzy Hash: A1E0C23804D3C08FD3268BA460043A13FE46712A25F4C00AAD09486D57D1A95880C763

Uniqueness

Uniqueness Score: -1.00%

Function 014B3F99, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd8db5d0502d72d651a54282037d16cdcf6452cf85acc2c4e8ae4d66c6603dd
Instruction ID: 70122b3325658d1a39dea79dc350cba4c91d84978fe4ecd96e6b0b844c143c56
Opcode Fuzzy Hash: 6cd8db5d0502d72d651a54282037d16cdcf6452cf85acc2c4e8ae4d66c6603dd
Instruction Fuzzy Hash: 08D0A771D053886FC7D0EEFD684529177E4A930A1874846EAC46887106F57244128FE1

Uniqueness

Uniqueness Score: -1.00%

Function 014B1190, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68323dc6bd180d9e6aab946960b7c9b86667cd7b5c94182b922ddc8a77272829
Instruction ID: 54c3fcc7cf0d28bbb69985aa9a5ce72689e6313c781005e9d692ff3905801811
Opcode Fuzzy Hash: 68323dc6bd180d9e6aab946960b7c9b86667cd7b5c94182b922ddc8a77272829
Instruction Fuzzy Hash: 04E0C23104C3C5DFC3868AE04CAD1D63FA1AB0A400B5C049DD84287222E6141A42A320

Uniqueness

Uniqueness Score: -1.00%

Function 014BC520, Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec990e2424c06387a02198e7e0e6eda7f220daced4b31e499500075ed4c78f56
Instruction ID: 7824834ebc2c19004a3ec8e562d7d756f6405573faf06c29a6ab522cefadbb82
Opcode Fuzzy Hash: ec990e2424c06387a02198e7e0e6eda7f220daced4b31e499500075ed4c78f56
Instruction Fuzzy Hash: 1BD0223260832C2B0704DAE968148CFBFADCA80174F0100AAC20CEB300EE701E4003D8

Uniqueness

Uniqueness Score: -1.00%

Function 014B40C0, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e21ca3737eb09efecf5238f1ce16c3bd33ee399e9dc63413459eb022318a047
Instruction ID: bd8436f62aac107df6a9c72b93e599e8113a48506bc33656794516f339868460
Opcode Fuzzy Hash: 3e21ca3737eb09efecf5238f1ce16c3bd33ee399e9dc63413459eb022318a047
Instruction Fuzzy Hash: F1C02B36009B0C6FE3951378AC023C43B9CCF5673578500B3F04CC2801D10B0443C392

Uniqueness

Uniqueness Score: -1.00%

Function 014B3EA1, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9efa87d77882185b2b2f13a6aa9f5204c0e3fdebb37dfbf85d325a18147932af
Instruction ID: ca43165c7b1980c03309232bf936c8e2a9679d7e1d279cf65dfb4341fdaf6a96
Opcode Fuzzy Hash: 9efa87d77882185b2b2f13a6aa9f5204c0e3fdebb37dfbf85d325a18147932af
Instruction Fuzzy Hash: 21C080320093585FC34227B454181C13BEDBD5263438C00D6F004C7022E65D1541C767

Uniqueness

Uniqueness Score: -1.00%

Function 014B3FA8, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9a60a02434de15140dbc37b4c52260b98efd2ca2019187a4d0e23fa17ce6308
Instruction ID: 6b9d4bd8c3aebc8611ed36e929d35a64dbe4f8ece06b16ef22ea0452b8d1ba4b
Opcode Fuzzy Hash: e9a60a02434de15140dbc37b4c52260b98efd2ca2019187a4d0e23fa17ce6308
Instruction Fuzzy Hash: 5FC08C64D492C85B4A00FAFA2802126BBA85910604B4089E688AD87642F93680228BE2

Uniqueness

Uniqueness Score: -1.00%

Function 014B6399, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 921c64592ad1b4ff8a4153caf7266178b55687a9ce6379d297430acad896d2d8
Instruction ID: d010a69f7ade4dee84ac156d7e607020bd2db60b92b111cdb38b40136ae33c23
Opcode Fuzzy Hash: 921c64592ad1b4ff8a4153caf7266178b55687a9ce6379d297430acad896d2d8
Instruction Fuzzy Hash: 5AC0922E6940264AE21F269CC8663AD09139BD0128FDA86B80188CBFC5DF1EC8072395

Uniqueness

Uniqueness Score: -1.00%

Function 014BC4F0, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51580cbfec2839e905ea374ec7ee233268bc58d65ee226f57cb88bb56fa22e93
Instruction ID: 3861901c0c5139ccafbe7874e79b66b9082538e526c0614fabe4b9c87d136f25
Opcode Fuzzy Hash: 51580cbfec2839e905ea374ec7ee233268bc58d65ee226f57cb88bb56fa22e93
Instruction Fuzzy Hash: B2C0483611000487EF548B14C88A797BB66EB90380F79189891AAA7640DA35AE16DB81

Uniqueness

Uniqueness Score: -1.00%

Function 014B3F70, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c3e142d3f9af31aa6d004ebb0ca44f29dc9f08e86561abdd3d2f036f3410fc1
Instruction ID: 010ef810708bb46f6f595740aff4eb7cd1c347cbe07fc372751c220e281651ad
Opcode Fuzzy Hash: 1c3e142d3f9af31aa6d004ebb0ca44f29dc9f08e86561abdd3d2f036f3410fc1
Instruction Fuzzy Hash: 4BC08C6C08C3C99FF33ECAE670083613FD86301B2AF0800B5D4E881E4BC6A550D0D321

Uniqueness

Uniqueness Score: -1.00%

Function 014B18D3, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8c879f36976f78df9d59e176172a140c45b34e59ad783bd3dd22597b7c3a08e
Instruction ID: 3d1421aa6503a48fa4bebcb06f68c41d13b795d100a04f648bf518725bdffa4c
Opcode Fuzzy Hash: a8c879f36976f78df9d59e176172a140c45b34e59ad783bd3dd22597b7c3a08e
Instruction Fuzzy Hash: 88C09B3CA04055CBC7588E50DCD49ED73757745708F1084F6990663214C6349D43CE50

Uniqueness

Uniqueness Score: -1.00%

Function 014B2CE7, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e526730e556deff0c062b7a48c3124b91ec8a6526605d59dea43cf886592b3
Instruction ID: 4d83cc8297c20d58ad620ed9d2fa8010dd898f017441b18618ba001a3044abaf
Opcode Fuzzy Hash: a8e526730e556deff0c062b7a48c3124b91ec8a6526605d59dea43cf886592b3
Instruction Fuzzy Hash: E8B092A0105000CBE7952A2AA0EE3EC1711B320F02F054623E003445AB8EA444430322

Uniqueness

Uniqueness Score: -1.00%

Function 014B40D0, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 119a19d12f59ec398a4d7d0c5e6ae04b5324b71d4d41f9c74e1f7e20b5dcc426
Instruction ID: 73207fefdece8548ec72473ace022a97c807de0ad92e0e32b621f53d8831828b
Opcode Fuzzy Hash: 119a19d12f59ec398a4d7d0c5e6ae04b5324b71d4d41f9c74e1f7e20b5dcc426
Instruction Fuzzy Hash: 05900235045A0C8B456427957809699775C99D49267810071B55D419055A55649086D5

Uniqueness

Uniqueness Score: -1.00%

Function 014B4300, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13eb7d67f39a166c2b999276470e3840d653548812ead353a603f0fd00631ddd
Instruction ID: 71c8ee69a862fdaa2463612b8652fd203d75da94229c9ad5318ae38c83fddb3f
Opcode Fuzzy Hash: 13eb7d67f39a166c2b999276470e3840d653548812ead353a603f0fd00631ddd
Instruction Fuzzy Hash: 50902232008A0C8F0A2023A03008280330CA0008223800020B00C208000A8820800280

Uniqueness

Uniqueness Score: -1.00%

Function 014B3EB0, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3153370b933cc73a237b1272577ec30b8a1332c789ef210cd0aa132a9d3407ad
Instruction ID: c36463898d6fa780686412745b65ef255f9997471b1c71b2740127a82c6f5e7f
Opcode Fuzzy Hash: 3153370b933cc73a237b1272577ec30b8a1332c789ef210cd0aa132a9d3407ad
Instruction Fuzzy Hash: F790023504560C8B465437E5750A655779C95449157840061A51D419055E556550469D

Uniqueness

Uniqueness Score: -1.00%

Function 014B336B, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3898cf9a749db1f316a43dd0cd0d35e9068f805d7696c8d5dcfdbae075746f1f
Instruction ID: 8a3b614d93ceaca4dd596bfa559ab8efc4a536a990e49afb09b0aa9e72ded2a7
Opcode Fuzzy Hash: 3898cf9a749db1f316a43dd0cd0d35e9068f805d7696c8d5dcfdbae075746f1f
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 014B344D, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.547985710.00000000014B0000.00000040.00000001.sdmp, Offset: 014B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 140203bfba12830c158ecdbcbb28d474d93c97bb47fff231a2cc54f7c0d12ad1
Instruction ID: 28b9845631ecdcc9f6a36bff801829d56f0d9adc3073efb694f7c5d3b188665e
Opcode Fuzzy Hash: 140203bfba12830c158ecdbcbb28d474d93c97bb47fff231a2cc54f7c0d12ad1
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00A336C4, Relevance: 1.1, Instructions: 1096
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E00A336C4(signed int __eax, void* __ebx, intOrPtr* __ecx, intOrPtr* __edx, signed int __edi, intOrPtr* __esi) {
				signed int _t202;
				intOrPtr* _t203;
				intOrPtr* _t204;
				signed int _t205;
				signed int _t206;
				intOrPtr* _t207;
				intOrPtr* _t208;
				intOrPtr* _t209;
				intOrPtr* _t210;
				signed char _t213;
				intOrPtr* _t216;
				intOrPtr* _t217;
				intOrPtr* _t218;
				intOrPtr* _t219;
				intOrPtr* _t220;
				intOrPtr* _t221;
				intOrPtr* _t223;
				signed int _t226;
				signed int _t228;
				signed int _t229;
				signed int _t230;
				signed int _t231;
				intOrPtr* _t232;
				intOrPtr* _t233;
				signed char _t234;
				intOrPtr* _t235;
				signed char _t236;
				intOrPtr* _t237;
				intOrPtr* _t238;
				signed int _t240;
				signed int _t241;
				signed char _t242;
				signed char _t244;
				intOrPtr* _t245;
				intOrPtr* _t246;
				intOrPtr* _t247;
				intOrPtr* _t248;
				signed int _t249;
				signed int _t250;
				intOrPtr* _t252;
				signed char _t253;
				signed int* _t254;
				signed int* _t255;
				intOrPtr* _t256;
				signed char _t257;
				signed char _t258;
				intOrPtr* _t260;
				intOrPtr* _t261;
				intOrPtr* _t262;
				intOrPtr* _t263;
				intOrPtr* _t264;
				intOrPtr* _t265;
				intOrPtr* _t266;
				intOrPtr* _t269;
				intOrPtr* _t270;
				intOrPtr* _t271;
				intOrPtr* _t272;
				intOrPtr* _t273;
				intOrPtr* _t274;
				intOrPtr* _t275;
				intOrPtr* _t276;
				intOrPtr* _t277;
				intOrPtr* _t278;
				intOrPtr* _t279;
				intOrPtr* _t280;
				intOrPtr* _t281;
				intOrPtr* _t283;
				intOrPtr* _t284;
				intOrPtr* _t285;
				intOrPtr* _t286;
				intOrPtr* _t287;
				intOrPtr* _t288;
				intOrPtr* _t289;
				intOrPtr* _t291;
				signed int _t292;
				signed int _t293;
				intOrPtr* _t294;
				intOrPtr* _t295;
				intOrPtr* _t296;
				intOrPtr* _t299;
				intOrPtr* _t300;
				intOrPtr* _t301;
				intOrPtr* _t303;
				intOrPtr* _t305;
				intOrPtr* _t307;
				intOrPtr* _t309;
				intOrPtr* _t311;
				intOrPtr* _t313;
				intOrPtr* _t314;
				intOrPtr* _t316;
				intOrPtr* _t317;
				intOrPtr* _t319;
				intOrPtr* _t320;
				intOrPtr* _t323;
				void* _t325;
				intOrPtr* _t327;
				intOrPtr* _t328;
				void* _t332;
				void* _t333;
				intOrPtr* _t334;
				intOrPtr* _t335;
				intOrPtr* _t336;
				void* _t337;
				intOrPtr* _t338;
				signed char _t339;
				intOrPtr* _t340;
				void* _t341;
				void* _t342;
				intOrPtr* _t343;
				intOrPtr* _t344;
				intOrPtr* _t345;
				intOrPtr* _t346;
				intOrPtr* _t347;
				intOrPtr* _t348;
				signed char _t349;
				void* _t350;
				intOrPtr* _t354;
				intOrPtr* _t355;
				signed int* _t356;
				intOrPtr* _t357;
				intOrPtr* _t360;
				intOrPtr* _t362;
				intOrPtr* _t363;
				void* _t364;
				void* _t365;
				intOrPtr* _t366;
				void* _t367;
				void* _t368;
				void* _t369;
				void* _t370;
				void* _t371;
				void* _t372;
				void* _t373;
				void* _t374;

				_t202 = __eax ^ 0xf8000000;
				 *_t202 =  *_t202 + _t202;
				 *__esi =  *__esi + __ecx;
				 *_t202 =  *_t202 + _t202;
				 *_t202 =  *_t202 + _t202;
				 *_t202 =  *_t202 + _t202;
				 *__edx =  *__edx + _t202;
				 *_t202 =  *_t202 + _t202;
				 *((intOrPtr*)(__esi + 0x34000001)) =  *((intOrPtr*)(__esi + 0x34000001)) + _t202;
				 *_t202 =  *_t202 + _t202;
				 *_t202 =  *_t202 + _t202;
				 *__esi =  *__esi + __ecx;
				 *_t202 =  *_t202 + _t202;
				 *_t202 =  *_t202 + _t202;
				 *_t202 =  *_t202 + _t202;
				 *_t202 =  *_t202 + _t202;
				 *_t202 =  *_t202 + _t202;
				 *__esi =  *__esi + __ecx;
				 *_t202 =  *_t202 + _t202;
				_t354 = __edx + __ebx + _t202;
				 *_t202 =  *_t202 + _t202;
				_t203 = _t202 + _t354;
				 *_t203 =  *_t203 + _t203;
				 *__esi =  *__esi + _t203;
				 *_t203 =  *_t203 + _t203;
				 *__esi =  *__esi + __ecx;
				 *_t203 =  *_t203 + _t203;
				 *_t203 =  *_t203 + _t203;
				 *_t203 =  *_t203 + _t203;
				 *((intOrPtr*)(_t362 + 0x63000000)) =  *((intOrPtr*)(_t362 + 0x63000000)) + _t203;
				 *_t203 =  *_t203 + _t203;
				 *_t203 =  *_t203 + __ecx;
				_t204 = _t203 +  *_t203;
				 *__esi =  *__esi + _t204;
				 *_t204 =  *_t204 + _t204;
				 *__esi =  *__esi + __ecx;
				 *_t204 =  *_t204 + _t204;
				 *_t354 =  *_t354 + __ebx;
				 *((intOrPtr*)(_t362 + 2)) =  *((intOrPtr*)(_t362 + 2)) - _t204;
				 *__esi =  *__esi + _t204;
				_t205 = _t204 -  *_t204;
				asm("sbb esi, [eax]");
				 *_t205 =  *_t205 | _t205;
				_t206 = _t205;
				 *_t206 =  *_t206 + _t206;
				 *_t206 =  *_t206 & _t206;
				 *__ecx =  *__ecx + _t354;
				 *_t206 =  *_t206 + _t206;
				asm("adc al, 0x2a");
				asm("les eax, [eax]");
				 *_t206 =  *_t206 + _t206;
				 *_t206 =  *_t206 + _t206;
				_t332 = __ecx + 1 + __ebx;
				 *_t206 =  *_t206 + _t206;
				 *((intOrPtr*)(__ebx - 0x68000000)) =  *((intOrPtr*)(__ebx - 0x68000000)) + __ebx;
				 *_t206 =  *_t206 + _t206;
				 *__esi =  *__esi + _t206;
				 *_t206 =  *_t206 + _t206;
				 *__esi =  *__esi + _t332;
				 *_t206 =  *_t206 + _t206;
				 *_t354 =  *_t354 + _t206;
				 *_t206 =  *_t206 + _t206;
				_t325 = __ebx + _t332;
				 *_t206 =  *_t206 + _t206;
				_t207 = _t206 + _t206;
				 *_t207 =  *_t207 + _t207;
				 *((intOrPtr*)(__edi + 0xf000001)) =  *((intOrPtr*)(__edi + 0xf000001)) + _t332;
				 *_t207 =  *_t207 + _t207;
				 *_t207 =  *_t207 + _t207;
				 *_t207 =  *_t207 + _t207;
				 *_t207 =  *_t207 + _t207;
				 *_t207 =  *_t207 + _t207;
				_t208 = _t207 + _t325;
				 *_t208 =  *_t208 + _t208;
				 *_t208 =  *_t208 + _t208;
				_t327 = _t325 + _t332 + _t208;
				 *_t208 =  *_t208 + _t208;
				 *__esi =  *__esi + _t208;
				 *_t208 =  *_t208 + _t208;
				 *__esi =  *__esi + _t332;
				 *_t208 =  *_t208 + _t208;
				 *_t208 =  *_t208 + _t208;
				 *_t208 =  *_t208 + _t208;
				 *((intOrPtr*)(_t354 + _t208)) =  *((intOrPtr*)(_t354 + _t208)) + _t208;
				 *_t208 =  *_t208 + _t208;
				asm("wait");
				 *_t208 =  *_t208 + _t208;
				 *((intOrPtr*)(__edi + 0x6000002)) =  *((intOrPtr*)(__edi + 0x6000002)) + _t327;
				 *_t208 =  *_t208 + _t208;
				 *0x2010000 =  *0x2010000 + _t327;
				 *_t208 =  *_t208 + _t208;
				_t355 = _t354 + _t354;
				 *_t208 =  *_t208 + _t208;
				_t209 = _t208 + _t208;
				 *_t209 =  *_t209 + _t209;
				 *((intOrPtr*)(__esi + 0xf000002)) =  *((intOrPtr*)(__esi + 0xf000002)) + _t355;
				 *_t209 =  *_t209 + _t209;
				 *_t209 =  *_t209 + _t209;
				 *_t209 =  *_t209 + _t209;
				 *_t209 =  *_t209 + _t209;
				 *_t209 =  *_t209 + _t209;
				 *__edi =  *__edi + _t209;
				 *_t209 =  *_t209 + _t209;
				 *((intOrPtr*)(_t327 - 0x35fffffe)) =  *((intOrPtr*)(_t327 - 0x35fffffe)) + _t209;
				_t210 = _t209 +  *_t209;
				 *__esi =  *__esi + _t210;
				 *_t210 =  *_t210 + _t210;
				 *0x2010000 =  *0x2010000 + _t327;
				 *_t210 =  *_t210 + _t210;
				 *_t327 =  *_t327 + _t327;
				 *_t210 =  *_t210 + _t210;
				_t333 = _t332 + _t210;
				_t213 = _t210 +  *_t210 + _t210 +  *_t210 +  *((intOrPtr*)(_t210 +  *_t210 + _t210 +  *_t210));
				 *0 =  *0 + _t333;
				 *_t213 =  *_t213 + _t213;
				 *_t213 =  *_t213 + _t213;
				 *_t213 =  *_t213 + _t213;
				 *((intOrPtr*)(_t213 + _t213)) =  *((intOrPtr*)(_t213 + _t213)) + _t355;
				 *_t213 =  *_t213 + _t213;
				asm("fiadd word [edx]");
				 *_t213 =  *_t213 + _t213;
				asm("repne add al, [eax]");
				 *__esi =  *__esi + _t213;
				 *_t213 =  *_t213 + _t213;
				 *__esi =  *__esi + _t333;
				 *_t213 =  *_t213 + _t213;
				 *_t327 =  *_t327 + _t327;
				 *0x400 =  *0x400 ^ _t213;
				 *_t355 =  *_t355 + _t213;
				 *_t213 =  *_t213 + _t213;
				asm("adc [eax], eax");
				 *((intOrPtr*)(_t355 + _t362)) =  *((intOrPtr*)(_t355 + _t362)) + _t355;
				 *((intOrPtr*)(_t213 + _t213)) =  *((intOrPtr*)(_t213 + _t213)) + __esi;
				 *_t355 =  *_t355 + _t213;
				_t334 = _t333 + _t333;
				 *((intOrPtr*)(0xe00 + __edi * 8)) =  *((intOrPtr*)(0xe00 + __edi * 8)) + _t355;
				 *_t213 =  *_t213 + _t213;
				_t216 =  *0x1319000;
				 *_t216 =  *_t216 + _t216;
				_t217 = _t362;
				_t363 = _t216;
				 *((intOrPtr*)(__esi + 0xe060143)) =  *((intOrPtr*)(__esi + 0xe060143)) + _t334;
				 *_t217 =  *_t217 + _t217;
				 *_t217 =  *_t217 + _t217;
				 *((intOrPtr*)(_t327 + 1)) =  *((intOrPtr*)(_t327 + 1)) + _t327;
				asm("adc al, 0x6f");
				 *__esi =  *__esi + _t217;
				 *_t217 =  *_t217 + _t217;
				 *_t355 =  *_t355 + _t327;
				 *((intOrPtr*)(_t363 + 2)) =  *((intOrPtr*)(_t363 + 2)) - _t217;
				 *__esi =  *__esi + _t217;
				_t218 = _t217 -  *_t217;
				asm("adc al, [eax]");
				 *((intOrPtr*)(_t355 + _t363)) =  *((intOrPtr*)(_t355 + _t363)) + _t355;
				 *_t218 =  *_t218 + _t218;
				 *_t355 =  *_t355 + _t355;
				 *_t218 =  *_t218 + _t218;
				 *_t355 =  *_t355 + _t334;
				 *_t218 =  *_t218 + _t218;
				 *_t355 =  *_t355 + _t355;
				 *_t218 =  *_t218 + _t218;
				asm("adc al, 0x2a");
				 *_t218 =  *_t218 + _t218;
				 *_t355 =  *_t355 + _t355;
				 *_t218 =  *_t218 + _t218;
				 *_t355 =  *_t355 + _t334;
				 *_t218 =  *_t218 + _t218;
				 *_t355 =  *_t355 + _t355;
				 *_t218 =  *_t218 + _t218;
				asm("adc al, 0x2a");
				 *_t218 =  *_t218 + _t218;
				 *_t355 =  *_t355 + _t355;
				 *_t218 =  *_t218 + _t218;
				 *_t355 =  *_t355 + _t334;
				 *_t218 =  *_t218 + _t218;
				 *_t355 =  *_t355 + _t355;
				 *_t218 =  *_t218 + _t218;
				ss = cs;
				_t219 = _t218 -  *_t218;
				 *_t219 =  *_t219 + _t219;
				asm("adc al, [eax]");
				 *_t219 =  *_t219 + _t219;
				_t220 = _t219 -  *_t219;
				 *_t220 =  *_t220 + _t220;
				asm("adc al, [eax]");
				 *_t220 =  *_t220 + _t220;
				_t221 = _t220 -  *_t220;
				 *_t221 =  *_t221 + _t221;
				asm("sbb ch, [eax]");
				_t364 = _t363 + 1;
				_t223 = _t221 +  *_t221 -  *((intOrPtr*)(_t221 +  *_t221));
				asm("adc al, [eax]");
				 *((intOrPtr*)(_t355 + _t364)) =  *((intOrPtr*)(_t355 + _t364)) + _t355;
				 *_t223 =  *_t223 + _t223;
				 *_t355 =  *_t355 + _t355;
				 *_t223 =  *_t223 + _t223;
				 *_t355 =  *_t355 + _t334;
				 *_t223 =  *_t223 + _t223;
				 *_t355 =  *_t355 + _t355;
				 *_t223 =  *_t223 + _t223;
				 *_t355 =  *_t355 + _t334;
				 *_t223 =  *_t223 + _t223;
				 *_t355 =  *_t355 + _t327;
				 *((intOrPtr*)(_t364 + 2)) =  *((intOrPtr*)(_t364 + 2)) - _t223;
				 *__esi =  *__esi + _t223;
				asm("adc esi, [eax]");
				_t226 = _t223 -  *_t223;
				 *_t226 =  *_t226 + _t226;
				 *_t226 =  *_t226 + _t226;
				 *_t226 =  *_t226 + _t226;
				 *_t226 =  *_t226 + _t226;
				asm("adc al, 0x2a");
				asm("sbb esi, [eax]");
				_t228 = _t226 |  *_t226;
				 *_t228 =  *_t228 + _t228;
				_t229 = _t228 &  *_t228;
				 *_t334 =  *_t334 + _t355;
				 *_t229 =  *_t229 + _t229;
				asm("adc al, 0x2a");
				_t335 = _t334 + 1;
				 *_t229 =  *_t229 + _t229;
				_t230 = _t229 +  *_t229;
				 *_t230 =  *_t230 + _t230;
				_t231 = _t230 | 0xc2000001;
				 *_t231 =  *_t231 + _t231;
				_t328 = _t327 + _t335;
				 *_t231 =  *_t231 + _t231;
				 *__esi =  *__esi + _t335;
				 *_t231 =  *_t231 + _t231;
				 *_t231 =  *_t231 + _t231;
				 *_t231 =  *_t231 + _t231;
				 *_t231 =  *_t231 + _t231;
				 *_t231 =  *_t231 + _t231;
				 *__esi =  *__esi + _t231;
				 *_t231 =  *_t231 + _t231;
				_t232 = _t231 + _t328;
				 *_t232 =  *_t232 + _t232;
				_t356 = _t355 + _t232;
				 *_t232 =  *_t232 + _t232;
				 *__esi =  *__esi + _t232;
				 *_t232 =  *_t232 + _t232;
				 *__esi =  *__esi + _t335;
				 *_t232 =  *_t232 + _t232;
				 *_t232 =  *_t232 + _t232;
				 *_t232 =  *_t232 + _t232;
				 *((intOrPtr*)(_t232 + _t232)) =  *((intOrPtr*)(_t232 + _t232)) + _t356;
				 *_t232 =  *_t232 + _t232;
				 *_t232 =  *_t232 + _t232;
				asm("in eax, dx");
				 *_t232 =  *_t232 + _t232;
				 *__esi =  *__esi + _t232;
				 *_t232 =  *_t232 + _t232;
				 *__esi =  *__esi + _t335;
				 *_t232 =  *_t232 + _t232;
				 *_t356 = _t356 +  *_t356;
				 *_t232 =  *_t232 + _t232;
				 *_t356 =  *_t356 + _t335;
				 *_t232 =  *_t232 + _t232;
				 *_t356 =  *_t356 + _t328;
				 *((intOrPtr*)(_t364 + 2)) =  *((intOrPtr*)(_t364 + 2)) - _t232;
				 *__esi =  *__esi + _t232;
				_t233 = _t232 -  *_t232;
				asm("adc al, [eax]");
				 *_t233 =  *_t233 + _t233;
				_t234 = _t233 -  *_t233;
				 *_t234 =  *_t234 + _t234;
				asm("adc al, [eax]");
				 *((intOrPtr*)(_t356 + _t364)) =  *((intOrPtr*)(_t356 + _t364)) + _t356;
				 *_t234 =  *_t234 + _t234;
				 *_t328 =  *_t328 + _t328;
				 *0x400 =  *0x400 ^ _t234;
				 *((intOrPtr*)(_t234 + _t234)) =  *((intOrPtr*)(_t234 + _t234)) + _t234;
				 *_t335 =  *_t335 + _t356;
				 *_t234 =  *_t234 + _t234;
				asm("adc al, 0x2a");
				 *_t234 =  *_t234 + _t356;
				 *_t234 =  *_t234 + _t234;
				 *_t234 =  *_t234 + _t234;
				asm("adc al, 0x0");
				_t365 = _t364 + 1;
				_t336 = es;
				 *__esi =  *__esi + _t234;
				 *_t234 =  *_t234 + _t234;
				 *_t356 =  *_t356 + _t328;
				 *((intOrPtr*)(_t365 + 2)) =  *((intOrPtr*)(_t365 + 2)) - _t234;
				 *__esi =  *__esi + _t234;
				_t235 = _t234 -  *_t234;
				asm("adc al, [eax]");
				 *_t235 =  *_t235 + _t235;
				_t236 = _t235 -  *_t235;
				 *_t236 =  *_t236 + _t236;
				asm("adc al, [eax]");
				 *((intOrPtr*)(_t356 + _t365)) =  *((intOrPtr*)(_t356 + _t365)) + _t356;
				 *_t236 =  *_t236 + _t236;
				 *_t328 =  *_t328 + _t328;
				 *0x400 =  *0x400 ^ _t236;
				 *((intOrPtr*)(_t236 + _t236)) =  *((intOrPtr*)(_t236 + _t236)) + _t236;
				 *_t336 =  *_t336 + _t356;
				 *_t236 =  *_t236 + _t236;
				asm("adc al, 0x2a");
				 *_t236 =  *_t236 + _t356;
				 *_t236 =  *_t236 + _t236;
				 *_t236 =  *_t236 + _t236;
				asm("adc al, 0x0");
				_t366 = _t365 + 1;
				_t337 = cs;
				 *__esi =  *__esi + _t236;
				_push(cs);
				 *_t236 =  *_t236 + _t236;
				 *_t356 =  *_t356 + _t328;
				 *((intOrPtr*)(_t366 + 2)) =  *((intOrPtr*)(_t366 + 2)) - _t236;
				 *__esi =  *__esi + _t236;
				_t237 = _t236 -  *_t236;
				asm("adc esi, [eax]");
				_push(es);
				 *((intOrPtr*)(_t237 + _t237)) =  *((intOrPtr*)(_t237 + _t237)) + _t237;
				 *_t237 =  *_t237 + _t237;
				 *_t237 =  *_t237 + _t237;
				 *_t237 =  *_t237 + _t237;
				 *_t237 =  *_t237 + _t237;
				 *_t356 =  *_t356 + _t337;
				asm("adc al, [eax]");
				 *_t237 =  *_t237 + _t237;
				_t238 = _t237 -  *_t237;
				 *_t238 =  *_t238 + _t238;
				asm("sbb esi, [eax]");
				_t240 = _t238 +  *_t238;
				 *_t240 =  *_t240 + _t240;
				_t241 = _t240 & 0x00110000;
				 *((intOrPtr*)(_t356 + _t366)) =  *((intOrPtr*)(_t356 + _t366)) + _t356;
				 *_t241 =  *_t241 + _t356;
				 *_t241 =  *_t241 + _t241;
				_t242 = _t241 +  *_t241;
				asm("sbb al, [eax]");
				_t360 = __esi + 1;
				asm("pushad");
				 *_t360 =  *_t360 + _t337;
				 *_t242 =  *_t242 + _t242;
				 *_t242 =  *_t242 + _t242;
				asm("sbb esi, [eax]");
				_t244 = _t242 |  *_t242;
				 *_t244 =  *_t244 + _t244;
				 *[es:eax] =  *[es:eax] + _t244;
				asm("adc [eax], eax");
				 *((intOrPtr*)(_t356 + _t366)) =  *((intOrPtr*)(_t356 + _t366)) + _t356;
				_t338 = _t337 + 1;
				if (_t338 < 0) goto L1;
				 *_t356 =  *_t356 + _t244;
				 *_t244 =  *_t244 + _t244;
				_t245 = _t244 + _t338;
				 *_t245 =  *_t245 + _t245;
				 *((intOrPtr*)(_t360 + 0x6e000000)) =  *((intOrPtr*)(_t360 + 0x6e000000)) + _t245;
				_t246 = _t245 +  *_t245;
				 *_t360 =  *_t360 + _t338;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				_t247 = _t246 + _t246;
				 *_t247 =  *_t247 + _t247;
				 *((intOrPtr*)(_t366 - 0x7effffff)) =  *((intOrPtr*)(_t366 - 0x7effffff)) + _t328;
				_t248 = _t247 +  *_t247;
				 *_t360 =  *_t360 + _t248;
				 *_t248 =  *_t248 + _t248;
				 *_t360 =  *_t360 + _t338;
				 *_t248 =  *_t248 + _t248;
				 *_t356 =  *_t356 + _t248;
				 *_t248 =  *_t248 + _t248;
				 *((intOrPtr*)(__edi - 0x1f000000)) =  *((intOrPtr*)(__edi - 0x1f000000)) + _t356;
				 *_t248 =  *_t248 + _t248;
				 *((intOrPtr*)(_t248 + 0xe000002)) =  *((intOrPtr*)(_t248 + 0xe000002)) + _t328;
				 *_t248 =  *_t248 + _t248;
				 *_t248 =  *_t248 + _t248;
				 *_t248 =  *_t248 + _t248;
				 *_t356 =  *_t356 + _t248;
				 *_t248 =  *_t248 + _t248;
				 *_t366 =  *_t366 + _t338;
				 *_t248 =  *_t248 + _t248;
				_t249 =  *_t356 * 0x2b60000;
				 *_t249 =  *_t249 + _t249;
				_t250 = _t249;
				 *_t250 =  *_t250 + _t250;
				 *_t250 =  *_t250 + _t250;
				 *_t250 =  *_t250 + _t250;
				 *((intOrPtr*)(_t250 + _t250)) =  *((intOrPtr*)(_t250 + _t250)) + _t356;
				 *_t250 =  *_t250 + _t250;
				 *2 =  *2 + 2;
				asm("enter 0x2, 0x0");
				 *2 =  *2 + 2;
				 *_t360 =  *_t360 + _t338;
				 *2 =  *2 + 2;
				 *_t356 =  *_t356 + _t328;
				 *((intOrPtr*)(_t366 + 2)) =  *((intOrPtr*)(_t366 + 2)) - 2;
				 *_t360 =  *_t360 + 2;
				_t252 = 2 -  *2;
				asm("adc al, [eax]");
				 *_t252 =  *_t252 + _t252;
				_t253 = _t252 -  *_t252;
				 *_t253 =  *_t253 + _t253;
				asm("adc al, [eax]");
				 *((intOrPtr*)(_t356 + _t366)) =  *((intOrPtr*)(_t356 + _t366)) + _t356;
				 *_t253 =  *_t253 + _t253;
				 *_t328 =  *_t328 + _t328;
				 *0x400 =  *0x400 ^ _t253;
				 *((intOrPtr*)(_t253 + _t253)) =  *((intOrPtr*)(_t253 + _t253)) + 2;
				 *_t338 =  *_t338 + _t356;
				 *_t253 =  *_t253 + _t253;
				asm("adc al, 0x2a");
				 *_t253 =  *_t253 + _t356;
				 *_t253 =  *_t253 + _t253;
				 *_t253 =  *_t253 + _t253;
				asm("adc al, 0x0");
				_t367 = _t366 + 1;
				_t339 = es;
				 *_t360 =  *_t360 + _t253;
				_push(cs);
				 *_t253 =  *_t253 + _t253;
				 *_t356 =  *_t356 + _t328;
				 *((intOrPtr*)(_t367 + 2)) =  *((intOrPtr*)(_t367 + 2)) - _t253;
				 *_t360 =  *_t360 + _t253;
				_t254 = _t253 -  *_t253;
				asm("adc al, [eax]");
				 *((intOrPtr*)(_t356 + _t367)) =  *((intOrPtr*)(_t356 + _t367)) + _t356;
				 *_t254 = _t254 +  *_t254;
				 *_t356 = _t356 +  *_t356;
				 *_t254 = _t254 +  *_t254;
				 *_t356 =  *_t356 + _t339;
				 *_t254 = _t254 +  *_t254;
				 *_t328 =  *_t328 + _t328;
				 *_t254 =  *_t254 ^ _t339;
				 *((intOrPtr*)(_t254 + _t254)) =  *((intOrPtr*)(_t254 + _t254)) + _t254;
				 *_t254 = _t254 +  *_t254;
				asm("daa");
				 *_t254 = _t254 +  *_t254;
				asm("adc [eax], eax");
				 *((intOrPtr*)(_t356 + _t367)) =  *((intOrPtr*)(_t356 + _t367)) + _t356;
				 *_t254 = _t356 +  *_t254;
				 *_t254 = _t254 +  *_t254;
				 *_t254 = _t254 +  *_t254;
				_t255 = _t254 - 0xf2c500;
				_push(es);
				_push(cs);
				 *_t255 = _t255 +  *_t255;
				 *_t328 =  *_t328 + _t328;
				 *_t255 =  *_t255 ^ _t339;
				 *((intOrPtr*)(_t255 + _t255)) =  *((intOrPtr*)(_t255 + _t255)) + _t255;
				 *_t255 = _t255 +  *_t255;
				 *_t255 =  *_t255 - _t255;
				 *_t339 =  *_t339 + _t356;
				 *_t255 = _t255 +  *_t255;
				asm("adc al, 0x2a");
				_t340 = _t339 + 1;
				 *_t255 = _t255 +  *_t255;
				 *_t255 = _t255 +  *_t255;
				 *_t255 = _t255 +  *_t255;
				 *_t255 = _t255 +  *_t255;
				 *_t356 =  *_t356 + _t328;
				 *_t255 = _t255 +  *_t255;
				 *((intOrPtr*)(_t360 + 1)) =  *((intOrPtr*)(_t360 + 1)) + 2;
				 *_t255 = _t255 +  *_t255;
				_push(es);
				 *_t255 = _t255 +  *_t255;
				 *0x2010000 =  *0x2010000 + _t328;
				 *_t255 = _t255 +  *_t255;
				 *__edi =  *__edi + _t328;
				 *_t255 = _t255 +  *_t255;
				 *_t360 =  *_t360 + _t328;
				 *_t255 = _t255 +  *_t255;
				 *((intOrPtr*)(_t367 + 1)) =  *((intOrPtr*)(_t367 + 1)) + _t328;
				 *_t255 = _t255 +  *_t255;
				_push(cs);
				 *_t255 = _t255 +  *_t255;
				 *_t255 = _t255 +  *_t255;
				 *_t255 = _t255 +  *_t255;
				 *_t255 = _t255 +  *_t255;
				 *_t255 = _t255 +  *_t255;
				 *((intOrPtr*)(_t255 + _t255)) =  *((intOrPtr*)(_t255 + _t255)) + _t356;
				 *_t255 = _t255 +  *_t255;
				asm("outsd");
				_t256 = _t255 +  *_t255;
				 *((intOrPtr*)(_t328 + 0x6000002)) =  *((intOrPtr*)(_t328 + 0x6000002)) + _t256;
				 *_t256 =  *_t256 + _t256;
				 *_t360 =  *_t360 + _t340;
				 *_t256 =  *_t256 + _t256;
				 *_t356 = _t356 +  *_t356;
				 *_t256 =  *_t256 + _t256;
				 *_t356 =  *_t356 + _t340;
				 *_t256 =  *_t256 + _t256;
				 *_t356 =  *_t356 + _t328;
				 *((intOrPtr*)(_t367 + 2)) =  *((intOrPtr*)(_t367 + 2)) - _t256;
				 *_t360 =  *_t360 + _t256;
				_t257 = _t256 -  *_t256;
				asm("adc al, [eax]");
				 *((intOrPtr*)(_t356 + _t367)) =  *((intOrPtr*)(_t356 + _t367)) + _t356;
				 *_t257 =  *_t257 + _t257;
				 *_t328 =  *_t328 + _t328;
				 *__edi =  *__edi ^ _t257;
				 *((intOrPtr*)(_t257 + _t257)) =  *((intOrPtr*)(_t257 + _t257)) + _t257;
				 *_t257 =  *_t257 + _t257;
				_t258 = _t257 & 0x00000000;
				 *_t340 =  *_t340 + _t356;
				 *_t258 =  *_t258 + _t258;
				asm("adc al, 0x2a");
				 *_t258 =  *_t258 + _t356;
				 *_t258 =  *_t258 + _t258;
				 *_t258 =  *_t258 + _t258;
				asm("adc al, 0x0");
				asm("pushfd");
				_push(es);
				 *0 =  *0;
				 *_t328 =  *_t328 + _t328;
				 *__edi =  *__edi ^ 0x00000000;
				 *((intOrPtr*)(0)) =  *((intOrPtr*)(0));
				 *0 =  *0;
				 *0 =  *0;
				 *_t340 =  *_t340 + _t356;
				 *0 =  *0;
				asm("adc al, 0x2a");
				_t341 = _t340 + 1;
				if (_t341 < 0) goto L2;
				 *0 =  *0;
				 *0 =  *0;
				 *((intOrPtr*)(_t367 + 0x28000000)) =  *((intOrPtr*)(_t367 + 0x28000000)) + _t341;
				 *0 =  *0;
				 *((intOrPtr*)(_t367 + 0x6000000)) =  *((intOrPtr*)(_t367 + 0x6000000)) + _t356;
				 *0 =  *0;
				 *_t360 =  *_t360 + _t341;
				 *0 =  *0;
				 *_t356 =  *_t356;
				 *0 =  *0;
				 *_t356 =  *_t356 + _t328;
				 *0 =  *0;
				 *0 =  *0;
				_t260 = 0 + _t341;
				 *_t260 =  *_t260;
				 *_t260 =  *_t260 + _t328;
				 *_t260 =  *_t260;
				 *_t260 =  *_t260;
				 *_t260 =  *_t260;
				 *_t260 =  *_t260;
				 *_t260 =  *_t260;
				 *_t260 =  *_t260;
				 *_t260 =  *_t260;
				 *_t260 =  *_t260;
				 *_t360 =  *_t360;
				 *_t260 =  *_t260;
				 *_t360 =  *_t360 + _t341;
				 *_t260 =  *_t260;
				 *_t356 =  *_t356 + _t260;
				 *_t260 =  *_t260;
				 *_t328 =  *_t328 + _t356;
				 *_t260 =  *_t260;
				_t342 = _t341 + _t341;
				 *_t260 =  *_t260;
				 *_t260 =  *_t260;
				 *_t260 =  *_t260 + _t260;
				 *_t360 =  *_t360 + _t342;
				 *_t260 =  *_t260;
				 *_t260 =  *_t260;
				 *_t260 =  *_t260;
				 *_t260 =  *_t260;
				 *_t260 =  *_t260;
				 *((intOrPtr*)(_t260 + _t260)) =  *((intOrPtr*)(_t260 + _t260)) + _t356;
				 *_t260 =  *_t260;
				_t343 = _t342 + 1;
				 *_t260 =  *_t260 + _t260;
				 *((intOrPtr*)(_t367 + 1)) =  *((intOrPtr*)(_t367 + 1)) + _t356;
				 *_t260 =  *_t260;
				 *_t260 =  *_t260;
				 *_t360 =  *_t360 + _t343;
				 *_t260 =  *_t260;
				 *_t356 = _t356 +  *_t356;
				 *_t260 =  *_t260;
				 *_t356 =  *_t356 + _t343;
				 *_t260 =  *_t260;
				 *_t356 =  *_t356 + _t328;
				 *((intOrPtr*)(_t367 + 2)) =  *((intOrPtr*)(_t367 + 2));
				 *_t360 =  *_t360;
				_t261 = _t260 -  *_t260;
				asm("adc al, [eax]");
				 *_t261 =  *_t261;
				_t262 = _t261 -  *_t261;
				 *_t262 =  *_t262;
				asm("adc al, [eax]");
				 *((intOrPtr*)(_t356 + _t367)) =  *((intOrPtr*)(_t356 + _t367)) + _t356;
				 *_t262 =  *_t262;
				 *_t328 =  *_t328 + _t328;
				 *0x400 =  *0x400 ^ 0x00000000;
				 *((intOrPtr*)(_t262 + _t262)) =  *((intOrPtr*)(_t262 + _t262)) + 2;
				 *_t343 =  *_t343 + _t356;
				 *_t262 =  *_t262;
				asm("adc al, 0x2a");
				 *_t262 =  *_t262 + _t356;
				 *_t262 =  *_t262;
				 *_t262 =  *_t262;
				asm("adc al, 0x0");
				_t368 = _t367 + 1;
				_t344 = es;
				 *_t360 =  *_t360;
				 *_t262 =  *_t262;
				 *_t356 =  *_t356 + _t328;
				 *((intOrPtr*)(_t368 + 2)) =  *((intOrPtr*)(_t368 + 2));
				 *_t360 =  *_t360;
				_t263 = _t262 -  *_t262;
				asm("adc al, [eax]");
				 *_t263 =  *_t263;
				_t264 = _t263 -  *_t263;
				 *_t264 =  *_t264;
				asm("adc al, [eax]");
				 *((intOrPtr*)(_t356 + _t368)) =  *((intOrPtr*)(_t356 + _t368)) + _t356;
				 *_t264 =  *_t264;
				 *_t328 =  *_t328 + _t328;
				 *0x400 =  *0x400 ^ 0x00000000;
				 *((intOrPtr*)(_t264 + _t264)) =  *((intOrPtr*)(_t264 + _t264)) + 2;
				 *_t344 =  *_t344 + _t356;
				 *_t264 =  *_t264;
				asm("adc al, 0x2a");
				 *_t264 =  *_t264 + _t356;
				 *_t264 =  *_t264;
				 *_t264 =  *_t264;
				asm("adc al, 0x0");
				_t345 = cs;
				asm("insd");
				 *_t360 =  *_t360;
				 *_t264 =  *_t264;
				 *_t356 =  *_t356 + _t328;
				 *((intOrPtr*)(_t368 + 2)) =  *((intOrPtr*)(_t368 + 2));
				 *_t360 =  *_t360;
				_t265 = _t264 -  *_t264;
				asm("adc al, [eax]");
				 *_t265 =  *_t265;
				_t266 = _t265 -  *_t265;
				 *_t266 =  *_t266;
				asm("adc al, [eax]");
				 *((intOrPtr*)(_t356 + _t368)) =  *((intOrPtr*)(_t356 + _t368)) + _t356;
				 *_t266 =  *_t266;
				 *_t328 =  *_t328 + _t328;
				 *0x400 =  *0x400 ^ 0x00000000;
				 *((intOrPtr*)(_t266 + _t266)) =  *((intOrPtr*)(_t266 + _t266)) + 2;
				 *_t345 =  *_t345 + _t356;
				 *_t266 =  *_t266;
				asm("adc al, 0x2a");
				 *_t266 =  *_t266 + _t356;
				 *_t266 =  *_t266;
				 *_t266 =  *_t266;
				asm("adc al, 0x0");
				_t369 = _t368 + 1;
				_t346 = cs;
				 *_t360 =  *_t360;
				 *_t266 =  *_t266;
				 *_t356 =  *_t356 + _t328;
				 *((intOrPtr*)(_t369 + 2)) =  *((intOrPtr*)(_t369 + 2));
				 *_t360 =  *_t360;
				asm("sbb esi, [eax]");
				_t269 = _t266 -  *_t266 +  *((intOrPtr*)(_t266 -  *_t266));
				 *_t269 =  *_t269;
				asm("adc al, [eax]");
				 *_t346 =  *_t346 + _t356;
				 *_t269 =  *_t269;
				asm("adc al, 0x2a");
				 *_t269 =  *_t269 + _t356;
				 *_t269 =  *_t269;
				 *_t269 =  *_t269;
				 *__edi =  *__edi + _t346;
				 *_t346 =  *_t346;
				asm("sbb esi, [eax]");
				es = cs;
				 *((intOrPtr*)(_t269 + _t269)) =  *((intOrPtr*)(_t269 + _t269));
				 *_t269 =  *_t269;
				_t270 = _t269 -  *_t269;
				 *_t346 =  *_t346 + _t356;
				 *_t270 =  *_t270;
				asm("adc al, 0x2a");
				_t347 = _t346 + 1;
				asm("sbb al, 0x0");
				 *_t270 =  *_t270;
				 *_t270 =  *_t270;
				 *((intOrPtr*)(_t270 + _t270)) =  *((intOrPtr*)(_t270 + _t270)) + _t356;
				 *_t270 =  *_t270;
				_t271 = _t270 + 0x19000001;
				 *_t271 =  *_t271 + _t271;
				 *_t360 =  *_t360;
				 *_t271 =  *_t271;
				 *_t360 =  *_t360 + _t347;
				 *_t271 =  *_t271;
				 *_t356 = _t356 +  *_t356;
				 *_t271 =  *_t271;
				 *_t356 =  *_t356 + _t347;
				 *_t271 =  *_t271;
				 *_t356 =  *_t356 + _t328;
				 *((intOrPtr*)(_t369 + 2)) =  *((intOrPtr*)(_t369 + 2));
				 *_t360 =  *_t360;
				_t272 = _t271 -  *_t271;
				asm("adc al, [eax]");
				 *_t272 =  *_t272;
				_t273 = _t272 -  *_t272;
				 *_t273 =  *_t273;
				asm("adc al, [eax]");
				 *((intOrPtr*)(_t356 + _t369)) =  *((intOrPtr*)(_t356 + _t369)) + _t356;
				 *_t273 =  *_t273;
				 *_t328 =  *_t328 + _t328;
				 *0x400 =  *0x400 ^ 0x00000000;
				 *((intOrPtr*)(_t273 + _t273)) =  *((intOrPtr*)(_t273 + _t273)) + 2;
				 *_t347 =  *_t347 + _t356;
				 *_t273 =  *_t273;
				asm("adc al, 0x2a");
				 *_t273 =  *_t273 + _t356;
				 *_t273 =  *_t273;
				 *_t273 =  *_t273;
				asm("adc al, 0x0");
				_t370 = _t369 + 1;
				_t348 = cs;
				 *_t360 =  *_t360;
				 *_t273 =  *_t273;
				 *_t356 =  *_t356 + _t328;
				 *((intOrPtr*)(_t370 + 2)) =  *((intOrPtr*)(_t370 + 2));
				 *_t360 =  *_t360;
				_t274 = _t273 -  *_t273;
				asm("adc al, [eax]");
				 *_t274 =  *_t274;
				_t275 = _t274 -  *_t274;
				 *_t275 =  *_t275;
				asm("adc al, [eax]");
				 *((intOrPtr*)(_t356 + _t370)) =  *((intOrPtr*)(_t356 + _t370)) + _t356;
				 *_t275 =  *_t275;
				 *_t328 =  *_t328 + _t328;
				 *0x400 =  *0x400 ^ 0x00000000;
				 *((intOrPtr*)(_t275 + _t275)) =  *((intOrPtr*)(_t275 + _t275)) + 2;
				 *_t348 =  *_t348 + _t356;
				 *_t275 =  *_t275;
				asm("adc al, 0x2a");
				 *_t275 =  *_t275 + _t356;
				 *_t275 =  *_t275;
				 *_t275 =  *_t275;
				asm("adc al, 0x0");
				_t371 = _t370 + 1;
				_t349 = cs;
				 *_t360 =  *_t360;
				 *_t275 =  *_t275;
				 *_t356 =  *_t356 + _t328;
				 *((intOrPtr*)(_t371 + 2)) =  *((intOrPtr*)(_t371 + 2));
				 *_t360 =  *_t360;
				_t276 = _t275 -  *_t275;
				asm("adc al, [eax]");
				 *_t276 =  *_t276;
				_t277 = _t276 -  *_t276;
				 *_t277 =  *_t277;
				asm("adc al, [eax]");
				 *((intOrPtr*)(_t356 + _t371)) =  *((intOrPtr*)(_t356 + _t371)) + _t356;
				 *_t277 =  *_t277;
				 *_t328 =  *_t328 + _t328;
				 *0x400 =  *0x400 ^ 0x00000000;
				 *((intOrPtr*)(_t277 + _t277)) =  *((intOrPtr*)(_t277 + _t277)) + 2;
				 *_t349 = _t356 +  *_t349;
				 *_t277 =  *_t277;
				asm("adc al, 0x2a");
				 *_t277 =  *_t277 + _t356;
				 *_t277 =  *_t277;
				 *_t277 =  *_t277;
				asm("adc al, 0x0");
				_t278 = cs;
				asm("insb");
				 *_t360 =  *_t360;
				 *_t278 =  *_t278;
				 *_t356 =  *_t356 + _t328;
				 *((intOrPtr*)(_t371 + 2)) =  *((intOrPtr*)(_t371 + 2));
				 *_t360 =  *_t360;
				_t279 = _t278 -  *_t278;
				asm("adc al, [eax]");
				 *((intOrPtr*)(_t356 + _t371)) =  *((intOrPtr*)(_t356 + _t371)) + _t356;
				 *_t279 =  *_t279;
				 *_t328 =  *_t328 + _t328;
				 *_t349 =  *_t349 ^ _t349;
				 *((intOrPtr*)(_t279 + _t279)) =  *((intOrPtr*)(_t279 + _t279));
				 *_t279 =  *_t279;
				_t280 = _t279 -  *_t279;
				 *_t349 = _t356 +  *_t349;
				 *_t280 =  *_t280;
				asm("adc al, 0x2a");
				 *_t280 =  *_t280 + _t356;
				 *_t280 =  *_t280;
				 *_t280 =  *_t280;
				asm("adc al, 0x0");
				asm("cmpsd");
				 *_t349 =  *_t349;
				asm("adc al, [eax]");
				 *_t280 =  *_t280;
				_t281 = _t280 -  *_t280;
				 *_t281 =  *_t281;
				asm("sbb ch, [eax]");
				_t372 = _t371 + 1;
				_t283 = _t281 +  *_t281 -  *((intOrPtr*)(_t281 +  *_t281));
				asm("adc al, [eax]");
				 *((intOrPtr*)(_t356 + _t372)) =  *((intOrPtr*)(_t356 + _t372)) + _t356;
				 *_t283 =  *_t283;
				 *0xe0600 = 0xe0600 +  *0xe0600;
				 *__edi =  *__edi ^ 0x00000000;
				 *((intOrPtr*)(_t283 + _t283)) =  *((intOrPtr*)(_t283 + _t283));
				 *_t283 =  *_t283;
				_t284 = _t283 -  *_t283;
				 *_t349 = _t356 +  *_t349;
				 *_t284 =  *_t284;
				asm("adc al, 0x2a");
				 *_t284 =  *_t284 + _t356;
				 *_t284 =  *_t284;
				 *_t284 =  *_t284;
				asm("adc al, 0x0");
				asm("outsb");
				 *_t284 =  *_t284 + 6;
				 *_t284 =  *_t284;
				 *_t356 = _t356 +  *_t356;
				 *_t284 =  *_t284;
				 *_t356 =  *_t356 + _t349;
				 *_t284 =  *_t284;
				 *_t356 = 0xe0600 +  *_t356;
				 *((intOrPtr*)(_t372 + 2)) =  *((intOrPtr*)(_t372 + 2));
				 *_t360 =  *_t360;
				_t285 = _t284 -  *_t284;
				asm("adc al, [eax]");
				 *_t285 =  *_t285;
				_t286 = _t285 -  *_t285;
				 *_t286 =  *_t286;
				asm("sbb esi, [eax]");
				_t287 = _t286 + 0x400;
				 *((intOrPtr*)(_t287 + _t287)) =  *((intOrPtr*)(_t287 + _t287)) + _t349;
				 *_t349 = _t356 +  *_t349;
				 *_t287 =  *_t287;
				ss = cs;
				_t288 = _t287 -  *_t349;
				asm("adc [eax], al");
				 *_t288 =  *_t288;
				 *_t360 =  *_t360 + _t349;
				 *0x1d08004b =  *0x1d08004b + 0xe0600;
				 *_t288 =  *_t288;
				 *0xe0600 = 0xe0600 +  *0xe0600;
				 *0xe0600 =  *0xe0600 ^ 0x00000000;
				 *((intOrPtr*)(_t288 + _t288)) =  *((intOrPtr*)(_t288 + _t288));
				 *_t288 =  *_t288;
				asm("sbb al, 0x0");
				 *_t349 = _t356 +  *_t349;
				 *_t288 =  *_t288;
				ss = es;
				_t289 = _t288 -  *_t349;
				asm("adc [eax], al");
				 *_t289 =  *_t289;
				 *_t360 =  *_t360 + _t349;
				 *0xe0600 = 0xe0600 +  *0xe0600;
				 *_t289 =  *_t289 - _t289;
				 *_t349 =  *_t349;
				asm("sbb esi, [eax]");
				_t291 = _t289 +  *_t289;
				 *_t291 =  *_t291;
				asm("sbb al, 0x0");
				 *_t349 = _t356 +  *_t349;
				 *_t291 =  *_t291;
				ss = cs;
				_t292 = _t291 -  *_t349;
				asm("adc [eax], al");
				 *_t292 =  *_t292;
				 *_t360 =  *_t360 + _t349;
				 *0xe0600 = _t356 +  *0xe0600;
				 *_t292 =  *_t292 & _t292;
				 *0x1b010000 =  *0x1b010000 | 0x000e0600;
				 *(_t292 + _t292) =  *(_t292 + _t292) ^ 0x00000000;
				_t293 = _t292;
				 *_t293 =  *_t293;
				asm("sbb al, 0x0");
				 *_t349 = _t356 +  *_t349;
				 *_t293 =  *_t293;
				ss = _t356;
				_t294 = _t293 -  *_t349;
				asm("adc [eax], al");
				 *_t294 =  *_t294;
				 *_t360 =  *_t360 + _t349;
				 *0x1d0f0023 =  *0x1d0f0023 + _t356;
				 *_t294 =  *_t294;
				 *0xe0600 = 0xe0600 +  *0xe0600;
				 *(_t294 + _t294) =  *(_t294 + _t294) ^ 0x00000000;
				_t295 = _t294;
				 *_t295 =  *_t295;
				asm("sbb al, 0x0");
				 *_t349 = _t356 +  *_t349;
				 *_t295 =  *_t295;
				ss = cs;
				_t296 = _t295 -  *_t349;
				asm("adc [eax], al");
				 *_t296 =  *_t296;
				 *_t360 =  *_t360 + _t349;
				 *_t356 = _t356 +  *_t356;
				 *_t296 =  *_t296 + _t349;
				asm("sbb eax, 0x12010000");
				 *_t296 =  *_t296;
				 *_t356 =  *_t356 + _t349;
				 *_t296 =  *_t296;
				 *0xe0600 =  *0xe0600;
				 *0xe0600 =  *0xe0600 ^ 0x00000000;
				 *((intOrPtr*)(_t296 + _t296)) =  *((intOrPtr*)(_t296 + _t296));
				 *_t296 =  *_t296;
				 *_t296 =  *_t296;
				 *_t296 =  *_t296;
				 *_t296 =  *_t296;
				 *_t356 =  *_t356 + _t349;
				asm("sbb ch, [eax]");
				_t373 = _t372 + 1;
				_push(es);
				asm("adc al, [eax]");
				 *__edi = _t356 +  *__edi;
				_t299 = _t296 +  *_t296 -  *((intOrPtr*)(_t296 +  *_t296)) -  *((intOrPtr*)(_t296 +  *_t296 -  *((intOrPtr*)(_t296 +  *_t296))));
				 *_t299 =  *_t299;
				asm("sbb esi, [eax]");
				_t300 = _t299 + 0x400;
				 *_t300 =  *_t300;
				 *_t300 =  *_t300;
				 *_t300 =  *_t300;
				 *__edi = _t356 +  *__edi;
				_t301 = _t300 -  *_t349;
				asm("adc [eax], al");
				 *_t301 =  *_t301;
				 *_t360 =  *_t360 + _t349;
				 *((intOrPtr*)(__edi + 0x6d)) =  *((intOrPtr*)(__edi + 0x6d)) + 0xe0600;
				 *_t360 =  *_t360;
				_push(cs);
				 *_t301 =  *_t301;
				 *_t356 = _t356 +  *_t356;
				 *_t301 =  *_t301;
				 *_t356 =  *_t356 + _t349;
				 *_t301 =  *_t301;
				 *_t356 = 0xe0600 +  *_t356;
				 *((intOrPtr*)(_t373 + 2)) =  *((intOrPtr*)(_t373 + 2));
				 *_t360 =  *_t360;
				asm("adc al, [eax]");
				 *__edi = _t356 +  *__edi;
				_t303 = _t301 -  *_t301 -  *((intOrPtr*)(_t301 -  *_t301));
				 *_t303 =  *_t303;
				asm("sbb esi, [eax]");
				_push(es);
				 *((intOrPtr*)(_t303 + _t303)) =  *((intOrPtr*)(_t303 + _t303));
				 *_t303 =  *_t303;
				 *__edi = _t356 +  *__edi;
				_t305 = _t303 - 0x110000 -  *_t349;
				asm("adc [eax], al");
				 *_t305 =  *_t305;
				 *_t360 =  *_t360 + _t349;
				 *((intOrPtr*)(_t373 - 0x7d)) =  *((intOrPtr*)(_t373 - 0x7d)) + _t356;
				 *_t360 =  *_t360;
				_push(cs);
				 *_t305 =  *_t305;
				 *_t356 = _t356 +  *_t356;
				 *_t305 =  *_t305;
				 *_t356 =  *_t356 + _t349;
				 *_t305 =  *_t305;
				 *_t356 = 0xe0600 +  *_t356;
				 *((intOrPtr*)(_t373 + 2)) =  *((intOrPtr*)(_t373 + 2));
				 *_t360 =  *_t360;
				asm("adc al, [eax]");
				 *__edi = _t356 +  *__edi;
				_t307 = _t305 -  *_t305 -  *((intOrPtr*)(_t305 -  *_t305));
				 *_t307 =  *_t307;
				asm("sbb esi, [eax]");
				 *((intOrPtr*)(_t307 + _t307)) =  *((intOrPtr*)(_t307 + _t307));
				 *_t307 =  *_t307;
				 *__edi = _t356 +  *__edi;
				_t309 = _t307 - 0x110000 -  *_t349;
				asm("adc [eax], al");
				 *_t309 =  *_t309;
				 *_t360 =  *_t360 + _t349;
				 *__edi = 0xe0600 +  *__edi;
				_t374 = _t373 - 1;
				 *_t360 =  *_t360;
				 *_t309 =  *_t309;
				 *_t356 = _t356 +  *_t356;
				 *_t309 =  *_t309;
				 *_t356 =  *_t356 + _t349;
				 *_t309 =  *_t309;
				 *_t356 = 0xe0600 +  *_t356;
				 *((intOrPtr*)(_t374 + 2)) =  *((intOrPtr*)(_t374 + 2));
				 *_t360 =  *_t360;
				asm("adc al, [eax]");
				 *__edi = _t356 +  *__edi;
				_t311 = _t309 -  *_t309 -  *((intOrPtr*)(_t309 -  *_t309));
				 *_t311 =  *_t311;
				asm("sbb esi, [eax]");
				_t313 = _t311 +  *_t311;
				 *_t313 =  *_t313;
				 *_t313 =  *_t313;
				 *_t313 =  *_t313;
				 *_t313 =  *_t313;
				ss = cs;
				_t314 = _t313 -  *_t349;
				asm("adc [eax], al");
				 *_t314 =  *_t314;
				 *_t360 =  *_t360 + _t349;
				 *_t349 = _t356 +  *_t349;
				ds = es;
				 *_t360 =  *_t360;
				_push(cs);
				 *_t314 =  *_t314;
				 *_t356 = _t356 +  *_t356;
				 *_t314 =  *_t314;
				 *_t356 =  *_t356 + _t349;
				 *_t314 =  *_t314;
				 *_t356 = 0xe0600 +  *_t356;
				 *((intOrPtr*)(_t374 + 2)) =  *((intOrPtr*)(_t374 + 2));
				 *_t360 =  *_t360;
				asm("adc esi, [eax]");
				_t316 = _t314 -  *_t314 + 0x400;
				 *_t316 =  *_t316;
				 *_t316 =  *_t316;
				 *_t316 =  *_t316;
				 *_t316 =  *_t316;
				_t357 = _t356 -  *_t356;
				 *_t316 =  *_t316;
				asm("adc al, 0x2a");
				 *_t316 =  *_t316;
				 *_t357 =  *_t357 + _t316;
				 *0x200002c =  *0x200002c + _t357;
				_t317 = _t316 -  *_t316;
				 *_t317 =  *_t317;
				asm("sbb esi, [eax]");
				_t319 = _t317 +  *_t317;
				 *_t319 =  *_t319;
				 *[cs:eax] =  *[cs:eax];
				asm("adc [eax], eax");
				 *((intOrPtr*)(_t357 + _t374)) =  *((intOrPtr*)(_t357 + _t374)) + _t357;
				 *_t319 =  *_t319 + _t374;
				 *_t319 =  *_t319;
				_t320 = _t319 +  *_t319;
				_t350 = _t349 - 1;
				 *((intOrPtr*)(_t357 - 0x6d)) =  *((intOrPtr*)(_t357 - 0x6d)) + _t350;
				 *_t360 =  *_t360 + _t350;
				 *_t320 =  *_t320;
				 *_t320 =  *_t320;
				asm("sbb eax, [eax]");
				_t323 = _t360;
				 *_t323 =  *_t323 + _t323;
				asm("adc al, 0x0");
				asm("scasd");
				return _t323;
			}

0x00a336c4
0x00a336c9
0x00a336cb
0x00a336cd
0x00a336cf
0x00a336d1
0x00a336d3
0x00a336d5
0x00a336d7
0x00a336dd
0x00a336e1
0x00a336e3
0x00a336e5
0x00a336e7
0x00a336e9
0x00a336eb
0x00a336ed
0x00a336ef
0x00a336f1
0x00a336f3
0x00a336f5
0x00a336f7
0x00a336f9
0x00a336fb
0x00a336fd
0x00a336ff
0x00a33701
0x00a33703
0x00a33705
0x00a33707
0x00a3370d
0x00a3370f
0x00a33711
0x00a33713
0x00a33715
0x00a33717
0x00a33719
0x00a3371b
0x00a3371d
0x00a33720
0x00a33722
0x00a33724
0x00a33726
0x00a33728
0x00a3372a
0x00a3372c
0x00a3372e
0x00a33730
0x00a33732
0x00a33735
0x00a33737
0x00a33739
0x00a3373b
0x00a3373d
0x00a3373f
0x00a33745
0x00a33747
0x00a33749
0x00a3374b
0x00a3374d
0x00a3374f
0x00a33751
0x00a33753
0x00a33755
0x00a33757
0x00a33759
0x00a3375b
0x00a33761
0x00a33763
0x00a33765
0x00a33767
0x00a33769
0x00a3376b
0x00a3376d
0x00a33771
0x00a33773
0x00a33775
0x00a33777
0x00a33779
0x00a3377b
0x00a3377d
0x00a3377f
0x00a33781
0x00a33783
0x00a33786
0x00a33788
0x00a33789
0x00a3378b
0x00a33791
0x00a33793
0x00a33799
0x00a3379b
0x00a3379d
0x00a3379f
0x00a337a1
0x00a337a3
0x00a337a9
0x00a337ab
0x00a337ad
0x00a337af
0x00a337b1
0x00a337b3
0x00a337b5
0x00a337b7
0x00a337bd
0x00a337bf
0x00a337c1
0x00a337c3
0x00a337c9
0x00a337cb
0x00a337cd
0x00a337cf
0x00a337d5
0x00a337d7
0x00a337dd
0x00a337df
0x00a337e1
0x00a337e3
0x00a337e6
0x00a337e8
0x00a337ea
0x00a337ec
0x00a337ef
0x00a337f1
0x00a337f3
0x00a337f5
0x00a337f7
0x00a337f9
0x00a337ff
0x00a33801
0x00a33803
0x00a33805
0x00a33808
0x00a3380b
0x00a3380d
0x00a3380f
0x00a33816
0x00a3381f
0x00a33824
0x00a33826
0x00a33826
0x00a33827
0x00a3382d
0x00a3382f
0x00a33831
0x00a33834
0x00a33836
0x00a33839
0x00a3383b
0x00a3383d
0x00a33840
0x00a33842
0x00a33844
0x00a33846
0x00a33849
0x00a3384b
0x00a3384d
0x00a3384f
0x00a33851
0x00a33853
0x00a33855
0x00a33857
0x00a33859
0x00a3385b
0x00a3385d
0x00a3385f
0x00a33861
0x00a33863
0x00a33865
0x00a33867
0x00a33869
0x00a3386b
0x00a3386d
0x00a3386f
0x00a33871
0x00a33873
0x00a33875
0x00a33877
0x00a33878
0x00a3387a
0x00a3387c
0x00a3387e
0x00a33880
0x00a33882
0x00a33884
0x00a33886
0x00a33888
0x00a3388a
0x00a3388c
0x00a3388e
0x00a33892
0x00a33894
0x00a33896
0x00a33899
0x00a3389b
0x00a3389d
0x00a3389f
0x00a338a1
0x00a338a3
0x00a338a5
0x00a338a7
0x00a338a9
0x00a338ab
0x00a338ad
0x00a338b0
0x00a338b4
0x00a338b8
0x00a338ba
0x00a338bc
0x00a338be
0x00a338c0
0x00a338c2
0x00a338c4
0x00a338c8
0x00a338ca
0x00a338cc
0x00a338ce
0x00a338d0
0x00a338d2
0x00a338d4
0x00a338d6
0x00a338d8
0x00a338da
0x00a338dc
0x00a338e1
0x00a338e3
0x00a338e5
0x00a338e7
0x00a338e9
0x00a338eb
0x00a338ed
0x00a338ef
0x00a338f1
0x00a338f3
0x00a338f5
0x00a338f7
0x00a338f9
0x00a338fb
0x00a338fd
0x00a338ff
0x00a33901
0x00a33903
0x00a33905
0x00a33907
0x00a33909
0x00a3390b
0x00a3390e
0x00a33912
0x00a33914
0x00a33915
0x00a33917
0x00a33919
0x00a3391b
0x00a3391d
0x00a3391f
0x00a33921
0x00a33923
0x00a33925
0x00a33927
0x00a33929
0x00a3392c
0x00a3392e
0x00a33930
0x00a33932
0x00a33934
0x00a33936
0x00a33938
0x00a3393a
0x00a3393d
0x00a3393f
0x00a33941
0x00a33947
0x00a3394a
0x00a3394c
0x00a3394e
0x00a33950
0x00a33952
0x00a33954
0x00a33956
0x00a33958
0x00a33959
0x00a3395a
0x00a3395d
0x00a3395f
0x00a33961
0x00a33964
0x00a33966
0x00a33968
0x00a3396a
0x00a3396c
0x00a3396e
0x00a33970
0x00a33972
0x00a33975
0x00a33977
0x00a33979
0x00a3397f
0x00a33982
0x00a33984
0x00a33986
0x00a33988
0x00a3398a
0x00a3398c
0x00a3398e
0x00a33990
0x00a33991
0x00a33992
0x00a33994
0x00a33995
0x00a33997
0x00a33999
0x00a3399c
0x00a3399e
0x00a339a0
0x00a339a2
0x00a339a3
0x00a339a6
0x00a339a8
0x00a339aa
0x00a339ac
0x00a339ae
0x00a339b0
0x00a339b2
0x00a339b4
0x00a339b6
0x00a339b8
0x00a339bc
0x00a339be
0x00a339c0
0x00a339c5
0x00a339c8
0x00a339ca
0x00a339cc
0x00a339ce
0x00a339d0
0x00a339d1
0x00a339d2
0x00a339d4
0x00a339d6
0x00a339d8
0x00a339dc
0x00a339de
0x00a339e0
0x00a339e3
0x00a339e5
0x00a339e8
0x00a339e9
0x00a339eb
0x00a339ed
0x00a339ef
0x00a339f1
0x00a339f3
0x00a339f9
0x00a339fb
0x00a339fd
0x00a339ff
0x00a33a01
0x00a33a03
0x00a33a05
0x00a33a07
0x00a33a09
0x00a33a0b
0x00a33a11
0x00a33a13
0x00a33a15
0x00a33a17
0x00a33a19
0x00a33a1b
0x00a33a1d
0x00a33a1f
0x00a33a25
0x00a33a27
0x00a33a2d
0x00a33a2f
0x00a33a31
0x00a33a33
0x00a33a35
0x00a33a37
0x00a33a3a
0x00a33a3c
0x00a33a42
0x00a33a44
0x00a33a49
0x00a33a4b
0x00a33a4d
0x00a33a4f
0x00a33a52
0x00a33a56
0x00a33a58
0x00a33a5d
0x00a33a5f
0x00a33a61
0x00a33a63
0x00a33a65
0x00a33a68
0x00a33a6a
0x00a33a6c
0x00a33a6e
0x00a33a70
0x00a33a72
0x00a33a74
0x00a33a76
0x00a33a79
0x00a33a7b
0x00a33a7d
0x00a33a83
0x00a33a86
0x00a33a88
0x00a33a8a
0x00a33a8c
0x00a33a8e
0x00a33a90
0x00a33a92
0x00a33a94
0x00a33a95
0x00a33a96
0x00a33a98
0x00a33a99
0x00a33a9b
0x00a33a9d
0x00a33aa0
0x00a33aa2
0x00a33aa4
0x00a33aa6
0x00a33aa9
0x00a33aab
0x00a33aad
0x00a33aaf
0x00a33ab1
0x00a33ab3
0x00a33ab5
0x00a33ab7
0x00a33aba
0x00a33abc
0x00a33abd
0x00a33abf
0x00a33ac1
0x00a33ac4
0x00a33ac6
0x00a33ac8
0x00a33aca
0x00a33acf
0x00a33ad0
0x00a33ad1
0x00a33ad3
0x00a33ad5
0x00a33ad7
0x00a33ada
0x00a33adc
0x00a33ade
0x00a33ae0
0x00a33ae2
0x00a33ae4
0x00a33ae6
0x00a33ae8
0x00a33aea
0x00a33aed
0x00a33aef
0x00a33af1
0x00a33af3
0x00a33af6
0x00a33af8
0x00a33af9
0x00a33afb
0x00a33b01
0x00a33b03
0x00a33b05
0x00a33b07
0x00a33b09
0x00a33b0b
0x00a33b0e
0x00a33b10
0x00a33b11
0x00a33b13
0x00a33b15
0x00a33b17
0x00a33b19
0x00a33b1b
0x00a33b1e
0x00a33b20
0x00a33b21
0x00a33b23
0x00a33b29
0x00a33b2b
0x00a33b2d
0x00a33b2f
0x00a33b31
0x00a33b33
0x00a33b35
0x00a33b37
0x00a33b39
0x00a33b3c
0x00a33b3e
0x00a33b40
0x00a33b42
0x00a33b45
0x00a33b47
0x00a33b49
0x00a33b4b
0x00a33b4e
0x00a33b50
0x00a33b52
0x00a33b54
0x00a33b56
0x00a33b58
0x00a33b5a
0x00a33b5c
0x00a33b5e
0x00a33b60
0x00a33b63
0x00a33b65
0x00a33b67
0x00a33b69
0x00a33b6b
0x00a33b6e
0x00a33b70
0x00a33b72
0x00a33b74
0x00a33b76
0x00a33b78
0x00a33b79
0x00a33b7b
0x00a33b7d
0x00a33b7f
0x00a33b85
0x00a33b87
0x00a33b8d
0x00a33b8f
0x00a33b91
0x00a33b93
0x00a33b95
0x00a33b97
0x00a33b9a
0x00a33b9d
0x00a33b9f
0x00a33ba1
0x00a33ba3
0x00a33ba5
0x00a33ba7
0x00a33ba9
0x00a33bab
0x00a33bad
0x00a33baf
0x00a33bb2
0x00a33bb9
0x00a33bbb
0x00a33bbd
0x00a33bbf
0x00a33bc1
0x00a33bc3
0x00a33bc5
0x00a33bc7
0x00a33bc9
0x00a33bcb
0x00a33bcd
0x00a33bcf
0x00a33bd1
0x00a33bd3
0x00a33bd5
0x00a33bd7
0x00a33bd9
0x00a33bdb
0x00a33bdd
0x00a33bdf
0x00a33be2
0x00a33be4
0x00a33be5
0x00a33be7
0x00a33bea
0x00a33bed
0x00a33bef
0x00a33bf1
0x00a33bf3
0x00a33bf5
0x00a33bf7
0x00a33bf9
0x00a33bfb
0x00a33bfd
0x00a33c00
0x00a33c02
0x00a33c04
0x00a33c06
0x00a33c08
0x00a33c0a
0x00a33c0c
0x00a33c0e
0x00a33c11
0x00a33c13
0x00a33c15
0x00a33c1b
0x00a33c1e
0x00a33c20
0x00a33c22
0x00a33c24
0x00a33c26
0x00a33c28
0x00a33c2a
0x00a33c2c
0x00a33c2d
0x00a33c2e
0x00a33c31
0x00a33c33
0x00a33c35
0x00a33c38
0x00a33c3a
0x00a33c3c
0x00a33c3e
0x00a33c40
0x00a33c42
0x00a33c44
0x00a33c46
0x00a33c49
0x00a33c4b
0x00a33c4d
0x00a33c53
0x00a33c56
0x00a33c58
0x00a33c5a
0x00a33c5c
0x00a33c5e
0x00a33c60
0x00a33c62
0x00a33c64
0x00a33c65
0x00a33c66
0x00a33c69
0x00a33c6b
0x00a33c6d
0x00a33c70
0x00a33c72
0x00a33c74
0x00a33c76
0x00a33c78
0x00a33c7a
0x00a33c7c
0x00a33c7e
0x00a33c81
0x00a33c83
0x00a33c85
0x00a33c8b
0x00a33c8e
0x00a33c90
0x00a33c92
0x00a33c94
0x00a33c96
0x00a33c98
0x00a33c9a
0x00a33c9c
0x00a33c9d
0x00a33c9e
0x00a33ca1
0x00a33ca3
0x00a33ca5
0x00a33ca8
0x00a33cac
0x00a33cb0
0x00a33cb2
0x00a33cb4
0x00a33cb6
0x00a33cb8
0x00a33cba
0x00a33cbc
0x00a33cbe
0x00a33cc0
0x00a33cc3
0x00a33cca
0x00a33ccc
0x00a33cce
0x00a33ccf
0x00a33cd2
0x00a33cd4
0x00a33cd6
0x00a33cd8
0x00a33cda
0x00a33cdc
0x00a33cdd
0x00a33cdf
0x00a33ce1
0x00a33ce3
0x00a33ce6
0x00a33ce8
0x00a33ced
0x00a33cef
0x00a33cf1
0x00a33cf3
0x00a33cf5
0x00a33cf7
0x00a33cf9
0x00a33cfb
0x00a33cfd
0x00a33cff
0x00a33d01
0x00a33d04
0x00a33d06
0x00a33d08
0x00a33d0a
0x00a33d0c
0x00a33d0e
0x00a33d10
0x00a33d12
0x00a33d15
0x00a33d17
0x00a33d19
0x00a33d1f
0x00a33d22
0x00a33d24
0x00a33d26
0x00a33d28
0x00a33d2a
0x00a33d2c
0x00a33d2e
0x00a33d30
0x00a33d31
0x00a33d32
0x00a33d35
0x00a33d37
0x00a33d39
0x00a33d3c
0x00a33d3e
0x00a33d40
0x00a33d42
0x00a33d44
0x00a33d46
0x00a33d48
0x00a33d4a
0x00a33d4d
0x00a33d4f
0x00a33d51
0x00a33d57
0x00a33d5a
0x00a33d5c
0x00a33d5e
0x00a33d60
0x00a33d62
0x00a33d64
0x00a33d66
0x00a33d68
0x00a33d69
0x00a33d6a
0x00a33d6d
0x00a33d6f
0x00a33d71
0x00a33d74
0x00a33d76
0x00a33d78
0x00a33d7a
0x00a33d7c
0x00a33d7e
0x00a33d80
0x00a33d82
0x00a33d85
0x00a33d87
0x00a33d89
0x00a33d8f
0x00a33d92
0x00a33d94
0x00a33d96
0x00a33d98
0x00a33d9a
0x00a33d9c
0x00a33d9e
0x00a33da0
0x00a33da1
0x00a33da2
0x00a33da5
0x00a33da7
0x00a33da9
0x00a33dac
0x00a33dae
0x00a33db0
0x00a33db2
0x00a33db5
0x00a33db7
0x00a33db9
0x00a33dbb
0x00a33dbe
0x00a33dc0
0x00a33dc2
0x00a33dc4
0x00a33dc6
0x00a33dc8
0x00a33dca
0x00a33dcc
0x00a33dce
0x00a33dd0
0x00a33dd6
0x00a33dd8
0x00a33dda
0x00a33ddc
0x00a33dde
0x00a33de0
0x00a33de2
0x00a33de6
0x00a33de8
0x00a33dea
0x00a33ded
0x00a33def
0x00a33df1
0x00a33df3
0x00a33df6
0x00a33df8
0x00a33dfa
0x00a33dfc
0x00a33dfe
0x00a33e00
0x00a33e02
0x00a33e04
0x00a33e06
0x00a33e08
0x00a33e09
0x00a33e0d
0x00a33e0f
0x00a33e11
0x00a33e13
0x00a33e15
0x00a33e17
0x00a33e19
0x00a33e1c
0x00a33e1e
0x00a33e20
0x00a33e22
0x00a33e24
0x00a33e26
0x00a33e28
0x00a33e2a
0x00a33e2f
0x00a33e32
0x00a33e34
0x00a33e36
0x00a33e37
0x00a33e39
0x00a33e3b
0x00a33e3d
0x00a33e3f
0x00a33e45
0x00a33e47
0x00a33e49
0x00a33e4b
0x00a33e4e
0x00a33e50
0x00a33e52
0x00a33e54
0x00a33e56
0x00a33e57
0x00a33e59
0x00a33e5b
0x00a33e5d
0x00a33e5f
0x00a33e61
0x00a33e66
0x00a33e68
0x00a33e6c
0x00a33e6e
0x00a33e70
0x00a33e72
0x00a33e74
0x00a33e76
0x00a33e77
0x00a33e79
0x00a33e7b
0x00a33e7d
0x00a33e7f
0x00a33e81
0x00a33e83
0x00a33e89
0x00a33e8c
0x00a33e8e
0x00a33e90
0x00a33e92
0x00a33e94
0x00a33e96
0x00a33e97
0x00a33e99
0x00a33e9b
0x00a33e9d
0x00a33e9f
0x00a33ea5
0x00a33ea7
0x00a33ea9
0x00a33eac
0x00a33eae
0x00a33eb0
0x00a33eb2
0x00a33eb4
0x00a33eb6
0x00a33eb7
0x00a33eb9
0x00a33ebb
0x00a33ebd
0x00a33ebf
0x00a33ec2
0x00a33ec4
0x00a33ec9
0x00a33ecb
0x00a33ecd
0x00a33ecf
0x00a33ed1
0x00a33ed3
0x00a33ed6
0x00a33ed8
0x00a33eda
0x00a33edc
0x00a33ede
0x00a33ee0
0x00a33ee2
0x00a33ee5
0x00a33ee8
0x00a33eea
0x00a33eec
0x00a33eee
0x00a33ef0
0x00a33ef2
0x00a33ef7
0x00a33ef9
0x00a33efb
0x00a33efd
0x00a33eff
0x00a33f01
0x00a33f03
0x00a33f05
0x00a33f07
0x00a33f0a
0x00a33f0c
0x00a33f0d
0x00a33f0f
0x00a33f11
0x00a33f13
0x00a33f15
0x00a33f17
0x00a33f19
0x00a33f1c
0x00a33f20
0x00a33f22
0x00a33f24
0x00a33f26
0x00a33f28
0x00a33f2a
0x00a33f2b
0x00a33f2e
0x00a33f35
0x00a33f37
0x00a33f39
0x00a33f3b
0x00a33f3d
0x00a33f3f
0x00a33f42
0x00a33f44
0x00a33f45
0x00a33f47
0x00a33f49
0x00a33f4b
0x00a33f4d
0x00a33f4f
0x00a33f51
0x00a33f54
0x00a33f58
0x00a33f5a
0x00a33f5c
0x00a33f5e
0x00a33f60
0x00a33f63
0x00a33f66
0x00a33f6d
0x00a33f6f
0x00a33f71
0x00a33f73
0x00a33f75
0x00a33f77
0x00a33f79
0x00a33f7a
0x00a33f7d
0x00a33f7f
0x00a33f81
0x00a33f83
0x00a33f85
0x00a33f87
0x00a33f89
0x00a33f8c
0x00a33f90
0x00a33f92
0x00a33f94
0x00a33f96
0x00a33f98
0x00a33f9c
0x00a33f9e
0x00a33fa0
0x00a33fa2
0x00a33fa4
0x00a33fa6
0x00a33fa7
0x00a33fa9
0x00a33fab
0x00a33fad
0x00a33faf
0x00a33fb1
0x00a33fb2
0x00a33fb4
0x00a33fb5
0x00a33fb7
0x00a33fb9
0x00a33fbb
0x00a33fbd
0x00a33fbf
0x00a33fc1
0x00a33fc4
0x00a33fc8
0x00a33fca
0x00a33fcf
0x00a33fd1
0x00a33fd3
0x00a33fd5
0x00a33fd7
0x00a33fd9
0x00a33fdb
0x00a33fdd
0x00a33fdf
0x00a33fe1
0x00a33fe8
0x00a33fea
0x00a33fec
0x00a33ff0
0x00a33ff2
0x00a33ff4
0x00a33ff7
0x00a33ff9
0x00a33ffc
0x00a33ffe
0x00a34000
0x00a34002
0x00a34003
0x00a34006
0x00a34008
0x00a3400a
0x00a3400e
0x00a34013
0x00a34018
0x00a3401a
0x00a3401c
0x00a3401d

Memory Dump Source

Source File: 00000000.00000002.545936967.0000000000A32000.00000002.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.545922025.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.546003817.0000000000A64000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.546077738.0000000000AAE000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cf227f599b5044795a1c432dde04576f9d82f9926f6fddefbe0752bc40fae02
Instruction ID: 946835991ee96f762a1674da79e7454e1c4ea9d47fda832107fa9dc2a316aa81
Opcode Fuzzy Hash: 3cf227f599b5044795a1c432dde04576f9d82f9926f6fddefbe0752bc40fae02
Instruction Fuzzy Hash: 8EA20E6544E3C25FCB234BB45CB6594BFB0AE5B224B1E49DBC4C0CF4A3E15C299AD722

Uniqueness

Uniqueness Score: -1.00%

Function 00A38D7D, Relevance: .9, Instructions: 930COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.545936967.0000000000A32000.00000002.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.545922025.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.546003817.0000000000A64000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.546077738.0000000000AAE000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d66433e4714d77bb9de71f58cf36f9c4a0e7f894f7f996294fb211fc01ecd44e
Instruction ID: 8db0f42fb851f7cd35eb0087e881bfd4cc19079d7924c0ab585b914d4f3eb125
Opcode Fuzzy Hash: d66433e4714d77bb9de71f58cf36f9c4a0e7f894f7f996294fb211fc01ecd44e
Instruction Fuzzy Hash: E182ADA64AE3D15FE3038770587A6907FB19E17218B1F89DBC4C0DF4A3E24A495AD332

Uniqueness

Uniqueness Score: -1.00%

Function 00A32830, Relevance: .7, Instructions: 670
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E00A32830(signed char __eax, intOrPtr* __ebx, void* __ecx, intOrPtr* __edx, signed int* __edi, signed int* __esi) {
				signed char _t76;
				signed char _t77;
				signed char _t78;
				signed char _t79;
				signed int _t80;
				signed char _t81;
				intOrPtr* _t82;
				intOrPtr* _t84;
				signed char _t86;
				signed char _t87;
				intOrPtr* _t88;
				signed int* _t89;
				signed char _t91;
				intOrPtr* _t92;
				signed char _t93;
				intOrPtr* _t95;
				intOrPtr* _t97;
				intOrPtr* _t99;
				intOrPtr* _t100;
				intOrPtr* _t101;
				intOrPtr* _t102;
				intOrPtr* _t103;
				intOrPtr* _t104;
				intOrPtr* _t105;
				intOrPtr* _t106;
				intOrPtr* _t108;
				intOrPtr* _t109;
				intOrPtr* _t110;
				intOrPtr* _t111;
				signed char _t112;
				signed char _t113;
				signed char _t114;
				intOrPtr* _t115;
				intOrPtr* _t119;
				signed int* _t120;
				signed char _t121;
				signed char _t123;
				void* _t126;
				intOrPtr* _t127;
				intOrPtr* _t128;
				signed int* _t129;
				signed int* _t130;
				intOrPtr* _t131;
				intOrPtr* _t132;
				void* _t133;
				void* _t134;
				void* _t136;
				void* _t151;
				void* _t152;
				void* _t153;

				_t130 = __esi;
				_t129 = __edi;
				_t125 = __edx;
				_t76 = __eax;
				 *_t76 =  *_t76 + _t76;
				 *_t76 =  *_t76 + _t76;
				 *_t76 =  *_t76 + _t76;
				 *((intOrPtr*)(_t76 + _t76)) =  *((intOrPtr*)(_t76 + _t76)) + __edx;
				 *_t76 =  *_t76 + _t76;
				asm("sgdt [eax]");
				 *__ebx =  *__ebx + _t76;
				 *_t76 =  *_t76 + _t76;
				 *__esi =  *__esi + _t76;
				 *_t76 =  *_t76 + _t76;
				 *__esi =  *__esi + __ecx;
				 *_t76 =  *_t76 + _t76;
				 *__ebx =  *__ebx + __ebx;
				 *__esi =  *__esi ^ _t76;
				 *((intOrPtr*)(_t76 + _t76)) =  *((intOrPtr*)(_t76 + _t76)) + _t76;
				 *_t76 =  *_t76 + _t76;
				_push(cs);
				 *_t76 =  *_t76 + _t76;
				asm("adc [eax], eax");
				 *((intOrPtr*)(__edx + _t132)) =  *((intOrPtr*)(__edx + _t132)) + __edx;
				_t123 = __ecx + 1;
				 *[fs:eax] =  *[fs:eax] + _t76;
				_t77 = _t76 +  *_t76;
				 *_t77 =  *_t77 + _t77;
				_push(__edi);
				 *_t77 =  *_t77 + _t77;
				 *_t77 =  *_t77 + _t77;
				 *__esi =  *__esi + _t123;
				 *_t77 =  *_t77 + _t77;
				 *__edi =  *__edi + _t123;
				 *_t77 =  *_t77 + _t77;
				 *_t77 =  *_t77 + _t77;
				 *_t77 =  *_t77 + _t77;
				 *_t77 =  *_t77 + _t77;
				 *_t77 =  *_t77 + _t77;
				 *_t132 =  *_t132 + _t123;
				 *_t77 =  *_t77 + _t77;
				asm("cmc");
				 *_t77 =  *_t77 + _t77;
				 *((intOrPtr*)(__edx + 1)) =  *((intOrPtr*)(__edx + 1)) + _t77;
				 *_t77 =  *_t77 + _t77;
				 *_t77 =  *_t77 + _t77;
				 *__esi =  *__esi + _t123;
				 *_t77 =  *_t77 + _t77;
				 *__edx =  *__edx + _t77;
				 *_t77 =  *_t77 + _t77;
				 *_t77 =  *_t77 + __ebx + __edx;
				 *_t77 =  *_t77 + _t77;
				 *0x5d000001 =  *0x5d000001 + _t77;
				 *_t77 =  *_t77 + _t77;
				 *0 =  *0 + _t123;
				 *_t77 =  *_t77 + _t77;
				 *_t77 =  *_t77 + _t77;
				 *_t77 =  *_t77 + _t77;
				 *(_t77 + _t77) =  *(_t77 + _t77) + __edx;
				 *_t77 =  *_t77 + _t77;
				_t119 = es;
				 *_t77 =  *_t77 + _t77;
				__edi[0] = __edi[0] + _t123;
				do {
					asm("outsd");
					 *_t77 =  *_t77 + _t77;
					 *__esi =  *__esi + _t77;
					 *_t77 =  *_t77 + _t77;
					 *__esi =  *__esi + _t123;
					 *_t77 =  *_t77 + _t77;
					 *_t119 =  *_t119 + _t119;
					 *(_t77 + _t77) =  *(_t77 + _t77) ^ _t77;
					_t78 = _t77;
					 *_t78 =  *_t78 + _t78;
					asm("sldt word [eax]");
					asm("adc [eax], eax");
					 *((intOrPtr*)(__edx + _t132)) =  *((intOrPtr*)(__edx + _t132)) + __edx;
					 *_t78 =  *_t78 + __edx;
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					asm("adc al, 0x0");
					 *__esi =  *__esi + _t78;
					_push(cs);
					 *_t78 =  *_t78 + _t78;
					 *_t119 =  *_t119 + _t119;
					 *(_t78 + _t78) =  *(_t78 + _t78) ^ _t78;
					_t77 = _t78;
					 *_t77 =  *_t77 + _t77;
					asm("adc [eax], al");
					 *_t123 =  *_t123 + __edx;
					 *_t77 =  *_t77 + _t77;
					asm("adc al, 0x2a");
					 *_t77 =  *_t77 + _t77;
					 *_t77 =  *_t77 + _t77;
					 *_t123 =  *_t123 + _t123;
				} while ( *_t123 >= 0);
				 *__esi =  *__esi + _t77;
				_push(cs);
				 *_t77 =  *_t77 + _t77;
				 *__edx =  *__edx + _t77;
				 *__edi =  *__edi + __edx;
				 *((intOrPtr*)(_t123 + 0xd00d0)) =  *((intOrPtr*)(_t123 + 0xd00d0)) + _t119;
				 *_t77 =  *_t77 + _t77;
				 *__edx =  *__edx + _t77;
				 *_t77 =  *_t77 + __edx;
				 *((intOrPtr*)(__edx + 0xd00e2)) =  *((intOrPtr*)(__edx + 0xd00e2)) + __edx;
				 *_t77 =  *_t77 + _t77;
				 *__edx =  *__edx + _t77;
				 *_t123 =  *_t123 + _t123;
				_t120 = _t119 + _t123;
				asm("hlt");
				 *0 =  *0 + _t123;
				 *_t77 =  *_t77 + _t77;
				asm("sbb [eax], eax");
				asm("in eax, dx");
				_push(es);
				 *__esi =  *__esi + _t77;
				_push(cs);
				 *_t77 =  *_t77 + _t77;
				 *_t120 = _t120 +  *_t120;
				 *(_t77 + _t77) =  *(_t77 + _t77) ^ _t77;
				_t79 = _t77;
				 *_t79 =  *_t79 + _t79;
				asm("adc [eax], eax");
				 *_t123 =  *_t123 + __edx;
				 *_t79 =  *_t79 + _t79;
				asm("adc al, 0x2a");
				 *((intOrPtr*)(_t79 + _t79)) =  *((intOrPtr*)(_t79 + _t79)) + _t120;
				 *_t79 =  *_t79 + _t79;
				 *__esi =  *__esi + _t123;
				 *_t123 =  *_t123 + _t123;
				asm("aaa");
				 *_t123 =  *_t123 + __edx;
				asm("sbb eax, 0x10000");
				 *__esi =  *__esi + _t123;
				 *((intOrPtr*)(_t132 + 0x1d0600a3)) =  *((intOrPtr*)(_t132 + 0x1d0600a3)) + __edx;
				 *_t79 =  *_t79 + _t79;
				 *_t120 = _t120 +  *_t120;
				 *_t120 =  *_t120 ^ _t79;
				 *((intOrPtr*)(_t79 + _t79)) =  *((intOrPtr*)(_t79 + _t79)) + _t79;
				 *_t79 =  *_t79 + _t79;
				asm("adc al, [eax]");
				 *_t123 =  *_t123 + __edx;
				 *_t79 =  *_t79 + _t79;
				asm("adc al, 0x2a");
				 *_t79 =  *_t79 + __edx;
				 *_t79 =  *_t79 + _t79;
				 *_t79 =  *_t79 + _t79;
				 *0xe0c0043 =  *0xe0c0043 + __edx;
				 *_t79 =  *_t79 + _t79;
				 *__edx =  *__edx + _t120;
				 *((intOrPtr*)(_t132 + 2)) =  *((intOrPtr*)(_t132 + 2)) - _t79;
				 *__esi =  *__esi + _t79;
				_t80 = _t79 -  *_t79;
				 *((char*)(_t80 + 0x6b4d806f)) =  *((char*)(_t80 + 0x6b4d806f));
				 *_t80 =  *_t80 ^ _t80;
				 *_t80 =  *_t80 + _t80;
				 *__edx =  *__edx + _t120;
				 *((intOrPtr*)(_t132 + 2)) =  *((intOrPtr*)(_t132 + 2)) - _t80;
				 *__esi =  *__esi + _t80;
				_t81 = _t80 -  *_t80;
				asm("adc al, [eax]");
				 *((intOrPtr*)(__edx + _t132)) =  *((intOrPtr*)(__edx + _t132)) + __edx;
				 *_t81 =  *_t81 + _t81;
				 *__edx =  *__edx + __edx;
				 *_t81 =  *_t81 + _t81;
				asm("adc al, 0x2a");
				 *_t81 =  *_t81 + _t81;
				 *__edx =  *__edx + __edx;
				 *_t81 =  *_t81 + _t81;
				asm("adc al, 0x2a");
				 *_t81 =  *_t81 + _t81;
				 *_t120 = _t120 +  *_t120;
				 *__esi =  *__esi ^ _t81;
				 *((intOrPtr*)(_t81 + _t81)) =  *((intOrPtr*)(_t81 + _t81)) + _t81;
				 *_t81 =  *_t81 + _t81;
				asm("adc eax, [eax]");
				 *_t123 =  *_t123 + __edx;
				 *_t81 =  *_t81 + _t81;
				ss = cs;
				_t82 = _t81 -  *_t123;
				asm("adc [eax], al");
				 *__edx =  *__edx + _t82;
				_t121 = _t120 + _t82;
				 *((intOrPtr*)(_t123 + 0x3c)) =  *((intOrPtr*)(_t123 + 0x3c)) + _t121;
				 *0 =  *0 + _t123;
				asm("adc esi, [eax]");
				_t84 = _t82;
				 *_t84 =  *_t84 + _t84;
				 *_t84 =  *_t84 + _t84;
				 *_t84 =  *_t84 + _t84;
				 *_t84 =  *_t84 + _t84;
				 *__edx =  *__edx + _t123;
				asm("sbb ch, [eax]");
				_t133 = _t132 + 1;
				_push(es);
				_t86 = _t84 +  *_t84 -  *((intOrPtr*)(_t84 +  *_t84));
				asm("adc al, [eax]");
				 *((intOrPtr*)(__edx + _t133)) =  *((intOrPtr*)(__edx + _t133)) + __edx;
				 *_t86 =  *_t86 + _t86;
				 *_t121 =  *_t121 + _t121;
				 *_t121 =  *_t121 ^ _t86;
				 *((intOrPtr*)(_t86 + _t86)) =  *((intOrPtr*)(_t86 + _t86)) + _t86;
				 *_t86 =  *_t86 + _t86;
				asm("adc al, 0x0");
				 *_t123 =  *_t123 + __edx;
				 *_t86 =  *_t86 + _t86;
				asm("adc al, 0x2a");
				 *_t86 =  *_t86 + __edx;
				 *_t86 =  *_t86 + _t86;
				 *_t86 =  *_t86 + _t86;
				_push(cs);
				 *__esi =  *__esi + __edx;
				_t87 = _t86 & 0x00000000;
				asm("adc [0x12010000], bl");
				 *_t87 =  *_t87 + _t87;
				asm("adc al, 0x2a");
				 *_t87 =  *_t87 + _t87;
				 *__edx =  *__edx + _t121;
				 *((intOrPtr*)(_t133 + 2)) =  *((intOrPtr*)(_t133 + 2)) - _t87;
				 *__esi =  *__esi + _t87;
				_t88 = _t87 -  *_t87;
				asm("adc esi, [eax]");
				_push(es);
				 *((intOrPtr*)(_t121 + 0x15000001)) =  *((intOrPtr*)(_t121 + 0x15000001)) + _t88;
				 *_t88 =  *_t88 + _t88;
				asm("adc [eax], ebp");
				_t134 = _t133 + 1;
				_t89 = _t88 +  *_t88;
				_push(es);
				 *_t89 =  *_t89 & _t123;
				 *_t89 = _t89 +  *_t89;
				 *_t89 =  *_t89 + _t123;
				 *__esi = _t89 +  *__esi;
				 *_t123 = _t89;
				 *_t89 = _t89 +  *_t89;
				_t91 = _t89 - _t123 +  *((intOrPtr*)(_t89 - _t123));
				_push(es);
				if(_t91 >= 0) {
					L9:
					 *_t91 =  *_t91 + _t91;
					_push(es);
					if( *_t91 >= 0) {
						goto L21;
					} else {
						 *_t91 =  *_t91 + _t91;
						_push(es);
						 *0xfe141c25 = _t91;
						_push(es);
						_t130 =  &(_t130[0]);
						 *_t91 =  *_t91 + _t91;
						_t151 =  *_t91;
						goto L11;
					}
				} else {
					 *_t91 =  *_t91 + _t91;
					_push(es);
					_t121 = _t121 |  *__edi;
					asm("adc eax, 0xf8d");
					_t91 = _t91 +  *0x6fe1416 + 1;
					 *_t91 =  *_t91 + _t91;
					_push(es);
					if( *_t91 >= 0) {
						L11:
						_push(es);
						if(_t151 >= 0) {
							goto L23;
						} else {
							 *_t91 =  *_t91 + _t91;
							_push(es);
							 *0xfe141d25 = _t91;
							_push(es);
							_t129 =  &(_t129[0]);
							 *_t91 =  *_t91 + _t91;
							_t152 =  *_t91;
							goto L13;
						}
					} else {
						 *_t91 =  *_t91 + _t91;
						_push(es);
						 *0xfe141725 = _t91;
						_push(es);
						_t123 = _t123 + 1;
						 *_t91 =  *_t91 + _t91;
						_push(es);
						if( *_t91 >= 0) {
							L13:
							_push(es);
							if(_t152 >= 0) {
								goto L25;
							} else {
								 *_t91 =  *_t91 + _t91;
								_push(es);
								 *0xfe141e25 = _t91;
								_push(es);
								_t91 = _t91 - 1;
								 *_t91 =  *_t91 + _t91;
								_t153 =  *_t91;
								goto L15;
							}
						} else {
							 *_t91 =  *_t91 + _t91;
							_push(es);
							 *0xfe141825 = _t91;
							_push(es);
							_t125 = __edx + 1;
							 *_t91 =  *_t91 + _t91;
							_push(es);
							if( *_t91 >= 0) {
								L15:
								_push(es);
								if(_t153 >= 0) {
									goto L27;
								} else {
									 *_t91 =  *_t91 + _t91;
									_push(es);
									 *0x14091f25 = _t91;
									 *_t130 =  *_t130 + 1;
									_t123 = _t123 - 1;
									 *_t91 =  *_t91 + _t91;
									goto L17;
								}
							} else {
								 *_t91 =  *_t91 + _t91;
								_push(es);
								 *0xfe141925 = _t91;
								_push(es);
								_t121 = _t121 + 1;
								 *_t91 =  *_t91 + _t91;
								_push(es);
								if( *_t91 >= 0) {
									L17:
									 *_t130 =  *_t130 + _t91;
									if( *_t130 >= 0) {
										goto L29;
									} else {
										 *_t91 =  *_t91 + _t91;
										_push(es);
										 *0x140a1f25 = _t91;
										 *_t130 =  *_t130 + 1;
										_t125 = _t125 - 1;
										goto L19;
									}
								} else {
									 *_t91 =  *_t91 + _t91;
									_push(es);
									 *0xfe141a25 = _t91;
									_push(es);
									_t136 = _t136 + 1;
									 *_t91 =  *_t91 + _t91;
									_push(es);
									if( *_t91 >= 0) {
										L19:
										 *_t91 =  *_t91 + _t91;
										_push(es);
										if( *_t91 >= 0) {
											L32:
											asm("adc al, 0xfe");
											_push(es);
											_push(_t91);
											 *_t91 =  *_t91 + _t91;
											_push(es);
											if( *_t91 >= 0) {
												goto L45;
											} else {
												 *_t91 =  *_t91 + _t91;
												goto L34;
											}
										} else {
											 *_t91 =  *_t91 + _t91;
											_push(es);
											 *0x140b1f25 = _t91;
											 *_t130 =  *_t130 + 1;
											L21:
											_t121 = _t121 - 1;
											 *_t91 =  *_t91 + _t91;
											_push(es);
											if( *_t91 >= 0) {
												L35:
												asm("adc al, 0xfe");
												_push(es);
												_push(_t123);
												 *_t91 =  *_t91 + _t91;
												_push(es);
												if( *_t91 >= 0) {
													goto L47;
												} else {
													 *_t91 =  *_t91 + _t91;
													_push(es);
													 *0x14121f25 = _t91;
													goto L37;
												}
											} else {
												 *_t91 =  *_t91 + _t91;
												_push(es);
												 *0x140c1f25 = _t91;
												 *_t130 =  *_t130 + 1;
												L23:
												_push(es);
												_t136 = _t136 - 1;
												 *_t91 =  *_t91 + _t91;
												_push(es);
												if( *_t91 >= 0) {
													L37:
													asm("adc al, 0xfe");
													_push(es);
													_push(_t125);
													 *_t91 =  *_t91 + _t91;
													_push(es);
													if( *_t91 >= 0) {
														goto L48;
													} else {
														 *_t91 =  *_t91 + _t91;
														_push(es);
														 *0x14131f25 = _t91;
														goto L39;
													}
												} else {
													 *_t91 =  *_t91 + _t91;
													_push(es);
													 *0x140d1f25 = _t91;
													L25:
													 *_t130 =  *_t130 + 1;
													_t134 = _t134 - 1;
													 *_t91 =  *_t91 + _t91;
													_push(es);
													if( *_t91 >= 0) {
														L39:
														asm("adc al, 0xfe");
														_push(es);
														_push(_t121);
														 *_t91 =  *_t91 + _t91;
														_push(es);
														if( *_t91 >= 0) {
															goto L49;
														} else {
															 *_t91 =  *_t91 + _t91;
															_push(es);
															 *0x14141f25 = _t91;
															goto L41;
														}
													} else {
														 *_t91 =  *_t91 + _t91;
														_push(es);
														 *0x140e1f25 = _t91;
														L27:
														asm("adc al, 0xfe");
														_push(es);
														_t130 = _t130 - 1;
														 *_t91 =  *_t91 + _t91;
														_push(es);
														if( *_t91 >= 0) {
															L41:
															asm("adc al, 0xfe");
															_push(es);
															_push(_t136);
															 *_t91 =  *_t91 + _t91;
															_push(es);
															if( *_t91 < 0) {
																 *_t91 =  *_t91 + _t91;
																_push(es);
																 *0x5628 = _t91;
																goto L43;
															}
														} else {
															 *_t91 =  *_t91 + _t91;
															_push(es);
															 *0x140f1f25 = _t91;
															L29:
															asm("adc al, 0xfe");
															_push(es);
															_t129 = _t129 - 1;
															L30:
															 *_t91 =  *_t91 + _t91;
															_push(es);
															if( *_t91 >= 0) {
																L43:
																 *_t130 =  *_t130 + _t91;
																_push(es);
																if( *_t130 >= 0) {
																	goto L30;
																} else {
																	 *_t91 =  *_t91 + _t91;
																	_t121 = _t121 |  *(_t134 + 0x14);
																	 *_t91 =  *_t91 + _t91;
																	_t91 = _t91 + 0x28;
																	_push(_t134);
																	 *_t91 =  *_t91 + _t91;
																	L45:
																	 *_t130 =  *_t130 + _t91;
																	 *_t130 =  *_t130 + 1;
																	_t134 = es;
																	 *_t91 =  *_t91 + _t91;
																	_push(es);
																	if( *_t91 >= 0) {
																		L34:
																		_push(es);
																		 *0x14111f25 = _t91;
																		goto L35;
																	} else {
																		 *_t91 =  *_t91 + _t91;
																		_t123 = _t123 |  *_t91;
																		_t91 = _t91 | 0x282b0000;
																		L47:
																		 *_t91 =  *_t91 + _t91;
																		_push(cs);
																		 *_t91 =  *_t91 + _t91;
																		_t134 = _t134 -  *_t91 -  *_t91;
																		_push(_t130);
																		 *_t91 =  *_t91 + _t91;
																		_push(es);
																		_t91 = _t91 -  *_t91;
																		asm("sbb esi, [eax]");
																		L48:
																		 *0x400 =  *0x400 ^ _t91;
																		 *_t130 =  *_t130 + _t125;
																		 *_t91 =  *_t91 + _t91;
																		asm("adc [eax], eax");
																		 *_t129 =  *_t129 + _t125;
																		_t91 = _t91 -  *_t123;
																		L49:
																		asm("sbb al, 0x0");
																		 *_t91 =  *_t91 + _t91;
																		_t123 = _t123 + _t91;
																		 *0xe0600ee =  *0xe0600ee + _t123;
																		 *_t91 =  *_t91 + _t91;
																		 *_t91 =  *_t91 + _t91;
																	}
																}
															} else {
																 *_t91 =  *_t91 + _t91;
																_push(es);
																 *0x14101f25 = _t91;
																goto L32;
															}
														}
													}
												}
											}
										}
									} else {
										 *_t91 =  *_t91 + _t91;
										_push(es);
										 *0xfe141b25 = _t91;
										_push(es);
										_t134 = _t134 + 1;
										goto L9;
									}
								}
							}
						}
					}
				}
				 *_t130 =  *_t130 + _t123;
				_t126 = _t125 + _t121;
				 *_t123 =  *_t123 | _t91;
				 *_t130 =  *_t130 | _t123;
				 *_t91 =  *_t91 + _t91;
				 *_t121 =  *_t121 + _t126;
				 *_t121 =  *_t121 ^ _t91;
				 *((intOrPtr*)(_t91 + _t91)) =  *((intOrPtr*)(_t91 + _t91)) + _t91;
				 *_t91 =  *_t91 + _t91;
				_pop(ss);
				 *_t91 =  *_t91 + _t91;
				asm("adc [eax], eax");
				 *_t91 =  *_t91 + _t91;
				_t127 = _t126 -  *_t121;
				 *_t91 =  *_t91 ^ _t123;
				 *((intOrPtr*)(_t91 + _t91)) =  *((intOrPtr*)(_t91 + _t91)) + _t91;
				 *_t91 =  *_t91 + _t91;
				 *_t91 =  *_t91 + _t91;
				 *_t91 =  *_t91 + _t91;
				 *_t91 =  *_t91 + _t91;
				 *_t127 =  *_t127 + _t123;
				asm("adc al, [eax]");
				 *_t91 =  *_t91 + _t91;
				_t92 = _t91 -  *_t91;
				 *_t92 =  *_t92 + _t92;
				asm("adc esi, [eax]");
				_t93 = _t92 + 0x400;
				 *_t93 =  *_t93 + _t121;
				 *_t93 =  *_t93 + _t93;
				asm("adc [eax], eax");
				 *_t93 =  *_t93 + _t93;
				_t128 = _t127 -  *_t127;
				 *_t93 =  *_t93 + _t93;
				 *_t128 =  *_t128 + _t123;
				 *_t93 =  *_t93 + _t93;
				 *_t121 =  *_t121 + _t121;
				 *_t121 =  *_t121 ^ _t93;
				 *((intOrPtr*)(_t93 + _t93)) =  *((intOrPtr*)(_t93 + _t93)) + _t93;
				 *_t93 =  *_t93 + _t93;
				asm("sbb [eax], eax");
				 *_t123 =  *_t123 + _t128;
				 *_t93 =  *_t93 + _t93;
				 *_t128 =  *_t128 + _t123;
				 *_t93 =  *_t93 + _t128;
				 *_t93 =  *_t93 + _t93;
				asm("sbb [eax], eax");
				asm("das");
				_t95 = _t93 +  *_t93 - 1;
				 *_t130 =  *_t130 + _t123;
				 *_t95 =  *_t95 + _t95;
				 *_t95 =  *_t95 + _t95;
				asm("sbb esi, [eax]");
				_t97 = _t95 +  *_t95;
				 *_t97 =  *_t97 + _t97;
				asm("sbb [eax], eax");
				 *_t123 =  *_t123 + _t128;
				 *_t97 =  *_t97 + _t97;
				 *_t128 =  *_t128 + _t123;
				 *_t97 =  *_t97 + _t128;
				 *_t97 =  *_t97 + _t97;
				asm("sbb [eax], eax");
				asm("das");
				_t99 = _t97 +  *_t97 - 1;
				 *_t130 =  *_t130 + _t123;
				 *_t99 =  *_t99 + _t99;
				 *_t99 =  *_t99 + _t99;
				asm("adc al, [eax]");
				 *_t99 =  *_t99 + _t99;
				_t100 = _t99 -  *_t99;
				 *_t100 =  *_t100 + _t100;
				asm("adc esi, [eax]");
				_push(es);
				 *((intOrPtr*)(_t100 + _t100)) =  *((intOrPtr*)(_t100 + _t100)) + _t100;
				 *_t100 =  *_t100 + _t100;
				asm("sbb al, [eax]");
				 *_t123 =  *_t123 + _t128;
				 *_t100 =  *_t100 + _t100;
				 *_t128 =  *_t128 + _t123;
				asm("adc al, [eax]");
				 *_t100 =  *_t100 + _t100;
				_t101 = _t100 -  *_t100;
				 *_t101 =  *_t101 + _t101;
				asm("adc al, [eax]");
				 *_t101 =  *_t101 + _t101;
				_t102 = _t101 -  *_t101;
				 *_t102 =  *_t102 + _t102;
				asm("adc al, [eax]");
				 *_t102 =  *_t102 + _t102;
				_t103 = _t102 -  *_t102;
				 *_t103 =  *_t103 + _t103;
				asm("adc al, [eax]");
				 *_t103 =  *_t103 + _t103;
				_t104 = _t103 -  *_t103;
				 *_t104 =  *_t104 + _t104;
				asm("adc al, [eax]");
				 *_t104 =  *_t104 + _t104;
				_t105 = _t104 -  *_t104;
				 *_t105 =  *_t105 + _t105;
				asm("adc al, [eax]");
				 *_t105 =  *_t105 + _t105;
				_t106 = _t105 -  *_t105;
				 *_t106 =  *_t106 + _t106;
				_t131 = _t130 +  *_t106;
				_t108 = _t106 +  *_t106;
				 *_t108 =  *_t108 + _t108;
				 *_t108 =  *_t108 + _t108;
				 *_t108 =  *_t108 + _t108;
				 *_t108 =  *_t108 + _t108;
				 *_t128 =  *_t128 + _t123;
				asm("adc al, [eax]");
				 *_t108 =  *_t108 + _t108;
				_t109 = _t108 -  *_t108;
				 *_t109 =  *_t109 + _t109;
				asm("adc al, [eax]");
				 *_t109 =  *_t109 + _t109;
				_t110 = _t109 -  *_t109;
				 *_t110 =  *_t110 + _t110;
				asm("adc esi, [eax]");
				_push(es);
				 *((intOrPtr*)(_t110 + _t110)) =  *((intOrPtr*)(_t110 + _t110)) + _t110;
				 *_t110 =  *_t110 + _t110;
				asm("sbb eax, [eax]");
				 *_t123 =  *_t123 + _t128;
				 *_t110 =  *_t110 + _t110;
				 *_t128 =  *_t128 + _t123;
				asm("adc al, [eax]");
				 *_t110 =  *_t110 + _t110;
				_t111 = _t110 -  *_t110;
				 *_t111 =  *_t111 + _t111;
				asm("adc al, [eax]");
				 *_t111 =  *_t111 + _t111;
				_t112 = _t111 -  *_t111;
				 *_t112 =  *_t112 + _t112;
				asm("adc esi, [eax]");
				_push(es);
				 *(_t112 + _t112) =  *(_t112 + _t112) + _t112;
				 *_t112 =  *_t112 + _t112;
				 *_t112 =  *_t112 + _t112;
				 *_t112 =  *_t112 + _t112;
				 *_t112 =  *_t112 + _t112;
				 *_t128 =  *_t128 + _t123;
				asm("adc al, [eax]");
				 *((intOrPtr*)(_t128 + _t134)) =  *((intOrPtr*)(_t128 + _t134)) + _t128;
				 *_t112 =  *_t112 + _t112;
				 *_t128 =  *_t128 + _t128;
				 *_t112 =  *_t112 + _t112;
				 *_t128 =  *_t128 + _t123;
				 *_t112 =  *_t112 + _t112;
				 *_t121 =  *_t121 + _t121;
				 *_t121 =  *_t121 ^ _t112;
				 *(_t112 + _t112) =  *(_t112 + _t112) + _t112;
				 *_t112 =  *_t112 + _t112;
				asm("adc al, [eax]");
				 *_t123 =  *_t123 + _t128;
				 *_t112 =  *_t112 + _t112;
				asm("adc al, 0x2a");
				 *_t112 =  *_t112 + _t128;
				 *_t112 =  *_t112 + _t112;
				 *_t112 =  *_t112 + _t112;
				_push(cs);
				 *((intOrPtr*)(_t123 + 0x6f)) =  *((intOrPtr*)(_t123 + 0x6f)) + _t112;
				 *_t129 =  *_t129 + _t123;
				 *_t112 =  *_t112 + _t112;
				 *_t121 =  *_t121 + _t121;
				 *(_t112 + _t112) =  *(_t112 + _t112) ^ _t112;
				_t113 = _t112;
				 *_t113 =  *_t113 + _t113;
				asm("sbb al, 0x0");
				 *_t123 =  *_t123 + _t128;
				 *_t113 =  *_t113 + _t113;
				ss = cs;
				_t114 = _t113 -  *_t123;
				asm("adc [eax], al");
				 *_t114 =  *_t114 + _t114;
				 *_t131 =  *_t131 + _t123;
				 *_t131 =  *_t131 + _t123;
				asm("sbb al, 0x0");
				 *0x1b010000 =  *0x1b010000 | _t121;
				 *0x400 =  *0x400 ^ _t114;
				 *0x110000 =  *0x110000 + _t121;
				 *((intOrPtr*)(_t128 + _t134)) =  *((intOrPtr*)(_t128 + _t134)) + _t128;
				 *[fs:eax] =  *[fs:eax] + _t114;
				_t115 = _t114 +  *_t114;
				 *_t115 =  *_t115 + _t115;
				return _t115;
			}

0x00a32830
0x00a32830
0x00a32830
0x00a32830
0x00a32835
0x00a32837
0x00a32839
0x00a3283b
0x00a3283e
0x00a32840
0x00a32843
0x00a32845
0x00a32847
0x00a32849
0x00a3284b
0x00a3284d
0x00a3284f
0x00a32851
0x00a32853
0x00a32856
0x00a32858
0x00a32859
0x00a3285b
0x00a3285d
0x00a32860
0x00a32861
0x00a32864
0x00a32866
0x00a32868
0x00a32869
0x00a3286d
0x00a3286f
0x00a32871
0x00a32873
0x00a32875
0x00a32877
0x00a32879
0x00a3287b
0x00a3287d
0x00a3287f
0x00a32882
0x00a32884
0x00a32885
0x00a32887
0x00a3288a
0x00a3288d
0x00a3288f
0x00a32891
0x00a32893
0x00a32895
0x00a32897
0x00a32899
0x00a3289b
0x00a328a1
0x00a328a3
0x00a328a9
0x00a328ab
0x00a328ad
0x00a328af
0x00a328b2
0x00a328b4
0x00a328b5
0x00a328b7
0x00a328b8
0x00a328b8
0x00a328b9
0x00a328bb
0x00a328bd
0x00a328bf
0x00a328c1
0x00a328c3
0x00a328c5
0x00a328c8
0x00a328ca
0x00a328cc
0x00a328cf
0x00a328d1
0x00a328d4
0x00a328d6
0x00a328d8
0x00a328da
0x00a328de
0x00a328e0
0x00a328e1
0x00a328e3
0x00a328e5
0x00a328e8
0x00a328ea
0x00a328ec
0x00a328ee
0x00a328f0
0x00a328f2
0x00a328f4
0x00a328f7
0x00a328f9
0x00a328f9
0x00a328fe
0x00a32900
0x00a32901
0x00a32903
0x00a32905
0x00a32907
0x00a3290d
0x00a3290f
0x00a32911
0x00a32913
0x00a32919
0x00a3291b
0x00a3291d
0x00a3291f
0x00a32921
0x00a32922
0x00a32928
0x00a3292a
0x00a3292c
0x00a3292d
0x00a3292e
0x00a32930
0x00a32931
0x00a32933
0x00a32935
0x00a32938
0x00a3293a
0x00a3293c
0x00a3293e
0x00a32940
0x00a32942
0x00a32944
0x00a32947
0x00a32949
0x00a3294b
0x00a3294d
0x00a3294e
0x00a32950
0x00a32955
0x00a32957
0x00a3295d
0x00a3295f
0x00a32961
0x00a32963
0x00a32966
0x00a32968
0x00a3296a
0x00a3296c
0x00a3296e
0x00a32970
0x00a32972
0x00a32974
0x00a32977
0x00a3297d
0x00a3297f
0x00a32981
0x00a32984
0x00a32986
0x00a3298c
0x00a32993
0x00a32995
0x00a32997
0x00a32999
0x00a3299c
0x00a3299e
0x00a329a0
0x00a329a2
0x00a329a5
0x00a329a7
0x00a329a9
0x00a329ab
0x00a329ad
0x00a329af
0x00a329b1
0x00a329b3
0x00a329b5
0x00a329b7
0x00a329b9
0x00a329bb
0x00a329be
0x00a329c0
0x00a329c2
0x00a329c4
0x00a329c6
0x00a329c7
0x00a329c9
0x00a329cb
0x00a329cd
0x00a329cf
0x00a329d2
0x00a329d8
0x00a329dc
0x00a329de
0x00a329e0
0x00a329e2
0x00a329e4
0x00a329e6
0x00a329e8
0x00a329ea
0x00a329ed
0x00a329ee
0x00a329f0
0x00a329f2
0x00a329f5
0x00a329f7
0x00a329f9
0x00a329fb
0x00a329fe
0x00a32a00
0x00a32a02
0x00a32a04
0x00a32a06
0x00a32a08
0x00a32a0a
0x00a32a0c
0x00a32a0e
0x00a32a0f
0x00a32a11
0x00a32a13
0x00a32a19
0x00a32a1b
0x00a32a1d
0x00a32a1f
0x00a32a21
0x00a32a24
0x00a32a26
0x00a32a28
0x00a32a2a
0x00a32a2b
0x00a32a31
0x00a32a33
0x00a32a35
0x00a32a36
0x00a32a38
0x00a32a39
0x00a32a3b
0x00a32a3d
0x00a32a41
0x00a32a49
0x00a32a4b
0x00a32a4f
0x00a32a51
0x00a32a52
0x00a32ab0
0x00a32ab0
0x00a32ab2
0x00a32ab3
0x00000000
0x00a32ab5
0x00a32ab5
0x00a32ab7
0x00a32ab8
0x00a32abd
0x00a32abe
0x00a32abf
0x00a32abf
0x00000000
0x00a32abf
0x00a32a54
0x00a32a54
0x00a32a56
0x00a32a57
0x00a32a59
0x00a32a64
0x00a32a65
0x00a32a67
0x00a32a68
0x00a32ac1
0x00a32ac1
0x00a32ac2
0x00000000
0x00a32ac4
0x00a32ac4
0x00a32ac6
0x00a32ac7
0x00a32acc
0x00a32acd
0x00a32ace
0x00a32ace
0x00000000
0x00a32ace
0x00a32a6a
0x00a32a6a
0x00a32a6c
0x00a32a6d
0x00a32a72
0x00a32a73
0x00a32a74
0x00a32a76
0x00a32a77
0x00a32ad0
0x00a32ad0
0x00a32ad1
0x00000000
0x00a32ad3
0x00a32ad3
0x00a32ad5
0x00a32ad6
0x00a32adb
0x00a32adc
0x00a32add
0x00a32add
0x00000000
0x00a32add
0x00a32a79
0x00a32a79
0x00a32a7b
0x00a32a7c
0x00a32a81
0x00a32a82
0x00a32a83
0x00a32a85
0x00a32a86
0x00a32adf
0x00a32adf
0x00a32ae0
0x00000000
0x00a32ae2
0x00a32ae2
0x00a32ae4
0x00a32ae5
0x00a32aea
0x00a32aec
0x00a32aed
0x00000000
0x00a32aed
0x00a32a88
0x00a32a88
0x00a32a8a
0x00a32a8b
0x00a32a90
0x00a32a91
0x00a32a92
0x00a32a94
0x00a32a95
0x00a32aee
0x00a32aee
0x00a32af0
0x00000000
0x00a32af2
0x00a32af2
0x00a32af4
0x00a32af5
0x00a32afa
0x00a32afc
0x00000000
0x00a32afc
0x00a32a97
0x00a32a97
0x00a32a99
0x00a32a9a
0x00a32a9f
0x00a32aa0
0x00a32aa1
0x00a32aa3
0x00a32aa4
0x00a32afd
0x00a32afd
0x00a32aff
0x00a32b00
0x00a32b59
0x00a32b59
0x00a32b5b
0x00a32b5c
0x00a32b5d
0x00a32b5f
0x00a32b60
0x00000000
0x00a32b62
0x00a32b62
0x00000000
0x00a32b62
0x00a32b02
0x00a32b02
0x00a32b04
0x00a32b05
0x00a32b0a
0x00a32b0c
0x00a32b0c
0x00a32b0d
0x00a32b0f
0x00a32b10
0x00a32b69
0x00a32b69
0x00a32b6b
0x00a32b6c
0x00a32b6d
0x00a32b6f
0x00a32b70
0x00000000
0x00a32b72
0x00a32b72
0x00a32b74
0x00a32b75
0x00000000
0x00a32b75
0x00a32b12
0x00a32b12
0x00a32b14
0x00a32b15
0x00a32b1a
0x00a32b1b
0x00a32b1b
0x00a32b1c
0x00a32b1d
0x00a32b1f
0x00a32b20
0x00a32b79
0x00a32b79
0x00a32b7b
0x00a32b7c
0x00a32b7d
0x00a32b7f
0x00a32b80
0x00000000
0x00a32b82
0x00a32b82
0x00a32b84
0x00a32b85
0x00000000
0x00a32b85
0x00a32b22
0x00a32b22
0x00a32b24
0x00a32b25
0x00a32b2a
0x00a32b2a
0x00a32b2c
0x00a32b2d
0x00a32b2f
0x00a32b30
0x00a32b89
0x00a32b89
0x00a32b8b
0x00a32b8c
0x00a32b8d
0x00a32b8f
0x00a32b90
0x00000000
0x00a32b92
0x00a32b92
0x00a32b94
0x00a32b95
0x00000000
0x00a32b95
0x00a32b32
0x00a32b32
0x00a32b34
0x00a32b35
0x00a32b39
0x00a32b39
0x00a32b3b
0x00a32b3c
0x00a32b3d
0x00a32b3f
0x00a32b40
0x00a32b99
0x00a32b99
0x00a32b9b
0x00a32b9c
0x00a32b9d
0x00a32b9f
0x00a32ba0
0x00a32ba2
0x00a32ba4
0x00a32ba5
0x00000000
0x00a32ba5
0x00a32b42
0x00a32b42
0x00a32b44
0x00a32b45
0x00a32b49
0x00a32b49
0x00a32b4b
0x00a32b4c
0x00a32b4d
0x00a32b4d
0x00a32b4f
0x00a32b50
0x00a32ba9
0x00a32ba9
0x00a32bab
0x00a32bac
0x00000000
0x00a32bae
0x00a32bae
0x00a32bb0
0x00a32bb3
0x00a32bb5
0x00a32bb7
0x00a32bb8
0x00a32bb9
0x00a32bb9
0x00a32bbc
0x00a32bbe
0x00a32bbf
0x00a32bc1
0x00a32bc2
0x00a32b64
0x00a32b64
0x00a32b65
0x00000000
0x00a32bc4
0x00a32bc4
0x00a32bc6
0x00a32bc8
0x00a32bc9
0x00a32bc9
0x00a32bcd
0x00a32bce
0x00a32bd0
0x00a32bd2
0x00a32bd3
0x00a32bd5
0x00a32bd6
0x00a32bd8
0x00a32bd9
0x00a32bd9
0x00a32bdf
0x00a32be1
0x00a32be3
0x00a32be5
0x00a32be7
0x00a32be9
0x00a32be9
0x00a32beb
0x00a32bed
0x00a32bef
0x00a32bf5
0x00a32bf7
0x00a32bf7
0x00a32bc2
0x00a32b52
0x00a32b52
0x00a32b54
0x00a32b55
0x00000000
0x00a32b55
0x00a32b50
0x00a32b40
0x00a32b30
0x00a32b20
0x00a32b10
0x00a32aa6
0x00a32aa6
0x00a32aa8
0x00a32aa9
0x00a32aae
0x00a32aaf
0x00000000
0x00a32aaf
0x00a32aa4
0x00a32a95
0x00a32a86
0x00a32a77
0x00a32a68
0x00a32bf9
0x00a32bfb
0x00a32bfd
0x00a32bff
0x00a32c01
0x00a32c03
0x00a32c05
0x00a32c07
0x00a32c0a
0x00a32c0c
0x00a32c0d
0x00a32c0f
0x00a32c11
0x00a32c13
0x00a32c15
0x00a32c17
0x00a32c1a
0x00a32c1c
0x00a32c1e
0x00a32c20
0x00a32c22
0x00a32c24
0x00a32c26
0x00a32c28
0x00a32c2a
0x00a32c2c
0x00a32c2e
0x00a32c33
0x00a32c35
0x00a32c37
0x00a32c39
0x00a32c3b
0x00a32c3d
0x00a32c3f
0x00a32c41
0x00a32c43
0x00a32c45
0x00a32c47
0x00a32c4a
0x00a32c4c
0x00a32c4e
0x00a32c50
0x00a32c52
0x00a32c54
0x00a32c56
0x00a32c5a
0x00a32c5c
0x00a32c5d
0x00a32c5e
0x00a32c60
0x00a32c62
0x00a32c64
0x00a32c68
0x00a32c6a
0x00a32c6c
0x00a32c6e
0x00a32c70
0x00a32c72
0x00a32c74
0x00a32c76
0x00a32c7a
0x00a32c7c
0x00a32c7d
0x00a32c7e
0x00a32c80
0x00a32c82
0x00a32c84
0x00a32c86
0x00a32c88
0x00a32c8a
0x00a32c8c
0x00a32c8e
0x00a32c8f
0x00a32c92
0x00a32c94
0x00a32c96
0x00a32c98
0x00a32c9a
0x00a32c9c
0x00a32c9e
0x00a32ca0
0x00a32ca2
0x00a32ca4
0x00a32ca6
0x00a32ca8
0x00a32caa
0x00a32cac
0x00a32cae
0x00a32cb0
0x00a32cb2
0x00a32cb4
0x00a32cb6
0x00a32cb8
0x00a32cba
0x00a32cbc
0x00a32cbe
0x00a32cc0
0x00a32cc2
0x00a32cc4
0x00a32cc6
0x00a32cc8
0x00a32cca
0x00a32ccc
0x00a32cd0
0x00a32cd2
0x00a32cd4
0x00a32cd6
0x00a32cd8
0x00a32cda
0x00a32cdc
0x00a32cde
0x00a32ce0
0x00a32ce2
0x00a32ce4
0x00a32ce6
0x00a32ce8
0x00a32cea
0x00a32cec
0x00a32cee
0x00a32cef
0x00a32cf2
0x00a32cf4
0x00a32cf6
0x00a32cf8
0x00a32cfa
0x00a32cfc
0x00a32cfe
0x00a32d00
0x00a32d02
0x00a32d04
0x00a32d06
0x00a32d08
0x00a32d0a
0x00a32d0c
0x00a32d0e
0x00a32d0f
0x00a32d12
0x00a32d14
0x00a32d16
0x00a32d18
0x00a32d1a
0x00a32d1c
0x00a32d1e
0x00a32d21
0x00a32d23
0x00a32d25
0x00a32d27
0x00a32d29
0x00a32d2b
0x00a32d2d
0x00a32d2f
0x00a32d32
0x00a32d34
0x00a32d36
0x00a32d38
0x00a32d3a
0x00a32d3c
0x00a32d3e
0x00a32d40
0x00a32d42
0x00a32d43
0x00a32d46
0x00a32d49
0x00a32d4b
0x00a32d4d
0x00a32d50
0x00a32d52
0x00a32d54
0x00a32d56
0x00a32d58
0x00a32d5a
0x00a32d5b
0x00a32d5d
0x00a32d5f
0x00a32d61
0x00a32d63
0x00a32d65
0x00a32d67
0x00a32d6d
0x00a32d73
0x00a32d79
0x00a32d7d
0x00a32d80
0x00a32d82
0x00a32d84

Memory Dump Source

Source File: 00000000.00000002.545936967.0000000000A32000.00000002.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.545922025.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.546003817.0000000000A64000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.546077738.0000000000AAE000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc541aec897061dd9df39816cd5a6ec7c1cf241f80ad0e823afe6b0e84bad393
Instruction ID: 975e711ccb4249ca86ca5dadc43472e84d4b770fe59120bec81385d47221e3d5
Opcode Fuzzy Hash: fc541aec897061dd9df39816cd5a6ec7c1cf241f80ad0e823afe6b0e84bad393
Instruction Fuzzy Hash: E942846548F3C15FC7234B746CB19A27FB49E6B264B1E08DBE4C0CF0A3D158196AE762

Uniqueness

Uniqueness Score: -1.00%

Function 00A3401F, Relevance: .6, Instructions: 612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.545936967.0000000000A32000.00000002.00020000.sdmp, Offset: 00A30000, based on PE: true

Associated: 00000000.00000002.545922025.0000000000A30000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.546003817.0000000000A64000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.546077738.0000000000AAE000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d093a91c2b2a3ab9e6db6aa0af94abaee8071e8ccab15e99fa4a0ac4c28f8ef
Instruction ID: c322340485541b9f403fd8c97e7b7d55b4a79bc26a8caa5dd5d98d43453d5f7c
Opcode Fuzzy Hash: 1d093a91c2b2a3ab9e6db6aa0af94abaee8071e8ccab15e99fa4a0ac4c28f8ef
Instruction Fuzzy Hash: 7C423D6548E3C25FC7234B7458B2691BFB0AE17224B1F49DBD4C0CF4A3E25C299AD722

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 01CEE78809685F39CB8F139A99F4B3936C60F4D86CAC5.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage